Analysis
-
max time kernel
144s -
max time network
19s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
13/09/2024, 21:19
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
164c49b60ac0718a6f3668f4cc638c6da578e0799bbd2105898e74dfc1f2a169.exe
Resource
win7-20240903-en
windows7-x64
8 signatures
150 seconds
Behavioral task
behavioral2
Sample
164c49b60ac0718a6f3668f4cc638c6da578e0799bbd2105898e74dfc1f2a169.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
7 signatures
150 seconds
General
-
Target
164c49b60ac0718a6f3668f4cc638c6da578e0799bbd2105898e74dfc1f2a169.exe
-
Size
96KB
-
MD5
2fce1e31bc1a6634c0b221e0b1830ece
-
SHA1
6d4b23db2b5afcff8ebdd362a60ecf307ece9bdf
-
SHA256
164c49b60ac0718a6f3668f4cc638c6da578e0799bbd2105898e74dfc1f2a169
-
SHA512
cffc3121ea1854a0054217ca772ab90b2288b39ad6f085e1537f26e13018d625ba2682f55167feaf6d63a1cee80b68e698e7fbd8865652d3c09610fae71c28b1
-
SSDEEP
1536:lCIarSZVNlurFjMIxY+qbLgqqqqqqC2TSCk2LS9ZS/FCb4noaJSNzJO/:p5EbxYvL8D9aZSs4noakXO/
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jijbnppi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nlcpjj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ehnknfdn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eloimcca.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gokpgd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cleaebna.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dcjleq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kjgoaflj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ooiepnen.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qakkncmi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hpnbjfjj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lcjodiep.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lopjlh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hfmcapna.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jhbfcj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mbfbfe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Geckno32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pkiikm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cocnanmd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lfkhed32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nanlla32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fajpdmgb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dhnoocab.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fpgpjdnf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Impblnna.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oleinmgd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Engpfgql.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ecfednma.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hejaon32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aomdpj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ffiebc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fhgnie32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jdpmij32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ogigpllh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nmlcbafa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Neaehelb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Emdjbi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fflgahfm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fhakkg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kbgqbdbd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cekihh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dilggefh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fnifbaja.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ngikaijm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Peandcih.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Afbpph32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kejfio32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cleaebna.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ocmdeg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oabafcek.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Odpeop32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ehbdif32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jficbn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Knkngp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Onplmp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Caofmc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ekkppkpf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ffiebc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lfkhed32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qjnoacdc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gcmgdpid.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lbgmah32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qjacai32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bdiciboh.exe -
Executes dropped EXE 64 IoCs
pid Process 2364 Biiljjnk.exe 2380 Bofebqlb.exe 2776 Chafpfqp.exe 2768 Cnnohmog.exe 2612 Cnpknl32.exe 2592 Ccoplcii.exe 2384 Cgmiba32.exe 2952 Dbgjbo32.exe 2440 Dbighojl.exe 1272 Dfgpnm32.exe 2924 Dopdgb32.exe 1692 Dndahokk.exe 2488 Ejpkho32.exe 2184 Epmcqf32.exe 2820 Ekcdegqe.exe 3024 Efihcpqk.exe 1728 Fgmaphdg.exe 1948 Fbbfmqdm.exe 1768 Fnifbaja.exe 1528 Fhakkg32.exe 1800 Fajpdmgb.exe 1648 Fallil32.exe 2992 Ffiebc32.exe 1776 Gaoiol32.exe 880 Gjgmhaim.exe 2296 Gfnnmboa.exe 2220 Geckno32.exe 2784 Gokpgd32.exe 1604 Ghcdpjqj.exe 2600 Hlamfh32.exe 2716 Hejaon32.exe 2648 Hpcbol32.exe 812 Hgpgae32.exe 1064 Hddgkj32.exe 1700 Igdqmeke.exe 2876 Ilaieljl.exe 2908 Ikfffh32.exe 2328 Ifljcanj.exe 1752 Injlmcib.exe 1820 Jcmjfiab.exe 2120 Jijbnppi.exe 1288 Jjjohbgl.exe 3028 Kbedmedg.exe 964 Kmjhjndm.exe 1292 Kbgqbdbd.exe 2860 Kkpekjie.exe 2100 Kamncagl.exe 1988 Kejfio32.exe 1736 Kjgoaflj.exe 296 Kcpcjl32.exe 2200 Lneghd32.exe 2804 Lcbppk32.exe 2976 Liohhbno.exe 2760 Lbgmah32.exe 2636 Lmmaoq32.exe 3068 Lbijgg32.exe 2236 Lopjlh32.exe 2008 Lhiodnob.exe 2460 Laacmc32.exe 1660 Mhkkjnmo.exe 2060 Mbqpgf32.exe 2172 Mhmhpm32.exe 1960 Mddidnqa.exe 276 Mojmbg32.exe -
Loads dropped DLL 64 IoCs
pid Process 2252 164c49b60ac0718a6f3668f4cc638c6da578e0799bbd2105898e74dfc1f2a169.exe 2252 164c49b60ac0718a6f3668f4cc638c6da578e0799bbd2105898e74dfc1f2a169.exe 2364 Biiljjnk.exe 2364 Biiljjnk.exe 2380 Bofebqlb.exe 2380 Bofebqlb.exe 2776 Chafpfqp.exe 2776 Chafpfqp.exe 2768 Cnnohmog.exe 2768 Cnnohmog.exe 2612 Cnpknl32.exe 2612 Cnpknl32.exe 2592 Ccoplcii.exe 2592 Ccoplcii.exe 2384 Cgmiba32.exe 2384 Cgmiba32.exe 2952 Dbgjbo32.exe 2952 Dbgjbo32.exe 2440 Dbighojl.exe 2440 Dbighojl.exe 1272 Dfgpnm32.exe 1272 Dfgpnm32.exe 2924 Dopdgb32.exe 2924 Dopdgb32.exe 1692 Dndahokk.exe 1692 Dndahokk.exe 2488 Ejpkho32.exe 2488 Ejpkho32.exe 2184 Epmcqf32.exe 2184 Epmcqf32.exe 2820 Ekcdegqe.exe 2820 Ekcdegqe.exe 3024 Efihcpqk.exe 3024 Efihcpqk.exe 1728 Fgmaphdg.exe 1728 Fgmaphdg.exe 1948 Fbbfmqdm.exe 1948 Fbbfmqdm.exe 1768 Fnifbaja.exe 1768 Fnifbaja.exe 1528 Fhakkg32.exe 1528 Fhakkg32.exe 1800 Fajpdmgb.exe 1800 Fajpdmgb.exe 1648 Fallil32.exe 1648 Fallil32.exe 2992 Ffiebc32.exe 2992 Ffiebc32.exe 1776 Gaoiol32.exe 1776 Gaoiol32.exe 880 Gjgmhaim.exe 880 Gjgmhaim.exe 2296 Gfnnmboa.exe 2296 Gfnnmboa.exe 2220 Geckno32.exe 2220 Geckno32.exe 2784 Gokpgd32.exe 2784 Gokpgd32.exe 1604 Ghcdpjqj.exe 1604 Ghcdpjqj.exe 2600 Hlamfh32.exe 2600 Hlamfh32.exe 2716 Hejaon32.exe 2716 Hejaon32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Denollgl.dll Coidpiac.exe File created C:\Windows\SysWOW64\Qcield32.dll Gcmgdpid.exe File created C:\Windows\SysWOW64\Bbeaaiga.dll Dclikp32.exe File created C:\Windows\SysWOW64\Nndhfngb.dll Hpckee32.exe File created C:\Windows\SysWOW64\Gapbbk32.exe Fhgnie32.exe File created C:\Windows\SysWOW64\Kjagag32.dll Dbighojl.exe File created C:\Windows\SysWOW64\Jcmjfiab.exe Injlmcib.exe File opened for modification C:\Windows\SysWOW64\Caofmc32.exe Chfadndo.exe File created C:\Windows\SysWOW64\Hfqddkgm.dll Jdnpck32.exe File created C:\Windows\SysWOW64\Oleinmgd.exe Ocmdeg32.exe File created C:\Windows\SysWOW64\Imqkokae.dll Chdeonfa.exe File created C:\Windows\SysWOW64\Bamdcf32.exe Blplkp32.exe File opened for modification C:\Windows\SysWOW64\Fhgnie32.exe Fffabman.exe File opened for modification C:\Windows\SysWOW64\Gjjcqpbj.exe Gabohk32.exe File created C:\Windows\SysWOW64\Bbnjphpe.exe Bpomdmqa.exe File opened for modification C:\Windows\SysWOW64\Chfadndo.exe Chdeonfa.exe File created C:\Windows\SysWOW64\Ngnenojn.dll Bofebqlb.exe File created C:\Windows\SysWOW64\Djfagjai.exe Dclikp32.exe File created C:\Windows\SysWOW64\Mhmhpm32.exe Mbqpgf32.exe File created C:\Windows\SysWOW64\Glefpd32.exe Gapbbk32.exe File created C:\Windows\SysWOW64\Iankbldh.exe Ighfecdb.exe File created C:\Windows\SysWOW64\Gaoiol32.exe Ffiebc32.exe File created C:\Windows\SysWOW64\Obhblkpa.dll Dcjleq32.exe File opened for modification C:\Windows\SysWOW64\Bbkmki32.exe Bfdlehlc.exe File opened for modification C:\Windows\SysWOW64\Ikfffh32.exe Ilaieljl.exe File opened for modification C:\Windows\SysWOW64\Mhbakmgg.exe Mojmbg32.exe File created C:\Windows\SysWOW64\Fmcnbemk.dll Lnmglbgh.exe File created C:\Windows\SysWOW64\Lgomphhn.dll Hgpgae32.exe File created C:\Windows\SysWOW64\Pnjdoh32.dll Knkngp32.exe File opened for modification C:\Windows\SysWOW64\Liohhbno.exe Lcbppk32.exe File opened for modification C:\Windows\SysWOW64\Jomnpdjb.exe Jhbfcj32.exe File opened for modification C:\Windows\SysWOW64\Beccgi32.exe Blkoocfl.exe File created C:\Windows\SysWOW64\Indkgm32.exe Iankbldh.exe File created C:\Windows\SysWOW64\Eqmbca32.exe Egdnjlcg.exe File created C:\Windows\SysWOW64\Ajcpgi32.exe Qakkncmi.exe File created C:\Windows\SysWOW64\Ehbdif32.exe Ekndpa32.exe File created C:\Windows\SysWOW64\Ghndjd32.exe Gadkmj32.exe File opened for modification C:\Windows\SysWOW64\Dopdgb32.exe Dfgpnm32.exe File opened for modification C:\Windows\SysWOW64\Blkoocfl.exe Boadlk32.exe File opened for modification C:\Windows\SysWOW64\Kbedmedg.exe Jjjohbgl.exe File created C:\Windows\SysWOW64\Hfkenkgd.dll Gfigkljk.exe File opened for modification C:\Windows\SysWOW64\Doipoldo.exe Dilggefh.exe File opened for modification C:\Windows\SysWOW64\Campbj32.exe Beccgi32.exe File opened for modification C:\Windows\SysWOW64\Gjjlfjoo.exe Gaahmd32.exe File opened for modification C:\Windows\SysWOW64\Ekcdegqe.exe Epmcqf32.exe File created C:\Windows\SysWOW64\Gokpgd32.exe Geckno32.exe File created C:\Windows\SysWOW64\Edghoc32.dll Aamhdckg.exe File opened for modification C:\Windows\SysWOW64\Algida32.exe Afjplj32.exe File opened for modification C:\Windows\SysWOW64\Fffabman.exe Fmnmih32.exe File opened for modification C:\Windows\SysWOW64\Hkoikcaq.exe Hafdbmjp.exe File opened for modification C:\Windows\SysWOW64\Pnbeacbd.exe Pdjqinld.exe File opened for modification C:\Windows\SysWOW64\Kamncagl.exe Kkpekjie.exe File opened for modification C:\Windows\SysWOW64\Nglhghgj.exe Nlfdjphd.exe File opened for modification C:\Windows\SysWOW64\Pfhghgie.exe Pjafbfca.exe File created C:\Windows\SysWOW64\Fnndco32.dll Cnpknl32.exe File opened for modification C:\Windows\SysWOW64\Kbgqbdbd.exe Kmjhjndm.exe File created C:\Windows\SysWOW64\Hafdbmjp.exe Hfmcapna.exe File opened for modification C:\Windows\SysWOW64\Knkngp32.exe Kdcinjpo.exe File created C:\Windows\SysWOW64\Jpjjklod.dll Ekcdegqe.exe File created C:\Windows\SysWOW64\Fjbfek32.exe Fbeeliin.exe File opened for modification C:\Windows\SysWOW64\Pbohmh32.exe Pkeppngm.exe File created C:\Windows\SysWOW64\Gafemcch.dll Qjacai32.exe File created C:\Windows\SysWOW64\Ikoaghlg.dll Pkopjh32.exe File opened for modification C:\Windows\SysWOW64\Ccoplcii.exe Cnpknl32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 4084 3576 WerFault.exe 294 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lmmaoq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mbqpgf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ilihij32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kjgoaflj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dnoqbi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Egdnjlcg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fjbfek32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Chafpfqp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ghndjd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ecfednma.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pjafbfca.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Indkgm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jndgfqlh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fimgmj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nknmplji.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pkglenej.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Afjplj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gadkmj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hfmcapna.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jdnpck32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ckpdej32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dfgpnm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ogldfl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nbmhfdnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fdadbd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fbbfmqdm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Onacgf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fhgnie32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oleinmgd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Coidpiac.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fajpdmgb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cleaebna.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dkohanoc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ighfecdb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kcpcjl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nlcpjj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Djfagjai.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mabihm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ohdkop32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oqibjq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ekkppkpf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Geckno32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oaolne32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aamhdckg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hemggm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Onkoadhm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hddgkj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Boadlk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Djokgk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ecabfpff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iankbldh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nglhghgj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ikfffh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lbgmah32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bpomdmqa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Igdqmeke.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lopjlh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Emdjbi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hpckee32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hpcbol32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dopdgb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fmffhi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Igmppcpm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pkopjh32.exe -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 164c49b60ac0718a6f3668f4cc638c6da578e0799bbd2105898e74dfc1f2a169.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kdcinjpo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cammfg32.dll" Doipoldo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Igehbokf.dll" Edieng32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jciikigk.dll" Mbqpgf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Odpeop32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghdjjgdp.dll" Campbj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gjgmhaim.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ddbbod32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Djokgk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jdnpck32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bofebqlb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lnikgnhe.dll" Coqaknog.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gapbbk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eqmbca32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bofebqlb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Neaehelb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Agnopk32.dll" Ehphdf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hfmcapna.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hlamfh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Laacmc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gmklbk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nmlcbafa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Adpmnd32.dll" Mmlfcn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dfgpnm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dcjleq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Iankbldh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ofaaghom.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Chkbjc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Indkgm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bfdlehlc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Blnigogd.dll" Epmcqf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Anlkakqa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Idnpdn32.dll" Ebfpglkn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nndhfngb.dll" Hpckee32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lcjodiep.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Egdnjlcg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mbmbeehf.dll" Ilaieljl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lhiodnob.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ceajdhdn.dll" Dnoqbi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hfqddkgm.dll" Jdnpck32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mdbdlp32.dll" Ifljcanj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jndgfqlh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lemlao32.dll" Agmbolin.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dafchi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pfnjfepp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" 164c49b60ac0718a6f3668f4cc638c6da578e0799bbd2105898e74dfc1f2a169.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fhakkg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fffabman.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lfkhed32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Afbpph32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hddgkj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ngikaijm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ecnbpcje.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ghndjd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cdooongp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fffabman.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jhbfcj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qohkdkdn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Moifmnie.dll" Igdqmeke.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fhdbgqke.dll" Mpmfoodb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Beccgi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fibgfl32.dll" Dilggefh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cneheief.dll" Ndfbia32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2252 wrote to memory of 2364 2252 164c49b60ac0718a6f3668f4cc638c6da578e0799bbd2105898e74dfc1f2a169.exe 29 PID 2252 wrote to memory of 2364 2252 164c49b60ac0718a6f3668f4cc638c6da578e0799bbd2105898e74dfc1f2a169.exe 29 PID 2252 wrote to memory of 2364 2252 164c49b60ac0718a6f3668f4cc638c6da578e0799bbd2105898e74dfc1f2a169.exe 29 PID 2252 wrote to memory of 2364 2252 164c49b60ac0718a6f3668f4cc638c6da578e0799bbd2105898e74dfc1f2a169.exe 29 PID 2364 wrote to memory of 2380 2364 Biiljjnk.exe 30 PID 2364 wrote to memory of 2380 2364 Biiljjnk.exe 30 PID 2364 wrote to memory of 2380 2364 Biiljjnk.exe 30 PID 2364 wrote to memory of 2380 2364 Biiljjnk.exe 30 PID 2380 wrote to memory of 2776 2380 Bofebqlb.exe 31 PID 2380 wrote to memory of 2776 2380 Bofebqlb.exe 31 PID 2380 wrote to memory of 2776 2380 Bofebqlb.exe 31 PID 2380 wrote to memory of 2776 2380 Bofebqlb.exe 31 PID 2776 wrote to memory of 2768 2776 Chafpfqp.exe 32 PID 2776 wrote to memory of 2768 2776 Chafpfqp.exe 32 PID 2776 wrote to memory of 2768 2776 Chafpfqp.exe 32 PID 2776 wrote to memory of 2768 2776 Chafpfqp.exe 32 PID 2768 wrote to memory of 2612 2768 Cnnohmog.exe 33 PID 2768 wrote to memory of 2612 2768 Cnnohmog.exe 33 PID 2768 wrote to memory of 2612 2768 Cnnohmog.exe 33 PID 2768 wrote to memory of 2612 2768 Cnnohmog.exe 33 PID 2612 wrote to memory of 2592 2612 Cnpknl32.exe 34 PID 2612 wrote to memory of 2592 2612 Cnpknl32.exe 34 PID 2612 wrote to memory of 2592 2612 Cnpknl32.exe 34 PID 2612 wrote to memory of 2592 2612 Cnpknl32.exe 34 PID 2592 wrote to memory of 2384 2592 Ccoplcii.exe 35 PID 2592 wrote to memory of 2384 2592 Ccoplcii.exe 35 PID 2592 wrote to memory of 2384 2592 Ccoplcii.exe 35 PID 2592 wrote to memory of 2384 2592 Ccoplcii.exe 35 PID 2384 wrote to memory of 2952 2384 Cgmiba32.exe 36 PID 2384 wrote to memory of 2952 2384 Cgmiba32.exe 36 PID 2384 wrote to memory of 2952 2384 Cgmiba32.exe 36 PID 2384 wrote to memory of 2952 2384 Cgmiba32.exe 36 PID 2952 wrote to memory of 2440 2952 Dbgjbo32.exe 37 PID 2952 wrote to memory of 2440 2952 Dbgjbo32.exe 37 PID 2952 wrote to memory of 2440 2952 Dbgjbo32.exe 37 PID 2952 wrote to memory of 2440 2952 Dbgjbo32.exe 37 PID 2440 wrote to memory of 1272 2440 Dbighojl.exe 38 PID 2440 wrote to memory of 1272 2440 Dbighojl.exe 38 PID 2440 wrote to memory of 1272 2440 Dbighojl.exe 38 PID 2440 wrote to memory of 1272 2440 Dbighojl.exe 38 PID 1272 wrote to memory of 2924 1272 Dfgpnm32.exe 39 PID 1272 wrote to memory of 2924 1272 Dfgpnm32.exe 39 PID 1272 wrote to memory of 2924 1272 Dfgpnm32.exe 39 PID 1272 wrote to memory of 2924 1272 Dfgpnm32.exe 39 PID 2924 wrote to memory of 1692 2924 Dopdgb32.exe 40 PID 2924 wrote to memory of 1692 2924 Dopdgb32.exe 40 PID 2924 wrote to memory of 1692 2924 Dopdgb32.exe 40 PID 2924 wrote to memory of 1692 2924 Dopdgb32.exe 40 PID 1692 wrote to memory of 2488 1692 Dndahokk.exe 41 PID 1692 wrote to memory of 2488 1692 Dndahokk.exe 41 PID 1692 wrote to memory of 2488 1692 Dndahokk.exe 41 PID 1692 wrote to memory of 2488 1692 Dndahokk.exe 41 PID 2488 wrote to memory of 2184 2488 Ejpkho32.exe 42 PID 2488 wrote to memory of 2184 2488 Ejpkho32.exe 42 PID 2488 wrote to memory of 2184 2488 Ejpkho32.exe 42 PID 2488 wrote to memory of 2184 2488 Ejpkho32.exe 42 PID 2184 wrote to memory of 2820 2184 Epmcqf32.exe 43 PID 2184 wrote to memory of 2820 2184 Epmcqf32.exe 43 PID 2184 wrote to memory of 2820 2184 Epmcqf32.exe 43 PID 2184 wrote to memory of 2820 2184 Epmcqf32.exe 43 PID 2820 wrote to memory of 3024 2820 Ekcdegqe.exe 44 PID 2820 wrote to memory of 3024 2820 Ekcdegqe.exe 44 PID 2820 wrote to memory of 3024 2820 Ekcdegqe.exe 44 PID 2820 wrote to memory of 3024 2820 Ekcdegqe.exe 44
Processes
-
C:\Users\Admin\AppData\Local\Temp\164c49b60ac0718a6f3668f4cc638c6da578e0799bbd2105898e74dfc1f2a169.exe"C:\Users\Admin\AppData\Local\Temp\164c49b60ac0718a6f3668f4cc638c6da578e0799bbd2105898e74dfc1f2a169.exe"1⤵
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2252 -
C:\Windows\SysWOW64\Biiljjnk.exeC:\Windows\system32\Biiljjnk.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2364 -
C:\Windows\SysWOW64\Bofebqlb.exeC:\Windows\system32\Bofebqlb.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2380 -
C:\Windows\SysWOW64\Chafpfqp.exeC:\Windows\system32\Chafpfqp.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2776 -
C:\Windows\SysWOW64\Cnnohmog.exeC:\Windows\system32\Cnnohmog.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2768 -
C:\Windows\SysWOW64\Cnpknl32.exeC:\Windows\system32\Cnpknl32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2612 -
C:\Windows\SysWOW64\Ccoplcii.exeC:\Windows\system32\Ccoplcii.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2592 -
C:\Windows\SysWOW64\Cgmiba32.exeC:\Windows\system32\Cgmiba32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2384 -
C:\Windows\SysWOW64\Dbgjbo32.exeC:\Windows\system32\Dbgjbo32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2952 -
C:\Windows\SysWOW64\Dbighojl.exeC:\Windows\system32\Dbighojl.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2440 -
C:\Windows\SysWOW64\Dfgpnm32.exeC:\Windows\system32\Dfgpnm32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1272 -
C:\Windows\SysWOW64\Dopdgb32.exeC:\Windows\system32\Dopdgb32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2924 -
C:\Windows\SysWOW64\Dndahokk.exeC:\Windows\system32\Dndahokk.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1692 -
C:\Windows\SysWOW64\Ejpkho32.exeC:\Windows\system32\Ejpkho32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2488 -
C:\Windows\SysWOW64\Epmcqf32.exeC:\Windows\system32\Epmcqf32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2184 -
C:\Windows\SysWOW64\Ekcdegqe.exeC:\Windows\system32\Ekcdegqe.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2820 -
C:\Windows\SysWOW64\Efihcpqk.exeC:\Windows\system32\Efihcpqk.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3024 -
C:\Windows\SysWOW64\Fgmaphdg.exeC:\Windows\system32\Fgmaphdg.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1728 -
C:\Windows\SysWOW64\Fbbfmqdm.exeC:\Windows\system32\Fbbfmqdm.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1948 -
C:\Windows\SysWOW64\Fnifbaja.exeC:\Windows\system32\Fnifbaja.exe20⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1768 -
C:\Windows\SysWOW64\Fhakkg32.exeC:\Windows\system32\Fhakkg32.exe21⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1528 -
C:\Windows\SysWOW64\Fajpdmgb.exeC:\Windows\system32\Fajpdmgb.exe22⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1800 -
C:\Windows\SysWOW64\Fallil32.exeC:\Windows\system32\Fallil32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1648 -
C:\Windows\SysWOW64\Ffiebc32.exeC:\Windows\system32\Ffiebc32.exe24⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2992 -
C:\Windows\SysWOW64\Gaoiol32.exeC:\Windows\system32\Gaoiol32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1776 -
C:\Windows\SysWOW64\Gjgmhaim.exeC:\Windows\system32\Gjgmhaim.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:880 -
C:\Windows\SysWOW64\Gfnnmboa.exeC:\Windows\system32\Gfnnmboa.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2296 -
C:\Windows\SysWOW64\Geckno32.exeC:\Windows\system32\Geckno32.exe28⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2220 -
C:\Windows\SysWOW64\Gokpgd32.exeC:\Windows\system32\Gokpgd32.exe29⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2784 -
C:\Windows\SysWOW64\Ghcdpjqj.exeC:\Windows\system32\Ghcdpjqj.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1604 -
C:\Windows\SysWOW64\Hlamfh32.exeC:\Windows\system32\Hlamfh32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2600 -
C:\Windows\SysWOW64\Hejaon32.exeC:\Windows\system32\Hejaon32.exe32⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2716 -
C:\Windows\SysWOW64\Hpcbol32.exeC:\Windows\system32\Hpcbol32.exe33⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2648 -
C:\Windows\SysWOW64\Hgpgae32.exeC:\Windows\system32\Hgpgae32.exe34⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:812 -
C:\Windows\SysWOW64\Hddgkj32.exeC:\Windows\system32\Hddgkj32.exe35⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1064 -
C:\Windows\SysWOW64\Igdqmeke.exeC:\Windows\system32\Igdqmeke.exe36⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1700 -
C:\Windows\SysWOW64\Ilaieljl.exeC:\Windows\system32\Ilaieljl.exe37⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2876 -
C:\Windows\SysWOW64\Ikfffh32.exeC:\Windows\system32\Ikfffh32.exe38⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2908 -
C:\Windows\SysWOW64\Ifljcanj.exeC:\Windows\system32\Ifljcanj.exe39⤵
- Executes dropped EXE
- Modifies registry class
PID:2328 -
C:\Windows\SysWOW64\Injlmcib.exeC:\Windows\system32\Injlmcib.exe40⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1752 -
C:\Windows\SysWOW64\Jcmjfiab.exeC:\Windows\system32\Jcmjfiab.exe41⤵
- Executes dropped EXE
PID:1820 -
C:\Windows\SysWOW64\Jijbnppi.exeC:\Windows\system32\Jijbnppi.exe42⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2120 -
C:\Windows\SysWOW64\Jjjohbgl.exeC:\Windows\system32\Jjjohbgl.exe43⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1288 -
C:\Windows\SysWOW64\Kbedmedg.exeC:\Windows\system32\Kbedmedg.exe44⤵
- Executes dropped EXE
PID:3028 -
C:\Windows\SysWOW64\Kmjhjndm.exeC:\Windows\system32\Kmjhjndm.exe45⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:964 -
C:\Windows\SysWOW64\Kbgqbdbd.exeC:\Windows\system32\Kbgqbdbd.exe46⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1292 -
C:\Windows\SysWOW64\Kkpekjie.exeC:\Windows\system32\Kkpekjie.exe47⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2860 -
C:\Windows\SysWOW64\Kamncagl.exeC:\Windows\system32\Kamncagl.exe48⤵
- Executes dropped EXE
PID:2100 -
C:\Windows\SysWOW64\Kejfio32.exeC:\Windows\system32\Kejfio32.exe49⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1988 -
C:\Windows\SysWOW64\Kjgoaflj.exeC:\Windows\system32\Kjgoaflj.exe50⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1736 -
C:\Windows\SysWOW64\Kcpcjl32.exeC:\Windows\system32\Kcpcjl32.exe51⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:296 -
C:\Windows\SysWOW64\Lneghd32.exeC:\Windows\system32\Lneghd32.exe52⤵
- Executes dropped EXE
PID:2200 -
C:\Windows\SysWOW64\Lcbppk32.exeC:\Windows\system32\Lcbppk32.exe53⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2804 -
C:\Windows\SysWOW64\Liohhbno.exeC:\Windows\system32\Liohhbno.exe54⤵
- Executes dropped EXE
PID:2976 -
C:\Windows\SysWOW64\Lbgmah32.exeC:\Windows\system32\Lbgmah32.exe55⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2760 -
C:\Windows\SysWOW64\Lmmaoq32.exeC:\Windows\system32\Lmmaoq32.exe56⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2636 -
C:\Windows\SysWOW64\Lbijgg32.exeC:\Windows\system32\Lbijgg32.exe57⤵
- Executes dropped EXE
PID:3068 -
C:\Windows\SysWOW64\Lopjlh32.exeC:\Windows\system32\Lopjlh32.exe58⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2236 -
C:\Windows\SysWOW64\Lhiodnob.exeC:\Windows\system32\Lhiodnob.exe59⤵
- Executes dropped EXE
- Modifies registry class
PID:2008 -
C:\Windows\SysWOW64\Laacmc32.exeC:\Windows\system32\Laacmc32.exe60⤵
- Executes dropped EXE
- Modifies registry class
PID:2460 -
C:\Windows\SysWOW64\Mhkkjnmo.exeC:\Windows\system32\Mhkkjnmo.exe61⤵
- Executes dropped EXE
PID:1660 -
C:\Windows\SysWOW64\Mbqpgf32.exeC:\Windows\system32\Mbqpgf32.exe62⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2060 -
C:\Windows\SysWOW64\Mhmhpm32.exeC:\Windows\system32\Mhmhpm32.exe63⤵
- Executes dropped EXE
PID:2172 -
C:\Windows\SysWOW64\Mddidnqa.exeC:\Windows\system32\Mddidnqa.exe64⤵
- Executes dropped EXE
PID:1960 -
C:\Windows\SysWOW64\Mojmbg32.exeC:\Windows\system32\Mojmbg32.exe65⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:276 -
C:\Windows\SysWOW64\Mhbakmgg.exeC:\Windows\system32\Mhbakmgg.exe66⤵PID:2964
-
C:\Windows\SysWOW64\Mpmfoodb.exeC:\Windows\system32\Mpmfoodb.exe67⤵
- Modifies registry class
PID:1684 -
C:\Windows\SysWOW64\Ngikaijm.exeC:\Windows\system32\Ngikaijm.exe68⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2504 -
C:\Windows\SysWOW64\Nlfdjphd.exeC:\Windows\system32\Nlfdjphd.exe69⤵
- Drops file in System32 directory
PID:828 -
C:\Windows\SysWOW64\Nglhghgj.exeC:\Windows\system32\Nglhghgj.exe70⤵
- System Location Discovery: System Language Discovery
PID:1652 -
C:\Windows\SysWOW64\Nogmkk32.exeC:\Windows\system32\Nogmkk32.exe71⤵PID:2852
-
C:\Windows\SysWOW64\Neaehelb.exeC:\Windows\system32\Neaehelb.exe72⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2824 -
C:\Windows\SysWOW64\Nknmplji.exeC:\Windows\system32\Nknmplji.exe73⤵
- System Location Discovery: System Language Discovery
PID:2856 -
C:\Windows\SysWOW64\Ndfbia32.exeC:\Windows\system32\Ndfbia32.exe74⤵
- Modifies registry class
PID:2720 -
C:\Windows\SysWOW64\Nolffjap.exeC:\Windows\system32\Nolffjap.exe75⤵PID:2632
-
C:\Windows\SysWOW64\Ohdkop32.exeC:\Windows\system32\Ohdkop32.exe76⤵
- System Location Discovery: System Language Discovery
PID:1656 -
C:\Windows\SysWOW64\Onacgf32.exeC:\Windows\system32\Onacgf32.exe77⤵
- System Location Discovery: System Language Discovery
PID:2104 -
C:\Windows\SysWOW64\Ogigpllh.exeC:\Windows\system32\Ogigpllh.exe78⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2284 -
C:\Windows\SysWOW64\Oaolne32.exeC:\Windows\system32\Oaolne32.exe79⤵
- System Location Discovery: System Language Discovery
PID:872 -
C:\Windows\SysWOW64\Ogldfl32.exeC:\Windows\system32\Ogldfl32.exe80⤵
- System Location Discovery: System Language Discovery
PID:612 -
C:\Windows\SysWOW64\Odpeop32.exeC:\Windows\system32\Odpeop32.exe81⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:1632 -
C:\Windows\SysWOW64\Ofaaghom.exeC:\Windows\system32\Ofaaghom.exe82⤵
- Modifies registry class
PID:1096 -
C:\Windows\SysWOW64\Ooiepnen.exeC:\Windows\system32\Ooiepnen.exe83⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1852 -
C:\Windows\SysWOW64\Ojojmfed.exeC:\Windows\system32\Ojojmfed.exe84⤵PID:2348
-
C:\Windows\SysWOW64\Oqibjq32.exeC:\Windows\system32\Oqibjq32.exe85⤵
- System Location Discovery: System Language Discovery
PID:1284 -
C:\Windows\SysWOW64\Pjafbfca.exeC:\Windows\system32\Pjafbfca.exe86⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2208 -
C:\Windows\SysWOW64\Pfhghgie.exeC:\Windows\system32\Pfhghgie.exe87⤵PID:2320
-
C:\Windows\SysWOW64\Pkeppngm.exeC:\Windows\system32\Pkeppngm.exe88⤵
- Drops file in System32 directory
PID:2988 -
C:\Windows\SysWOW64\Pbohmh32.exeC:\Windows\system32\Pbohmh32.exe89⤵PID:2000
-
C:\Windows\SysWOW64\Pkglenej.exeC:\Windows\system32\Pkglenej.exe90⤵
- System Location Discovery: System Language Discovery
PID:2744 -
C:\Windows\SysWOW64\Pkiikm32.exeC:\Windows\system32\Pkiikm32.exe91⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2108 -
C:\Windows\SysWOW64\Peandcih.exeC:\Windows\system32\Peandcih.exe92⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1940 -
C:\Windows\SysWOW64\Qklfqm32.exeC:\Windows\system32\Qklfqm32.exe93⤵PID:2396
-
C:\Windows\SysWOW64\Qahnid32.exeC:\Windows\system32\Qahnid32.exe94⤵PID:1140
-
C:\Windows\SysWOW64\Qjacai32.exeC:\Windows\system32\Qjacai32.exe95⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:1740 -
C:\Windows\SysWOW64\Qakkncmi.exeC:\Windows\system32\Qakkncmi.exe96⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2532 -
C:\Windows\SysWOW64\Ajcpgi32.exeC:\Windows\system32\Ajcpgi32.exe97⤵PID:3036
-
C:\Windows\SysWOW64\Aamhdckg.exeC:\Windows\system32\Aamhdckg.exe98⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:696 -
C:\Windows\SysWOW64\Afjplj32.exeC:\Windows\system32\Afjplj32.exe99⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2036 -
C:\Windows\SysWOW64\Algida32.exeC:\Windows\system32\Algida32.exe100⤵PID:2424
-
C:\Windows\SysWOW64\Abaaakob.exeC:\Windows\system32\Abaaakob.exe101⤵PID:2216
-
C:\Windows\SysWOW64\Amfeodoh.exeC:\Windows\system32\Amfeodoh.exe102⤵PID:1464
-
C:\Windows\SysWOW64\Aeajcf32.exeC:\Windows\system32\Aeajcf32.exe103⤵PID:2832
-
C:\Windows\SysWOW64\Ahpfoa32.exeC:\Windows\system32\Ahpfoa32.exe104⤵PID:2588
-
C:\Windows\SysWOW64\Apgnpo32.exeC:\Windows\system32\Apgnpo32.exe105⤵PID:952
-
C:\Windows\SysWOW64\Anlkakqa.exeC:\Windows\system32\Anlkakqa.exe106⤵
- Modifies registry class
PID:3052 -
C:\Windows\SysWOW64\Bdiciboh.exeC:\Windows\system32\Bdiciboh.exe107⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:616 -
C:\Windows\SysWOW64\Blplkp32.exeC:\Windows\system32\Blplkp32.exe108⤵
- Drops file in System32 directory
PID:1516 -
C:\Windows\SysWOW64\Bamdcf32.exeC:\Windows\system32\Bamdcf32.exe109⤵PID:2996
-
C:\Windows\SysWOW64\Boadlk32.exeC:\Windows\system32\Boadlk32.exe110⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2968 -
C:\Windows\SysWOW64\Blkoocfl.exeC:\Windows\system32\Blkoocfl.exe111⤵
- Drops file in System32 directory
PID:776 -
C:\Windows\SysWOW64\Beccgi32.exeC:\Windows\system32\Beccgi32.exe112⤵
- Drops file in System32 directory
- Modifies registry class
PID:1784 -
C:\Windows\SysWOW64\Campbj32.exeC:\Windows\system32\Campbj32.exe113⤵
- Modifies registry class
PID:2052 -
C:\Windows\SysWOW64\Chghodgj.exeC:\Windows\system32\Chghodgj.exe114⤵PID:2160
-
C:\Windows\SysWOW64\Coqaknog.exeC:\Windows\system32\Coqaknog.exe115⤵
- Modifies registry class
PID:2596 -
C:\Windows\SysWOW64\Cekihh32.exeC:\Windows\system32\Cekihh32.exe116⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2816 -
C:\Windows\SysWOW64\Cleaebna.exeC:\Windows\system32\Cleaebna.exe117⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:2640 -
C:\Windows\SysWOW64\Cocnanmd.exeC:\Windows\system32\Cocnanmd.exe118⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:684 -
C:\Windows\SysWOW64\Cemfnh32.exeC:\Windows\system32\Cemfnh32.exe119⤵PID:2948
-
C:\Windows\SysWOW64\Chkbjc32.exeC:\Windows\system32\Chkbjc32.exe120⤵
- Modifies registry class
PID:1908 -
C:\Windows\SysWOW64\Coejfn32.exeC:\Windows\system32\Coejfn32.exe121⤵PID:832
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-