Analysis
-
max time kernel
141s -
max time network
16s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
20-09-2024 23:22
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
24d7a39b1f5abb623956581ec200d854715f8ac0a17b108f18d8539ff4de0272N.exe
Resource
win7-20240903-en
windows7-x64
8 signatures
150 seconds
Behavioral task
behavioral2
Sample
24d7a39b1f5abb623956581ec200d854715f8ac0a17b108f18d8539ff4de0272N.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
7 signatures
150 seconds
General
-
Target
24d7a39b1f5abb623956581ec200d854715f8ac0a17b108f18d8539ff4de0272N.exe
-
Size
56KB
-
MD5
67c9bfa0ac843dab1ba7d39854d659f0
-
SHA1
a1e0c69010e0ae124a8ea4741147f021ce01c5d6
-
SHA256
24d7a39b1f5abb623956581ec200d854715f8ac0a17b108f18d8539ff4de0272
-
SHA512
4421c5c4de75fc82612398ba2127a37527745a51c3da374a66ad083428d999fb1f5ba43875a65ab60eeccc2dd16aec1a1371e6c4d0b6edb988773135d5f818a2
-
SSDEEP
768:lf6tPADnszk/CjxYtluIuLxAzXiTTUvcIeEJ98F8c2EtB/yoX+cDIZ9ZLWAJBv81:lEAD5eRotKL9yoX+zZ/dkt
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Caohfl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Elpldp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mkihfi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ocpakg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cobkhe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hacabgig.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pjmnck32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hjpnjheg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mpjqfpke.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jddfbf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qnpbbn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Idojon32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bqhffj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gpagbp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cplkehnk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ljlhme32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ccbojk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jfoookfn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pokndp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lfcmchla.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gkancm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cfhjjp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ebkibk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Acldpojj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Enliaf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nndhpqma.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eigbfb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mhaobd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hglobj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ipnigl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Akpmhdqd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Amledj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hbokkagk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ndnbeclb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jkbhjo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pbmlbmfg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lcbbidgl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fhpflblk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Diackmif.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cjdonndl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Edokna32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lpbhmiji.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Apbblg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bpfhfjgq.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Feppqc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fobodn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bknani32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bmacqj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cdjckfda.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Egchocif.exe -
Executes dropped EXE 64 IoCs
pid Process 2480 Cicggcke.exe 2928 Cejhld32.exe 2332 Cgkanomj.exe 2972 Ceoagcld.exe 2632 Cngfqi32.exe 2680 Cnjbfhqa.exe 1088 Dpmlcpdm.exe 2052 Dfjaej32.exe 2416 Dlfina32.exe 2132 Dlifcqfl.exe 284 Elpldp32.exe 2276 Ekeiel32.exe 2372 Eaoaafli.exe 2208 Fdpjcaij.exe 1168 Fgqcel32.exe 756 Fondonbc.exe 2060 Fkeedo32.exe 1984 Gemfghek.exe 1744 Gklkdn32.exe 784 Glpdbfek.exe 1940 Gfhikl32.exe 1444 Hfjfpkji.exe 2308 Hbafel32.exe 2304 Hbepplkh.exe 2772 Hiphmf32.exe 2792 Hjcajn32.exe 1572 Ikbndqnc.exe 2684 Iabcbg32.exe 2140 Ifoljn32.exe 2496 Ipgpcc32.exe 2548 Imkqmh32.exe 2092 Jplinckj.exe 3008 Jffakm32.exe 2880 Jnafop32.exe 952 Jlegic32.exe 2360 Kikpgk32.exe 2388 Leaallcb.exe 1736 Lllihf32.exe 2268 Lnmfpnqn.exe 1044 Lnobfn32.exe 1524 Ldikbhfh.exe 1824 Lamkllea.exe 1980 Lcnhcdkp.exe 2324 Lpbhmiji.exe 1540 Lcqdidim.exe 2604 Mjkmfn32.exe 3068 Mogene32.exe 1600 Mjmiknng.exe 2836 Mqgahh32.exe 2920 Mfdjpo32.exe 2180 Moloidjl.exe 2628 Mkconepp.exe 2804 Mfhcknpf.exe 1732 Nndhpqma.exe 2400 Nqbdllld.exe 2728 Nnfeep32.exe 2228 Ndpmbjbk.exe 2424 Nmkbfmpf.exe 540 Ncejcg32.exe 2448 Nmnoll32.exe 2216 Nffcebdd.exe 2212 Npngng32.exe 2288 Ojdlkp32.exe 1904 Opqdcgib.exe -
Loads dropped DLL 64 IoCs
pid Process 1424 24d7a39b1f5abb623956581ec200d854715f8ac0a17b108f18d8539ff4de0272N.exe 1424 24d7a39b1f5abb623956581ec200d854715f8ac0a17b108f18d8539ff4de0272N.exe 2480 Cicggcke.exe 2480 Cicggcke.exe 2928 Cejhld32.exe 2928 Cejhld32.exe 2332 Cgkanomj.exe 2332 Cgkanomj.exe 2972 Ceoagcld.exe 2972 Ceoagcld.exe 2632 Cngfqi32.exe 2632 Cngfqi32.exe 2680 Cnjbfhqa.exe 2680 Cnjbfhqa.exe 1088 Dpmlcpdm.exe 1088 Dpmlcpdm.exe 2052 Dfjaej32.exe 2052 Dfjaej32.exe 2416 Dlfina32.exe 2416 Dlfina32.exe 2132 Dlifcqfl.exe 2132 Dlifcqfl.exe 284 Elpldp32.exe 284 Elpldp32.exe 2276 Ekeiel32.exe 2276 Ekeiel32.exe 2372 Eaoaafli.exe 2372 Eaoaafli.exe 2208 Fdpjcaij.exe 2208 Fdpjcaij.exe 1168 Fgqcel32.exe 1168 Fgqcel32.exe 756 Fondonbc.exe 756 Fondonbc.exe 2060 Fkeedo32.exe 2060 Fkeedo32.exe 1984 Gemfghek.exe 1984 Gemfghek.exe 1744 Gklkdn32.exe 1744 Gklkdn32.exe 784 Glpdbfek.exe 784 Glpdbfek.exe 1940 Gfhikl32.exe 1940 Gfhikl32.exe 1444 Hfjfpkji.exe 1444 Hfjfpkji.exe 2308 Hbafel32.exe 2308 Hbafel32.exe 2304 Hbepplkh.exe 2304 Hbepplkh.exe 2772 Hiphmf32.exe 2772 Hiphmf32.exe 2792 Hjcajn32.exe 2792 Hjcajn32.exe 1572 Ikbndqnc.exe 1572 Ikbndqnc.exe 2684 Iabcbg32.exe 2684 Iabcbg32.exe 2140 Ifoljn32.exe 2140 Ifoljn32.exe 2496 Ipgpcc32.exe 2496 Ipgpcc32.exe 2548 Imkqmh32.exe 2548 Imkqmh32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Mqgahh32.exe Mjmiknng.exe File created C:\Windows\SysWOW64\Dofonpnk.dll Cgfqii32.exe File opened for modification C:\Windows\SysWOW64\Ecdffe32.exe Engnno32.exe File opened for modification C:\Windows\SysWOW64\Hilghaqq.exe Hhkjpi32.exe File opened for modification C:\Windows\SysWOW64\Ilaieljl.exe Icidlf32.exe File opened for modification C:\Windows\SysWOW64\Eaoaafli.exe Ekeiel32.exe File opened for modification C:\Windows\SysWOW64\Bhglpqeo.exe Bjclfmfe.exe File created C:\Windows\SysWOW64\Kknkncbl.exe Kjmnfk32.exe File opened for modification C:\Windows\SysWOW64\Fknlmggc.exe Fnjkdcii.exe File created C:\Windows\SysWOW64\Egepce32.exe Eddgaj32.exe File created C:\Windows\SysWOW64\Gjolpb32.dll Process not Found File created C:\Windows\SysWOW64\Jngeafln.dll Process not Found File created C:\Windows\SysWOW64\Lbecjo32.dll Jnafop32.exe File opened for modification C:\Windows\SysWOW64\Ianambhc.exe Ilaieljl.exe File created C:\Windows\SysWOW64\Ilcfjkgj.exe Ianambhc.exe File created C:\Windows\SysWOW64\Aeommfnf.exe Algida32.exe File opened for modification C:\Windows\SysWOW64\Gpccgppq.exe Gkfkoi32.exe File opened for modification C:\Windows\SysWOW64\Bqhffj32.exe Afbbiafj.exe File created C:\Windows\SysWOW64\Bdddpa32.exe Process not Found File created C:\Windows\SysWOW64\Ahiimj32.dll Aipbidbj.exe File created C:\Windows\SysWOW64\Hmjagh32.exe Hacabgig.exe File created C:\Windows\SysWOW64\Bdmlne32.dll Process not Found File created C:\Windows\SysWOW64\Efoobkej.exe Dhknigfq.exe File created C:\Windows\SysWOW64\Ckfkdffp.dll Mmdlqa32.exe File created C:\Windows\SysWOW64\Gickgl32.exe Process not Found File created C:\Windows\SysWOW64\Aeiiblhg.dll Process not Found File created C:\Windows\SysWOW64\Hkidclbb.exe Happkf32.exe File created C:\Windows\SysWOW64\Cdjckfda.exe Cjdonndl.exe File opened for modification C:\Windows\SysWOW64\Gelonn32.exe Process not Found File created C:\Windows\SysWOW64\Aijoal32.dll Process not Found File opened for modification C:\Windows\SysWOW64\Lnmfpnqn.exe Lllihf32.exe File opened for modification C:\Windows\SysWOW64\Hnllcoed.exe Hphljkfk.exe File created C:\Windows\SysWOW64\Iobkgo32.dll Mahlgkgo.exe File opened for modification C:\Windows\SysWOW64\Bnnblfgm.exe Process not Found File opened for modification C:\Windows\SysWOW64\Nabegpbp.exe Nlfmoidh.exe File opened for modification C:\Windows\SysWOW64\Ogncddpg.exe Opdkgj32.exe File created C:\Windows\SysWOW64\Oejfld32.dll Pnfkjb32.exe File opened for modification C:\Windows\SysWOW64\Khpccibp.exe Process not Found File created C:\Windows\SysWOW64\Mfeiad32.dll Cfmjoe32.exe File created C:\Windows\SysWOW64\Gbpegdik.exe Ffiebc32.exe File created C:\Windows\SysWOW64\Opeeam32.dll Iodolf32.exe File opened for modification C:\Windows\SysWOW64\Lbibla32.exe Lgcooh32.exe File opened for modification C:\Windows\SysWOW64\Qnmaka32.exe Qgcingnm.exe File created C:\Windows\SysWOW64\Jhiiaqdl.dll Bbnlia32.exe File created C:\Windows\SysWOW64\Pfbkplni.dll Joomnm32.exe File opened for modification C:\Windows\SysWOW64\Kgahcn32.exe Kdckgc32.exe File created C:\Windows\SysWOW64\Hgejjgag.dll Dbenhc32.exe File created C:\Windows\SysWOW64\Mqfjpnmj.exe Process not Found File created C:\Windows\SysWOW64\Lglnblmj.dll Hjglpncm.exe File created C:\Windows\SysWOW64\Mlenijej.exe Process not Found File created C:\Windows\SysWOW64\Leqhhg32.dll Onplmp32.exe File created C:\Windows\SysWOW64\Mhaanofn.dll Bknani32.exe File opened for modification C:\Windows\SysWOW64\Boblbe32.exe Bbnlia32.exe File created C:\Windows\SysWOW64\Hinbqb32.dll Ikhqbo32.exe File created C:\Windows\SysWOW64\Blabef32.exe Abhnlqlf.exe File opened for modification C:\Windows\SysWOW64\Emogdk32.exe Ecfcle32.exe File created C:\Windows\SysWOW64\Gdjopf32.dll Mmojcceo.exe File opened for modification C:\Windows\SysWOW64\Pjiffd32.exe Pmeemp32.exe File created C:\Windows\SysWOW64\Efogifnh.dll Process not Found File created C:\Windows\SysWOW64\Pmghilqf.dll Ijmibn32.exe File created C:\Windows\SysWOW64\Knmjmodm.exe Kchfpf32.exe File opened for modification C:\Windows\SysWOW64\Qhoeqide.exe Plhdkhoq.exe File created C:\Windows\SysWOW64\Elpimpqf.dll Ghqqpd32.exe File created C:\Windows\SysWOW64\Fkeedo32.exe Fondonbc.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 5908 2256 Process not Found 1341 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Efllcf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bakgmgpe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ddgljced.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Edenlp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Agonig32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fdefgimi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qnmaka32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bcnomjbg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cincaq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lljolodf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fdpjcaij.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Egchocif.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cmcjldbf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gfdcdi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mgfjld32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Idojon32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gcbaop32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cibnfpjg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ihclmp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kjgoaflj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jmafocbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lpmhgc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cadfbi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mdbmkc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Algjpenp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ndnbeclb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eikmkbeg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hpaaho32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bhqdgm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kkhdohnm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Edokna32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Emjoep32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cgkanomj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lllkaobc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gdflepqo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ekeiel32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Imkqmh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fdpmljan.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jmoijc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fnifbaja.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Opbnbj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Haldgbkc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Acjllqke.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Koidficq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eddgaj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pfhlie32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pddlggin.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oogolo32.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hpnpam32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iggepjmj.dll" Ildhcd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfafnphf.dll" Plhdkhoq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lglioqmk.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gailehfk.dll" Hdpqhc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfeofa32.dll" Qoopie32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pildih32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ajcbpbkn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jnafop32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cfhjjp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Onloqmmk.dll" Dcaiqfib.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bfoffmhd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ephihbnm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Elpnmhgh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jgjkhi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fondonbc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hbblpf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hjpnjheg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Enmplm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fkipiodd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nhlfnn32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jonfpg32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egkfbg32.dll" Gcfioj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ighfecdb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ajpbbhno.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ecdffe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bealkk32.dll" Feppqc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pbcooo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dcffmb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iieikd32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nqbdllld.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Giihlbcj.dll" Fnoiqpqk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Eddgaj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hondclnf.dll" Dnjeoa32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qbggqfca.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ifhacfhj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Omincc32.dll" Hjpnjheg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elpimpqf.dll" Ghqqpd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hbjjfl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfgaknbb.dll" Fdfpfm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ddgljced.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bknani32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hmnoih32.dll" Neocahbm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Oijlpjma.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmoiknoh.dll" Dkakad32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Omfadgqj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mgebfi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ahiimj32.dll" Aipbidbj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iobkgo32.dll" Mahlgkgo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oacpeajj.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Beoanjep.dll" Ffeoid32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1424 wrote to memory of 2480 1424 24d7a39b1f5abb623956581ec200d854715f8ac0a17b108f18d8539ff4de0272N.exe 29 PID 1424 wrote to memory of 2480 1424 24d7a39b1f5abb623956581ec200d854715f8ac0a17b108f18d8539ff4de0272N.exe 29 PID 1424 wrote to memory of 2480 1424 24d7a39b1f5abb623956581ec200d854715f8ac0a17b108f18d8539ff4de0272N.exe 29 PID 1424 wrote to memory of 2480 1424 24d7a39b1f5abb623956581ec200d854715f8ac0a17b108f18d8539ff4de0272N.exe 29 PID 2480 wrote to memory of 2928 2480 Cicggcke.exe 30 PID 2480 wrote to memory of 2928 2480 Cicggcke.exe 30 PID 2480 wrote to memory of 2928 2480 Cicggcke.exe 30 PID 2480 wrote to memory of 2928 2480 Cicggcke.exe 30 PID 2928 wrote to memory of 2332 2928 Cejhld32.exe 31 PID 2928 wrote to memory of 2332 2928 Cejhld32.exe 31 PID 2928 wrote to memory of 2332 2928 Cejhld32.exe 31 PID 2928 wrote to memory of 2332 2928 Cejhld32.exe 31 PID 2332 wrote to memory of 2972 2332 Cgkanomj.exe 32 PID 2332 wrote to memory of 2972 2332 Cgkanomj.exe 32 PID 2332 wrote to memory of 2972 2332 Cgkanomj.exe 32 PID 2332 wrote to memory of 2972 2332 Cgkanomj.exe 32 PID 2972 wrote to memory of 2632 2972 Ceoagcld.exe 33 PID 2972 wrote to memory of 2632 2972 Ceoagcld.exe 33 PID 2972 wrote to memory of 2632 2972 Ceoagcld.exe 33 PID 2972 wrote to memory of 2632 2972 Ceoagcld.exe 33 PID 2632 wrote to memory of 2680 2632 Cngfqi32.exe 34 PID 2632 wrote to memory of 2680 2632 Cngfqi32.exe 34 PID 2632 wrote to memory of 2680 2632 Cngfqi32.exe 34 PID 2632 wrote to memory of 2680 2632 Cngfqi32.exe 34 PID 2680 wrote to memory of 1088 2680 Cnjbfhqa.exe 35 PID 2680 wrote to memory of 1088 2680 Cnjbfhqa.exe 35 PID 2680 wrote to memory of 1088 2680 Cnjbfhqa.exe 35 PID 2680 wrote to memory of 1088 2680 Cnjbfhqa.exe 35 PID 1088 wrote to memory of 2052 1088 Dpmlcpdm.exe 36 PID 1088 wrote to memory of 2052 1088 Dpmlcpdm.exe 36 PID 1088 wrote to memory of 2052 1088 Dpmlcpdm.exe 36 PID 1088 wrote to memory of 2052 1088 Dpmlcpdm.exe 36 PID 2052 wrote to memory of 2416 2052 Dfjaej32.exe 37 PID 2052 wrote to memory of 2416 2052 Dfjaej32.exe 37 PID 2052 wrote to memory of 2416 2052 Dfjaej32.exe 37 PID 2052 wrote to memory of 2416 2052 Dfjaej32.exe 37 PID 2416 wrote to memory of 2132 2416 Dlfina32.exe 38 PID 2416 wrote to memory of 2132 2416 Dlfina32.exe 38 PID 2416 wrote to memory of 2132 2416 Dlfina32.exe 38 PID 2416 wrote to memory of 2132 2416 Dlfina32.exe 38 PID 2132 wrote to memory of 284 2132 Dlifcqfl.exe 39 PID 2132 wrote to memory of 284 2132 Dlifcqfl.exe 39 PID 2132 wrote to memory of 284 2132 Dlifcqfl.exe 39 PID 2132 wrote to memory of 284 2132 Dlifcqfl.exe 39 PID 284 wrote to memory of 2276 284 Elpldp32.exe 40 PID 284 wrote to memory of 2276 284 Elpldp32.exe 40 PID 284 wrote to memory of 2276 284 Elpldp32.exe 40 PID 284 wrote to memory of 2276 284 Elpldp32.exe 40 PID 2276 wrote to memory of 2372 2276 Ekeiel32.exe 41 PID 2276 wrote to memory of 2372 2276 Ekeiel32.exe 41 PID 2276 wrote to memory of 2372 2276 Ekeiel32.exe 41 PID 2276 wrote to memory of 2372 2276 Ekeiel32.exe 41 PID 2372 wrote to memory of 2208 2372 Eaoaafli.exe 42 PID 2372 wrote to memory of 2208 2372 Eaoaafli.exe 42 PID 2372 wrote to memory of 2208 2372 Eaoaafli.exe 42 PID 2372 wrote to memory of 2208 2372 Eaoaafli.exe 42 PID 2208 wrote to memory of 1168 2208 Fdpjcaij.exe 43 PID 2208 wrote to memory of 1168 2208 Fdpjcaij.exe 43 PID 2208 wrote to memory of 1168 2208 Fdpjcaij.exe 43 PID 2208 wrote to memory of 1168 2208 Fdpjcaij.exe 43 PID 1168 wrote to memory of 756 1168 Fgqcel32.exe 44 PID 1168 wrote to memory of 756 1168 Fgqcel32.exe 44 PID 1168 wrote to memory of 756 1168 Fgqcel32.exe 44 PID 1168 wrote to memory of 756 1168 Fgqcel32.exe 44
Processes
-
C:\Users\Admin\AppData\Local\Temp\24d7a39b1f5abb623956581ec200d854715f8ac0a17b108f18d8539ff4de0272N.exe"C:\Users\Admin\AppData\Local\Temp\24d7a39b1f5abb623956581ec200d854715f8ac0a17b108f18d8539ff4de0272N.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1424 -
C:\Windows\SysWOW64\Cicggcke.exeC:\Windows\system32\Cicggcke.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2480 -
C:\Windows\SysWOW64\Cejhld32.exeC:\Windows\system32\Cejhld32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2928 -
C:\Windows\SysWOW64\Cgkanomj.exeC:\Windows\system32\Cgkanomj.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2332 -
C:\Windows\SysWOW64\Ceoagcld.exeC:\Windows\system32\Ceoagcld.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2972 -
C:\Windows\SysWOW64\Cngfqi32.exeC:\Windows\system32\Cngfqi32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2632 -
C:\Windows\SysWOW64\Cnjbfhqa.exeC:\Windows\system32\Cnjbfhqa.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2680 -
C:\Windows\SysWOW64\Dpmlcpdm.exeC:\Windows\system32\Dpmlcpdm.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1088 -
C:\Windows\SysWOW64\Dfjaej32.exeC:\Windows\system32\Dfjaej32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2052 -
C:\Windows\SysWOW64\Dlfina32.exeC:\Windows\system32\Dlfina32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2416 -
C:\Windows\SysWOW64\Dlifcqfl.exeC:\Windows\system32\Dlifcqfl.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2132 -
C:\Windows\SysWOW64\Elpldp32.exeC:\Windows\system32\Elpldp32.exe12⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:284 -
C:\Windows\SysWOW64\Ekeiel32.exeC:\Windows\system32\Ekeiel32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2276 -
C:\Windows\SysWOW64\Eaoaafli.exeC:\Windows\system32\Eaoaafli.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2372 -
C:\Windows\SysWOW64\Fdpjcaij.exeC:\Windows\system32\Fdpjcaij.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2208 -
C:\Windows\SysWOW64\Fgqcel32.exeC:\Windows\system32\Fgqcel32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1168 -
C:\Windows\SysWOW64\Fondonbc.exeC:\Windows\system32\Fondonbc.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:756 -
C:\Windows\SysWOW64\Fkeedo32.exeC:\Windows\system32\Fkeedo32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2060 -
C:\Windows\SysWOW64\Gemfghek.exeC:\Windows\system32\Gemfghek.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1984 -
C:\Windows\SysWOW64\Gklkdn32.exeC:\Windows\system32\Gklkdn32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1744 -
C:\Windows\SysWOW64\Glpdbfek.exeC:\Windows\system32\Glpdbfek.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:784 -
C:\Windows\SysWOW64\Gfhikl32.exeC:\Windows\system32\Gfhikl32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1940 -
C:\Windows\SysWOW64\Hfjfpkji.exeC:\Windows\system32\Hfjfpkji.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1444 -
C:\Windows\SysWOW64\Hbafel32.exeC:\Windows\system32\Hbafel32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2308 -
C:\Windows\SysWOW64\Hbepplkh.exeC:\Windows\system32\Hbepplkh.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2304 -
C:\Windows\SysWOW64\Hiphmf32.exeC:\Windows\system32\Hiphmf32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2772 -
C:\Windows\SysWOW64\Hjcajn32.exeC:\Windows\system32\Hjcajn32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2792 -
C:\Windows\SysWOW64\Ikbndqnc.exeC:\Windows\system32\Ikbndqnc.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1572 -
C:\Windows\SysWOW64\Iabcbg32.exeC:\Windows\system32\Iabcbg32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2684 -
C:\Windows\SysWOW64\Ifoljn32.exeC:\Windows\system32\Ifoljn32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2140 -
C:\Windows\SysWOW64\Ipgpcc32.exeC:\Windows\system32\Ipgpcc32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2496 -
C:\Windows\SysWOW64\Imkqmh32.exeC:\Windows\system32\Imkqmh32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2548 -
C:\Windows\SysWOW64\Jplinckj.exeC:\Windows\system32\Jplinckj.exe33⤵
- Executes dropped EXE
PID:2092 -
C:\Windows\SysWOW64\Jffakm32.exeC:\Windows\system32\Jffakm32.exe34⤵
- Executes dropped EXE
PID:3008 -
C:\Windows\SysWOW64\Jnafop32.exeC:\Windows\system32\Jnafop32.exe35⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2880 -
C:\Windows\SysWOW64\Jlegic32.exeC:\Windows\system32\Jlegic32.exe36⤵
- Executes dropped EXE
PID:952 -
C:\Windows\SysWOW64\Kikpgk32.exeC:\Windows\system32\Kikpgk32.exe37⤵
- Executes dropped EXE
PID:2360 -
C:\Windows\SysWOW64\Leaallcb.exeC:\Windows\system32\Leaallcb.exe38⤵
- Executes dropped EXE
PID:2388 -
C:\Windows\SysWOW64\Lllihf32.exeC:\Windows\system32\Lllihf32.exe39⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1736 -
C:\Windows\SysWOW64\Lnmfpnqn.exeC:\Windows\system32\Lnmfpnqn.exe40⤵
- Executes dropped EXE
PID:2268 -
C:\Windows\SysWOW64\Lnobfn32.exeC:\Windows\system32\Lnobfn32.exe41⤵
- Executes dropped EXE
PID:1044 -
C:\Windows\SysWOW64\Ldikbhfh.exeC:\Windows\system32\Ldikbhfh.exe42⤵
- Executes dropped EXE
PID:1524 -
C:\Windows\SysWOW64\Lamkllea.exeC:\Windows\system32\Lamkllea.exe43⤵
- Executes dropped EXE
PID:1824 -
C:\Windows\SysWOW64\Lcnhcdkp.exeC:\Windows\system32\Lcnhcdkp.exe44⤵
- Executes dropped EXE
PID:1980 -
C:\Windows\SysWOW64\Lpbhmiji.exeC:\Windows\system32\Lpbhmiji.exe45⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2324 -
C:\Windows\SysWOW64\Lcqdidim.exeC:\Windows\system32\Lcqdidim.exe46⤵
- Executes dropped EXE
PID:1540 -
C:\Windows\SysWOW64\Mjkmfn32.exeC:\Windows\system32\Mjkmfn32.exe47⤵
- Executes dropped EXE
PID:2604 -
C:\Windows\SysWOW64\Mogene32.exeC:\Windows\system32\Mogene32.exe48⤵
- Executes dropped EXE
PID:3068 -
C:\Windows\SysWOW64\Mjmiknng.exeC:\Windows\system32\Mjmiknng.exe49⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1600 -
C:\Windows\SysWOW64\Mqgahh32.exeC:\Windows\system32\Mqgahh32.exe50⤵
- Executes dropped EXE
PID:2836 -
C:\Windows\SysWOW64\Mfdjpo32.exeC:\Windows\system32\Mfdjpo32.exe51⤵
- Executes dropped EXE
PID:2920 -
C:\Windows\SysWOW64\Moloidjl.exeC:\Windows\system32\Moloidjl.exe52⤵
- Executes dropped EXE
PID:2180 -
C:\Windows\SysWOW64\Mkconepp.exeC:\Windows\system32\Mkconepp.exe53⤵
- Executes dropped EXE
PID:2628 -
C:\Windows\SysWOW64\Mfhcknpf.exeC:\Windows\system32\Mfhcknpf.exe54⤵
- Executes dropped EXE
PID:2804 -
C:\Windows\SysWOW64\Nndhpqma.exeC:\Windows\system32\Nndhpqma.exe55⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1732 -
C:\Windows\SysWOW64\Nqbdllld.exeC:\Windows\system32\Nqbdllld.exe56⤵
- Executes dropped EXE
- Modifies registry class
PID:2400 -
C:\Windows\SysWOW64\Nnfeep32.exeC:\Windows\system32\Nnfeep32.exe57⤵
- Executes dropped EXE
PID:2728 -
C:\Windows\SysWOW64\Ndpmbjbk.exeC:\Windows\system32\Ndpmbjbk.exe58⤵
- Executes dropped EXE
PID:2228 -
C:\Windows\SysWOW64\Nmkbfmpf.exeC:\Windows\system32\Nmkbfmpf.exe59⤵
- Executes dropped EXE
PID:2424 -
C:\Windows\SysWOW64\Ncejcg32.exeC:\Windows\system32\Ncejcg32.exe60⤵
- Executes dropped EXE
PID:540 -
C:\Windows\SysWOW64\Nmnoll32.exeC:\Windows\system32\Nmnoll32.exe61⤵
- Executes dropped EXE
PID:2448 -
C:\Windows\SysWOW64\Nffcebdd.exeC:\Windows\system32\Nffcebdd.exe62⤵
- Executes dropped EXE
PID:2216 -
C:\Windows\SysWOW64\Npngng32.exeC:\Windows\system32\Npngng32.exe63⤵
- Executes dropped EXE
PID:2212 -
C:\Windows\SysWOW64\Ojdlkp32.exeC:\Windows\system32\Ojdlkp32.exe64⤵
- Executes dropped EXE
PID:2288 -
C:\Windows\SysWOW64\Opqdcgib.exeC:\Windows\system32\Opqdcgib.exe65⤵
- Executes dropped EXE
PID:1904 -
C:\Windows\SysWOW64\Oenmkngi.exeC:\Windows\system32\Oenmkngi.exe66⤵PID:2484
-
C:\Windows\SysWOW64\Ofmiea32.exeC:\Windows\system32\Ofmiea32.exe67⤵PID:1900
-
C:\Windows\SysWOW64\Obdjjb32.exeC:\Windows\system32\Obdjjb32.exe68⤵PID:1112
-
C:\Windows\SysWOW64\Ohqbbi32.exeC:\Windows\system32\Ohqbbi32.exe69⤵PID:2420
-
C:\Windows\SysWOW64\Obffpa32.exeC:\Windows\system32\Obffpa32.exe70⤵PID:3012
-
C:\Windows\SysWOW64\Ojakdd32.exeC:\Windows\system32\Ojakdd32.exe71⤵PID:1076
-
C:\Windows\SysWOW64\Oakcan32.exeC:\Windows\system32\Oakcan32.exe72⤵PID:2272
-
C:\Windows\SysWOW64\Pfhlie32.exeC:\Windows\system32\Pfhlie32.exe73⤵
- System Location Discovery: System Language Discovery
PID:2916 -
C:\Windows\SysWOW64\Panpgn32.exeC:\Windows\system32\Panpgn32.exe74⤵PID:2948
-
C:\Windows\SysWOW64\Papmlmbp.exeC:\Windows\system32\Papmlmbp.exe75⤵PID:2640
-
C:\Windows\SysWOW64\Pjhaec32.exeC:\Windows\system32\Pjhaec32.exe76⤵PID:1656
-
C:\Windows\SysWOW64\Ppejmj32.exeC:\Windows\system32\Ppejmj32.exe77⤵PID:2872
-
C:\Windows\SysWOW64\Pinnfonh.exeC:\Windows\system32\Pinnfonh.exe78⤵PID:552
-
C:\Windows\SysWOW64\Pbfcoedi.exeC:\Windows\system32\Pbfcoedi.exe79⤵PID:1060
-
C:\Windows\SysWOW64\Pipklo32.exeC:\Windows\system32\Pipklo32.exe80⤵PID:928
-
C:\Windows\SysWOW64\Qakppa32.exeC:\Windows\system32\Qakppa32.exe81⤵PID:3052
-
C:\Windows\SysWOW64\Qoopie32.exeC:\Windows\system32\Qoopie32.exe82⤵
- Modifies registry class
PID:2412 -
C:\Windows\SysWOW64\Alcqcjgd.exeC:\Windows\system32\Alcqcjgd.exe83⤵PID:2204
-
C:\Windows\SysWOW64\Amdmkb32.exeC:\Windows\system32\Amdmkb32.exe84⤵PID:696
-
C:\Windows\SysWOW64\Agmacgcc.exeC:\Windows\system32\Agmacgcc.exe85⤵PID:1264
-
C:\Windows\SysWOW64\Anfjpa32.exeC:\Windows\system32\Anfjpa32.exe86⤵PID:2072
-
C:\Windows\SysWOW64\Agonig32.exeC:\Windows\system32\Agonig32.exe87⤵
- System Location Discovery: System Language Discovery
PID:916 -
C:\Windows\SysWOW64\Apgcbmha.exeC:\Windows\system32\Apgcbmha.exe88⤵PID:2184
-
C:\Windows\SysWOW64\Akmgoehg.exeC:\Windows\system32\Akmgoehg.exe89⤵PID:2712
-
C:\Windows\SysWOW64\Apjpglfn.exeC:\Windows\system32\Apjpglfn.exe90⤵PID:1716
-
C:\Windows\SysWOW64\Annpaq32.exeC:\Windows\system32\Annpaq32.exe91⤵PID:2848
-
C:\Windows\SysWOW64\Bgfdjfkh.exeC:\Windows\system32\Bgfdjfkh.exe92⤵PID:2080
-
C:\Windows\SysWOW64\Boainhic.exeC:\Windows\system32\Boainhic.exe93⤵PID:2648
-
C:\Windows\SysWOW64\Bhjngnod.exeC:\Windows\system32\Bhjngnod.exe94⤵PID:2612
-
C:\Windows\SysWOW64\Bocfch32.exeC:\Windows\system32\Bocfch32.exe95⤵PID:1832
-
C:\Windows\SysWOW64\Bdpnlo32.exeC:\Windows\system32\Bdpnlo32.exe96⤵PID:2524
-
C:\Windows\SysWOW64\Bfpkfb32.exeC:\Windows\system32\Bfpkfb32.exe97⤵PID:2732
-
C:\Windows\SysWOW64\Bnkpjd32.exeC:\Windows\system32\Bnkpjd32.exe98⤵PID:2528
-
C:\Windows\SysWOW64\Bhqdgm32.exeC:\Windows\system32\Bhqdgm32.exe99⤵
- System Location Discovery: System Language Discovery
PID:2248 -
C:\Windows\SysWOW64\Cjbpoeoj.exeC:\Windows\system32\Cjbpoeoj.exe100⤵PID:1204
-
C:\Windows\SysWOW64\Cqlhlo32.exeC:\Windows\system32\Cqlhlo32.exe101⤵PID:1820
-
C:\Windows\SysWOW64\Cgfqii32.exeC:\Windows\system32\Cgfqii32.exe102⤵
- Drops file in System32 directory
PID:2596 -
C:\Windows\SysWOW64\Cqneaodd.exeC:\Windows\system32\Cqneaodd.exe103⤵PID:920
-
C:\Windows\SysWOW64\Cfknjfbl.exeC:\Windows\system32\Cfknjfbl.exe104⤵PID:868
-
C:\Windows\SysWOW64\Cqqbgoba.exeC:\Windows\system32\Cqqbgoba.exe105⤵PID:1608
-
C:\Windows\SysWOW64\Cfmjoe32.exeC:\Windows\system32\Cfmjoe32.exe106⤵
- Drops file in System32 directory
PID:2788 -
C:\Windows\SysWOW64\Cmgblphf.exeC:\Windows\system32\Cmgblphf.exe107⤵PID:2908
-
C:\Windows\SysWOW64\Cbdkdffm.exeC:\Windows\system32\Cbdkdffm.exe108⤵PID:1708
-
C:\Windows\SysWOW64\Cincaq32.exeC:\Windows\system32\Cincaq32.exe109⤵
- System Location Discovery: System Language Discovery
PID:664 -
C:\Windows\SysWOW64\Eccdmmpk.exeC:\Windows\system32\Eccdmmpk.exe110⤵PID:2264
-
C:\Windows\SysWOW64\Elaego32.exeC:\Windows\system32\Elaego32.exe111⤵PID:1648
-
C:\Windows\SysWOW64\Elcbmn32.exeC:\Windows\system32\Elcbmn32.exe112⤵PID:2396
-
C:\Windows\SysWOW64\Ebmjihqn.exeC:\Windows\system32\Ebmjihqn.exe113⤵PID:2516
-
C:\Windows\SysWOW64\Eigbfb32.exeC:\Windows\system32\Eigbfb32.exe114⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1164 -
C:\Windows\SysWOW64\Eabgjeef.exeC:\Windows\system32\Eabgjeef.exe115⤵PID:1924
-
C:\Windows\SysWOW64\Flhkhnel.exeC:\Windows\system32\Flhkhnel.exe116⤵PID:2096
-
C:\Windows\SysWOW64\Feppqc32.exeC:\Windows\system32\Feppqc32.exe117⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2504 -
C:\Windows\SysWOW64\Fljhmmci.exeC:\Windows\system32\Fljhmmci.exe118⤵PID:3040
-
C:\Windows\SysWOW64\Fhaibnim.exeC:\Windows\system32\Fhaibnim.exe119⤵PID:2128
-
C:\Windows\SysWOW64\Feeilbhg.exeC:\Windows\system32\Feeilbhg.exe120⤵PID:2408
-
C:\Windows\SysWOW64\Fomndhng.exeC:\Windows\system32\Fomndhng.exe121⤵PID:2852
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-