Analysis
-
max time kernel
118s -
max time network
119s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
20/09/2024, 07:28
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
8ec1ade2b0f3343ee8d2670244f2f1a77377c96a59a4ed6edc3ba83ba78c248dN.exe
Resource
win7-20240903-en
windows7-x64
8 signatures
120 seconds
Behavioral task
behavioral2
Sample
8ec1ade2b0f3343ee8d2670244f2f1a77377c96a59a4ed6edc3ba83ba78c248dN.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
6 signatures
120 seconds
General
-
Target
8ec1ade2b0f3343ee8d2670244f2f1a77377c96a59a4ed6edc3ba83ba78c248dN.exe
-
Size
96KB
-
MD5
9dbdb2eb884d55c546458d89058872b0
-
SHA1
285830947fe82d885eb569a714ef632963334f25
-
SHA256
8ec1ade2b0f3343ee8d2670244f2f1a77377c96a59a4ed6edc3ba83ba78c248d
-
SHA512
c1b866e67a7ae191cca3e280e2826337f686281b7c917f7682f99d684fe29ab7033004aea794702598370cafd30d60ef1d1028623bbc5964341fb7b68346547d
-
SSDEEP
1536:tzofGpvXZDl+JAmz+vfq2pY20iQD2SuvYnASRK8H8OM6bOLXi8PmCofGy:K0xxtvS2pY20i7YvK8cDrLXfzoey
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pkjphcff.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ahpifj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ljkaeo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kgqocoin.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lkgngb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Offmipej.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Phlclgfc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Elkmmodo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ljfapjbi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Napbjjom.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ibmgpoia.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nfnneb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cjonncab.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kekiphge.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mqklqhpg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Npjlhcmd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fjdnlhco.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pkdihhag.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pejmfqan.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pejmfqan.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Klbdgb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Oococb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Agolnbok.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Afdiondb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cgcnghpl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Afjjed32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hlgimqhf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iedfqeka.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jfofol32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mjkgjl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jkmeoa32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jpjngh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kffldlne.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pcljmdmj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oehdan32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ghdgfbkl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cpiqmlfm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mnmpdlac.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nfahomfd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gaqomeke.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ilcoce32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kfpifm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Knnkpobc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cjgoje32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bigkel32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kghpoa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lkfddc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Biolanld.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fdiogq32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fnacpffh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ipjahd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jgdfdbhk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gkephn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ieajkfmd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pdgmlhha.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ohcdhi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dacpkc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nbmaon32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lbnpkmfg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oajlkojn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pciddedl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jbcjnnpl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nbflno32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ooicid32.exe -
Executes dropped EXE 64 IoCs
pid Process 2484 Edqocbkp.exe 2692 Elldgehk.exe 2872 Ecfldoph.exe 2836 Elnqmd32.exe 2832 Fchijone.exe 2604 Fgcejm32.exe 2892 Fheabelm.exe 1196 Fjdnlhco.exe 2688 Fmcjhdbc.exe 2920 Fbpbpkpj.exe 2912 Ffkoai32.exe 1028 Foccjood.exe 1492 Ffmkfifa.exe 2104 Fdpkbf32.exe 2964 Fkjdopeh.exe 2320 Fqglggcp.exe 1400 Fgadda32.exe 3064 Gjpqpl32.exe 952 Geeemeif.exe 1652 Gjbmelgm.exe 844 Gnmifk32.exe 1008 Gqlebf32.exe 892 Gcjbna32.exe 2352 Ggfnopfg.exe 2480 Gpabcbdb.exe 2744 Giiglhjb.exe 2752 Gaqomeke.exe 2608 Gjicfk32.exe 2712 Gildahhp.exe 1880 Gpelnb32.exe 2620 Hfpdkl32.exe 536 Hmjlhfof.exe 1640 Hllmcc32.exe 2820 Hhcmhdke.exe 796 Hbiaemkk.exe 1052 Hibjbgbh.exe 1444 Hnpbjnpo.exe 1712 Hbknkl32.exe 1512 Hhhgcc32.exe 3012 Hjfcpo32.exe 1948 Helgmg32.exe 2108 Hfmddp32.exe 1332 Hjipenda.exe 2024 Hndlem32.exe 2064 Iabhah32.exe 560 Idadnd32.exe 2540 Ifoqjo32.exe 2288 Imiigiab.exe 1808 Iaeegh32.exe 2244 Idcacc32.exe 2884 Ibfaopoi.exe 2628 Ifampo32.exe 2616 Iipiljgf.exe 668 Imleli32.exe 1236 Ipjahd32.exe 1560 Ipjahd32.exe 2004 Ibhndp32.exe 1960 Ifdjeoep.exe 2092 Iibfajdc.exe 2144 Ilabmedg.exe 2228 Iplnnd32.exe 1624 Ioooiack.exe 1684 Ibkkjp32.exe 1752 Ieigfk32.exe -
Loads dropped DLL 64 IoCs
pid Process 2524 8ec1ade2b0f3343ee8d2670244f2f1a77377c96a59a4ed6edc3ba83ba78c248dN.exe 2524 8ec1ade2b0f3343ee8d2670244f2f1a77377c96a59a4ed6edc3ba83ba78c248dN.exe 2484 Edqocbkp.exe 2484 Edqocbkp.exe 2692 Elldgehk.exe 2692 Elldgehk.exe 2872 Ecfldoph.exe 2872 Ecfldoph.exe 2836 Elnqmd32.exe 2836 Elnqmd32.exe 2832 Fchijone.exe 2832 Fchijone.exe 2604 Fgcejm32.exe 2604 Fgcejm32.exe 2892 Fheabelm.exe 2892 Fheabelm.exe 1196 Fjdnlhco.exe 1196 Fjdnlhco.exe 2688 Fmcjhdbc.exe 2688 Fmcjhdbc.exe 2920 Fbpbpkpj.exe 2920 Fbpbpkpj.exe 2912 Ffkoai32.exe 2912 Ffkoai32.exe 1028 Foccjood.exe 1028 Foccjood.exe 1492 Ffmkfifa.exe 1492 Ffmkfifa.exe 2104 Fdpkbf32.exe 2104 Fdpkbf32.exe 2964 Fkjdopeh.exe 2964 Fkjdopeh.exe 2320 Fqglggcp.exe 2320 Fqglggcp.exe 1400 Fgadda32.exe 1400 Fgadda32.exe 3064 Gjpqpl32.exe 3064 Gjpqpl32.exe 952 Geeemeif.exe 952 Geeemeif.exe 1652 Gjbmelgm.exe 1652 Gjbmelgm.exe 844 Gnmifk32.exe 844 Gnmifk32.exe 1008 Gqlebf32.exe 1008 Gqlebf32.exe 892 Gcjbna32.exe 892 Gcjbna32.exe 2352 Ggfnopfg.exe 2352 Ggfnopfg.exe 2480 Gpabcbdb.exe 2480 Gpabcbdb.exe 2744 Giiglhjb.exe 2744 Giiglhjb.exe 2752 Gaqomeke.exe 2752 Gaqomeke.exe 2608 Gjicfk32.exe 2608 Gjicfk32.exe 2712 Gildahhp.exe 2712 Gildahhp.exe 1880 Gpelnb32.exe 1880 Gpelnb32.exe 2620 Hfpdkl32.exe 2620 Hfpdkl32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Nipdkieg.exe Nfahomfd.exe File opened for modification C:\Windows\SysWOW64\Oajlkojn.exe Obgkpb32.exe File opened for modification C:\Windows\SysWOW64\Aqhhanig.exe Anjlebjc.exe File opened for modification C:\Windows\SysWOW64\Jpdnbbah.exe Jmfafgbd.exe File created C:\Windows\SysWOW64\Jhbold32.exe Jhbold32.exe File created C:\Windows\SysWOW64\Cepipm32.exe Cnfqccna.exe File created C:\Windows\SysWOW64\Ohpbbo32.dll Jhafhe32.exe File created C:\Windows\SysWOW64\Okbpde32.exe Ohcdhi32.exe File opened for modification C:\Windows\SysWOW64\Fgdnnl32.exe Edfbaabj.exe File created C:\Windows\SysWOW64\Nncbdomg.exe Njhfcp32.exe File created C:\Windows\SysWOW64\Ipjahd32.exe Ipjahd32.exe File created C:\Windows\SysWOW64\Bchqdi32.dll Boidnh32.exe File created C:\Windows\SysWOW64\Aacinhhc.dll Aojabdlf.exe File created C:\Windows\SysWOW64\Dnoldn32.dll Lqqpgj32.exe File created C:\Windows\SysWOW64\Ggogki32.dll Oioggmmc.exe File created C:\Windows\SysWOW64\Liihgqil.dll Gjojef32.exe File opened for modification C:\Windows\SysWOW64\Kgqocoin.exe Kcecbq32.exe File created C:\Windows\SysWOW64\Lbmnig32.dll Bbmcibjp.exe File created C:\Windows\SysWOW64\Cpmjhk32.exe Chfbgn32.exe File opened for modification C:\Windows\SysWOW64\Eeaepd32.exe Eaeipfei.exe File created C:\Windows\SysWOW64\Olfcfe32.dll Jdnmma32.exe File created C:\Windows\SysWOW64\Icblnd32.dll Nhgnaehm.exe File created C:\Windows\SysWOW64\Llgjaeoj.exe Ldpbpgoh.exe File created C:\Windows\SysWOW64\Onaiomjo.dll Cbffoabe.exe File created C:\Windows\SysWOW64\Fgcejm32.exe Fchijone.exe File opened for modification C:\Windows\SysWOW64\Jaijak32.exe Jnnnalph.exe File created C:\Windows\SysWOW64\Fckada32.dll Kfebambf.exe File created C:\Windows\SysWOW64\Giqhcmil.dll Iimfld32.exe File opened for modification C:\Windows\SysWOW64\Hmjlhfof.exe Hfpdkl32.exe File opened for modification C:\Windows\SysWOW64\Jkhldafl.exe Jhjphfgi.exe File created C:\Windows\SysWOW64\Mgcfig32.dll Phcpgm32.exe File opened for modification C:\Windows\SysWOW64\Qobbofgn.exe Pldebkhj.exe File created C:\Windows\SysWOW64\Kfkpknkq.exe Kghpoa32.exe File opened for modification C:\Windows\SysWOW64\Fqfemqod.exe Fmkilb32.exe File opened for modification C:\Windows\SysWOW64\Nefdpjkl.exe Nbhhdnlh.exe File created C:\Windows\SysWOW64\Obgkpb32.exe Okpcoe32.exe File created C:\Windows\SysWOW64\Bdclnelo.dll Nenkqi32.exe File created C:\Windows\SysWOW64\Gdgqdaoh.dll Cnfqccna.exe File created C:\Windows\SysWOW64\Eobchk32.exe Eldglp32.exe File created C:\Windows\SysWOW64\Aekeef32.dll Gqdefddb.exe File created C:\Windows\SysWOW64\Koaqcn32.exe Klbdgb32.exe File created C:\Windows\SysWOW64\Hefhqhka.dll Nenakoho.exe File opened for modification C:\Windows\SysWOW64\Ecnoijbd.exe Eobchk32.exe File created C:\Windows\SysWOW64\Pfqgfg32.dll Qkfocaki.exe File opened for modification C:\Windows\SysWOW64\Cjakccop.exe Cgcnghpl.exe File opened for modification C:\Windows\SysWOW64\Jlphbbbg.exe Jialfgcc.exe File created C:\Windows\SysWOW64\Hnoefj32.dll Ncnngfna.exe File created C:\Windows\SysWOW64\Kmdlca32.dll Odgamdef.exe File created C:\Windows\SysWOW64\Bkegah32.exe Bigkel32.exe File created C:\Windows\SysWOW64\Pkifdd32.exe Pgnjde32.exe File created C:\Windows\SysWOW64\Phhjblpa.exe Pejmfqan.exe File created C:\Windows\SysWOW64\Fkbgckgd.exe Fhdjgoha.exe File opened for modification C:\Windows\SysWOW64\Cpehmcmg.dll Jhbold32.exe File created C:\Windows\SysWOW64\Bffbdadk.exe Bgcbhd32.exe File created C:\Windows\SysWOW64\Pdonhj32.exe Ppcbgkka.exe File created C:\Windows\SysWOW64\Dpkibo32.exe Dahifbpk.exe File created C:\Windows\SysWOW64\Elajgpmj.exe Dicnkdnf.exe File created C:\Windows\SysWOW64\Bnknoogp.exe Bfdenafn.exe File created C:\Windows\SysWOW64\Qcamkjba.dll Bgllgedi.exe File opened for modification C:\Windows\SysWOW64\Qkibcg32.exe Qgmfchei.exe File created C:\Windows\SysWOW64\Gedjkeaj.dll Ihniaa32.exe File opened for modification C:\Windows\SysWOW64\Imahkg32.exe Ifgpnmom.exe File created C:\Windows\SysWOW64\Mfhmmndi.dll Akabgebj.exe File opened for modification C:\Windows\SysWOW64\Ofadnq32.exe Odchbe32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 7292 7212 WerFault.exe 736 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jnnnalph.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Olkfmi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Agdmdg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dkqnoh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lohccp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hllmcc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lkfddc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pdonhj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dklddhka.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jbhcim32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hbknkl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oplelf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pgcmbcih.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lcaiiejc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cgaaah32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ifdjeoep.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jodhdp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jaeafklf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pciddedl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eoiiijcc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jhbold32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nfahomfd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aebmjo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Geeemeif.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nlhjhi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ppcbgkka.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pkifdd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ddblgn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Knfndjdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Boljgg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pnbojmmp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Achjibcl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ffmkfifa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jhjphfgi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jckgicnp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lcfbdd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aqjdgmgd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iefcfe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bgaebe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cileqlmg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cnmfdb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ioooiack.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pplaki32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gqlebf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gpelnb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kljabgnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bfqpecma.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jimbkh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jolghndm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jlhhndno.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ndmecgba.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ihbcmaje.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jdnmma32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ljfapjbi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Agolnbok.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ojmpooah.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qeppdo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fheabelm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oioggmmc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Daofpchf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Elajgpmj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hahnac32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jondnnbk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cocphf32.exe -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Cfcijf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hneebcff.dll" Jmfafgbd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ompefj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnbamjbm.dll" Bgaebe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Gjbmelgm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Beackp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jpgjgboe.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Lddlkg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Cpiqmlfm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Folfoj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Gbadjg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cocphf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bafple32.dll" Hhcmhdke.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Nlhjhi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Qcachc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Lgehno32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Nfahomfd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Eijdkcgn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cfnmapnj.dll" Mjkgjl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ofaejacl.dll" Cnmfdb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogjbid32.dll" Eeaepd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Phnpagdp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Icblnd32.dll" Nhgnaehm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nbklpemb.dll" Ohiffh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cchbgi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jppgpfpi.dll" Lnpgeopa.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Nhdhif32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jolghndm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Nbflno32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Cillkbac.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ipeaco32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Knhjjj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Obokcqhk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pafdjmkq.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Cbffoabe.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pejmfqan.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hblgnkdh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kgnbnpkp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Calcpm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Iapgkl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Miehak32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hboddk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Odedge32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fdpkbf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibanaibn.dll" Ggfnopfg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pofkha32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Geeemeif.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bkjdndjo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Fnofjfhk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pbihfb32.dll" Hjofdi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ppnnai32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dmhgjdli.dll" Hjacjifm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Khielcfh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Akafaiao.dll" Ndqkleln.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mhonngce.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pkifdd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ieabog32.dll" Nmqpam32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bfdenafn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Moancj32.dll" Ffmkfifa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mbkpeake.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hihlqeib.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pmmeon32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Allefimb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bigkel32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2524 wrote to memory of 2484 2524 8ec1ade2b0f3343ee8d2670244f2f1a77377c96a59a4ed6edc3ba83ba78c248dN.exe 30 PID 2524 wrote to memory of 2484 2524 8ec1ade2b0f3343ee8d2670244f2f1a77377c96a59a4ed6edc3ba83ba78c248dN.exe 30 PID 2524 wrote to memory of 2484 2524 8ec1ade2b0f3343ee8d2670244f2f1a77377c96a59a4ed6edc3ba83ba78c248dN.exe 30 PID 2524 wrote to memory of 2484 2524 8ec1ade2b0f3343ee8d2670244f2f1a77377c96a59a4ed6edc3ba83ba78c248dN.exe 30 PID 2484 wrote to memory of 2692 2484 Edqocbkp.exe 31 PID 2484 wrote to memory of 2692 2484 Edqocbkp.exe 31 PID 2484 wrote to memory of 2692 2484 Edqocbkp.exe 31 PID 2484 wrote to memory of 2692 2484 Edqocbkp.exe 31 PID 2692 wrote to memory of 2872 2692 Elldgehk.exe 32 PID 2692 wrote to memory of 2872 2692 Elldgehk.exe 32 PID 2692 wrote to memory of 2872 2692 Elldgehk.exe 32 PID 2692 wrote to memory of 2872 2692 Elldgehk.exe 32 PID 2872 wrote to memory of 2836 2872 Ecfldoph.exe 33 PID 2872 wrote to memory of 2836 2872 Ecfldoph.exe 33 PID 2872 wrote to memory of 2836 2872 Ecfldoph.exe 33 PID 2872 wrote to memory of 2836 2872 Ecfldoph.exe 33 PID 2836 wrote to memory of 2832 2836 Elnqmd32.exe 34 PID 2836 wrote to memory of 2832 2836 Elnqmd32.exe 34 PID 2836 wrote to memory of 2832 2836 Elnqmd32.exe 34 PID 2836 wrote to memory of 2832 2836 Elnqmd32.exe 34 PID 2832 wrote to memory of 2604 2832 Fchijone.exe 35 PID 2832 wrote to memory of 2604 2832 Fchijone.exe 35 PID 2832 wrote to memory of 2604 2832 Fchijone.exe 35 PID 2832 wrote to memory of 2604 2832 Fchijone.exe 35 PID 2604 wrote to memory of 2892 2604 Fgcejm32.exe 36 PID 2604 wrote to memory of 2892 2604 Fgcejm32.exe 36 PID 2604 wrote to memory of 2892 2604 Fgcejm32.exe 36 PID 2604 wrote to memory of 2892 2604 Fgcejm32.exe 36 PID 2892 wrote to memory of 1196 2892 Fheabelm.exe 37 PID 2892 wrote to memory of 1196 2892 Fheabelm.exe 37 PID 2892 wrote to memory of 1196 2892 Fheabelm.exe 37 PID 2892 wrote to memory of 1196 2892 Fheabelm.exe 37 PID 1196 wrote to memory of 2688 1196 Fjdnlhco.exe 38 PID 1196 wrote to memory of 2688 1196 Fjdnlhco.exe 38 PID 1196 wrote to memory of 2688 1196 Fjdnlhco.exe 38 PID 1196 wrote to memory of 2688 1196 Fjdnlhco.exe 38 PID 2688 wrote to memory of 2920 2688 Fmcjhdbc.exe 39 PID 2688 wrote to memory of 2920 2688 Fmcjhdbc.exe 39 PID 2688 wrote to memory of 2920 2688 Fmcjhdbc.exe 39 PID 2688 wrote to memory of 2920 2688 Fmcjhdbc.exe 39 PID 2920 wrote to memory of 2912 2920 Fbpbpkpj.exe 40 PID 2920 wrote to memory of 2912 2920 Fbpbpkpj.exe 40 PID 2920 wrote to memory of 2912 2920 Fbpbpkpj.exe 40 PID 2920 wrote to memory of 2912 2920 Fbpbpkpj.exe 40 PID 2912 wrote to memory of 1028 2912 Ffkoai32.exe 41 PID 2912 wrote to memory of 1028 2912 Ffkoai32.exe 41 PID 2912 wrote to memory of 1028 2912 Ffkoai32.exe 41 PID 2912 wrote to memory of 1028 2912 Ffkoai32.exe 41 PID 1028 wrote to memory of 1492 1028 Foccjood.exe 42 PID 1028 wrote to memory of 1492 1028 Foccjood.exe 42 PID 1028 wrote to memory of 1492 1028 Foccjood.exe 42 PID 1028 wrote to memory of 1492 1028 Foccjood.exe 42 PID 1492 wrote to memory of 2104 1492 Ffmkfifa.exe 43 PID 1492 wrote to memory of 2104 1492 Ffmkfifa.exe 43 PID 1492 wrote to memory of 2104 1492 Ffmkfifa.exe 43 PID 1492 wrote to memory of 2104 1492 Ffmkfifa.exe 43 PID 2104 wrote to memory of 2964 2104 Fdpkbf32.exe 44 PID 2104 wrote to memory of 2964 2104 Fdpkbf32.exe 44 PID 2104 wrote to memory of 2964 2104 Fdpkbf32.exe 44 PID 2104 wrote to memory of 2964 2104 Fdpkbf32.exe 44 PID 2964 wrote to memory of 2320 2964 Fkjdopeh.exe 45 PID 2964 wrote to memory of 2320 2964 Fkjdopeh.exe 45 PID 2964 wrote to memory of 2320 2964 Fkjdopeh.exe 45 PID 2964 wrote to memory of 2320 2964 Fkjdopeh.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\8ec1ade2b0f3343ee8d2670244f2f1a77377c96a59a4ed6edc3ba83ba78c248dN.exe"C:\Users\Admin\AppData\Local\Temp\8ec1ade2b0f3343ee8d2670244f2f1a77377c96a59a4ed6edc3ba83ba78c248dN.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2524 -
C:\Windows\SysWOW64\Edqocbkp.exeC:\Windows\system32\Edqocbkp.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2484 -
C:\Windows\SysWOW64\Elldgehk.exeC:\Windows\system32\Elldgehk.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2692 -
C:\Windows\SysWOW64\Ecfldoph.exeC:\Windows\system32\Ecfldoph.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2872 -
C:\Windows\SysWOW64\Elnqmd32.exeC:\Windows\system32\Elnqmd32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2836 -
C:\Windows\SysWOW64\Fchijone.exeC:\Windows\system32\Fchijone.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2832 -
C:\Windows\SysWOW64\Fgcejm32.exeC:\Windows\system32\Fgcejm32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2604 -
C:\Windows\SysWOW64\Fheabelm.exeC:\Windows\system32\Fheabelm.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2892 -
C:\Windows\SysWOW64\Fjdnlhco.exeC:\Windows\system32\Fjdnlhco.exe9⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1196 -
C:\Windows\SysWOW64\Fmcjhdbc.exeC:\Windows\system32\Fmcjhdbc.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2688 -
C:\Windows\SysWOW64\Fbpbpkpj.exeC:\Windows\system32\Fbpbpkpj.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2920 -
C:\Windows\SysWOW64\Ffkoai32.exeC:\Windows\system32\Ffkoai32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2912 -
C:\Windows\SysWOW64\Foccjood.exeC:\Windows\system32\Foccjood.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1028 -
C:\Windows\SysWOW64\Ffmkfifa.exeC:\Windows\system32\Ffmkfifa.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1492 -
C:\Windows\SysWOW64\Fdpkbf32.exeC:\Windows\system32\Fdpkbf32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2104 -
C:\Windows\SysWOW64\Fkjdopeh.exeC:\Windows\system32\Fkjdopeh.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2964 -
C:\Windows\SysWOW64\Fqglggcp.exeC:\Windows\system32\Fqglggcp.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2320 -
C:\Windows\SysWOW64\Fgadda32.exeC:\Windows\system32\Fgadda32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1400 -
C:\Windows\SysWOW64\Gjpqpl32.exeC:\Windows\system32\Gjpqpl32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3064 -
C:\Windows\SysWOW64\Geeemeif.exeC:\Windows\system32\Geeemeif.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:952 -
C:\Windows\SysWOW64\Gjbmelgm.exeC:\Windows\system32\Gjbmelgm.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1652 -
C:\Windows\SysWOW64\Gnmifk32.exeC:\Windows\system32\Gnmifk32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:844 -
C:\Windows\SysWOW64\Gqlebf32.exeC:\Windows\system32\Gqlebf32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1008 -
C:\Windows\SysWOW64\Gcjbna32.exeC:\Windows\system32\Gcjbna32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:892 -
C:\Windows\SysWOW64\Ggfnopfg.exeC:\Windows\system32\Ggfnopfg.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2352 -
C:\Windows\SysWOW64\Gpabcbdb.exeC:\Windows\system32\Gpabcbdb.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2480 -
C:\Windows\SysWOW64\Giiglhjb.exeC:\Windows\system32\Giiglhjb.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2744 -
C:\Windows\SysWOW64\Gaqomeke.exeC:\Windows\system32\Gaqomeke.exe28⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2752 -
C:\Windows\SysWOW64\Gjicfk32.exeC:\Windows\system32\Gjicfk32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2608 -
C:\Windows\SysWOW64\Gildahhp.exeC:\Windows\system32\Gildahhp.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2712 -
C:\Windows\SysWOW64\Gpelnb32.exeC:\Windows\system32\Gpelnb32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1880 -
C:\Windows\SysWOW64\Hfpdkl32.exeC:\Windows\system32\Hfpdkl32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2620 -
C:\Windows\SysWOW64\Hmjlhfof.exeC:\Windows\system32\Hmjlhfof.exe33⤵
- Executes dropped EXE
PID:536 -
C:\Windows\SysWOW64\Hllmcc32.exeC:\Windows\system32\Hllmcc32.exe34⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1640 -
C:\Windows\SysWOW64\Hhcmhdke.exeC:\Windows\system32\Hhcmhdke.exe35⤵
- Executes dropped EXE
- Modifies registry class
PID:2820 -
C:\Windows\SysWOW64\Hbiaemkk.exeC:\Windows\system32\Hbiaemkk.exe36⤵
- Executes dropped EXE
PID:796 -
C:\Windows\SysWOW64\Hibjbgbh.exeC:\Windows\system32\Hibjbgbh.exe37⤵
- Executes dropped EXE
PID:1052 -
C:\Windows\SysWOW64\Hnpbjnpo.exeC:\Windows\system32\Hnpbjnpo.exe38⤵
- Executes dropped EXE
PID:1444 -
C:\Windows\SysWOW64\Hbknkl32.exeC:\Windows\system32\Hbknkl32.exe39⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1712 -
C:\Windows\SysWOW64\Hhhgcc32.exeC:\Windows\system32\Hhhgcc32.exe40⤵
- Executes dropped EXE
PID:1512 -
C:\Windows\SysWOW64\Hjfcpo32.exeC:\Windows\system32\Hjfcpo32.exe41⤵
- Executes dropped EXE
PID:3012 -
C:\Windows\SysWOW64\Helgmg32.exeC:\Windows\system32\Helgmg32.exe42⤵
- Executes dropped EXE
PID:1948 -
C:\Windows\SysWOW64\Hfmddp32.exeC:\Windows\system32\Hfmddp32.exe43⤵
- Executes dropped EXE
PID:2108 -
C:\Windows\SysWOW64\Hjipenda.exeC:\Windows\system32\Hjipenda.exe44⤵
- Executes dropped EXE
PID:1332 -
C:\Windows\SysWOW64\Hndlem32.exeC:\Windows\system32\Hndlem32.exe45⤵
- Executes dropped EXE
PID:2024 -
C:\Windows\SysWOW64\Iabhah32.exeC:\Windows\system32\Iabhah32.exe46⤵
- Executes dropped EXE
PID:2064 -
C:\Windows\SysWOW64\Idadnd32.exeC:\Windows\system32\Idadnd32.exe47⤵
- Executes dropped EXE
PID:560 -
C:\Windows\SysWOW64\Ifoqjo32.exeC:\Windows\system32\Ifoqjo32.exe48⤵
- Executes dropped EXE
PID:2540 -
C:\Windows\SysWOW64\Iinmfk32.exeC:\Windows\system32\Iinmfk32.exe49⤵PID:2392
-
C:\Windows\SysWOW64\Imiigiab.exeC:\Windows\system32\Imiigiab.exe50⤵
- Executes dropped EXE
PID:2288 -
C:\Windows\SysWOW64\Iaeegh32.exeC:\Windows\system32\Iaeegh32.exe51⤵
- Executes dropped EXE
PID:1808 -
C:\Windows\SysWOW64\Idcacc32.exeC:\Windows\system32\Idcacc32.exe52⤵
- Executes dropped EXE
PID:2244 -
C:\Windows\SysWOW64\Ibfaopoi.exeC:\Windows\system32\Ibfaopoi.exe53⤵
- Executes dropped EXE
PID:2884 -
C:\Windows\SysWOW64\Ifampo32.exeC:\Windows\system32\Ifampo32.exe54⤵
- Executes dropped EXE
PID:2628 -
C:\Windows\SysWOW64\Iipiljgf.exeC:\Windows\system32\Iipiljgf.exe55⤵
- Executes dropped EXE
PID:2616 -
C:\Windows\SysWOW64\Imleli32.exeC:\Windows\system32\Imleli32.exe56⤵
- Executes dropped EXE
PID:668 -
C:\Windows\SysWOW64\Ipjahd32.exeC:\Windows\system32\Ipjahd32.exe57⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:1236 -
C:\Windows\SysWOW64\Ipjahd32.exeC:\Windows\system32\Ipjahd32.exe58⤵
- Executes dropped EXE
PID:1560 -
C:\Windows\SysWOW64\Ibhndp32.exeC:\Windows\system32\Ibhndp32.exe59⤵
- Executes dropped EXE
PID:2004 -
C:\Windows\SysWOW64\Ifdjeoep.exeC:\Windows\system32\Ifdjeoep.exe60⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1960 -
C:\Windows\SysWOW64\Iibfajdc.exeC:\Windows\system32\Iibfajdc.exe61⤵
- Executes dropped EXE
PID:2092 -
C:\Windows\SysWOW64\Ilabmedg.exeC:\Windows\system32\Ilabmedg.exe62⤵
- Executes dropped EXE
PID:2144 -
C:\Windows\SysWOW64\Iplnnd32.exeC:\Windows\system32\Iplnnd32.exe63⤵
- Executes dropped EXE
PID:2228 -
C:\Windows\SysWOW64\Ioooiack.exeC:\Windows\system32\Ioooiack.exe64⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1624 -
C:\Windows\SysWOW64\Ibkkjp32.exeC:\Windows\system32\Ibkkjp32.exe65⤵
- Executes dropped EXE
PID:1684 -
C:\Windows\SysWOW64\Ieigfk32.exeC:\Windows\system32\Ieigfk32.exe66⤵
- Executes dropped EXE
PID:1752 -
C:\Windows\SysWOW64\Iiecgjba.exeC:\Windows\system32\Iiecgjba.exe67⤵PID:1244
-
C:\Windows\SysWOW64\Ihhcbf32.exeC:\Windows\system32\Ihhcbf32.exe68⤵PID:1824
-
C:\Windows\SysWOW64\Ilcoce32.exeC:\Windows\system32\Ilcoce32.exe69⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2756 -
C:\Windows\SysWOW64\Ioakoq32.exeC:\Windows\system32\Ioakoq32.exe70⤵PID:2828
-
C:\Windows\SysWOW64\Ibmgpoia.exeC:\Windows\system32\Ibmgpoia.exe71⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2812 -
C:\Windows\SysWOW64\Iapgkl32.exeC:\Windows\system32\Iapgkl32.exe72⤵
- Modifies registry class
PID:2648 -
C:\Windows\SysWOW64\Iigpli32.exeC:\Windows\system32\Iigpli32.exe73⤵PID:2380
-
C:\Windows\SysWOW64\Jhjphfgi.exeC:\Windows\system32\Jhjphfgi.exe74⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2844 -
C:\Windows\SysWOW64\Jkhldafl.exeC:\Windows\system32\Jkhldafl.exe75⤵PID:2984
-
C:\Windows\SysWOW64\Jodhdp32.exeC:\Windows\system32\Jodhdp32.exe76⤵
- System Location Discovery: System Language Discovery
PID:700 -
C:\Windows\SysWOW64\Jabdql32.exeC:\Windows\system32\Jabdql32.exe77⤵PID:760
-
C:\Windows\SysWOW64\Jenpajfb.exeC:\Windows\system32\Jenpajfb.exe78⤵PID:1816
-
C:\Windows\SysWOW64\Jdaqmg32.exeC:\Windows\system32\Jdaqmg32.exe79⤵PID:848
-
C:\Windows\SysWOW64\Jlhhndno.exeC:\Windows\system32\Jlhhndno.exe80⤵
- System Location Discovery: System Language Discovery
PID:1696 -
C:\Windows\SysWOW64\Jofejpmc.exeC:\Windows\system32\Jofejpmc.exe81⤵PID:1344
-
C:\Windows\SysWOW64\Jaeafklf.exeC:\Windows\system32\Jaeafklf.exe82⤵
- System Location Discovery: System Language Discovery
PID:2232 -
C:\Windows\SysWOW64\Jhoice32.exeC:\Windows\system32\Jhoice32.exe83⤵PID:1768
-
C:\Windows\SysWOW64\Jgaiobjn.exeC:\Windows\system32\Jgaiobjn.exe84⤵PID:1504
-
C:\Windows\SysWOW64\Jkmeoa32.exeC:\Windows\system32\Jkmeoa32.exe85⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:800 -
C:\Windows\SysWOW64\Jnkakl32.exeC:\Windows\system32\Jnkakl32.exe86⤵PID:2804
-
C:\Windows\SysWOW64\Jpjngh32.exeC:\Windows\system32\Jpjngh32.exe87⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1576 -
C:\Windows\SysWOW64\Jhafhe32.exeC:\Windows\system32\Jhafhe32.exe88⤵
- Drops file in System32 directory
PID:2760 -
C:\Windows\SysWOW64\Jgdfdbhk.exeC:\Windows\system32\Jgdfdbhk.exe89⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2612 -
C:\Windows\SysWOW64\Jjbbpmgo.exeC:\Windows\system32\Jjbbpmgo.exe90⤵PID:2788
-
C:\Windows\SysWOW64\Jnnnalph.exeC:\Windows\system32\Jnnnalph.exe91⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2500 -
C:\Windows\SysWOW64\Jaijak32.exeC:\Windows\system32\Jaijak32.exe92⤵PID:1800
-
C:\Windows\SysWOW64\Jckgicnp.exeC:\Windows\system32\Jckgicnp.exe93⤵
- System Location Discovery: System Language Discovery
PID:628 -
C:\Windows\SysWOW64\Jgfcja32.exeC:\Windows\system32\Jgfcja32.exe94⤵PID:1156
-
C:\Windows\SysWOW64\Jjdofm32.exeC:\Windows\system32\Jjdofm32.exe95⤵PID:1732
-
C:\Windows\SysWOW64\Kdjccf32.exeC:\Windows\system32\Kdjccf32.exe96⤵PID:1596
-
C:\Windows\SysWOW64\Kghpoa32.exeC:\Windows\system32\Kghpoa32.exe97⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:1848 -
C:\Windows\SysWOW64\Kfkpknkq.exeC:\Windows\system32\Kfkpknkq.exe98⤵PID:2824
-
C:\Windows\SysWOW64\Knbhlkkc.exeC:\Windows\system32\Knbhlkkc.exe99⤵PID:2888
-
C:\Windows\SysWOW64\Kpadhg32.exeC:\Windows\system32\Kpadhg32.exe100⤵PID:2212
-
C:\Windows\SysWOW64\Koddccaa.exeC:\Windows\system32\Koddccaa.exe101⤵PID:484
-
C:\Windows\SysWOW64\Kcopdb32.exeC:\Windows\system32\Kcopdb32.exe102⤵PID:320
-
C:\Windows\SysWOW64\Kjihalag.exeC:\Windows\system32\Kjihalag.exe103⤵PID:2028
-
C:\Windows\SysWOW64\Khlili32.exeC:\Windows\system32\Khlili32.exe104⤵PID:2116
-
C:\Windows\SysWOW64\Klhemhpk.exeC:\Windows\system32\Klhemhpk.exe105⤵PID:920
-
C:\Windows\SysWOW64\Kofaicon.exeC:\Windows\system32\Kofaicon.exe106⤵PID:2152
-
C:\Windows\SysWOW64\Kfpifm32.exeC:\Windows\system32\Kfpifm32.exe107⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:856 -
C:\Windows\SysWOW64\Khoebi32.exeC:\Windows\system32\Khoebi32.exe108⤵PID:2408
-
C:\Windows\SysWOW64\Kljabgnh.exeC:\Windows\system32\Kljabgnh.exe109⤵
- System Location Discovery: System Language Discovery
PID:340 -
C:\Windows\SysWOW64\Kkmand32.exeC:\Windows\system32\Kkmand32.exe110⤵PID:1756
-
C:\Windows\SysWOW64\Kohnoc32.exeC:\Windows\system32\Kohnoc32.exe111⤵PID:2600
-
C:\Windows\SysWOW64\Kfbfkmeh.exeC:\Windows\system32\Kfbfkmeh.exe112⤵PID:2156
-
C:\Windows\SysWOW64\Kllnhg32.exeC:\Windows\system32\Kllnhg32.exe113⤵PID:2088
-
C:\Windows\SysWOW64\Kokjdb32.exeC:\Windows\system32\Kokjdb32.exe114⤵PID:1548
-
C:\Windows\SysWOW64\Knnkpobc.exeC:\Windows\system32\Knnkpobc.exe115⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2096 -
C:\Windows\SysWOW64\Kfebambf.exeC:\Windows\system32\Kfebambf.exe116⤵
- Drops file in System32 directory
PID:2696 -
C:\Windows\SysWOW64\Kdhcli32.exeC:\Windows\system32\Kdhcli32.exe117⤵PID:2456
-
C:\Windows\SysWOW64\Kgfoie32.exeC:\Windows\system32\Kgfoie32.exe118⤵PID:2992
-
C:\Windows\SysWOW64\Lkakicam.exeC:\Windows\system32\Lkakicam.exe119⤵PID:2876
-
C:\Windows\SysWOW64\Lnpgeopa.exeC:\Windows\system32\Lnpgeopa.exe120⤵
- Modifies registry class
PID:2164 -
C:\Windows\SysWOW64\Lblcfnhj.exeC:\Windows\system32\Lblcfnhj.exe121⤵PID:2184
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-