Analysis
-
max time kernel
118s -
max time network
118s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
20/09/2024, 11:19
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
1de476805c5fe16ee4c470efaaaf2fada28bb2b2cbf0f6b22d714225dba2fb9bN.exe
Resource
win7-20240903-en
windows7-x64
8 signatures
120 seconds
Behavioral task
behavioral2
Sample
1de476805c5fe16ee4c470efaaaf2fada28bb2b2cbf0f6b22d714225dba2fb9bN.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
7 signatures
120 seconds
General
-
Target
1de476805c5fe16ee4c470efaaaf2fada28bb2b2cbf0f6b22d714225dba2fb9bN.exe
-
Size
80KB
-
MD5
b843ef7ce8efc2cf9559b47ab51c7e50
-
SHA1
ade37f0a3c944604ef4460e104f632803d14fb53
-
SHA256
1de476805c5fe16ee4c470efaaaf2fada28bb2b2cbf0f6b22d714225dba2fb9b
-
SHA512
8c000b954af18f8081c6c08985eb3cc1f07a91bde8649ec44042fcb0860e9186cbe6a2e44d338fd0529b09d21bea79202d2e0d145b0e7bf8cfb7c7e600cefcae
-
SSDEEP
1536:ylrlEalwsniftW6yq6g+gUZ4Y9SMNBSr6yiVXN+zL20gJi1i9:ylayiftW6rPIBS3iVXgzL20WKS
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fhjmfnok.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Einjdb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Olmela32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oippjl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ajmijmnn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Coacbfii.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ldheebad.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iahkpg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oibmpl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Objaha32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bhmaeg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fjhcegll.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Phcilf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bhdhefpc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jcciqi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dmepkn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Edaalk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Olmela32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fdpgph32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nplimbka.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Boogmgkl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mfjkdh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kdbbgdjj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bceibfgj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dfbnoc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gnphdceh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Emoldlmc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mikjpiim.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oiffkkbk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qjklenpa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Llomfpag.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nmflee32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ohdfqbio.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Anjnnk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jehlkhig.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mobomnoq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Afffenbp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ahebaiac.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hbdjcffd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nibqqh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Egmabg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oehgjfhi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ikqnlh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nmfbpk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cfkloq32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Feiddbbj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bogjaamh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hihlqeib.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jelfdc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ohfcfb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Alageg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jgjkfi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kjmnjkjd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hqnapb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kbhbai32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dfpaic32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Efljhq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gnphdceh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ejaphpnp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kmkihbho.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oibmpl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kgnkci32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dnefhpma.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bgllgedi.exe -
Executes dropped EXE 64 IoCs
pid Process 332 Fkpjnkig.exe 2372 Fnofjfhk.exe 1912 Fhdjgoha.exe 2820 Famope32.exe 2332 Fgigil32.exe 2272 Fjhcegll.exe 2856 Fdmhbplb.exe 2304 Ffodjh32.exe 2464 Flhmfbim.exe 2876 Fcbecl32.exe 2584 Fqfemqod.exe 1964 Gceailog.exe 2144 Gkpfmnlb.exe 2120 Golbnm32.exe 1160 Ghdgfbkl.exe 1032 Gkbcbn32.exe 1040 Gdkgkcpq.exe 1748 Gifclb32.exe 1692 Gncldi32.exe 1380 Gqahqd32.exe 704 Ggkqmoma.exe 780 Gjjmijme.exe 2428 Gbadjg32.exe 2412 Ggnmbn32.exe 1992 Hnheohcl.exe 2752 Hqfaldbo.exe 1632 Hgpjhn32.exe 2780 Hahnac32.exe 2764 Hgbfnngi.exe 2660 Hidcef32.exe 1036 Hmoofdea.exe 2996 Hcigco32.exe 1956 Hmalldcn.exe 2916 Hldlga32.exe 1936 Hcldhnkk.exe 2168 Hfjpdjjo.exe 2252 Hemqpf32.exe 2400 Hihlqeib.exe 1660 Hpbdmo32.exe 1144 Hneeilgj.exe 1344 Iflmjihl.exe 1676 Ieomef32.exe 2560 Ihniaa32.exe 2024 Iliebpfc.exe 2216 Ipeaco32.exe 2368 Inhanl32.exe 2096 Ibcnojnp.exe 2720 Iafnjg32.exe 2940 Ieajkfmd.exe 2816 Ihpfgalh.exe 2000 Illbhp32.exe 1712 Injndk32.exe 1432 Iahkpg32.exe 1684 Idgglb32.exe 1252 Ilnomp32.exe 3068 Ijqoilii.exe 2188 Inlkik32.exe 1520 Iakgefqe.exe 2080 Iefcfe32.exe 616 Ihdpbq32.exe 2032 Ifgpnmom.exe 1540 Ioohokoo.exe 1800 Imahkg32.exe 564 Ippdgc32.exe -
Loads dropped DLL 64 IoCs
pid Process 2148 1de476805c5fe16ee4c470efaaaf2fada28bb2b2cbf0f6b22d714225dba2fb9bN.exe 2148 1de476805c5fe16ee4c470efaaaf2fada28bb2b2cbf0f6b22d714225dba2fb9bN.exe 332 Fkpjnkig.exe 332 Fkpjnkig.exe 2372 Fnofjfhk.exe 2372 Fnofjfhk.exe 1912 Fhdjgoha.exe 1912 Fhdjgoha.exe 2820 Famope32.exe 2820 Famope32.exe 2332 Fgigil32.exe 2332 Fgigil32.exe 2272 Fjhcegll.exe 2272 Fjhcegll.exe 2856 Fdmhbplb.exe 2856 Fdmhbplb.exe 2304 Ffodjh32.exe 2304 Ffodjh32.exe 2464 Flhmfbim.exe 2464 Flhmfbim.exe 2876 Fcbecl32.exe 2876 Fcbecl32.exe 2584 Fqfemqod.exe 2584 Fqfemqod.exe 1964 Gceailog.exe 1964 Gceailog.exe 2144 Gkpfmnlb.exe 2144 Gkpfmnlb.exe 2120 Golbnm32.exe 2120 Golbnm32.exe 1160 Ghdgfbkl.exe 1160 Ghdgfbkl.exe 1032 Gkbcbn32.exe 1032 Gkbcbn32.exe 1040 Gdkgkcpq.exe 1040 Gdkgkcpq.exe 1748 Gifclb32.exe 1748 Gifclb32.exe 1692 Gncldi32.exe 1692 Gncldi32.exe 1380 Gqahqd32.exe 1380 Gqahqd32.exe 704 Ggkqmoma.exe 704 Ggkqmoma.exe 780 Gjjmijme.exe 780 Gjjmijme.exe 2428 Gbadjg32.exe 2428 Gbadjg32.exe 2412 Ggnmbn32.exe 2412 Ggnmbn32.exe 1992 Hnheohcl.exe 1992 Hnheohcl.exe 2752 Hqfaldbo.exe 2752 Hqfaldbo.exe 1632 Hgpjhn32.exe 1632 Hgpjhn32.exe 2780 Hahnac32.exe 2780 Hahnac32.exe 2764 Hgbfnngi.exe 2764 Hgbfnngi.exe 2660 Hidcef32.exe 2660 Hidcef32.exe 1036 Hmoofdea.exe 1036 Hmoofdea.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Gdkgkcpq.exe Gkbcbn32.exe File created C:\Windows\SysWOW64\Egpfmb32.dll Kdpfadlm.exe File created C:\Windows\SysWOW64\Bkdbhahq.dll Kddomchg.exe File opened for modification C:\Windows\SysWOW64\Lhknaf32.exe Ldpbpgoh.exe File opened for modification C:\Windows\SysWOW64\Pojecajj.exe Pgcmbcih.exe File opened for modification C:\Windows\SysWOW64\Fckhhgcf.exe Fplllkdc.exe File opened for modification C:\Windows\SysWOW64\Kokmmkcm.exe Klmqapci.exe File created C:\Windows\SysWOW64\Ikqnlh32.exe Icifjk32.exe File created C:\Windows\SysWOW64\Giddhc32.dll Oippjl32.exe File opened for modification C:\Windows\SysWOW64\Cchbgi32.exe Ceebklai.exe File created C:\Windows\SysWOW64\Epmadeed.dll Dhckfkbh.exe File created C:\Windows\SysWOW64\Fpcgndfi.dll Gjbpne32.exe File created C:\Windows\SysWOW64\Nbpghl32.exe Ncmglp32.exe File created C:\Windows\SysWOW64\Mehoblpm.dll Qhkipdeb.exe File opened for modification C:\Windows\SysWOW64\Ikldqile.exe Igqhpj32.exe File created C:\Windows\SysWOW64\Jampjian.exe Jondnnbk.exe File opened for modification C:\Windows\SysWOW64\Lnjcomcf.exe Lohccp32.exe File opened for modification C:\Windows\SysWOW64\Pblcbn32.exe Popgboae.exe File opened for modification C:\Windows\SysWOW64\Gaagcpdl.exe Gnfkba32.exe File created C:\Windows\SysWOW64\Pknbhi32.dll Jjjdhc32.exe File opened for modification C:\Windows\SysWOW64\Omnipjni.exe Oibmpl32.exe File created C:\Windows\SysWOW64\Dmepkn32.exe Diidjpbe.exe File created C:\Windows\SysWOW64\Nlfnje32.dll Gqodqodl.exe File created C:\Windows\SysWOW64\Mmccqbpm.exe Mhhgpc32.exe File opened for modification C:\Windows\SysWOW64\Hdbpekam.exe Hadcipbi.exe File created C:\Windows\SysWOW64\Llpfjomf.exe Libjncnc.exe File opened for modification C:\Windows\SysWOW64\Bjdkjpkb.exe Bbmcibjp.exe File opened for modification C:\Windows\SysWOW64\Cfmhdpnc.exe Cbblda32.exe File created C:\Windows\SysWOW64\Fibcoalf.exe Feggob32.exe File created C:\Windows\SysWOW64\Dhhgkj32.dll Ijkocg32.exe File opened for modification C:\Windows\SysWOW64\Fimoiopk.exe Feachqgb.exe File created C:\Windows\SysWOW64\Ifmocb32.exe Icncgf32.exe File created C:\Windows\SysWOW64\Gkcekfad.exe Glpepj32.exe File created C:\Windows\SysWOW64\Kkeecogo.exe Khghgchk.exe File created C:\Windows\SysWOW64\Dbfbnddq.exe Dokfme32.exe File created C:\Windows\SysWOW64\Kibemb32.dll Fcpacf32.exe File created C:\Windows\SysWOW64\Lpopbabj.dll Heliepmn.exe File created C:\Windows\SysWOW64\Acnlgajg.exe Apppkekc.exe File opened for modification C:\Windows\SysWOW64\Bddbjhlp.exe Bfabnl32.exe File created C:\Windows\SysWOW64\Ocfqdk32.dll Fhdmph32.exe File created C:\Windows\SysWOW64\Jcqlkjae.exe Jpepkk32.exe File created C:\Windows\SysWOW64\Omklkkpl.exe Oippjl32.exe File created C:\Windows\SysWOW64\Dhbggodl.dll Dpeiligo.exe File created C:\Windows\SysWOW64\Kmnfciac.dll Jfcabd32.exe File created C:\Windows\SysWOW64\Gaagcpdl.exe Gnfkba32.exe File created C:\Windows\SysWOW64\Oqfqioai.dll Kdbbgdjj.exe File opened for modification C:\Windows\SysWOW64\Qgmpibam.exe Qdncmgbj.exe File created C:\Windows\SysWOW64\Cgoelh32.exe Cileqlmg.exe File opened for modification C:\Windows\SysWOW64\Eanldqgf.exe Eopphehb.exe File created C:\Windows\SysWOW64\Najopl32.dll Hiqoeplo.exe File created C:\Windows\SysWOW64\Oeaqig32.exe Ncpdbohb.exe File created C:\Windows\SysWOW64\Loeccoai.dll Gmhkin32.exe File created C:\Windows\SysWOW64\Kfnpea32.dll Gkpfmnlb.exe File created C:\Windows\SysWOW64\Cbffoabe.exe Cnkjnb32.exe File created C:\Windows\SysWOW64\Gacdld32.dll Fdnjkh32.exe File created C:\Windows\SysWOW64\Hifbdnbi.exe Hfhfhbce.exe File created C:\Windows\SysWOW64\Fmdbnnlj.exe Fihfnp32.exe File created C:\Windows\SysWOW64\Oqfopomn.dll Hgeelf32.exe File opened for modification C:\Windows\SysWOW64\Kjhcag32.exe Khjgel32.exe File created C:\Windows\SysWOW64\Alihaioe.exe Qjklenpa.exe File opened for modification C:\Windows\SysWOW64\Mhhgpc32.exe Mfjkdh32.exe File created C:\Windows\SysWOW64\Qbnphngk.exe Qkghgpfi.exe File created C:\Windows\SysWOW64\Eeojcmfi.exe Efljhq32.exe File created C:\Windows\SysWOW64\Ikeebbaa.dll Gncnmane.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 10156 10132 WerFault.exe 1022 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Njjcip32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Joggci32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pbgjgomc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dfcgbb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fliook32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fqfemqod.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ljddjj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lqipkhbj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bqolji32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hqnapb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fooembgb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mggabaea.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lcblan32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ohipla32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ppkjac32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jbcjnnpl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kdbbgdjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pblcbn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Epeoaffo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dfmeccao.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Laqojfli.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ikqnlh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jfieigio.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dpnladjl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mcknhm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nbpghl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mmgfqh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fcmdnfad.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Deakjjbk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dpjbgh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Piabdiep.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cjogcm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cfehhn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cfoaho32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cqfbjhgf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eeldkonl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mqklqhpg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dhhhbg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oeaqig32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Omhhke32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eeagimdf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jfcabd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jondnnbk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oeindm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lgpdglhn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bmpkqklh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hbkqdepm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hjgehgnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hgbfnngi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nnoiio32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jjhgbd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kageia32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Imahkg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dgiaefgg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fihfnp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Phklaacg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ghlfjq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gqcnln32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lfkeokjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Inhanl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ifgpnmom.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ncinap32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lpflkb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hpbdmo32.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mclebc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mqbbagjo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dpjbgh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Igmbgk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Plbkfdba.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dnjoco32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cnimiblo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ddaemh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jlfnangf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kechdf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mfgnnhkc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mhqnpqce.dll" Cfehhn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nidmfh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Monoflqe.dll" Dljmlj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kfibhjlj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mappnp32.dll" Nmflee32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Epeoaffo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffakjm32.dll" Kjhcag32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mnaiol32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cgfkmgnj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Iladfn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pebncn32.dll" Lhhkapeh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ohfcfb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bbjpil32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ccbbachm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Khldkllj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pepcelel.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fhjmfnok.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fkkfgi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Anljck32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ppiidm32.dll" Bfoeil32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dcdkef32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oqfopomn.dll" Hgeelf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gkbcbn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pgcmbcih.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Knpbpo32.dll" Lonibk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Piabdiep.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ajhddk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fmfocnjg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffpfeq32.dll" Gqcnln32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ijkocg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Momfan32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Inbnhihl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Adiijqhm.dll" Phklaacg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mggljj32.dll" Gncldi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jfliim32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ckmnbg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gnphdceh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjnmkplj.dll" Godaakic.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hohkmj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cmehhn32.dll" Cgnnab32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dhbccb32.dll" Bknjfb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eppefg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gkpfmnlb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnbkfl32.dll" Cagienkb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Oaogognm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Popgboae.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aejlnmkm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Phoogg32.dll" Alddjg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Afliclij.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fganph32.dll" Fglfgd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hfdoodan.dll" Jbcjnnpl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Khielcfh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Padhdm32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2148 wrote to memory of 332 2148 1de476805c5fe16ee4c470efaaaf2fada28bb2b2cbf0f6b22d714225dba2fb9bN.exe 30 PID 2148 wrote to memory of 332 2148 1de476805c5fe16ee4c470efaaaf2fada28bb2b2cbf0f6b22d714225dba2fb9bN.exe 30 PID 2148 wrote to memory of 332 2148 1de476805c5fe16ee4c470efaaaf2fada28bb2b2cbf0f6b22d714225dba2fb9bN.exe 30 PID 2148 wrote to memory of 332 2148 1de476805c5fe16ee4c470efaaaf2fada28bb2b2cbf0f6b22d714225dba2fb9bN.exe 30 PID 332 wrote to memory of 2372 332 Fkpjnkig.exe 31 PID 332 wrote to memory of 2372 332 Fkpjnkig.exe 31 PID 332 wrote to memory of 2372 332 Fkpjnkig.exe 31 PID 332 wrote to memory of 2372 332 Fkpjnkig.exe 31 PID 2372 wrote to memory of 1912 2372 Fnofjfhk.exe 32 PID 2372 wrote to memory of 1912 2372 Fnofjfhk.exe 32 PID 2372 wrote to memory of 1912 2372 Fnofjfhk.exe 32 PID 2372 wrote to memory of 1912 2372 Fnofjfhk.exe 32 PID 1912 wrote to memory of 2820 1912 Fhdjgoha.exe 33 PID 1912 wrote to memory of 2820 1912 Fhdjgoha.exe 33 PID 1912 wrote to memory of 2820 1912 Fhdjgoha.exe 33 PID 1912 wrote to memory of 2820 1912 Fhdjgoha.exe 33 PID 2820 wrote to memory of 2332 2820 Famope32.exe 34 PID 2820 wrote to memory of 2332 2820 Famope32.exe 34 PID 2820 wrote to memory of 2332 2820 Famope32.exe 34 PID 2820 wrote to memory of 2332 2820 Famope32.exe 34 PID 2332 wrote to memory of 2272 2332 Fgigil32.exe 35 PID 2332 wrote to memory of 2272 2332 Fgigil32.exe 35 PID 2332 wrote to memory of 2272 2332 Fgigil32.exe 35 PID 2332 wrote to memory of 2272 2332 Fgigil32.exe 35 PID 2272 wrote to memory of 2856 2272 Fjhcegll.exe 36 PID 2272 wrote to memory of 2856 2272 Fjhcegll.exe 36 PID 2272 wrote to memory of 2856 2272 Fjhcegll.exe 36 PID 2272 wrote to memory of 2856 2272 Fjhcegll.exe 36 PID 2856 wrote to memory of 2304 2856 Fdmhbplb.exe 37 PID 2856 wrote to memory of 2304 2856 Fdmhbplb.exe 37 PID 2856 wrote to memory of 2304 2856 Fdmhbplb.exe 37 PID 2856 wrote to memory of 2304 2856 Fdmhbplb.exe 37 PID 2304 wrote to memory of 2464 2304 Ffodjh32.exe 38 PID 2304 wrote to memory of 2464 2304 Ffodjh32.exe 38 PID 2304 wrote to memory of 2464 2304 Ffodjh32.exe 38 PID 2304 wrote to memory of 2464 2304 Ffodjh32.exe 38 PID 2464 wrote to memory of 2876 2464 Flhmfbim.exe 39 PID 2464 wrote to memory of 2876 2464 Flhmfbim.exe 39 PID 2464 wrote to memory of 2876 2464 Flhmfbim.exe 39 PID 2464 wrote to memory of 2876 2464 Flhmfbim.exe 39 PID 2876 wrote to memory of 2584 2876 Fcbecl32.exe 40 PID 2876 wrote to memory of 2584 2876 Fcbecl32.exe 40 PID 2876 wrote to memory of 2584 2876 Fcbecl32.exe 40 PID 2876 wrote to memory of 2584 2876 Fcbecl32.exe 40 PID 2584 wrote to memory of 1964 2584 Fqfemqod.exe 41 PID 2584 wrote to memory of 1964 2584 Fqfemqod.exe 41 PID 2584 wrote to memory of 1964 2584 Fqfemqod.exe 41 PID 2584 wrote to memory of 1964 2584 Fqfemqod.exe 41 PID 1964 wrote to memory of 2144 1964 Gceailog.exe 42 PID 1964 wrote to memory of 2144 1964 Gceailog.exe 42 PID 1964 wrote to memory of 2144 1964 Gceailog.exe 42 PID 1964 wrote to memory of 2144 1964 Gceailog.exe 42 PID 2144 wrote to memory of 2120 2144 Gkpfmnlb.exe 43 PID 2144 wrote to memory of 2120 2144 Gkpfmnlb.exe 43 PID 2144 wrote to memory of 2120 2144 Gkpfmnlb.exe 43 PID 2144 wrote to memory of 2120 2144 Gkpfmnlb.exe 43 PID 2120 wrote to memory of 1160 2120 Golbnm32.exe 44 PID 2120 wrote to memory of 1160 2120 Golbnm32.exe 44 PID 2120 wrote to memory of 1160 2120 Golbnm32.exe 44 PID 2120 wrote to memory of 1160 2120 Golbnm32.exe 44 PID 1160 wrote to memory of 1032 1160 Ghdgfbkl.exe 45 PID 1160 wrote to memory of 1032 1160 Ghdgfbkl.exe 45 PID 1160 wrote to memory of 1032 1160 Ghdgfbkl.exe 45 PID 1160 wrote to memory of 1032 1160 Ghdgfbkl.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\1de476805c5fe16ee4c470efaaaf2fada28bb2b2cbf0f6b22d714225dba2fb9bN.exe"C:\Users\Admin\AppData\Local\Temp\1de476805c5fe16ee4c470efaaaf2fada28bb2b2cbf0f6b22d714225dba2fb9bN.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2148 -
C:\Windows\SysWOW64\Fkpjnkig.exeC:\Windows\system32\Fkpjnkig.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:332 -
C:\Windows\SysWOW64\Fnofjfhk.exeC:\Windows\system32\Fnofjfhk.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2372 -
C:\Windows\SysWOW64\Fhdjgoha.exeC:\Windows\system32\Fhdjgoha.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1912 -
C:\Windows\SysWOW64\Famope32.exeC:\Windows\system32\Famope32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2820 -
C:\Windows\SysWOW64\Fgigil32.exeC:\Windows\system32\Fgigil32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2332 -
C:\Windows\SysWOW64\Fjhcegll.exeC:\Windows\system32\Fjhcegll.exe7⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2272 -
C:\Windows\SysWOW64\Fdmhbplb.exeC:\Windows\system32\Fdmhbplb.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2856 -
C:\Windows\SysWOW64\Ffodjh32.exeC:\Windows\system32\Ffodjh32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2304 -
C:\Windows\SysWOW64\Flhmfbim.exeC:\Windows\system32\Flhmfbim.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2464 -
C:\Windows\SysWOW64\Fcbecl32.exeC:\Windows\system32\Fcbecl32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2876 -
C:\Windows\SysWOW64\Fqfemqod.exeC:\Windows\system32\Fqfemqod.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2584 -
C:\Windows\SysWOW64\Gceailog.exeC:\Windows\system32\Gceailog.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1964 -
C:\Windows\SysWOW64\Gkpfmnlb.exeC:\Windows\system32\Gkpfmnlb.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2144 -
C:\Windows\SysWOW64\Golbnm32.exeC:\Windows\system32\Golbnm32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2120 -
C:\Windows\SysWOW64\Ghdgfbkl.exeC:\Windows\system32\Ghdgfbkl.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1160 -
C:\Windows\SysWOW64\Gkbcbn32.exeC:\Windows\system32\Gkbcbn32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:1032 -
C:\Windows\SysWOW64\Gdkgkcpq.exeC:\Windows\system32\Gdkgkcpq.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1040 -
C:\Windows\SysWOW64\Gifclb32.exeC:\Windows\system32\Gifclb32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1748 -
C:\Windows\SysWOW64\Gncldi32.exeC:\Windows\system32\Gncldi32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1692 -
C:\Windows\SysWOW64\Gqahqd32.exeC:\Windows\system32\Gqahqd32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1380 -
C:\Windows\SysWOW64\Ggkqmoma.exeC:\Windows\system32\Ggkqmoma.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:704 -
C:\Windows\SysWOW64\Gjjmijme.exeC:\Windows\system32\Gjjmijme.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:780 -
C:\Windows\SysWOW64\Gbadjg32.exeC:\Windows\system32\Gbadjg32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2428 -
C:\Windows\SysWOW64\Ggnmbn32.exeC:\Windows\system32\Ggnmbn32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2412 -
C:\Windows\SysWOW64\Hnheohcl.exeC:\Windows\system32\Hnheohcl.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1992 -
C:\Windows\SysWOW64\Hqfaldbo.exeC:\Windows\system32\Hqfaldbo.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2752 -
C:\Windows\SysWOW64\Hgpjhn32.exeC:\Windows\system32\Hgpjhn32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1632 -
C:\Windows\SysWOW64\Hahnac32.exeC:\Windows\system32\Hahnac32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2780 -
C:\Windows\SysWOW64\Hgbfnngi.exeC:\Windows\system32\Hgbfnngi.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2764 -
C:\Windows\SysWOW64\Hidcef32.exeC:\Windows\system32\Hidcef32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2660 -
C:\Windows\SysWOW64\Hmoofdea.exeC:\Windows\system32\Hmoofdea.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1036 -
C:\Windows\SysWOW64\Hcigco32.exeC:\Windows\system32\Hcigco32.exe33⤵
- Executes dropped EXE
PID:2996 -
C:\Windows\SysWOW64\Hmalldcn.exeC:\Windows\system32\Hmalldcn.exe34⤵
- Executes dropped EXE
PID:1956 -
C:\Windows\SysWOW64\Hldlga32.exeC:\Windows\system32\Hldlga32.exe35⤵
- Executes dropped EXE
PID:2916 -
C:\Windows\SysWOW64\Hcldhnkk.exeC:\Windows\system32\Hcldhnkk.exe36⤵
- Executes dropped EXE
PID:1936 -
C:\Windows\SysWOW64\Hfjpdjjo.exeC:\Windows\system32\Hfjpdjjo.exe37⤵
- Executes dropped EXE
PID:2168 -
C:\Windows\SysWOW64\Hemqpf32.exeC:\Windows\system32\Hemqpf32.exe38⤵
- Executes dropped EXE
PID:2252 -
C:\Windows\SysWOW64\Hihlqeib.exeC:\Windows\system32\Hihlqeib.exe39⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2400 -
C:\Windows\SysWOW64\Hpbdmo32.exeC:\Windows\system32\Hpbdmo32.exe40⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1660 -
C:\Windows\SysWOW64\Hneeilgj.exeC:\Windows\system32\Hneeilgj.exe41⤵
- Executes dropped EXE
PID:1144 -
C:\Windows\SysWOW64\Iflmjihl.exeC:\Windows\system32\Iflmjihl.exe42⤵
- Executes dropped EXE
PID:1344 -
C:\Windows\SysWOW64\Ieomef32.exeC:\Windows\system32\Ieomef32.exe43⤵
- Executes dropped EXE
PID:1676 -
C:\Windows\SysWOW64\Ihniaa32.exeC:\Windows\system32\Ihniaa32.exe44⤵
- Executes dropped EXE
PID:2560 -
C:\Windows\SysWOW64\Iliebpfc.exeC:\Windows\system32\Iliebpfc.exe45⤵
- Executes dropped EXE
PID:2024 -
C:\Windows\SysWOW64\Ipeaco32.exeC:\Windows\system32\Ipeaco32.exe46⤵
- Executes dropped EXE
PID:2216 -
C:\Windows\SysWOW64\Inhanl32.exeC:\Windows\system32\Inhanl32.exe47⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2368 -
C:\Windows\SysWOW64\Ibcnojnp.exeC:\Windows\system32\Ibcnojnp.exe48⤵
- Executes dropped EXE
PID:2096 -
C:\Windows\SysWOW64\Iafnjg32.exeC:\Windows\system32\Iafnjg32.exe49⤵
- Executes dropped EXE
PID:2720 -
C:\Windows\SysWOW64\Ieajkfmd.exeC:\Windows\system32\Ieajkfmd.exe50⤵
- Executes dropped EXE
PID:2940 -
C:\Windows\SysWOW64\Ihpfgalh.exeC:\Windows\system32\Ihpfgalh.exe51⤵
- Executes dropped EXE
PID:2816 -
C:\Windows\SysWOW64\Illbhp32.exeC:\Windows\system32\Illbhp32.exe52⤵
- Executes dropped EXE
PID:2000 -
C:\Windows\SysWOW64\Injndk32.exeC:\Windows\system32\Injndk32.exe53⤵
- Executes dropped EXE
PID:1712 -
C:\Windows\SysWOW64\Iahkpg32.exeC:\Windows\system32\Iahkpg32.exe54⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1432 -
C:\Windows\SysWOW64\Idgglb32.exeC:\Windows\system32\Idgglb32.exe55⤵
- Executes dropped EXE
PID:1684 -
C:\Windows\SysWOW64\Ilnomp32.exeC:\Windows\system32\Ilnomp32.exe56⤵
- Executes dropped EXE
PID:1252 -
C:\Windows\SysWOW64\Ijqoilii.exeC:\Windows\system32\Ijqoilii.exe57⤵
- Executes dropped EXE
PID:3068 -
C:\Windows\SysWOW64\Inlkik32.exeC:\Windows\system32\Inlkik32.exe58⤵
- Executes dropped EXE
PID:2188 -
C:\Windows\SysWOW64\Iakgefqe.exeC:\Windows\system32\Iakgefqe.exe59⤵
- Executes dropped EXE
PID:1520 -
C:\Windows\SysWOW64\Iefcfe32.exeC:\Windows\system32\Iefcfe32.exe60⤵
- Executes dropped EXE
PID:2080 -
C:\Windows\SysWOW64\Ihdpbq32.exeC:\Windows\system32\Ihdpbq32.exe61⤵
- Executes dropped EXE
PID:616 -
C:\Windows\SysWOW64\Ifgpnmom.exeC:\Windows\system32\Ifgpnmom.exe62⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2032 -
C:\Windows\SysWOW64\Ioohokoo.exeC:\Windows\system32\Ioohokoo.exe63⤵
- Executes dropped EXE
PID:1540 -
C:\Windows\SysWOW64\Imahkg32.exeC:\Windows\system32\Imahkg32.exe64⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1800 -
C:\Windows\SysWOW64\Ippdgc32.exeC:\Windows\system32\Ippdgc32.exe65⤵
- Executes dropped EXE
PID:564 -
C:\Windows\SysWOW64\Ihglhp32.exeC:\Windows\system32\Ihglhp32.exe66⤵PID:1728
-
C:\Windows\SysWOW64\Ifjlcmmj.exeC:\Windows\system32\Ifjlcmmj.exe67⤵PID:596
-
C:\Windows\SysWOW64\Ijehdl32.exeC:\Windows\system32\Ijehdl32.exe68⤵PID:2852
-
C:\Windows\SysWOW64\Jmdepg32.exeC:\Windows\system32\Jmdepg32.exe69⤵PID:2012
-
C:\Windows\SysWOW64\Jpbalb32.exeC:\Windows\system32\Jpbalb32.exe70⤵PID:2596
-
C:\Windows\SysWOW64\Jdnmma32.exeC:\Windows\system32\Jdnmma32.exe71⤵PID:3036
-
C:\Windows\SysWOW64\Jbqmhnbo.exeC:\Windows\system32\Jbqmhnbo.exe72⤵PID:2060
-
C:\Windows\SysWOW64\Jfliim32.exeC:\Windows\system32\Jfliim32.exe73⤵
- Modifies registry class
PID:840 -
C:\Windows\SysWOW64\Jmfafgbd.exeC:\Windows\system32\Jmfafgbd.exe74⤵PID:1612
-
C:\Windows\SysWOW64\Jpdnbbah.exeC:\Windows\system32\Jpdnbbah.exe75⤵PID:2448
-
C:\Windows\SysWOW64\Jdpjba32.exeC:\Windows\system32\Jdpjba32.exe76⤵PID:2396
-
C:\Windows\SysWOW64\Jbcjnnpl.exeC:\Windows\system32\Jbcjnnpl.exe77⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1276 -
C:\Windows\SysWOW64\Jeafjiop.exeC:\Windows\system32\Jeafjiop.exe78⤵PID:1888
-
C:\Windows\SysWOW64\Jimbkh32.exeC:\Windows\system32\Jimbkh32.exe79⤵PID:2008
-
C:\Windows\SysWOW64\Jmhnkfpa.exeC:\Windows\system32\Jmhnkfpa.exe80⤵PID:956
-
C:\Windows\SysWOW64\Jpgjgboe.exeC:\Windows\system32\Jpgjgboe.exe81⤵PID:344
-
C:\Windows\SysWOW64\Jojkco32.exeC:\Windows\system32\Jojkco32.exe82⤵PID:2960
-
C:\Windows\SysWOW64\Jgabdlfb.exeC:\Windows\system32\Jgabdlfb.exe83⤵PID:2676
-
C:\Windows\SysWOW64\Jedcpi32.exeC:\Windows\system32\Jedcpi32.exe84⤵PID:2944
-
C:\Windows\SysWOW64\Jhbold32.exeC:\Windows\system32\Jhbold32.exe85⤵PID:2624
-
C:\Windows\SysWOW64\Jpigma32.exeC:\Windows\system32\Jpigma32.exe86⤵PID:2592
-
C:\Windows\SysWOW64\Jolghndm.exeC:\Windows\system32\Jolghndm.exe87⤵PID:636
-
C:\Windows\SysWOW64\Jajcdjca.exeC:\Windows\system32\Jajcdjca.exe88⤵PID:1916
-
C:\Windows\SysWOW64\Jefpeh32.exeC:\Windows\system32\Jefpeh32.exe89⤵PID:1596
-
C:\Windows\SysWOW64\Jhdlad32.exeC:\Windows\system32\Jhdlad32.exe90⤵PID:2692
-
C:\Windows\SysWOW64\Jlphbbbg.exeC:\Windows\system32\Jlphbbbg.exe91⤵PID:2220
-
C:\Windows\SysWOW64\Jkchmo32.exeC:\Windows\system32\Jkchmo32.exe92⤵PID:2124
-
C:\Windows\SysWOW64\Jondnnbk.exeC:\Windows\system32\Jondnnbk.exe93⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1944 -
C:\Windows\SysWOW64\Jampjian.exeC:\Windows\system32\Jampjian.exe94⤵PID:1672
-
C:\Windows\SysWOW64\Jehlkhig.exeC:\Windows\system32\Jehlkhig.exe95⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2460 -
C:\Windows\SysWOW64\Khghgchk.exeC:\Windows\system32\Khghgchk.exe96⤵
- Drops file in System32 directory
PID:2356 -
C:\Windows\SysWOW64\Kkeecogo.exeC:\Windows\system32\Kkeecogo.exe97⤵PID:2112
-
C:\Windows\SysWOW64\Koaqcn32.exeC:\Windows\system32\Koaqcn32.exe98⤵PID:2788
-
C:\Windows\SysWOW64\Kncaojfb.exeC:\Windows\system32\Kncaojfb.exe99⤵PID:2620
-
C:\Windows\SysWOW64\Kekiphge.exeC:\Windows\system32\Kekiphge.exe100⤵PID:2616
-
C:\Windows\SysWOW64\Kdnild32.exeC:\Windows\system32\Kdnild32.exe101⤵PID:1312
-
C:\Windows\SysWOW64\Khielcfh.exeC:\Windows\system32\Khielcfh.exe102⤵
- Modifies registry class
PID:820 -
C:\Windows\SysWOW64\Kkgahoel.exeC:\Windows\system32\Kkgahoel.exe103⤵PID:1308
-
C:\Windows\SysWOW64\Knfndjdp.exeC:\Windows\system32\Knfndjdp.exe104⤵PID:3028
-
C:\Windows\SysWOW64\Kaajei32.exeC:\Windows\system32\Kaajei32.exe105⤵PID:1264
-
C:\Windows\SysWOW64\Kdpfadlm.exeC:\Windows\system32\Kdpfadlm.exe106⤵
- Drops file in System32 directory
PID:1868 -
C:\Windows\SysWOW64\Kgnbnpkp.exeC:\Windows\system32\Kgnbnpkp.exe107⤵PID:1124
-
C:\Windows\SysWOW64\Kkjnnn32.exeC:\Windows\system32\Kkjnnn32.exe108⤵PID:2424
-
C:\Windows\SysWOW64\Kjmnjkjd.exeC:\Windows\system32\Kjmnjkjd.exe109⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:788 -
C:\Windows\SysWOW64\Kadfkhkf.exeC:\Windows\system32\Kadfkhkf.exe110⤵PID:2756
-
C:\Windows\SysWOW64\Kdbbgdjj.exeC:\Windows\system32\Kdbbgdjj.exe111⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2672 -
C:\Windows\SysWOW64\Kcecbq32.exeC:\Windows\system32\Kcecbq32.exe112⤵PID:2648
-
C:\Windows\SysWOW64\Kklkcn32.exeC:\Windows\system32\Kklkcn32.exe113⤵PID:2696
-
C:\Windows\SysWOW64\Knkgpi32.exeC:\Windows\system32\Knkgpi32.exe114⤵PID:3056
-
C:\Windows\SysWOW64\Klngkfge.exeC:\Windows\system32\Klngkfge.exe115⤵PID:1476
-
C:\Windows\SysWOW64\Kddomchg.exeC:\Windows\system32\Kddomchg.exe116⤵
- Drops file in System32 directory
PID:1600 -
C:\Windows\SysWOW64\Kpkpadnl.exeC:\Windows\system32\Kpkpadnl.exe117⤵PID:912
-
C:\Windows\SysWOW64\Lonpma32.exeC:\Windows\system32\Lonpma32.exe118⤵PID:2228
-
C:\Windows\SysWOW64\Lgehno32.exeC:\Windows\system32\Lgehno32.exe119⤵PID:2484
-
C:\Windows\SysWOW64\Lfhhjklc.exeC:\Windows\system32\Lfhhjklc.exe120⤵PID:2728
-
C:\Windows\SysWOW64\Ljddjj32.exeC:\Windows\system32\Ljddjj32.exe121⤵
- System Location Discovery: System Language Discovery
PID:2768
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-