Analysis
-
max time kernel
27s -
max time network
19s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
20-09-2024 19:30
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
3dc09ca4633a193b2cf059506e106bdbeadc6620c386867b3df916d5cbd8ebbf.exe
Resource
win7-20240903-en
windows7-x64
8 signatures
150 seconds
Behavioral task
behavioral2
Sample
3dc09ca4633a193b2cf059506e106bdbeadc6620c386867b3df916d5cbd8ebbf.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
7 signatures
150 seconds
General
-
Target
3dc09ca4633a193b2cf059506e106bdbeadc6620c386867b3df916d5cbd8ebbf.exe
-
Size
64KB
-
MD5
6d0f2e73664d5d390ca2f47e1baf8e28
-
SHA1
e3d4f2155ab281b0b342bab3ef2390677dc41075
-
SHA256
3dc09ca4633a193b2cf059506e106bdbeadc6620c386867b3df916d5cbd8ebbf
-
SHA512
82d9cfaa55adc2364a9fa19752cd538f6c831a1fd6ef478c2784f11be9feeb8a6ad394545c55472de3b06e417f7ff07633e3a14df11f4bf69b5f004ff9267505
-
SSDEEP
1536:wgSAcFbt0yHmH5Fn3kn9F62zJA2/jU46UXruCHcpzt/Idn:e7btHHmH5FnU9l7jUFpFwn
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qdhcinme.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dajlhc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kdincdcl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dlcfnk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dbidof32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Homfboco.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oafclh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kkfjpemb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lkccob32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ndfppije.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dmcibdad.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lpbhmiji.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gmegkd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fagnmkjm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ojoood32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Djibogkn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jpdibapb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pihnqj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jmpqbnmp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lnipgp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aellfe32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ckdpinhf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Phckglbq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lccepqdo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jpcfih32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hggeeo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mkqbhf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dippfplg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ppbfmdfo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lngpac32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aenileon.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Foqadnpq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gdpfbd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gnhkkjbf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hjmolp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jmpqbnmp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eelfedpa.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Keekeg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dkolblkk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Apapcnaf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mjofanld.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jinghn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bnqcaffa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Djqcki32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aellfe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fmjkbfnh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jfnaok32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pejejkhl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Alqplmlb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Epjdbn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Geplpfnh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Imccab32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mccaodgj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eoanij32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kanfgofa.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kaieai32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jpalmaad.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jpalmaad.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ibbffq32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kokppd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nqkgbkdj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Epmahmcm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kcdljghj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lgjcdc32.exe -
Executes dropped EXE 64 IoCs
pid Process 2984 Eocieq32.exe 2756 Eiimci32.exe 2996 Elgioe32.exe 2812 Fadagl32.exe 2824 Fagnmkjm.exe 2724 Fgcgebhd.exe 1584 Fdggofgn.exe 1152 Fakhhk32.exe 1292 Fnbhmlkk.exe 1744 Gfmmanif.exe 1572 Gmgenh32.exe 1436 Gjkfglom.exe 1760 Gohnpcmd.exe 2616 Gojkecka.exe 1732 Gdgcnj32.exe 2280 Gghloe32.exe 1476 Higiih32.exe 1444 Hgmfjdbe.exe 2228 Haejcj32.exe 832 Hjmolp32.exe 2388 Haggijgb.exe 2104 Hmnhnk32.exe 1612 Hbkpfa32.exe 2808 Ilceog32.exe 2992 Ibmmkaik.exe 2916 Ibpjaagi.exe 2704 Ibbffq32.exe 2672 Ijmkkc32.exe 1076 Iecohl32.exe 2184 Ijphqbpo.exe 600 Jdhlih32.exe 884 Jmpqbnmp.exe 2036 Jhfepfme.exe 664 Jpajdi32.exe 1652 Jfkbqcam.exe 2336 Jpcfih32.exe 1016 Jljgni32.exe 2056 Jgpklb32.exe 2176 Jinghn32.exe 2496 Jlmddi32.exe 1116 Kokppd32.exe 628 Kaillp32.exe 1984 Khcdijac.exe 1100 Kciifc32.exe 1088 Kheaoj32.exe 2368 Kanfgofa.exe 1604 Khhndi32.exe 2760 Kkfjpemb.exe 2928 Kpcbhlki.exe 2788 Kkigfdjo.exe 2892 Kabobo32.exe 2172 Kcdljghj.exe 2696 Lnipgp32.exe 284 Ldchdjom.exe 2700 Lfedlb32.exe 2424 Lomidgkl.exe 2232 Ljbmbpkb.exe 1460 Lpmeojbo.exe 1256 Lfingaaf.exe 2348 Lkffohon.exe 3012 Lbpolb32.exe 1956 Llfcik32.exe 2188 Lngpac32.exe 2524 Mdahnmck.exe -
Loads dropped DLL 64 IoCs
pid Process 3060 3dc09ca4633a193b2cf059506e106bdbeadc6620c386867b3df916d5cbd8ebbf.exe 3060 3dc09ca4633a193b2cf059506e106bdbeadc6620c386867b3df916d5cbd8ebbf.exe 2984 Eocieq32.exe 2984 Eocieq32.exe 2756 Eiimci32.exe 2756 Eiimci32.exe 2996 Elgioe32.exe 2996 Elgioe32.exe 2812 Fadagl32.exe 2812 Fadagl32.exe 2824 Fagnmkjm.exe 2824 Fagnmkjm.exe 2724 Fgcgebhd.exe 2724 Fgcgebhd.exe 1584 Fdggofgn.exe 1584 Fdggofgn.exe 1152 Fakhhk32.exe 1152 Fakhhk32.exe 1292 Fnbhmlkk.exe 1292 Fnbhmlkk.exe 1744 Gfmmanif.exe 1744 Gfmmanif.exe 1572 Gmgenh32.exe 1572 Gmgenh32.exe 1436 Gjkfglom.exe 1436 Gjkfglom.exe 1760 Gohnpcmd.exe 1760 Gohnpcmd.exe 2616 Gojkecka.exe 2616 Gojkecka.exe 1732 Gdgcnj32.exe 1732 Gdgcnj32.exe 2280 Gghloe32.exe 2280 Gghloe32.exe 1476 Higiih32.exe 1476 Higiih32.exe 1444 Hgmfjdbe.exe 1444 Hgmfjdbe.exe 2228 Haejcj32.exe 2228 Haejcj32.exe 832 Hjmolp32.exe 832 Hjmolp32.exe 2388 Haggijgb.exe 2388 Haggijgb.exe 2104 Hmnhnk32.exe 2104 Hmnhnk32.exe 1612 Hbkpfa32.exe 1612 Hbkpfa32.exe 2808 Ilceog32.exe 2808 Ilceog32.exe 2992 Ibmmkaik.exe 2992 Ibmmkaik.exe 2916 Ibpjaagi.exe 2916 Ibpjaagi.exe 2704 Ibbffq32.exe 2704 Ibbffq32.exe 2672 Ijmkkc32.exe 2672 Ijmkkc32.exe 1076 Iecohl32.exe 1076 Iecohl32.exe 2184 Ijphqbpo.exe 2184 Ijphqbpo.exe 600 Jdhlih32.exe 600 Jdhlih32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Haejcj32.exe Hgmfjdbe.exe File created C:\Windows\SysWOW64\Ccdhfhda.dll Hjmolp32.exe File created C:\Windows\SysWOW64\Ppjjcogn.exe Pknakhig.exe File opened for modification C:\Windows\SysWOW64\Ppjjcogn.exe Pknakhig.exe File opened for modification C:\Windows\SysWOW64\Aellfe32.exe Qpocno32.exe File opened for modification C:\Windows\SysWOW64\Ojoood32.exe Ohqbbi32.exe File created C:\Windows\SysWOW64\Odefpfcd.dll Ajbdpblo.exe File opened for modification C:\Windows\SysWOW64\Djibogkn.exe Dcojbm32.exe File opened for modification C:\Windows\SysWOW64\Bcdbjl32.exe Bnhjae32.exe File opened for modification C:\Windows\SysWOW64\Lccepqdo.exe Khnqbhdi.exe File created C:\Windows\SysWOW64\Higiih32.exe Gghloe32.exe File created C:\Windows\SysWOW64\Dahgqohh.dll Kabobo32.exe File created C:\Windows\SysWOW64\Nnoaan32.dll Keodflee.exe File created C:\Windows\SysWOW64\Emqfen32.dll Qamleagn.exe File created C:\Windows\SysWOW64\Hneddmal.dll Agchdfmk.exe File created C:\Windows\SysWOW64\Fhaibnim.exe Fagqed32.exe File created C:\Windows\SysWOW64\Ncjalh32.dll Jijqeg32.exe File opened for modification C:\Windows\SysWOW64\Eiimci32.exe Eocieq32.exe File opened for modification C:\Windows\SysWOW64\Haggijgb.exe Hjmolp32.exe File created C:\Windows\SysWOW64\Qggoeilh.exe Qdhcinme.exe File opened for modification C:\Windows\SysWOW64\Hqhiab32.exe Hnimeg32.exe File opened for modification C:\Windows\SysWOW64\Ijpjik32.exe Iganmp32.exe File created C:\Windows\SysWOW64\Akcaajnk.dll Lmjbphod.exe File created C:\Windows\SysWOW64\Ogkbmcba.exe Obniel32.exe File created C:\Windows\SysWOW64\Geplpfnh.exe Gpccgppq.exe File opened for modification C:\Windows\SysWOW64\Ieohfemq.exe Icmlnmgb.exe File created C:\Windows\SysWOW64\Iiicjf32.dll Ikhqbo32.exe File opened for modification C:\Windows\SysWOW64\Emceag32.exe Egimdmmc.exe File created C:\Windows\SysWOW64\Feccqime.exe Fdbgia32.exe File created C:\Windows\SysWOW64\Anngkg32.exe Adfbbabc.exe File created C:\Windows\SysWOW64\Dhdddnep.exe Dajlhc32.exe File created C:\Windows\SysWOW64\Bpfioeef.dll Ehbcnajn.exe File opened for modification C:\Windows\SysWOW64\Kaieai32.exe Kiamql32.exe File created C:\Windows\SysWOW64\Jfpndkel.exe Jbdadl32.exe File created C:\Windows\SysWOW64\Ogiegc32.exe Oqomkimg.exe File opened for modification C:\Windows\SysWOW64\Opkpme32.exe Oiahpkdj.exe File created C:\Windows\SysWOW64\Pihnqj32.exe Pfjbdn32.exe File created C:\Windows\SysWOW64\Oidqcdjh.dll Kheaoj32.exe File opened for modification C:\Windows\SysWOW64\Kabobo32.exe Kkigfdjo.exe File opened for modification C:\Windows\SysWOW64\Bqciha32.exe Bkgqpjch.exe File created C:\Windows\SysWOW64\Fondonbc.exe Fhdlbd32.exe File created C:\Windows\SysWOW64\Ojakdd32.exe Oaiglnih.exe File opened for modification C:\Windows\SysWOW64\Dmgokcja.exe Djibogkn.exe File created C:\Windows\SysWOW64\Emqaaabg.exe Effidg32.exe File created C:\Windows\SysWOW64\Kafopn32.dll Eelfedpa.exe File opened for modification C:\Windows\SysWOW64\Dajlhc32.exe Djqcki32.exe File created C:\Windows\SysWOW64\Epjdbn32.exe Eiplecnc.exe File created C:\Windows\SysWOW64\Cmeimblp.dll Kpcbhlki.exe File created C:\Windows\SysWOW64\Mcllmmbh.dll Dajlhc32.exe File created C:\Windows\SysWOW64\Jemkai32.exe Jbjejojn.exe File created C:\Windows\SysWOW64\Pffjpg32.dll Ahlnmjkf.exe File opened for modification C:\Windows\SysWOW64\Fhcehngk.exe Feeilbhg.exe File created C:\Windows\SysWOW64\Fagnmkjm.exe Fadagl32.exe File opened for modification C:\Windows\SysWOW64\Lpmeojbo.exe Ljbmbpkb.exe File created C:\Windows\SysWOW64\Eehqme32.exe Ekblplgo.exe File created C:\Windows\SysWOW64\Imaglc32.exe Ifgooikk.exe File created C:\Windows\SysWOW64\Oemmad32.dll Opkpme32.exe File created C:\Windows\SysWOW64\Pciiccbm.exe Pmoqfi32.exe File created C:\Windows\SysWOW64\Fdbgia32.exe Fimclh32.exe File opened for modification C:\Windows\SysWOW64\Iganmp32.exe Ibeeeijg.exe File created C:\Windows\SysWOW64\Jlkigbef.exe Jfnaok32.exe File opened for modification C:\Windows\SysWOW64\Oiqegb32.exe Mdahnmck.exe File created C:\Windows\SysWOW64\Nqkgbkdj.exe Nffcebdd.exe File opened for modification C:\Windows\SysWOW64\Keekeg32.exe Knkbimbg.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 5784 5876 WerFault.exe 530 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Conpdm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cgkanomj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mccaodgj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fokaoh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jlkigbef.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kaillp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mkconepp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bhjngnod.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gcocnk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gcifdj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eiimci32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Emceag32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ggkoojip.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ckdpinhf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kpkocpjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kidjfl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ndbjgjqh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pdllci32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pdnihiad.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dmcibdad.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ekgfkl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gcdmikma.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Plljbkml.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bgfdjfkh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cnjbfhqa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Feccqime.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dbidof32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lfingaaf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ephhmn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Klapha32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ogkbmcba.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pbcooo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bqciha32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Laknfmgd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oakcan32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hnimeg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Khhndi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lkoidcaj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hgpeimhf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lpbhmiji.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nkbdbbop.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gnjhaj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pjfdpckc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ankckagj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fkmhij32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Klmfmacc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gohnpcmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kkigfdjo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jplinckj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gjpakdbl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ppbfmdfo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gdpfbd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Obopobhe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Phckglbq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jhfepfme.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ldchdjom.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dbneekan.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cejhld32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qoopie32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Opkpme32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kopldl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nidhfgpl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jdhlih32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Edidcb32.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fpcghl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bjpaic32.dll" Ggkoojip.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nbegonmd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lfedlb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lddagi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cgjbbnaj.dll" Dfnjqifb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Keodflee.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lkaccp32.dll" Haggijgb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qpocno32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ahlnmjkf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gcifdj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ogkbmcba.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fimclh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mlnhkclm.dll" Gnhkkjbf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bhoqqojp.dll" Lpbhmiji.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gllabp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hgbanlfc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pligbekc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gghloe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gcflig32.dll" Bdklnq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Foqadnpq.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kiamql32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Klnleckl.dll" Acfonhgd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Efdmohmm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gmgenh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bokcom32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mjofanld.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ndfppije.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Alknnodh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dbqajk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pfaopc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hjkdoh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hbblpf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nidhfgpl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hmnhnk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cgkanomj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hblhqf32.dll" Kiamql32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hnljkf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gjkfglom.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hmdnme32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Omhjejai.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Egimdmmc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dbkaee32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jmqckf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Knkbimbg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Phelnhnb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbdlphnb.dll" Dpmeij32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipgnbg32.dll" Cngfqi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fdbgia32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ldcenn32.dll" Mdigakic.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hnimeg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pcojjn32.dll" Fadagl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Indagi32.dll" Ilceog32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qkpnph32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dmffhd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pljnmkoo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dbidof32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdgphqgg.dll" Dhmchljg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlcffk32.dll" Gpccgppq.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fgcgebhd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lngpac32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hdapggln.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ahgdbk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fgcgebhd.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3060 wrote to memory of 2984 3060 3dc09ca4633a193b2cf059506e106bdbeadc6620c386867b3df916d5cbd8ebbf.exe 29 PID 3060 wrote to memory of 2984 3060 3dc09ca4633a193b2cf059506e106bdbeadc6620c386867b3df916d5cbd8ebbf.exe 29 PID 3060 wrote to memory of 2984 3060 3dc09ca4633a193b2cf059506e106bdbeadc6620c386867b3df916d5cbd8ebbf.exe 29 PID 3060 wrote to memory of 2984 3060 3dc09ca4633a193b2cf059506e106bdbeadc6620c386867b3df916d5cbd8ebbf.exe 29 PID 2984 wrote to memory of 2756 2984 Eocieq32.exe 30 PID 2984 wrote to memory of 2756 2984 Eocieq32.exe 30 PID 2984 wrote to memory of 2756 2984 Eocieq32.exe 30 PID 2984 wrote to memory of 2756 2984 Eocieq32.exe 30 PID 2756 wrote to memory of 2996 2756 Eiimci32.exe 31 PID 2756 wrote to memory of 2996 2756 Eiimci32.exe 31 PID 2756 wrote to memory of 2996 2756 Eiimci32.exe 31 PID 2756 wrote to memory of 2996 2756 Eiimci32.exe 31 PID 2996 wrote to memory of 2812 2996 Elgioe32.exe 32 PID 2996 wrote to memory of 2812 2996 Elgioe32.exe 32 PID 2996 wrote to memory of 2812 2996 Elgioe32.exe 32 PID 2996 wrote to memory of 2812 2996 Elgioe32.exe 32 PID 2812 wrote to memory of 2824 2812 Fadagl32.exe 33 PID 2812 wrote to memory of 2824 2812 Fadagl32.exe 33 PID 2812 wrote to memory of 2824 2812 Fadagl32.exe 33 PID 2812 wrote to memory of 2824 2812 Fadagl32.exe 33 PID 2824 wrote to memory of 2724 2824 Fagnmkjm.exe 34 PID 2824 wrote to memory of 2724 2824 Fagnmkjm.exe 34 PID 2824 wrote to memory of 2724 2824 Fagnmkjm.exe 34 PID 2824 wrote to memory of 2724 2824 Fagnmkjm.exe 34 PID 2724 wrote to memory of 1584 2724 Fgcgebhd.exe 35 PID 2724 wrote to memory of 1584 2724 Fgcgebhd.exe 35 PID 2724 wrote to memory of 1584 2724 Fgcgebhd.exe 35 PID 2724 wrote to memory of 1584 2724 Fgcgebhd.exe 35 PID 1584 wrote to memory of 1152 1584 Fdggofgn.exe 36 PID 1584 wrote to memory of 1152 1584 Fdggofgn.exe 36 PID 1584 wrote to memory of 1152 1584 Fdggofgn.exe 36 PID 1584 wrote to memory of 1152 1584 Fdggofgn.exe 36 PID 1152 wrote to memory of 1292 1152 Fakhhk32.exe 37 PID 1152 wrote to memory of 1292 1152 Fakhhk32.exe 37 PID 1152 wrote to memory of 1292 1152 Fakhhk32.exe 37 PID 1152 wrote to memory of 1292 1152 Fakhhk32.exe 37 PID 1292 wrote to memory of 1744 1292 Fnbhmlkk.exe 38 PID 1292 wrote to memory of 1744 1292 Fnbhmlkk.exe 38 PID 1292 wrote to memory of 1744 1292 Fnbhmlkk.exe 38 PID 1292 wrote to memory of 1744 1292 Fnbhmlkk.exe 38 PID 1744 wrote to memory of 1572 1744 Gfmmanif.exe 39 PID 1744 wrote to memory of 1572 1744 Gfmmanif.exe 39 PID 1744 wrote to memory of 1572 1744 Gfmmanif.exe 39 PID 1744 wrote to memory of 1572 1744 Gfmmanif.exe 39 PID 1572 wrote to memory of 1436 1572 Gmgenh32.exe 40 PID 1572 wrote to memory of 1436 1572 Gmgenh32.exe 40 PID 1572 wrote to memory of 1436 1572 Gmgenh32.exe 40 PID 1572 wrote to memory of 1436 1572 Gmgenh32.exe 40 PID 1436 wrote to memory of 1760 1436 Gjkfglom.exe 41 PID 1436 wrote to memory of 1760 1436 Gjkfglom.exe 41 PID 1436 wrote to memory of 1760 1436 Gjkfglom.exe 41 PID 1436 wrote to memory of 1760 1436 Gjkfglom.exe 41 PID 1760 wrote to memory of 2616 1760 Gohnpcmd.exe 42 PID 1760 wrote to memory of 2616 1760 Gohnpcmd.exe 42 PID 1760 wrote to memory of 2616 1760 Gohnpcmd.exe 42 PID 1760 wrote to memory of 2616 1760 Gohnpcmd.exe 42 PID 2616 wrote to memory of 1732 2616 Gojkecka.exe 43 PID 2616 wrote to memory of 1732 2616 Gojkecka.exe 43 PID 2616 wrote to memory of 1732 2616 Gojkecka.exe 43 PID 2616 wrote to memory of 1732 2616 Gojkecka.exe 43 PID 1732 wrote to memory of 2280 1732 Gdgcnj32.exe 44 PID 1732 wrote to memory of 2280 1732 Gdgcnj32.exe 44 PID 1732 wrote to memory of 2280 1732 Gdgcnj32.exe 44 PID 1732 wrote to memory of 2280 1732 Gdgcnj32.exe 44
Processes
-
C:\Users\Admin\AppData\Local\Temp\3dc09ca4633a193b2cf059506e106bdbeadc6620c386867b3df916d5cbd8ebbf.exe"C:\Users\Admin\AppData\Local\Temp\3dc09ca4633a193b2cf059506e106bdbeadc6620c386867b3df916d5cbd8ebbf.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3060 -
C:\Windows\SysWOW64\Eocieq32.exeC:\Windows\system32\Eocieq32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2984 -
C:\Windows\SysWOW64\Eiimci32.exeC:\Windows\system32\Eiimci32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2756 -
C:\Windows\SysWOW64\Elgioe32.exeC:\Windows\system32\Elgioe32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2996 -
C:\Windows\SysWOW64\Fadagl32.exeC:\Windows\system32\Fadagl32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2812 -
C:\Windows\SysWOW64\Fagnmkjm.exeC:\Windows\system32\Fagnmkjm.exe6⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2824 -
C:\Windows\SysWOW64\Fgcgebhd.exeC:\Windows\system32\Fgcgebhd.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2724 -
C:\Windows\SysWOW64\Fdggofgn.exeC:\Windows\system32\Fdggofgn.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1584 -
C:\Windows\SysWOW64\Fakhhk32.exeC:\Windows\system32\Fakhhk32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1152 -
C:\Windows\SysWOW64\Fnbhmlkk.exeC:\Windows\system32\Fnbhmlkk.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1292 -
C:\Windows\SysWOW64\Gfmmanif.exeC:\Windows\system32\Gfmmanif.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1744 -
C:\Windows\SysWOW64\Gmgenh32.exeC:\Windows\system32\Gmgenh32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1572 -
C:\Windows\SysWOW64\Gjkfglom.exeC:\Windows\system32\Gjkfglom.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1436 -
C:\Windows\SysWOW64\Gohnpcmd.exeC:\Windows\system32\Gohnpcmd.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1760 -
C:\Windows\SysWOW64\Gojkecka.exeC:\Windows\system32\Gojkecka.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2616 -
C:\Windows\SysWOW64\Gdgcnj32.exeC:\Windows\system32\Gdgcnj32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1732 -
C:\Windows\SysWOW64\Gghloe32.exeC:\Windows\system32\Gghloe32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:2280 -
C:\Windows\SysWOW64\Higiih32.exeC:\Windows\system32\Higiih32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1476 -
C:\Windows\SysWOW64\Hgmfjdbe.exeC:\Windows\system32\Hgmfjdbe.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1444 -
C:\Windows\SysWOW64\Haejcj32.exeC:\Windows\system32\Haejcj32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2228 -
C:\Windows\SysWOW64\Hjmolp32.exeC:\Windows\system32\Hjmolp32.exe21⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:832 -
C:\Windows\SysWOW64\Haggijgb.exeC:\Windows\system32\Haggijgb.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2388 -
C:\Windows\SysWOW64\Hmnhnk32.exeC:\Windows\system32\Hmnhnk32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2104 -
C:\Windows\SysWOW64\Hbkpfa32.exeC:\Windows\system32\Hbkpfa32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1612 -
C:\Windows\SysWOW64\Ilceog32.exeC:\Windows\system32\Ilceog32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2808 -
C:\Windows\SysWOW64\Ibmmkaik.exeC:\Windows\system32\Ibmmkaik.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2992 -
C:\Windows\SysWOW64\Ibpjaagi.exeC:\Windows\system32\Ibpjaagi.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2916 -
C:\Windows\SysWOW64\Ibbffq32.exeC:\Windows\system32\Ibbffq32.exe28⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2704 -
C:\Windows\SysWOW64\Ijmkkc32.exeC:\Windows\system32\Ijmkkc32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2672 -
C:\Windows\SysWOW64\Iecohl32.exeC:\Windows\system32\Iecohl32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1076 -
C:\Windows\SysWOW64\Ijphqbpo.exeC:\Windows\system32\Ijphqbpo.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2184 -
C:\Windows\SysWOW64\Jdhlih32.exeC:\Windows\system32\Jdhlih32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:600 -
C:\Windows\SysWOW64\Jmpqbnmp.exeC:\Windows\system32\Jmpqbnmp.exe33⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:884 -
C:\Windows\SysWOW64\Jhfepfme.exeC:\Windows\system32\Jhfepfme.exe34⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2036 -
C:\Windows\SysWOW64\Jpajdi32.exeC:\Windows\system32\Jpajdi32.exe35⤵
- Executes dropped EXE
PID:664 -
C:\Windows\SysWOW64\Jfkbqcam.exeC:\Windows\system32\Jfkbqcam.exe36⤵
- Executes dropped EXE
PID:1652 -
C:\Windows\SysWOW64\Jpcfih32.exeC:\Windows\system32\Jpcfih32.exe37⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2336 -
C:\Windows\SysWOW64\Jljgni32.exeC:\Windows\system32\Jljgni32.exe38⤵
- Executes dropped EXE
PID:1016 -
C:\Windows\SysWOW64\Jgpklb32.exeC:\Windows\system32\Jgpklb32.exe39⤵
- Executes dropped EXE
PID:2056 -
C:\Windows\SysWOW64\Jinghn32.exeC:\Windows\system32\Jinghn32.exe40⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2176 -
C:\Windows\SysWOW64\Jlmddi32.exeC:\Windows\system32\Jlmddi32.exe41⤵
- Executes dropped EXE
PID:2496 -
C:\Windows\SysWOW64\Kokppd32.exeC:\Windows\system32\Kokppd32.exe42⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1116 -
C:\Windows\SysWOW64\Kaillp32.exeC:\Windows\system32\Kaillp32.exe43⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:628 -
C:\Windows\SysWOW64\Khcdijac.exeC:\Windows\system32\Khcdijac.exe44⤵
- Executes dropped EXE
PID:1984 -
C:\Windows\SysWOW64\Kciifc32.exeC:\Windows\system32\Kciifc32.exe45⤵
- Executes dropped EXE
PID:1100 -
C:\Windows\SysWOW64\Kheaoj32.exeC:\Windows\system32\Kheaoj32.exe46⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1088 -
C:\Windows\SysWOW64\Kanfgofa.exeC:\Windows\system32\Kanfgofa.exe47⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2368 -
C:\Windows\SysWOW64\Khhndi32.exeC:\Windows\system32\Khhndi32.exe48⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1604 -
C:\Windows\SysWOW64\Kkfjpemb.exeC:\Windows\system32\Kkfjpemb.exe49⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2760 -
C:\Windows\SysWOW64\Kpcbhlki.exeC:\Windows\system32\Kpcbhlki.exe50⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2928 -
C:\Windows\SysWOW64\Kkigfdjo.exeC:\Windows\system32\Kkigfdjo.exe51⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2788 -
C:\Windows\SysWOW64\Kabobo32.exeC:\Windows\system32\Kabobo32.exe52⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2892 -
C:\Windows\SysWOW64\Kcdljghj.exeC:\Windows\system32\Kcdljghj.exe53⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2172 -
C:\Windows\SysWOW64\Lnipgp32.exeC:\Windows\system32\Lnipgp32.exe54⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2696 -
C:\Windows\SysWOW64\Ldchdjom.exeC:\Windows\system32\Ldchdjom.exe55⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:284 -
C:\Windows\SysWOW64\Lfedlb32.exeC:\Windows\system32\Lfedlb32.exe56⤵
- Executes dropped EXE
- Modifies registry class
PID:2700 -
C:\Windows\SysWOW64\Lomidgkl.exeC:\Windows\system32\Lomidgkl.exe57⤵
- Executes dropped EXE
PID:2424 -
C:\Windows\SysWOW64\Ljbmbpkb.exeC:\Windows\system32\Ljbmbpkb.exe58⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2232 -
C:\Windows\SysWOW64\Lpmeojbo.exeC:\Windows\system32\Lpmeojbo.exe59⤵
- Executes dropped EXE
PID:1460 -
C:\Windows\SysWOW64\Lfingaaf.exeC:\Windows\system32\Lfingaaf.exe60⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1256 -
C:\Windows\SysWOW64\Lkffohon.exeC:\Windows\system32\Lkffohon.exe61⤵
- Executes dropped EXE
PID:2348 -
C:\Windows\SysWOW64\Lbpolb32.exeC:\Windows\system32\Lbpolb32.exe62⤵
- Executes dropped EXE
PID:3012 -
C:\Windows\SysWOW64\Llfcik32.exeC:\Windows\system32\Llfcik32.exe63⤵
- Executes dropped EXE
PID:1956 -
C:\Windows\SysWOW64\Lngpac32.exeC:\Windows\system32\Lngpac32.exe64⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:2188 -
C:\Windows\SysWOW64\Mdahnmck.exeC:\Windows\system32\Mdahnmck.exe65⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2524 -
C:\Windows\SysWOW64\Oiqegb32.exeC:\Windows\system32\Oiqegb32.exe66⤵PID:3020
-
C:\Windows\SysWOW64\Ppmkilbp.exeC:\Windows\system32\Ppmkilbp.exe67⤵PID:1464
-
C:\Windows\SysWOW64\Pbppqf32.exeC:\Windows\system32\Pbppqf32.exe68⤵PID:1624
-
C:\Windows\SysWOW64\Paemac32.exeC:\Windows\system32\Paemac32.exe69⤵PID:2656
-
C:\Windows\SysWOW64\Phoeomjc.exeC:\Windows\system32\Phoeomjc.exe70⤵PID:2980
-
C:\Windows\SysWOW64\Pknakhig.exeC:\Windows\system32\Pknakhig.exe71⤵
- Drops file in System32 directory
PID:2692 -
C:\Windows\SysWOW64\Ppjjcogn.exeC:\Windows\system32\Ppjjcogn.exe72⤵PID:2852
-
C:\Windows\SysWOW64\Qkpnph32.exeC:\Windows\system32\Qkpnph32.exe73⤵
- Modifies registry class
PID:2644 -
C:\Windows\SysWOW64\Qdhcinme.exeC:\Windows\system32\Qdhcinme.exe74⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2764 -
C:\Windows\SysWOW64\Qggoeilh.exeC:\Windows\system32\Qggoeilh.exe75⤵PID:2780
-
C:\Windows\SysWOW64\Qpocno32.exeC:\Windows\system32\Qpocno32.exe76⤵
- Drops file in System32 directory
- Modifies registry class
PID:1260 -
C:\Windows\SysWOW64\Aellfe32.exeC:\Windows\system32\Aellfe32.exe77⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2828 -
C:\Windows\SysWOW64\Apapcnaf.exeC:\Windows\system32\Apapcnaf.exe78⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2740 -
C:\Windows\SysWOW64\Aenileon.exeC:\Windows\system32\Aenileon.exe79⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2244 -
C:\Windows\SysWOW64\Ahmehqna.exeC:\Windows\system32\Ahmehqna.exe80⤵PID:1944
-
C:\Windows\SysWOW64\Aogmdk32.exeC:\Windows\system32\Aogmdk32.exe81⤵PID:1940
-
C:\Windows\SysWOW64\Aaeiqf32.exeC:\Windows\system32\Aaeiqf32.exe82⤵PID:1496
-
C:\Windows\SysWOW64\Alknnodh.exeC:\Windows\system32\Alknnodh.exe83⤵
- Modifies registry class
PID:1140 -
C:\Windows\SysWOW64\Aoijjjcl.exeC:\Windows\system32\Aoijjjcl.exe84⤵PID:2256
-
C:\Windows\SysWOW64\Aagfffbo.exeC:\Windows\system32\Aagfffbo.exe85⤵PID:2416
-
C:\Windows\SysWOW64\Adfbbabc.exeC:\Windows\system32\Adfbbabc.exe86⤵
- Drops file in System32 directory
PID:2836 -
C:\Windows\SysWOW64\Anngkg32.exeC:\Windows\system32\Anngkg32.exe87⤵PID:2224
-
C:\Windows\SysWOW64\Aggkdlod.exeC:\Windows\system32\Aggkdlod.exe88⤵PID:1608
-
C:\Windows\SysWOW64\Bnqcaffa.exeC:\Windows\system32\Bnqcaffa.exe89⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1728 -
C:\Windows\SysWOW64\Bdklnq32.exeC:\Windows\system32\Bdklnq32.exe90⤵
- Modifies registry class
PID:1928 -
C:\Windows\SysWOW64\Bgihjl32.exeC:\Windows\system32\Bgihjl32.exe91⤵PID:2628
-
C:\Windows\SysWOW64\Bncpffdn.exeC:\Windows\system32\Bncpffdn.exe92⤵PID:2512
-
C:\Windows\SysWOW64\Bcpiombe.exeC:\Windows\system32\Bcpiombe.exe93⤵PID:2484
-
C:\Windows\SysWOW64\Bkgqpjch.exeC:\Windows\system32\Bkgqpjch.exe94⤵
- Drops file in System32 directory
PID:556 -
C:\Windows\SysWOW64\Bqciha32.exeC:\Windows\system32\Bqciha32.exe95⤵
- System Location Discovery: System Language Discovery
PID:2320 -
C:\Windows\SysWOW64\Bcbedm32.exeC:\Windows\system32\Bcbedm32.exe96⤵PID:1592
-
C:\Windows\SysWOW64\Bnhjae32.exeC:\Windows\system32\Bnhjae32.exe97⤵
- Drops file in System32 directory
PID:2324 -
C:\Windows\SysWOW64\Bcdbjl32.exeC:\Windows\system32\Bcdbjl32.exe98⤵PID:2120
-
C:\Windows\SysWOW64\Bjnjfffm.exeC:\Windows\system32\Bjnjfffm.exe99⤵PID:928
-
C:\Windows\SysWOW64\Bmmgbbeq.exeC:\Windows\system32\Bmmgbbeq.exe100⤵PID:1092
-
C:\Windows\SysWOW64\Bokcom32.exeC:\Windows\system32\Bokcom32.exe101⤵
- Modifies registry class
PID:768 -
C:\Windows\SysWOW64\Cjqglf32.exeC:\Windows\system32\Cjqglf32.exe102⤵PID:2052
-
C:\Windows\SysWOW64\Conpdm32.exeC:\Windows\system32\Conpdm32.exe103⤵
- System Location Discovery: System Language Discovery
PID:2924 -
C:\Windows\SysWOW64\Cejhld32.exeC:\Windows\system32\Cejhld32.exe104⤵
- System Location Discovery: System Language Discovery
PID:1672 -
C:\Windows\SysWOW64\Ckdpinhf.exeC:\Windows\system32\Ckdpinhf.exe105⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:2468 -
C:\Windows\SysWOW64\Cbnhfhoc.exeC:\Windows\system32\Cbnhfhoc.exe106⤵PID:2492
-
C:\Windows\SysWOW64\Cgkanomj.exeC:\Windows\system32\Cgkanomj.exe107⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:3024 -
C:\Windows\SysWOW64\Cpbiolnl.exeC:\Windows\system32\Cpbiolnl.exe108⤵PID:2884
-
C:\Windows\SysWOW64\Ceoagcld.exeC:\Windows\system32\Ceoagcld.exe109⤵PID:2376
-
C:\Windows\SysWOW64\Ckijdm32.exeC:\Windows\system32\Ckijdm32.exe110⤵PID:1648
-
C:\Windows\SysWOW64\Cngfqi32.exeC:\Windows\system32\Cngfqi32.exe111⤵
- Modifies registry class
PID:3064 -
C:\Windows\SysWOW64\Cgpjin32.exeC:\Windows\system32\Cgpjin32.exe112⤵PID:2880
-
C:\Windows\SysWOW64\Cnjbfhqa.exeC:\Windows\system32\Cnjbfhqa.exe113⤵
- System Location Discovery: System Language Discovery
PID:948 -
C:\Windows\SysWOW64\Dedkbb32.exeC:\Windows\system32\Dedkbb32.exe114⤵PID:2688
-
C:\Windows\SysWOW64\Djqcki32.exeC:\Windows\system32\Djqcki32.exe115⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2728 -
C:\Windows\SysWOW64\Dajlhc32.exeC:\Windows\system32\Dajlhc32.exe116⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:1632 -
C:\Windows\SysWOW64\Dhdddnep.exeC:\Windows\system32\Dhdddnep.exe117⤵PID:1828
-
C:\Windows\SysWOW64\Dmalmdcg.exeC:\Windows\system32\Dmalmdcg.exe118⤵PID:1964
-
C:\Windows\SysWOW64\Dbneekan.exeC:\Windows\system32\Dbneekan.exe119⤵
- System Location Discovery: System Language Discovery
PID:968 -
C:\Windows\SysWOW64\Dmcibdad.exeC:\Windows\system32\Dmcibdad.exe120⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:2064 -
C:\Windows\SysWOW64\Dbqajk32.exeC:\Windows\system32\Dbqajk32.exe121⤵
- Modifies registry class
PID:1020
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-