Analysis
-
max time kernel
122s -
max time network
123s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
05-10-2024 17:11
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
0ed511528106af840d37947ac7c0ebc711c630cf45bc0276bf6c3b3ff09c4849N.exe
Resource
win7-20240903-en
windows7-x64
8 signatures
150 seconds
Behavioral task
behavioral2
Sample
0ed511528106af840d37947ac7c0ebc711c630cf45bc0276bf6c3b3ff09c4849N.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
7 signatures
150 seconds
General
-
Target
0ed511528106af840d37947ac7c0ebc711c630cf45bc0276bf6c3b3ff09c4849N.exe
-
Size
73KB
-
MD5
f4518e9dcdad2cbb999d925881cabb10
-
SHA1
ae4f20d1bd497701835e8c14913307820e70e207
-
SHA256
0ed511528106af840d37947ac7c0ebc711c630cf45bc0276bf6c3b3ff09c4849
-
SHA512
f8a82ef7f4ec21840d5eba606240aaddd03e32d50e9cb39914fba89557371ce96ef414b1f95035460bb43411ee64791cdbf3c19c8a1062cf9c2104686e4e5916
-
SSDEEP
768:Nf2PliFRczu5aGizYRMKsWUj6wARHYRknpXF6BEH9WdI3/1H5fgB8W44jzo1MkEK:tj5PrMKsPLAR4REpXEd4y5YMkhohBM
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ahebaiac.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hfhcoj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iahkpg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qnghel32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cmedlk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cfmhdpnc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hidcef32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iihiphln.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pkcbnanl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gmpcgace.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jmhnkfpa.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lnjcomcf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bniajoic.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bdcifi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" 0ed511528106af840d37947ac7c0ebc711c630cf45bc0276bf6c3b3ff09c4849N.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fqfemqod.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qeppdo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bceibfgj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hjlioj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oabkom32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Neknki32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fgldnkkf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jbqmhnbo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Koaqcn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Knfndjdp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kdbbgdjj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mjaddn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nnoiio32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pmmeon32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ooabmbbe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cfkloq32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gmpcgace.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Loefnpnn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Odchbe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pdgmlhha.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qpbglhjq.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hcldhnkk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jikeeh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lldmleam.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mgedmb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ojomdoof.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pkoicb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bjpaop32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Calcpm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fkecij32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mqklqhpg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Llgjaeoj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mmicfh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nbhhdnlh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Agolnbok.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jpdnbbah.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Offmipej.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jgabdlfb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kglehp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mkqqnq32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ajpepm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Afffenbp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ahgofi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cfmhdpnc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gqahqd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hidcef32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iihiphln.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mdghaf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nmfbpk32.exe -
Executes dropped EXE 64 IoCs
pid Process 3048 Fgigil32.exe 2704 Fkecij32.exe 1668 Fdmhbplb.exe 2724 Fgldnkkf.exe 2924 Fnflke32.exe 1900 Fogibnha.exe 1884 Fgnadkic.exe 2472 Fqfemqod.exe 1476 Gbhbdi32.exe 1964 Gfcnegnk.exe 1816 Gmmfaa32.exe 1612 Gdhkfd32.exe 2708 Gmpcgace.exe 2968 Gblkoham.exe 2220 Gifclb32.exe 2716 Gqahqd32.exe 2196 Ggkqmoma.exe 1276 Gbadjg32.exe 2468 Gcbabpcf.exe 2504 Hjlioj32.exe 912 Hqfaldbo.exe 2284 Hjofdi32.exe 1756 Hmmbqegc.exe 848 Hcgjmo32.exe 2212 Hidcef32.exe 1596 Hakkgc32.exe 2900 Hfhcoj32.exe 2864 Hcldhnkk.exe 2872 Hboddk32.exe 2952 Hihlqeib.exe 2740 Hmdhad32.exe 672 Ihniaa32.exe 1632 Iliebpfc.exe 1580 Ibcnojnp.exe 980 Ieajkfmd.exe 1512 Ibejdjln.exe 292 Iahkpg32.exe 2984 Iakgefqe.exe 2092 Idicbbpi.exe 2120 Ihdpbq32.exe 2180 Ijclol32.exe 952 Ihglhp32.exe 2576 Ijehdl32.exe 348 Iihiphln.exe 812 Jmdepg32.exe 1556 Jpbalb32.exe 772 Jbqmhnbo.exe 552 Jfliim32.exe 328 Jikeeh32.exe 1508 Jmfafgbd.exe 3000 Jpdnbbah.exe 2904 Jdpjba32.exe 2648 Jfofol32.exe 2624 Jmhnkfpa.exe 2164 Jpgjgboe.exe 2156 Jojkco32.exe 2152 Jgabdlfb.exe 1720 Jioopgef.exe 3060 Jhbold32.exe 584 Jpigma32.exe 2660 Jbhcim32.exe 1156 Jajcdjca.exe 1208 Jialfgcc.exe 2308 Jhdlad32.exe -
Loads dropped DLL 64 IoCs
pid Process 2072 0ed511528106af840d37947ac7c0ebc711c630cf45bc0276bf6c3b3ff09c4849N.exe 2072 0ed511528106af840d37947ac7c0ebc711c630cf45bc0276bf6c3b3ff09c4849N.exe 3048 Fgigil32.exe 3048 Fgigil32.exe 2704 Fkecij32.exe 2704 Fkecij32.exe 1668 Fdmhbplb.exe 1668 Fdmhbplb.exe 2724 Fgldnkkf.exe 2724 Fgldnkkf.exe 2924 Fnflke32.exe 2924 Fnflke32.exe 1900 Fogibnha.exe 1900 Fogibnha.exe 1884 Fgnadkic.exe 1884 Fgnadkic.exe 2472 Fqfemqod.exe 2472 Fqfemqod.exe 1476 Gbhbdi32.exe 1476 Gbhbdi32.exe 1964 Gfcnegnk.exe 1964 Gfcnegnk.exe 1816 Gmmfaa32.exe 1816 Gmmfaa32.exe 1612 Gdhkfd32.exe 1612 Gdhkfd32.exe 2708 Gmpcgace.exe 2708 Gmpcgace.exe 2968 Gblkoham.exe 2968 Gblkoham.exe 2220 Gifclb32.exe 2220 Gifclb32.exe 2716 Gqahqd32.exe 2716 Gqahqd32.exe 2196 Ggkqmoma.exe 2196 Ggkqmoma.exe 1276 Gbadjg32.exe 1276 Gbadjg32.exe 2468 Gcbabpcf.exe 2468 Gcbabpcf.exe 2504 Hjlioj32.exe 2504 Hjlioj32.exe 912 Hqfaldbo.exe 912 Hqfaldbo.exe 2284 Hjofdi32.exe 2284 Hjofdi32.exe 1756 Hmmbqegc.exe 1756 Hmmbqegc.exe 848 Hcgjmo32.exe 848 Hcgjmo32.exe 2212 Hidcef32.exe 2212 Hidcef32.exe 1596 Hakkgc32.exe 1596 Hakkgc32.exe 2900 Hfhcoj32.exe 2900 Hfhcoj32.exe 2864 Hcldhnkk.exe 2864 Hcldhnkk.exe 2872 Hboddk32.exe 2872 Hboddk32.exe 2952 Hihlqeib.exe 2952 Hihlqeib.exe 2740 Hmdhad32.exe 2740 Hmdhad32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Apgagg32.exe Allefimb.exe File opened for modification C:\Windows\SysWOW64\Pbagipfi.exe Pofkha32.exe File opened for modification C:\Windows\SysWOW64\Bmnnkl32.exe Bjpaop32.exe File created C:\Windows\SysWOW64\Coglpp32.dll Gbadjg32.exe File opened for modification C:\Windows\SysWOW64\Kdbbgdjj.exe Kadfkhkf.exe File created C:\Windows\SysWOW64\Phkckneq.dll Mgedmb32.exe File created C:\Windows\SysWOW64\Pebpkk32.exe Pmkhjncg.exe File created C:\Windows\SysWOW64\Aohdmdoh.exe Apedah32.exe File opened for modification C:\Windows\SysWOW64\Jdpjba32.exe Jpdnbbah.exe File created C:\Windows\SysWOW64\Hjofdi32.exe Hqfaldbo.exe File created C:\Windows\SysWOW64\Aebmjo32.dll Hidcef32.exe File created C:\Windows\SysWOW64\Neghkn32.dll Jialfgcc.exe File created C:\Windows\SysWOW64\Kgqocoin.exe Kdbbgdjj.exe File opened for modification C:\Windows\SysWOW64\Kklkcn32.exe Kgqocoin.exe File created C:\Windows\SysWOW64\Ikgeel32.dll Mikjpiim.exe File created C:\Windows\SysWOW64\Khdecggq.dll Nenkqi32.exe File created C:\Windows\SysWOW64\Lbnooiab.dll Hjlioj32.exe File opened for modification C:\Windows\SysWOW64\Qjklenpa.exe Qeppdo32.exe File created C:\Windows\SysWOW64\Pkdhln32.dll Aakjdo32.exe File created C:\Windows\SysWOW64\Alqnah32.exe Ahebaiac.exe File created C:\Windows\SysWOW64\Pdgmlhha.exe Pplaki32.exe File created C:\Windows\SysWOW64\Hhdkmd32.dll Knmdeioh.exe File created C:\Windows\SysWOW64\Bkhhhd32.exe Bgllgedi.exe File created C:\Windows\SysWOW64\Boogmgkl.exe Bmpkqklh.exe File opened for modification C:\Windows\SysWOW64\Ckmnbg32.exe Cgaaah32.exe File created C:\Windows\SysWOW64\Cchbgi32.exe Ceebklai.exe File created C:\Windows\SysWOW64\Pacnfacn.dll Ihglhp32.exe File created C:\Windows\SysWOW64\Qnghel32.exe Qjklenpa.exe File created C:\Windows\SysWOW64\Afffenbp.exe Aakjdo32.exe File created C:\Windows\SysWOW64\Kkeecogo.exe Klbdgb32.exe File created C:\Windows\SysWOW64\Gcmbji32.dll Hcgjmo32.exe File created C:\Windows\SysWOW64\Jmfafgbd.exe Jikeeh32.exe File created C:\Windows\SysWOW64\Mikjpiim.exe Mfmndn32.exe File created C:\Windows\SysWOW64\Nnmlcp32.exe Nlnpgd32.exe File created C:\Windows\SysWOW64\Kqcjjk32.dll Paknelgk.exe File opened for modification C:\Windows\SysWOW64\Pkcbnanl.exe Pdjjag32.exe File opened for modification C:\Windows\SysWOW64\Ajpepm32.exe Aaimopli.exe File created C:\Windows\SysWOW64\Gbhbdi32.exe Fqfemqod.exe File created C:\Windows\SysWOW64\Jdpkmjnb.dll Bmnnkl32.exe File created C:\Windows\SysWOW64\Nmepgp32.dll Hfhcoj32.exe File created C:\Windows\SysWOW64\Hakapcjd.dll Iakgefqe.exe File created C:\Windows\SysWOW64\Jpdnbbah.exe Jmfafgbd.exe File created C:\Windows\SysWOW64\Mjaddn32.exe Lgchgb32.exe File created C:\Windows\SysWOW64\Eicjoa32.dll Nlnpgd32.exe File created C:\Windows\SysWOW64\Hnoefj32.dll Neknki32.exe File opened for modification C:\Windows\SysWOW64\Odchbe32.exe Omioekbo.exe File created C:\Windows\SysWOW64\Fohlogok.dll Hmmbqegc.exe File created C:\Windows\SysWOW64\Aoagccfn.exe Ahgofi32.exe File created C:\Windows\SysWOW64\Lhknaf32.exe Lfmbek32.exe File created C:\Windows\SysWOW64\Nbflno32.exe Mpgobc32.exe File opened for modification C:\Windows\SysWOW64\Bnfddp32.exe Bkhhhd32.exe File created C:\Windows\SysWOW64\Obahbj32.dll Bdqlajbb.exe File opened for modification C:\Windows\SysWOW64\Dnpciaef.exe Cfhkhd32.exe File created C:\Windows\SysWOW64\Ieajkfmd.exe Ibcnojnp.exe File created C:\Windows\SysWOW64\Cjehmbkc.dll Hcldhnkk.exe File opened for modification C:\Windows\SysWOW64\Ihdpbq32.exe Idicbbpi.exe File created C:\Windows\SysWOW64\Nnafnopi.exe Nlcibc32.exe File opened for modification C:\Windows\SysWOW64\Fogibnha.exe Fnflke32.exe File opened for modification C:\Windows\SysWOW64\Gdhkfd32.exe Gmmfaa32.exe File created C:\Windows\SysWOW64\Nmmnnh32.dll Jmhnkfpa.exe File created C:\Windows\SysWOW64\Lfmbek32.exe Lcofio32.exe File opened for modification C:\Windows\SysWOW64\Lgchgb32.exe Lddlkg32.exe File created C:\Windows\SysWOW64\Hdaehcom.dll Aaimopli.exe File created C:\Windows\SysWOW64\Bjmeiq32.exe Bgoime32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 4024 3856 WerFault.exe 299 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jampjian.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mjfnomde.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mpgobc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pepcelel.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Allefimb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fdmhbplb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hfhcoj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ngealejo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pljlbf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pplaki32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kdbbgdjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mqpflg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nnafnopi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pofkha32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aomnhd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bjdkjpkb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cbdiia32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dmbcen32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jdpjba32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kddomchg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pdjjag32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qnghel32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hidcef32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hakkgc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jmfafgbd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qiioon32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cagienkb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jojkco32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lhknaf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Neknki32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Alnalh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Khkbbc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nnoiio32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bkhhhd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lpnmgdli.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lddlkg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aoojnc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Abmgjo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lonpma32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mnaiol32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cpfmmf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gblkoham.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kgqocoin.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ahebaiac.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jajcdjca.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Odchbe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pidfdofi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cnkjnb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bniajoic.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ijehdl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jgabdlfb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jialfgcc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Afffenbp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fogibnha.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lgehno32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pkaehb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ahgofi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lnjcomcf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bqgmfkhg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fgldnkkf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kaompi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kadfkhkf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lklgbadb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gmmfaa32.exe -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 0ed511528106af840d37947ac7c0ebc711c630cf45bc0276bf6c3b3ff09c4849N.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gbhbdi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qgjccb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lloeec32.dll" Bcjcme32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gdhkfd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Neghkn32.dll" Jialfgcc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ieocod32.dll" Njhfcp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gdgqdaoh.dll" Cfmhdpnc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hboddk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ihniaa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cpehmcmg.dll" Jioopgef.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ompefj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ajmijmnn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aglfmjon.dll" Andgop32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fdmhbplb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hjlioj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ieajkfmd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qchaehnb.dll" Lldmleam.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hqjpab32.dll" Agolnbok.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Adlcfjgh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ckmnbg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jclcfm32.dll" Gblkoham.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Iakgefqe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Icehdl32.dll" Kadfkhkf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nloone32.dll" Calcpm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Coglpp32.dll" Gbadjg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjcgnola.dll" Jgabdlfb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Neknki32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fkfnnoge.dll" Phqmgg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pkoicb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckmcef32.dll" Qlgkki32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ahebaiac.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bjmeiq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lbcbjlmb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nnafnopi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Offmipej.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Alecllfh.dll" Bgcbhd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bfioia32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cepipm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cgfkmgnj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gnpincmg.dll" Ihdpbq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmhflfhh.dll" Kjmnjkjd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bffbdadk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aohdmdoh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aaimopli.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Alqnah32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qcamkjba.dll" Bgllgedi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ihdpbq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lhgccebd.dll" Knfndjdp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qpbglhjq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nhjjgd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihkhkcdl.dll" Bniajoic.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bqgmfkhg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cenljmgq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jfofol32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Knfndjdp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kdpfadlm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Acnenl32.dll" Ceebklai.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ihniaa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bgmdailj.dll" Bgoime32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bjpaop32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pbagipfi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bibjaofg.dll" Pohhna32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kgqocoin.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2072 wrote to memory of 3048 2072 0ed511528106af840d37947ac7c0ebc711c630cf45bc0276bf6c3b3ff09c4849N.exe 30 PID 2072 wrote to memory of 3048 2072 0ed511528106af840d37947ac7c0ebc711c630cf45bc0276bf6c3b3ff09c4849N.exe 30 PID 2072 wrote to memory of 3048 2072 0ed511528106af840d37947ac7c0ebc711c630cf45bc0276bf6c3b3ff09c4849N.exe 30 PID 2072 wrote to memory of 3048 2072 0ed511528106af840d37947ac7c0ebc711c630cf45bc0276bf6c3b3ff09c4849N.exe 30 PID 3048 wrote to memory of 2704 3048 Fgigil32.exe 31 PID 3048 wrote to memory of 2704 3048 Fgigil32.exe 31 PID 3048 wrote to memory of 2704 3048 Fgigil32.exe 31 PID 3048 wrote to memory of 2704 3048 Fgigil32.exe 31 PID 2704 wrote to memory of 1668 2704 Fkecij32.exe 32 PID 2704 wrote to memory of 1668 2704 Fkecij32.exe 32 PID 2704 wrote to memory of 1668 2704 Fkecij32.exe 32 PID 2704 wrote to memory of 1668 2704 Fkecij32.exe 32 PID 1668 wrote to memory of 2724 1668 Fdmhbplb.exe 33 PID 1668 wrote to memory of 2724 1668 Fdmhbplb.exe 33 PID 1668 wrote to memory of 2724 1668 Fdmhbplb.exe 33 PID 1668 wrote to memory of 2724 1668 Fdmhbplb.exe 33 PID 2724 wrote to memory of 2924 2724 Fgldnkkf.exe 34 PID 2724 wrote to memory of 2924 2724 Fgldnkkf.exe 34 PID 2724 wrote to memory of 2924 2724 Fgldnkkf.exe 34 PID 2724 wrote to memory of 2924 2724 Fgldnkkf.exe 34 PID 2924 wrote to memory of 1900 2924 Fnflke32.exe 35 PID 2924 wrote to memory of 1900 2924 Fnflke32.exe 35 PID 2924 wrote to memory of 1900 2924 Fnflke32.exe 35 PID 2924 wrote to memory of 1900 2924 Fnflke32.exe 35 PID 1900 wrote to memory of 1884 1900 Fogibnha.exe 36 PID 1900 wrote to memory of 1884 1900 Fogibnha.exe 36 PID 1900 wrote to memory of 1884 1900 Fogibnha.exe 36 PID 1900 wrote to memory of 1884 1900 Fogibnha.exe 36 PID 1884 wrote to memory of 2472 1884 Fgnadkic.exe 37 PID 1884 wrote to memory of 2472 1884 Fgnadkic.exe 37 PID 1884 wrote to memory of 2472 1884 Fgnadkic.exe 37 PID 1884 wrote to memory of 2472 1884 Fgnadkic.exe 37 PID 2472 wrote to memory of 1476 2472 Fqfemqod.exe 38 PID 2472 wrote to memory of 1476 2472 Fqfemqod.exe 38 PID 2472 wrote to memory of 1476 2472 Fqfemqod.exe 38 PID 2472 wrote to memory of 1476 2472 Fqfemqod.exe 38 PID 1476 wrote to memory of 1964 1476 Gbhbdi32.exe 39 PID 1476 wrote to memory of 1964 1476 Gbhbdi32.exe 39 PID 1476 wrote to memory of 1964 1476 Gbhbdi32.exe 39 PID 1476 wrote to memory of 1964 1476 Gbhbdi32.exe 39 PID 1964 wrote to memory of 1816 1964 Gfcnegnk.exe 40 PID 1964 wrote to memory of 1816 1964 Gfcnegnk.exe 40 PID 1964 wrote to memory of 1816 1964 Gfcnegnk.exe 40 PID 1964 wrote to memory of 1816 1964 Gfcnegnk.exe 40 PID 1816 wrote to memory of 1612 1816 Gmmfaa32.exe 41 PID 1816 wrote to memory of 1612 1816 Gmmfaa32.exe 41 PID 1816 wrote to memory of 1612 1816 Gmmfaa32.exe 41 PID 1816 wrote to memory of 1612 1816 Gmmfaa32.exe 41 PID 1612 wrote to memory of 2708 1612 Gdhkfd32.exe 42 PID 1612 wrote to memory of 2708 1612 Gdhkfd32.exe 42 PID 1612 wrote to memory of 2708 1612 Gdhkfd32.exe 42 PID 1612 wrote to memory of 2708 1612 Gdhkfd32.exe 42 PID 2708 wrote to memory of 2968 2708 Gmpcgace.exe 43 PID 2708 wrote to memory of 2968 2708 Gmpcgace.exe 43 PID 2708 wrote to memory of 2968 2708 Gmpcgace.exe 43 PID 2708 wrote to memory of 2968 2708 Gmpcgace.exe 43 PID 2968 wrote to memory of 2220 2968 Gblkoham.exe 44 PID 2968 wrote to memory of 2220 2968 Gblkoham.exe 44 PID 2968 wrote to memory of 2220 2968 Gblkoham.exe 44 PID 2968 wrote to memory of 2220 2968 Gblkoham.exe 44 PID 2220 wrote to memory of 2716 2220 Gifclb32.exe 45 PID 2220 wrote to memory of 2716 2220 Gifclb32.exe 45 PID 2220 wrote to memory of 2716 2220 Gifclb32.exe 45 PID 2220 wrote to memory of 2716 2220 Gifclb32.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\0ed511528106af840d37947ac7c0ebc711c630cf45bc0276bf6c3b3ff09c4849N.exe"C:\Users\Admin\AppData\Local\Temp\0ed511528106af840d37947ac7c0ebc711c630cf45bc0276bf6c3b3ff09c4849N.exe"1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2072 -
C:\Windows\SysWOW64\Fgigil32.exeC:\Windows\system32\Fgigil32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3048 -
C:\Windows\SysWOW64\Fkecij32.exeC:\Windows\system32\Fkecij32.exe3⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2704 -
C:\Windows\SysWOW64\Fdmhbplb.exeC:\Windows\system32\Fdmhbplb.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1668 -
C:\Windows\SysWOW64\Fgldnkkf.exeC:\Windows\system32\Fgldnkkf.exe5⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2724 -
C:\Windows\SysWOW64\Fnflke32.exeC:\Windows\system32\Fnflke32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2924 -
C:\Windows\SysWOW64\Fogibnha.exeC:\Windows\system32\Fogibnha.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1900 -
C:\Windows\SysWOW64\Fgnadkic.exeC:\Windows\system32\Fgnadkic.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1884 -
C:\Windows\SysWOW64\Fqfemqod.exeC:\Windows\system32\Fqfemqod.exe9⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2472 -
C:\Windows\SysWOW64\Gbhbdi32.exeC:\Windows\system32\Gbhbdi32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1476 -
C:\Windows\SysWOW64\Gfcnegnk.exeC:\Windows\system32\Gfcnegnk.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1964 -
C:\Windows\SysWOW64\Gmmfaa32.exeC:\Windows\system32\Gmmfaa32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1816 -
C:\Windows\SysWOW64\Gdhkfd32.exeC:\Windows\system32\Gdhkfd32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1612 -
C:\Windows\SysWOW64\Gmpcgace.exeC:\Windows\system32\Gmpcgace.exe14⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2708 -
C:\Windows\SysWOW64\Gblkoham.exeC:\Windows\system32\Gblkoham.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2968 -
C:\Windows\SysWOW64\Gifclb32.exeC:\Windows\system32\Gifclb32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2220 -
C:\Windows\SysWOW64\Gqahqd32.exeC:\Windows\system32\Gqahqd32.exe17⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2716 -
C:\Windows\SysWOW64\Ggkqmoma.exeC:\Windows\system32\Ggkqmoma.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2196 -
C:\Windows\SysWOW64\Gbadjg32.exeC:\Windows\system32\Gbadjg32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:1276 -
C:\Windows\SysWOW64\Gcbabpcf.exeC:\Windows\system32\Gcbabpcf.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2468 -
C:\Windows\SysWOW64\Hjlioj32.exeC:\Windows\system32\Hjlioj32.exe21⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:2504 -
C:\Windows\SysWOW64\Hqfaldbo.exeC:\Windows\system32\Hqfaldbo.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:912 -
C:\Windows\SysWOW64\Hjofdi32.exeC:\Windows\system32\Hjofdi32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2284 -
C:\Windows\SysWOW64\Hmmbqegc.exeC:\Windows\system32\Hmmbqegc.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1756 -
C:\Windows\SysWOW64\Hcgjmo32.exeC:\Windows\system32\Hcgjmo32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:848 -
C:\Windows\SysWOW64\Hidcef32.exeC:\Windows\system32\Hidcef32.exe26⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2212 -
C:\Windows\SysWOW64\Hakkgc32.exeC:\Windows\system32\Hakkgc32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1596 -
C:\Windows\SysWOW64\Hfhcoj32.exeC:\Windows\system32\Hfhcoj32.exe28⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2900 -
C:\Windows\SysWOW64\Hcldhnkk.exeC:\Windows\system32\Hcldhnkk.exe29⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2864 -
C:\Windows\SysWOW64\Hboddk32.exeC:\Windows\system32\Hboddk32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2872 -
C:\Windows\SysWOW64\Hihlqeib.exeC:\Windows\system32\Hihlqeib.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2952 -
C:\Windows\SysWOW64\Hmdhad32.exeC:\Windows\system32\Hmdhad32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2740 -
C:\Windows\SysWOW64\Ihniaa32.exeC:\Windows\system32\Ihniaa32.exe33⤵
- Executes dropped EXE
- Modifies registry class
PID:672 -
C:\Windows\SysWOW64\Iliebpfc.exeC:\Windows\system32\Iliebpfc.exe34⤵
- Executes dropped EXE
PID:1632 -
C:\Windows\SysWOW64\Ibcnojnp.exeC:\Windows\system32\Ibcnojnp.exe35⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1580 -
C:\Windows\SysWOW64\Ieajkfmd.exeC:\Windows\system32\Ieajkfmd.exe36⤵
- Executes dropped EXE
- Modifies registry class
PID:980 -
C:\Windows\SysWOW64\Ibejdjln.exeC:\Windows\system32\Ibejdjln.exe37⤵
- Executes dropped EXE
PID:1512 -
C:\Windows\SysWOW64\Iahkpg32.exeC:\Windows\system32\Iahkpg32.exe38⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:292 -
C:\Windows\SysWOW64\Iakgefqe.exeC:\Windows\system32\Iakgefqe.exe39⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2984 -
C:\Windows\SysWOW64\Idicbbpi.exeC:\Windows\system32\Idicbbpi.exe40⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2092 -
C:\Windows\SysWOW64\Ihdpbq32.exeC:\Windows\system32\Ihdpbq32.exe41⤵
- Executes dropped EXE
- Modifies registry class
PID:2120 -
C:\Windows\SysWOW64\Ijclol32.exeC:\Windows\system32\Ijclol32.exe42⤵
- Executes dropped EXE
PID:2180 -
C:\Windows\SysWOW64\Ihglhp32.exeC:\Windows\system32\Ihglhp32.exe43⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:952 -
C:\Windows\SysWOW64\Ijehdl32.exeC:\Windows\system32\Ijehdl32.exe44⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2576 -
C:\Windows\SysWOW64\Iihiphln.exeC:\Windows\system32\Iihiphln.exe45⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:348 -
C:\Windows\SysWOW64\Jmdepg32.exeC:\Windows\system32\Jmdepg32.exe46⤵
- Executes dropped EXE
PID:812 -
C:\Windows\SysWOW64\Jpbalb32.exeC:\Windows\system32\Jpbalb32.exe47⤵
- Executes dropped EXE
PID:1556 -
C:\Windows\SysWOW64\Jbqmhnbo.exeC:\Windows\system32\Jbqmhnbo.exe48⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:772 -
C:\Windows\SysWOW64\Jfliim32.exeC:\Windows\system32\Jfliim32.exe49⤵
- Executes dropped EXE
PID:552 -
C:\Windows\SysWOW64\Jikeeh32.exeC:\Windows\system32\Jikeeh32.exe50⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:328 -
C:\Windows\SysWOW64\Jmfafgbd.exeC:\Windows\system32\Jmfafgbd.exe51⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1508 -
C:\Windows\SysWOW64\Jpdnbbah.exeC:\Windows\system32\Jpdnbbah.exe52⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:3000 -
C:\Windows\SysWOW64\Jdpjba32.exeC:\Windows\system32\Jdpjba32.exe53⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2904 -
C:\Windows\SysWOW64\Jfofol32.exeC:\Windows\system32\Jfofol32.exe54⤵
- Executes dropped EXE
- Modifies registry class
PID:2648 -
C:\Windows\SysWOW64\Jmhnkfpa.exeC:\Windows\system32\Jmhnkfpa.exe55⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2624 -
C:\Windows\SysWOW64\Jpgjgboe.exeC:\Windows\system32\Jpgjgboe.exe56⤵
- Executes dropped EXE
PID:2164 -
C:\Windows\SysWOW64\Jojkco32.exeC:\Windows\system32\Jojkco32.exe57⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2156 -
C:\Windows\SysWOW64\Jgabdlfb.exeC:\Windows\system32\Jgabdlfb.exe58⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2152 -
C:\Windows\SysWOW64\Jioopgef.exeC:\Windows\system32\Jioopgef.exe59⤵
- Executes dropped EXE
- Modifies registry class
PID:1720 -
C:\Windows\SysWOW64\Jhbold32.exeC:\Windows\system32\Jhbold32.exe60⤵
- Executes dropped EXE
PID:3060 -
C:\Windows\SysWOW64\Jpigma32.exeC:\Windows\system32\Jpigma32.exe61⤵
- Executes dropped EXE
PID:584 -
C:\Windows\SysWOW64\Jbhcim32.exeC:\Windows\system32\Jbhcim32.exe62⤵
- Executes dropped EXE
PID:2660 -
C:\Windows\SysWOW64\Jajcdjca.exeC:\Windows\system32\Jajcdjca.exe63⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1156 -
C:\Windows\SysWOW64\Jialfgcc.exeC:\Windows\system32\Jialfgcc.exe64⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1208 -
C:\Windows\SysWOW64\Jhdlad32.exeC:\Windows\system32\Jhdlad32.exe65⤵
- Executes dropped EXE
PID:2308 -
C:\Windows\SysWOW64\Jkchmo32.exeC:\Windows\system32\Jkchmo32.exe66⤵PID:1880
-
C:\Windows\SysWOW64\Jondnnbk.exeC:\Windows\system32\Jondnnbk.exe67⤵PID:892
-
C:\Windows\SysWOW64\Jampjian.exeC:\Windows\system32\Jampjian.exe68⤵
- System Location Discovery: System Language Discovery
PID:3036 -
C:\Windows\SysWOW64\Jehlkhig.exeC:\Windows\system32\Jehlkhig.exe69⤵PID:2764
-
C:\Windows\SysWOW64\Klbdgb32.exeC:\Windows\system32\Klbdgb32.exe70⤵
- Drops file in System32 directory
PID:2756 -
C:\Windows\SysWOW64\Kkeecogo.exeC:\Windows\system32\Kkeecogo.exe71⤵PID:2268
-
C:\Windows\SysWOW64\Koaqcn32.exeC:\Windows\system32\Koaqcn32.exe72⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1412 -
C:\Windows\SysWOW64\Kaompi32.exeC:\Windows\system32\Kaompi32.exe73⤵
- System Location Discovery: System Language Discovery
PID:2860 -
C:\Windows\SysWOW64\Kdnild32.exeC:\Windows\system32\Kdnild32.exe74⤵PID:2520
-
C:\Windows\SysWOW64\Kglehp32.exeC:\Windows\system32\Kglehp32.exe75⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1944 -
C:\Windows\SysWOW64\Knfndjdp.exeC:\Windows\system32\Knfndjdp.exe76⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:1072 -
C:\Windows\SysWOW64\Kaajei32.exeC:\Windows\system32\Kaajei32.exe77⤵PID:1864
-
C:\Windows\SysWOW64\Kdpfadlm.exeC:\Windows\system32\Kdpfadlm.exe78⤵
- Modifies registry class
PID:1040 -
C:\Windows\SysWOW64\Khkbbc32.exeC:\Windows\system32\Khkbbc32.exe79⤵
- System Location Discovery: System Language Discovery
PID:1760 -
C:\Windows\SysWOW64\Kkjnnn32.exeC:\Windows\system32\Kkjnnn32.exe80⤵PID:1952
-
C:\Windows\SysWOW64\Kjmnjkjd.exeC:\Windows\system32\Kjmnjkjd.exe81⤵
- Modifies registry class
PID:2356 -
C:\Windows\SysWOW64\Kadfkhkf.exeC:\Windows\system32\Kadfkhkf.exe82⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:3040 -
C:\Windows\SysWOW64\Kdbbgdjj.exeC:\Windows\system32\Kdbbgdjj.exe83⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2500 -
C:\Windows\SysWOW64\Kgqocoin.exeC:\Windows\system32\Kgqocoin.exe84⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1780 -
C:\Windows\SysWOW64\Kklkcn32.exeC:\Windows\system32\Kklkcn32.exe85⤵PID:2992
-
C:\Windows\SysWOW64\Knkgpi32.exeC:\Windows\system32\Knkgpi32.exe86⤵PID:2344
-
C:\Windows\SysWOW64\Kpicle32.exeC:\Windows\system32\Kpicle32.exe87⤵PID:2656
-
C:\Windows\SysWOW64\Kddomchg.exeC:\Windows\system32\Kddomchg.exe88⤵
- System Location Discovery: System Language Discovery
PID:2692 -
C:\Windows\SysWOW64\Kgclio32.exeC:\Windows\system32\Kgclio32.exe89⤵PID:2932
-
C:\Windows\SysWOW64\Kjahej32.exeC:\Windows\system32\Kjahej32.exe90⤵PID:1416
-
C:\Windows\SysWOW64\Knmdeioh.exeC:\Windows\system32\Knmdeioh.exe91⤵
- Drops file in System32 directory
PID:2028 -
C:\Windows\SysWOW64\Lonpma32.exeC:\Windows\system32\Lonpma32.exe92⤵
- System Location Discovery: System Language Discovery
PID:236 -
C:\Windows\SysWOW64\Lgehno32.exeC:\Windows\system32\Lgehno32.exe93⤵
- System Location Discovery: System Language Discovery
PID:2980 -
C:\Windows\SysWOW64\Lfhhjklc.exeC:\Windows\system32\Lfhhjklc.exe94⤵PID:2480
-
C:\Windows\SysWOW64\Ljddjj32.exeC:\Windows\system32\Ljddjj32.exe95⤵PID:1336
-
C:\Windows\SysWOW64\Lpnmgdli.exeC:\Windows\system32\Lpnmgdli.exe96⤵
- System Location Discovery: System Language Discovery
PID:688 -
C:\Windows\SysWOW64\Lclicpkm.exeC:\Windows\system32\Lclicpkm.exe97⤵PID:3068
-
C:\Windows\SysWOW64\Lfkeokjp.exeC:\Windows\system32\Lfkeokjp.exe98⤵PID:2644
-
C:\Windows\SysWOW64\Lldmleam.exeC:\Windows\system32\Lldmleam.exe99⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2720 -
C:\Windows\SysWOW64\Lcofio32.exeC:\Windows\system32\Lcofio32.exe100⤵
- Drops file in System32 directory
PID:2668 -
C:\Windows\SysWOW64\Lfmbek32.exeC:\Windows\system32\Lfmbek32.exe101⤵
- Drops file in System32 directory
PID:2856 -
C:\Windows\SysWOW64\Lhknaf32.exeC:\Windows\system32\Lhknaf32.exe102⤵
- System Location Discovery: System Language Discovery
PID:2024 -
C:\Windows\SysWOW64\Llgjaeoj.exeC:\Windows\system32\Llgjaeoj.exe103⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2840 -
C:\Windows\SysWOW64\Loefnpnn.exeC:\Windows\system32\Loefnpnn.exe104⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3020 -
C:\Windows\SysWOW64\Lbcbjlmb.exeC:\Windows\system32\Lbcbjlmb.exe105⤵
- Modifies registry class
PID:2956 -
C:\Windows\SysWOW64\Lhnkffeo.exeC:\Windows\system32\Lhnkffeo.exe106⤵PID:1544
-
C:\Windows\SysWOW64\Lklgbadb.exeC:\Windows\system32\Lklgbadb.exe107⤵
- System Location Discovery: System Language Discovery
PID:1672 -
C:\Windows\SysWOW64\Lnjcomcf.exeC:\Windows\system32\Lnjcomcf.exe108⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:2940 -
C:\Windows\SysWOW64\Lddlkg32.exeC:\Windows\system32\Lddlkg32.exe109⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2808 -
C:\Windows\SysWOW64\Lgchgb32.exeC:\Windows\system32\Lgchgb32.exe110⤵
- Drops file in System32 directory
PID:308 -
C:\Windows\SysWOW64\Mjaddn32.exeC:\Windows\system32\Mjaddn32.exe111⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:568 -
C:\Windows\SysWOW64\Mqklqhpg.exeC:\Windows\system32\Mqklqhpg.exe112⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1300 -
C:\Windows\SysWOW64\Mdghaf32.exeC:\Windows\system32\Mdghaf32.exe113⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:832 -
C:\Windows\SysWOW64\Mgedmb32.exeC:\Windows\system32\Mgedmb32.exe114⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2844 -
C:\Windows\SysWOW64\Mkqqnq32.exeC:\Windows\system32\Mkqqnq32.exe115⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1624 -
C:\Windows\SysWOW64\Mnomjl32.exeC:\Windows\system32\Mnomjl32.exe116⤵PID:2232
-
C:\Windows\SysWOW64\Mqnifg32.exeC:\Windows\system32\Mqnifg32.exe117⤵PID:300
-
C:\Windows\SysWOW64\Mclebc32.exeC:\Windows\system32\Mclebc32.exe118⤵PID:2068
-
C:\Windows\SysWOW64\Mggabaea.exeC:\Windows\system32\Mggabaea.exe119⤵PID:2712
-
C:\Windows\SysWOW64\Mjfnomde.exeC:\Windows\system32\Mjfnomde.exe120⤵
- System Location Discovery: System Language Discovery
PID:1432 -
C:\Windows\SysWOW64\Mnaiol32.exeC:\Windows\system32\Mnaiol32.exe121⤵
- System Location Discovery: System Language Discovery
PID:1800
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-