Analysis
-
max time kernel
16s -
max time network
16s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
14/10/2024, 19:29
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
f06a674253772fc34bd5b0c74c15e0a468cb166dd663afe058ac927f22081385N.exe
Resource
win7-20240903-en
windows7-x64
8 signatures
120 seconds
Behavioral task
behavioral2
Sample
f06a674253772fc34bd5b0c74c15e0a468cb166dd663afe058ac927f22081385N.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
7 signatures
120 seconds
General
-
Target
f06a674253772fc34bd5b0c74c15e0a468cb166dd663afe058ac927f22081385N.exe
-
Size
96KB
-
MD5
a1233de60c6e8e8c1c3c2a7c8b9d18d0
-
SHA1
e3280c6c48d86d61ef3563518ea8e20ede52c308
-
SHA256
f06a674253772fc34bd5b0c74c15e0a468cb166dd663afe058ac927f22081385
-
SHA512
5bf051fedf3f62471f8858fff227c20527339ec804230757b14a64873e738de7ecc9129f122017e3a9ed06080399f9e8af7a0f1e0af3de9416faadba387da1c9
-
SSDEEP
1536:9NXv9oH1rc4e5Fi8OqZIUdzRsuT1S83AofVp2Lk1LPXuhiTMuZXGTIVefVDkryy6:9pv9OaLzauOYiaLPXuhuXGQmVDeCyqX
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ccpcckck.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Folfoj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Caaggpdh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mjhjdm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fggkcl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gneijien.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Loqmba32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ojomdoof.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bchfhfeh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ompefj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bjbeofpp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fqfemqod.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gonocmbi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hifpke32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kkeecogo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gblkoham.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Koaqcn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kkjnnn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lbafdlod.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Opglafab.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Llbqfe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eacljf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Enlidg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Goiehm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hcldhnkk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Koaqcn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Djdgic32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dogpdg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hjacjifm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hmalldcn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ilnomp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pkaehb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eoepnk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Phcilf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jhbold32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oiffkkbk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Opglafab.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Paknelgk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Alihaioe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eknmhk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fgigil32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jikeeh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jimbkh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mklcadfn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fhomkcoa.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gqdefddb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gepafc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bqijljfd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eldglp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Goiehm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lgchgb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Phqmgg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ccjoli32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hmmbqegc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Klbdgb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bqgmfkhg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hpbdmo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lhknaf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Opihgfop.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aoojnc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dnpciaef.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cmhglq32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dhiomn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gbhbdi32.exe -
Executes dropped EXE 64 IoCs
pid Process 2184 Bajqfq32.exe 2052 Biaign32.exe 1156 Bgdibkam.exe 2768 Bjbeofpp.exe 2748 Bjebdfnn.exe 2948 Bejfao32.exe 1748 Bflbigdb.exe 3044 Caaggpdh.exe 580 Ccpcckck.exe 2144 Cmhglq32.exe 1980 Cfpldf32.exe 1680 Ciohqa32.exe 1160 Cpiqmlfm.exe 1456 Ccdmnj32.exe 2244 Ciaefa32.exe 2068 Cnnnnh32.exe 2452 Cehfkb32.exe 3004 Cicalakk.exe 1272 Clbnhmjo.exe 1204 Cpmjhk32.exe 784 Cblfdg32.exe 1536 Dejbqb32.exe 2172 Dhiomn32.exe 2380 Dldkmlhl.exe 1644 Ddpobo32.exe 1560 Dhkkbmnp.exe 2976 Dlfgcl32.exe 2840 Dacpkc32.exe 2860 Dogpdg32.exe 2832 Dmjqpdje.exe 2588 Dphmloih.exe 1984 Dknajh32.exe 1492 Diaaeepi.exe 2028 Dahifbpk.exe 1944 Ddfebnoo.exe 2016 Dgeaoinb.exe 1316 Eclbcj32.exe 1084 Eggndi32.exe 2956 Eiekpd32.exe 2264 Emagacdm.exe 2060 Eldglp32.exe 2284 Eelkeeah.exe 1936 Ehkhaqpk.exe 1740 Epbpbnan.exe 572 Eoepnk32.exe 2364 Eacljf32.exe 1052 Eijdkcgn.exe 2320 Elipgofb.exe 2724 Eklqcl32.exe 2772 Ecbhdi32.exe 2624 Eaeipfei.exe 2892 Eddeladm.exe 1028 Ehpalp32.exe 1820 Eknmhk32.exe 2444 Eoiiijcc.exe 584 Enlidg32.exe 2868 Eecafd32.exe 1656 Edfbaabj.exe 820 Fgdnnl32.exe 1604 Fkpjnkig.exe 1392 Folfoj32.exe 1308 Fnofjfhk.exe 2376 Fajbke32.exe 1728 Fpmbfbgo.exe -
Loads dropped DLL 64 IoCs
pid Process 1828 f06a674253772fc34bd5b0c74c15e0a468cb166dd663afe058ac927f22081385N.exe 1828 f06a674253772fc34bd5b0c74c15e0a468cb166dd663afe058ac927f22081385N.exe 2184 Bajqfq32.exe 2184 Bajqfq32.exe 2052 Biaign32.exe 2052 Biaign32.exe 1156 Bgdibkam.exe 1156 Bgdibkam.exe 2768 Bjbeofpp.exe 2768 Bjbeofpp.exe 2748 Bjebdfnn.exe 2748 Bjebdfnn.exe 2948 Bejfao32.exe 2948 Bejfao32.exe 1748 Bflbigdb.exe 1748 Bflbigdb.exe 3044 Caaggpdh.exe 3044 Caaggpdh.exe 580 Ccpcckck.exe 580 Ccpcckck.exe 2144 Cmhglq32.exe 2144 Cmhglq32.exe 1980 Cfpldf32.exe 1980 Cfpldf32.exe 1680 Ciohqa32.exe 1680 Ciohqa32.exe 1160 Cpiqmlfm.exe 1160 Cpiqmlfm.exe 1456 Ccdmnj32.exe 1456 Ccdmnj32.exe 2244 Ciaefa32.exe 2244 Ciaefa32.exe 2068 Cnnnnh32.exe 2068 Cnnnnh32.exe 2452 Cehfkb32.exe 2452 Cehfkb32.exe 3004 Cicalakk.exe 3004 Cicalakk.exe 1272 Clbnhmjo.exe 1272 Clbnhmjo.exe 1204 Cpmjhk32.exe 1204 Cpmjhk32.exe 784 Cblfdg32.exe 784 Cblfdg32.exe 1536 Dejbqb32.exe 1536 Dejbqb32.exe 2172 Dhiomn32.exe 2172 Dhiomn32.exe 2380 Dldkmlhl.exe 2380 Dldkmlhl.exe 1644 Ddpobo32.exe 1644 Ddpobo32.exe 1560 Dhkkbmnp.exe 1560 Dhkkbmnp.exe 2976 Dlfgcl32.exe 2976 Dlfgcl32.exe 2840 Dacpkc32.exe 2840 Dacpkc32.exe 2860 Dogpdg32.exe 2860 Dogpdg32.exe 2832 Dmjqpdje.exe 2832 Dmjqpdje.exe 2588 Dphmloih.exe 2588 Dphmloih.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Eecafd32.exe Enlidg32.exe File created C:\Windows\SysWOW64\Egjfigdn.dll Ffodjh32.exe File opened for modification C:\Windows\SysWOW64\Gjjmijme.exe Ggkqmoma.exe File opened for modification C:\Windows\SysWOW64\Kdbbgdjj.exe Kjmnjkjd.exe File opened for modification C:\Windows\SysWOW64\Agjobffl.exe Adlcfjgh.exe File created C:\Windows\SysWOW64\Ahanckfm.dll Caaggpdh.exe File created C:\Windows\SysWOW64\Gfebgn32.dll Eelkeeah.exe File created C:\Windows\SysWOW64\Fcnkhmdp.exe Fdkklp32.exe File created C:\Windows\SysWOW64\Hmalldcn.exe Hifpke32.exe File created C:\Windows\SysWOW64\Kgloog32.dll Cbffoabe.exe File created C:\Windows\SysWOW64\Edgeao32.dll Eacljf32.exe File opened for modification C:\Windows\SysWOW64\Fgigil32.exe Fcnkhmdp.exe File created C:\Windows\SysWOW64\Goplilpf.exe Goplilpf.exe File opened for modification C:\Windows\SysWOW64\Gbadjg32.exe Gneijien.exe File created C:\Windows\SysWOW64\Goiebopf.dll Iihiphln.exe File created C:\Windows\SysWOW64\Jbjpom32.exe Jkchmo32.exe File created C:\Windows\SysWOW64\Djgompkk.dll Eklqcl32.exe File created C:\Windows\SysWOW64\Mjaddn32.exe Lgchgb32.exe File opened for modification C:\Windows\SysWOW64\Nedhjj32.exe Mcckcbgp.exe File created C:\Windows\SysWOW64\Nlqmmd32.exe Nefdpjkl.exe File created C:\Windows\SysWOW64\Pobghn32.dll Ckjamgmk.exe File opened for modification C:\Windows\SysWOW64\Diaaeepi.exe Dknajh32.exe File opened for modification C:\Windows\SysWOW64\Giipab32.exe Gdmdacnn.exe File created C:\Windows\SysWOW64\Gphfihaj.dll Ijnbcmkk.exe File created C:\Windows\SysWOW64\Khghgchk.exe Jbjpom32.exe File opened for modification C:\Windows\SysWOW64\Ahbekjcf.exe Afdiondb.exe File created C:\Windows\SysWOW64\Ccpcckck.exe Caaggpdh.exe File created C:\Windows\SysWOW64\Enlidg32.exe Eoiiijcc.exe File created C:\Windows\SysWOW64\Fdkklp32.exe Fpoolael.exe File opened for modification C:\Windows\SysWOW64\Hpphhp32.exe Hmalldcn.exe File created C:\Windows\SysWOW64\Ihpfgalh.exe Iafnjg32.exe File created C:\Windows\SysWOW64\Calcpm32.exe Cmpgpond.exe File opened for modification C:\Windows\SysWOW64\Cmpgpond.exe Cnmfdb32.exe File created C:\Windows\SysWOW64\Dejbqb32.exe Cblfdg32.exe File created C:\Windows\SysWOW64\Ddpobo32.exe Dldkmlhl.exe File opened for modification C:\Windows\SysWOW64\Fpoolael.exe Fnacpffh.exe File created C:\Windows\SysWOW64\Hgmamfed.dll Fqfemqod.exe File created C:\Windows\SysWOW64\Nmmnnh32.dll Jlkngc32.exe File created C:\Windows\SysWOW64\Cpehmcmg.dll Jioopgef.exe File created C:\Windows\SysWOW64\Kmdlca32.dll Odgamdef.exe File opened for modification C:\Windows\SysWOW64\Cicalakk.exe Cehfkb32.exe File created C:\Windows\SysWOW64\Fggkcl32.exe Fdiogq32.exe File created C:\Windows\SysWOW64\Gbhbdi32.exe Gceailog.exe File created C:\Windows\SysWOW64\Gjojef32.exe Gfcnegnk.exe File opened for modification C:\Windows\SysWOW64\Gnaooi32.exe Gonocmbi.exe File created C:\Windows\SysWOW64\Fohlogok.dll Hpkompgg.exe File created C:\Windows\SysWOW64\Gpajfg32.dll Cgcnghpl.exe File opened for modification C:\Windows\SysWOW64\Fkpjnkig.exe Fgdnnl32.exe File created C:\Windows\SysWOW64\Kgfkgo32.dll Fkbgckgd.exe File created C:\Windows\SysWOW64\Jiepeo32.dll Hfcjdkpg.exe File created C:\Windows\SysWOW64\Mahlae32.dll Jhdlad32.exe File opened for modification C:\Windows\SysWOW64\Bigkel32.exe Bfioia32.exe File created C:\Windows\SysWOW64\Ccmpce32.exe Bkegah32.exe File created C:\Windows\SysWOW64\Cbppnbhm.exe Ccmpce32.exe File opened for modification C:\Windows\SysWOW64\Cgfkmgnj.exe Ccjoli32.exe File opened for modification C:\Windows\SysWOW64\Dphmloih.exe Dmjqpdje.exe File created C:\Windows\SysWOW64\Lillifio.dll Ddfebnoo.exe File opened for modification C:\Windows\SysWOW64\Hmkeke32.exe Hnheohcl.exe File created C:\Windows\SysWOW64\Dldlhdpl.dll Khghgchk.exe File opened for modification C:\Windows\SysWOW64\Kpicle32.exe Kjokokha.exe File opened for modification C:\Windows\SysWOW64\Nipdkieg.exe Nedhjj32.exe File created C:\Windows\SysWOW64\Jpebhied.dll Bffbdadk.exe File created C:\Windows\SysWOW64\Qknbpmpk.dll Cicalakk.exe File created C:\Windows\SysWOW64\Feglhlfm.dll Eggndi32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 4636 4572 WerFault.exe 393 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eoiiijcc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fcphnm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ffodjh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fcbecl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gdmdacnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ljddjj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Opglafab.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bflbigdb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qgmpibam.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qcachc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ccpcckck.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Diaaeepi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Flfpabkp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gfcnegnk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gkpfmnlb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ggicgopd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ggkqmoma.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bgdibkam.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Koaqcn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Djdgic32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ihpfgalh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eaeipfei.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fjegog32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jmdepg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lhnkffeo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bjebdfnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jbefcm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oemgplgo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qkfocaki.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aqbdkk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fgigil32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nefdpjkl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Adnpkjde.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bnknoogp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fdkklp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hpkompgg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hemqpf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ijnbcmkk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iahkpg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kjokokha.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Njjcip32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qcogbdkg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hjlioj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ilnomp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mbhlek32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Odchbe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ofhjopbg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cbppnbhm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cnimiblo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fjhcegll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fkpjnkig.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fkbgckgd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gblkoham.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Goplilpf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mnaiol32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mqpflg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nidmfh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cicalakk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cjakccop.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cebeem32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kgqocoin.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nfdddm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kjmnjkjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Loefnpnn.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekdehk32.dll" Fggkcl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ggkqmoma.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ggicgopd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hemqpf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hcelfiph.dll" Mcnbhb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffjaickl.dll" Ehkhaqpk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kpicle32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cfibop32.dll" Pebpkk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pebpkk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aqpmpahd.dll" Cmedlk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nncbdomg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kgloog32.dll" Cbffoabe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ooabmbbe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aoojnc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bjebdfnn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ddonghfa.dll" Fogibnha.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fgnadkic.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jngafd32.dll" Fhomkcoa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Liihgqil.dll" Gjojef32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hmalldcn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kfnpea32.dll" Gkpfmnlb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nlefhcnc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lkfalipj.dll" Fkpjnkig.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hmkeke32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bqijljfd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pobghn32.dll" Ckjamgmk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bjebdfnn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eecafd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hcldhnkk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jikeeh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Khghgchk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kkjnnn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Afbioogg.dll" Mggabaea.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Oococb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eoepnk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fpoolael.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qmfpeb32.dll" Flfpabkp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ibcnojnp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kdbbgdjj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ngdjmc32.dll" Kdbbgdjj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lkjjma32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ifhckf32.dll" Mjcaimgg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ddfebnoo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Eacljf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebaijflc.dll" Fgdnnl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fggkcl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ffodjh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hmkeke32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qggfio32.dll" Mgjnhaco.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nedhjj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Enemcbio.dll" Olebgfao.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Paknelgk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eldglp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fkbgckgd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fogibnha.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pbgiha32.dll" Ghdgfbkl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Iikifegp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Imahkg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkkeeecj.dll" Fqdiga32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hmmbqegc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jefpeh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Elipgofb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mimgeigj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jlkngc32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1828 wrote to memory of 2184 1828 f06a674253772fc34bd5b0c74c15e0a468cb166dd663afe058ac927f22081385N.exe 30 PID 1828 wrote to memory of 2184 1828 f06a674253772fc34bd5b0c74c15e0a468cb166dd663afe058ac927f22081385N.exe 30 PID 1828 wrote to memory of 2184 1828 f06a674253772fc34bd5b0c74c15e0a468cb166dd663afe058ac927f22081385N.exe 30 PID 1828 wrote to memory of 2184 1828 f06a674253772fc34bd5b0c74c15e0a468cb166dd663afe058ac927f22081385N.exe 30 PID 2184 wrote to memory of 2052 2184 Bajqfq32.exe 31 PID 2184 wrote to memory of 2052 2184 Bajqfq32.exe 31 PID 2184 wrote to memory of 2052 2184 Bajqfq32.exe 31 PID 2184 wrote to memory of 2052 2184 Bajqfq32.exe 31 PID 2052 wrote to memory of 1156 2052 Biaign32.exe 32 PID 2052 wrote to memory of 1156 2052 Biaign32.exe 32 PID 2052 wrote to memory of 1156 2052 Biaign32.exe 32 PID 2052 wrote to memory of 1156 2052 Biaign32.exe 32 PID 1156 wrote to memory of 2768 1156 Bgdibkam.exe 33 PID 1156 wrote to memory of 2768 1156 Bgdibkam.exe 33 PID 1156 wrote to memory of 2768 1156 Bgdibkam.exe 33 PID 1156 wrote to memory of 2768 1156 Bgdibkam.exe 33 PID 2768 wrote to memory of 2748 2768 Bjbeofpp.exe 34 PID 2768 wrote to memory of 2748 2768 Bjbeofpp.exe 34 PID 2768 wrote to memory of 2748 2768 Bjbeofpp.exe 34 PID 2768 wrote to memory of 2748 2768 Bjbeofpp.exe 34 PID 2748 wrote to memory of 2948 2748 Bjebdfnn.exe 35 PID 2748 wrote to memory of 2948 2748 Bjebdfnn.exe 35 PID 2748 wrote to memory of 2948 2748 Bjebdfnn.exe 35 PID 2748 wrote to memory of 2948 2748 Bjebdfnn.exe 35 PID 2948 wrote to memory of 1748 2948 Bejfao32.exe 36 PID 2948 wrote to memory of 1748 2948 Bejfao32.exe 36 PID 2948 wrote to memory of 1748 2948 Bejfao32.exe 36 PID 2948 wrote to memory of 1748 2948 Bejfao32.exe 36 PID 1748 wrote to memory of 3044 1748 Bflbigdb.exe 37 PID 1748 wrote to memory of 3044 1748 Bflbigdb.exe 37 PID 1748 wrote to memory of 3044 1748 Bflbigdb.exe 37 PID 1748 wrote to memory of 3044 1748 Bflbigdb.exe 37 PID 3044 wrote to memory of 580 3044 Caaggpdh.exe 38 PID 3044 wrote to memory of 580 3044 Caaggpdh.exe 38 PID 3044 wrote to memory of 580 3044 Caaggpdh.exe 38 PID 3044 wrote to memory of 580 3044 Caaggpdh.exe 38 PID 580 wrote to memory of 2144 580 Ccpcckck.exe 39 PID 580 wrote to memory of 2144 580 Ccpcckck.exe 39 PID 580 wrote to memory of 2144 580 Ccpcckck.exe 39 PID 580 wrote to memory of 2144 580 Ccpcckck.exe 39 PID 2144 wrote to memory of 1980 2144 Cmhglq32.exe 40 PID 2144 wrote to memory of 1980 2144 Cmhglq32.exe 40 PID 2144 wrote to memory of 1980 2144 Cmhglq32.exe 40 PID 2144 wrote to memory of 1980 2144 Cmhglq32.exe 40 PID 1980 wrote to memory of 1680 1980 Cfpldf32.exe 41 PID 1980 wrote to memory of 1680 1980 Cfpldf32.exe 41 PID 1980 wrote to memory of 1680 1980 Cfpldf32.exe 41 PID 1980 wrote to memory of 1680 1980 Cfpldf32.exe 41 PID 1680 wrote to memory of 1160 1680 Ciohqa32.exe 42 PID 1680 wrote to memory of 1160 1680 Ciohqa32.exe 42 PID 1680 wrote to memory of 1160 1680 Ciohqa32.exe 42 PID 1680 wrote to memory of 1160 1680 Ciohqa32.exe 42 PID 1160 wrote to memory of 1456 1160 Cpiqmlfm.exe 43 PID 1160 wrote to memory of 1456 1160 Cpiqmlfm.exe 43 PID 1160 wrote to memory of 1456 1160 Cpiqmlfm.exe 43 PID 1160 wrote to memory of 1456 1160 Cpiqmlfm.exe 43 PID 1456 wrote to memory of 2244 1456 Ccdmnj32.exe 44 PID 1456 wrote to memory of 2244 1456 Ccdmnj32.exe 44 PID 1456 wrote to memory of 2244 1456 Ccdmnj32.exe 44 PID 1456 wrote to memory of 2244 1456 Ccdmnj32.exe 44 PID 2244 wrote to memory of 2068 2244 Ciaefa32.exe 45 PID 2244 wrote to memory of 2068 2244 Ciaefa32.exe 45 PID 2244 wrote to memory of 2068 2244 Ciaefa32.exe 45 PID 2244 wrote to memory of 2068 2244 Ciaefa32.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\f06a674253772fc34bd5b0c74c15e0a468cb166dd663afe058ac927f22081385N.exe"C:\Users\Admin\AppData\Local\Temp\f06a674253772fc34bd5b0c74c15e0a468cb166dd663afe058ac927f22081385N.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1828 -
C:\Windows\SysWOW64\Bajqfq32.exeC:\Windows\system32\Bajqfq32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2184 -
C:\Windows\SysWOW64\Biaign32.exeC:\Windows\system32\Biaign32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2052 -
C:\Windows\SysWOW64\Bgdibkam.exeC:\Windows\system32\Bgdibkam.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1156 -
C:\Windows\SysWOW64\Bjbeofpp.exeC:\Windows\system32\Bjbeofpp.exe5⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2768 -
C:\Windows\SysWOW64\Bjebdfnn.exeC:\Windows\system32\Bjebdfnn.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2748 -
C:\Windows\SysWOW64\Bejfao32.exeC:\Windows\system32\Bejfao32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2948 -
C:\Windows\SysWOW64\Bflbigdb.exeC:\Windows\system32\Bflbigdb.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1748 -
C:\Windows\SysWOW64\Caaggpdh.exeC:\Windows\system32\Caaggpdh.exe9⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3044 -
C:\Windows\SysWOW64\Ccpcckck.exeC:\Windows\system32\Ccpcckck.exe10⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:580 -
C:\Windows\SysWOW64\Cmhglq32.exeC:\Windows\system32\Cmhglq32.exe11⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2144 -
C:\Windows\SysWOW64\Cfpldf32.exeC:\Windows\system32\Cfpldf32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1980 -
C:\Windows\SysWOW64\Ciohqa32.exeC:\Windows\system32\Ciohqa32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1680 -
C:\Windows\SysWOW64\Cpiqmlfm.exeC:\Windows\system32\Cpiqmlfm.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1160 -
C:\Windows\SysWOW64\Ccdmnj32.exeC:\Windows\system32\Ccdmnj32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1456 -
C:\Windows\SysWOW64\Ciaefa32.exeC:\Windows\system32\Ciaefa32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2244 -
C:\Windows\SysWOW64\Cnnnnh32.exeC:\Windows\system32\Cnnnnh32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2068 -
C:\Windows\SysWOW64\Cehfkb32.exeC:\Windows\system32\Cehfkb32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2452 -
C:\Windows\SysWOW64\Cicalakk.exeC:\Windows\system32\Cicalakk.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:3004 -
C:\Windows\SysWOW64\Clbnhmjo.exeC:\Windows\system32\Clbnhmjo.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1272 -
C:\Windows\SysWOW64\Cpmjhk32.exeC:\Windows\system32\Cpmjhk32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1204 -
C:\Windows\SysWOW64\Cblfdg32.exeC:\Windows\system32\Cblfdg32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:784 -
C:\Windows\SysWOW64\Dejbqb32.exeC:\Windows\system32\Dejbqb32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1536 -
C:\Windows\SysWOW64\Dhiomn32.exeC:\Windows\system32\Dhiomn32.exe24⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2172 -
C:\Windows\SysWOW64\Dldkmlhl.exeC:\Windows\system32\Dldkmlhl.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2380 -
C:\Windows\SysWOW64\Ddpobo32.exeC:\Windows\system32\Ddpobo32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1644 -
C:\Windows\SysWOW64\Dhkkbmnp.exeC:\Windows\system32\Dhkkbmnp.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1560 -
C:\Windows\SysWOW64\Dlfgcl32.exeC:\Windows\system32\Dlfgcl32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2976 -
C:\Windows\SysWOW64\Dacpkc32.exeC:\Windows\system32\Dacpkc32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2840 -
C:\Windows\SysWOW64\Dogpdg32.exeC:\Windows\system32\Dogpdg32.exe30⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2860 -
C:\Windows\SysWOW64\Dmjqpdje.exeC:\Windows\system32\Dmjqpdje.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2832 -
C:\Windows\SysWOW64\Dphmloih.exeC:\Windows\system32\Dphmloih.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2588 -
C:\Windows\SysWOW64\Dknajh32.exeC:\Windows\system32\Dknajh32.exe33⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1984 -
C:\Windows\SysWOW64\Diaaeepi.exeC:\Windows\system32\Diaaeepi.exe34⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1492 -
C:\Windows\SysWOW64\Dahifbpk.exeC:\Windows\system32\Dahifbpk.exe35⤵
- Executes dropped EXE
PID:2028 -
C:\Windows\SysWOW64\Ddfebnoo.exeC:\Windows\system32\Ddfebnoo.exe36⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1944 -
C:\Windows\SysWOW64\Dgeaoinb.exeC:\Windows\system32\Dgeaoinb.exe37⤵
- Executes dropped EXE
PID:2016 -
C:\Windows\SysWOW64\Eclbcj32.exeC:\Windows\system32\Eclbcj32.exe38⤵
- Executes dropped EXE
PID:1316 -
C:\Windows\SysWOW64\Eggndi32.exeC:\Windows\system32\Eggndi32.exe39⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1084 -
C:\Windows\SysWOW64\Eiekpd32.exeC:\Windows\system32\Eiekpd32.exe40⤵
- Executes dropped EXE
PID:2956 -
C:\Windows\SysWOW64\Emagacdm.exeC:\Windows\system32\Emagacdm.exe41⤵
- Executes dropped EXE
PID:2264 -
C:\Windows\SysWOW64\Eldglp32.exeC:\Windows\system32\Eldglp32.exe42⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:2060 -
C:\Windows\SysWOW64\Eelkeeah.exeC:\Windows\system32\Eelkeeah.exe43⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2284 -
C:\Windows\SysWOW64\Ehkhaqpk.exeC:\Windows\system32\Ehkhaqpk.exe44⤵
- Executes dropped EXE
- Modifies registry class
PID:1936 -
C:\Windows\SysWOW64\Epbpbnan.exeC:\Windows\system32\Epbpbnan.exe45⤵
- Executes dropped EXE
PID:1740 -
C:\Windows\SysWOW64\Eoepnk32.exeC:\Windows\system32\Eoepnk32.exe46⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:572 -
C:\Windows\SysWOW64\Eacljf32.exeC:\Windows\system32\Eacljf32.exe47⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2364 -
C:\Windows\SysWOW64\Eijdkcgn.exeC:\Windows\system32\Eijdkcgn.exe48⤵
- Executes dropped EXE
PID:1052 -
C:\Windows\SysWOW64\Elipgofb.exeC:\Windows\system32\Elipgofb.exe49⤵
- Executes dropped EXE
- Modifies registry class
PID:2320 -
C:\Windows\SysWOW64\Eklqcl32.exeC:\Windows\system32\Eklqcl32.exe50⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2724 -
C:\Windows\SysWOW64\Ecbhdi32.exeC:\Windows\system32\Ecbhdi32.exe51⤵
- Executes dropped EXE
PID:2772 -
C:\Windows\SysWOW64\Eaeipfei.exeC:\Windows\system32\Eaeipfei.exe52⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2624 -
C:\Windows\SysWOW64\Eddeladm.exeC:\Windows\system32\Eddeladm.exe53⤵
- Executes dropped EXE
PID:2892 -
C:\Windows\SysWOW64\Ehpalp32.exeC:\Windows\system32\Ehpalp32.exe54⤵
- Executes dropped EXE
PID:1028 -
C:\Windows\SysWOW64\Eknmhk32.exeC:\Windows\system32\Eknmhk32.exe55⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1820 -
C:\Windows\SysWOW64\Eoiiijcc.exeC:\Windows\system32\Eoiiijcc.exe56⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2444 -
C:\Windows\SysWOW64\Enlidg32.exeC:\Windows\system32\Enlidg32.exe57⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:584 -
C:\Windows\SysWOW64\Eecafd32.exeC:\Windows\system32\Eecafd32.exe58⤵
- Executes dropped EXE
- Modifies registry class
PID:2868 -
C:\Windows\SysWOW64\Edfbaabj.exeC:\Windows\system32\Edfbaabj.exe59⤵
- Executes dropped EXE
PID:1656 -
C:\Windows\SysWOW64\Fgdnnl32.exeC:\Windows\system32\Fgdnnl32.exe60⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:820 -
C:\Windows\SysWOW64\Fkpjnkig.exeC:\Windows\system32\Fkpjnkig.exe61⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1604 -
C:\Windows\SysWOW64\Folfoj32.exeC:\Windows\system32\Folfoj32.exe62⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1392 -
C:\Windows\SysWOW64\Fnofjfhk.exeC:\Windows\system32\Fnofjfhk.exe63⤵
- Executes dropped EXE
PID:1308 -
C:\Windows\SysWOW64\Fajbke32.exeC:\Windows\system32\Fajbke32.exe64⤵
- Executes dropped EXE
PID:2376 -
C:\Windows\SysWOW64\Fpmbfbgo.exeC:\Windows\system32\Fpmbfbgo.exe65⤵
- Executes dropped EXE
PID:1728 -
C:\Windows\SysWOW64\Fdiogq32.exeC:\Windows\system32\Fdiogq32.exe66⤵
- Drops file in System32 directory
PID:1032 -
C:\Windows\SysWOW64\Fggkcl32.exeC:\Windows\system32\Fggkcl32.exe67⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2904 -
C:\Windows\SysWOW64\Fkbgckgd.exeC:\Windows\system32\Fkbgckgd.exe68⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:636 -
C:\Windows\SysWOW64\Fjegog32.exeC:\Windows\system32\Fjegog32.exe69⤵
- System Location Discovery: System Language Discovery
PID:856 -
C:\Windows\SysWOW64\Fnacpffh.exeC:\Windows\system32\Fnacpffh.exe70⤵
- Drops file in System32 directory
PID:1868 -
C:\Windows\SysWOW64\Fpoolael.exeC:\Windows\system32\Fpoolael.exe71⤵
- Drops file in System32 directory
- Modifies registry class
PID:1952 -
C:\Windows\SysWOW64\Fdkklp32.exeC:\Windows\system32\Fdkklp32.exe72⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2020 -
C:\Windows\SysWOW64\Fcnkhmdp.exeC:\Windows\system32\Fcnkhmdp.exe73⤵
- Drops file in System32 directory
PID:1612 -
C:\Windows\SysWOW64\Fgigil32.exeC:\Windows\system32\Fgigil32.exe74⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:2256 -
C:\Windows\SysWOW64\Fjhcegll.exeC:\Windows\system32\Fjhcegll.exe75⤵
- System Location Discovery: System Language Discovery
PID:760 -
C:\Windows\SysWOW64\Fjhcegll.exeC:\Windows\system32\Fjhcegll.exe76⤵PID:1088
-
C:\Windows\SysWOW64\Fncpef32.exeC:\Windows\system32\Fncpef32.exe77⤵PID:1076
-
C:\Windows\SysWOW64\Flfpabkp.exeC:\Windows\system32\Flfpabkp.exe78⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:900 -
C:\Windows\SysWOW64\Fdmhbplb.exeC:\Windows\system32\Fdmhbplb.exe79⤵PID:1988
-
C:\Windows\SysWOW64\Fcphnm32.exeC:\Windows\system32\Fcphnm32.exe80⤵
- System Location Discovery: System Language Discovery
PID:2412 -
C:\Windows\SysWOW64\Fgldnkkf.exeC:\Windows\system32\Fgldnkkf.exe81⤵PID:2396
-
C:\Windows\SysWOW64\Ffodjh32.exeC:\Windows\system32\Ffodjh32.exe82⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2844 -
C:\Windows\SysWOW64\Flhmfbim.exeC:\Windows\system32\Flhmfbim.exe83⤵PID:2784
-
C:\Windows\SysWOW64\Fqdiga32.exeC:\Windows\system32\Fqdiga32.exe84⤵
- Modifies registry class
PID:668 -
C:\Windows\SysWOW64\Fogibnha.exeC:\Windows\system32\Fogibnha.exe85⤵
- Modifies registry class
PID:1348 -
C:\Windows\SysWOW64\Fcbecl32.exeC:\Windows\system32\Fcbecl32.exe86⤵
- System Location Discovery: System Language Discovery
PID:2672 -
C:\Windows\SysWOW64\Fgnadkic.exeC:\Windows\system32\Fgnadkic.exe87⤵
- Modifies registry class
PID:2736 -
C:\Windows\SysWOW64\Ffaaoh32.exeC:\Windows\system32\Ffaaoh32.exe88⤵PID:1664
-
C:\Windows\SysWOW64\Fhomkcoa.exeC:\Windows\system32\Fhomkcoa.exe89⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:1856 -
C:\Windows\SysWOW64\Fmkilb32.exeC:\Windows\system32\Fmkilb32.exe90⤵PID:1376
-
C:\Windows\SysWOW64\Fqfemqod.exeC:\Windows\system32\Fqfemqod.exe91⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2188 -
C:\Windows\SysWOW64\Goiehm32.exeC:\Windows\system32\Goiehm32.exe92⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2548 -
C:\Windows\SysWOW64\Gceailog.exeC:\Windows\system32\Gceailog.exe93⤵
- Drops file in System32 directory
PID:2720 -
C:\Windows\SysWOW64\Gbhbdi32.exeC:\Windows\system32\Gbhbdi32.exe94⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2896 -
C:\Windows\SysWOW64\Gfcnegnk.exeC:\Windows\system32\Gfcnegnk.exe95⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2820 -
C:\Windows\SysWOW64\Gjojef32.exeC:\Windows\system32\Gjojef32.exe96⤵
- Modifies registry class
PID:3056 -
C:\Windows\SysWOW64\Ghajacmo.exeC:\Windows\system32\Ghajacmo.exe97⤵PID:2704
-
C:\Windows\SysWOW64\Gmmfaa32.exeC:\Windows\system32\Gmmfaa32.exe98⤵PID:2676
-
C:\Windows\SysWOW64\Gkpfmnlb.exeC:\Windows\system32\Gkpfmnlb.exe99⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2440 -
C:\Windows\SysWOW64\Golbnm32.exeC:\Windows\system32\Golbnm32.exe100⤵PID:2268
-
C:\Windows\SysWOW64\Gbjojh32.exeC:\Windows\system32\Gbjojh32.exe101⤵PID:3064
-
C:\Windows\SysWOW64\Gfejjgli.exeC:\Windows\system32\Gfejjgli.exe102⤵PID:1832
-
C:\Windows\SysWOW64\Gdhkfd32.exeC:\Windows\system32\Gdhkfd32.exe103⤵PID:2216
-
C:\Windows\SysWOW64\Ghdgfbkl.exeC:\Windows\system32\Ghdgfbkl.exe104⤵
- Modifies registry class
PID:3040 -
C:\Windows\SysWOW64\Gkbcbn32.exeC:\Windows\system32\Gkbcbn32.exe105⤵PID:2348
-
C:\Windows\SysWOW64\Gonocmbi.exeC:\Windows\system32\Gonocmbi.exe106⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:948 -
C:\Windows\SysWOW64\Gnaooi32.exeC:\Windows\system32\Gnaooi32.exe107⤵PID:2012
-
C:\Windows\SysWOW64\Gblkoham.exeC:\Windows\system32\Gblkoham.exe108⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:2472 -
C:\Windows\SysWOW64\Gdkgkcpq.exeC:\Windows\system32\Gdkgkcpq.exe109⤵PID:2880
-
C:\Windows\SysWOW64\Gifclb32.exeC:\Windows\system32\Gifclb32.exe110⤵PID:2680
-
C:\Windows\SysWOW64\Ggicgopd.exeC:\Windows\system32\Ggicgopd.exe111⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1816 -
C:\Windows\SysWOW64\Goplilpf.exeC:\Windows\system32\Goplilpf.exe112⤵
- Drops file in System32 directory
PID:536 -
C:\Windows\SysWOW64\Goplilpf.exeC:\Windows\system32\Goplilpf.exe113⤵
- System Location Discovery: System Language Discovery
PID:328 -
C:\Windows\SysWOW64\Gbohehoj.exeC:\Windows\system32\Gbohehoj.exe114⤵PID:1172
-
C:\Windows\SysWOW64\Gqahqd32.exeC:\Windows\system32\Gqahqd32.exe115⤵PID:2740
-
C:\Windows\SysWOW64\Gdmdacnn.exeC:\Windows\system32\Gdmdacnn.exe116⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:3068 -
C:\Windows\SysWOW64\Giipab32.exeC:\Windows\system32\Giipab32.exe117⤵PID:2872
-
C:\Windows\SysWOW64\Ggkqmoma.exeC:\Windows\system32\Ggkqmoma.exe118⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1384 -
C:\Windows\SysWOW64\Gjjmijme.exeC:\Windows\system32\Gjjmijme.exe119⤵PID:304
-
C:\Windows\SysWOW64\Gneijien.exeC:\Windows\system32\Gneijien.exe120⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2928 -
C:\Windows\SysWOW64\Gbadjg32.exeC:\Windows\system32\Gbadjg32.exe121⤵PID:1588
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-