Analysis
-
max time kernel
26s -
max time network
17s -
platform
windows7_x64 -
resource
win7-20240729-en -
resource tags
arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system -
submitted
11/11/2024, 10:58
Static task
static1
Behavioral task
behavioral1
Sample
c601004d97de6f00433923da2498e9dee6734e9afd3aa59470282405d8bcf61e.exe
Resource
win7-20240729-en
Behavioral task
behavioral2
Sample
c601004d97de6f00433923da2498e9dee6734e9afd3aa59470282405d8bcf61e.exe
Resource
win10v2004-20241007-en
General
-
Target
c601004d97de6f00433923da2498e9dee6734e9afd3aa59470282405d8bcf61e.exe
-
Size
1.1MB
-
MD5
2304506581ca39b08c98442a1612da97
-
SHA1
892d0471835f9707ce6fc8b1d398fa50d6f16c8a
-
SHA256
c601004d97de6f00433923da2498e9dee6734e9afd3aa59470282405d8bcf61e
-
SHA512
fce81b6f65966c677debf9dff732a6697a6bd64adf335cd9687bff1bb58d8cfb233bd3b8ffadc5ae361bbb71900843da3934cefa29757dc0c9d1c7efd2c7a56c
-
SSDEEP
24576:hGFXPh2kkkkK4kXkkkkkkkkhLX3a20R0v50+YNpsKv2EvZHk:4FnbazR0vKLXZk
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Flclam32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mloiec32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ngealejo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pkmlmbcd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Debadpeg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hfbcidmk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nggggoda.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nbpghl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eemnnn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mjfnomde.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Adnpkjde.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fodebh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Afliclij.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jefbnacn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aoojnc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bqlfaj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cbdiia32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ceebklai.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hcdgmimg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hieiqo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aojabdlf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ckhdggom.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Elcpbigl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Khadpa32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Efljhq32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ggkqmoma.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cnkjnb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Emgioakg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jeclebja.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lkbmbl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jbclgf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ceebklai.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Edcnakpa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hbidne32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ehpcehcj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hgqlafap.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ekkjheja.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ponklpcg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qobdgo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bqmpdioa.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bgaebe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dbaice32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dhckfkbh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bqgmfkhg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gjdldd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qobdgo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ckpckece.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kkmmlgik.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nenkqi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gconbj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Danpemej.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jbpfnh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mdmkoepk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gjdldd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Demaoj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Efljhq32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gdkjdl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Icncgf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bqijljfd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bdfooh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cbdiia32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ppinkcnp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qemldifo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aeoijidl.exe -
Executes dropped EXE 64 IoCs
pid Process 1960 Ehpalp32.exe 2416 Enlidg32.exe 2900 Fdmhbplb.exe 2740 Gdhkfd32.exe 3020 Ggkqmoma.exe 1716 Hnjbeh32.exe 2704 Hcigco32.exe 2036 Injndk32.exe 2932 Idkpganf.exe 848 Jdnmma32.exe 2808 Jehlkhig.exe 1576 Khielcfh.exe 2056 Lfhhjklc.exe 1896 Lhknaf32.exe 2616 Mgedmb32.exe 1864 Mjfnomde.exe 2244 Ngealejo.exe 1708 Nlcibc32.exe 600 Nmfbpk32.exe 760 Nenkqi32.exe 740 Ojmpooah.exe 1468 Opihgfop.exe 1420 Ompefj32.exe 2000 Oiffkkbk.exe 2712 Olebgfao.exe 2236 Pkmlmbcd.exe 2016 Pgcmbcih.exe 2484 Pmmeon32.exe 2840 Pidfdofi.exe 2684 Qcogbdkg.exe 2328 Qiioon32.exe 2908 Qjklenpa.exe 2372 Aohdmdoh.exe 1260 Aebmjo32.exe 2944 Allefimb.exe 1176 Aojabdlf.exe 748 Ajpepm32.exe 2316 Aakjdo32.exe 1736 Aoojnc32.exe 288 Abmgjo32.exe 296 Agjobffl.exe 1236 Adnpkjde.exe 1740 Bgllgedi.exe 1004 Bccmmf32.exe 2348 Bjmeiq32.exe 1440 Bqgmfkhg.exe 1284 Bgaebe32.exe 1952 Bqijljfd.exe 492 Bgcbhd32.exe 2436 Bqlfaj32.exe 2504 Bfioia32.exe 2352 Cbppnbhm.exe 2732 Cenljmgq.exe 2664 Ckhdggom.exe 1992 Cfmhdpnc.exe 2220 Cpfmmf32.exe 2968 Cbdiia32.exe 272 Cnkjnb32.exe 1664 Ceebklai.exe 2152 Calcpm32.exe 2052 Cgfkmgnj.exe 1796 Danpemej.exe 2200 Dcllbhdn.exe 984 Daplkmbg.exe -
Loads dropped DLL 64 IoCs
pid Process 2500 c601004d97de6f00433923da2498e9dee6734e9afd3aa59470282405d8bcf61e.exe 2500 c601004d97de6f00433923da2498e9dee6734e9afd3aa59470282405d8bcf61e.exe 1960 Ehpalp32.exe 1960 Ehpalp32.exe 2416 Enlidg32.exe 2416 Enlidg32.exe 2900 Fdmhbplb.exe 2900 Fdmhbplb.exe 2740 Gdhkfd32.exe 2740 Gdhkfd32.exe 3020 Ggkqmoma.exe 3020 Ggkqmoma.exe 1716 Hnjbeh32.exe 1716 Hnjbeh32.exe 2704 Hcigco32.exe 2704 Hcigco32.exe 2036 Injndk32.exe 2036 Injndk32.exe 2932 Idkpganf.exe 2932 Idkpganf.exe 848 Jdnmma32.exe 848 Jdnmma32.exe 2808 Jehlkhig.exe 2808 Jehlkhig.exe 1576 Khielcfh.exe 1576 Khielcfh.exe 2056 Lfhhjklc.exe 2056 Lfhhjklc.exe 1896 Lhknaf32.exe 1896 Lhknaf32.exe 2616 Mgedmb32.exe 2616 Mgedmb32.exe 1864 Mjfnomde.exe 1864 Mjfnomde.exe 2244 Ngealejo.exe 2244 Ngealejo.exe 1708 Nlcibc32.exe 1708 Nlcibc32.exe 600 Nmfbpk32.exe 600 Nmfbpk32.exe 760 Nenkqi32.exe 760 Nenkqi32.exe 740 Ojmpooah.exe 740 Ojmpooah.exe 1468 Opihgfop.exe 1468 Opihgfop.exe 1420 Ompefj32.exe 1420 Ompefj32.exe 2000 Oiffkkbk.exe 2000 Oiffkkbk.exe 2712 Olebgfao.exe 2712 Olebgfao.exe 2236 Pkmlmbcd.exe 2236 Pkmlmbcd.exe 2016 Pgcmbcih.exe 2016 Pgcmbcih.exe 2484 Pmmeon32.exe 2484 Pmmeon32.exe 2840 Pidfdofi.exe 2840 Pidfdofi.exe 2684 Qcogbdkg.exe 2684 Qcogbdkg.exe 2328 Qiioon32.exe 2328 Qiioon32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Cmfaflol.dll Qcogbdkg.exe File created C:\Windows\SysWOW64\Cpmahlfd.dll Calcpm32.exe File created C:\Windows\SysWOW64\Eekcfk32.dll Elcpbigl.exe File created C:\Windows\SysWOW64\Glchpp32.exe Gjdldd32.exe File created C:\Windows\SysWOW64\Cnkiqi32.dll Hfbcidmk.exe File created C:\Windows\SysWOW64\Hqnapb32.exe Hbidne32.exe File created C:\Windows\SysWOW64\Bdmpfa32.dll Laqojfli.exe File created C:\Windows\SysWOW64\Bdfooh32.exe Bddbjhlp.exe File opened for modification C:\Windows\SysWOW64\Fgjjad32.exe Fdkmeiei.exe File created C:\Windows\SysWOW64\Gkcekfad.exe Gajqbakc.exe File created C:\Windows\SysWOW64\Jipaip32.exe Jllqplnp.exe File created C:\Windows\SysWOW64\Cenljmgq.exe Cbppnbhm.exe File created C:\Windows\SysWOW64\Gimfed32.dll Emgioakg.exe File created C:\Windows\SysWOW64\Ljpfmo32.dll Iladfn32.exe File created C:\Windows\SysWOW64\Eommkfoh.dll Mhfjjdjf.exe File opened for modification C:\Windows\SysWOW64\Ggkqmoma.exe Gdhkfd32.exe File created C:\Windows\SysWOW64\Edlhqlfi.exe Eibgpnjk.exe File created C:\Windows\SysWOW64\Klhgfq32.exe Klfjpa32.exe File created C:\Windows\SysWOW64\Nenkqi32.exe Nmfbpk32.exe File created C:\Windows\SysWOW64\Hdaehcom.dll Aojabdlf.exe File opened for modification C:\Windows\SysWOW64\Bccmmf32.exe Bgllgedi.exe File created C:\Windows\SysWOW64\Olkifaen.exe Ncpdbohb.exe File opened for modification C:\Windows\SysWOW64\Ohdfqbio.exe Oajndh32.exe File created C:\Windows\SysWOW64\Hkhgoifc.dll Cceogcfj.exe File opened for modification C:\Windows\SysWOW64\Hjfnnajl.exe Hclfag32.exe File created C:\Windows\SysWOW64\Gmqbcm32.dll Gdhkfd32.exe File created C:\Windows\SysWOW64\Cgknkqan.dll Lfhhjklc.exe File created C:\Windows\SysWOW64\Komjgdhc.dll Abmgjo32.exe File created C:\Windows\SysWOW64\Lkbmbl32.exe Keeeje32.exe File created C:\Windows\SysWOW64\Acfdii32.dll Oaogognm.exe File opened for modification C:\Windows\SysWOW64\Adfbpega.exe Anljck32.exe File created C:\Windows\SysWOW64\Gajqbakc.exe Goldfelp.exe File created C:\Windows\SysWOW64\Chpmbe32.dll Hclfag32.exe File opened for modification C:\Windows\SysWOW64\Icncgf32.exe Hjfnnajl.exe File created C:\Windows\SysWOW64\Bgllgedi.exe Adnpkjde.exe File opened for modification C:\Windows\SysWOW64\Bjedmo32.exe Bqmpdioa.exe File created C:\Windows\SysWOW64\Kdphjm32.exe Klecfkff.exe File created C:\Windows\SysWOW64\Pbihfb32.dll Ggkqmoma.exe File created C:\Windows\SysWOW64\Ihkhkcdl.dll Bjmeiq32.exe File created C:\Windows\SysWOW64\Aoaqogml.dll Dbdehdfc.exe File created C:\Windows\SysWOW64\Jlnfak32.dll Lkdjglfo.exe File created C:\Windows\SysWOW64\Nklcci32.dll Bdfooh32.exe File created C:\Windows\SysWOW64\Kkmmlgik.exe Kpgionie.exe File created C:\Windows\SysWOW64\Aohdmdoh.exe Qjklenpa.exe File created C:\Windows\SysWOW64\Cpnifncd.dll Jeclebja.exe File created C:\Windows\SysWOW64\Kcdlhj32.exe Kbbobkol.exe File created C:\Windows\SysWOW64\Ppinkcnp.exe Pbemboof.exe File opened for modification C:\Windows\SysWOW64\Cqaiph32.exe Cjhabndo.exe File created C:\Windows\SysWOW64\Icblnd32.dll Ngealejo.exe File created C:\Windows\SysWOW64\Fhgpia32.dll Cpfmmf32.exe File opened for modification C:\Windows\SysWOW64\Ghofam32.exe Fepjea32.exe File opened for modification C:\Windows\SysWOW64\Mdogedmh.exe Mmccqbpm.exe File opened for modification C:\Windows\SysWOW64\Kkmmlgik.exe Kpgionie.exe File created C:\Windows\SysWOW64\Ajaclncd.dll Cenljmgq.exe File opened for modification C:\Windows\SysWOW64\Flclam32.exe Flapkmlj.exe File opened for modification C:\Windows\SysWOW64\Hcdgmimg.exe Hjlbdc32.exe File created C:\Windows\SysWOW64\Jkbaci32.exe Jdhifooi.exe File opened for modification C:\Windows\SysWOW64\Mciabmlo.exe Mqjefamk.exe File created C:\Windows\SysWOW64\Dekdikhc.exe Dnqlmq32.exe File created C:\Windows\SysWOW64\Ddaglffo.dll Demaoj32.exe File created C:\Windows\SysWOW64\Flnlpo32.dll Idkpganf.exe File created C:\Windows\SysWOW64\Nfdgghho.dll Olebgfao.exe File opened for modification C:\Windows\SysWOW64\Jdhifooi.exe Jhahanie.exe File created C:\Windows\SysWOW64\Lclknm32.dll Bqmpdioa.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 3504 3424 WerFault.exe 300 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bqgmfkhg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Einjdb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fgjjad32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jikhnaao.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nmfbpk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nknimnap.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Onnnml32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ppinkcnp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ggapbcne.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fdiqpigl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jcqlkjae.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kgcnahoo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nenkqi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Egmabg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lonibk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bddbjhlp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Deondj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Opialpld.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oajndh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ageompfe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Afliclij.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kpgionie.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lhknaf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dfbnoc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hqnapb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mloiec32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jllqplnp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iladfn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jbpfnh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mbnocipg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ponklpcg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aohdmdoh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gajqbakc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ijcngenj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qiioon32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gaihob32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pblcbn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aeoijidl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jefbnacn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pddjlb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cbjlhpkb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jehlkhig.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Edlhqlfi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lkbmbl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hhkopj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bqlfaj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Inbnhihl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jeclebja.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bjedmo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Injqmdki.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mdmkoepk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qobdgo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hcgmfgfd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kigndekn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bdfooh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cbdiia32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fodebh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Khadpa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ohdfqbio.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Agglbp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Adnpkjde.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Danpemej.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pmhejhao.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cgfkmgnj.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlnfak32.dll" Lkdjglfo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qaacem32.dll" Pmhejhao.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Demaoj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gdhkfd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Allefimb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbjclbek.dll" Ajpepm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Looghene.dll" Jbpfnh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dcdkef32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fdiqpigl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gncnmane.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hdbpekam.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ojmpooah.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ngciog32.dll" Pgcmbcih.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lkbmbl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pdppqbkn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ckpckece.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hffhec32.dll" Gncnmane.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kkmmlgik.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bgcbhd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Edlhqlfi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fmihbe32.dll" Inbnhihl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jeclebja.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jlhkgm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jdhifooi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Liefaj32.dll" Nnnbni32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Adfbpega.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Khielcfh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aojabdlf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bccmmf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffpfeq32.dll" Gconbj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cqfbjhgf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cggioi32.dll" Fgjjad32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aonalffc.dll" Hjfnnajl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ahpbkd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hqhepmkh.dll" Gkcekfad.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kfodfh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lfhhjklc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Khpjqgjc.dll" Aohdmdoh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Emgioakg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kigeamik.dll" Klfjpa32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bjjaikoa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ppiidm32.dll" Bjjaikoa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Efljhq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ehpcehcj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nlcibc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jnqjhh32.dll" Edlhqlfi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nknimnap.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kfkigdmm.dll" Pbemboof.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ieponofk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pbemboof.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qopmpa32.dll" Apppkekc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Eikfdl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Icncgf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ajpepm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aoaqogml.dll" Dbdehdfc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlnjjadh.dll" Jlhkgm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lngpog32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohpboqdk.dll" Mqjefamk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Acfenf32.dll" Mbnocipg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nqhepeai.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bqmpdioa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjmeignj.dll" Adnpkjde.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Flocfmnl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Iiqldc32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2500 wrote to memory of 1960 2500 c601004d97de6f00433923da2498e9dee6734e9afd3aa59470282405d8bcf61e.exe 30 PID 2500 wrote to memory of 1960 2500 c601004d97de6f00433923da2498e9dee6734e9afd3aa59470282405d8bcf61e.exe 30 PID 2500 wrote to memory of 1960 2500 c601004d97de6f00433923da2498e9dee6734e9afd3aa59470282405d8bcf61e.exe 30 PID 2500 wrote to memory of 1960 2500 c601004d97de6f00433923da2498e9dee6734e9afd3aa59470282405d8bcf61e.exe 30 PID 1960 wrote to memory of 2416 1960 Ehpalp32.exe 31 PID 1960 wrote to memory of 2416 1960 Ehpalp32.exe 31 PID 1960 wrote to memory of 2416 1960 Ehpalp32.exe 31 PID 1960 wrote to memory of 2416 1960 Ehpalp32.exe 31 PID 2416 wrote to memory of 2900 2416 Enlidg32.exe 32 PID 2416 wrote to memory of 2900 2416 Enlidg32.exe 32 PID 2416 wrote to memory of 2900 2416 Enlidg32.exe 32 PID 2416 wrote to memory of 2900 2416 Enlidg32.exe 32 PID 2900 wrote to memory of 2740 2900 Fdmhbplb.exe 33 PID 2900 wrote to memory of 2740 2900 Fdmhbplb.exe 33 PID 2900 wrote to memory of 2740 2900 Fdmhbplb.exe 33 PID 2900 wrote to memory of 2740 2900 Fdmhbplb.exe 33 PID 2740 wrote to memory of 3020 2740 Gdhkfd32.exe 34 PID 2740 wrote to memory of 3020 2740 Gdhkfd32.exe 34 PID 2740 wrote to memory of 3020 2740 Gdhkfd32.exe 34 PID 2740 wrote to memory of 3020 2740 Gdhkfd32.exe 34 PID 3020 wrote to memory of 1716 3020 Ggkqmoma.exe 35 PID 3020 wrote to memory of 1716 3020 Ggkqmoma.exe 35 PID 3020 wrote to memory of 1716 3020 Ggkqmoma.exe 35 PID 3020 wrote to memory of 1716 3020 Ggkqmoma.exe 35 PID 1716 wrote to memory of 2704 1716 Hnjbeh32.exe 36 PID 1716 wrote to memory of 2704 1716 Hnjbeh32.exe 36 PID 1716 wrote to memory of 2704 1716 Hnjbeh32.exe 36 PID 1716 wrote to memory of 2704 1716 Hnjbeh32.exe 36 PID 2704 wrote to memory of 2036 2704 Hcigco32.exe 37 PID 2704 wrote to memory of 2036 2704 Hcigco32.exe 37 PID 2704 wrote to memory of 2036 2704 Hcigco32.exe 37 PID 2704 wrote to memory of 2036 2704 Hcigco32.exe 37 PID 2036 wrote to memory of 2932 2036 Injndk32.exe 38 PID 2036 wrote to memory of 2932 2036 Injndk32.exe 38 PID 2036 wrote to memory of 2932 2036 Injndk32.exe 38 PID 2036 wrote to memory of 2932 2036 Injndk32.exe 38 PID 2932 wrote to memory of 848 2932 Idkpganf.exe 39 PID 2932 wrote to memory of 848 2932 Idkpganf.exe 39 PID 2932 wrote to memory of 848 2932 Idkpganf.exe 39 PID 2932 wrote to memory of 848 2932 Idkpganf.exe 39 PID 848 wrote to memory of 2808 848 Jdnmma32.exe 40 PID 848 wrote to memory of 2808 848 Jdnmma32.exe 40 PID 848 wrote to memory of 2808 848 Jdnmma32.exe 40 PID 848 wrote to memory of 2808 848 Jdnmma32.exe 40 PID 2808 wrote to memory of 1576 2808 Jehlkhig.exe 41 PID 2808 wrote to memory of 1576 2808 Jehlkhig.exe 41 PID 2808 wrote to memory of 1576 2808 Jehlkhig.exe 41 PID 2808 wrote to memory of 1576 2808 Jehlkhig.exe 41 PID 1576 wrote to memory of 2056 1576 Khielcfh.exe 42 PID 1576 wrote to memory of 2056 1576 Khielcfh.exe 42 PID 1576 wrote to memory of 2056 1576 Khielcfh.exe 42 PID 1576 wrote to memory of 2056 1576 Khielcfh.exe 42 PID 2056 wrote to memory of 1896 2056 Lfhhjklc.exe 43 PID 2056 wrote to memory of 1896 2056 Lfhhjklc.exe 43 PID 2056 wrote to memory of 1896 2056 Lfhhjklc.exe 43 PID 2056 wrote to memory of 1896 2056 Lfhhjklc.exe 43 PID 1896 wrote to memory of 2616 1896 Lhknaf32.exe 44 PID 1896 wrote to memory of 2616 1896 Lhknaf32.exe 44 PID 1896 wrote to memory of 2616 1896 Lhknaf32.exe 44 PID 1896 wrote to memory of 2616 1896 Lhknaf32.exe 44 PID 2616 wrote to memory of 1864 2616 Mgedmb32.exe 45 PID 2616 wrote to memory of 1864 2616 Mgedmb32.exe 45 PID 2616 wrote to memory of 1864 2616 Mgedmb32.exe 45 PID 2616 wrote to memory of 1864 2616 Mgedmb32.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\c601004d97de6f00433923da2498e9dee6734e9afd3aa59470282405d8bcf61e.exe"C:\Users\Admin\AppData\Local\Temp\c601004d97de6f00433923da2498e9dee6734e9afd3aa59470282405d8bcf61e.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2500 -
C:\Windows\SysWOW64\Ehpalp32.exeC:\Windows\system32\Ehpalp32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1960 -
C:\Windows\SysWOW64\Enlidg32.exeC:\Windows\system32\Enlidg32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2416 -
C:\Windows\SysWOW64\Fdmhbplb.exeC:\Windows\system32\Fdmhbplb.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2900 -
C:\Windows\SysWOW64\Gdhkfd32.exeC:\Windows\system32\Gdhkfd32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2740 -
C:\Windows\SysWOW64\Ggkqmoma.exeC:\Windows\system32\Ggkqmoma.exe6⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3020 -
C:\Windows\SysWOW64\Hnjbeh32.exeC:\Windows\system32\Hnjbeh32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1716 -
C:\Windows\SysWOW64\Hcigco32.exeC:\Windows\system32\Hcigco32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2704 -
C:\Windows\SysWOW64\Injndk32.exeC:\Windows\system32\Injndk32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2036 -
C:\Windows\SysWOW64\Idkpganf.exeC:\Windows\system32\Idkpganf.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2932 -
C:\Windows\SysWOW64\Jdnmma32.exeC:\Windows\system32\Jdnmma32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:848 -
C:\Windows\SysWOW64\Jehlkhig.exeC:\Windows\system32\Jehlkhig.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2808 -
C:\Windows\SysWOW64\Khielcfh.exeC:\Windows\system32\Khielcfh.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1576 -
C:\Windows\SysWOW64\Lfhhjklc.exeC:\Windows\system32\Lfhhjklc.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2056 -
C:\Windows\SysWOW64\Lhknaf32.exeC:\Windows\system32\Lhknaf32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1896 -
C:\Windows\SysWOW64\Mgedmb32.exeC:\Windows\system32\Mgedmb32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2616 -
C:\Windows\SysWOW64\Mjfnomde.exeC:\Windows\system32\Mjfnomde.exe17⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1864 -
C:\Windows\SysWOW64\Ngealejo.exeC:\Windows\system32\Ngealejo.exe18⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2244 -
C:\Windows\SysWOW64\Nlcibc32.exeC:\Windows\system32\Nlcibc32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1708 -
C:\Windows\SysWOW64\Nmfbpk32.exeC:\Windows\system32\Nmfbpk32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:600 -
C:\Windows\SysWOW64\Nenkqi32.exeC:\Windows\system32\Nenkqi32.exe21⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:760 -
C:\Windows\SysWOW64\Ojmpooah.exeC:\Windows\system32\Ojmpooah.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:740 -
C:\Windows\SysWOW64\Opihgfop.exeC:\Windows\system32\Opihgfop.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1468 -
C:\Windows\SysWOW64\Ompefj32.exeC:\Windows\system32\Ompefj32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1420 -
C:\Windows\SysWOW64\Oiffkkbk.exeC:\Windows\system32\Oiffkkbk.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2000 -
C:\Windows\SysWOW64\Olebgfao.exeC:\Windows\system32\Olebgfao.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2712 -
C:\Windows\SysWOW64\Pkmlmbcd.exeC:\Windows\system32\Pkmlmbcd.exe27⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2236 -
C:\Windows\SysWOW64\Pgcmbcih.exeC:\Windows\system32\Pgcmbcih.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2016 -
C:\Windows\SysWOW64\Pmmeon32.exeC:\Windows\system32\Pmmeon32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2484 -
C:\Windows\SysWOW64\Pidfdofi.exeC:\Windows\system32\Pidfdofi.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2840 -
C:\Windows\SysWOW64\Qcogbdkg.exeC:\Windows\system32\Qcogbdkg.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2684 -
C:\Windows\SysWOW64\Qiioon32.exeC:\Windows\system32\Qiioon32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2328 -
C:\Windows\SysWOW64\Qjklenpa.exeC:\Windows\system32\Qjklenpa.exe33⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2908 -
C:\Windows\SysWOW64\Aohdmdoh.exeC:\Windows\system32\Aohdmdoh.exe34⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2372 -
C:\Windows\SysWOW64\Aebmjo32.exeC:\Windows\system32\Aebmjo32.exe35⤵
- Executes dropped EXE
PID:1260 -
C:\Windows\SysWOW64\Allefimb.exeC:\Windows\system32\Allefimb.exe36⤵
- Executes dropped EXE
- Modifies registry class
PID:2944 -
C:\Windows\SysWOW64\Aojabdlf.exeC:\Windows\system32\Aojabdlf.exe37⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1176 -
C:\Windows\SysWOW64\Ajpepm32.exeC:\Windows\system32\Ajpepm32.exe38⤵
- Executes dropped EXE
- Modifies registry class
PID:748 -
C:\Windows\SysWOW64\Aakjdo32.exeC:\Windows\system32\Aakjdo32.exe39⤵
- Executes dropped EXE
PID:2316 -
C:\Windows\SysWOW64\Aoojnc32.exeC:\Windows\system32\Aoojnc32.exe40⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1736 -
C:\Windows\SysWOW64\Abmgjo32.exeC:\Windows\system32\Abmgjo32.exe41⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:288 -
C:\Windows\SysWOW64\Agjobffl.exeC:\Windows\system32\Agjobffl.exe42⤵
- Executes dropped EXE
PID:296 -
C:\Windows\SysWOW64\Adnpkjde.exeC:\Windows\system32\Adnpkjde.exe43⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1236 -
C:\Windows\SysWOW64\Bgllgedi.exeC:\Windows\system32\Bgllgedi.exe44⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1740 -
C:\Windows\SysWOW64\Bccmmf32.exeC:\Windows\system32\Bccmmf32.exe45⤵
- Executes dropped EXE
- Modifies registry class
PID:1004 -
C:\Windows\SysWOW64\Bjmeiq32.exeC:\Windows\system32\Bjmeiq32.exe46⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2348 -
C:\Windows\SysWOW64\Bqgmfkhg.exeC:\Windows\system32\Bqgmfkhg.exe47⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1440 -
C:\Windows\SysWOW64\Bgaebe32.exeC:\Windows\system32\Bgaebe32.exe48⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1284 -
C:\Windows\SysWOW64\Bqijljfd.exeC:\Windows\system32\Bqijljfd.exe49⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1952 -
C:\Windows\SysWOW64\Bgcbhd32.exeC:\Windows\system32\Bgcbhd32.exe50⤵
- Executes dropped EXE
- Modifies registry class
PID:492 -
C:\Windows\SysWOW64\Bqlfaj32.exeC:\Windows\system32\Bqlfaj32.exe51⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2436 -
C:\Windows\SysWOW64\Bfioia32.exeC:\Windows\system32\Bfioia32.exe52⤵
- Executes dropped EXE
PID:2504 -
C:\Windows\SysWOW64\Cbppnbhm.exeC:\Windows\system32\Cbppnbhm.exe53⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2352 -
C:\Windows\SysWOW64\Cenljmgq.exeC:\Windows\system32\Cenljmgq.exe54⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2732 -
C:\Windows\SysWOW64\Ckhdggom.exeC:\Windows\system32\Ckhdggom.exe55⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2664 -
C:\Windows\SysWOW64\Cfmhdpnc.exeC:\Windows\system32\Cfmhdpnc.exe56⤵
- Executes dropped EXE
PID:1992 -
C:\Windows\SysWOW64\Cpfmmf32.exeC:\Windows\system32\Cpfmmf32.exe57⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2220 -
C:\Windows\SysWOW64\Cbdiia32.exeC:\Windows\system32\Cbdiia32.exe58⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2968 -
C:\Windows\SysWOW64\Cnkjnb32.exeC:\Windows\system32\Cnkjnb32.exe59⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:272 -
C:\Windows\SysWOW64\Ceebklai.exeC:\Windows\system32\Ceebklai.exe60⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1664 -
C:\Windows\SysWOW64\Calcpm32.exeC:\Windows\system32\Calcpm32.exe61⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2152 -
C:\Windows\SysWOW64\Cgfkmgnj.exeC:\Windows\system32\Cgfkmgnj.exe62⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2052 -
C:\Windows\SysWOW64\Danpemej.exeC:\Windows\system32\Danpemej.exe63⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1796 -
C:\Windows\SysWOW64\Dcllbhdn.exeC:\Windows\system32\Dcllbhdn.exe64⤵
- Executes dropped EXE
PID:2200 -
C:\Windows\SysWOW64\Daplkmbg.exeC:\Windows\system32\Daplkmbg.exe65⤵
- Executes dropped EXE
PID:984 -
C:\Windows\SysWOW64\Dbaice32.exeC:\Windows\system32\Dbaice32.exe66⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2064 -
C:\Windows\SysWOW64\Dbdehdfc.exeC:\Windows\system32\Dbdehdfc.exe67⤵
- Drops file in System32 directory
- Modifies registry class
PID:1524 -
C:\Windows\SysWOW64\Debadpeg.exeC:\Windows\system32\Debadpeg.exe68⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2612 -
C:\Windows\SysWOW64\Dfbnoc32.exeC:\Windows\system32\Dfbnoc32.exe69⤵
- System Location Discovery: System Language Discovery
PID:2520 -
C:\Windows\SysWOW64\Dhckfkbh.exeC:\Windows\system32\Dhckfkbh.exe70⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2092 -
C:\Windows\SysWOW64\Dpjbgh32.exeC:\Windows\system32\Dpjbgh32.exe71⤵PID:2596
-
C:\Windows\SysWOW64\Eibgpnjk.exeC:\Windows\system32\Eibgpnjk.exe72⤵
- Drops file in System32 directory
PID:2212 -
C:\Windows\SysWOW64\Edlhqlfi.exeC:\Windows\system32\Edlhqlfi.exe73⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2860 -
C:\Windows\SysWOW64\Elcpbigl.exeC:\Windows\system32\Elcpbigl.exe74⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2764 -
C:\Windows\SysWOW64\Egmabg32.exeC:\Windows\system32\Egmabg32.exe75⤵
- System Location Discovery: System Language Discovery
PID:2116 -
C:\Windows\SysWOW64\Emgioakg.exeC:\Windows\system32\Emgioakg.exe76⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:2800 -
C:\Windows\SysWOW64\Ekkjheja.exeC:\Windows\system32\Ekkjheja.exe77⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1432 -
C:\Windows\SysWOW64\Einjdb32.exeC:\Windows\system32\Einjdb32.exe78⤵
- System Location Discovery: System Language Discovery
PID:1972 -
C:\Windows\SysWOW64\Edcnakpa.exeC:\Windows\system32\Edcnakpa.exe79⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:536 -
C:\Windows\SysWOW64\Flocfmnl.exeC:\Windows\system32\Flocfmnl.exe80⤵
- Modifies registry class
PID:1396 -
C:\Windows\SysWOW64\Fibcoalf.exeC:\Windows\system32\Fibcoalf.exe81⤵PID:2156
-
C:\Windows\SysWOW64\Flapkmlj.exeC:\Windows\system32\Flapkmlj.exe82⤵
- Drops file in System32 directory
PID:2312 -
C:\Windows\SysWOW64\Flclam32.exeC:\Windows\system32\Flclam32.exe83⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1744 -
C:\Windows\SysWOW64\Fcmdnfad.exeC:\Windows\system32\Fcmdnfad.exe84⤵PID:1808
-
C:\Windows\SysWOW64\Fkhibino.exeC:\Windows\system32\Fkhibino.exe85⤵PID:3040
-
C:\Windows\SysWOW64\Fodebh32.exeC:\Windows\system32\Fodebh32.exe86⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:920 -
C:\Windows\SysWOW64\Flhflleb.exeC:\Windows\system32\Flhflleb.exe87⤵PID:1160
-
C:\Windows\SysWOW64\Fofbhgde.exeC:\Windows\system32\Fofbhgde.exe88⤵PID:1932
-
C:\Windows\SysWOW64\Fepjea32.exeC:\Windows\system32\Fepjea32.exe89⤵
- Drops file in System32 directory
PID:2068 -
C:\Windows\SysWOW64\Ghofam32.exeC:\Windows\system32\Ghofam32.exe90⤵PID:2176
-
C:\Windows\SysWOW64\Ggdcbi32.exeC:\Windows\system32\Ggdcbi32.exe91⤵PID:2888
-
C:\Windows\SysWOW64\Gaihob32.exeC:\Windows\system32\Gaihob32.exe92⤵
- System Location Discovery: System Language Discovery
PID:2164 -
C:\Windows\SysWOW64\Gdhdkn32.exeC:\Windows\system32\Gdhdkn32.exe93⤵PID:2384
-
C:\Windows\SysWOW64\Gjdldd32.exeC:\Windows\system32\Gjdldd32.exe94⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2720 -
C:\Windows\SysWOW64\Glchpp32.exeC:\Windows\system32\Glchpp32.exe95⤵PID:856
-
C:\Windows\SysWOW64\Gconbj32.exeC:\Windows\system32\Gconbj32.exe96⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2168 -
C:\Windows\SysWOW64\Hofngkga.exeC:\Windows\system32\Hofngkga.exe97⤵PID:1640
-
C:\Windows\SysWOW64\Hjlbdc32.exeC:\Windows\system32\Hjlbdc32.exe98⤵
- Drops file in System32 directory
PID:448 -
C:\Windows\SysWOW64\Hcdgmimg.exeC:\Windows\system32\Hcdgmimg.exe99⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:892 -
C:\Windows\SysWOW64\Hfbcidmk.exeC:\Windows\system32\Hfbcidmk.exe100⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2476 -
C:\Windows\SysWOW64\Hdecea32.exeC:\Windows\system32\Hdecea32.exe101⤵PID:544
-
C:\Windows\SysWOW64\Hbidne32.exeC:\Windows\system32\Hbidne32.exe102⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:1080 -
C:\Windows\SysWOW64\Hqnapb32.exeC:\Windows\system32\Hqnapb32.exe103⤵
- System Location Discovery: System Language Discovery
PID:2172 -
C:\Windows\SysWOW64\Hieiqo32.exeC:\Windows\system32\Hieiqo32.exe104⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2876 -
C:\Windows\SysWOW64\Hbnmienj.exeC:\Windows\system32\Hbnmienj.exe105⤵PID:2832
-
C:\Windows\SysWOW64\Hgkfal32.exeC:\Windows\system32\Hgkfal32.exe106⤵PID:1092
-
C:\Windows\SysWOW64\Ijibng32.exeC:\Windows\system32\Ijibng32.exe107⤵PID:660
-
C:\Windows\SysWOW64\Igmbgk32.exeC:\Windows\system32\Igmbgk32.exe108⤵PID:1340
-
C:\Windows\SysWOW64\Igoomk32.exeC:\Windows\system32\Igoomk32.exe109⤵PID:1060
-
C:\Windows\SysWOW64\Iiqldc32.exeC:\Windows\system32\Iiqldc32.exe110⤵
- Modifies registry class
PID:1644 -
C:\Windows\SysWOW64\Ijphofem.exeC:\Windows\system32\Ijphofem.exe111⤵PID:1748
-
C:\Windows\SysWOW64\Iladfn32.exeC:\Windows\system32\Iladfn32.exe112⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1800 -
C:\Windows\SysWOW64\Imaapa32.exeC:\Windows\system32\Imaapa32.exe113⤵PID:2400
-
C:\Windows\SysWOW64\Inbnhihl.exeC:\Windows\system32\Inbnhihl.exe114⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2536 -
C:\Windows\SysWOW64\Jlfnangf.exeC:\Windows\system32\Jlfnangf.exe115⤵PID:2320
-
C:\Windows\SysWOW64\Jndjmifj.exeC:\Windows\system32\Jndjmifj.exe116⤵PID:2716
-
C:\Windows\SysWOW64\Jbpfnh32.exeC:\Windows\system32\Jbpfnh32.exe117⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2784 -
C:\Windows\SysWOW64\Jlhkgm32.exeC:\Windows\system32\Jlhkgm32.exe118⤵
- Modifies registry class
PID:2656 -
C:\Windows\SysWOW64\Jeclebja.exeC:\Windows\system32\Jeclebja.exe119⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2928 -
C:\Windows\SysWOW64\Jhahanie.exeC:\Windows\system32\Jhahanie.exe120⤵
- Drops file in System32 directory
PID:1656 -
C:\Windows\SysWOW64\Jdhifooi.exeC:\Windows\system32\Jdhifooi.exe121⤵
- Drops file in System32 directory
- Modifies registry class
PID:1936 -
C:\Windows\SysWOW64\Jkbaci32.exeC:\Windows\system32\Jkbaci32.exe122⤵PID:1380
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-