Analysis
-
max time kernel
49s -
max time network
19s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system -
submitted
21-11-2024 23:27
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
4b8cf44bc7c3b0951c05dbda0b1a28812173852c93d6a13a3a5e43d55821ffcb.exe
Resource
win7-20241010-en
windows7-x64
8 signatures
150 seconds
Behavioral task
behavioral2
Sample
4b8cf44bc7c3b0951c05dbda0b1a28812173852c93d6a13a3a5e43d55821ffcb.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
7 signatures
150 seconds
General
-
Target
4b8cf44bc7c3b0951c05dbda0b1a28812173852c93d6a13a3a5e43d55821ffcb.exe
-
Size
1.1MB
-
MD5
ab7b84651253da68b947a1d14e6e8e9b
-
SHA1
82dec9bed6b32a06818866a62173749564e71aeb
-
SHA256
4b8cf44bc7c3b0951c05dbda0b1a28812173852c93d6a13a3a5e43d55821ffcb
-
SHA512
98f961ea54d310b9617711372edf6c39b1728c246474fd052bb3246d9f3809a867979bf8e3601273f34566c8a081aa3e88f7f8f3c389671bd614111e87ec2ded
-
SSDEEP
12288:GksrU5f8rQg5Z/+zrWAIAqWim/+zrWAI5KFukEyDucEQX:GnrU5ErQg5ZmvFimm0HkEyDucEQX
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ckjnfobi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Iomaaa32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Llojpghe.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ceeibbgn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dbfaopqo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Clheeh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Eickdlcd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Elnagijk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eickdlcd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ihgcof32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kfnmnojj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ppbfmdfo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Aihjpman.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Colegflh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Colegflh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jadlgjjq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gaiijgbi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hjnaehgj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jbbpmo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jijbnppi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Knldaf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Llbnpm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Peoanckj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ipbgci32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Adekhkng.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eibikc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Chfffk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Aeachphg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iopeagip.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ifndph32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qhbdmeoe.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aaeeoihj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nagobp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fholmo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hkdkhl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dddodd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jdnpck32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jadlgjjq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hincna32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jcjffc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nldgdpjf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kdeehe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pafpjljk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Njbanida.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dcdjgbed.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dcofqphi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Qfdpgd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad 4b8cf44bc7c3b0951c05dbda0b1a28812173852c93d6a13a3a5e43d55821ffcb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kdeehe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mdajff32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Clehoiam.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hinlck32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fkfcdpfg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fgbmdphe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pmgpjgph.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lbncbgoh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lebemmbk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ebkndibq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Eponmmaj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cbcdjpba.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Llojpghe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Meafpibb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hlgmkn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fqdong32.exe -
Executes dropped EXE 64 IoCs
pid Process 2296 Jadlgjjq.exe 2980 Kdeehe32.exe 2828 Ldikbhfh.exe 2756 Mfhcknpf.exe 2588 Nqkgbkdj.exe 1660 Phelnhnb.exe 832 Qkcdigpa.exe 2800 Adekhkng.exe 540 Bcmeogam.exe 1200 Cdjabn32.exe 1840 Cohlnkeg.exe 1728 Eibikc32.exe 2404 Ebkndibq.exe 2576 Eponmmaj.exe 1848 Eodknifb.exe 1052 Flhkhnel.exe 1820 Fholmo32.exe 1624 Fdemap32.exe 1756 Fhcehngk.exe 1964 Fmpnpe32.exe 2280 Fkdoii32.exe 1352 Gdmcbojl.exe 1184 Glhhgahg.exe 2856 Ggmldj32.exe 780 Gcdmikma.exe 2992 Gaiijgbi.exe 2924 Galfpgpg.exe 2784 Hkdkhl32.exe 2788 Hhhkbqea.exe 2304 Happkf32.exe 2416 Hjnaehgj.exe 1688 Hjpnjheg.exe 3020 Ijbjpg32.exe 2300 Iihgadhl.exe 3028 Imepgbnc.exe 1272 Ifndph32.exe 1768 Ibeeeijg.exe 2488 Ijpjik32.exe 1716 Jnncoini.exe 1644 Jjdcdjcm.exe 2524 Jjgpjjak.exe 2460 Jfnaok32.exe 1304 Kononm32.exe 2288 Kiccle32.exe 1680 Kejdqffo.exe 2988 Kfnmnojj.exe 2880 Laenqg32.exe 2772 Ldfgbb32.exe 2780 Lielphqc.exe 1484 Lcnqin32.exe 1832 Mdajff32.exe 2036 Meafpibb.exe 1096 Mknohpqj.exe 2672 Mhaobd32.exe 2052 Mckpba32.exe 2620 Ncnmhajo.exe 1944 Ngkfnp32.exe 2688 Nogjbbma.exe 2060 Nkmkgc32.exe 1016 Nkphmc32.exe 2080 Nkbdbbop.exe 2944 Okdahbmm.exe 2748 Ojjnioae.exe 2380 Onggom32.exe -
Loads dropped DLL 64 IoCs
pid Process 3008 4b8cf44bc7c3b0951c05dbda0b1a28812173852c93d6a13a3a5e43d55821ffcb.exe 3008 4b8cf44bc7c3b0951c05dbda0b1a28812173852c93d6a13a3a5e43d55821ffcb.exe 2296 Jadlgjjq.exe 2296 Jadlgjjq.exe 2980 Kdeehe32.exe 2980 Kdeehe32.exe 2828 Ldikbhfh.exe 2828 Ldikbhfh.exe 2756 Mfhcknpf.exe 2756 Mfhcknpf.exe 2588 Nqkgbkdj.exe 2588 Nqkgbkdj.exe 1660 Phelnhnb.exe 1660 Phelnhnb.exe 832 Qkcdigpa.exe 832 Qkcdigpa.exe 2800 Adekhkng.exe 2800 Adekhkng.exe 540 Bcmeogam.exe 540 Bcmeogam.exe 1200 Cdjabn32.exe 1200 Cdjabn32.exe 1840 Cohlnkeg.exe 1840 Cohlnkeg.exe 1728 Eibikc32.exe 1728 Eibikc32.exe 2404 Ebkndibq.exe 2404 Ebkndibq.exe 2576 Eponmmaj.exe 2576 Eponmmaj.exe 1848 Eodknifb.exe 1848 Eodknifb.exe 1052 Flhkhnel.exe 1052 Flhkhnel.exe 1820 Fholmo32.exe 1820 Fholmo32.exe 1624 Fdemap32.exe 1624 Fdemap32.exe 1756 Fhcehngk.exe 1756 Fhcehngk.exe 1964 Fmpnpe32.exe 1964 Fmpnpe32.exe 2280 Fkdoii32.exe 2280 Fkdoii32.exe 1352 Gdmcbojl.exe 1352 Gdmcbojl.exe 1184 Glhhgahg.exe 1184 Glhhgahg.exe 2856 Ggmldj32.exe 2856 Ggmldj32.exe 780 Gcdmikma.exe 780 Gcdmikma.exe 2992 Gaiijgbi.exe 2992 Gaiijgbi.exe 2924 Galfpgpg.exe 2924 Galfpgpg.exe 2784 Hkdkhl32.exe 2784 Hkdkhl32.exe 2788 Hhhkbqea.exe 2788 Hhhkbqea.exe 2304 Happkf32.exe 2304 Happkf32.exe 2416 Hjnaehgj.exe 2416 Hjnaehgj.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Flkjffkm.exe Fenedlec.exe File opened for modification C:\Windows\SysWOW64\Bcmeogam.exe Adekhkng.exe File created C:\Windows\SysWOW64\Hcllmi32.exe Gcjogidl.exe File created C:\Windows\SysWOW64\Eodknifb.exe Eponmmaj.exe File created C:\Windows\SysWOW64\Ibeeeijg.exe Ifndph32.exe File created C:\Windows\SysWOW64\Pncemobj.dll Mfhcknpf.exe File created C:\Windows\SysWOW64\Mejjeh32.dll Ejqmahdn.exe File created C:\Windows\SysWOW64\Clehoiam.exe Ckboba32.exe File opened for modification C:\Windows\SysWOW64\Pfekbg32.exe Ooiepnen.exe File created C:\Windows\SysWOW64\Fqdong32.exe Fjhjlm32.exe File created C:\Windows\SysWOW64\Kcojfnhc.dll Gfqmkk32.exe File created C:\Windows\SysWOW64\Qipmdhcj.exe Pmgpjgph.exe File created C:\Windows\SysWOW64\Ighihc32.dll Dcgiejje.exe File created C:\Windows\SysWOW64\Bfcqoqeh.exe Bnhljnhm.exe File created C:\Windows\SysWOW64\Ohhmhk32.dll Hafbid32.exe File created C:\Windows\SysWOW64\Ncnmhajo.exe Mckpba32.exe File opened for modification C:\Windows\SysWOW64\Hpplfm32.exe Hcllmi32.exe File created C:\Windows\SysWOW64\Bppljg32.dll Hbokkagk.exe File created C:\Windows\SysWOW64\Kbdmboqk.exe Jbbpmo32.exe File created C:\Windows\SysWOW64\Ehpeibla.dll Mibgho32.exe File created C:\Windows\SysWOW64\Alfmndaq.dll Ijbjpg32.exe File created C:\Windows\SysWOW64\Kejdqffo.exe Kiccle32.exe File opened for modification C:\Windows\SysWOW64\Kbdmboqk.exe Jbbpmo32.exe File created C:\Windows\SysWOW64\Aeachphg.exe Agkfil32.exe File opened for modification C:\Windows\SysWOW64\Hblgkkfa.exe Gefjlg32.exe File created C:\Windows\SysWOW64\Aomgmgle.dll Bplofekp.exe File created C:\Windows\SysWOW64\Joefkl32.dll Peoanckj.exe File created C:\Windows\SysWOW64\Dipfpa32.dll Nagobp32.exe File created C:\Windows\SysWOW64\Laenqg32.exe Kfnmnojj.exe File opened for modification C:\Windows\SysWOW64\Ppbfmdfo.exe Pppihdha.exe File opened for modification C:\Windows\SysWOW64\Geehcoaf.exe Gpfbfh32.exe File opened for modification C:\Windows\SysWOW64\Ibeeeijg.exe Ifndph32.exe File opened for modification C:\Windows\SysWOW64\Cnekcblk.exe Cbokoa32.exe File created C:\Windows\SysWOW64\Dkihaqji.dll Hincna32.exe File opened for modification C:\Windows\SysWOW64\Llbnpm32.exe Ldgikklb.exe File created C:\Windows\SysWOW64\Palkjk32.dll Bdpgai32.exe File created C:\Windows\SysWOW64\Dkakad32.exe Dcdjgbed.exe File created C:\Windows\SysWOW64\Mckpba32.exe Mhaobd32.exe File opened for modification C:\Windows\SysWOW64\Kchfpf32.exe Kbdmboqk.exe File created C:\Windows\SysWOW64\Fholmo32.exe Flhkhnel.exe File created C:\Windows\SysWOW64\Kkggja32.dll Iggdmkmn.exe File created C:\Windows\SysWOW64\Ojjnioae.exe Okdahbmm.exe File created C:\Windows\SysWOW64\Ijcmipjh.exe Hincna32.exe File created C:\Windows\SysWOW64\Condfo32.exe Bgablmfa.exe File created C:\Windows\SysWOW64\Fidmniqa.exe Flnpoe32.exe File created C:\Windows\SysWOW64\Pnphlc32.exe Pokkkgpo.exe File opened for modification C:\Windows\SysWOW64\Jfnaok32.exe Jjgpjjak.exe File created C:\Windows\SysWOW64\Hopibdfd.exe Gonlld32.exe File opened for modification C:\Windows\SysWOW64\Cdjabn32.exe Bcmeogam.exe File created C:\Windows\SysWOW64\Peoanckj.exe Pbohmh32.exe File opened for modification C:\Windows\SysWOW64\Hjnaehgj.exe Happkf32.exe File opened for modification C:\Windows\SysWOW64\Ncnmhajo.exe Mckpba32.exe File created C:\Windows\SysWOW64\Ngcoin32.dll Cbcdjpba.exe File created C:\Windows\SysWOW64\Acldpojj.exe Qfegakmc.exe File opened for modification C:\Windows\SysWOW64\Dopdgb32.exe Dkakad32.exe File opened for modification C:\Windows\SysWOW64\Ehkgnpbe.exe Dgkkdnkb.exe File created C:\Windows\SysWOW64\Cdjabn32.exe Bcmeogam.exe File opened for modification C:\Windows\SysWOW64\Cohlnkeg.exe Cdjabn32.exe File created C:\Windows\SysWOW64\Fdkfbo32.dll Bgablmfa.exe File created C:\Windows\SysWOW64\Ekqqea32.exe Ebfpglkn.exe File created C:\Windows\SysWOW64\Gnfoao32.exe Gapbbk32.exe File created C:\Windows\SysWOW64\Nfdmqoad.dll Fhcehngk.exe File created C:\Windows\SysWOW64\Jjdcdjcm.exe Jnncoini.exe File created C:\Windows\SysWOW64\Ecklgdag.exe Eickdlcd.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 3156 3080 WerFault.exe 313 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eibikc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kejdqffo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fdbibjok.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dcofqphi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cbpbek32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Heoadcmh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jcmjfiab.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mmepboin.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cbdpag32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Elmmhc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mfhcknpf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hjpnjheg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ibeeeijg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oqiidg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Galfpgpg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hkdkhl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ojjnioae.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hinlck32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bcmeogam.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hahoodqi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bebjdjal.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ejqmahdn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oohoeg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Okdahbmm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hcllmi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hincna32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ljjkgfig.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gepgni32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iggdmkmn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hpfoekhm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ncnmhajo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Adohpe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Anjnllbd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ajnlqgfo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Blhkon32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Amfcfk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ibklddof.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fenedlec.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Geehcoaf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ldgikklb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ccamabgg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iopeagip.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nldgdpjf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hhhkbqea.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lielphqc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Meafpibb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Okhgaqfj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Clheeh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Abaaakob.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fjhjlm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fkfcdpfg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gckknqkg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lcnqin32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kjeblf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qfdpgd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Giakoc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iqhhin32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jijbnppi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Condfo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Llojpghe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hkgjge32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Coqaknog.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dfhial32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ekqqea32.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Adohpe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Nagobp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Napibq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ecllqcgk.dll" Ojjnioae.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qnblkahe.dll" Acldpojj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fccaicfb.dll" Eibikc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lgdcmc32.dll" Fmpnpe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Nogjbbma.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cbcdjpba.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Noiiaj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fkdoii32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Nkphmc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Qmmbhegc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jccjek32.dll" Gnfoao32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jfdigocb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kmbgnl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ldikbhfh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ppaldc32.dll" Kiccle32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Okhgaqfj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bcmeogam.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Obopji32.dll" Hcllmi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Cdooongp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bicogkal.dll" Oqiidg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Idkdfo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ccamabgg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fenedlec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Igjlnf32.dll" Pbohmh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Acldpojj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pokkkgpo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Cbdpag32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dfonie32.dll" Fenedlec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Nqkgbkdj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Onggom32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dbpmin32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pppihdha.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnbdblmp.dll" Conbmfif.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Enfkfc32.dll" Dkakad32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fhdhqg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bbkmki32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Emdjbi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kiopjgdl.dll" Flbgak32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Gepeep32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hoqnikmd.dll" Abaaakob.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hbokkagk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ngkfnp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dknehe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Elnagijk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Qfegakmc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lgcpojic.dll" Jdnpck32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Elafbcao.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mmepboin.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kejdqffo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Migbkglj.dll" Fdpmljan.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ofaaghom.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Alnoepam.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ejqmahdn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pgmfph32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Meafpibb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mllqfhgm.dll" Jijbnppi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Acldpojj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmggfmjg.dll" Ckjnfobi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mhaobd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ipbgci32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Elmmhc32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3008 wrote to memory of 2296 3008 4b8cf44bc7c3b0951c05dbda0b1a28812173852c93d6a13a3a5e43d55821ffcb.exe 29 PID 3008 wrote to memory of 2296 3008 4b8cf44bc7c3b0951c05dbda0b1a28812173852c93d6a13a3a5e43d55821ffcb.exe 29 PID 3008 wrote to memory of 2296 3008 4b8cf44bc7c3b0951c05dbda0b1a28812173852c93d6a13a3a5e43d55821ffcb.exe 29 PID 3008 wrote to memory of 2296 3008 4b8cf44bc7c3b0951c05dbda0b1a28812173852c93d6a13a3a5e43d55821ffcb.exe 29 PID 2296 wrote to memory of 2980 2296 Jadlgjjq.exe 30 PID 2296 wrote to memory of 2980 2296 Jadlgjjq.exe 30 PID 2296 wrote to memory of 2980 2296 Jadlgjjq.exe 30 PID 2296 wrote to memory of 2980 2296 Jadlgjjq.exe 30 PID 2980 wrote to memory of 2828 2980 Kdeehe32.exe 31 PID 2980 wrote to memory of 2828 2980 Kdeehe32.exe 31 PID 2980 wrote to memory of 2828 2980 Kdeehe32.exe 31 PID 2980 wrote to memory of 2828 2980 Kdeehe32.exe 31 PID 2828 wrote to memory of 2756 2828 Ldikbhfh.exe 32 PID 2828 wrote to memory of 2756 2828 Ldikbhfh.exe 32 PID 2828 wrote to memory of 2756 2828 Ldikbhfh.exe 32 PID 2828 wrote to memory of 2756 2828 Ldikbhfh.exe 32 PID 2756 wrote to memory of 2588 2756 Mfhcknpf.exe 33 PID 2756 wrote to memory of 2588 2756 Mfhcknpf.exe 33 PID 2756 wrote to memory of 2588 2756 Mfhcknpf.exe 33 PID 2756 wrote to memory of 2588 2756 Mfhcknpf.exe 33 PID 2588 wrote to memory of 1660 2588 Nqkgbkdj.exe 34 PID 2588 wrote to memory of 1660 2588 Nqkgbkdj.exe 34 PID 2588 wrote to memory of 1660 2588 Nqkgbkdj.exe 34 PID 2588 wrote to memory of 1660 2588 Nqkgbkdj.exe 34 PID 1660 wrote to memory of 832 1660 Phelnhnb.exe 35 PID 1660 wrote to memory of 832 1660 Phelnhnb.exe 35 PID 1660 wrote to memory of 832 1660 Phelnhnb.exe 35 PID 1660 wrote to memory of 832 1660 Phelnhnb.exe 35 PID 832 wrote to memory of 2800 832 Qkcdigpa.exe 36 PID 832 wrote to memory of 2800 832 Qkcdigpa.exe 36 PID 832 wrote to memory of 2800 832 Qkcdigpa.exe 36 PID 832 wrote to memory of 2800 832 Qkcdigpa.exe 36 PID 2800 wrote to memory of 540 2800 Adekhkng.exe 37 PID 2800 wrote to memory of 540 2800 Adekhkng.exe 37 PID 2800 wrote to memory of 540 2800 Adekhkng.exe 37 PID 2800 wrote to memory of 540 2800 Adekhkng.exe 37 PID 540 wrote to memory of 1200 540 Bcmeogam.exe 38 PID 540 wrote to memory of 1200 540 Bcmeogam.exe 38 PID 540 wrote to memory of 1200 540 Bcmeogam.exe 38 PID 540 wrote to memory of 1200 540 Bcmeogam.exe 38 PID 1200 wrote to memory of 1840 1200 Cdjabn32.exe 39 PID 1200 wrote to memory of 1840 1200 Cdjabn32.exe 39 PID 1200 wrote to memory of 1840 1200 Cdjabn32.exe 39 PID 1200 wrote to memory of 1840 1200 Cdjabn32.exe 39 PID 1840 wrote to memory of 1728 1840 Cohlnkeg.exe 40 PID 1840 wrote to memory of 1728 1840 Cohlnkeg.exe 40 PID 1840 wrote to memory of 1728 1840 Cohlnkeg.exe 40 PID 1840 wrote to memory of 1728 1840 Cohlnkeg.exe 40 PID 1728 wrote to memory of 2404 1728 Eibikc32.exe 41 PID 1728 wrote to memory of 2404 1728 Eibikc32.exe 41 PID 1728 wrote to memory of 2404 1728 Eibikc32.exe 41 PID 1728 wrote to memory of 2404 1728 Eibikc32.exe 41 PID 2404 wrote to memory of 2576 2404 Ebkndibq.exe 42 PID 2404 wrote to memory of 2576 2404 Ebkndibq.exe 42 PID 2404 wrote to memory of 2576 2404 Ebkndibq.exe 42 PID 2404 wrote to memory of 2576 2404 Ebkndibq.exe 42 PID 2576 wrote to memory of 1848 2576 Eponmmaj.exe 43 PID 2576 wrote to memory of 1848 2576 Eponmmaj.exe 43 PID 2576 wrote to memory of 1848 2576 Eponmmaj.exe 43 PID 2576 wrote to memory of 1848 2576 Eponmmaj.exe 43 PID 1848 wrote to memory of 1052 1848 Eodknifb.exe 44 PID 1848 wrote to memory of 1052 1848 Eodknifb.exe 44 PID 1848 wrote to memory of 1052 1848 Eodknifb.exe 44 PID 1848 wrote to memory of 1052 1848 Eodknifb.exe 44
Processes
-
C:\Users\Admin\AppData\Local\Temp\4b8cf44bc7c3b0951c05dbda0b1a28812173852c93d6a13a3a5e43d55821ffcb.exe"C:\Users\Admin\AppData\Local\Temp\4b8cf44bc7c3b0951c05dbda0b1a28812173852c93d6a13a3a5e43d55821ffcb.exe"1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3008 -
C:\Windows\SysWOW64\Jadlgjjq.exeC:\Windows\system32\Jadlgjjq.exe2⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2296 -
C:\Windows\SysWOW64\Kdeehe32.exeC:\Windows\system32\Kdeehe32.exe3⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2980 -
C:\Windows\SysWOW64\Ldikbhfh.exeC:\Windows\system32\Ldikbhfh.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2828 -
C:\Windows\SysWOW64\Mfhcknpf.exeC:\Windows\system32\Mfhcknpf.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2756 -
C:\Windows\SysWOW64\Nqkgbkdj.exeC:\Windows\system32\Nqkgbkdj.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2588 -
C:\Windows\SysWOW64\Phelnhnb.exeC:\Windows\system32\Phelnhnb.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1660 -
C:\Windows\SysWOW64\Qkcdigpa.exeC:\Windows\system32\Qkcdigpa.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:832 -
C:\Windows\SysWOW64\Adekhkng.exeC:\Windows\system32\Adekhkng.exe9⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2800 -
C:\Windows\SysWOW64\Bcmeogam.exeC:\Windows\system32\Bcmeogam.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:540 -
C:\Windows\SysWOW64\Cdjabn32.exeC:\Windows\system32\Cdjabn32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1200 -
C:\Windows\SysWOW64\Cohlnkeg.exeC:\Windows\system32\Cohlnkeg.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1840 -
C:\Windows\SysWOW64\Eibikc32.exeC:\Windows\system32\Eibikc32.exe13⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1728 -
C:\Windows\SysWOW64\Ebkndibq.exeC:\Windows\system32\Ebkndibq.exe14⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2404 -
C:\Windows\SysWOW64\Eponmmaj.exeC:\Windows\system32\Eponmmaj.exe15⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2576 -
C:\Windows\SysWOW64\Eodknifb.exeC:\Windows\system32\Eodknifb.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1848 -
C:\Windows\SysWOW64\Flhkhnel.exeC:\Windows\system32\Flhkhnel.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1052 -
C:\Windows\SysWOW64\Fholmo32.exeC:\Windows\system32\Fholmo32.exe18⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1820 -
C:\Windows\SysWOW64\Fdemap32.exeC:\Windows\system32\Fdemap32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1624 -
C:\Windows\SysWOW64\Fhcehngk.exeC:\Windows\system32\Fhcehngk.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1756 -
C:\Windows\SysWOW64\Fmpnpe32.exeC:\Windows\system32\Fmpnpe32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1964 -
C:\Windows\SysWOW64\Fkdoii32.exeC:\Windows\system32\Fkdoii32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2280 -
C:\Windows\SysWOW64\Gdmcbojl.exeC:\Windows\system32\Gdmcbojl.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1352 -
C:\Windows\SysWOW64\Glhhgahg.exeC:\Windows\system32\Glhhgahg.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1184 -
C:\Windows\SysWOW64\Ggmldj32.exeC:\Windows\system32\Ggmldj32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2856 -
C:\Windows\SysWOW64\Gcdmikma.exeC:\Windows\system32\Gcdmikma.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:780 -
C:\Windows\SysWOW64\Gaiijgbi.exeC:\Windows\system32\Gaiijgbi.exe27⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2992 -
C:\Windows\SysWOW64\Galfpgpg.exeC:\Windows\system32\Galfpgpg.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2924 -
C:\Windows\SysWOW64\Hkdkhl32.exeC:\Windows\system32\Hkdkhl32.exe29⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2784 -
C:\Windows\SysWOW64\Hhhkbqea.exeC:\Windows\system32\Hhhkbqea.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2788 -
C:\Windows\SysWOW64\Happkf32.exeC:\Windows\system32\Happkf32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2304 -
C:\Windows\SysWOW64\Hjnaehgj.exeC:\Windows\system32\Hjnaehgj.exe32⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2416 -
C:\Windows\SysWOW64\Hjpnjheg.exeC:\Windows\system32\Hjpnjheg.exe33⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1688 -
C:\Windows\SysWOW64\Ijbjpg32.exeC:\Windows\system32\Ijbjpg32.exe34⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3020 -
C:\Windows\SysWOW64\Iihgadhl.exeC:\Windows\system32\Iihgadhl.exe35⤵
- Executes dropped EXE
PID:2300 -
C:\Windows\SysWOW64\Imepgbnc.exeC:\Windows\system32\Imepgbnc.exe36⤵
- Executes dropped EXE
PID:3028 -
C:\Windows\SysWOW64\Ifndph32.exeC:\Windows\system32\Ifndph32.exe37⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:1272 -
C:\Windows\SysWOW64\Ibeeeijg.exeC:\Windows\system32\Ibeeeijg.exe38⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1768 -
C:\Windows\SysWOW64\Ijpjik32.exeC:\Windows\system32\Ijpjik32.exe39⤵
- Executes dropped EXE
PID:2488 -
C:\Windows\SysWOW64\Jnncoini.exeC:\Windows\system32\Jnncoini.exe40⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1716 -
C:\Windows\SysWOW64\Jjdcdjcm.exeC:\Windows\system32\Jjdcdjcm.exe41⤵
- Executes dropped EXE
PID:1644 -
C:\Windows\SysWOW64\Jjgpjjak.exeC:\Windows\system32\Jjgpjjak.exe42⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2524 -
C:\Windows\SysWOW64\Jfnaok32.exeC:\Windows\system32\Jfnaok32.exe43⤵
- Executes dropped EXE
PID:2460 -
C:\Windows\SysWOW64\Kononm32.exeC:\Windows\system32\Kononm32.exe44⤵
- Executes dropped EXE
PID:1304 -
C:\Windows\SysWOW64\Kiccle32.exeC:\Windows\system32\Kiccle32.exe45⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2288 -
C:\Windows\SysWOW64\Kejdqffo.exeC:\Windows\system32\Kejdqffo.exe46⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1680 -
C:\Windows\SysWOW64\Kfnmnojj.exeC:\Windows\system32\Kfnmnojj.exe47⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2988 -
C:\Windows\SysWOW64\Laenqg32.exeC:\Windows\system32\Laenqg32.exe48⤵
- Executes dropped EXE
PID:2880 -
C:\Windows\SysWOW64\Ldfgbb32.exeC:\Windows\system32\Ldfgbb32.exe49⤵
- Executes dropped EXE
PID:2772 -
C:\Windows\SysWOW64\Lielphqc.exeC:\Windows\system32\Lielphqc.exe50⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2780 -
C:\Windows\SysWOW64\Lcnqin32.exeC:\Windows\system32\Lcnqin32.exe51⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1484 -
C:\Windows\SysWOW64\Mdajff32.exeC:\Windows\system32\Mdajff32.exe52⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1832 -
C:\Windows\SysWOW64\Meafpibb.exeC:\Windows\system32\Meafpibb.exe53⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2036 -
C:\Windows\SysWOW64\Mknohpqj.exeC:\Windows\system32\Mknohpqj.exe54⤵
- Executes dropped EXE
PID:1096 -
C:\Windows\SysWOW64\Mhaobd32.exeC:\Windows\system32\Mhaobd32.exe55⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2672 -
C:\Windows\SysWOW64\Mckpba32.exeC:\Windows\system32\Mckpba32.exe56⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2052 -
C:\Windows\SysWOW64\Ncnmhajo.exeC:\Windows\system32\Ncnmhajo.exe57⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2620 -
C:\Windows\SysWOW64\Ngkfnp32.exeC:\Windows\system32\Ngkfnp32.exe58⤵
- Executes dropped EXE
- Modifies registry class
PID:1944 -
C:\Windows\SysWOW64\Nogjbbma.exeC:\Windows\system32\Nogjbbma.exe59⤵
- Executes dropped EXE
- Modifies registry class
PID:2688 -
C:\Windows\SysWOW64\Nkmkgc32.exeC:\Windows\system32\Nkmkgc32.exe60⤵
- Executes dropped EXE
PID:2060 -
C:\Windows\SysWOW64\Nkphmc32.exeC:\Windows\system32\Nkphmc32.exe61⤵
- Executes dropped EXE
- Modifies registry class
PID:1016 -
C:\Windows\SysWOW64\Nkbdbbop.exeC:\Windows\system32\Nkbdbbop.exe62⤵
- Executes dropped EXE
PID:2080 -
C:\Windows\SysWOW64\Okdahbmm.exeC:\Windows\system32\Okdahbmm.exe63⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2944 -
C:\Windows\SysWOW64\Ojjnioae.exeC:\Windows\system32\Ojjnioae.exe64⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2748 -
C:\Windows\SysWOW64\Onggom32.exeC:\Windows\system32\Onggom32.exe65⤵
- Executes dropped EXE
- Modifies registry class
PID:2380 -
C:\Windows\SysWOW64\Ommdqi32.exeC:\Windows\system32\Ommdqi32.exe66⤵PID:2440
-
C:\Windows\SysWOW64\Pmoqfi32.exeC:\Windows\system32\Pmoqfi32.exe67⤵PID:2068
-
C:\Windows\SysWOW64\Pppihdha.exeC:\Windows\system32\Pppihdha.exe68⤵
- Drops file in System32 directory
- Modifies registry class
PID:1168 -
C:\Windows\SysWOW64\Ppbfmdfo.exeC:\Windows\system32\Ppbfmdfo.exe69⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:584 -
C:\Windows\SysWOW64\Pafpjljk.exeC:\Windows\system32\Pafpjljk.exe70⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2724 -
C:\Windows\SysWOW64\Qhbdmeoe.exeC:\Windows\system32\Qhbdmeoe.exe71⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2504 -
C:\Windows\SysWOW64\Amaiklki.exeC:\Windows\system32\Amaiklki.exe72⤵PID:1552
-
C:\Windows\SysWOW64\Aihjpman.exeC:\Windows\system32\Aihjpman.exe73⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2420 -
C:\Windows\SysWOW64\Amfcfk32.exeC:\Windows\system32\Amfcfk32.exe74⤵
- System Location Discovery: System Language Discovery
PID:1244 -
C:\Windows\SysWOW64\Abehcbci.exeC:\Windows\system32\Abehcbci.exe75⤵PID:2452
-
C:\Windows\SysWOW64\Abgeiaaf.exeC:\Windows\system32\Abgeiaaf.exe76⤵PID:1772
-
C:\Windows\SysWOW64\Bonenbgj.exeC:\Windows\system32\Bonenbgj.exe77⤵PID:1600
-
C:\Windows\SysWOW64\Bncboo32.exeC:\Windows\system32\Bncboo32.exe78⤵PID:2188
-
C:\Windows\SysWOW64\Bhiglh32.exeC:\Windows\system32\Bhiglh32.exe79⤵PID:884
-
C:\Windows\SysWOW64\Bdpgai32.exeC:\Windows\system32\Bdpgai32.exe80⤵
- Drops file in System32 directory
PID:1744 -
C:\Windows\SysWOW64\Bnhljnhm.exeC:\Windows\system32\Bnhljnhm.exe81⤵
- Drops file in System32 directory
PID:2832 -
C:\Windows\SysWOW64\Bfcqoqeh.exeC:\Windows\system32\Bfcqoqeh.exe82⤵PID:2456
-
C:\Windows\SysWOW64\Colegflh.exeC:\Windows\system32\Colegflh.exe83⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2584 -
C:\Windows\SysWOW64\Conbmfif.exeC:\Windows\system32\Conbmfif.exe84⤵
- Modifies registry class
PID:1804 -
C:\Windows\SysWOW64\Chfffk32.exeC:\Windows\system32\Chfffk32.exe85⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3068 -
C:\Windows\SysWOW64\Cbokoa32.exeC:\Windows\system32\Cbokoa32.exe86⤵
- Drops file in System32 directory
PID:2240 -
C:\Windows\SysWOW64\Cnekcblk.exeC:\Windows\system32\Cnekcblk.exe87⤵PID:1968
-
C:\Windows\SysWOW64\Cgnpmg32.exeC:\Windows\system32\Cgnpmg32.exe88⤵PID:2012
-
C:\Windows\SysWOW64\Cbcdjpba.exeC:\Windows\system32\Cbcdjpba.exe89⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:612 -
C:\Windows\SysWOW64\Dbfaopqo.exeC:\Windows\system32\Dbfaopqo.exe90⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1464 -
C:\Windows\SysWOW64\Dknehe32.exeC:\Windows\system32\Dknehe32.exe91⤵
- Modifies registry class
PID:1372 -
C:\Windows\SysWOW64\Dcijmhdj.exeC:\Windows\system32\Dcijmhdj.exe92⤵PID:524
-
C:\Windows\SysWOW64\Dnonjqdq.exeC:\Windows\system32\Dnonjqdq.exe93⤵PID:1704
-
C:\Windows\SysWOW64\Elnagijk.exeC:\Windows\system32\Elnagijk.exe94⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:1712 -
C:\Windows\SysWOW64\Eeffpn32.exeC:\Windows\system32\Eeffpn32.exe95⤵PID:2708
-
C:\Windows\SysWOW64\Eamgeo32.exeC:\Windows\system32\Eamgeo32.exe96⤵PID:2448
-
C:\Windows\SysWOW64\Ejeknelp.exeC:\Windows\system32\Ejeknelp.exe97⤵PID:2004
-
C:\Windows\SysWOW64\Ehilgikj.exeC:\Windows\system32\Ehilgikj.exe98⤵PID:2064
-
C:\Windows\SysWOW64\Fdpmljan.exeC:\Windows\system32\Fdpmljan.exe99⤵
- Modifies registry class
PID:3048 -
C:\Windows\SysWOW64\Fdbibjok.exeC:\Windows\system32\Fdbibjok.exe100⤵
- System Location Discovery: System Language Discovery
PID:2224 -
C:\Windows\SysWOW64\Fdefgimi.exeC:\Windows\system32\Fdefgimi.exe101⤵PID:2088
-
C:\Windows\SysWOW64\Fooghg32.exeC:\Windows\system32\Fooghg32.exe102⤵PID:1560
-
C:\Windows\SysWOW64\Flbgak32.exeC:\Windows\system32\Flbgak32.exe103⤵
- Modifies registry class
PID:2368 -
C:\Windows\SysWOW64\Gkgdbh32.exeC:\Windows\system32\Gkgdbh32.exe104⤵PID:1000
-
C:\Windows\SysWOW64\Ghlell32.exeC:\Windows\system32\Ghlell32.exe105⤵PID:1132
-
C:\Windows\SysWOW64\Gepeep32.exeC:\Windows\system32\Gepeep32.exe106⤵
- Modifies registry class
PID:3000 -
C:\Windows\SysWOW64\Gohjnf32.exeC:\Windows\system32\Gohjnf32.exe107⤵PID:2336
-
C:\Windows\SysWOW64\Giakoc32.exeC:\Windows\system32\Giakoc32.exe108⤵
- System Location Discovery: System Language Discovery
PID:2264 -
C:\Windows\SysWOW64\Gcjogidl.exeC:\Windows\system32\Gcjogidl.exe109⤵
- Drops file in System32 directory
PID:1100 -
C:\Windows\SysWOW64\Hcllmi32.exeC:\Windows\system32\Hcllmi32.exe110⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:932 -
C:\Windows\SysWOW64\Hpplfm32.exeC:\Windows\system32\Hpplfm32.exe111⤵PID:1148
-
C:\Windows\SysWOW64\Hlgmkn32.exeC:\Windows\system32\Hlgmkn32.exe112⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1160 -
C:\Windows\SysWOW64\Heoadcmh.exeC:\Windows\system32\Heoadcmh.exe113⤵
- System Location Discovery: System Language Discovery
PID:572 -
C:\Windows\SysWOW64\Hafbid32.exeC:\Windows\system32\Hafbid32.exe114⤵
- Drops file in System32 directory
PID:1488 -
C:\Windows\SysWOW64\Hahoodqi.exeC:\Windows\system32\Hahoodqi.exe115⤵
- System Location Discovery: System Language Discovery
PID:2912 -
C:\Windows\SysWOW64\Ibklddof.exeC:\Windows\system32\Ibklddof.exe116⤵
- System Location Discovery: System Language Discovery
PID:2916 -
C:\Windows\SysWOW64\Iggdmkmn.exeC:\Windows\system32\Iggdmkmn.exe117⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2176 -
C:\Windows\SysWOW64\Idkdfo32.exeC:\Windows\system32\Idkdfo32.exe118⤵
- Modifies registry class
PID:1984 -
C:\Windows\SysWOW64\Mlqakaqi.exeC:\Windows\system32\Mlqakaqi.exe119⤵PID:3064
-
C:\Windows\SysWOW64\Njmhcj32.exeC:\Windows\system32\Njmhcj32.exe120⤵PID:1996
-
C:\Windows\SysWOW64\Njbanida.exeC:\Windows\system32\Njbanida.exe121⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2864
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-