Analysis
-
max time kernel
89s -
max time network
19s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system -
submitted
21-11-2024 23:36
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
4fb6bf2009ec3c3cf3bdc0d441513e0575a6f667c5fccd087ab6d8e338e7fa0f.exe
Resource
win7-20241010-en
windows7-x64
8 signatures
150 seconds
Behavioral task
behavioral2
Sample
4fb6bf2009ec3c3cf3bdc0d441513e0575a6f667c5fccd087ab6d8e338e7fa0f.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
7 signatures
150 seconds
General
-
Target
4fb6bf2009ec3c3cf3bdc0d441513e0575a6f667c5fccd087ab6d8e338e7fa0f.exe
-
Size
304KB
-
MD5
88d516a33a84d397537d8409230e133d
-
SHA1
2bc3602364062dcb5fe92a297aafecbb2700e9bf
-
SHA256
4fb6bf2009ec3c3cf3bdc0d441513e0575a6f667c5fccd087ab6d8e338e7fa0f
-
SHA512
5c4d01568b15a2b3fabe3ca75bc7655497995ed531361fca0f3c244ecba1e2d76cf0847f6aefe9a422496f4e9efa1e0547b26ce14d95a5f3f8e75d8ac3a9dcdd
-
SSDEEP
6144:0fdvIpuHcO7JfnrFVoXJtpNr1RgAaa6FlFlcOuLr2/24qXPAbgPBFpYrFVO/fnre:IJfnYdsWfna
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cfghagio.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ebhjdc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iqnlpq32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iklajp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jjehflbe.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hlhamp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dendcg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lgekdh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Odckho32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fkdckgpc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cjbpoeoj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Phacnm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gmgenh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fefpfi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kjfdcc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lanpmn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iklajp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kogjib32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qmcedg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dhaefepn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gnlbnagl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Edahca32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Babpgo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bpgmhkfi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ndpmbjbk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cfmceomm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fgnfpm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kldchgag.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fjdqbbkp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fqeagpop.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cabldeik.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ebhjdc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pdlmnm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hnedfljc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Belfldoh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lfonlg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cdjabn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cfknjfbl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Laacmc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Condfo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lanpmn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Colegflh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Igomfb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fimpcc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ibbioilj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pnminkof.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Emadjj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Chiedc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gpiadq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Afnfcl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cmjdcm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cfmhfm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gmgenh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oofpgolq.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pccelqeb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dokjlcjh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lilehl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oefqlmpq.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Biecoj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ccmcfc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ifecen32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hfkidh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dgnhhq32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dbfaopqo.exe -
Executes dropped EXE 64 IoCs
pid Process 928 Pgacaaij.exe 1632 Pnllnk32.exe 2760 Pchdfb32.exe 2772 Qckalamk.exe 2916 Qmcedg32.exe 2768 Ajgfnk32.exe 2664 Aqanke32.exe 2336 Afnfcl32.exe 2864 Akkokc32.exe 2988 Aioodg32.exe 1280 Ankhmncb.exe 2732 Akphfbbl.exe 1944 Aehmoh32.exe 2376 Ajdego32.exe 2108 Bejiehfi.exe 2456 Bnbnnm32.exe 2516 Bcoffd32.exe 624 Bacgohjk.exe 1764 Biolckgf.exe 2164 Baecehhh.exe 112 Bfblmofp.exe 1744 Blodefdg.exe 2444 Behinlkh.exe 868 Claake32.exe 1484 Cfgehn32.exe 2724 Ciebdj32.exe 2544 Caqfiloi.exe 2812 Cjikaa32.exe 2652 Caccnllf.exe 984 Cdapjglj.exe 564 Cmjdcm32.exe 1992 Cfbhlb32.exe 2420 Dhaefepn.exe 2088 Dmomnlne.exe 668 Dbkffc32.exe 1548 Dkbnhq32.exe 936 Dpofpg32.exe 392 Dkekmp32.exe 584 Dpaceg32.exe 2924 Dijgnm32.exe 3036 Dpdpkfga.exe 2224 Dgnhhq32.exe 2616 Dhodpidl.exe 2036 Eagiho32.exe 2248 Ehaaei32.exe 3044 Ecgeba32.exe 2312 Edhbjjhn.exe 948 Eonfgbhc.exe 468 Edkopifk.exe 2356 Ekdglcmh.exe 2644 Egkgad32.exe 2964 Enepnoji.exe 2508 Edohki32.exe 912 Egndgdai.exe 604 Fnhlcn32.exe 2532 Fcdele32.exe 2816 Fjomhonj.exe 3024 Fqheei32.exe 1152 Ffenmp32.exe 2560 Fcingdbh.exe 2040 Fjcfco32.exe 944 Fkdckgpc.exe 1604 Fbnkha32.exe 2320 Fihcdkom.exe -
Loads dropped DLL 64 IoCs
pid Process 1048 4fb6bf2009ec3c3cf3bdc0d441513e0575a6f667c5fccd087ab6d8e338e7fa0f.exe 1048 4fb6bf2009ec3c3cf3bdc0d441513e0575a6f667c5fccd087ab6d8e338e7fa0f.exe 928 Pgacaaij.exe 928 Pgacaaij.exe 1632 Pnllnk32.exe 1632 Pnllnk32.exe 2760 Pchdfb32.exe 2760 Pchdfb32.exe 2772 Qckalamk.exe 2772 Qckalamk.exe 2916 Qmcedg32.exe 2916 Qmcedg32.exe 2768 Ajgfnk32.exe 2768 Ajgfnk32.exe 2664 Aqanke32.exe 2664 Aqanke32.exe 2336 Afnfcl32.exe 2336 Afnfcl32.exe 2864 Akkokc32.exe 2864 Akkokc32.exe 2988 Aioodg32.exe 2988 Aioodg32.exe 1280 Ankhmncb.exe 1280 Ankhmncb.exe 2732 Akphfbbl.exe 2732 Akphfbbl.exe 1944 Aehmoh32.exe 1944 Aehmoh32.exe 2376 Ajdego32.exe 2376 Ajdego32.exe 2108 Bejiehfi.exe 2108 Bejiehfi.exe 2456 Bnbnnm32.exe 2456 Bnbnnm32.exe 2516 Bcoffd32.exe 2516 Bcoffd32.exe 624 Bacgohjk.exe 624 Bacgohjk.exe 1764 Biolckgf.exe 1764 Biolckgf.exe 2164 Baecehhh.exe 2164 Baecehhh.exe 112 Bfblmofp.exe 112 Bfblmofp.exe 1744 Blodefdg.exe 1744 Blodefdg.exe 2444 Behinlkh.exe 2444 Behinlkh.exe 868 Claake32.exe 868 Claake32.exe 1484 Cfgehn32.exe 1484 Cfgehn32.exe 2724 Ciebdj32.exe 2724 Ciebdj32.exe 2544 Caqfiloi.exe 2544 Caqfiloi.exe 2812 Cjikaa32.exe 2812 Cjikaa32.exe 2652 Caccnllf.exe 2652 Caccnllf.exe 984 Cdapjglj.exe 984 Cdapjglj.exe 564 Cmjdcm32.exe 564 Cmjdcm32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Ogljib32.dll Fdbgia32.exe File opened for modification C:\Windows\SysWOW64\Indiodbh.exe Inaliedk.exe File created C:\Windows\SysWOW64\Oqdioaqf.exe Oqaliabh.exe File opened for modification C:\Windows\SysWOW64\Bakgmgpe.exe Afojgiei.exe File created C:\Windows\SysWOW64\Denollgl.dll Cagpldqg.exe File opened for modification C:\Windows\SysWOW64\Dgjdjghf.exe Dghgdg32.exe File created C:\Windows\SysWOW64\Bemkkdbc.dll Afnfcl32.exe File created C:\Windows\SysWOW64\Nllibb32.dll Kjjnnbfj.exe File opened for modification C:\Windows\SysWOW64\Lfedlb32.exe Lnipgp32.exe File created C:\Windows\SysWOW64\Nnpofe32.exe Neemgp32.exe File created C:\Windows\SysWOW64\Ehbcnajn.exe Dimfmeef.exe File opened for modification C:\Windows\SysWOW64\Fdbibjok.exe Fimedaoe.exe File created C:\Windows\SysWOW64\Mdlfpcnd.exe Mheekb32.exe File created C:\Windows\SysWOW64\Dmlffcog.dll Bfdlehlc.exe File created C:\Windows\SysWOW64\Nlnlcg32.exe Nbehjb32.exe File opened for modification C:\Windows\SysWOW64\Fihcdkom.exe Fbnkha32.exe File created C:\Windows\SysWOW64\Adldghpq.dll Lbmicc32.exe File opened for modification C:\Windows\SysWOW64\Bpbokj32.exe Behnkm32.exe File opened for modification C:\Windows\SysWOW64\Bjlpjp32.exe Bnfodojp.exe File opened for modification C:\Windows\SysWOW64\Kceganoe.exe Jkjbml32.exe File created C:\Windows\SysWOW64\Jgihopao.exe Jjehflbe.exe File created C:\Windows\SysWOW64\Eklicjkf.exe Epchbm32.exe File created C:\Windows\SysWOW64\Mflnei32.dll Gnlbnagl.exe File created C:\Windows\SysWOW64\Giikkehc.exe Gdmcbojl.exe File created C:\Windows\SysWOW64\Lpjpgo32.dll Pjiffd32.exe File opened for modification C:\Windows\SysWOW64\Knnmeh32.exe Kgddin32.exe File created C:\Windows\SysWOW64\Kcqfahom.exe Khkadoog.exe File created C:\Windows\SysWOW64\Opcqhn32.dll Fnkblm32.exe File created C:\Windows\SysWOW64\Gpaikiig.exe Fjdqbbkp.exe File opened for modification C:\Windows\SysWOW64\Giljinne.exe Glhjpjok.exe File created C:\Windows\SysWOW64\Gfiaemdb.dll Oofbph32.exe File opened for modification C:\Windows\SysWOW64\Hhmioa32.exe Hnedfljc.exe File created C:\Windows\SysWOW64\Nbckeb32.exe Nikflm32.exe File created C:\Windows\SysWOW64\Ajdego32.exe Aehmoh32.exe File created C:\Windows\SysWOW64\Coccggfi.dll Fbbcdh32.exe File created C:\Windows\SysWOW64\Nnkjca32.dll Dpbgghhl.exe File created C:\Windows\SysWOW64\Clehoiam.exe Ccmcfc32.exe File created C:\Windows\SysWOW64\Kjfhgp32.exe Kigkmmql.exe File opened for modification C:\Windows\SysWOW64\Babpgo32.exe Bfmlif32.exe File created C:\Windows\SysWOW64\Jffjbfpf.dll Dpnogmbl.exe File opened for modification C:\Windows\SysWOW64\Ibafhmph.exe Imenpfap.exe File created C:\Windows\SysWOW64\Eabeal32.exe Eghdanac.exe File created C:\Windows\SysWOW64\Caklgd32.dll Fefpfi32.exe File created C:\Windows\SysWOW64\Ffenmp32.exe Fqheei32.exe File created C:\Windows\SysWOW64\Bgcbja32.exe Bikhce32.exe File created C:\Windows\SysWOW64\Pnminkof.exe Onkmhl32.exe File opened for modification C:\Windows\SysWOW64\Nfogeamk.exe Nbckeb32.exe File created C:\Windows\SysWOW64\Coofoghn.exe Cfcajekc.exe File created C:\Windows\SysWOW64\Jaklei32.exe Jompim32.exe File opened for modification C:\Windows\SysWOW64\Kpoegc32.exe Kjdmjiae.exe File created C:\Windows\SysWOW64\Ilmool32.exe Ifqfge32.exe File created C:\Windows\SysWOW64\Jajaqnkq.dll Lgiakjld.exe File created C:\Windows\SysWOW64\Paihgboc.exe Phacnm32.exe File opened for modification C:\Windows\SysWOW64\Qcfdji32.exe Qbggqfca.exe File created C:\Windows\SysWOW64\Jcfmeq32.dll Bfmlif32.exe File created C:\Windows\SysWOW64\Djcdmp32.dll Cnacbj32.exe File created C:\Windows\SysWOW64\Gdilkpbo.dll Kkajkoml.exe File created C:\Windows\SysWOW64\Koelibnh.exe Kbokda32.exe File created C:\Windows\SysWOW64\Elioal32.dll Nidhfgpl.exe File created C:\Windows\SysWOW64\Bgichoqj.exe Biecoj32.exe File created C:\Windows\SysWOW64\Bkckihel.exe Bkqnchgo.exe File created C:\Windows\SysWOW64\Doflofbf.exe Cenhfqle.exe File opened for modification C:\Windows\SysWOW64\Hebckd32.exe Hpejcnlf.exe File opened for modification C:\Windows\SysWOW64\Ipefba32.exe Ibafhmph.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 4624 3560 WerFault.exe 1009 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jpndkj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Enokidgl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cfmhfm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kogjib32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Abfmecba.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bnemlf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lbdiabcg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mjappa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nlnlcg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eklicjkf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aqanke32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ieqbbl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hdakej32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dhnoocab.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ffahgn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lcpecdio.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cfcajekc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mifmoa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dadehh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mfamko32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Homfboco.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Flnnfllf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qmlief32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dhaboi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kgcbpemp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nbckeb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mhopcl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hebckd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dgehfodh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gfqmkk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Almjcobe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Achlch32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oofpgolq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qjofljho.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lanpmn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iganmp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gjomlp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pqodho32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fkfcdpfg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Egegnk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bfblmofp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hnmcne32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hbcdfq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dhodpidl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lednal32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bdbdgh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lneghd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jncqlj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nglmifca.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mfpaqdnk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qcfdji32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gpiadq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ggnqfgce.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fpojlp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dndahokk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jknlfg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Coejfn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Akmgoehg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pjlifjjb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kkkgnmqb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dimfmeef.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lkkfdmpq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lldhldpg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fhakkg32.exe -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pkglenej.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Knnmeh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Faohlp32.dll" Ahoamplo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Epgabhdg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nffenj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Macnjk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bpchiebc.dll" Qpnkjq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Neihmpon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Enliaf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lkiacp32.dll" Jjckpl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fqheei32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Icnbic32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Himgihno.dll" Ghcbga32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Afdjmo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nbamjgeq.dll" Pkdiehca.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dcfkgmcj.dll" Ceqlff32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dhodpidl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjgoohpd.dll" Cllmdcej.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jfadoaih.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hjbljh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dajabd32.dll" Edkopifk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hlamfh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnckabmd.dll" Hojeka32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gdfdjnfl.dll" Dgehfodh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Eggajb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kldchgag.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ccmcfc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Poplqm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Njgeefme.dll" Bikhce32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mpjboi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjnilh32.dll" Ipqmgbbf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ngoinfao.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pfjdmggb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Omfoko32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cgppdp32.dll" Mcdkmg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ibmmkaik.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fkeedo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aabfqp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lcdmekne.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Laifbnho.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dgmfmoge.dll" Edahca32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kloggici.dll" Clnmmlkm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dmolagqb.dll" Jkgelh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nhpdkm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Edocjp32.dll" Lfedlb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kamncagl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fhcaokcc.dll" Kdcinjpo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gdghbiem.dll" Fjpipkgi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bapcaocc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hmockkok.dll" Imidgh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cgnpmg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ehilgikj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bdcmjg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Oiepmajb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nclgagoq.dll" Gqmmhdka.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ngalll32.dll" Jajbfeop.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ifoncgpc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ceahlg32.dll" Ndnplk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hhcheobh.dll" Gcifdj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Npbbcgga.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kjdmjiae.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ncbdjhnf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imekmp32.dll" Eolljk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lgjcdc32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1048 wrote to memory of 928 1048 4fb6bf2009ec3c3cf3bdc0d441513e0575a6f667c5fccd087ab6d8e338e7fa0f.exe 29 PID 1048 wrote to memory of 928 1048 4fb6bf2009ec3c3cf3bdc0d441513e0575a6f667c5fccd087ab6d8e338e7fa0f.exe 29 PID 1048 wrote to memory of 928 1048 4fb6bf2009ec3c3cf3bdc0d441513e0575a6f667c5fccd087ab6d8e338e7fa0f.exe 29 PID 1048 wrote to memory of 928 1048 4fb6bf2009ec3c3cf3bdc0d441513e0575a6f667c5fccd087ab6d8e338e7fa0f.exe 29 PID 928 wrote to memory of 1632 928 Pgacaaij.exe 30 PID 928 wrote to memory of 1632 928 Pgacaaij.exe 30 PID 928 wrote to memory of 1632 928 Pgacaaij.exe 30 PID 928 wrote to memory of 1632 928 Pgacaaij.exe 30 PID 1632 wrote to memory of 2760 1632 Pnllnk32.exe 31 PID 1632 wrote to memory of 2760 1632 Pnllnk32.exe 31 PID 1632 wrote to memory of 2760 1632 Pnllnk32.exe 31 PID 1632 wrote to memory of 2760 1632 Pnllnk32.exe 31 PID 2760 wrote to memory of 2772 2760 Pchdfb32.exe 32 PID 2760 wrote to memory of 2772 2760 Pchdfb32.exe 32 PID 2760 wrote to memory of 2772 2760 Pchdfb32.exe 32 PID 2760 wrote to memory of 2772 2760 Pchdfb32.exe 32 PID 2772 wrote to memory of 2916 2772 Qckalamk.exe 33 PID 2772 wrote to memory of 2916 2772 Qckalamk.exe 33 PID 2772 wrote to memory of 2916 2772 Qckalamk.exe 33 PID 2772 wrote to memory of 2916 2772 Qckalamk.exe 33 PID 2916 wrote to memory of 2768 2916 Qmcedg32.exe 34 PID 2916 wrote to memory of 2768 2916 Qmcedg32.exe 34 PID 2916 wrote to memory of 2768 2916 Qmcedg32.exe 34 PID 2916 wrote to memory of 2768 2916 Qmcedg32.exe 34 PID 2768 wrote to memory of 2664 2768 Ajgfnk32.exe 35 PID 2768 wrote to memory of 2664 2768 Ajgfnk32.exe 35 PID 2768 wrote to memory of 2664 2768 Ajgfnk32.exe 35 PID 2768 wrote to memory of 2664 2768 Ajgfnk32.exe 35 PID 2664 wrote to memory of 2336 2664 Aqanke32.exe 36 PID 2664 wrote to memory of 2336 2664 Aqanke32.exe 36 PID 2664 wrote to memory of 2336 2664 Aqanke32.exe 36 PID 2664 wrote to memory of 2336 2664 Aqanke32.exe 36 PID 2336 wrote to memory of 2864 2336 Afnfcl32.exe 37 PID 2336 wrote to memory of 2864 2336 Afnfcl32.exe 37 PID 2336 wrote to memory of 2864 2336 Afnfcl32.exe 37 PID 2336 wrote to memory of 2864 2336 Afnfcl32.exe 37 PID 2864 wrote to memory of 2988 2864 Akkokc32.exe 38 PID 2864 wrote to memory of 2988 2864 Akkokc32.exe 38 PID 2864 wrote to memory of 2988 2864 Akkokc32.exe 38 PID 2864 wrote to memory of 2988 2864 Akkokc32.exe 38 PID 2988 wrote to memory of 1280 2988 Aioodg32.exe 39 PID 2988 wrote to memory of 1280 2988 Aioodg32.exe 39 PID 2988 wrote to memory of 1280 2988 Aioodg32.exe 39 PID 2988 wrote to memory of 1280 2988 Aioodg32.exe 39 PID 1280 wrote to memory of 2732 1280 Ankhmncb.exe 40 PID 1280 wrote to memory of 2732 1280 Ankhmncb.exe 40 PID 1280 wrote to memory of 2732 1280 Ankhmncb.exe 40 PID 1280 wrote to memory of 2732 1280 Ankhmncb.exe 40 PID 2732 wrote to memory of 1944 2732 Akphfbbl.exe 41 PID 2732 wrote to memory of 1944 2732 Akphfbbl.exe 41 PID 2732 wrote to memory of 1944 2732 Akphfbbl.exe 41 PID 2732 wrote to memory of 1944 2732 Akphfbbl.exe 41 PID 1944 wrote to memory of 2376 1944 Aehmoh32.exe 42 PID 1944 wrote to memory of 2376 1944 Aehmoh32.exe 42 PID 1944 wrote to memory of 2376 1944 Aehmoh32.exe 42 PID 1944 wrote to memory of 2376 1944 Aehmoh32.exe 42 PID 2376 wrote to memory of 2108 2376 Ajdego32.exe 43 PID 2376 wrote to memory of 2108 2376 Ajdego32.exe 43 PID 2376 wrote to memory of 2108 2376 Ajdego32.exe 43 PID 2376 wrote to memory of 2108 2376 Ajdego32.exe 43 PID 2108 wrote to memory of 2456 2108 Bejiehfi.exe 44 PID 2108 wrote to memory of 2456 2108 Bejiehfi.exe 44 PID 2108 wrote to memory of 2456 2108 Bejiehfi.exe 44 PID 2108 wrote to memory of 2456 2108 Bejiehfi.exe 44
Processes
-
C:\Users\Admin\AppData\Local\Temp\4fb6bf2009ec3c3cf3bdc0d441513e0575a6f667c5fccd087ab6d8e338e7fa0f.exe"C:\Users\Admin\AppData\Local\Temp\4fb6bf2009ec3c3cf3bdc0d441513e0575a6f667c5fccd087ab6d8e338e7fa0f.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1048 -
C:\Windows\SysWOW64\Pgacaaij.exeC:\Windows\system32\Pgacaaij.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:928 -
C:\Windows\SysWOW64\Pnllnk32.exeC:\Windows\system32\Pnllnk32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1632 -
C:\Windows\SysWOW64\Pchdfb32.exeC:\Windows\system32\Pchdfb32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2760 -
C:\Windows\SysWOW64\Qckalamk.exeC:\Windows\system32\Qckalamk.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2772 -
C:\Windows\SysWOW64\Qmcedg32.exeC:\Windows\system32\Qmcedg32.exe6⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2916 -
C:\Windows\SysWOW64\Ajgfnk32.exeC:\Windows\system32\Ajgfnk32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2768 -
C:\Windows\SysWOW64\Aqanke32.exeC:\Windows\system32\Aqanke32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2664 -
C:\Windows\SysWOW64\Afnfcl32.exeC:\Windows\system32\Afnfcl32.exe9⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2336 -
C:\Windows\SysWOW64\Akkokc32.exeC:\Windows\system32\Akkokc32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2864 -
C:\Windows\SysWOW64\Aioodg32.exeC:\Windows\system32\Aioodg32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2988 -
C:\Windows\SysWOW64\Ankhmncb.exeC:\Windows\system32\Ankhmncb.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1280 -
C:\Windows\SysWOW64\Akphfbbl.exeC:\Windows\system32\Akphfbbl.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2732 -
C:\Windows\SysWOW64\Aehmoh32.exeC:\Windows\system32\Aehmoh32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1944 -
C:\Windows\SysWOW64\Ajdego32.exeC:\Windows\system32\Ajdego32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2376 -
C:\Windows\SysWOW64\Bejiehfi.exeC:\Windows\system32\Bejiehfi.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2108 -
C:\Windows\SysWOW64\Bnbnnm32.exeC:\Windows\system32\Bnbnnm32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2456 -
C:\Windows\SysWOW64\Bcoffd32.exeC:\Windows\system32\Bcoffd32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2516 -
C:\Windows\SysWOW64\Bacgohjk.exeC:\Windows\system32\Bacgohjk.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:624 -
C:\Windows\SysWOW64\Biolckgf.exeC:\Windows\system32\Biolckgf.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1764 -
C:\Windows\SysWOW64\Baecehhh.exeC:\Windows\system32\Baecehhh.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2164 -
C:\Windows\SysWOW64\Bfblmofp.exeC:\Windows\system32\Bfblmofp.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:112 -
C:\Windows\SysWOW64\Blodefdg.exeC:\Windows\system32\Blodefdg.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1744 -
C:\Windows\SysWOW64\Behinlkh.exeC:\Windows\system32\Behinlkh.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2444 -
C:\Windows\SysWOW64\Claake32.exeC:\Windows\system32\Claake32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:868 -
C:\Windows\SysWOW64\Cfgehn32.exeC:\Windows\system32\Cfgehn32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1484 -
C:\Windows\SysWOW64\Ciebdj32.exeC:\Windows\system32\Ciebdj32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2724 -
C:\Windows\SysWOW64\Caqfiloi.exeC:\Windows\system32\Caqfiloi.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2544 -
C:\Windows\SysWOW64\Cjikaa32.exeC:\Windows\system32\Cjikaa32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2812 -
C:\Windows\SysWOW64\Caccnllf.exeC:\Windows\system32\Caccnllf.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2652 -
C:\Windows\SysWOW64\Cdapjglj.exeC:\Windows\system32\Cdapjglj.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:984 -
C:\Windows\SysWOW64\Cmjdcm32.exeC:\Windows\system32\Cmjdcm32.exe32⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:564 -
C:\Windows\SysWOW64\Cfbhlb32.exeC:\Windows\system32\Cfbhlb32.exe33⤵
- Executes dropped EXE
PID:1992 -
C:\Windows\SysWOW64\Dhaefepn.exeC:\Windows\system32\Dhaefepn.exe34⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2420 -
C:\Windows\SysWOW64\Dmomnlne.exeC:\Windows\system32\Dmomnlne.exe35⤵
- Executes dropped EXE
PID:2088 -
C:\Windows\SysWOW64\Dbkffc32.exeC:\Windows\system32\Dbkffc32.exe36⤵
- Executes dropped EXE
PID:668 -
C:\Windows\SysWOW64\Dkbnhq32.exeC:\Windows\system32\Dkbnhq32.exe37⤵
- Executes dropped EXE
PID:1548 -
C:\Windows\SysWOW64\Dpofpg32.exeC:\Windows\system32\Dpofpg32.exe38⤵
- Executes dropped EXE
PID:936 -
C:\Windows\SysWOW64\Dkekmp32.exeC:\Windows\system32\Dkekmp32.exe39⤵
- Executes dropped EXE
PID:392 -
C:\Windows\SysWOW64\Dpaceg32.exeC:\Windows\system32\Dpaceg32.exe40⤵
- Executes dropped EXE
PID:584 -
C:\Windows\SysWOW64\Dijgnm32.exeC:\Windows\system32\Dijgnm32.exe41⤵
- Executes dropped EXE
PID:2924 -
C:\Windows\SysWOW64\Dpdpkfga.exeC:\Windows\system32\Dpdpkfga.exe42⤵
- Executes dropped EXE
PID:3036 -
C:\Windows\SysWOW64\Dgnhhq32.exeC:\Windows\system32\Dgnhhq32.exe43⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2224 -
C:\Windows\SysWOW64\Dhodpidl.exeC:\Windows\system32\Dhodpidl.exe44⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2616 -
C:\Windows\SysWOW64\Eagiho32.exeC:\Windows\system32\Eagiho32.exe45⤵
- Executes dropped EXE
PID:2036 -
C:\Windows\SysWOW64\Ehaaei32.exeC:\Windows\system32\Ehaaei32.exe46⤵
- Executes dropped EXE
PID:2248 -
C:\Windows\SysWOW64\Ecgeba32.exeC:\Windows\system32\Ecgeba32.exe47⤵
- Executes dropped EXE
PID:3044 -
C:\Windows\SysWOW64\Edhbjjhn.exeC:\Windows\system32\Edhbjjhn.exe48⤵
- Executes dropped EXE
PID:2312 -
C:\Windows\SysWOW64\Eonfgbhc.exeC:\Windows\system32\Eonfgbhc.exe49⤵
- Executes dropped EXE
PID:948 -
C:\Windows\SysWOW64\Edkopifk.exeC:\Windows\system32\Edkopifk.exe50⤵
- Executes dropped EXE
- Modifies registry class
PID:468 -
C:\Windows\SysWOW64\Ekdglcmh.exeC:\Windows\system32\Ekdglcmh.exe51⤵
- Executes dropped EXE
PID:2356 -
C:\Windows\SysWOW64\Egkgad32.exeC:\Windows\system32\Egkgad32.exe52⤵
- Executes dropped EXE
PID:2644 -
C:\Windows\SysWOW64\Enepnoji.exeC:\Windows\system32\Enepnoji.exe53⤵
- Executes dropped EXE
PID:2964 -
C:\Windows\SysWOW64\Edohki32.exeC:\Windows\system32\Edohki32.exe54⤵
- Executes dropped EXE
PID:2508 -
C:\Windows\SysWOW64\Egndgdai.exeC:\Windows\system32\Egndgdai.exe55⤵
- Executes dropped EXE
PID:912 -
C:\Windows\SysWOW64\Fnhlcn32.exeC:\Windows\system32\Fnhlcn32.exe56⤵
- Executes dropped EXE
PID:604 -
C:\Windows\SysWOW64\Fcdele32.exeC:\Windows\system32\Fcdele32.exe57⤵
- Executes dropped EXE
PID:2532 -
C:\Windows\SysWOW64\Fjomhonj.exeC:\Windows\system32\Fjomhonj.exe58⤵
- Executes dropped EXE
PID:2816 -
C:\Windows\SysWOW64\Fqheei32.exeC:\Windows\system32\Fqheei32.exe59⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:3024 -
C:\Windows\SysWOW64\Ffenmp32.exeC:\Windows\system32\Ffenmp32.exe60⤵
- Executes dropped EXE
PID:1152 -
C:\Windows\SysWOW64\Fcingdbh.exeC:\Windows\system32\Fcingdbh.exe61⤵
- Executes dropped EXE
PID:2560 -
C:\Windows\SysWOW64\Fjcfco32.exeC:\Windows\system32\Fjcfco32.exe62⤵
- Executes dropped EXE
PID:2040 -
C:\Windows\SysWOW64\Fkdckgpc.exeC:\Windows\system32\Fkdckgpc.exe63⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:944 -
C:\Windows\SysWOW64\Fbnkha32.exeC:\Windows\system32\Fbnkha32.exe64⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1604 -
C:\Windows\SysWOW64\Fihcdkom.exeC:\Windows\system32\Fihcdkom.exe65⤵
- Executes dropped EXE
PID:2320 -
C:\Windows\SysWOW64\Ggnqfgce.exeC:\Windows\system32\Ggnqfgce.exe66⤵
- System Location Discovery: System Language Discovery
PID:336 -
C:\Windows\SysWOW64\Gbcecpck.exeC:\Windows\system32\Gbcecpck.exe67⤵PID:2484
-
C:\Windows\SysWOW64\Gjnigb32.exeC:\Windows\system32\Gjnigb32.exe68⤵PID:2604
-
C:\Windows\SysWOW64\Gqhadmhc.exeC:\Windows\system32\Gqhadmhc.exe69⤵PID:2708
-
C:\Windows\SysWOW64\Gnlbnagl.exeC:\Windows\system32\Gnlbnagl.exe70⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2476 -
C:\Windows\SysWOW64\Gnoocq32.exeC:\Windows\system32\Gnoocq32.exe71⤵PID:2156
-
C:\Windows\SysWOW64\Iekpdn32.exeC:\Windows\system32\Iekpdn32.exe72⤵PID:2216
-
C:\Windows\SysWOW64\Idpmejag.exeC:\Windows\system32\Idpmejag.exe73⤵PID:2260
-
C:\Windows\SysWOW64\Imhanp32.exeC:\Windows\system32\Imhanp32.exe74⤵PID:1696
-
C:\Windows\SysWOW64\Ipfnjkgk.exeC:\Windows\system32\Ipfnjkgk.exe75⤵PID:2920
-
C:\Windows\SysWOW64\Ifqfge32.exeC:\Windows\system32\Ifqfge32.exe76⤵
- Drops file in System32 directory
PID:1788 -
C:\Windows\SysWOW64\Ilmool32.exeC:\Windows\system32\Ilmool32.exe77⤵PID:1040
-
C:\Windows\SysWOW64\Iefchacp.exeC:\Windows\system32\Iefchacp.exe78⤵PID:2636
-
C:\Windows\SysWOW64\Jongag32.exeC:\Windows\system32\Jongag32.exe79⤵PID:2264
-
C:\Windows\SysWOW64\Jehpna32.exeC:\Windows\system32\Jehpna32.exe80⤵PID:2464
-
C:\Windows\SysWOW64\Jpndkj32.exeC:\Windows\system32\Jpndkj32.exe81⤵
- System Location Discovery: System Language Discovery
PID:264 -
C:\Windows\SysWOW64\Jaopcbga.exeC:\Windows\system32\Jaopcbga.exe82⤵PID:2960
-
C:\Windows\SysWOW64\Jkgelh32.exeC:\Windows\system32\Jkgelh32.exe83⤵
- Modifies registry class
PID:920 -
C:\Windows\SysWOW64\Jdpidm32.exeC:\Windows\system32\Jdpidm32.exe84⤵PID:2880
-
C:\Windows\SysWOW64\Jhnbklji.exeC:\Windows\system32\Jhnbklji.exe85⤵PID:2756
-
C:\Windows\SysWOW64\Jogjgf32.exeC:\Windows\system32\Jogjgf32.exe86⤵PID:2540
-
C:\Windows\SysWOW64\Jgbolhoa.exeC:\Windows\system32\Jgbolhoa.exe87⤵PID:1856
-
C:\Windows\SysWOW64\Kahciaog.exeC:\Windows\system32\Kahciaog.exe88⤵PID:2932
-
C:\Windows\SysWOW64\Kkqhbf32.exeC:\Windows\system32\Kkqhbf32.exe89⤵PID:2252
-
C:\Windows\SysWOW64\Kdilkllh.exeC:\Windows\system32\Kdilkllh.exe90⤵PID:2432
-
C:\Windows\SysWOW64\Kjfdcc32.exeC:\Windows\system32\Kjfdcc32.exe91⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1684 -
C:\Windows\SysWOW64\Kcnilhap.exeC:\Windows\system32\Kcnilhap.exe92⤵PID:1756
-
C:\Windows\SysWOW64\Khkadoog.exeC:\Windows\system32\Khkadoog.exe93⤵
- Drops file in System32 directory
PID:560 -
C:\Windows\SysWOW64\Kcqfahom.exeC:\Windows\system32\Kcqfahom.exe94⤵PID:1452
-
C:\Windows\SysWOW64\Kjjnnbfj.exeC:\Windows\system32\Kjjnnbfj.exe95⤵
- Drops file in System32 directory
PID:2608 -
C:\Windows\SysWOW64\Kccbgh32.exeC:\Windows\system32\Kccbgh32.exe96⤵PID:2620
-
C:\Windows\SysWOW64\Lhpkoo32.exeC:\Windows\system32\Lhpkoo32.exe97⤵PID:2580
-
C:\Windows\SysWOW64\Lnmcge32.exeC:\Windows\system32\Lnmcge32.exe98⤵PID:2972
-
C:\Windows\SysWOW64\Lfckhc32.exeC:\Windows\system32\Lfckhc32.exe99⤵PID:1092
-
C:\Windows\SysWOW64\Lkqdajhc.exeC:\Windows\system32\Lkqdajhc.exe100⤵PID:1044
-
C:\Windows\SysWOW64\Lbjlnd32.exeC:\Windows\system32\Lbjlnd32.exe101⤵PID:2084
-
C:\Windows\SysWOW64\Lkcqfifp.exeC:\Windows\system32\Lkcqfifp.exe102⤵PID:2096
-
C:\Windows\SysWOW64\Lbmicc32.exeC:\Windows\system32\Lbmicc32.exe103⤵
- Drops file in System32 directory
PID:2600 -
C:\Windows\SysWOW64\Lgiakjld.exeC:\Windows\system32\Lgiakjld.exe104⤵
- Drops file in System32 directory
PID:2340 -
C:\Windows\SysWOW64\Lmfjcajl.exeC:\Windows\system32\Lmfjcajl.exe105⤵PID:3068
-
C:\Windows\SysWOW64\Lfonlg32.exeC:\Windows\system32\Lfonlg32.exe106⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2588 -
C:\Windows\SysWOW64\Mqdbjp32.exeC:\Windows\system32\Mqdbjp32.exe107⤵PID:2948
-
C:\Windows\SysWOW64\Mgnkfjho.exeC:\Windows\system32\Mgnkfjho.exe108⤵PID:1296
-
C:\Windows\SysWOW64\Mpipkl32.exeC:\Windows\system32\Mpipkl32.exe109⤵PID:2140
-
C:\Windows\SysWOW64\Mpllpl32.exeC:\Windows\system32\Mpllpl32.exe110⤵PID:1980
-
C:\Windows\SysWOW64\Meidib32.exeC:\Windows\system32\Meidib32.exe111⤵PID:1292
-
C:\Windows\SysWOW64\Mlbmem32.exeC:\Windows\system32\Mlbmem32.exe112⤵PID:2680
-
C:\Windows\SysWOW64\Mifmoa32.exeC:\Windows\system32\Mifmoa32.exe113⤵
- System Location Discovery: System Language Discovery
PID:2120 -
C:\Windows\SysWOW64\Niijdq32.exeC:\Windows\system32\Niijdq32.exe114⤵PID:1120
-
C:\Windows\SysWOW64\Ncbkenba.exeC:\Windows\system32\Ncbkenba.exe115⤵PID:2512
-
C:\Windows\SysWOW64\Nafknbqk.exeC:\Windows\system32\Nafknbqk.exe116⤵PID:2200
-
C:\Windows\SysWOW64\Nhpdkm32.exeC:\Windows\system32\Nhpdkm32.exe117⤵
- Modifies registry class
PID:2288 -
C:\Windows\SysWOW64\Nnjlhg32.exeC:\Windows\system32\Nnjlhg32.exe118⤵PID:1612
-
C:\Windows\SysWOW64\Nfeqli32.exeC:\Windows\system32\Nfeqli32.exe119⤵PID:1640
-
C:\Windows\SysWOW64\Nakeib32.exeC:\Windows\system32\Nakeib32.exe120⤵PID:2348
-
C:\Windows\SysWOW64\Nlefjpid.exeC:\Windows\system32\Nlefjpid.exe121⤵PID:940
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-