Analysis

max time kernel: 118s
max time network: 17s
platform: windows7_x64
resource: win7-20240705-en
resource tags: arch:x64, arch:x86, image:win7-20240705-en, locale:en-us, os:windows7-x64, system
submitted: 27/07/2024, 11:04

Static task: static1 (1 signatures)
Behavioral task: behavioral1
Sample: baf338da1c3c2987b1bc254abb0c7e40N.exe
Resource: win7-20240705-en
8 signatures, 120 seconds

General

Target: baf338da1c3c2987b1bc254abb0c7e40N.exe
Size: 163KB
MD5: baf338da1c3c2987b1bc254abb0c7e40
SHA1: 9806bd3697815d2e0fb7dedec527a5b0cd522671
SHA256: 865580559c710d8aca5ee43ab1b7ce6da6fe0414d51a7b2b0aaec41205d688b2
SHA512: 6b46e083fe8e6353d4ab8105c808ef4bd1c37c2270d7a6e3e008c7367f16e9437fdf6c7305ac252a0267857321f10701a92836631679618c21deb9b74fc16361
SSDEEP: 3072:ctcT7y6Y6KO9PzkSHNw9PjwbCltOrWKDBr+yJb:ctiZKO9PYStw9wbCLOf
Score: 10/10
Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)

description | ioc | Process
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Fhmblljb.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ggifmgia.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Jmigke32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Aopcnbfj.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Dmcidqlf.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Fahdja32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Omdbfo32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Megmpi32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Phaegfpg.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Lhodgebh.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Phaegfpg.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Mcddca32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Oobkna32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Hbajjiml.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Lnpejklj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Bkimgflg.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Dcpagg32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Cceenilo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Gmlokdgp.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Pdmpgfae.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Afgoem32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bkfqbgni.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Pnkhfnea.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Imgjfe32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ipefba32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Kooimpao.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Nndkdn32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Feljja32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Gmqlgppo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Plfhfiqc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Feljja32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Abacjd32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Gnkkeg32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Jllggbde.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Cjmaed32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Lhjjle32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Kgfannba.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Fkaomm32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Eoeiniea.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Eained32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ocedieek.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Fliefa32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Qklhifhi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Hiieqd32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Cbpendha.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Dhdcfj32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Eafapd32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ofgfio32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Fnhnnc32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Hjlhcegl.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Fpphlp32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Fcodhl32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Fgmmnj32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Fhpflblk.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Nmglpjak.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Njklioqd.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Afebpmal.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Cpbiaiin.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Qklhifhi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Dhimaill.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ldqkqf32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Bakjfp32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Egnjbfqc.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ohjofgfo.exe
Executes dropped EXE (64 IoCs)

pid | Process
2332 | Ohdmhhod.exe
2816 | Odknmi32.exe
2708 | Omdbfo32.exe
2720 | Okhboc32.exe
2808 | Odpghiqc.exe
2752 | Okjoec32.exe
2596 | Ocedieek.exe
2172 | Pnkhfnea.exe
2388 | Plpehj32.exe
2440 | Phgfmk32.exe
2860 | Paojeafn.exe
2856 | Pldobjec.exe
984 | Phkohkkh.exe
1236 | Padcqp32.exe
2232 | Qklhifhi.exe
1676 | Qbfqfppe.exe
2108 | Qddmbkoi.exe
1608 | Qkoeoe32.exe
1912 | Qmpafnld.exe
1376 | Afjbecqb.exe
524 | Abacjd32.exe
764 | Amgggm32.exe
2040 | Acqpdgni.exe
876 | Ainhln32.exe
1808 | Aediaoae.exe
1320 | Bibagmhk.exe
2384 | Bnojpdfb.exe
2780 | Bkckihel.exe
2700 | Bmdgqp32.exe
2804 | Bjhgjdjd.exe
2840 | Bmfdfpih.exe
2564 | Bcqlcj32.exe
1492 | Bpgmhkfi.exe
1744 | Cjmaed32.exe
1128 | Cceenilo.exe
2848 | Cmnjgo32.exe
2820 | Ceioka32.exe
896 | Clcghk32.exe
1504 | Cekkaanh.exe
1300 | Clecnk32.exe
2164 | Cdphbm32.exe
2100 | Clgpckcb.exe
2964 | Ddbegmqm.exe
980 | Dmkipb32.exe
1244 | Dgcnihnn.exe
2012 | Dkojjgfg.exe
3044 | Daibfa32.exe
1636 | Ddgnbl32.exe
1468 | Didgkc32.exe
2756 | Dpnogmbl.exe
1552 | Dghgdg32.exe
2156 | Difcpc32.exe
2824 | Dlepmnhq.exe
3048 | Dcohih32.exe
2468 | Eemded32.exe
2620 | Elgmbnfn.exe
2688 | Eoeiniea.exe
2996 | Eadejede.exe
556 | Eljihn32.exe
2904 | Eohedi32.exe
2256 | Eafapd32.exe
3024 | Ehpjmoio.exe
1604 | Eojbii32.exe
3068 | Eained32.exe
Loads dropped DLL (64 IoCs)

pid | Process
1772 | baf338da1c3c2987b1bc254abb0c7e40N.exe
1772 | baf338da1c3c2987b1bc254abb0c7e40N.exe
2332 | Ohdmhhod.exe
2332 | Ohdmhhod.exe
2816 | Odknmi32.exe
2816 | Odknmi32.exe
2708 | Omdbfo32.exe
2708 | Omdbfo32.exe
2720 | Okhboc32.exe
2720 | Okhboc32.exe
2808 | Odpghiqc.exe
2808 | Odpghiqc.exe
2752 | Okjoec32.exe
2752 | Okjoec32.exe
2596 | Ocedieek.exe
2596 | Ocedieek.exe
2172 | Pnkhfnea.exe
2172 | Pnkhfnea.exe
2388 | Plpehj32.exe
2388 | Plpehj32.exe
2440 | Phgfmk32.exe
2440 | Phgfmk32.exe
2860 | Paojeafn.exe
2860 | Paojeafn.exe
2856 | Pldobjec.exe
2856 | Pldobjec.exe
984 | Phkohkkh.exe
984 | Phkohkkh.exe
1236 | Padcqp32.exe
1236 | Padcqp32.exe
2232 | Qklhifhi.exe
2232 | Qklhifhi.exe
1676 | Qbfqfppe.exe
1676 | Qbfqfppe.exe
2108 | Qddmbkoi.exe
2108 | Qddmbkoi.exe
1608 | Qkoeoe32.exe
1608 | Qkoeoe32.exe
1912 | Qmpafnld.exe
1912 | Qmpafnld.exe
1376 | Afjbecqb.exe
1376 | Afjbecqb.exe
524 | Abacjd32.exe
524 | Abacjd32.exe
764 | Amgggm32.exe
764 | Amgggm32.exe
2040 | Acqpdgni.exe
2040 | Acqpdgni.exe
876 | Ainhln32.exe
876 | Ainhln32.exe
3040 | Bakjfp32.exe
3040 | Bakjfp32.exe
1320 | Bibagmhk.exe
1320 | Bibagmhk.exe
2384 | Bnojpdfb.exe
2384 | Bnojpdfb.exe
2780 | Bkckihel.exe
2780 | Bkckihel.exe
2700 | Bmdgqp32.exe
2700 | Bmdgqp32.exe
2804 | Bjhgjdjd.exe
2804 | Bjhgjdjd.exe
2840 | Bmfdfpih.exe
2840 | Bmfdfpih.exe
Drops file in System32 directory (64 IoCs)

description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\Dehdpnok.exe | Dkbpbe32.exe
File created | C:\Windows\SysWOW64\Gobnljhp.exe | Gnaadb32.exe
File created | C:\Windows\SysWOW64\Immhck32.dll | Plfhfiqc.exe
File opened for modification | C:\Windows\SysWOW64\Agkhbece.exe | Admlfida.exe
File created | C:\Windows\SysWOW64\Bkfqbgni.exe | Bfjhippb.exe
File opened for modification | C:\Windows\SysWOW64\Oobkna32.exe | Olcoaf32.exe
File created | C:\Windows\SysWOW64\Plfhfiqc.exe | Pncgjl32.exe
File opened for modification | C:\Windows\SysWOW64\Hnoane32.exe | Holqbipe.exe
File created | C:\Windows\SysWOW64\Fpphlp32.exe | Enblpe32.exe
File created | C:\Windows\SysWOW64\Gnkkeg32.exe | Ggabhmge.exe
File created | C:\Windows\SysWOW64\Mjkpjkni.exe | Mbdhinmf.exe
File created | C:\Windows\SysWOW64\Palgek32.exe | Pieodn32.exe
File opened for modification | C:\Windows\SysWOW64\Aopcnbfj.exe | Akdgmd32.exe
File opened for modification | C:\Windows\SysWOW64\Deegjo32.exe | Dbgknc32.exe
File created | C:\Windows\SysWOW64\Iijjpgeh.dll | baf338da1c3c2987b1bc254abb0c7e40N.exe
File opened for modification | C:\Windows\SysWOW64\Dcohih32.exe | Dlepmnhq.exe
File created | C:\Windows\SysWOW64\Dmebke32.dll | Lbieejff.exe
File created | C:\Windows\SysWOW64\Kkpcjmne.dll | Hgconl32.exe
File created | C:\Windows\SysWOW64\Jlaqba32.exe | Jibdff32.exe
File created | C:\Windows\SysWOW64\Aljkdc32.dll | Mcmnbbja.exe
File opened for modification | C:\Windows\SysWOW64\Fddcqm32.exe | Faegda32.exe
File created | C:\Windows\SysWOW64\Kqeeabhm.dll | Gnaadb32.exe
File created | C:\Windows\SysWOW64\Knjclp32.dll | Okhboc32.exe
File created | C:\Windows\SysWOW64\Hdpbnp32.dll | Dcohih32.exe
File created | C:\Windows\SysWOW64\Hgconl32.exe | Gaigab32.exe
File created | C:\Windows\SysWOW64\Ajidnp32.exe | Agkhbece.exe
File opened for modification | C:\Windows\SysWOW64\Boblbe32.exe | Bkfqbgni.exe
File opened for modification | C:\Windows\SysWOW64\Fknlmggc.exe | Fgbpmh32.exe
File opened for modification | C:\Windows\SysWOW64\Epnkfq32.exe | Eomoohoi.exe
File created | C:\Windows\SysWOW64\Fhpflblk.exe | Fccncknc.exe
File created | C:\Windows\SysWOW64\Hnkboc32.dll | Hjlhcegl.exe
File opened for modification | C:\Windows\SysWOW64\Penlon32.exe | Pdmpgfae.exe
File created | C:\Windows\SysWOW64\Fbhdic32.dll | Dehdpnok.exe
File created | C:\Windows\SysWOW64\Fhmblljb.exe | Fdafkm32.exe
File created | C:\Windows\SysWOW64\Mlcipnga.dll | Hpgcfmge.exe
File opened for modification | C:\Windows\SysWOW64\Qklhifhi.exe | Padcqp32.exe
File created | C:\Windows\SysWOW64\Iaqbih32.dll | Ldedlfhl.exe
File created | C:\Windows\SysWOW64\Ehkadjdg.dll | Qpfmageg.exe
File created | C:\Windows\SysWOW64\Dfnlkl32.dll | Jlodma32.exe
File created | C:\Windows\SysWOW64\Janijh32.exe | Jlaqba32.exe
File created | C:\Windows\SysWOW64\Glfmnp32.dll | Cdphbm32.exe
File created | C:\Windows\SysWOW64\Pajjpk32.exe | Pmnnomnn.exe
File opened for modification | C:\Windows\SysWOW64\Daibfa32.exe | Dkojjgfg.exe
File opened for modification | C:\Windows\SysWOW64\Gcbchhmc.exe | Gmhkkn32.exe
File created | C:\Windows\SysWOW64\Njcoalho.dll | Plpehj32.exe
File created | C:\Windows\SysWOW64\Jebojh32.exe | Ipefba32.exe
File created | C:\Windows\SysWOW64\Oeffak32.dll | Ephkak32.exe
File created | C:\Windows\SysWOW64\Bamnjpji.dll | Jodfilko.exe
File opened for modification | C:\Windows\SysWOW64\Bjcgdojn.exe | Bblocaik.exe
File opened for modification | C:\Windows\SysWOW64\Fkphcg32.exe | Fdfpfm32.exe
File created | C:\Windows\SysWOW64\Nagakhfn.exe | Njnion32.exe
File opened for modification | C:\Windows\SysWOW64\Holqbipe.exe | Hgdhakpb.exe
File opened for modification | C:\Windows\SysWOW64\Acqpdgni.exe | Amgggm32.exe
File created | C:\Windows\SysWOW64\Bjhgjdjd.exe | Bmdgqp32.exe
File created | C:\Windows\SysWOW64\Lbghpjih.exe | Lohlcoid.exe
File opened for modification | C:\Windows\SysWOW64\Afjbecqb.exe | Qmpafnld.exe
File created | C:\Windows\SysWOW64\Admlfida.exe | Aopcnbfj.exe
File created | C:\Windows\SysWOW64\Cgfdmf32.exe | Cmappn32.exe
File created | C:\Windows\SysWOW64\Hbfappjm.dll | Mbdhinmf.exe
File created | C:\Windows\SysWOW64\Fldeakgp.exe | Fieiephm.exe
File created | C:\Windows\SysWOW64\Annhoa32.dll | Gddppp32.exe
File created | C:\Windows\SysWOW64\Idhplaoe.exe | Ibfcei32.exe
File created | C:\Windows\SysWOW64\Dmhfpmee.exe | Diljpn32.exe
File created | C:\Windows\SysWOW64\Lfefchpb.dll | Gcbchhmc.exe
Program crash (1 IoCs)

pid | pid_target | Process | procid_target
4296 | 4172 | WerFault.exe | 423
System Location Discovery: System Language Discovery (1 TTPs, 64 IoCs)

Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Njnion32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Pmnnomnn.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Eiclop32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Hjlhcegl.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Hjdhpg32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Mocogc32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Clhifj32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Gkjbcl32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Amjmpk32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Milcphgf.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Cjepib32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ceioka32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Fliefa32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Hmeaaboe.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ieglfd32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Fkaomm32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Kcmbco32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Bqhffj32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Cjnjhcqo.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Knnmeh32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Kjngjj32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Beaaplbg.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Fldeakgp.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Qkoeoe32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Clgpckcb.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Eadejede.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Eghcckld.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Gglimm32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Hffpiikm.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Hnhjok32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Jbhlilip.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Nbknjm32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Pcbmhb32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Didgkc32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Hmphfc32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Dpfblh32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Knlpphnd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Cihqdoaa.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Fkibbh32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Cekkaanh.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Dkojjgfg.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Hembfo32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Hjjknfin.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Gfobndnj.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Gbhpidak.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Afjbecqb.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Cjmaed32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Jlodma32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Nnghjm32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ajnnipnc.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Fieiephm.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Icgibkki.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Gbmdpg32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Peqidn32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Elgmbnfn.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Fdicfbpl.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Kjgjpiob.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Odcmagip.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Bjhgjdjd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Plfhfiqc.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Padcqp32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Oobkna32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ocedieek.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Hinolcbf.exe
Modifies registry class (64 IoCs)

description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Eemded32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Ipnigl32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Ceioka32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Milcphgf.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Pkpacaoj.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738} | baf338da1c3c2987b1bc254abb0c7e40N.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Ainhln32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ehemnf32.dll" | Elgmbnfn.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Enblpe32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Boblbe32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ejnjlm32.dll" | Diofenki.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oapemdml.dll" | Fpphlp32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Mcagma32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Mbiadm32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Pdjcaf32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmbaklha.dll" | Cnlcoage.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Eeecibci.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Dlepmnhq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhignd32.dll" | Odcmagip.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Pecikj32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Icgibkki.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Phgfmk32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Kpjlldmg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gedelbdk.dll" | Njfbno32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Nnghjm32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oinldeif.dll" | Phcbmend.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbogkp32.dll" | Bngicb32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Hgnkgjgh.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ilnfjl32.dll" | Bcqlcj32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjdbbkpk.dll" | Kcmbco32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Mdjnge32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Nmglpjak.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcjlog32.dll" | Alojlgii.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Diofenki.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Bbnlia32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Fgbpmh32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Lcooinfc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Ndadld32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Hkenmidf.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Ihclmp32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Lhjjle32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Nhhfbd32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Goidmibg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Bkckihel.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Nhombc32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihgajl32.dll" | Hqmmja32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Eafapd32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Hjdhpg32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Ohjofgfo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Adaeai32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmneadka.dll" | Feljja32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Ddbegmqm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Gmqlgppo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Jhhagb32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Pecikj32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mniiepja.dll" | Pecikj32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ncopaf32.dll" | Ncogge32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Doijkg32.dll" | Pkpacaoj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmfehcia.dll" | Hgdhakpb.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Eljihn32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdapdcdj.dll" | Fogkhf32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Idmqai32.dll" | Hinolcbf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Kgfannba.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmijiiao.dll" | Mcddca32.exe
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target
PID 1772 wrote to memory of 2332 1772 baf338da1c3c2987b1bc254abb0c7e40N.exe 29
PID 1772 wrote to memory of 2332 1772 baf338da1c3c2987b1bc254abb0c7e40N.exe 29
PID 1772 wrote to memory of 2332 1772 baf338da1c3c2987b1bc254abb0c7e40N.exe 29
PID 1772 wrote to memory of 2332 1772 baf338da1c3c2987b1bc254abb0c7e40N.exe 29
PID 2332 wrote to memory of 2816 2332 Ohdmhhod.exe 30
PID 2332 wrote to memory of 2816 2332 Ohdmhhod.exe 30
PID 2332 wrote to memory of 2816 2332 Ohdmhhod.exe 30
PID 2332 wrote to memory of 2816 2332 Ohdmhhod.exe 30
PID 2816 wrote to memory of 2708 2816 Odknmi32.exe 31
PID 2816 wrote to memory of 2708 2816 Odknmi32.exe 31
PID 2816 wrote to memory of 2708 2816 Odknmi32.exe 31
PID 2816 wrote to memory of 2708 2816 Odknmi32.exe 31
PID 2708 wrote to memory of 2720 2708 Omdbfo32.exe 32
PID 2708 wrote to memory of 2720 2708 Omdbfo32.exe 32
PID 2708 wrote to memory of 2720 2708 Omdbfo32.exe 32
PID 2708 wrote to memory of 2720 2708 Omdbfo32.exe 32
PID 2720 wrote to memory of 2808 2720 Okhboc32.exe 33
PID 2720 wrote to memory of 2808 2720 Okhboc32.exe 33
PID 2720 wrote to memory of 2808 2720 Okhboc32.exe 33
PID 2720 wrote to memory of 2808 2720 Okhboc32.exe 33
PID 2808 wrote to memory of 2752 2808 Odpghiqc.exe 34
PID 2808 wrote to memory of 2752 2808 Odpghiqc.exe 34
PID 2808 wrote to memory of 2752 2808 Odpghiqc.exe 34
PID 2808 wrote to memory of 2752 2808 Odpghiqc.exe 34
PID 2752 wrote to memory of 2596 2752 Okjoec32.exe 35
PID 2752 wrote to memory of 2596 2752 Okjoec32.exe 35
PID 2752 wrote to memory of 2596 2752 Okjoec32.exe 35
PID 2752 wrote to memory of 2596 2752 Okjoec32.exe 35
PID 2596 wrote to memory of 2172 2596 Ocedieek.exe 36
PID 2596 wrote to memory of 2172 2596 Ocedieek.exe 36
PID 2596 wrote to memory of 2172 2596 Ocedieek.exe 36
PID 2596 wrote to memory of 2172 2596 Ocedieek.exe 36
PID 2172 wrote to memory of 2388 2172 Pnkhfnea.exe 37
PID 2172 wrote to memory of 2388 2172 Pnkhfnea.exe 37
PID 2172 wrote to memory of 2388 2172 Pnkhfnea.exe 37
PID 2172 wrote to memory of 2388 2172 Pnkhfnea.exe 37
PID 2388 wrote to memory of 2440 2388 Plpehj32.exe 38
PID 2388 wrote to memory of 2440 2388 Plpehj32.exe 38
PID 2388 wrote to memory of 2440 2388 Plpehj32.exe 38
PID 2388 wrote to memory of 2440 2388 Plpehj32.exe 38
PID 2440 wrote to memory of 2860 2440 Phgfmk32.exe 39
PID 2440 wrote to memory of 2860 2440 Phgfmk32.exe 39
PID 2440 wrote to memory of 2860 2440 Phgfmk32.exe 39
PID 2440 wrote to memory of 2860 2440 Phgfmk32.exe 39
PID 2860 wrote to memory of 2856 2860 Paojeafn.exe 40
PID 2860 wrote to memory of 2856 2860 Paojeafn.exe 40
PID 2860 wrote to memory of 2856 2860 Paojeafn.exe 40
PID 2860 wrote to memory of 2856 2860 Paojeafn.exe 40
PID 2856 wrote to memory of 984 2856 Pldobjec.exe 41
PID 2856 wrote to memory of 984 2856 Pldobjec.exe 41
PID 2856 wrote to memory of 984 2856 Pldobjec.exe 41
PID 2856 wrote to memory of 984 2856 Pldobjec.exe 41
PID 984 wrote to memory of 1236 984 Phkohkkh.exe 42
PID 984 wrote to memory of 1236 984 Phkohkkh.exe 42
PID 984 wrote to memory of 1236 984 Phkohkkh.exe 42
PID 984 wrote to memory of 1236 984 Phkohkkh.exe 42
PID 1236 wrote to memory of 2232 1236 Padcqp32.exe 43
PID 1236 wrote to memory of 2232 1236 Padcqp32.exe 43
PID 1236 wrote to memory of 2232 1236 Padcqp32.exe 43
PID 1236 wrote to memory of 2232 1236 Padcqp32.exe 43
PID 2232 wrote to memory of 1676 2232 Qklhifhi.exe 44
PID 2232 wrote to memory of 1676 2232 Qklhifhi.exe 44
PID 2232 wrote to memory of 1676 2232 Qklhifhi.exe 44
PID 2232 wrote to memory of 1676 2232 Qklhifhi.exe 44
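The two signature blocks above record the same behaviour one event at a time: the registry rows chain an entry under ShellServiceObjectDelayLoad (SSODL) to a CLSID whose InProcServer32 default value names a freshly dropped DLL in SysWow64 (Explorer.exe loads every DLL registered that way at logon), and the WriteProcessMemory rows show each dropped executable spawning exactly one successor with a pseudo-random 8-character name. The following is an added example, not part of the sandbox report and not the sample's code: two detection rules in Python run over excerpts of these rows. Registry rows 2 to 5 are copied from the report; row 1 is constructed for the example (the value name "Example Delay Load" is invented, the CLSID and the writer Ocedieek.exe, which the process tree flags for the autorun key, are the report's). The four WriteProcessMemory pairs are the report's first four; the sandbox records every call, so each pair appears four times, which the parser collapses. The name heuristic `RANDOM_IMAGE` is an assumption for this sample's naming style, not a general rule.

```python
r"""Detection logic run over this report's own event rows (added example; not part
of the sandbox report and not the sample's code). Two rules:
  1. SSODL persistence: a value under ...\CurrentVersion\ShellServiceObjectDelayLoad
     names a CLSID; that CLSID's InProcServer32 default value names a DLL, which
     Explorer.exe loads at logon.
  2. Dropped-binary relay: every process spawns exactly one successor whose image
     name is an 8-character pseudo-random string (Ohdmhhod.exe, Odknmi32.exe, ...).
"""
import re
from collections import OrderedDict

# Rows 2-5 are copied from the "Modifies registry class" rows above. Row 1 is
# CONSTRUCTED for this example: the value name "Example Delay Load" is invented;
# the CLSID and the writer (Ocedieek.exe, flagged "Adds autorun key ..." in the
# process tree) come from the report.
REGISTRY_ROWS = r'''
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Example Delay Load = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ocedieek.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ihclmp32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nhhfbd32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihgajl32.dll" Hqmmja32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmijiiao.dll" Mcddca32.exe
'''

# First four parent->child pairs of the WriteProcessMemory section. The sandbox
# records every call, so each pair appears four times there; reproduced here.
PAIRS = [
    'PID 1772 wrote to memory of 2332 1772 baf338da1c3c2987b1bc254abb0c7e40N.exe 29',
    'PID 2332 wrote to memory of 2816 2332 Ohdmhhod.exe 30',
    'PID 2816 wrote to memory of 2708 2816 Odknmi32.exe 31',
    'PID 2708 wrote to memory of 2720 2708 Omdbfo32.exe 32',
]
WPM_ROWS = ' '.join(' '.join([p] * 4) for p in PAIRS)

REG_RE = re.compile(r'^(?P<op>Key created|Set value \(str\)) (?P<path>\\REGISTRY\\.+?)'
                    r'(?: = "(?P<value>.*)")? (?P<proc>\S+\.exe)$', re.MULTILINE)
WPM_RE = re.compile(r'PID (?P<parent>\d+) wrote to memory of (?P<child>\d+) (?P=parent) '
                    r'(?P<image>\S+) (?P<target>\d+)')
CLSID_SERVER_RE = re.compile(r'\\CLSID\\(\{[0-9A-F-]+\})\\InProcServer32\\$', re.I)
SSODL = '\\CurrentVersion\\ShellServiceObjectDelayLoad\\'
# Heuristic only (assumed from this sample's names): capitalised 8-char image,
# optionally ending in "32". Pair it with image location and the relay check.
RANDOM_IMAGE = re.compile(r'^[A-Z][a-z]{5}(?:[a-z]{2}|32)\.exe$')


def parse_registry_rows(text):
    """Return (op, path, value or None, writer) per row; unparsable rows are skipped."""
    return [(m['op'], m['path'], m['value'], m['proc']) for m in REG_RE.finditer(text)]


def ssodl_persistence(rows):
    """Rule 1: for every CLSID registered under SSODL, collect the DLL(s) that its
    InProcServer32 default value names and every process that touched the chain."""
    hits = {}
    for _op, path, value, writer in rows:
        if SSODL.lower() in path.lower() and value and value.startswith('{'):
            hit = hits.setdefault(value.upper(), {'ssodl_value': path.rsplit('\\', 1)[1],
                                                  'dlls': [], 'writers': set()})
            hit['writers'].add(writer)
    for _op, path, value, writer in rows:
        m = CLSID_SERVER_RE.search(path)
        if m and value and m.group(1).upper() in hits:
            hit = hits[m.group(1).upper()]
            hit['dlls'].append(value.replace('\\\\', '\\'))  # undo the report's doubled backslashes
            hit['writers'].add(writer)
    return hits


def process_edges(text):
    """Rule 2a: collapse repeated WriteProcessMemory records into parent->child edges,
    keeping the writer's image and how many records backed the edge."""
    edges = OrderedDict()
    for m in WPM_RE.finditer(text):
        key = (int(m['parent']), int(m['child']))
        image, seen = edges.get(key, (m['image'], 0))
        edges[key] = (image, seen + 1)
    return edges


def relay_chain(edges, root_pid):
    """Rule 2b: walk from root_pid while each process has exactly one child;
    returns [(pid, image), ...] for every spawner on the path."""
    by_parent = {}
    for (parent, child), (image, _) in edges.items():
        by_parent.setdefault(parent, []).append((child, image))
    hops, pid = [], root_pid
    while len(by_parent.get(pid, [])) == 1:
        child, image = by_parent[pid][0]
        hops.append((pid, image))
        pid = child
    return hops


def is_dropped_relay(hops, min_hops=3):
    """True when at least min_hops spawners after the root carry pseudo-random names."""
    spawned = [image for _, image in hops[1:]]
    return len(spawned) >= min_hops and all(RANDOM_IMAGE.match(i) for i in spawned)


if __name__ == '__main__':
    for clsid, hit in ssodl_persistence(parse_registry_rows(REGISTRY_ROWS)).items():
        print(f'SSODL "{hit["ssodl_value"]}" -> {clsid} -> {hit["dlls"]} writers={sorted(hit["writers"])}')
    hops = relay_chain(process_edges(WPM_ROWS), 1772)
    print('relay:', ' -> '.join(image for _, image in hops), '| flagged:', is_dropped_relay(hops))
```

On a live host the same two checks translate directly: enumerate both SSODL keys (the native one and the Wow6432Node view the report shows being written), resolve each value's CLSID to its InProcServer32 default value, and treat any DLL under SysWOW64 that is not a signed Windows component as a hit. The image-name heuristic on its own is weak (a legitimate eight-letter binary could match if capitalised the same way); the stronger signal is the relay shape, a strictly linear chain of single-child processes all living in SysWOW64.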
Processes
-
C:\Users\Admin\AppData\Local\Temp\baf338da1c3c2987b1bc254abb0c7e40N.exe (depth 1; command line: "C:\Users\Admin\AppData\Local\Temp\baf338da1c3c2987b1bc254abb0c7e40N.exe")
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1772 -
C:\Windows\SysWOW64\Ohdmhhod.exe (depth 2; command line: C:\Windows\system32\Ohdmhhod.exe)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2332 -
C:\Windows\SysWOW64\Odknmi32.exe (depth 3; command line: C:\Windows\system32\Odknmi32.exe)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2816 -
C:\Windows\SysWOW64\Omdbfo32.exe (depth 4; command line: C:\Windows\system32\Omdbfo32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2708 -
C:\Windows\SysWOW64\Okhboc32.exe (depth 5; command line: C:\Windows\system32\Okhboc32.exe)
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2720 -
C:\Windows\SysWOW64\Odpghiqc.exe (depth 6; command line: C:\Windows\system32\Odpghiqc.exe)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2808 -
C:\Windows\SysWOW64\Okjoec32.exe (depth 7; command line: C:\Windows\system32\Okjoec32.exe)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2752 -
C:\Windows\SysWOW64\Ocedieek.exe (depth 8; command line: C:\Windows\system32\Ocedieek.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2596 -
C:\Windows\SysWOW64\Pnkhfnea.exe (depth 9; command line: C:\Windows\system32\Pnkhfnea.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2172 -
C:\Windows\SysWOW64\Plpehj32.exe (depth 10; command line: C:\Windows\system32\Plpehj32.exe)
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2388 -
C:\Windows\SysWOW64\Phgfmk32.exe (depth 11; command line: C:\Windows\system32\Phgfmk32.exe)
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2440 -
C:\Windows\SysWOW64\Paojeafn.exe (depth 12; command line: C:\Windows\system32\Paojeafn.exe)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2860 -
C:\Windows\SysWOW64\Pldobjec.exe (depth 13; command line: C:\Windows\system32\Pldobjec.exe)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2856 -
C:\Windows\SysWOW64\Phkohkkh.exe (depth 14; command line: C:\Windows\system32\Phkohkkh.exe)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:984 -
C:\Windows\SysWOW64\Padcqp32.exe (depth 15; command line: C:\Windows\system32\Padcqp32.exe)
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1236 -
C:\Windows\SysWOW64\Qklhifhi.exe (depth 16; command line: C:\Windows\system32\Qklhifhi.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2232 -
C:\Windows\SysWOW64\Qbfqfppe.exe (depth 17; command line: C:\Windows\system32\Qbfqfppe.exe)
- Executes dropped EXE
- Loads dropped DLL
PID:1676 -
C:\Windows\SysWOW64\Qddmbkoi.exe (depth 18; command line: C:\Windows\system32\Qddmbkoi.exe)
- Executes dropped EXE
- Loads dropped DLL
PID:2108 -
C:\Windows\SysWOW64\Qkoeoe32.exe (depth 19; command line: C:\Windows\system32\Qkoeoe32.exe)
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1608 -
C:\Windows\SysWOW64\Qmpafnld.exe (depth 20; command line: C:\Windows\system32\Qmpafnld.exe)
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1912 -
C:\Windows\SysWOW64\Afjbecqb.exe (depth 21; command line: C:\Windows\system32\Afjbecqb.exe)
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1376 -
C:\Windows\SysWOW64\Abacjd32.exe (depth 22; command line: C:\Windows\system32\Abacjd32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:524 -
C:\Windows\SysWOW64\Amgggm32.exe (depth 23; command line: C:\Windows\system32\Amgggm32.exe)
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:764 -
C:\Windows\SysWOW64\Acqpdgni.exe (depth 24; command line: C:\Windows\system32\Acqpdgni.exe)
- Executes dropped EXE
- Loads dropped DLL
PID:2040 -
C:\Windows\SysWOW64\Ainhln32.exe (depth 25; command line: C:\Windows\system32\Ainhln32.exe)
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:876 -
C:\Windows\SysWOW64\Aediaoae.exe (depth 26; command line: C:\Windows\system32\Aediaoae.exe)
- Executes dropped EXE
PID:1808 -
C:\Windows\SysWOW64\Bakjfp32.exe (depth 27; command line: C:\Windows\system32\Bakjfp32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
PID:3040 -
C:\Windows\SysWOW64\Bibagmhk.exe (depth 28; command line: C:\Windows\system32\Bibagmhk.exe)
- Executes dropped EXE
- Loads dropped DLL
PID:1320 -
C:\Windows\SysWOW64\Bnojpdfb.exe (depth 29; command line: C:\Windows\system32\Bnojpdfb.exe)
- Executes dropped EXE
- Loads dropped DLL
PID:2384 -
C:\Windows\SysWOW64\Bkckihel.exe (depth 30; command line: C:\Windows\system32\Bkckihel.exe)
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2780 -
C:\Windows\SysWOW64\Bmdgqp32.exe (depth 31; command line: C:\Windows\system32\Bmdgqp32.exe)
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2700 -
C:\Windows\SysWOW64\Bjhgjdjd.exe (depth 32; command line: C:\Windows\system32\Bjhgjdjd.exe)
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2804 -
C:\Windows\SysWOW64\Bmfdfpih.exe (depth 33; command line: C:\Windows\system32\Bmfdfpih.exe)
- Executes dropped EXE
- Loads dropped DLL
PID:2840 -
C:\Windows\SysWOW64\Bcqlcj32.exe (depth 34; command line: C:\Windows\system32\Bcqlcj32.exe)
- Executes dropped EXE
- Modifies registry class
PID:2564 -
C:\Windows\SysWOW64\Bpgmhkfi.exe (depth 35; command line: C:\Windows\system32\Bpgmhkfi.exe)
- Executes dropped EXE
PID:1492 -
C:\Windows\SysWOW64\Cjmaed32.exe (depth 36; command line: C:\Windows\system32\Cjmaed32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1744 -
C:\Windows\SysWOW64\Cceenilo.exe (depth 37; command line: C:\Windows\system32\Cceenilo.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1128 -
C:\Windows\SysWOW64\Cmnjgo32.exe (depth 38; command line: C:\Windows\system32\Cmnjgo32.exe)
- Executes dropped EXE
PID:2848 -
C:\Windows\SysWOW64\Ceioka32.exe (depth 39; command line: C:\Windows\system32\Ceioka32.exe)
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2820 -
C:\Windows\SysWOW64\Clcghk32.exe (depth 40; command line: C:\Windows\system32\Clcghk32.exe)
- Executes dropped EXE
PID:896 -
C:\Windows\SysWOW64\Cekkaanh.exe (depth 41; command line: C:\Windows\system32\Cekkaanh.exe)
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1504 -
C:\Windows\SysWOW64\Clecnk32.exe (depth 42; command line: C:\Windows\system32\Clecnk32.exe)
- Executes dropped EXE
PID:1300 -
C:\Windows\SysWOW64\Cdphbm32.exe (depth 43; command line: C:\Windows\system32\Cdphbm32.exe)
- Executes dropped EXE
- Drops file in System32 directory
PID:2164 -
C:\Windows\SysWOW64\Clgpckcb.exe (depth 44; command line: C:\Windows\system32\Clgpckcb.exe)
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2100 -
C:\Windows\SysWOW64\Ddbegmqm.exe (depth 45; command line: C:\Windows\system32\Ddbegmqm.exe)
- Executes dropped EXE
- Modifies registry class
PID:2964 -
C:\Windows\SysWOW64\Dmkipb32.exe (depth 46; command line: C:\Windows\system32\Dmkipb32.exe)
- Executes dropped EXE
PID:980 -
C:\Windows\SysWOW64\Dgcnihnn.exe (depth 47; command line: C:\Windows\system32\Dgcnihnn.exe)
- Executes dropped EXE
PID:1244 -
C:\Windows\SysWOW64\Dkojjgfg.exe (depth 48; command line: C:\Windows\system32\Dkojjgfg.exe)
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2012 -
C:\Windows\SysWOW64\Daibfa32.exe (depth 49; command line: C:\Windows\system32\Daibfa32.exe)
- Executes dropped EXE
PID:3044 -
C:\Windows\SysWOW64\Ddgnbl32.exe (depth 50; command line: C:\Windows\system32\Ddgnbl32.exe)
- Executes dropped EXE
PID:1636 -
C:\Windows\SysWOW64\Didgkc32.exe (depth 51; command line: C:\Windows\system32\Didgkc32.exe)
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1468 -
C:\Windows\SysWOW64\Dpnogmbl.exe (depth 52; command line: C:\Windows\system32\Dpnogmbl.exe)
- Executes dropped EXE
PID:2756 -
C:\Windows\SysWOW64\Dghgdg32.exe (depth 53; command line: C:\Windows\system32\Dghgdg32.exe)
- Executes dropped EXE
PID:1552 -
C:\Windows\SysWOW64\Difcpc32.exe (depth 54; command line: C:\Windows\system32\Difcpc32.exe)
- Executes dropped EXE
PID:2156 -
C:\Windows\SysWOW64\Dlepmnhq.exe (depth 55; command line: C:\Windows\system32\Dlepmnhq.exe)
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2824 -
C:\Windows\SysWOW64\Dcohih32.exe (depth 56; command line: C:\Windows\system32\Dcohih32.exe)
- Executes dropped EXE
- Drops file in System32 directory
PID:3048 -
C:\Windows\SysWOW64\Eemded32.exe (depth 57; command line: C:\Windows\system32\Eemded32.exe)
- Executes dropped EXE
- Modifies registry class
PID:2468 -
C:\Windows\SysWOW64\Elgmbnfn.exe (depth 58; command line: C:\Windows\system32\Elgmbnfn.exe)
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2620 -
C:\Windows\SysWOW64\Eoeiniea.exe (depth 59; command line: C:\Windows\system32\Eoeiniea.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2688 -
C:\Windows\SysWOW64\Eadejede.exe (depth 60; command line: C:\Windows\system32\Eadejede.exe)
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2996 -
C:\Windows\SysWOW64\Eljihn32.exe (depth 61; command line: C:\Windows\system32\Eljihn32.exe)
- Executes dropped EXE
- Modifies registry class
PID:556 -
C:\Windows\SysWOW64\Eohedi32.exe (depth 62; command line: C:\Windows\system32\Eohedi32.exe)
- Executes dropped EXE
PID:2904 -
C:\Windows\SysWOW64\Eafapd32.exe (depth 63; command line: C:\Windows\system32\Eafapd32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:2256 -
C:\Windows\SysWOW64\Ehpjmoio.exe (depth 64; command line: C:\Windows\system32\Ehpjmoio.exe)
- Executes dropped EXE
PID:3024 -
C:\Windows\SysWOW64\Eojbii32.exe (depth 65; command line: C:\Windows\system32\Eojbii32.exe)
- Executes dropped EXE
PID:1604 -
C:\Windows\SysWOW64\Eained32.exe (depth 66; command line: C:\Windows\system32\Eained32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3068 -
C:\Windows\SysWOW64\Ehbgbngm.exe (depth 67; command line: C:\Windows\system32\Ehbgbngm.exe)
PID:2140 -
C:\Windows\SysWOW64\Ekacnjfp.exe (depth 68; command line: C:\Windows\system32\Ekacnjfp.exe)
PID:2120 -
C:\Windows\SysWOW64\Eomoohoi.exe (depth 69; command line: C:\Windows\system32\Eomoohoi.exe)
- Drops file in System32 directory
PID:2968 -
C:\Windows\SysWOW64\Epnkfq32.exe (depth 70; command line: C:\Windows\system32\Epnkfq32.exe)
PID:2304 -
C:\Windows\SysWOW64\Eghcckld.exe (depth 71; command line: C:\Windows\system32\Eghcckld.exe)
- System Location Discovery: System Language Discovery
PID:2200 -
C:\Windows\SysWOW64\Enblpe32.exe (depth 72; command line: C:\Windows\system32\Enblpe32.exe)
- Drops file in System32 directory
- Modifies registry class
PID:2812 -
C:\Windows\SysWOW64\Fpphlp32.exe (depth 73; command line: C:\Windows\system32\Fpphlp32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:1584 -
C:\Windows\SysWOW64\Fcodhl32.exe (depth 74; command line: C:\Windows\system32\Fcodhl32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2676 -
C:\Windows\SysWOW64\Fndhed32.exe (depth 75; command line: C:\Windows\system32\Fndhed32.exe)
PID:3056 -
C:\Windows\SysWOW64\Fdnabo32.exe (depth 76; command line: C:\Windows\system32\Fdnabo32.exe)
PID:2612 -
C:\Windows\SysWOW64\Fgmmnj32.exe (depth 77; command line: C:\Windows\system32\Fgmmnj32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2268 -
C:\Windows\SysWOW64\Fjkije32.exe (depth 78; command line: C:\Windows\system32\Fjkije32.exe)
PID:2432 -
C:\Windows\SysWOW64\Fliefa32.exe (depth 79; command line: C:\Windows\system32\Fliefa32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:2504 -
C:\Windows\SysWOW64\Fccncknc.exe (depth 80; command line: C:\Windows\system32\Fccncknc.exe)
- Drops file in System32 directory
PID:2876 -
C:\Windows\SysWOW64\Fhpflblk.exe (depth 81; command line: C:\Windows\system32\Fhpflblk.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1916 -
C:\Windows\SysWOW64\Fbhkdgbk.exe (depth 82; command line: C:\Windows\system32\Fbhkdgbk.exe)
PID:1380 -
C:\Windows\SysWOW64\Fhbcaa32.exe (depth 83; command line: C:\Windows\system32\Fhbcaa32.exe)
PID:2404 -
C:\Windows\SysWOW64\Fkaomm32.exe (depth 84; command line: C:\Windows\system32\Fkaomm32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:1692 -
C:\Windows\SysWOW64\Fdicfbpl.exe (depth 85; command line: C:\Windows\system32\Fdicfbpl.exe)
- System Location Discovery: System Language Discovery
PID:2184 -
C:\Windows\SysWOW64\Gmqlgppo.exe (depth 86; command line: C:\Windows\system32\Gmqlgppo.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2336 -
C:\Windows\SysWOW64\Gbmdpg32.exe (depth 87; command line: C:\Windows\system32\Gbmdpg32.exe)
- System Location Discovery: System Language Discovery
PID:1672 -
C:\Windows\SysWOW64\Gdlplb32.exe (depth 88; command line: C:\Windows\system32\Gdlplb32.exe)
PID:1728 -
C:\Windows\SysWOW64\Gkehhlef.exe (depth 89; command line: C:\Windows\system32\Gkehhlef.exe)
PID:2836 -
C:\Windows\SysWOW64\Gndedhdj.exe (depth 90; command line: C:\Windows\system32\Gndedhdj.exe)
PID:2592 -
C:\Windows\SysWOW64\Genmab32.exe (depth 91; command line: C:\Windows\system32\Genmab32.exe)
PID:1632 -
C:\Windows\SysWOW64\Gglimm32.exe (depth 92; command line: C:\Windows\system32\Gglimm32.exe)
- System Location Discovery: System Language Discovery
PID:2124 -
C:\Windows\SysWOW64\Gkhenlcd.exe (depth 93; command line: C:\Windows\system32\Gkhenlcd.exe)
PID:1012 -
C:\Windows\SysWOW64\Gbbnkfjq.exe (depth 94; command line: C:\Windows\system32\Gbbnkfjq.exe)
PID:336 -
C:\Windows\SysWOW64\Gepjgaid.exe (depth 95; command line: C:\Windows\system32\Gepjgaid.exe)
PID:1184 -
C:\Windows\SysWOW64\Gkjbcl32.exe (depth 96; command line: C:\Windows\system32\Gkjbcl32.exe)
- System Location Discovery: System Language Discovery
PID:2536 -
C:\Windows\SysWOW64\Gmlokdgp.exe (depth 97; command line: C:\Windows\system32\Gmlokdgp.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
PID:916 -
C:\Windows\SysWOW64\Gqgjlb32.exe (depth 98; command line: C:\Windows\system32\Gqgjlb32.exe)
PID:592 -
C:\Windows\SysWOW64\Ggabhmge.exe (depth 99; command line: C:\Windows\system32\Ggabhmge.exe)
- Drops file in System32 directory
PID:2016 -
C:\Windows\SysWOW64\Gnkkeg32.exe (depth 100; command line: C:\Windows\system32\Gnkkeg32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2424 -
C:\Windows\SysWOW64\Gaigab32.exe (depth 101; command line: C:\Windows\system32\Gaigab32.exe)
- Drops file in System32 directory
PID:2516 -
C:\Windows\SysWOW64\Hgconl32.exe (depth 102; command line: C:\Windows\system32\Hgconl32.exe)
- Drops file in System32 directory
PID:1860 -
C:\Windows\SysWOW64\Hffpiikm.exe (depth 103; command line: C:\Windows\system32\Hffpiikm.exe)
- System Location Discovery: System Language Discovery
PID:2828 -
C:\Windows\SysWOW64\Hmphfc32.exe (depth 104; command line: C:\Windows\system32\Hmphfc32.exe)
- System Location Discovery: System Language Discovery
PID:3064 -
C:\Windows\SysWOW64\Hpodbo32.exe (depth 105; command line: C:\Windows\system32\Hpodbo32.exe)
PID:2732 -
C:\Windows\SysWOW64\Hbmpoj32.exe (depth 106; command line: C:\Windows\system32\Hbmpoj32.exe)
PID:532 -
C:\Windows\SysWOW64\Hjdhpg32.exe (depth 107; command line: C:\Windows\system32\Hjdhpg32.exe)
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1708 -
C:\Windows\SysWOW64\Hmbdlc32.exe (depth 108; command line: C:\Windows\system32\Hmbdlc32.exe)
PID:2880 -
C:\Windows\SysWOW64\Hleegpgb.exe (depth 109; command line: C:\Windows\system32\Hleegpgb.exe)
PID:1972 -
C:\Windows\SysWOW64\Hbomdjoo.exe (depth 110; command line: C:\Windows\system32\Hbomdjoo.exe)
PID:1028 -
C:\Windows\SysWOW64\Henipenb.exe (depth 111; command line: C:\Windows\system32\Henipenb.exe)
PID:1760 -
C:\Windows\SysWOW64\Hiieqd32.exe (depth 112; command line: C:\Windows\system32\Hiieqd32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2400 -
C:\Windows\SysWOW64\Hmeaaboe.exe (depth 113; command line: C:\Windows\system32\Hmeaaboe.exe)
- System Location Discovery: System Language Discovery
PID:2528 -
C:\Windows\SysWOW64\Hbajjiml.exe (depth 114; command line: C:\Windows\system32\Hbajjiml.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2936 -
C:\Windows\SysWOW64\Hhobbqkc.exe (depth 115; command line: C:\Windows\system32\Hhobbqkc.exe)
PID:2056 -
C:\Windows\SysWOW64\Hnhjok32.exe (depth 116; command line: C:\Windows\system32\Hnhjok32.exe)
- System Location Discovery: System Language Discovery
PID:2276 -
C:\Windows\SysWOW64\Haggkf32.exe (depth 117; command line: C:\Windows\system32\Haggkf32.exe)
PID:2052 -
C:\Windows\SysWOW64\Hinolcbf.exe (depth 118; command line: C:\Windows\system32\Hinolcbf.exe)
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2716 -
C:\Windows\SysWOW64\Hllkhoaj.exe (depth 119; command line: C:\Windows\system32\Hllkhoaj.exe)
PID:2656 -
C:\Windows\SysWOW64\Inkgdjqn.exe (depth 120; command line: C:\Windows\system32\Inkgdjqn.exe)
PID:2980 -
C:\Windows\SysWOW64\Ibfcei32.exe (depth 121; command line: C:\Windows\system32\Ibfcei32.exe)
- Drops file in System32 directory
PID:2176 -
C:\Windows\SysWOW64\Idhplaoe.exe (depth 122; command line: C:\Windows\system32\Idhplaoe.exe)
PID:2512 -