Analysis
-
max time kernel
120s -
max time network
19s -
platform
windows7_x64 -
resource
win7-20240704-en -
resource tags
arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system -
submitted
06/08/2024, 08:38
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
8439e6e4d631d35a6aadce638dde1ef0N.exe
Resource
win7-20240704-en
windows7-x64
8 signatures
120 seconds
Behavioral task
behavioral2
Sample
8439e6e4d631d35a6aadce638dde1ef0N.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
7 signatures
120 seconds
General
-
Target
8439e6e4d631d35a6aadce638dde1ef0N.exe
-
Size
324KB
-
MD5
8439e6e4d631d35a6aadce638dde1ef0
-
SHA1
8df42ce7325aff0dee9c86e4880012ebdf90f9a5
-
SHA256
24508a8bb11f8913d1ab4f3ff3605d99f9e180e9441854d0d4f12bbc49e7a54f
-
SHA512
875722f808cc4a2029c2e4fdaa0bd4d7f036d4533eab5303538afd0584f2101139dfdb4f8fd2f2a5251ab0e7526ff384bfc5bfa4aacb2e22fca87c818b84f0fc
-
SSDEEP
6144:mb0jdQJb8FvP1izd5IF6rfBBcVPINRFYpfZvT6zAWq6JMf3us8ws:80a8FXAp5IFy5BcVPINRFYpfZvTmAWqI
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ioikjo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eojpqpih.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cndbbolm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lmdamojp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hfnomgqe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Knabngen.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Qhoqolhm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ampbbbbo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Igojmjgf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oofpgolq.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Khmamhek.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dmkeoekf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dfdbkj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jkmlhccn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Adekhkng.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Eopbooqb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qhoeqide.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fapgolal.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ndgiok32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fdadbd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nebijfkj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hfnhcami.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hlalhe32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bjlpjp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ebfpglkn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nipgab32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fipdci32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hjbncqkj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fhbcaa32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Minpeh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Inaliedk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lfmhla32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kjmnfk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ahdqdahc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cldolj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ognakk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Odnjbibf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Eafapd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qjcmoqlf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Efihcpqk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mllcodig.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dfhial32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Blhkon32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Glaejokn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hjbncqkj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hcohbh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ohgnoeii.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nnofbg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mekfmp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gdklje32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qlaffbqk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cefpmiji.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ebddmq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pfmclold.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Djdhfh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nfqbol32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Epflbbpp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Opdkgj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hhmfhe32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found -
Executes dropped EXE 64 IoCs
pid Process 2176 Aadbfp32.exe 2608 Akmgoehg.exe 2212 Adekhkng.exe 2916 Apllml32.exe 1036 Bhgaan32.exe 2744 Bjgmka32.exe 3020 Cdjabn32.exe 1580 Cbfhjfdk.exe 2848 Dmllgo32.exe 1816 Djffihmp.exe 1488 Dmgokcja.exe 1400 Efbpihoo.exe 840 Epmahmcm.exe 1148 Eleobngo.exe 2492 Eabgjeef.exe 2356 Fpcghl32.exe 1960 Fhcehngk.exe 1164 Gpagbp32.exe 2296 Gkfkoi32.exe 1716 Gilhpe32.exe 276 Gpfpmonn.exe 1040 Ghaeaaki.exe 1324 Gokmnlcf.exe 1340 Gcifdj32.exe 888 Hnbgdh32.exe 2136 Hqcpfcbl.exe 1596 Hngppgae.exe 592 Hnljkf32.exe 2652 Ieohfemq.exe 2312 Iaheqe32.exe 2184 Jeenfd32.exe 2528 Jfigdl32.exe 2984 Jaolad32.exe 3000 Jmelfeqn.exe 2816 Kiojqfdp.exe 2624 Knkbimbg.exe 3008 Kpkocpjj.exe 2408 Kkglim32.exe 912 Kelqff32.exe 1684 Lpfagd32.exe 2328 Lddjmb32.exe 1676 Lcignoki.exe 2236 Lpmhgc32.exe 1812 Lhhmle32.exe 1972 Lihifhoq.exe 1640 Modano32.exe 812 Mognco32.exe 924 Meafpibb.exe 3068 Mnlkdk32.exe 1708 Mgdpnqfn.exe 1948 Mgglcqdk.exe 1592 Mqoqlfkl.exe 2748 Nlfaag32.exe 2704 Njjbjk32.exe 2472 Nfqbol32.exe 2648 Nmkklflj.exe 2524 Ncdciq32.exe 2504 Nhalag32.exe 2888 Nfeljlqh.exe 2980 Oblmom32.exe 676 Okdahbmm.exe 1496 Oqajqi32.exe 2060 Oeobfgak.exe 904 Ofqonp32.exe -
Loads dropped DLL 64 IoCs
pid Process 2488 8439e6e4d631d35a6aadce638dde1ef0N.exe 2488 8439e6e4d631d35a6aadce638dde1ef0N.exe 2176 Aadbfp32.exe 2176 Aadbfp32.exe 2608 Akmgoehg.exe 2608 Akmgoehg.exe 2212 Adekhkng.exe 2212 Adekhkng.exe 2916 Apllml32.exe 2916 Apllml32.exe 1036 Bhgaan32.exe 1036 Bhgaan32.exe 2744 Bjgmka32.exe 2744 Bjgmka32.exe 3020 Cdjabn32.exe 3020 Cdjabn32.exe 1580 Cbfhjfdk.exe 1580 Cbfhjfdk.exe 2848 Dmllgo32.exe 2848 Dmllgo32.exe 1816 Djffihmp.exe 1816 Djffihmp.exe 1488 Dmgokcja.exe 1488 Dmgokcja.exe 1400 Efbpihoo.exe 1400 Efbpihoo.exe 840 Epmahmcm.exe 840 Epmahmcm.exe 1148 Eleobngo.exe 1148 Eleobngo.exe 2492 Eabgjeef.exe 2492 Eabgjeef.exe 2356 Fpcghl32.exe 2356 Fpcghl32.exe 1960 Fhcehngk.exe 1960 Fhcehngk.exe 1164 Gpagbp32.exe 1164 Gpagbp32.exe 2296 Gkfkoi32.exe 2296 Gkfkoi32.exe 1716 Gilhpe32.exe 1716 Gilhpe32.exe 276 Gpfpmonn.exe 276 Gpfpmonn.exe 1040 Ghaeaaki.exe 1040 Ghaeaaki.exe 1324 Gokmnlcf.exe 1324 Gokmnlcf.exe 1340 Gcifdj32.exe 1340 Gcifdj32.exe 888 Hnbgdh32.exe 888 Hnbgdh32.exe 2136 Hqcpfcbl.exe 2136 Hqcpfcbl.exe 1596 Hngppgae.exe 1596 Hngppgae.exe 592 Hnljkf32.exe 592 Hnljkf32.exe 2652 Ieohfemq.exe 2652 Ieohfemq.exe 2312 Iaheqe32.exe 2312 Iaheqe32.exe 2184 Jeenfd32.exe 2184 Jeenfd32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Hpbilmop.exe Hcohbh32.exe File opened for modification C:\Windows\SysWOW64\Amfeodoh.exe Aflmbj32.exe File opened for modification C:\Windows\SysWOW64\Lcgldc32.exe Lgpkobnb.exe File created C:\Windows\SysWOW64\Dhplgonm.dll Pajjpk32.exe File created C:\Windows\SysWOW64\Oppgpo32.dll Dplnpp32.exe File created C:\Windows\SysWOW64\Annkjdgd.exe Process not Found File opened for modification C:\Windows\SysWOW64\Ijnbpm32.exe Hioefjfb.exe File created C:\Windows\SysWOW64\Kdaoacif.exe Jgmnhojl.exe File created C:\Windows\SysWOW64\Fhmblljb.exe Flfbfken.exe File created C:\Windows\SysWOW64\Qedibbah.dll Efcefndb.exe File created C:\Windows\SysWOW64\Gboidd32.dll Igfmdadd.exe File opened for modification C:\Windows\SysWOW64\Ajladp32.exe Akfdcckn.exe File opened for modification C:\Windows\SysWOW64\Gdiode32.exe Gkqjlpmd.exe File created C:\Windows\SysWOW64\Mkideqgo.dll Ghlgdecf.exe File created C:\Windows\SysWOW64\Jkpqkhpf.dll Objcnj32.exe File opened for modification C:\Windows\SysWOW64\Dhhhphmc.exe Dheljhof.exe File opened for modification C:\Windows\SysWOW64\Peandcih.exe Pgnmjokn.exe File created C:\Windows\SysWOW64\Jhebij32.exe Jjpehn32.exe File created C:\Windows\SysWOW64\Heiomc32.dll Fjpipkgi.exe File created C:\Windows\SysWOW64\Ekegqfbb.dll Dbmnla32.exe File created C:\Windows\SysWOW64\Ocglmcdp.exe Ofcldoef.exe File created C:\Windows\SysWOW64\Kpkaomqn.dll Ojjanlod.exe File opened for modification C:\Windows\SysWOW64\Iinadl32.exe Hfnhcami.exe File created C:\Windows\SysWOW64\Ljdjildq.exe Lqleqg32.exe File created C:\Windows\SysWOW64\Oogdiqki.exe Oijlpjma.exe File created C:\Windows\SysWOW64\Cchfek32.exe Clnnhq32.exe File created C:\Windows\SysWOW64\Faihlcnh.exe Process not Found File created C:\Windows\SysWOW64\Pdmplfkj.dll Gpagbp32.exe File opened for modification C:\Windows\SysWOW64\Ijipbchn.exe Ijgcmc32.exe File created C:\Windows\SysWOW64\Oipdhm32.exe Ofbhlbja.exe File created C:\Windows\SysWOW64\Ggpiikml.dll Oeobfgak.exe File created C:\Windows\SysWOW64\Pdkgcd32.exe Polbemck.exe File opened for modification C:\Windows\SysWOW64\Ndhpiapi.exe Mfbcheka.exe File created C:\Windows\SysWOW64\Nmkklflj.exe Nfqbol32.exe File created C:\Windows\SysWOW64\Aejkhj32.dll Jejgcp32.exe File created C:\Windows\SysWOW64\Mkbnpaln.exe Process not Found File created C:\Windows\SysWOW64\Iaodci32.dll Bgichoqj.exe File created C:\Windows\SysWOW64\Jofhqiec.exe Jodkkj32.exe File opened for modification C:\Windows\SysWOW64\Ecabfpff.exe Djhnmj32.exe File created C:\Windows\SysWOW64\Mpbfddef.exe Lmbmbi32.exe File opened for modification C:\Windows\SysWOW64\Ecfednma.exe Egpdom32.exe File created C:\Windows\SysWOW64\Kbefen32.exe Khmamhek.exe File opened for modification C:\Windows\SysWOW64\Ohfggl32.exe Process not Found File created C:\Windows\SysWOW64\Glbhic32.dll Iolohhpc.exe File opened for modification C:\Windows\SysWOW64\Kjmnfk32.exe Kbefen32.exe File created C:\Windows\SysWOW64\Ndmgck32.dll Ckeffdmi.exe File created C:\Windows\SysWOW64\Ijcdbdkc.dll Kphbom32.exe File opened for modification C:\Windows\SysWOW64\Linanl32.exe Lkjadh32.exe File created C:\Windows\SysWOW64\Mjknab32.exe Mjialchg.exe File created C:\Windows\SysWOW64\Nmdfglhm.exe Ndlanf32.exe File created C:\Windows\SysWOW64\Minpeh32.exe Mpflmbnc.exe File created C:\Windows\SysWOW64\Gmhkkn32.exe Godjaj32.exe File created C:\Windows\SysWOW64\Dicbbade.dll Nebijfkj.exe File created C:\Windows\SysWOW64\Fmicnhob.exe Fcqoec32.exe File created C:\Windows\SysWOW64\Ildgdpca.dll Jlfahgpf.exe File created C:\Windows\SysWOW64\Omipbpfl.exe Oabonopg.exe File created C:\Windows\SysWOW64\Lcfblfmb.dll Fdbibjok.exe File created C:\Windows\SysWOW64\Mbmfpdcn.dll Hegdinpd.exe File created C:\Windows\SysWOW64\Mfgpckkm.dll Baannfim.exe File created C:\Windows\SysWOW64\Ofgljdfh.dll Eenige32.exe File opened for modification C:\Windows\SysWOW64\Pfjbdn32.exe Pmamliin.exe File created C:\Windows\SysWOW64\Dlepmnhq.exe Difcpc32.exe File created C:\Windows\SysWOW64\Hdebhahh.dll Gkkdldhe.exe File created C:\Windows\SysWOW64\Mmhgkopj.dll Aplbin32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 3516 3004 Process not Found 1142 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hdbmnchk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Odnjbibf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bkdclgpl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dophid32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ndhpiapi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hcpnpn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Olhmnb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bichbckg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Odiagj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bbbedqcc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aimfcedl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Feklja32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gkaghf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cajmbd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mnjokphk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dmnhok32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oqhcda32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gkfkoi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Baannfim.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iccqedfa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aoedch32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Acjllqke.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bhkcdd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mkjkkf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ofbhlbja.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ahmpfc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qganapgc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cphncpld.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ghcmedmo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Igdqmeke.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Edghighp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mcmnbbja.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bqhffj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gjeedcjh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qafboi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qfbahldf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mognco32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dknehe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bdiciboh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dlepmnhq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lkkcmqcn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Icmkpibd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jeenfd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hfdkoc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jicgoohq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bkgchckl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Idjmnecm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cndbbolm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Angafl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gbpaef32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ljoidf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dhhhphmc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kkcfbkfj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ljjpighp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lodeahen.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aplbin32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mgdpnqfn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jkmlhccn.exe -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Fioajqmb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hbglgj32.dll" Odhjmc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mjohlb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iaodci32.dll" Bgichoqj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ocpakg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bbbedqcc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Afdjmo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fdkkjm32.dll" Kkpekjie.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bkheal32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lboeoagk.dll" Hchcmnlj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nioplnhf.dll" Kgahcn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node 8439e6e4d631d35a6aadce638dde1ef0N.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mcccglnn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dkbeon32.dll" Dmdkkm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kkqjmlhm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kjimafji.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bdiciboh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Gepjgaid.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Nqcjiaah.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Njnknedk.dll" Pfjbdn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Oceaql32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Edghighp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hkddne32.dll" Odnjbibf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dkojjgfg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ofqonp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dcpedhdk.dll" Ljdjildq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekegqfbb.dll" Dbmnla32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Imkfhj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlinchae.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cofndn32.dll" Bmcpfj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Lelphbon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bokapipc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fhgkqmph.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fmnjbi32.dll" Cbjbof32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dlnjfoml.dll" Galllipa.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Amdhidqk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Efoobkej.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hbhjenik.dll" Kjimafji.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Gmcmomjc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dmeemifp.dll" Anlkakqa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Gnaffpoi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pbhnonjm.dll" Bichbckg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Anlieh32.dll" Hilbfc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Oogdiqki.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Daognhlc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fpijgk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ejfnfn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Padbmn32.dll" Danblfmk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Nojljcjf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jpqpdh32.dll" Dmmffbek.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kciblh32.dll" Eabgjeef.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Oblmom32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pddlggin.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hfnomgqe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lffhqa32.dll" Coqaknog.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gpcghm32.dll" Oimpppoj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Dadikaaj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Fnlhibff.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Gjeckk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Cbhejf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Doojcjpq.dll" Jomadaga.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2488 wrote to memory of 2176 2488 8439e6e4d631d35a6aadce638dde1ef0N.exe 28 PID 2488 wrote to memory of 2176 2488 8439e6e4d631d35a6aadce638dde1ef0N.exe 28 PID 2488 wrote to memory of 2176 2488 8439e6e4d631d35a6aadce638dde1ef0N.exe 28 PID 2488 wrote to memory of 2176 2488 8439e6e4d631d35a6aadce638dde1ef0N.exe 28 PID 2176 wrote to memory of 2608 2176 Aadbfp32.exe 29 PID 2176 wrote to memory of 2608 2176 Aadbfp32.exe 29 PID 2176 wrote to memory of 2608 2176 Aadbfp32.exe 29 PID 2176 wrote to memory of 2608 2176 Aadbfp32.exe 29 PID 2608 wrote to memory of 2212 2608 Akmgoehg.exe 30 PID 2608 wrote to memory of 2212 2608 Akmgoehg.exe 30 PID 2608 wrote to memory of 2212 2608 Akmgoehg.exe 30 PID 2608 wrote to memory of 2212 2608 Akmgoehg.exe 30 PID 2212 wrote to memory of 2916 2212 Adekhkng.exe 31 PID 2212 wrote to memory of 2916 2212 Adekhkng.exe 31 PID 2212 wrote to memory of 2916 2212 Adekhkng.exe 31 PID 2212 wrote to memory of 2916 2212 Adekhkng.exe 31 PID 2916 wrote to memory of 1036 2916 Apllml32.exe 32 PID 2916 wrote to memory of 1036 2916 Apllml32.exe 32 PID 2916 wrote to memory of 1036 2916 Apllml32.exe 32 PID 2916 wrote to memory of 1036 2916 Apllml32.exe 32 PID 1036 wrote to memory of 2744 1036 Bhgaan32.exe 33 PID 1036 wrote to memory of 2744 1036 Bhgaan32.exe 33 PID 1036 wrote to memory of 2744 1036 Bhgaan32.exe 33 PID 1036 wrote to memory of 2744 1036 Bhgaan32.exe 33 PID 2744 wrote to memory of 3020 2744 Bjgmka32.exe 34 PID 2744 wrote to memory of 3020 2744 Bjgmka32.exe 34 PID 2744 wrote to memory of 3020 2744 Bjgmka32.exe 34 PID 2744 wrote to memory of 3020 2744 Bjgmka32.exe 34 PID 3020 wrote to memory of 1580 3020 Cdjabn32.exe 35 PID 3020 wrote to memory of 1580 3020 Cdjabn32.exe 35 PID 3020 wrote to memory of 1580 3020 Cdjabn32.exe 35 PID 3020 wrote to memory of 1580 3020 Cdjabn32.exe 35 PID 1580 wrote to memory of 2848 1580 Cbfhjfdk.exe 36 PID 1580 wrote to memory of 2848 1580 Cbfhjfdk.exe 36 PID 1580 wrote to memory of 2848 1580 Cbfhjfdk.exe 36 PID 1580 wrote to memory of 2848 1580 Cbfhjfdk.exe 36 PID 2848 wrote to memory of 1816 2848 Dmllgo32.exe 37 PID 2848 wrote to memory of 1816 2848 Dmllgo32.exe 37 PID 2848 wrote to memory of 1816 2848 Dmllgo32.exe 37 PID 2848 wrote to memory of 1816 2848 Dmllgo32.exe 37 PID 1816 wrote to memory of 1488 1816 Djffihmp.exe 38 PID 1816 wrote to memory of 1488 1816 Djffihmp.exe 38 PID 1816 wrote to memory of 1488 1816 Djffihmp.exe 38 PID 1816 wrote to memory of 1488 1816 Djffihmp.exe 38 PID 1488 wrote to memory of 1400 1488 Dmgokcja.exe 39 PID 1488 wrote to memory of 1400 1488 Dmgokcja.exe 39 PID 1488 wrote to memory of 1400 1488 Dmgokcja.exe 39 PID 1488 wrote to memory of 1400 1488 Dmgokcja.exe 39 PID 1400 wrote to memory of 840 1400 Efbpihoo.exe 40 PID 1400 wrote to memory of 840 1400 Efbpihoo.exe 40 PID 1400 wrote to memory of 840 1400 Efbpihoo.exe 40 PID 1400 wrote to memory of 840 1400 Efbpihoo.exe 40 PID 840 wrote to memory of 1148 840 Epmahmcm.exe 41 PID 840 wrote to memory of 1148 840 Epmahmcm.exe 41 PID 840 wrote to memory of 1148 840 Epmahmcm.exe 41 PID 840 wrote to memory of 1148 840 Epmahmcm.exe 41 PID 1148 wrote to memory of 2492 1148 Eleobngo.exe 42 PID 1148 wrote to memory of 2492 1148 Eleobngo.exe 42 PID 1148 wrote to memory of 2492 1148 Eleobngo.exe 42 PID 1148 wrote to memory of 2492 1148 Eleobngo.exe 42 PID 2492 wrote to memory of 2356 2492 Eabgjeef.exe 43 PID 2492 wrote to memory of 2356 2492 Eabgjeef.exe 43 PID 2492 wrote to memory of 2356 2492 Eabgjeef.exe 43 PID 2492 wrote to memory of 2356 2492 Eabgjeef.exe 43
Processes
-
C:\Users\Admin\AppData\Local\Temp\8439e6e4d631d35a6aadce638dde1ef0N.exe"C:\Users\Admin\AppData\Local\Temp\8439e6e4d631d35a6aadce638dde1ef0N.exe"1⤵
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2488 -
C:\Windows\SysWOW64\Aadbfp32.exeC:\Windows\system32\Aadbfp32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2176 -
C:\Windows\SysWOW64\Akmgoehg.exeC:\Windows\system32\Akmgoehg.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2608 -
C:\Windows\SysWOW64\Adekhkng.exeC:\Windows\system32\Adekhkng.exe4⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2212 -
C:\Windows\SysWOW64\Apllml32.exeC:\Windows\system32\Apllml32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2916 -
C:\Windows\SysWOW64\Bhgaan32.exeC:\Windows\system32\Bhgaan32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1036 -
C:\Windows\SysWOW64\Bjgmka32.exeC:\Windows\system32\Bjgmka32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2744 -
C:\Windows\SysWOW64\Cdjabn32.exeC:\Windows\system32\Cdjabn32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3020 -
C:\Windows\SysWOW64\Cbfhjfdk.exeC:\Windows\system32\Cbfhjfdk.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1580 -
C:\Windows\SysWOW64\Dmllgo32.exeC:\Windows\system32\Dmllgo32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2848 -
C:\Windows\SysWOW64\Djffihmp.exeC:\Windows\system32\Djffihmp.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1816 -
C:\Windows\SysWOW64\Dmgokcja.exeC:\Windows\system32\Dmgokcja.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1488 -
C:\Windows\SysWOW64\Efbpihoo.exeC:\Windows\system32\Efbpihoo.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1400 -
C:\Windows\SysWOW64\Epmahmcm.exeC:\Windows\system32\Epmahmcm.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:840 -
C:\Windows\SysWOW64\Eleobngo.exeC:\Windows\system32\Eleobngo.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1148 -
C:\Windows\SysWOW64\Eabgjeef.exeC:\Windows\system32\Eabgjeef.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2492 -
C:\Windows\SysWOW64\Fpcghl32.exeC:\Windows\system32\Fpcghl32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2356 -
C:\Windows\SysWOW64\Fhcehngk.exeC:\Windows\system32\Fhcehngk.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1960 -
C:\Windows\SysWOW64\Gpagbp32.exeC:\Windows\system32\Gpagbp32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1164 -
C:\Windows\SysWOW64\Gkfkoi32.exeC:\Windows\system32\Gkfkoi32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2296 -
C:\Windows\SysWOW64\Gilhpe32.exeC:\Windows\system32\Gilhpe32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1716 -
C:\Windows\SysWOW64\Gpfpmonn.exeC:\Windows\system32\Gpfpmonn.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:276 -
C:\Windows\SysWOW64\Ghaeaaki.exeC:\Windows\system32\Ghaeaaki.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1040 -
C:\Windows\SysWOW64\Gokmnlcf.exeC:\Windows\system32\Gokmnlcf.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1324 -
C:\Windows\SysWOW64\Gcifdj32.exeC:\Windows\system32\Gcifdj32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1340 -
C:\Windows\SysWOW64\Hnbgdh32.exeC:\Windows\system32\Hnbgdh32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:888 -
C:\Windows\SysWOW64\Hqcpfcbl.exeC:\Windows\system32\Hqcpfcbl.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2136 -
C:\Windows\SysWOW64\Hngppgae.exeC:\Windows\system32\Hngppgae.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1596 -
C:\Windows\SysWOW64\Hnljkf32.exeC:\Windows\system32\Hnljkf32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:592 -
C:\Windows\SysWOW64\Ieohfemq.exeC:\Windows\system32\Ieohfemq.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2652 -
C:\Windows\SysWOW64\Iaheqe32.exeC:\Windows\system32\Iaheqe32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2312 -
C:\Windows\SysWOW64\Jeenfd32.exeC:\Windows\system32\Jeenfd32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2184 -
C:\Windows\SysWOW64\Jfigdl32.exeC:\Windows\system32\Jfigdl32.exe33⤵
- Executes dropped EXE
PID:2528 -
C:\Windows\SysWOW64\Jaolad32.exeC:\Windows\system32\Jaolad32.exe34⤵
- Executes dropped EXE
PID:2984 -
C:\Windows\SysWOW64\Jmelfeqn.exeC:\Windows\system32\Jmelfeqn.exe35⤵
- Executes dropped EXE
PID:3000 -
C:\Windows\SysWOW64\Kiojqfdp.exeC:\Windows\system32\Kiojqfdp.exe36⤵
- Executes dropped EXE
PID:2816 -
C:\Windows\SysWOW64\Knkbimbg.exeC:\Windows\system32\Knkbimbg.exe37⤵
- Executes dropped EXE
PID:2624 -
C:\Windows\SysWOW64\Kpkocpjj.exeC:\Windows\system32\Kpkocpjj.exe38⤵
- Executes dropped EXE
PID:3008 -
C:\Windows\SysWOW64\Kkglim32.exeC:\Windows\system32\Kkglim32.exe39⤵
- Executes dropped EXE
PID:2408 -
C:\Windows\SysWOW64\Kelqff32.exeC:\Windows\system32\Kelqff32.exe40⤵
- Executes dropped EXE
PID:912 -
C:\Windows\SysWOW64\Lpfagd32.exeC:\Windows\system32\Lpfagd32.exe41⤵
- Executes dropped EXE
PID:1684 -
C:\Windows\SysWOW64\Lddjmb32.exeC:\Windows\system32\Lddjmb32.exe42⤵
- Executes dropped EXE
PID:2328 -
C:\Windows\SysWOW64\Lcignoki.exeC:\Windows\system32\Lcignoki.exe43⤵
- Executes dropped EXE
PID:1676 -
C:\Windows\SysWOW64\Lpmhgc32.exeC:\Windows\system32\Lpmhgc32.exe44⤵
- Executes dropped EXE
PID:2236 -
C:\Windows\SysWOW64\Lhhmle32.exeC:\Windows\system32\Lhhmle32.exe45⤵
- Executes dropped EXE
PID:1812 -
C:\Windows\SysWOW64\Lihifhoq.exeC:\Windows\system32\Lihifhoq.exe46⤵
- Executes dropped EXE
PID:1972 -
C:\Windows\SysWOW64\Modano32.exeC:\Windows\system32\Modano32.exe47⤵
- Executes dropped EXE
PID:1640 -
C:\Windows\SysWOW64\Mognco32.exeC:\Windows\system32\Mognco32.exe48⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:812 -
C:\Windows\SysWOW64\Meafpibb.exeC:\Windows\system32\Meafpibb.exe49⤵
- Executes dropped EXE
PID:924 -
C:\Windows\SysWOW64\Mnlkdk32.exeC:\Windows\system32\Mnlkdk32.exe50⤵
- Executes dropped EXE
PID:3068 -
C:\Windows\SysWOW64\Mgdpnqfn.exeC:\Windows\system32\Mgdpnqfn.exe51⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1708 -
C:\Windows\SysWOW64\Mgglcqdk.exeC:\Windows\system32\Mgglcqdk.exe52⤵
- Executes dropped EXE
PID:1948 -
C:\Windows\SysWOW64\Mqoqlfkl.exeC:\Windows\system32\Mqoqlfkl.exe53⤵
- Executes dropped EXE
PID:1592 -
C:\Windows\SysWOW64\Nlfaag32.exeC:\Windows\system32\Nlfaag32.exe54⤵
- Executes dropped EXE
PID:2748 -
C:\Windows\SysWOW64\Njjbjk32.exeC:\Windows\system32\Njjbjk32.exe55⤵
- Executes dropped EXE
PID:2704 -
C:\Windows\SysWOW64\Nfqbol32.exeC:\Windows\system32\Nfqbol32.exe56⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2472 -
C:\Windows\SysWOW64\Nmkklflj.exeC:\Windows\system32\Nmkklflj.exe57⤵
- Executes dropped EXE
PID:2648 -
C:\Windows\SysWOW64\Ncdciq32.exeC:\Windows\system32\Ncdciq32.exe58⤵
- Executes dropped EXE
PID:2524 -
C:\Windows\SysWOW64\Nhalag32.exeC:\Windows\system32\Nhalag32.exe59⤵
- Executes dropped EXE
PID:2504 -
C:\Windows\SysWOW64\Nfeljlqh.exeC:\Windows\system32\Nfeljlqh.exe60⤵
- Executes dropped EXE
PID:2888 -
C:\Windows\SysWOW64\Oblmom32.exeC:\Windows\system32\Oblmom32.exe61⤵
- Executes dropped EXE
- Modifies registry class
PID:2980 -
C:\Windows\SysWOW64\Okdahbmm.exeC:\Windows\system32\Okdahbmm.exe62⤵
- Executes dropped EXE
PID:676 -
C:\Windows\SysWOW64\Oqajqi32.exeC:\Windows\system32\Oqajqi32.exe63⤵
- Executes dropped EXE
PID:1496 -
C:\Windows\SysWOW64\Oeobfgak.exeC:\Windows\system32\Oeobfgak.exe64⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2060 -
C:\Windows\SysWOW64\Ofqonp32.exeC:\Windows\system32\Ofqonp32.exe65⤵
- Executes dropped EXE
- Modifies registry class
PID:904 -
C:\Windows\SysWOW64\Omjgkjof.exeC:\Windows\system32\Omjgkjof.exe66⤵PID:1392
-
C:\Windows\SysWOW64\Ofcldoef.exeC:\Windows\system32\Ofcldoef.exe67⤵
- Drops file in System32 directory
PID:1852 -
C:\Windows\SysWOW64\Ocglmcdp.exeC:\Windows\system32\Ocglmcdp.exe68⤵PID:1528
-
C:\Windows\SysWOW64\Ppnmbd32.exeC:\Windows\system32\Ppnmbd32.exe69⤵PID:3052
-
C:\Windows\SysWOW64\Pmamliin.exeC:\Windows\system32\Pmamliin.exe70⤵
- Drops file in System32 directory
PID:3024 -
C:\Windows\SysWOW64\Pfjbdn32.exeC:\Windows\system32\Pfjbdn32.exe71⤵
- Modifies registry class
PID:1704 -
C:\Windows\SysWOW64\Ppbfmdfo.exeC:\Windows\system32\Ppbfmdfo.exe72⤵PID:2284
-
C:\Windows\SysWOW64\Pjlgna32.exeC:\Windows\system32\Pjlgna32.exe73⤵PID:2636
-
C:\Windows\SysWOW64\Pddlggin.exeC:\Windows\system32\Pddlggin.exe74⤵
- Modifies registry class
PID:2632 -
C:\Windows\SysWOW64\Qdfhlggl.exeC:\Windows\system32\Qdfhlggl.exe75⤵PID:2560
-
C:\Windows\SysWOW64\Qolmip32.exeC:\Windows\system32\Qolmip32.exe76⤵PID:980
-
C:\Windows\SysWOW64\Qjcmoqlf.exeC:\Windows\system32\Qjcmoqlf.exe77⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1480 -
C:\Windows\SysWOW64\Akejdp32.exeC:\Windows\system32\Akejdp32.exe78⤵PID:1800
-
C:\Windows\SysWOW64\Adnomfqc.exeC:\Windows\system32\Adnomfqc.exe79⤵PID:2860
-
C:\Windows\SysWOW64\Aeokdn32.exeC:\Windows\system32\Aeokdn32.exe80⤵PID:484
-
C:\Windows\SysWOW64\Abbknb32.exeC:\Windows\system32\Abbknb32.exe81⤵PID:2020
-
C:\Windows\SysWOW64\Bkgchckl.exeC:\Windows\system32\Bkgchckl.exe82⤵
- System Location Discovery: System Language Discovery
PID:2428 -
C:\Windows\SysWOW64\Bjlpjp32.exeC:\Windows\system32\Bjlpjp32.exe83⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1220 -
C:\Windows\SysWOW64\Bfcqoqeh.exeC:\Windows\system32\Bfcqoqeh.exe84⤵PID:2056
-
C:\Windows\SysWOW64\Cldolj32.exeC:\Windows\system32\Cldolj32.exe85⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:572 -
C:\Windows\SysWOW64\Cfmceomm.exeC:\Windows\system32\Cfmceomm.exe86⤵PID:2144
-
C:\Windows\SysWOW64\Cgnpmg32.exeC:\Windows\system32\Cgnpmg32.exe87⤵PID:1584
-
C:\Windows\SysWOW64\Cbcdjpba.exeC:\Windows\system32\Cbcdjpba.exe88⤵PID:2712
-
C:\Windows\SysWOW64\Cgpmbgai.exeC:\Windows\system32\Cgpmbgai.exe89⤵PID:2660
-
C:\Windows\SysWOW64\Dqiakm32.exeC:\Windows\system32\Dqiakm32.exe90⤵PID:2752
-
C:\Windows\SysWOW64\Dknehe32.exeC:\Windows\system32\Dknehe32.exe91⤵
- System Location Discovery: System Language Discovery
PID:2676 -
C:\Windows\SysWOW64\Dgefmf32.exeC:\Windows\system32\Dgefmf32.exe92⤵PID:3004
-
C:\Windows\SysWOW64\Dnonjqdq.exeC:\Windows\system32\Dnonjqdq.exe93⤵PID:2716
-
C:\Windows\SysWOW64\Dclgbgbh.exeC:\Windows\system32\Dclgbgbh.exe94⤵PID:1808
-
C:\Windows\SysWOW64\Dmdkkm32.exeC:\Windows\system32\Dmdkkm32.exe95⤵
- Modifies registry class
PID:1820 -
C:\Windows\SysWOW64\Dbadcdgp.exeC:\Windows\system32\Dbadcdgp.exe96⤵PID:2852
-
C:\Windows\SysWOW64\Dmfhqmge.exeC:\Windows\system32\Dmfhqmge.exe97⤵PID:2404
-
C:\Windows\SysWOW64\Dcppmg32.exeC:\Windows\system32\Dcppmg32.exe98⤵PID:2928
-
C:\Windows\SysWOW64\Efaiobkc.exeC:\Windows\system32\Efaiobkc.exe99⤵PID:1804
-
C:\Windows\SysWOW64\Enlncdio.exeC:\Windows\system32\Enlncdio.exe100⤵PID:1364
-
C:\Windows\SysWOW64\Elpnmhgh.exeC:\Windows\system32\Elpnmhgh.exe101⤵PID:816
-
C:\Windows\SysWOW64\Eckcak32.exeC:\Windows\system32\Eckcak32.exe102⤵PID:2088
-
C:\Windows\SysWOW64\Emdgjpkd.exeC:\Windows\system32\Emdgjpkd.exe103⤵PID:2448
-
C:\Windows\SysWOW64\Fmfdppia.exeC:\Windows\system32\Fmfdppia.exe104⤵PID:2908
-
C:\Windows\SysWOW64\Ffoihepa.exeC:\Windows\system32\Ffoihepa.exe105⤵PID:2116
-
C:\Windows\SysWOW64\Fdbibjok.exeC:\Windows\system32\Fdbibjok.exe106⤵
- Drops file in System32 directory
PID:2600 -
C:\Windows\SysWOW64\Fioajqmb.exeC:\Windows\system32\Fioajqmb.exe107⤵
- Modifies registry class
PID:988 -
C:\Windows\SysWOW64\Fpijgk32.exeC:\Windows\system32\Fpijgk32.exe108⤵
- Modifies registry class
PID:1780 -
C:\Windows\SysWOW64\Ffcbce32.exeC:\Windows\system32\Ffcbce32.exe109⤵PID:1632
-
C:\Windows\SysWOW64\Fbjchfaq.exeC:\Windows\system32\Fbjchfaq.exe110⤵PID:2052
-
C:\Windows\SysWOW64\Fhgkqmph.exeC:\Windows\system32\Fhgkqmph.exe111⤵
- Modifies registry class
PID:1244 -
C:\Windows\SysWOW64\Feklja32.exeC:\Windows\system32\Feklja32.exe112⤵
- System Location Discovery: System Language Discovery
PID:1200 -
C:\Windows\SysWOW64\Gledgkfn.exeC:\Windows\system32\Gledgkfn.exe113⤵PID:2044
-
C:\Windows\SysWOW64\Gemhpq32.exeC:\Windows\system32\Gemhpq32.exe114⤵PID:2956
-
C:\Windows\SysWOW64\Glgqlkdl.exeC:\Windows\system32\Glgqlkdl.exe115⤵PID:2776
-
C:\Windows\SysWOW64\Ggqamh32.exeC:\Windows\system32\Ggqamh32.exe116⤵PID:2552
-
C:\Windows\SysWOW64\Ghpngkhm.exeC:\Windows\system32\Ghpngkhm.exe117⤵PID:2544
-
C:\Windows\SysWOW64\Gaibpa32.exeC:\Windows\system32\Gaibpa32.exe118⤵PID:1600
-
C:\Windows\SysWOW64\Gkaghf32.exeC:\Windows\system32\Gkaghf32.exe119⤵
- System Location Discovery: System Language Discovery
PID:2232 -
C:\Windows\SysWOW64\Hcllmi32.exeC:\Windows\system32\Hcllmi32.exe120⤵PID:584
-
C:\Windows\SysWOW64\Hnapja32.exeC:\Windows\system32\Hnapja32.exe121⤵PID:320
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-