Analysis
max time kernel: 112s
max time network: 19s
platform: windows7_x64
resource: win7-20240704-en
resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
submitted: 21/08/2024, 21:19
Static task: static1
Behavioral task: behavioral1
  Sample: c1a2d0cc4efdcaba7b23a153d14c7a40N.exe
  Resource: win7-20240704-en
Behavioral task: behavioral2
  Sample: c1a2d0cc4efdcaba7b23a153d14c7a40N.exe
  Resource: win10v2004-20240802-en
General
Target: c1a2d0cc4efdcaba7b23a153d14c7a40N.exe
Size: 512KB
MD5: c1a2d0cc4efdcaba7b23a153d14c7a40
SHA1: 5cb8e72998684bf1b1ab984b71e64ebaad17f31a
SHA256: c52c337d190bfe0a507e58d7ed478fb289732fbae75b5e6983f5cc09c6ef69cf
SHA512: 4234a63ff5da987c9077e6f483956bcd3ba75db4d292e32e046eccc13dbba6ca3c96c23bed814f96189557e5d26a656f4e493273d8541b1280e5f7c1b9e6bf7f
SSDEEP: 12288:SdyYTGyXu1jGG1ws5iETdqvZNemWrsiLk6mqgSg9:SdyYTGyXsGG1ws5ipr
Malware Config
Signatures
Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Jqakompl.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Kcjcefbd.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Aomdpj32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Khakhg32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Nfhcmkkg.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Aghdboal.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Dglfkebm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Kcfmnd32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bpkgmk32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ofdicodf.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Qaifoo32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Eofkgb32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Eadpig32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Peinba32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bamdcf32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Beccgi32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Jbmgapgc.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Fohacl32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bpmajb32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Dlpbpa32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Ckqhigeg.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Fdnabo32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Bpkgmk32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Nhmpmcaq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Oiebej32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Kebggncm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Lkjolc32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Hncjiecj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Cmpieg32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Kfgfpoaj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Oljbil32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Ekicjlai.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Mdidhfdp.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Iopqoi32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Hnedfljc.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bkflpi32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Qfnmjb32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Facjobce.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Aaaohfjo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Dfmepd32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ponokmah.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Nanlla32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Eopbooqb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Ilpohecc.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Eafmng32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Oelcjkgk.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Jhbaam32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ekaegbnd.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Jialbh32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Djmkkb32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Lbdljk32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Miciqgqn.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Belhem32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Inkimc32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Jlnadiko.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Fdnabo32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Mclghl32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Lcmdlgoj.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Cpldjajo.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Edahca32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Plnhbk32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Fpedph32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Nocfdhfi.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Mcblob32.exe
Executes dropped EXE (64 IoCs)
pid | Process
2212 | Gonlld32.exe
2152 | Hlamfh32.exe
2204 | Hphljkfk.exe
2760 | Iackhb32.exe
2640 | Idcdjmao.exe
852 | Jqakompl.exe
2676 | Kbljmd32.exe
1956 | Kcpcjl32.exe
2100 | Llbnpm32.exe
1844 | Mogqlgbi.exe
1016 | Nppceo32.exe
1676 | Nahemf32.exe
2780 | Ocphembl.exe
2944 | Ponokmah.exe
2292 | Pnhegi32.exe
2140 | Qfegakmc.exe
2496 | Abaaakob.exe
2504 | Allbpqcp.exe
1780 | Bamdcf32.exe
1708 | Bpbadcbj.exe
964 | Blkoocfl.exe
2940 | Beccgi32.exe
1924 | Cpldjajo.exe
756 | Cclmlm32.exe
2396 | Cadfbi32.exe
3064 | Dgqokp32.exe
2796 | Djfagjai.exe
2232 | Dbaflm32.exe
2260 | Ekjjebed.exe
2968 | Ehphdf32.exe
2764 | Ecnbpcje.exe
2828 | Fglkeaqk.exe
2772 | Fidmniqa.exe
2012 | Gjhfkqdm.exe
688 | Gibmglep.exe
824 | Hmpemkkf.exe
2580 | Hmdohj32.exe
1812 | Hfmcapna.exe
2104 | Hafdbmjp.exe
1036 | Iedmhlqf.exe
2256 | Idjjih32.exe
2244 | Igjckcbo.exe
2384 | Ijklmn32.exe
1784 | Iccqedfa.exe
1348 | Jlnadiko.exe
1488 | Jjbbmmih.exe
2688 | Jbmgapgc.exe
2312 | Jdnpck32.exe
3052 | Khlhiijk.exe
2948 | Kdcinjpo.exe
1696 | Kcjcefbd.exe
2808 | Koacjg32.exe
2752 | Lbbmlbej.exe
2932 | Lbffga32.exe
3040 | Lnmglbgh.exe
1864 | Lnpcabef.exe
2088 | Mmgmhngk.exe
2664 | Mjknab32.exe
1128 | Mdcbjhme.exe
2316 | Megkgpaq.exe
2192 | Nanlla32.exe
804 | Noalfe32.exe
236 | Ndaaclac.exe
1376 | Nmifla32.exe
Loads dropped DLL (64 IoCs)
pid | Process
3020 | c1a2d0cc4efdcaba7b23a153d14c7a40N.exe
3020 | c1a2d0cc4efdcaba7b23a153d14c7a40N.exe
2212 | Gonlld32.exe
2212 | Gonlld32.exe
2152 | Hlamfh32.exe
2152 | Hlamfh32.exe
2204 | Hphljkfk.exe
2204 | Hphljkfk.exe
2760 | Iackhb32.exe
2760 | Iackhb32.exe
2640 | Idcdjmao.exe
2640 | Idcdjmao.exe
852 | Jqakompl.exe
852 | Jqakompl.exe
2676 | Kbljmd32.exe
2676 | Kbljmd32.exe
1956 | Kcpcjl32.exe
1956 | Kcpcjl32.exe
2100 | Llbnpm32.exe
2100 | Llbnpm32.exe
1844 | Mogqlgbi.exe
1844 | Mogqlgbi.exe
1016 | Nppceo32.exe
1016 | Nppceo32.exe
1676 | Nahemf32.exe
1676 | Nahemf32.exe
2780 | Ocphembl.exe
2780 | Ocphembl.exe
2944 | Ponokmah.exe
2944 | Ponokmah.exe
2292 | Pnhegi32.exe
2292 | Pnhegi32.exe
2140 | Qfegakmc.exe
2140 | Qfegakmc.exe
2496 | Abaaakob.exe
2496 | Abaaakob.exe
2504 | Allbpqcp.exe
2504 | Allbpqcp.exe
1780 | Bamdcf32.exe
1780 | Bamdcf32.exe
1708 | Bpbadcbj.exe
1708 | Bpbadcbj.exe
964 | Blkoocfl.exe
964 | Blkoocfl.exe
2940 | Beccgi32.exe
2940 | Beccgi32.exe
1924 | Cpldjajo.exe
1924 | Cpldjajo.exe
756 | Cclmlm32.exe
756 | Cclmlm32.exe
2396 | Cadfbi32.exe
2396 | Cadfbi32.exe
3064 | Dgqokp32.exe
3064 | Dgqokp32.exe
2796 | Djfagjai.exe
2796 | Djfagjai.exe
2232 | Dbaflm32.exe
2232 | Dbaflm32.exe
2260 | Ekjjebed.exe
2260 | Ekjjebed.exe
2968 | Ehphdf32.exe
2968 | Ehphdf32.exe
2764 | Ecnbpcje.exe
2764 | Ecnbpcje.exe
Drops file in System32 directory (64 IoCs)
description | ioc | Process
File created | C:\Windows\SysWOW64\Akbmqmgg.exe | Aollklac.exe
File created | C:\Windows\SysWOW64\Mlhfno32.dll | Dlajdpoc.exe
File opened for modification | C:\Windows\SysWOW64\Ofdicodf.exe | Niqijkel.exe
File created | C:\Windows\SysWOW64\Jnieah32.dll | Pjmnck32.exe
File opened for modification | C:\Windows\SysWOW64\Hhmfhe32.exe | Hjgjgioi.exe
File opened for modification | C:\Windows\SysWOW64\Fpcbik32.exe | Femnkb32.exe
File opened for modification | C:\Windows\SysWOW64\Hbjjfl32.exe | Giafmfad.exe
File created | C:\Windows\SysWOW64\Cikocggb.exe | Cfjfal32.exe
File created | C:\Windows\SysWOW64\Mcblob32.exe | Mdmonf32.exe
File created | C:\Windows\SysWOW64\Cbgandnk.dll | Ilfeidmk.exe
File created | C:\Windows\SysWOW64\Pflpecpa.exe | Pamkgl32.exe
File created | C:\Windows\SysWOW64\Hpkbmemd.dll | Jqakompl.exe
File created | C:\Windows\SysWOW64\Gdoacc32.exe | Ghhanbek.exe
File created | C:\Windows\SysWOW64\Bpmokk32.dll | Pfadke32.exe
File created | C:\Windows\SysWOW64\Iploja32.dll | Jinkkgeb.exe
File opened for modification | C:\Windows\SysWOW64\Ippflkok.exe | Ilbnfmhd.exe
File created | C:\Windows\SysWOW64\Cfemakjj.dll | Hcmajo32.exe
File created | C:\Windows\SysWOW64\Hnkboc32.dll | Hcbogk32.exe
File opened for modification | C:\Windows\SysWOW64\Ldcjooac.exe | Lcpaag32.exe
File opened for modification | C:\Windows\SysWOW64\Imkfhj32.exe | Hcbapdgc.exe
File created | C:\Windows\SysWOW64\Cgkoejig.exe | Cignlf32.exe
File created | C:\Windows\SysWOW64\Beibln32.exe | Bnojpdfb.exe
File created | C:\Windows\SysWOW64\Lpnhmi32.dll | Fohacl32.exe
File opened for modification | C:\Windows\SysWOW64\Eohhmbjc.exe | Eofkgb32.exe
File created | C:\Windows\SysWOW64\Bnnfdpgo.dll | Gcceqa32.exe
File created | C:\Windows\SysWOW64\Iieikd32.dll | Pengmqkl.exe
File created | C:\Windows\SysWOW64\Dkfqcd32.dll | Amlhmb32.exe
File created | C:\Windows\SysWOW64\Fajmoa32.dll | Bjopbh32.exe
File created | C:\Windows\SysWOW64\Dfehdnde.dll | Fekafc32.exe
File created | C:\Windows\SysWOW64\Allbpqcp.exe | Abaaakob.exe
File created | C:\Windows\SysWOW64\Dechlfkl.exe | Ccbojk32.exe
File created | C:\Windows\SysWOW64\Goklkh32.dll | Gcmgdpid.exe
File opened for modification | C:\Windows\SysWOW64\Knnmeh32.exe | Knlpphnd.exe
File opened for modification | C:\Windows\SysWOW64\Bhqico32.exe | Aaddaecl.exe
File created | C:\Windows\SysWOW64\Bogmmc32.dll | Biheapeq.exe
File created | C:\Windows\SysWOW64\Oieencik.exe | Oqhcda32.exe
File created | C:\Windows\SysWOW64\Noalfe32.exe | Nanlla32.exe
File created | C:\Windows\SysWOW64\Obhdpaqm.exe | Niopgljl.exe
File created | C:\Windows\SysWOW64\Cffnpdip.exe | Cfcajekc.exe
File created | C:\Windows\SysWOW64\Honpqaff.exe | Hdfoni32.exe
File created | C:\Windows\SysWOW64\Kmdbjjhl.dll | Kfgfpoaj.exe
File created | C:\Windows\SysWOW64\Fdmdpcnm.dll | Ooabjbdn.exe
File created | C:\Windows\SysWOW64\Bfdhdj32.exe | Abfonl32.exe
File created | C:\Windows\SysWOW64\Hblidd32.exe | Hkpdbj32.exe
File created | C:\Windows\SysWOW64\Jknpdinc.dll | Lpdhea32.exe
File created | C:\Windows\SysWOW64\Pmophe32.exe | Peclcc32.exe
File created | C:\Windows\SysWOW64\Cjhofa32.dll | Abfmecba.exe
File created | C:\Windows\SysWOW64\Kleqohdj.dll | Jifmgman.exe
File created | C:\Windows\SysWOW64\Phkohkkh.exe | Pdnfalea.exe
File created | C:\Windows\SysWOW64\Fidmniqa.exe | Fglkeaqk.exe
File created | C:\Windows\SysWOW64\Bjphff32.exe | Amlhmb32.exe
File opened for modification | C:\Windows\SysWOW64\Medggj32.exe | Mhpgnfpn.exe
File opened for modification | C:\Windows\SysWOW64\Lqiohh32.exe | Lmkgajnm.exe
File opened for modification | C:\Windows\SysWOW64\Djmkkb32.exe | Djjnfbei.exe
File created | C:\Windows\SysWOW64\Fnqhce32.dll | Nfjpcjhe.exe
File created | C:\Windows\SysWOW64\Cphmegmd.dll | Cclmlm32.exe
File created | C:\Windows\SysWOW64\Dgqokp32.exe | Cadfbi32.exe
File opened for modification | C:\Windows\SysWOW64\Ilfeidmk.exe | Ibnppn32.exe
File created | C:\Windows\SysWOW64\Blkoocfl.exe | Bpbadcbj.exe
File opened for modification | C:\Windows\SysWOW64\Qepbjh32.exe | Plgmabke.exe
File opened for modification | C:\Windows\SysWOW64\Elgmbnfn.exe | Dpnogmbl.exe
File created | C:\Windows\SysWOW64\Njifhk32.dll | Kjaled32.exe
File created | C:\Windows\SysWOW64\Jppbkoaf.exe | Jdibfn32.exe
File created | C:\Windows\SysWOW64\Epcmdn32.exe | Eijegdfb.exe
Program crash (1 IoCs)
pid | pid_target | Process | procid_target
3916 | 964 | WerFault.exe | 583
System Location Discovery: System Language Discovery (1 TTPs, 64 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Mkodfeem.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Jqckhffo.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Khakhg32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Pcjmdd32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ediggoma.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Qbenoccc.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Nppceo32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Beibln32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Leallkbl.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Dpnogmbl.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Nhhfbd32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Inkimc32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Jfpcpmef.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Hhicho32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Gcmgdpid.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Abfmecba.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Lhaqld32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Hmpemkkf.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Mdpqec32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ngkhiebk.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Jbfpcl32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Qoimmc32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Dmhfpmee.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Glaejokn.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Peclcc32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Jlnadiko.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Medggj32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Bmfdfpih.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Akbmqmgg.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Mhpgnfpn.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Iajfin32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Cbncfgnm.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Qfegakmc.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Iedmhlqf.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Kcjcefbd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Bpkgmk32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ldngqqjh.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Dmklikob.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Lkeeqckl.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Qkoeoe32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Mmlilfkj.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Pmngef32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Kdfjekmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Apflic32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ecnbpcje.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Kdcinjpo.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Hbjjfl32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Cphncpld.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Cklnog32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Dcpcppfh.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Odbcnh32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Kedaddif.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Mjoecjgf.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Fklaqp32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Liplmolo.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Alojlgii.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ccikghel.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Gqajfmpb.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Mpaado32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Mjohlb32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Dlomnp32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Jjldbiig.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Bdidegec.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Qfnmjb32.exe
Modifies registry class (64 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Bnojpdfb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Jhedachg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gangjnaj.dll" | Einljkji.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffhoopnc.dll" | Hfbfpnel.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Hhbmgp32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Goohckob.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Fljjhb32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjmfgl32.dll" | Efakjgni.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Qaifoo32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbmnmqkl.dll" | Ohglfa32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Fpcbik32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Fgmogcpc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nnnbmk32.dll" | Gkqjlpmd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Fiiafg32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Iedmhlqf.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Megkgpaq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qocaebmb.dll" | Agikmeeg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Chanco32.dll" | Qepbjh32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Aaaohfjo.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Glapia32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hqbmomim.dll" | Cgdippej.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Olihibek.dll" | Onojfd32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Paihgboc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lkogbc32.dll" | Ediggoma.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Kdfjekmd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lgebaj32.dll" | Mhaodqje.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Allbpqcp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Belhem32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Hkpdbj32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Cfjfal32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Gdlncn32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pghcbd32.dll" | Enliaf32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Iopqoi32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Alojlgii.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ddogmf32.dll" | Jddhknpg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Hinolcbf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Oaecne32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Jboapc32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Efakjgni.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgklpnpf.dll" | Dfdpbaeb.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Oglgji32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Fglkeaqk.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cmafgkho.dll" | Olpiig32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpifgqmh.dll" | Odbcnh32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjmmld32.dll" | Kabbehjb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmdbjjhl.dll" | Kfgfpoaj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Gcbaop32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbiangbo.dll" | Dpnogmbl.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Hcbapdgc.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Enkgkj32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Pnbeacbd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Oqhcda32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Ooabjbdn.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Moelic32.dll" | Okjoec32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Bcfbbe32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Kamooe32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Abopnhlp.dll" | Fhikiefk.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Edahca32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Gpdhiaoi.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Ilpohecc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kpipkb32.dll" | Fpjmkhbo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfndga32.dll" | Lcecpe32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Hhbmgp32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Amlhmb32.exe
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\c1a2d0cc4efdcaba7b23a153d14c7a40N.exe"C:\Users\Admin\AppData\Local\Temp\c1a2d0cc4efdcaba7b23a153d14c7a40N.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3020 -
C:\Windows\SysWOW64\Gonlld32.exeC:\Windows\system32\Gonlld32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2212 -
C:\Windows\SysWOW64\Hlamfh32.exeC:\Windows\system32\Hlamfh32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2152 -
C:\Windows\SysWOW64\Hphljkfk.exeC:\Windows\system32\Hphljkfk.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2204 -
C:\Windows\SysWOW64\Iackhb32.exeC:\Windows\system32\Iackhb32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2760 -
C:\Windows\SysWOW64\Idcdjmao.exeC:\Windows\system32\Idcdjmao.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2640 -
C:\Windows\SysWOW64\Jqakompl.exeC:\Windows\system32\Jqakompl.exe7⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:852 -
C:\Windows\SysWOW64\Kbljmd32.exeC:\Windows\system32\Kbljmd32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2676 -
C:\Windows\SysWOW64\Kcpcjl32.exeC:\Windows\system32\Kcpcjl32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1956 -
C:\Windows\SysWOW64\Llbnpm32.exeC:\Windows\system32\Llbnpm32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2100 -
C:\Windows\SysWOW64\Mogqlgbi.exeC:\Windows\system32\Mogqlgbi.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1844 -
C:\Windows\SysWOW64\Nppceo32.exeC:\Windows\system32\Nppceo32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1016 -
C:\Windows\SysWOW64\Nahemf32.exeC:\Windows\system32\Nahemf32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1676 -
C:\Windows\SysWOW64\Ocphembl.exeC:\Windows\system32\Ocphembl.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2780 -
C:\Windows\SysWOW64\Ponokmah.exeC:\Windows\system32\Ponokmah.exe15⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2944 -
C:\Windows\SysWOW64\Pnhegi32.exeC:\Windows\system32\Pnhegi32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2292 -
C:\Windows\SysWOW64\Qfegakmc.exeC:\Windows\system32\Qfegakmc.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2140 -
C:\Windows\SysWOW64\Abaaakob.exeC:\Windows\system32\Abaaakob.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2496 -
C:\Windows\SysWOW64\Allbpqcp.exeC:\Windows\system32\Allbpqcp.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2504 -
C:\Windows\SysWOW64\Bamdcf32.exeC:\Windows\system32\Bamdcf32.exe20⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1780 -
C:\Windows\SysWOW64\Bpbadcbj.exeC:\Windows\system32\Bpbadcbj.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1708 -
C:\Windows\SysWOW64\Blkoocfl.exeC:\Windows\system32\Blkoocfl.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:964 -
C:\Windows\SysWOW64\Beccgi32.exeC:\Windows\system32\Beccgi32.exe23⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2940 -
C:\Windows\SysWOW64\Cpldjajo.exeC:\Windows\system32\Cpldjajo.exe24⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1924 -
C:\Windows\SysWOW64\Cclmlm32.exeC:\Windows\system32\Cclmlm32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:756 -
C:\Windows\SysWOW64\Cadfbi32.exeC:\Windows\system32\Cadfbi32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2396 -
C:\Windows\SysWOW64\Dgqokp32.exeC:\Windows\system32\Dgqokp32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3064 -
C:\Windows\SysWOW64\Djfagjai.exeC:\Windows\system32\Djfagjai.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2796 -
C:\Windows\SysWOW64\Dbaflm32.exeC:\Windows\system32\Dbaflm32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2232 -
C:\Windows\SysWOW64\Ekjjebed.exeC:\Windows\system32\Ekjjebed.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2260 -
C:\Windows\SysWOW64\Ehphdf32.exeC:\Windows\system32\Ehphdf32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2968 -
C:\Windows\SysWOW64\Ecnbpcje.exeC:\Windows\system32\Ecnbpcje.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2764 -
C:\Windows\SysWOW64\Fglkeaqk.exeC:\Windows\system32\Fglkeaqk.exe33⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2828 -
C:\Windows\SysWOW64\Fidmniqa.exeC:\Windows\system32\Fidmniqa.exe34⤵
- Executes dropped EXE
PID:2772 -
C:\Windows\SysWOW64\Gjhfkqdm.exeC:\Windows\system32\Gjhfkqdm.exe35⤵
- Executes dropped EXE
PID:2012 -
C:\Windows\SysWOW64\Gibmglep.exeC:\Windows\system32\Gibmglep.exe36⤵
- Executes dropped EXE
PID:688 -
C:\Windows\SysWOW64\Hmpemkkf.exeC:\Windows\system32\Hmpemkkf.exe37⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:824 -
C:\Windows\SysWOW64\Hmdohj32.exeC:\Windows\system32\Hmdohj32.exe38⤵
- Executes dropped EXE
PID:2580 -
C:\Windows\SysWOW64\Hfmcapna.exeC:\Windows\system32\Hfmcapna.exe39⤵
- Executes dropped EXE
PID:1812 -
C:\Windows\SysWOW64\Hafdbmjp.exeC:\Windows\system32\Hafdbmjp.exe40⤵
- Executes dropped EXE
PID:2104 -
C:\Windows\SysWOW64\Iedmhlqf.exeC:\Windows\system32\Iedmhlqf.exe41⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1036 -
C:\Windows\SysWOW64\Idjjih32.exeC:\Windows\system32\Idjjih32.exe42⤵
- Executes dropped EXE
PID:2256 -
C:\Windows\SysWOW64\Igjckcbo.exeC:\Windows\system32\Igjckcbo.exe43⤵
- Executes dropped EXE
PID:2244 -
C:\Windows\SysWOW64\Ijklmn32.exeC:\Windows\system32\Ijklmn32.exe44⤵
- Executes dropped EXE
PID:2384 -
C:\Windows\SysWOW64\Iccqedfa.exeC:\Windows\system32\Iccqedfa.exe45⤵
- Executes dropped EXE
PID:1784 -
C:\Windows\SysWOW64\Jlnadiko.exeC:\Windows\system32\Jlnadiko.exe46⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1348 -
C:\Windows\SysWOW64\Jjbbmmih.exeC:\Windows\system32\Jjbbmmih.exe47⤵
- Executes dropped EXE
PID:1488 -
C:\Windows\SysWOW64\Jbmgapgc.exeC:\Windows\system32\Jbmgapgc.exe48⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2688 -
C:\Windows\SysWOW64\Jdnpck32.exeC:\Windows\system32\Jdnpck32.exe49⤵
- Executes dropped EXE
PID:2312 -
C:\Windows\SysWOW64\Khlhiijk.exeC:\Windows\system32\Khlhiijk.exe50⤵
- Executes dropped EXE
PID:3052 -
C:\Windows\SysWOW64\Kdcinjpo.exeC:\Windows\system32\Kdcinjpo.exe51⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2948 -
C:\Windows\SysWOW64\Kcjcefbd.exeC:\Windows\system32\Kcjcefbd.exe52⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1696 -
C:\Windows\SysWOW64\Koacjg32.exeC:\Windows\system32\Koacjg32.exe53⤵
- Executes dropped EXE
PID:2808 -
C:\Windows\SysWOW64\Lbbmlbej.exeC:\Windows\system32\Lbbmlbej.exe54⤵
- Executes dropped EXE
PID:2752 -
C:\Windows\SysWOW64\Lbffga32.exeC:\Windows\system32\Lbffga32.exe55⤵
- Executes dropped EXE
PID:2932 -
C:\Windows\SysWOW64\Lnmglbgh.exeC:\Windows\system32\Lnmglbgh.exe56⤵
- Executes dropped EXE
PID:3040 -
C:\Windows\SysWOW64\Lnpcabef.exeC:\Windows\system32\Lnpcabef.exe57⤵
- Executes dropped EXE
PID:1864 -
C:\Windows\SysWOW64\Mmgmhngk.exeC:\Windows\system32\Mmgmhngk.exe58⤵
- Executes dropped EXE
PID:2088 -
C:\Windows\SysWOW64\Mjknab32.exeC:\Windows\system32\Mjknab32.exe59⤵
- Executes dropped EXE
PID:2664 -
C:\Windows\SysWOW64\Mdcbjhme.exeC:\Windows\system32\Mdcbjhme.exe60⤵
- Executes dropped EXE
PID:1128 -
C:\Windows\SysWOW64\Megkgpaq.exeC:\Windows\system32\Megkgpaq.exe61⤵
- Executes dropped EXE
- Modifies registry class
PID:2316 -
C:\Windows\SysWOW64\Nanlla32.exeC:\Windows\system32\Nanlla32.exe62⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2192 -
C:\Windows\SysWOW64\Noalfe32.exeC:\Windows\system32\Noalfe32.exe63⤵
- Executes dropped EXE
PID:804 -
C:\Windows\SysWOW64\Ndaaclac.exeC:\Windows\system32\Ndaaclac.exe64⤵
- Executes dropped EXE
PID:236 -
C:\Windows\SysWOW64\Nmifla32.exeC:\Windows\system32\Nmifla32.exe65⤵
- Executes dropped EXE
PID:1376 -
C:\Windows\SysWOW64\Nkpckeek.exeC:\Windows\system32\Nkpckeek.exe66⤵PID:1748
-
C:\Windows\SysWOW64\Odhhdk32.exeC:\Windows\system32\Odhhdk32.exe67⤵PID:2988
-
C:\Windows\SysWOW64\Ogiqffhl.exeC:\Windows\system32\Ogiqffhl.exe68⤵PID:2560
-
C:\Windows\SysWOW64\Oabafcek.exeC:\Windows\system32\Oabafcek.exe69⤵PID:2224
-
C:\Windows\SysWOW64\Ohljcnlh.exeC:\Windows\system32\Ohljcnlh.exe70⤵PID:2556
-
C:\Windows\SysWOW64\Oljbil32.exeC:\Windows\system32\Oljbil32.exe71⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2208 -
C:\Windows\SysWOW64\Oagkac32.exeC:\Windows\system32\Oagkac32.exe72⤵PID:2084
-
C:\Windows\SysWOW64\Paihgboc.exeC:\Windows\system32\Paihgboc.exe73⤵
- Modifies registry class
PID:2876 -
C:\Windows\SysWOW64\Pnbeacbd.exeC:\Windows\system32\Pnbeacbd.exe74⤵
- Modifies registry class
PID:2768 -
C:\Windows\SysWOW64\Aomdpj32.exeC:\Windows\system32\Aomdpj32.exe75⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2404 -
C:\Windows\SysWOW64\Aaegha32.exeC:\Windows\system32\Aaegha32.exe76⤵PID:1996
-
C:\Windows\SysWOW64\Amlhmb32.exeC:\Windows\system32\Amlhmb32.exe77⤵
- Drops file in System32 directory
- Modifies registry class
PID:1688 -
C:\Windows\SysWOW64\Bjphff32.exeC:\Windows\system32\Bjphff32.exe78⤵PID:1156
-
C:\Windows\SysWOW64\Bjbelf32.exeC:\Windows\system32\Bjbelf32.exe79⤵PID:2220
-
C:\Windows\SysWOW64\Bpajjmon.exeC:\Windows\system32\Bpajjmon.exe80⤵PID:3016
-
C:\Windows\SysWOW64\Boggkicf.exeC:\Windows\system32\Boggkicf.exe81⤵PID:2376
-
C:\Windows\SysWOW64\Bjnhpj32.exeC:\Windows\system32\Bjnhpj32.exe82⤵PID:676
-
C:\Windows\SysWOW64\Cokqfhpa.exeC:\Windows\system32\Cokqfhpa.exe83⤵PID:1552
-
C:\Windows\SysWOW64\Chdeonfa.exeC:\Windows\system32\Chdeonfa.exe84⤵PID:472
-
C:\Windows\SysWOW64\Cignlf32.exeC:\Windows\system32\Cignlf32.exe85⤵
- Drops file in System32 directory
PID:1692 -
C:\Windows\SysWOW64\Cgkoejig.exeC:\Windows\system32\Cgkoejig.exe86⤵PID:2484
-
C:\Windows\SysWOW64\Ccbojk32.exeC:\Windows\system32\Ccbojk32.exe87⤵
- Drops file in System32 directory
PID:3068 -
C:\Windows\SysWOW64\Dechlfkl.exeC:\Windows\system32\Dechlfkl.exe88⤵PID:2004
-
C:\Windows\SysWOW64\Dcgiejje.exeC:\Windows\system32\Dcgiejje.exe89⤵PID:2916
-
C:\Windows\SysWOW64\Dlomnp32.exeC:\Windows\system32\Dlomnp32.exe90⤵
- System Location Discovery: System Language Discovery
PID:2624 -
C:\Windows\SysWOW64\Dlajdpoc.exeC:\Windows\system32\Dlajdpoc.exe91⤵
- Drops file in System32 directory
PID:1056 -
C:\Windows\SysWOW64\Dejnme32.exeC:\Windows\system32\Dejnme32.exe92⤵PID:332
-
C:\Windows\SysWOW64\Ekicjlai.exeC:\Windows\system32\Ekicjlai.exe93⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1200 -
C:\Windows\SysWOW64\Edahca32.exeC:\Windows\system32\Edahca32.exe94⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:1912 -
C:\Windows\SysWOW64\Enliaf32.exeC:\Windows\system32\Enliaf32.exe95⤵
- Modifies registry class
PID:2424 -
C:\Windows\SysWOW64\Eqjenb32.exeC:\Windows\system32\Eqjenb32.exe96⤵PID:2476
-
C:\Windows\SysWOW64\Eopbooqb.exeC:\Windows\system32\Eopbooqb.exe97⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:956 -
C:\Windows\SysWOW64\Fobodn32.exeC:\Windows\system32\Fobodn32.exe98⤵PID:1832
-
C:\Windows\SysWOW64\Fnglekch.exeC:\Windows\system32\Fnglekch.exe99⤵PID:924
-
C:\Windows\SysWOW64\Fqjbme32.exeC:\Windows\system32\Fqjbme32.exe100⤵PID:2180
-
C:\Windows\SysWOW64\Fkpfjnnl.exeC:\Windows\system32\Fkpfjnnl.exe101⤵PID:2912
-
C:\Windows\SysWOW64\Fehjcc32.exeC:\Windows\system32\Fehjcc32.exe102⤵PID:632
-
C:\Windows\SysWOW64\Gcmgdpid.exeC:\Windows\system32\Gcmgdpid.exe103⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2732 -
C:\Windows\SysWOW64\Gpdhiaoi.exeC:\Windows\system32\Gpdhiaoi.exe104⤵
- Modifies registry class
PID:2616 -
C:\Windows\SysWOW64\Gcbaop32.exeC:\Windows\system32\Gcbaop32.exe105⤵
- Modifies registry class
PID:2604 -
C:\Windows\SysWOW64\Giafmfad.exeC:\Windows\system32\Giafmfad.exe106⤵
- Drops file in System32 directory
PID:528 -
C:\Windows\SysWOW64\Hbjjfl32.exeC:\Windows\system32\Hbjjfl32.exe107⤵
- System Location Discovery: System Language Discovery
PID:2872 -
C:\Windows\SysWOW64\Hjeojnep.exeC:\Windows\system32\Hjeojnep.exe108⤵PID:1132
-
C:\Windows\SysWOW64\Hhipcbdi.exeC:\Windows\system32\Hhipcbdi.exe109⤵PID:2420
-
C:\Windows\SysWOW64\Hmehlibq.exeC:\Windows\system32\Hmehlibq.exe110⤵PID:2252
-
C:\Windows\SysWOW64\Hnedfljc.exeC:\Windows\system32\Hnedfljc.exe111⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1328 -
C:\Windows\SysWOW64\Hdbmnchk.exeC:\Windows\system32\Hdbmnchk.exe112⤵PID:920
-
C:\Windows\SysWOW64\Hfbfpnel.exeC:\Windows\system32\Hfbfpnel.exe113⤵
- Modifies registry class
PID:2308 -
C:\Windows\SysWOW64\Ilpohecc.exeC:\Windows\system32\Ilpohecc.exe114⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:564 -
C:\Windows\SysWOW64\Ilbknd32.exeC:\Windows\system32\Ilbknd32.exe115⤵PID:1592
-
C:\Windows\SysWOW64\Ibnppn32.exeC:\Windows\system32\Ibnppn32.exe116⤵
- Drops file in System32 directory
PID:2924 -
C:\Windows\SysWOW64\Ilfeidmk.exeC:\Windows\system32\Ilfeidmk.exe117⤵
- Drops file in System32 directory
PID:2608 -
C:\Windows\SysWOW64\Iacmakkb.exeC:\Windows\system32\Iacmakkb.exe118⤵PID:304
-
C:\Windows\SysWOW64\Khakhg32.exeC:\Windows\system32\Khakhg32.exe119⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:1420 -
C:\Windows\SysWOW64\Kkbdib32.exeC:\Windows\system32\Kkbdib32.exe120⤵PID:1508
-
C:\Windows\SysWOW64\Kdkhbh32.exeC:\Windows\system32\Kdkhbh32.exe121⤵PID:2500
-
C:\Windows\SysWOW64\Kqaigijk.exeC:\Windows\system32\Kqaigijk.exe122⤵PID:1664