Analysis
-
max time kernel
119s -
max time network
21s -
platform
windows7_x64 -
resource
win7-20240704-en -
resource tags
arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system -
submitted
22/08/2024, 16:47
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
ca850c8e5b274aed5f83cdc8b15e56b0N.exe
Resource
win7-20240704-en
windows7-x64
7 signatures
120 seconds
Behavioral task
behavioral2
Sample
ca850c8e5b274aed5f83cdc8b15e56b0N.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
7 signatures
120 seconds
General
-
Target
ca850c8e5b274aed5f83cdc8b15e56b0N.exe
-
Size
92KB
-
MD5
ca850c8e5b274aed5f83cdc8b15e56b0
-
SHA1
d22b6fb310c5260b82f2d0fc9b8c9ff762c533cb
-
SHA256
8d334ca7d16ff62db6d07230bed6453d2726774c49274634e1c829c8e783ecd2
-
SHA512
69d54eb4a88cd45a3fc8e3622a6b4da81c2646f0796d427f5805b5f17c3645d54e5848ef84342aa60bf0250b67177417ccc3899e43e777ca8a1efd882c2807d5
-
SSDEEP
1536:oG95EqG+xzrgv4RAA3Mi/3moMjXq+66DFUABABOVLefE3:xlxzr24RLHeoMj6+JB8M3
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Igomfb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eclqhfpp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ockiklha.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Omdpmjfe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fmkpchmp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cbmoeeod.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hnegod32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kkpbbeda.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nkofon32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Banjpl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ocphembl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Caomgjnk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cjbccb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bloidc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ckkjmf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fcipaien.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cemfnh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fmkpchmp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jchjqc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Llmnjg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ngajeg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hlbooaoe.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gmjehe32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jmbhhl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iodolf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Faanibeh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pjmqldee.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fcknai32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pkbcjn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Phdden32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jchjqc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dafeaapg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kdaoacif.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ifhacfhj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ijofbnlm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mfjaknoe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dnkhcnfe.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lfibeoog.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dbjledoo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hmbbcjic.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nkpckeek.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mloigc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mkjibnbn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Labamcdb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jbegpn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Odlpfblm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Plecdk32.exe -
Executes dropped EXE 64 IoCs
pid Process 2556 Fbbfmqdm.exe 2196 Fjnkac32.exe 316 Ffghlcei.exe 2812 Fjdqbbkp.exe 2728 Glhjpjok.exe 2852 Goicaell.exe 2668 Gokpgd32.exe 980 Giaddm32.exe 1864 Hopibdfd.exe 412 Haqbcoce.exe 760 Hpfoekhm.exe 592 Heedbbdb.exe 1740 Ijcmipjh.exe 2316 Iopeagip.exe 2332 Iodolf32.exe 2700 Ikkoagjo.exe 2252 Ihopjl32.exe 1588 Jjqlbdog.exe 792 Jgdmkhnp.exe 640 Jggiah32.exe 1076 Jflfbdqe.exe 1512 Jkklpk32.exe 2436 Kecpipck.exe 2992 Kkpekjie.exe 1484 Kbjmhd32.exe 2176 Knqnmeff.exe 2348 Lmhhcaik.exe 3024 Ljlhme32.exe 2824 Lbgmah32.exe 2884 Lbijgg32.exe 2896 Lmondpbc.exe 2932 Lobgah32.exe 2600 Memonbnl.exe 2000 Mmjqhd32.exe 1368 Mgbeqjpd.exe 976 Nliqoofa.exe 1016 Nhpadpke.exe 1856 Nhbnjpic.exe 1760 Ooncljom.exe 1744 Odkkdqmd.exe 944 Ocphembl.exe 2140 Ofaaghom.exe 1152 Oqfeda32.exe 236 Ofcnmh32.exe 1784 Ommfibdg.exe 1552 Pbjoaibo.exe 2536 Pkbcjn32.exe 1292 Pifcdbhi.exe 1692 Poplqm32.exe 1508 Pbohmh32.exe 3028 Pkglenej.exe 2288 Pqdend32.exe 2836 Pgnmjokn.exe 2240 Pnhegi32.exe 1248 Pcdnpp32.exe 2620 Qahnid32.exe 1996 Qgbfen32.exe 1716 Qakkncmi.exe 1200 Ajcpgi32.exe 2860 Acldpojj.exe 2200 Ajelmiag.exe 2080 Acnqen32.exe 2256 Aeommfnf.exe 2476 Apeakonl.exe -
Loads dropped DLL 64 IoCs
pid Process 3004 ca850c8e5b274aed5f83cdc8b15e56b0N.exe 3004 ca850c8e5b274aed5f83cdc8b15e56b0N.exe 2556 Fbbfmqdm.exe 2556 Fbbfmqdm.exe 2196 Fjnkac32.exe 2196 Fjnkac32.exe 316 Ffghlcei.exe 316 Ffghlcei.exe 2812 Fjdqbbkp.exe 2812 Fjdqbbkp.exe 2728 Glhjpjok.exe 2728 Glhjpjok.exe 2852 Goicaell.exe 2852 Goicaell.exe 2668 Gokpgd32.exe 2668 Gokpgd32.exe 980 Giaddm32.exe 980 Giaddm32.exe 1864 Hopibdfd.exe 1864 Hopibdfd.exe 412 Haqbcoce.exe 412 Haqbcoce.exe 760 Hpfoekhm.exe 760 Hpfoekhm.exe 592 Heedbbdb.exe 592 Heedbbdb.exe 1740 Ijcmipjh.exe 1740 Ijcmipjh.exe 2316 Iopeagip.exe 2316 Iopeagip.exe 2332 Iodolf32.exe 2332 Iodolf32.exe 2700 Ikkoagjo.exe 2700 Ikkoagjo.exe 2252 Ihopjl32.exe 2252 Ihopjl32.exe 1588 Jjqlbdog.exe 1588 Jjqlbdog.exe 792 Jgdmkhnp.exe 792 Jgdmkhnp.exe 640 Jggiah32.exe 640 Jggiah32.exe 1076 Jflfbdqe.exe 1076 Jflfbdqe.exe 1512 Jkklpk32.exe 1512 Jkklpk32.exe 2436 Kecpipck.exe 2436 Kecpipck.exe 2992 Kkpekjie.exe 2992 Kkpekjie.exe 1484 Kbjmhd32.exe 1484 Kbjmhd32.exe 2176 Knqnmeff.exe 2176 Knqnmeff.exe 2348 Lmhhcaik.exe 2348 Lmhhcaik.exe 3024 Ljlhme32.exe 3024 Ljlhme32.exe 2824 Lbgmah32.exe 2824 Lbgmah32.exe 2884 Lbijgg32.exe 2884 Lbijgg32.exe 2896 Lmondpbc.exe 2896 Lmondpbc.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Bkodfk32.dll Jngfei32.exe File opened for modification C:\Windows\SysWOW64\Baloce32.exe Process not Found File created C:\Windows\SysWOW64\Dchqkedl.exe Dnkhcnfe.exe File created C:\Windows\SysWOW64\Enkgkj32.exe Ebdffijp.exe File created C:\Windows\SysWOW64\Nhehnb32.dll Process not Found File opened for modification C:\Windows\SysWOW64\Odbiij32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Dcgppana.exe Dafchi32.exe File opened for modification C:\Windows\SysWOW64\Bbkmki32.exe Bjphff32.exe File created C:\Windows\SysWOW64\Ipclej32.exe Ighgah32.exe File opened for modification C:\Windows\SysWOW64\Hqdeciho.exe Hjjmgo32.exe File created C:\Windows\SysWOW64\Cgenbadb.exe Process not Found File opened for modification C:\Windows\SysWOW64\Jonffc32.exe Process not Found File created C:\Windows\SysWOW64\Mllqfhgm.dll Jkklpk32.exe File opened for modification C:\Windows\SysWOW64\Lebemmbk.exe Lbbmlbej.exe File opened for modification C:\Windows\SysWOW64\Anonqq32.exe Adgihkmf.exe File created C:\Windows\SysWOW64\Fbledk32.dll Mbogchnp.exe File created C:\Windows\SysWOW64\Bioddj32.exe Process not Found File created C:\Windows\SysWOW64\Mdfloc32.dll Process not Found File created C:\Windows\SysWOW64\Kbfeigdn.dll Ehphdf32.exe File created C:\Windows\SysWOW64\Ckjnfobi.exe Cemfnh32.exe File created C:\Windows\SysWOW64\Qjabhq32.dll Jbpcgo32.exe File opened for modification C:\Windows\SysWOW64\Cllaca32.exe Cjnege32.exe File opened for modification C:\Windows\SysWOW64\Dpeike32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Eclqhfpp.exe Ecidbfbb.exe File created C:\Windows\SysWOW64\Ajhgfe32.dll Ihocmeao.exe File created C:\Windows\SysWOW64\Oldbfc32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Nolhoc32.exe Nbehjb32.exe File opened for modification C:\Windows\SysWOW64\Lohlcoid.exe Lfpgkicd.exe File created C:\Windows\SysWOW64\Gkfkae32.exe Gkcnleom.exe File created C:\Windows\SysWOW64\Kbapok32.exe Kmdgfd32.exe File created C:\Windows\SysWOW64\Cbgnaljp.exe Process not Found File created C:\Windows\SysWOW64\Llojlloj.dll Omdpmjfe.exe File opened for modification C:\Windows\SysWOW64\Dglbjgff.exe Dncmaa32.exe File created C:\Windows\SysWOW64\Gjoiokgo.dll Gjomlp32.exe File created C:\Windows\SysWOW64\Bjogpk32.dll Kcjcefbd.exe File created C:\Windows\SysWOW64\Olapcm32.exe Nkpckeek.exe File created C:\Windows\SysWOW64\Gaahmd32.exe Gjeckk32.exe File created C:\Windows\SysWOW64\Gccogijj.dll Glaejokn.exe File opened for modification C:\Windows\SysWOW64\Mhdace32.exe Llmandgf.exe File created C:\Windows\SysWOW64\Ljpfmj32.dll Gfejic32.exe File created C:\Windows\SysWOW64\Deiohe32.dll Gelcpp32.exe File opened for modification C:\Windows\SysWOW64\Piidhp32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Cboljemb.exe Cbmoeeod.exe File created C:\Windows\SysWOW64\Ngifff32.dll Ejmgjf32.exe File opened for modification C:\Windows\SysWOW64\Dceamq32.exe Process not Found File created C:\Windows\SysWOW64\Cnblbiic.exe Process not Found File created C:\Windows\SysWOW64\Nldgapec.dll Process not Found File opened for modification C:\Windows\SysWOW64\Fkipiodd.exe Ejeglg32.exe File opened for modification C:\Windows\SysWOW64\Jialbh32.exe Jfbpfl32.exe File opened for modification C:\Windows\SysWOW64\Ioonhm32.exe Iefiphie.exe File created C:\Windows\SysWOW64\Cmkkhfmn.exe Bmhncg32.exe File created C:\Windows\SysWOW64\Lngblqbj.dll Ekqqea32.exe File opened for modification C:\Windows\SysWOW64\Pefmkpbl.exe Oiolfo32.exe File created C:\Windows\SysWOW64\Oonbnfio.exe Ocgbiedj.exe File created C:\Windows\SysWOW64\Omafhblc.dll Process not Found File opened for modification C:\Windows\SysWOW64\Hegpim32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Okjoec32.exe Oaaklmao.exe File created C:\Windows\SysWOW64\Hejcic32.exe Process not Found File created C:\Windows\SysWOW64\Iiddoo32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Odhjopna.exe Process not Found File created C:\Windows\SysWOW64\Opdfemad.dll Process not Found File created C:\Windows\SysWOW64\Bdkink32.dll Process not Found File created C:\Windows\SysWOW64\Cemfnh32.exe Cocnanmd.exe File created C:\Windows\SysWOW64\Pdcide32.dll Nmifla32.exe -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kjfhgp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iiaddb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jpboan32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gacblhii.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Badlln32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jjibkl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jkbecc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fqdong32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mjfdfcjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ahhhgh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ojphmfdc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ofldfpmf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kgddin32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gkkdldhe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kdfjekmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nfpkgblc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fadoqc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ckikoagc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gkfkae32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Omflbj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Balmjmeh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lmondpbc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lobgah32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ngajeg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lnpejklj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kfmjfa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lpbnijic.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Neocahbm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lnflif32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oncqik32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ghjkki32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fpkfng32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ibaago32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jnadfk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bhallgpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fcacfd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Omaqoa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Inhfmmfi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Enamje32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Opmpenbj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Medggj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jdlcnkfg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ephihbnm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pidhjg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aplppela.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ajindjom.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Apgnpo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mcpmqj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jfbpfl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fhnede32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Klgnci32.dll" Fpkfng32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nkbjodoj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mknnobmb.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ioocfn32.dll" Giaddm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bkheal32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhgdkh32.dll" Clphjc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Akbnfk32.dll" Gmdapoil.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mioaalkn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gabjna32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jdpmij32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nldbbbno.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lhcpkmef.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lobkifnl.dll" Ahlphpmk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpecfg32.dll" Dfdbkj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jialbh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Knabngen.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfnaad32.dll" Blpkmljl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ioonhm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmohgd32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bimbfckl.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eeebfj32.dll" Clbdobpc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fkcgfi32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pimlpcke.dll" Dafchi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Diljpn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cceakj32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imiomgme.dll" Ljdgqc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gkfkae32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ipclej32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cgghoh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kamkka32.dll" Oaikjl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cnanbijd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lapcki32.dll" Nnkpkdio.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nhpadpke.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pijhompm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cjepib32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jmplbl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fbbfmqdm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jggafj32.dll" Olapcm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ffkejlij.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebjpqc32.dll" Eebpil32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjpcdg32.dll" Jcidofcf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jgdmkhnp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ccjekm32.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aggbif32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mphhbblp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hpfoekhm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Andnff32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Chpmocpa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dcgppana.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bmohgoao.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Amlkpkni.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fhbcaa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbhopp32.dll" Fadoqc32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3004 wrote to memory of 2556 3004 ca850c8e5b274aed5f83cdc8b15e56b0N.exe 29 PID 3004 wrote to memory of 2556 3004 ca850c8e5b274aed5f83cdc8b15e56b0N.exe 29 PID 3004 wrote to memory of 2556 3004 ca850c8e5b274aed5f83cdc8b15e56b0N.exe 29 PID 3004 wrote to memory of 2556 3004 ca850c8e5b274aed5f83cdc8b15e56b0N.exe 29 PID 2556 wrote to memory of 2196 2556 Fbbfmqdm.exe 30 PID 2556 wrote to memory of 2196 2556 Fbbfmqdm.exe 30 PID 2556 wrote to memory of 2196 2556 Fbbfmqdm.exe 30 PID 2556 wrote to memory of 2196 2556 Fbbfmqdm.exe 30 PID 2196 wrote to memory of 316 2196 Fjnkac32.exe 31 PID 2196 wrote to memory of 316 2196 Fjnkac32.exe 31 PID 2196 wrote to memory of 316 2196 Fjnkac32.exe 31 PID 2196 wrote to memory of 316 2196 Fjnkac32.exe 31 PID 316 wrote to memory of 2812 316 Ffghlcei.exe 32 PID 316 wrote to memory of 2812 316 Ffghlcei.exe 32 PID 316 wrote to memory of 2812 316 Ffghlcei.exe 32 PID 316 wrote to memory of 2812 316 Ffghlcei.exe 32 PID 2812 wrote to memory of 2728 2812 Fjdqbbkp.exe 33 PID 2812 wrote to memory of 2728 2812 Fjdqbbkp.exe 33 PID 2812 wrote to memory of 2728 2812 Fjdqbbkp.exe 33 PID 2812 wrote to memory of 2728 2812 Fjdqbbkp.exe 33 PID 2728 wrote to memory of 2852 2728 Glhjpjok.exe 34 PID 2728 wrote to memory of 2852 2728 Glhjpjok.exe 34 PID 2728 wrote to memory of 2852 2728 Glhjpjok.exe 34 PID 2728 wrote to memory of 2852 2728 Glhjpjok.exe 34 PID 2852 wrote to memory of 2668 2852 Goicaell.exe 35 PID 2852 wrote to memory of 2668 2852 Goicaell.exe 35 PID 2852 wrote to memory of 2668 2852 Goicaell.exe 35 PID 2852 wrote to memory of 2668 2852 Goicaell.exe 35 PID 2668 wrote to memory of 980 2668 Gokpgd32.exe 36 PID 2668 wrote to memory of 980 2668 Gokpgd32.exe 36 PID 2668 wrote to memory of 980 2668 Gokpgd32.exe 36 PID 2668 wrote to memory of 980 2668 Gokpgd32.exe 36 PID 980 wrote to memory of 1864 980 Giaddm32.exe 37 PID 980 wrote to memory of 1864 980 Giaddm32.exe 37 PID 980 wrote to memory of 1864 980 Giaddm32.exe 37 PID 980 wrote to memory of 1864 980 Giaddm32.exe 37 PID 1864 wrote to memory of 412 1864 Hopibdfd.exe 38 PID 1864 wrote to memory of 412 1864 Hopibdfd.exe 38 PID 1864 wrote to memory of 412 1864 Hopibdfd.exe 38 PID 1864 wrote to memory of 412 1864 Hopibdfd.exe 38 PID 412 wrote to memory of 760 412 Haqbcoce.exe 39 PID 412 wrote to memory of 760 412 Haqbcoce.exe 39 PID 412 wrote to memory of 760 412 Haqbcoce.exe 39 PID 412 wrote to memory of 760 412 Haqbcoce.exe 39 PID 760 wrote to memory of 592 760 Hpfoekhm.exe 40 PID 760 wrote to memory of 592 760 Hpfoekhm.exe 40 PID 760 wrote to memory of 592 760 Hpfoekhm.exe 40 PID 760 wrote to memory of 592 760 Hpfoekhm.exe 40 PID 592 wrote to memory of 1740 592 Heedbbdb.exe 41 PID 592 wrote to memory of 1740 592 Heedbbdb.exe 41 PID 592 wrote to memory of 1740 592 Heedbbdb.exe 41 PID 592 wrote to memory of 1740 592 Heedbbdb.exe 41 PID 1740 wrote to memory of 2316 1740 Ijcmipjh.exe 42 PID 1740 wrote to memory of 2316 1740 Ijcmipjh.exe 42 PID 1740 wrote to memory of 2316 1740 Ijcmipjh.exe 42 PID 1740 wrote to memory of 2316 1740 Ijcmipjh.exe 42 PID 2316 wrote to memory of 2332 2316 Iopeagip.exe 43 PID 2316 wrote to memory of 2332 2316 Iopeagip.exe 43 PID 2316 wrote to memory of 2332 2316 Iopeagip.exe 43 PID 2316 wrote to memory of 2332 2316 Iopeagip.exe 43 PID 2332 wrote to memory of 2700 2332 Iodolf32.exe 44 PID 2332 wrote to memory of 2700 2332 Iodolf32.exe 44 PID 2332 wrote to memory of 2700 2332 Iodolf32.exe 44 PID 2332 wrote to memory of 2700 2332 Iodolf32.exe 44
Processes
-
C:\Users\Admin\AppData\Local\Temp\ca850c8e5b274aed5f83cdc8b15e56b0N.exe"C:\Users\Admin\AppData\Local\Temp\ca850c8e5b274aed5f83cdc8b15e56b0N.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3004 -
C:\Windows\SysWOW64\Fbbfmqdm.exeC:\Windows\system32\Fbbfmqdm.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2556 -
C:\Windows\SysWOW64\Fjnkac32.exeC:\Windows\system32\Fjnkac32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2196 -
C:\Windows\SysWOW64\Ffghlcei.exeC:\Windows\system32\Ffghlcei.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:316 -
C:\Windows\SysWOW64\Fjdqbbkp.exeC:\Windows\system32\Fjdqbbkp.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2812 -
C:\Windows\SysWOW64\Glhjpjok.exeC:\Windows\system32\Glhjpjok.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2728 -
C:\Windows\SysWOW64\Goicaell.exeC:\Windows\system32\Goicaell.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2852 -
C:\Windows\SysWOW64\Gokpgd32.exeC:\Windows\system32\Gokpgd32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2668 -
C:\Windows\SysWOW64\Giaddm32.exeC:\Windows\system32\Giaddm32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:980 -
C:\Windows\SysWOW64\Hopibdfd.exeC:\Windows\system32\Hopibdfd.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1864 -
C:\Windows\SysWOW64\Haqbcoce.exeC:\Windows\system32\Haqbcoce.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:412 -
C:\Windows\SysWOW64\Hpfoekhm.exeC:\Windows\system32\Hpfoekhm.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:760 -
C:\Windows\SysWOW64\Heedbbdb.exeC:\Windows\system32\Heedbbdb.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:592 -
C:\Windows\SysWOW64\Ijcmipjh.exeC:\Windows\system32\Ijcmipjh.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1740 -
C:\Windows\SysWOW64\Iopeagip.exeC:\Windows\system32\Iopeagip.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2316 -
C:\Windows\SysWOW64\Iodolf32.exeC:\Windows\system32\Iodolf32.exe16⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2332 -
C:\Windows\SysWOW64\Ikkoagjo.exeC:\Windows\system32\Ikkoagjo.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2700 -
C:\Windows\SysWOW64\Ihopjl32.exeC:\Windows\system32\Ihopjl32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2252 -
C:\Windows\SysWOW64\Jjqlbdog.exeC:\Windows\system32\Jjqlbdog.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1588 -
C:\Windows\SysWOW64\Jgdmkhnp.exeC:\Windows\system32\Jgdmkhnp.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:792 -
C:\Windows\SysWOW64\Jggiah32.exeC:\Windows\system32\Jggiah32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:640 -
C:\Windows\SysWOW64\Jflfbdqe.exeC:\Windows\system32\Jflfbdqe.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1076 -
C:\Windows\SysWOW64\Jkklpk32.exeC:\Windows\system32\Jkklpk32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1512 -
C:\Windows\SysWOW64\Kecpipck.exeC:\Windows\system32\Kecpipck.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2436 -
C:\Windows\SysWOW64\Kkpekjie.exeC:\Windows\system32\Kkpekjie.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2992 -
C:\Windows\SysWOW64\Kbjmhd32.exeC:\Windows\system32\Kbjmhd32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1484 -
C:\Windows\SysWOW64\Knqnmeff.exeC:\Windows\system32\Knqnmeff.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2176 -
C:\Windows\SysWOW64\Lmhhcaik.exeC:\Windows\system32\Lmhhcaik.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2348 -
C:\Windows\SysWOW64\Ljlhme32.exeC:\Windows\system32\Ljlhme32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3024 -
C:\Windows\SysWOW64\Lbgmah32.exeC:\Windows\system32\Lbgmah32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2824 -
C:\Windows\SysWOW64\Lbijgg32.exeC:\Windows\system32\Lbijgg32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2884 -
C:\Windows\SysWOW64\Lmondpbc.exeC:\Windows\system32\Lmondpbc.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2896 -
C:\Windows\SysWOW64\Lobgah32.exeC:\Windows\system32\Lobgah32.exe33⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2932 -
C:\Windows\SysWOW64\Memonbnl.exeC:\Windows\system32\Memonbnl.exe34⤵
- Executes dropped EXE
PID:2600 -
C:\Windows\SysWOW64\Mmjqhd32.exeC:\Windows\system32\Mmjqhd32.exe35⤵
- Executes dropped EXE
PID:2000 -
C:\Windows\SysWOW64\Mgbeqjpd.exeC:\Windows\system32\Mgbeqjpd.exe36⤵
- Executes dropped EXE
PID:1368 -
C:\Windows\SysWOW64\Nliqoofa.exeC:\Windows\system32\Nliqoofa.exe37⤵
- Executes dropped EXE
PID:976 -
C:\Windows\SysWOW64\Nhpadpke.exeC:\Windows\system32\Nhpadpke.exe38⤵
- Executes dropped EXE
- Modifies registry class
PID:1016 -
C:\Windows\SysWOW64\Nhbnjpic.exeC:\Windows\system32\Nhbnjpic.exe39⤵
- Executes dropped EXE
PID:1856 -
C:\Windows\SysWOW64\Ooncljom.exeC:\Windows\system32\Ooncljom.exe40⤵
- Executes dropped EXE
PID:1760 -
C:\Windows\SysWOW64\Odkkdqmd.exeC:\Windows\system32\Odkkdqmd.exe41⤵
- Executes dropped EXE
PID:1744 -
C:\Windows\SysWOW64\Ocphembl.exeC:\Windows\system32\Ocphembl.exe42⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:944 -
C:\Windows\SysWOW64\Ofaaghom.exeC:\Windows\system32\Ofaaghom.exe43⤵
- Executes dropped EXE
PID:2140 -
C:\Windows\SysWOW64\Oqfeda32.exeC:\Windows\system32\Oqfeda32.exe44⤵
- Executes dropped EXE
PID:1152 -
C:\Windows\SysWOW64\Ofcnmh32.exeC:\Windows\system32\Ofcnmh32.exe45⤵
- Executes dropped EXE
PID:236 -
C:\Windows\SysWOW64\Ommfibdg.exeC:\Windows\system32\Ommfibdg.exe46⤵
- Executes dropped EXE
PID:1784 -
C:\Windows\SysWOW64\Pbjoaibo.exeC:\Windows\system32\Pbjoaibo.exe47⤵
- Executes dropped EXE
PID:1552 -
C:\Windows\SysWOW64\Pkbcjn32.exeC:\Windows\system32\Pkbcjn32.exe48⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2536 -
C:\Windows\SysWOW64\Pifcdbhi.exeC:\Windows\system32\Pifcdbhi.exe49⤵
- Executes dropped EXE
PID:1292 -
C:\Windows\SysWOW64\Poplqm32.exeC:\Windows\system32\Poplqm32.exe50⤵
- Executes dropped EXE
PID:1692 -
C:\Windows\SysWOW64\Pbohmh32.exeC:\Windows\system32\Pbohmh32.exe51⤵
- Executes dropped EXE
PID:1508 -
C:\Windows\SysWOW64\Pkglenej.exeC:\Windows\system32\Pkglenej.exe52⤵
- Executes dropped EXE
PID:3028 -
C:\Windows\SysWOW64\Pqdend32.exeC:\Windows\system32\Pqdend32.exe53⤵
- Executes dropped EXE
PID:2288 -
C:\Windows\SysWOW64\Pgnmjokn.exeC:\Windows\system32\Pgnmjokn.exe54⤵
- Executes dropped EXE
PID:2836 -
C:\Windows\SysWOW64\Pnhegi32.exeC:\Windows\system32\Pnhegi32.exe55⤵
- Executes dropped EXE
PID:2240 -
C:\Windows\SysWOW64\Pcdnpp32.exeC:\Windows\system32\Pcdnpp32.exe56⤵
- Executes dropped EXE
PID:1248 -
C:\Windows\SysWOW64\Qahnid32.exeC:\Windows\system32\Qahnid32.exe57⤵
- Executes dropped EXE
PID:2620 -
C:\Windows\SysWOW64\Qgbfen32.exeC:\Windows\system32\Qgbfen32.exe58⤵
- Executes dropped EXE
PID:1996 -
C:\Windows\SysWOW64\Qakkncmi.exeC:\Windows\system32\Qakkncmi.exe59⤵
- Executes dropped EXE
PID:1716 -
C:\Windows\SysWOW64\Ajcpgi32.exeC:\Windows\system32\Ajcpgi32.exe60⤵
- Executes dropped EXE
PID:1200 -
C:\Windows\SysWOW64\Acldpojj.exeC:\Windows\system32\Acldpojj.exe61⤵
- Executes dropped EXE
PID:2860 -
C:\Windows\SysWOW64\Ajelmiag.exeC:\Windows\system32\Ajelmiag.exe62⤵
- Executes dropped EXE
PID:2200 -
C:\Windows\SysWOW64\Acnqen32.exeC:\Windows\system32\Acnqen32.exe63⤵
- Executes dropped EXE
PID:2080 -
C:\Windows\SysWOW64\Aeommfnf.exeC:\Windows\system32\Aeommfnf.exe64⤵
- Executes dropped EXE
PID:2256 -
C:\Windows\SysWOW64\Apeakonl.exeC:\Windows\system32\Apeakonl.exe65⤵
- Executes dropped EXE
PID:2476 -
C:\Windows\SysWOW64\Afojgiei.exeC:\Windows\system32\Afojgiei.exe66⤵PID:1764
-
C:\Windows\SysWOW64\Apgnpo32.exeC:\Windows\system32\Apgnpo32.exe67⤵
- System Location Discovery: System Language Discovery
PID:964 -
C:\Windows\SysWOW64\Aedghf32.exeC:\Windows\system32\Aedghf32.exe68⤵PID:1520
-
C:\Windows\SysWOW64\Anlkakqa.exeC:\Windows\system32\Anlkakqa.exe69⤵PID:1504
-
C:\Windows\SysWOW64\Befcne32.exeC:\Windows\system32\Befcne32.exe70⤵PID:3060
-
C:\Windows\SysWOW64\Bamdcf32.exeC:\Windows\system32\Bamdcf32.exe71⤵PID:1492
-
C:\Windows\SysWOW64\Bjehlldb.exeC:\Windows\system32\Bjehlldb.exe72⤵PID:1476
-
C:\Windows\SysWOW64\Bdnmda32.exeC:\Windows\system32\Bdnmda32.exe73⤵PID:2752
-
C:\Windows\SysWOW64\Bkheal32.exeC:\Windows\system32\Bkheal32.exe74⤵
- Modifies registry class
PID:2800 -
C:\Windows\SysWOW64\Bpdnjb32.exeC:\Windows\system32\Bpdnjb32.exe75⤵PID:2636
-
C:\Windows\SysWOW64\Bmhncg32.exeC:\Windows\system32\Bmhncg32.exe76⤵
- Drops file in System32 directory
PID:2672 -
C:\Windows\SysWOW64\Cmkkhfmn.exeC:\Windows\system32\Cmkkhfmn.exe77⤵PID:332
-
C:\Windows\SysWOW64\Clphjc32.exeC:\Windows\system32\Clphjc32.exe78⤵
- Modifies registry class
PID:1688 -
C:\Windows\SysWOW64\Clbdobpc.exeC:\Windows\system32\Clbdobpc.exe79⤵
- Modifies registry class
PID:2652 -
C:\Windows\SysWOW64\Caomgjnk.exeC:\Windows\system32\Caomgjnk.exe80⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2104 -
C:\Windows\SysWOW64\Cocnanmd.exeC:\Windows\system32\Cocnanmd.exe81⤵
- Drops file in System32 directory
PID:1936 -
C:\Windows\SysWOW64\Cemfnh32.exeC:\Windows\system32\Cemfnh32.exe82⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2164 -
C:\Windows\SysWOW64\Ckjnfobi.exeC:\Windows\system32\Ckjnfobi.exe83⤵PID:956
-
C:\Windows\SysWOW64\Cadfbi32.exeC:\Windows\system32\Cadfbi32.exe84⤵PID:1384
-
C:\Windows\SysWOW64\Dafchi32.exeC:\Windows\system32\Dafchi32.exe85⤵
- Drops file in System32 directory
- Modifies registry class
PID:2072 -
C:\Windows\SysWOW64\Dcgppana.exeC:\Windows\system32\Dcgppana.exe86⤵
- Modifies registry class
PID:1256 -
C:\Windows\SysWOW64\Ddgljced.exeC:\Windows\system32\Ddgljced.exe87⤵PID:2152
-
C:\Windows\SysWOW64\Djddbkck.exeC:\Windows\system32\Djddbkck.exe88⤵PID:2216
-
C:\Windows\SysWOW64\Dclikp32.exeC:\Windows\system32\Dclikp32.exe89⤵PID:2732
-
C:\Windows\SysWOW64\Dfjegl32.exeC:\Windows\system32\Dfjegl32.exe90⤵PID:2616
-
C:\Windows\SysWOW64\Dcofqphi.exeC:\Windows\system32\Dcofqphi.exe91⤵PID:2680
-
C:\Windows\SysWOW64\Ekjjebed.exeC:\Windows\system32\Ekjjebed.exe92⤵PID:2488
-
C:\Windows\SysWOW64\Edbonh32.exeC:\Windows\system32\Edbonh32.exe93⤵PID:556
-
C:\Windows\SysWOW64\Enjcfm32.exeC:\Windows\system32\Enjcfm32.exe94⤵PID:3016
-
C:\Windows\SysWOW64\Ehphdf32.exeC:\Windows\system32\Ehphdf32.exe95⤵
- Drops file in System32 directory
PID:2276 -
C:\Windows\SysWOW64\Ebhlmlhl.exeC:\Windows\system32\Ebhlmlhl.exe96⤵PID:676
-
C:\Windows\SysWOW64\Ekqqea32.exeC:\Windows\system32\Ekqqea32.exe97⤵
- Drops file in System32 directory
PID:1032 -
C:\Windows\SysWOW64\Eqninhmc.exeC:\Windows\system32\Eqninhmc.exe98⤵PID:2224
-
C:\Windows\SysWOW64\Ejfnfn32.exeC:\Windows\system32\Ejfnfn32.exe99⤵PID:2576
-
C:\Windows\SysWOW64\Edkbdf32.exeC:\Windows\system32\Edkbdf32.exe100⤵PID:2912
-
C:\Windows\SysWOW64\Fjhjlm32.exeC:\Windows\system32\Fjhjlm32.exe101⤵PID:1572
-
C:\Windows\SysWOW64\Fmffhi32.exeC:\Windows\system32\Fmffhi32.exe102⤵PID:2756
-
C:\Windows\SysWOW64\Fjkgampo.exeC:\Windows\system32\Fjkgampo.exe103⤵PID:3020
-
C:\Windows\SysWOW64\Fqdong32.exeC:\Windows\system32\Fqdong32.exe104⤵
- System Location Discovery: System Language Discovery
PID:2876 -
C:\Windows\SysWOW64\Ffahgn32.exeC:\Windows\system32\Ffahgn32.exe105⤵PID:2664
-
C:\Windows\SysWOW64\Fmkpchmp.exeC:\Windows\system32\Fmkpchmp.exe106⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:528 -
C:\Windows\SysWOW64\Gnaffpoi.exeC:\Windows\system32\Gnaffpoi.exe107⤵PID:1132
-
C:\Windows\SysWOW64\Ghjjoeei.exeC:\Windows\system32\Ghjjoeei.exe108⤵PID:1772
-
C:\Windows\SysWOW64\Gdpkdf32.exeC:\Windows\system32\Gdpkdf32.exe109⤵PID:2944
-
C:\Windows\SysWOW64\Glgcec32.exeC:\Windows\system32\Glgcec32.exe110⤵PID:2388
-
C:\Windows\SysWOW64\Gdchifik.exeC:\Windows\system32\Gdchifik.exe111⤵PID:1732
-
C:\Windows\SysWOW64\Gjmpfp32.exeC:\Windows\system32\Gjmpfp32.exe112⤵PID:2336
-
C:\Windows\SysWOW64\Gmklbk32.exeC:\Windows\system32\Gmklbk32.exe113⤵PID:2148
-
C:\Windows\SysWOW64\Gdedoegh.exeC:\Windows\system32\Gdedoegh.exe114⤵PID:2092
-
C:\Windows\SysWOW64\Gjomlp32.exeC:\Windows\system32\Gjomlp32.exe115⤵
- Drops file in System32 directory
PID:2024 -
C:\Windows\SysWOW64\Gpledf32.exeC:\Windows\system32\Gpledf32.exe116⤵PID:2960
-
C:\Windows\SysWOW64\Hidjml32.exeC:\Windows\system32\Hidjml32.exe117⤵PID:2888
-
C:\Windows\SysWOW64\Hpnbjfjj.exeC:\Windows\system32\Hpnbjfjj.exe118⤵PID:2304
-
C:\Windows\SysWOW64\Hfhjfp32.exeC:\Windows\system32\Hfhjfp32.exe119⤵PID:276
-
C:\Windows\SysWOW64\Hmbbcjic.exeC:\Windows\system32\Hmbbcjic.exe120⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2428 -
C:\Windows\SysWOW64\Hfjglppd.exeC:\Windows\system32\Hfjglppd.exe121⤵PID:2228
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-