Analysis
max time kernel:  70s
max time network: 17s
platform:         windows7_x64
resource:         win7-20240705-en
resource tags:    arch:x64, arch:x86, image:win7-20240705-en, locale:en-us, os:windows7-x64, system
submitted:        23/08/2024, 00:03
Static task: static1
Behavioral task: behavioral1
  Sample:   d86830b42cf80774b0905b72a8cbe7c0N.exe
  Resource: win7-20240705-en
Behavioral task: behavioral2
  Sample:   d86830b42cf80774b0905b72a8cbe7c0N.exe
  Resource: win10v2004-20240802-en
The results below are from the windows7_x64 run (behavioral1, win7-20240705-en).
General
Target: d86830b42cf80774b0905b72a8cbe7c0N.exe
Size:   844KB
MD5:    d86830b42cf80774b0905b72a8cbe7c0
SHA1:   713edcb2386740dd0f9ca4050bcbb4ceb8443239
SHA256: 16087d8a4eb943fe52107aaae0267a3101ed29f8d7539d7b0f9165c7cbd0801c
SHA512: b4661d3ad290ae9990dfe8f169b963866b432cd1c7311468b99a66d696718041fc4c171d30614b5cf7138e4fc4c7be899e6b83675612537277e67afd027e32b5
SSDEEP: 24576:soZ3ytH5W3Tnbc53cp6p5vihMpQnqrdX72LbY6x46uR/qYglMS:sOiH5W3TbGBihw+cdX2x46uhqllMS
Malware Config
Signatures
Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)

The key is ShellServiceObjectDelayLoad (SSODL). explorer.exe instantiates every CLSID listed under it when the shell starts, so an in-process COM server registered for that CLSID runs inside Explorer at each logon without a Run key, a scheduled task or a service. The value name "Web Event Logger" is chosen to look like a Windows component, but the CLSID it names is registered by the sample itself: the "Modifies registry class" signature below shows that CLSID's InProcServer32 being pointed at DLLs dropped into SysWOW64. The writes land under Wow6432Node because the sample is a 32-bit process on this x64 image; when hunting on a 64-bit host, check both the native SSODL key and the Wow6432Node view.

Key:   \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
Value: Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"

Key created (30 processes):
Fhmblljb.exe, Dbbkhnbc.exe, Naedfi32.exe, Dbbacdfo.exe, Gkfkae32.exe, Jkqmnh32.exe, Ehnpph32.exe, Ljdjildq.exe, Emkanhnb.exe, Dkojjgfg.exe, Pkhagodb.exe, Eilfoapg.exe, Olablfbm.exe, Cqhdnfpp.exe, Chgkgmoo.exe, Acdemegf.exe, Mgqigohb.exe, Fqgnmo32.exe, Bggohi32.exe, Dmcidqlf.exe, Obpflhmi.exe, Kgfannba.exe, Fdafkm32.exe, Dknejb32.exe, Fihhch32.exe, Nmglpjak.exe, Ejjhlmqa.exe, Agngqmhf.exe, Cipaqqli.exe, Nnjghe32.exe

Set value (str) Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" (34 processes):
Alifee32.exe, Hllkhoaj.exe, Ominjg32.exe, Opmpenbj.exe, Cjqigkfp.exe, Ofiegggd.exe, Fgbpmh32.exe, Ciemdiph.exe, Hecnblah.exe, Plfhfiqc.exe, Clhifj32.exe, Qdbbedhp.exe, Ehfmkmqj.exe, Khbmqpii.exe, Gapcnodg.exe, Kmlbia32.exe, Ddkdkk32.exe, Pjgjmipf.exe, Jnmbafik.exe, Bkiopock.exe, Bmdgqp32.exe, Kchaniho.exe, Eeecibci.exe, Nfmlhjfb.exe, Gjmnmk32.exe, Knabngen.exe, Fgelbhmg.exe, Agpamd32.exe, Ialpfeno.exe, Gckmgi32.exe, Fanjil32.exe, Glckehfp.exe, Hoacqggo.exe, Nnbagfdg.exe
Executes dropped EXE (64 IoCs)
pid   Process
1852  Kboill32.exe
2496  Kdmehh32.exe
2784  Lgpkobnb.exe
2708  Lmppmi32.exe
2948  Lpnlid32.exe
2688  Meonlkcm.exe
272   Mhpgnfpn.exe
2928  Mfedobef.exe
1792  Mdidhfdp.exe
2560  Nmdfglhm.exe
2908  Nogodcli.exe
1460  Nfogeamk.exe
548   Niopgljl.exe
1744  Okefjcle.exe
2396  Oijbkpqm.exe
1096  Odbcnh32.exe
1900  Oecpeqdo.exe
1048  Ponadfim.exe
1968  Pehiqp32.exe
2324  Phgfmk32.exe
340   Pekffp32.exe
3052  Pnfkjb32.exe
1736  Pfmclold.exe
860   Pnhhpaio.exe
2316  Pqfdlmic.exe
2452  Qklhifhi.exe
1956  Qcgmnh32.exe
1820  Qjaejbmq.exe
2444  Adgihkmf.exe
2196  Ajcbpbkn.exe
2892  Afjbecqb.exe
2172  Aiioanpf.exe
1208  Aqpgblqh.exe
2484  Amgggm32.exe
2972  Aebllocg.exe
2912  Aediaoae.exe
1752  Bgbemjqh.exe
308   Bibagmhk.exe
796   Bjcnoe32.exe
1016  Bggohi32.exe
2384  Bkckihel.exe
460   Bjfkde32.exe
2460  Bmdgqp32.exe
1896  Bndckc32.exe
908   Bmfdfpih.exe
1432  Bglhcihn.exe
2524  Bimdka32.exe
2292  Badlln32.exe
1612  Bccihj32.exe
1508  Cfaedeme.exe
660   Cipaqqli.exe
2856  Clnmmlkm.exe
2888  Cfcajekc.exe
2592  Cibnfpjg.exe
2568  Coofoghn.exe
2040  Cffnpdip.exe
600   Chgkgmoo.exe
2236  Cbmoeeod.exe
2104  Chigmlml.exe
3020  Clecnk32.exe
2200  Cocpjf32.exe
2176  Chldbl32.exe
1952  Doflofbf.exe
2208  Depelp32.exe
Loads dropped DLL (64 IoCs)
Each of the 32 processes below appears twice in the source, i.e. two load events per process.
pid   Process
1148  d86830b42cf80774b0905b72a8cbe7c0N.exe
1852  Kboill32.exe
2496  Kdmehh32.exe
2784  Lgpkobnb.exe
2708  Lmppmi32.exe
2948  Lpnlid32.exe
2688  Meonlkcm.exe
272   Mhpgnfpn.exe
2928  Mfedobef.exe
1792  Mdidhfdp.exe
2560  Nmdfglhm.exe
2908  Nogodcli.exe
1460  Nfogeamk.exe
548   Niopgljl.exe
1744  Okefjcle.exe
2396  Oijbkpqm.exe
1096  Odbcnh32.exe
1900  Oecpeqdo.exe
1048  Ponadfim.exe
1968  Pehiqp32.exe
2324  Phgfmk32.exe
340   Pekffp32.exe
3052  Pnfkjb32.exe
1736  Pfmclold.exe
860   Pnhhpaio.exe
2316  Pqfdlmic.exe
2452  Qklhifhi.exe
1956  Qcgmnh32.exe
1820  Qjaejbmq.exe
2444  Adgihkmf.exe
2196  Ajcbpbkn.exe
2892  Afjbecqb.exe
Drops file in System32 directory (64 IoCs)
The signature name says System32, but every path recorded is C:\Windows\SysWOW64: the sample is 32-bit, so on this x64 image its writes to System32 are redirected to SysWOW64 by WOW64 file system redirection. Look there, not in System32, when checking a host.

Operation                     File                                Process
File created                  C:\Windows\SysWOW64\Jepomm32.dll    Aiioanpf.exe
File opened for modification  C:\Windows\SysWOW64\Gmlokdgp.exe    Gninpg32.exe
File created                  C:\Windows\SysWOW64\Gnaadb32.exe    Gckmgi32.exe
File opened for modification  C:\Windows\SysWOW64\Kkpbbeda.exe    Kgdgaflh.exe
File opened for modification  C:\Windows\SysWOW64\Dbjjll32.exe    Dlpbpa32.exe
File created                  C:\Windows\SysWOW64\Idmqai32.dll    Hpejcnlf.exe
File created                  C:\Windows\SysWOW64\Gjponegj.dll    Gmkgqncd.exe
File created                  C:\Windows\SysWOW64\Jmafocbb.exe    Jkcjchco.exe
File created                  C:\Windows\SysWOW64\Lkiadddj.dll    Lgldmlil.exe
File created                  C:\Windows\SysWOW64\Dljoac32.exe    Dgocadqk.exe
File opened for modification  C:\Windows\SysWOW64\Bkiopock.exe    Bflghh32.exe
File created                  C:\Windows\SysWOW64\Acjggeal.dll    Nhmpmcaq.exe
File created                  C:\Windows\SysWOW64\Doijkg32.dll    Phaegfpg.exe
File created                  C:\Windows\SysWOW64\Kjqgbf32.dll    Cfaedeme.exe
File created                  C:\Windows\SysWOW64\Pdjcaf32.exe    Pmqkellk.exe
File created                  C:\Windows\SysWOW64\Klghoe32.dll    Ajladp32.exe
File opened for modification  C:\Windows\SysWOW64\Hkbagjfi.exe    Hggegknp.exe
File created                  C:\Windows\SysWOW64\Kbchbi32.exe    Kmfpjb32.exe
File created                  C:\Windows\SysWOW64\Aipehjgd.dll    Aekenl32.exe
File opened for modification  C:\Windows\SysWOW64\Lmcfeh32.exe    Ljdjildq.exe
File created                  C:\Windows\SysWOW64\Nejjfh32.exe    Npmana32.exe
File created                  C:\Windows\SysWOW64\Fpmond32.dll    Ckalkd32.exe
File created                  C:\Windows\SysWOW64\Mkdhlh32.exe    Mpodoo32.exe
File opened for modification  C:\Windows\SysWOW64\Jppedg32.exe    Jjcllq32.exe
File created                  C:\Windows\SysWOW64\Dolknkkl.dll    Qjleem32.exe
File opened for modification  C:\Windows\SysWOW64\Epdafl32.exe    Emeejpjc.exe
File created                  C:\Windows\SysWOW64\Fibjphfe.dll    Icdllk32.exe
File opened for modification  C:\Windows\SysWOW64\Ljoidf32.exe    Ldbalp32.exe
File opened for modification  C:\Windows\SysWOW64\Djolbp32.exe    Debcjiod.exe
File opened for modification  C:\Windows\SysWOW64\Jpfikjfe.exe    Ijipbchn.exe
File created                  C:\Windows\SysWOW64\Fonaehmm.dll    Gdklje32.exe
File opened for modification  C:\Windows\SysWOW64\Ndcqbdge.exe    Naedfi32.exe
File created                  C:\Windows\SysWOW64\Gkkkgkla.exe    Gjjoob32.exe
File opened for modification  C:\Windows\SysWOW64\Gkkkgkla.exe    Gjjoob32.exe
File created                  C:\Windows\SysWOW64\Aaeoad32.dll    Mdpqec32.exe
File created                  C:\Windows\SysWOW64\Bojogp32.exe    Bdekjg32.exe
File opened for modification  C:\Windows\SysWOW64\Nfmlhjfb.exe    Napdpchk.exe
File created                  C:\Windows\SysWOW64\Bheqfe32.exe    Bqnidh32.exe
File created                  C:\Windows\SysWOW64\Nodjei32.dll    Cipcii32.exe
File opened for modification  C:\Windows\SysWOW64\Glckehfp.exe    Ghhoej32.exe
File created                  C:\Windows\SysWOW64\Gkqjlpmd.exe    Fpkfng32.exe
File created                  C:\Windows\SysWOW64\Iifhnk32.dll    Pnhhpaio.exe
File opened for modification  C:\Windows\SysWOW64\Bglhcihn.exe    Bmfdfpih.exe
File opened for modification  C:\Windows\SysWOW64\Bheqfe32.exe    Bqnidh32.exe
File created                  C:\Windows\SysWOW64\Genhid32.dll    Pqfdlmic.exe
File created                  C:\Windows\SysWOW64\Jdjgcbci.dll    Jiecdn32.exe
File opened for modification  C:\Windows\SysWOW64\Fpkfng32.exe    Fmmjbk32.exe
File opened for modification  C:\Windows\SysWOW64\Nggpgn32.exe    Nppgfp32.exe
File created                  C:\Windows\SysWOW64\Jiphpf32.exe    Jedlph32.exe
File opened for modification  C:\Windows\SysWOW64\Ldedlfhl.exe    Lkmpcpak.exe
File created                  C:\Windows\SysWOW64\Aopcnbfj.exe    Ahfkah32.exe
File opened for modification  C:\Windows\SysWOW64\Bcklmdqn.exe    Boppmf32.exe
File created                  C:\Windows\SysWOW64\Dolondiq.exe    Dhagaj32.exe
File created                  C:\Windows\SysWOW64\Lafhpnfk.dll    Fhkffl32.exe
File opened for modification  C:\Windows\SysWOW64\Fkphcg32.exe    Fgelbhmg.exe
File created                  C:\Windows\SysWOW64\Ofmigm32.exe    Ohjhlqbc.exe
File created                  C:\Windows\SysWOW64\Pnbdhegk.dll    Aajhhgpg.exe
File opened for modification  C:\Windows\SysWOW64\Hdkhihdn.exe    Hkccpb32.exe
File created                  C:\Windows\SysWOW64\Lcgnmlkk.exe    Lnkedemc.exe
File opened for modification  C:\Windows\SysWOW64\Gkcnleom.exe    Glanpi32.exe
File created                  C:\Windows\SysWOW64\Kiepca32.exe    Kggcgf32.exe
File opened for modification  C:\Windows\SysWOW64\Ngiikmmj.exe    Nfglcd32.exe
File created                  C:\Windows\SysWOW64\Hbpomb32.exe    Hoacqggo.exe
File created                  C:\Windows\SysWOW64\Dkmmdg32.exe    Dfaachpa.exe
Program crash (1 IoC)
pid   pid_target  Process       procid_target
1944  8076        WerFault.exe  898
WerFault.exe (pid 1944) was started for pid 8076 (process-tree index 898), so one process spawned during the run crashed; the submitted sample's own process (pid 1148) is not the one that crashed.
System Location Discovery: System Language Discovery (1 TTP, 64 IoCs)
Attempts to gather information about the system language of the victim in order to infer the geographical location of that host. Reading this key is also routine for ordinary locale-aware code, so on its own it is weak evidence; it is listed because the sandbox maps the access to the discovery TTP.

Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
By (64 processes):
Lkhfhaea.exe, Eidohiac.exe, Cmocjn32.exe, Bjamhh32.exe, Ahfkah32.exe, Bgmagh32.exe, Bbbedqcc.exe, Fdockgqp.exe, Oijlpjma.exe, Jmjidneo.exe, Lcbngf32.exe, Bkckihel.exe, Afebpmal.exe, Appikd32.exe, Dpoapf32.exe, Mjicdl32.exe, Dhimaill.exe, Hcnfllcd.exe, Feoihi32.exe, Lnkedemc.exe, Hecnblah.exe, Fkgemh32.exe, Imomkp32.exe, Fedinobh.exe, Jgjkhi32.exe, Hqlfpk32.exe, Oimkob32.exe, Phgfmk32.exe, Bjfkde32.exe, Cnifia32.exe, Lgpkobnb.exe, Nikide32.exe, Mlhaip32.exe, Opmpenbj.exe, Dcbpfp32.exe, Kdehmb32.exe, Mbiadm32.exe, Qcdinbdk.exe, Mocogc32.exe, Dggbeb32.exe, Eiclop32.exe, Mnjaci32.exe, Hbohblcg.exe, Dkojjgfg.exe, Hjbljh32.exe, Lbdljk32.exe, Kpjoel32.exe, Cdhjjddc.exe, Bfjjbi32.exe, Difcpc32.exe, Fnjkdcii.exe, Lelphbon.exe, Ijodiedi.exe, Lgldmlil.exe, Ehnpph32.exe, Iiiapg32.exe, Ljbmdmfc.exe, Bbpioa32.exe, Lpgekanj.exe, Iaqljman.exe, Aajhhgpg.exe, Pnhhpaio.exe, Hbjmodph.exe, Ahcoli32.exe
Modifies registry class (64 IoCs)
Every event touches the same CLSID, {79FAA099-1BAE-816E-D711-115290CEE717}, the one named by the SSODL value above. Its InProcServer32 subkey is created, ThreadingModel is set to "Apartment", and the (Default) value is pointed at a DLL in C:\Windows\SysWow64. Nineteen different DLL names are registered for this one CLSID over the run, each by a different process, so the module name on a given infected host is not a stable indicator; the CLSID and the SSODL value name are. Paths are shown with single backslashes; the source prints them escaped (C:\\Windows\\...).

Key: \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32

Key created (20 processes):
Pcmcmcjc.exe, Pnfkjb32.exe, Khgglp32.exe, Faegda32.exe, Ijodiedi.exe, Jnmlgpeo.exe, Chigmlml.exe, Gfdcdi32.exe, Dkelhemb.exe, Dpoapf32.exe, Pdkejo32.exe, Ibaago32.exe, Fchgnj32.exe, Kbchbi32.exe, Kmlbia32.exe, Nnbagfdg.exe, Icgibkki.exe, Aeedhf32.exe, Eohedi32.exe, Oeqmek32.exe

Set value (str) ThreadingModel = "Apartment" (25 processes):
Hecnblah.exe, Fkphcg32.exe, Napdpchk.exe, Oadjjfga.exe, Alpmep32.exe, Gakjcp32.exe, Ehpjmoio.exe, Dekcng32.exe, Gpdide32.exe, Jeahpa32.exe, Ibfcei32.exe, Pkhagodb.exe, Dehfig32.exe, Folknlae.exe, Oeqmek32.exe, Nedfofig.exe, Gqgmdkgm.exe, Lagjhc32.exe, Bkapla32.exe, Bcgdknlh.exe, Epnkfq32.exe, Joajdmma.exe, Dkelhemb.exe, Dkafofde.exe, Fqgnmo32.exe

Set value (str) (Default) = module path (19 entries):
C:\Windows\SysWow64\Imliaacf.dll  Pdjcaf32.exe
C:\Windows\SysWow64\Ppmdmcpk.dll  Hbajjiml.exe
C:\Windows\SysWow64\Dlqjdd32.dll  Kchaniho.exe
C:\Windows\SysWow64\Fnfnkmom.dll  Dpoapf32.exe
C:\Windows\SysWow64\Fghdhioh.dll  Hkhdfhmc.exe
C:\Windows\SysWow64\Lfohpidn.dll  Ncqmbn32.exe
C:\Windows\SysWow64\Pacacmdn.dll  Cipaqqli.exe
C:\Windows\SysWow64\Jnelkg32.dll  Belhem32.exe
C:\Windows\SysWow64\Cijenjap.dll  Gggkqq32.exe
C:\Windows\SysWow64\Bagaojbj.dll  Opmpenbj.exe
C:\Windows\SysWow64\Mcqcdbqp.dll  Jfecfb32.exe
C:\Windows\SysWow64\Bklhpc32.dll  Mfdmdlaj.exe
C:\Windows\SysWow64\Ggcfdcbe.dll  Hijgimnp.exe
C:\Windows\SysWow64\Cignli32.dll  Ehfmkmqj.exe
C:\Windows\SysWow64\Fedqdl32.dll  Okmena32.exe
C:\Windows\SysWow64\Ebemkflj.dll  Mfepmd32.exe
C:\Windows\SysWow64\Ifgpaqpb.dll  Dlpbpa32.exe
C:\Windows\SysWow64\Ihcaepei.dll  Hgiblk32.exe
C:\Windows\SysWow64\Lnoagg32.dll  Iljjabfh.exe
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target
PID 1148 wrote to memory of 1852 | 1148 | d86830b42cf80774b0905b72a8cbe7c0N.exe | 29
PID 1148 wrote to memory of 1852 | 1148 | d86830b42cf80774b0905b72a8cbe7c0N.exe | 29
PID 1148 wrote to memory of 1852 | 1148 | d86830b42cf80774b0905b72a8cbe7c0N.exe | 29
PID 1148 wrote to memory of 1852 | 1148 | d86830b42cf80774b0905b72a8cbe7c0N.exe | 29
PID 1852 wrote to memory of 2496 | 1852 | Kboill32.exe | 30
PID 1852 wrote to memory of 2496 | 1852 | Kboill32.exe | 30
PID 1852 wrote to memory of 2496 | 1852 | Kboill32.exe | 30
PID 1852 wrote to memory of 2496 | 1852 | Kboill32.exe | 30
PID 2496 wrote to memory of 2784 | 2496 | Kdmehh32.exe | 31
PID 2496 wrote to memory of 2784 | 2496 | Kdmehh32.exe | 31
PID 2496 wrote to memory of 2784 | 2496 | Kdmehh32.exe | 31
PID 2496 wrote to memory of 2784 | 2496 | Kdmehh32.exe | 31
PID 2784 wrote to memory of 2708 | 2784 | Lgpkobnb.exe | 32
PID 2784 wrote to memory of 2708 | 2784 | Lgpkobnb.exe | 32
PID 2784 wrote to memory of 2708 | 2784 | Lgpkobnb.exe | 32
PID 2784 wrote to memory of 2708 | 2784 | Lgpkobnb.exe | 32
PID 2708 wrote to memory of 2948 | 2708 | Lmppmi32.exe | 33
PID 2708 wrote to memory of 2948 | 2708 | Lmppmi32.exe | 33
PID 2708 wrote to memory of 2948 | 2708 | Lmppmi32.exe | 33
PID 2708 wrote to memory of 2948 | 2708 | Lmppmi32.exe | 33
PID 2948 wrote to memory of 2688 | 2948 | Lpnlid32.exe | 34
PID 2948 wrote to memory of 2688 | 2948 | Lpnlid32.exe | 34
PID 2948 wrote to memory of 2688 | 2948 | Lpnlid32.exe | 34
PID 2948 wrote to memory of 2688 | 2948 | Lpnlid32.exe | 34
PID 2688 wrote to memory of 272 | 2688 | Meonlkcm.exe | 35
PID 2688 wrote to memory of 272 | 2688 | Meonlkcm.exe | 35
PID 2688 wrote to memory of 272 | 2688 | Meonlkcm.exe | 35
PID 2688 wrote to memory of 272 | 2688 | Meonlkcm.exe | 35
PID 272 wrote to memory of 2928 | 272 | Mhpgnfpn.exe | 36
PID 272 wrote to memory of 2928 | 272 | Mhpgnfpn.exe | 36
PID 272 wrote to memory of 2928 | 272 | Mhpgnfpn.exe | 36
PID 272 wrote to memory of 2928 | 272 | Mhpgnfpn.exe | 36
PID 2928 wrote to memory of 1792 | 2928 | Mfedobef.exe | 37
PID 2928 wrote to memory of 1792 | 2928 | Mfedobef.exe | 37
PID 2928 wrote to memory of 1792 | 2928 | Mfedobef.exe | 37
PID 2928 wrote to memory of 1792 | 2928 | Mfedobef.exe | 37
PID 1792 wrote to memory of 2560 | 1792 | Mdidhfdp.exe | 38
PID 1792 wrote to memory of 2560 | 1792 | Mdidhfdp.exe | 38
PID 1792 wrote to memory of 2560 | 1792 | Mdidhfdp.exe | 38
PID 1792 wrote to memory of 2560 | 1792 | Mdidhfdp.exe | 38
PID 2560 wrote to memory of 2908 | 2560 | Nmdfglhm.exe | 39
PID 2560 wrote to memory of 2908 | 2560 | Nmdfglhm.exe | 39
PID 2560 wrote to memory of 2908 | 2560 | Nmdfglhm.exe | 39
PID 2560 wrote to memory of 2908 | 2560 | Nmdfglhm.exe | 39
PID 2908 wrote to memory of 1460 | 2908 | Nogodcli.exe | 40
PID 2908 wrote to memory of 1460 | 2908 | Nogodcli.exe | 40
PID 2908 wrote to memory of 1460 | 2908 | Nogodcli.exe | 40
PID 2908 wrote to memory of 1460 | 2908 | Nogodcli.exe | 40
PID 1460 wrote to memory of 548 | 1460 | Nfogeamk.exe | 41
PID 1460 wrote to memory of 548 | 1460 | Nfogeamk.exe | 41
PID 1460 wrote to memory of 548 | 1460 | Nfogeamk.exe | 41
PID 1460 wrote to memory of 548 | 1460 | Nfogeamk.exe | 41
PID 548 wrote to memory of 1744 | 548 | Niopgljl.exe | 42
PID 548 wrote to memory of 1744 | 548 | Niopgljl.exe | 42
PID 548 wrote to memory of 1744 | 548 | Niopgljl.exe | 42
PID 548 wrote to memory of 1744 | 548 | Niopgljl.exe | 42
PID 1744 wrote to memory of 2396 | 1744 | Okefjcle.exe | 43
PID 1744 wrote to memory of 2396 | 1744 | Okefjcle.exe | 43
PID 1744 wrote to memory of 2396 | 1744 | Okefjcle.exe | 43
PID 1744 wrote to memory of 2396 | 1744 | Okefjcle.exe | 43
PID 2396 wrote to memory of 1096 | 2396 | Oijbkpqm.exe | 44
PID 2396 wrote to memory of 1096 | 2396 | Oijbkpqm.exe | 44
PID 2396 wrote to memory of 1096 | 2396 | Oijbkpqm.exe | 44
PID 2396 wrote to memory of 1096 | 2396 | Oijbkpqm.exe | 44
Processes
-
C:\Users\Admin\AppData\Local\Temp\d86830b42cf80774b0905b72a8cbe7c0N.exe | "C:\Users\Admin\AppData\Local\Temp\d86830b42cf80774b0905b72a8cbe7c0N.exe" | 1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1148 -
C:\Windows\SysWOW64\Kboill32.exe | C:\Windows\system32\Kboill32.exe | 2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1852 -
C:\Windows\SysWOW64\Kdmehh32.exe | C:\Windows\system32\Kdmehh32.exe | 3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2496 -
C:\Windows\SysWOW64\Lgpkobnb.exe | C:\Windows\system32\Lgpkobnb.exe | 4⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2784 -
C:\Windows\SysWOW64\Lmppmi32.exe | C:\Windows\system32\Lmppmi32.exe | 5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2708 -
C:\Windows\SysWOW64\Lpnlid32.exe | C:\Windows\system32\Lpnlid32.exe | 6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2948 -
C:\Windows\SysWOW64\Meonlkcm.exe | C:\Windows\system32\Meonlkcm.exe | 7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2688 -
C:\Windows\SysWOW64\Mhpgnfpn.exe | C:\Windows\system32\Mhpgnfpn.exe | 8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:272 -
C:\Windows\SysWOW64\Mfedobef.exe | C:\Windows\system32\Mfedobef.exe | 9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2928 -
C:\Windows\SysWOW64\Mdidhfdp.exe | C:\Windows\system32\Mdidhfdp.exe | 10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1792 -
C:\Windows\SysWOW64\Nmdfglhm.exe | C:\Windows\system32\Nmdfglhm.exe | 11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2560 -
C:\Windows\SysWOW64\Nogodcli.exe | C:\Windows\system32\Nogodcli.exe | 12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2908 -
C:\Windows\SysWOW64\Nfogeamk.exe | C:\Windows\system32\Nfogeamk.exe | 13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1460 -
C:\Windows\SysWOW64\Niopgljl.exe | C:\Windows\system32\Niopgljl.exe | 14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:548 -
C:\Windows\SysWOW64\Okefjcle.exe | C:\Windows\system32\Okefjcle.exe | 15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1744 -
C:\Windows\SysWOW64\Oijbkpqm.exe | C:\Windows\system32\Oijbkpqm.exe | 16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2396 -
C:\Windows\SysWOW64\Odbcnh32.exe | C:\Windows\system32\Odbcnh32.exe | 17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1096 -
C:\Windows\SysWOW64\Oecpeqdo.exe | C:\Windows\system32\Oecpeqdo.exe | 18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1900 -
C:\Windows\SysWOW64\Ponadfim.exe | C:\Windows\system32\Ponadfim.exe | 19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1048 -
C:\Windows\SysWOW64\Pehiqp32.exe | C:\Windows\system32\Pehiqp32.exe | 20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1968 -
C:\Windows\SysWOW64\Phgfmk32.exe | C:\Windows\system32\Phgfmk32.exe | 21⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2324 -
C:\Windows\SysWOW64\Pekffp32.exe | C:\Windows\system32\Pekffp32.exe | 22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:340 -
C:\Windows\SysWOW64\Pnfkjb32.exe | C:\Windows\system32\Pnfkjb32.exe | 23⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:3052 -
C:\Windows\SysWOW64\Pfmclold.exe | C:\Windows\system32\Pfmclold.exe | 24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1736 -
C:\Windows\SysWOW64\Pnhhpaio.exe | C:\Windows\system32\Pnhhpaio.exe | 25⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:860 -
C:\Windows\SysWOW64\Pqfdlmic.exe | C:\Windows\system32\Pqfdlmic.exe | 26⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2316 -
C:\Windows\SysWOW64\Qklhifhi.exe | C:\Windows\system32\Qklhifhi.exe | 27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2452 -
C:\Windows\SysWOW64\Qcgmnh32.exe | C:\Windows\system32\Qcgmnh32.exe | 28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1956 -
C:\Windows\SysWOW64\Qjaejbmq.exe | C:\Windows\system32\Qjaejbmq.exe | 29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1820 -
C:\Windows\SysWOW64\Adgihkmf.exe | C:\Windows\system32\Adgihkmf.exe | 30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2444 -
C:\Windows\SysWOW64\Ajcbpbkn.exe | C:\Windows\system32\Ajcbpbkn.exe | 31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2196 -
C:\Windows\SysWOW64\Afjbecqb.exe | C:\Windows\system32\Afjbecqb.exe | 32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2892 -
C:\Windows\SysWOW64\Aiioanpf.exe | C:\Windows\system32\Aiioanpf.exe | 33⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2172 -
C:\Windows\SysWOW64\Aqpgblqh.exe | C:\Windows\system32\Aqpgblqh.exe | 34⤵
- Executes dropped EXE
PID:1208 -
C:\Windows\SysWOW64\Amgggm32.exe | C:\Windows\system32\Amgggm32.exe | 35⤵
- Executes dropped EXE
PID:2484 -
C:\Windows\SysWOW64\Aebllocg.exe | C:\Windows\system32\Aebllocg.exe | 36⤵
- Executes dropped EXE
PID:2972 -
C:\Windows\SysWOW64\Aediaoae.exe | C:\Windows\system32\Aediaoae.exe | 37⤵
- Executes dropped EXE
PID:2912 -
C:\Windows\SysWOW64\Bgbemjqh.exe | C:\Windows\system32\Bgbemjqh.exe | 38⤵
- Executes dropped EXE
PID:1752 -
C:\Windows\SysWOW64\Bibagmhk.exe | C:\Windows\system32\Bibagmhk.exe | 39⤵
- Executes dropped EXE
PID:308 -
C:\Windows\SysWOW64\Bjcnoe32.exe | C:\Windows\system32\Bjcnoe32.exe | 40⤵
- Executes dropped EXE
PID:796 -
C:\Windows\SysWOW64\Bggohi32.exe | C:\Windows\system32\Bggohi32.exe | 41⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1016 -
C:\Windows\SysWOW64\Bkckihel.exe | C:\Windows\system32\Bkckihel.exe | 42⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2384 -
C:\Windows\SysWOW64\Bjfkde32.exe | C:\Windows\system32\Bjfkde32.exe | 43⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:460 -
C:\Windows\SysWOW64\Bmdgqp32.exe | C:\Windows\system32\Bmdgqp32.exe | 44⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2460 -
C:\Windows\SysWOW64\Bndckc32.exe | C:\Windows\system32\Bndckc32.exe | 45⤵
- Executes dropped EXE
PID:1896 -
C:\Windows\SysWOW64\Bmfdfpih.exe | C:\Windows\system32\Bmfdfpih.exe | 46⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:908 -
C:\Windows\SysWOW64\Bglhcihn.exe | C:\Windows\system32\Bglhcihn.exe | 47⤵
- Executes dropped EXE
PID:1432 -
C:\Windows\SysWOW64\Bimdka32.exe | C:\Windows\system32\Bimdka32.exe | 48⤵
- Executes dropped EXE
PID:2524 -
C:\Windows\SysWOW64\Badlln32.exe | C:\Windows\system32\Badlln32.exe | 49⤵
- Executes dropped EXE
PID:2292 -
C:\Windows\SysWOW64\Bccihj32.exe | C:\Windows\system32\Bccihj32.exe | 50⤵
- Executes dropped EXE
PID:1612 -
C:\Windows\SysWOW64\Cfaedeme.exe | C:\Windows\system32\Cfaedeme.exe | 51⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1508 -
C:\Windows\SysWOW64\Cipaqqli.exe | C:\Windows\system32\Cipaqqli.exe | 52⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:660 -
C:\Windows\SysWOW64\Clnmmlkm.exe | C:\Windows\system32\Clnmmlkm.exe | 53⤵
- Executes dropped EXE
PID:2856 -
C:\Windows\SysWOW64\Cfcajekc.exe | C:\Windows\system32\Cfcajekc.exe | 54⤵
- Executes dropped EXE
PID:2888 -
C:\Windows\SysWOW64\Cibnfpjg.exe | C:\Windows\system32\Cibnfpjg.exe | 55⤵
- Executes dropped EXE
PID:2592 -
C:\Windows\SysWOW64\Coofoghn.exe | C:\Windows\system32\Coofoghn.exe | 56⤵
- Executes dropped EXE
PID:2568 -
C:\Windows\SysWOW64\Cffnpdip.exe | C:\Windows\system32\Cffnpdip.exe | 57⤵
- Executes dropped EXE
PID:2040 -
C:\Windows\SysWOW64\Chgkgmoo.exe | C:\Windows\system32\Chgkgmoo.exe | 58⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:600 -
C:\Windows\SysWOW64\Cbmoeeod.exe | C:\Windows\system32\Cbmoeeod.exe | 59⤵
- Executes dropped EXE
PID:2236 -
C:\Windows\SysWOW64\Chigmlml.exe | C:\Windows\system32\Chigmlml.exe | 60⤵
- Executes dropped EXE
- Modifies registry class
PID:2104 -
C:\Windows\SysWOW64\Clecnk32.exe | C:\Windows\system32\Clecnk32.exe | 61⤵
- Executes dropped EXE
PID:3020 -
C:\Windows\SysWOW64\Cocpjf32.exe | C:\Windows\system32\Cocpjf32.exe | 62⤵
- Executes dropped EXE
PID:2200 -
C:\Windows\SysWOW64\Chldbl32.exe | C:\Windows\system32\Chldbl32.exe | 63⤵
- Executes dropped EXE
PID:2176 -
C:\Windows\SysWOW64\Doflofbf.exe | C:\Windows\system32\Doflofbf.exe | 64⤵
- Executes dropped EXE
PID:1952 -
C:\Windows\SysWOW64\Depelp32.exe | C:\Windows\system32\Depelp32.exe | 65⤵
- Executes dropped EXE
PID:2208 -
C:\Windows\SysWOW64\Dfaachpa.exe | C:\Windows\system32\Dfaachpa.exe | 66⤵
- Drops file in System32 directory
PID:3048 -
C:\Windows\SysWOW64\Dkmmdg32.exe | C:\Windows\system32\Dkmmdg32.exe | 67⤵ PID:1260
-
C:\Windows\SysWOW64\Dpifln32.exe | C:\Windows\system32\Dpifln32.exe | 68⤵ PID:1572
-
C:\Windows\SysWOW64\Dhqnnk32.exe | C:\Windows\system32\Dhqnnk32.exe | 69⤵ PID:1604
-
C:\Windows\SysWOW64\Dkojjgfg.exe | C:\Windows\system32\Dkojjgfg.exe | 70⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:2780 -
C:\Windows\SysWOW64\Dbjonicb.exe | C:\Windows\system32\Dbjonicb.exe | 71⤵ PID:2768
-
C:\Windows\SysWOW64\Dkafofde.exe | C:\Windows\system32\Dkafofde.exe | 72⤵
- Modifies registry class
PID:2900 -
C:\Windows\SysWOW64\Dmpckbci.exe | C:\Windows\system32\Dmpckbci.exe | 73⤵ PID:2696
-
C:\Windows\SysWOW64\Dlbcgo32.exe | C:\Windows\system32\Dlbcgo32.exe | 74⤵ PID:2648
-
C:\Windows\SysWOW64\Ddjkhl32.exe | C:\Windows\system32\Ddjkhl32.exe | 75⤵ PID:2024
-
C:\Windows\SysWOW64\Dghgdg32.exe | C:\Windows\system32\Dghgdg32.exe | 76⤵ PID:2476
-
C:\Windows\SysWOW64\Difcpc32.exe | C:\Windows\system32\Difcpc32.exe | 77⤵
- System Location Discovery: System Language Discovery
PID:2976 -
C:\Windows\SysWOW64\Dlepmnhq.exe | C:\Windows\system32\Dlepmnhq.exe | 78⤵ PID:2988
-
C:\Windows\SysWOW64\Dpqlmm32.exe | C:\Windows\system32\Dpqlmm32.exe | 79⤵ PID:2308
-
C:\Windows\SysWOW64\Eiipfbgj.exe | C:\Windows\system32\Eiipfbgj.exe | 80⤵ PID:1232
-
C:\Windows\SysWOW64\Eoeiniea.exe | C:\Windows\system32\Eoeiniea.exe | 81⤵ PID:2080
-
C:\Windows\SysWOW64\Eadejede.exe | C:\Windows\system32\Eadejede.exe | 82⤵ PID:2116
-
C:\Windows\SysWOW64\Eikmkbeg.exe | C:\Windows\system32\Eikmkbeg.exe | 83⤵ PID:1964
-
C:\Windows\SysWOW64\Eohedi32.exe | C:\Windows\system32\Eohedi32.exe | 84⤵
- Modifies registry class
PID:1616 -
C:\Windows\SysWOW64\Eafapd32.exe | C:\Windows\system32\Eafapd32.exe | 85⤵ PID:3064
-
C:\Windows\SysWOW64\Ehpjmoio.exe | C:\Windows\system32\Ehpjmoio.exe | 86⤵
- Modifies registry class
PID:2148 -
C:\Windows\SysWOW64\Ekofijic.exe | C:\Windows\system32\Ekofijic.exe | 87⤵ PID:2508
-
C:\Windows\SysWOW64\Enmbeehg.exe | C:\Windows\system32\Enmbeehg.exe | 88⤵ PID:1284
-
C:\Windows\SysWOW64\Enpoje32.exe | C:\Windows\system32\Enpoje32.exe | 89⤵ PID:2692
-
C:\Windows\SysWOW64\Epnkfq32.exe | C:\Windows\system32\Epnkfq32.exe | 90⤵
- Modifies registry class
PID:1996 -
C:\Windows\SysWOW64\Ediggoma.exe | C:\Windows\system32\Ediggoma.exe | 91⤵ PID:2584
-
C:\Windows\SysWOW64\Eghcckld.exe | C:\Windows\system32\Eghcckld.exe | 92⤵ PID:2836
-
C:\Windows\SysWOW64\Ejfpofkh.exe | C:\Windows\system32\Ejfpofkh.exe | 93⤵ PID:1872
-
C:\Windows\SysWOW64\Fcodhl32.exe | C:\Windows\system32\Fcodhl32.exe | 94⤵ PID:2240
-
C:\Windows\SysWOW64\Fkflii32.exe | C:\Windows\system32\Fkflii32.exe | 95⤵ PID:2372
-
C:\Windows\SysWOW64\Fdnabo32.exe | C:\Windows\system32\Fdnabo32.exe | 96⤵ PID:1036
-
C:\Windows\SysWOW64\Fjkije32.exe | C:\Windows\system32\Fjkije32.exe | 97⤵ PID:1672
-
C:\Windows\SysWOW64\Fqeagpop.exe | C:\Windows\system32\Fqeagpop.exe | 98⤵ PID:2132
-
C:\Windows\SysWOW64\Fohacl32.exe | C:\Windows\system32\Fohacl32.exe | 99⤵ PID:2124
-
C:\Windows\SysWOW64\Fgojdj32.exe | C:\Windows\system32\Fgojdj32.exe | 100⤵ PID:2016
-
C:\Windows\SysWOW64\Fjmfpe32.exe | C:\Windows\system32\Fjmfpe32.exe | 101⤵ PID:2772
-
C:\Windows\SysWOW64\Fqgnmo32.exe | C:\Windows\system32\Fqgnmo32.exe | 102⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2876 -
C:\Windows\SysWOW64\Fhbcaa32.exe | C:\Windows\system32\Fhbcaa32.exe | 103⤵ PID:2364
-
C:\Windows\SysWOW64\Fmnoapba.exe | C:\Windows\system32\Fmnoapba.exe | 104⤵ PID:756
-
C:\Windows\SysWOW64\Folknlae.exe | C:\Windows\system32\Folknlae.exe | 105⤵
- Modifies registry class
PID:2748 -
C:\Windows\SysWOW64\Fchgnj32.exe | C:\Windows\system32\Fchgnj32.exe | 106⤵
- Modifies registry class
PID:2904 -
C:\Windows\SysWOW64\Fffckf32.exe | C:\Windows\system32\Fffckf32.exe | 107⤵ PID:2376
-
C:\Windows\SysWOW64\Gbmdpg32.exe | C:\Windows\system32\Gbmdpg32.exe | 108⤵ PID:3036
-
C:\Windows\SysWOW64\Gfippego.exe | C:\Windows\system32\Gfippego.exe | 109⤵ PID:932
-
C:\Windows\SysWOW64\Gigllafc.exe | C:\Windows\system32\Gigllafc.exe | 110⤵ PID:752
-
C:\Windows\SysWOW64\Gkehhlef.exe | C:\Windows\system32\Gkehhlef.exe | 111⤵ PID:920
-
C:\Windows\SysWOW64\Genmab32.exe | C:\Windows\system32\Genmab32.exe | 112⤵ PID:1556
-
C:\Windows\SysWOW64\Gkhenlcd.exe | C:\Windows\system32\Gkhenlcd.exe | 113⤵ PID:1704
-
C:\Windows\SysWOW64\Gbbnkfjq.exe | C:\Windows\system32\Gbbnkfjq.exe | 114⤵ PID:2776
-
C:\Windows\SysWOW64\Gkjbcl32.exe | C:\Windows\system32\Gkjbcl32.exe | 115⤵ PID:2644
-
C:\Windows\SysWOW64\Gninpg32.exe | C:\Windows\system32\Gninpg32.exe | 116⤵
- Drops file in System32 directory
PID:2064 -
C:\Windows\SysWOW64\Gmlokdgp.exe | C:\Windows\system32\Gmlokdgp.exe | 117⤵ PID:2920
-
C:\Windows\SysWOW64\Gfdcdi32.exe | C:\Windows\system32\Gfdcdi32.exe | 118⤵
- Modifies registry class
PID:2480 -
C:\Windows\SysWOW64\Gplgmodq.exe | C:\Windows\system32\Gplgmodq.exe | 119⤵ PID:1756
-
C:\Windows\SysWOW64\Hgconl32.exe | C:\Windows\system32\Hgconl32.exe | 120⤵ PID:2144
-
C:\Windows\SysWOW64\Hjbljh32.exe | C:\Windows\system32\Hjbljh32.exe | 121⤵
- System Location Discovery: System Language Discovery
PID:2752 -
C:\Windows\SysWOW64\Hmphfc32.exe | C:\Windows\system32\Hmphfc32.exe | 122⤵ PID:1004
-