Analysis
-
max time kernel
115s -
max time network
18s -
platform
windows7_x64 -
resource
win7-20240729-en -
resource tags
arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system -
submitted
25-08-2024 13:17
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
b9497e78bb8c4686cb36c43e20f300c0N.exe
Resource
win7-20240729-en
windows7-x64
8 signatures
120 seconds
Behavioral task
behavioral2
Sample
b9497e78bb8c4686cb36c43e20f300c0N.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
7 signatures
120 seconds
General
-
Target
b9497e78bb8c4686cb36c43e20f300c0N.exe
-
Size
377KB
-
MD5
b9497e78bb8c4686cb36c43e20f300c0
-
SHA1
c8bd2731e636ad645d28ab5699f1ef0f8f0a27d1
-
SHA256
1a57fe16d3c7dc6ec2fea9a480e1d34ea874d798948f05d9e460410f56d8d549
-
SHA512
fa54b16b02eb965de98464a16e291afe710110955b9192ebbaf04cfcea2b3fca7d80827444ed2beb5ddffd46a47dc0d73798f30469cb88f575c952bcb1c901c4
-
SSDEEP
6144:ggOTLNp5OBGSgnohijgAUv5fKx/SgnohignC5V:gbO+dMTv5i1dayV
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jfigdl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Licpki32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qhbdmeoe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Behnkm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Elnagijk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad b9497e78bb8c4686cb36c43e20f300c0N.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jjbgok32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pjqdjn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ocpfmd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Opkpme32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Abehcbci.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ehgoaiml.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gebiefle.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ikhqbo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jcodcp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kblhdkgk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lgpjcnhh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cdjabn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ghaeaaki.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lbgkhoml.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fmnakege.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hkdkhl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hngppgae.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ikhqbo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aadbfp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iecaad32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pciiccbm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gokmnlcf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kiafff32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nfeljlqh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Glajmppm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jbdadl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Apdobg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bgndnd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gllabp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hkkaik32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ioochn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jmhile32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ognobcqo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mnlkdk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Abbknb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gdophn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hnecjgch.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hkkaik32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jehklc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pjlgna32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fkpeojha.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gohqhl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Moikinib.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aolihc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hgkknm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ieaekdkn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bdmklico.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mhmfgdch.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aioppl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Chfffk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kiafff32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kdoaackf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aefaemqj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dgbiggof.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eimien32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gohqhl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hmlmacfn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jpdibapb.exe -
Executes dropped EXE 64 IoCs
pid Process 1556 Onmgeb32.exe 2760 Oakcan32.exe 2776 Pdnihiad.exe 2736 Pfmeddag.exe 2784 Pbfcoedi.exe 2684 Pedokpcm.exe 2292 Phckglbq.exe 2184 Qeihfp32.exe 2144 Ahgdbk32.exe 1632 Aodjdede.exe 2604 Aabfqp32.exe 820 Aadbfp32.exe 3048 Agakog32.exe 2212 Alncgn32.exe 2220 Agchdfmk.exe 1220 Alqplmlb.exe 1920 Bgfdjfkh.exe 1412 Blcmbmip.exe 1960 Bapejd32.exe 1488 Bkhjcing.exe 1948 Bfnnpbnn.exe 3060 Bkjfhile.exe 1684 Bfpkfb32.exe 2052 Bkmcni32.exe 2728 Ckopch32.exe 2840 Cqlhlo32.exe 1640 Cjdmee32.exe 2980 Cdjabn32.exe 2660 Cmeffp32.exe 2696 Cgjjdijo.exe 2400 Cqcomn32.exe 880 Cincaq32.exe 2720 Cbfhjfdk.exe 2688 Dmllgo32.exe 984 Dfdqpdja.exe 2908 Dpmeij32.exe 2328 Dghjmlnm.exe 2068 Deljfqmf.exe 2988 Dndoof32.exe 1700 Dhmchljg.exe 2096 Eaegaaah.exe 3056 Eiplecnc.exe 2700 Edfqclni.exe 2816 Elaego32.exe 2512 Effidg32.exe 632 Eponmmaj.exe 2080 Eelfedpa.exe 2364 Eodknifb.exe 2188 Febmfcjj.exe 2680 Fhaibnim.exe 3064 Fkpeojha.exe 2316 Fmnakege.exe 2796 Fdhigo32.exe 2300 Fgffck32.exe 1536 Fmpnpe32.exe 1972 Faljqcmk.exe 1112 Fhfbmn32.exe 980 Fkdoii32.exe 2396 Figoefkf.exe 2248 Gpagbp32.exe 532 Gcocnk32.exe 2756 Gkfkoi32.exe 876 Glhhgahg.exe 2732 Gpccgppq.exe -
Loads dropped DLL 64 IoCs
pid Process 1956 b9497e78bb8c4686cb36c43e20f300c0N.exe 1956 b9497e78bb8c4686cb36c43e20f300c0N.exe 1556 Onmgeb32.exe 1556 Onmgeb32.exe 2760 Oakcan32.exe 2760 Oakcan32.exe 2776 Pdnihiad.exe 2776 Pdnihiad.exe 2736 Pfmeddag.exe 2736 Pfmeddag.exe 2784 Pbfcoedi.exe 2784 Pbfcoedi.exe 2684 Pedokpcm.exe 2684 Pedokpcm.exe 2292 Phckglbq.exe 2292 Phckglbq.exe 2184 Qeihfp32.exe 2184 Qeihfp32.exe 2144 Ahgdbk32.exe 2144 Ahgdbk32.exe 1632 Aodjdede.exe 1632 Aodjdede.exe 2604 Aabfqp32.exe 2604 Aabfqp32.exe 820 Aadbfp32.exe 820 Aadbfp32.exe 3048 Agakog32.exe 3048 Agakog32.exe 2212 Alncgn32.exe 2212 Alncgn32.exe 2220 Agchdfmk.exe 2220 Agchdfmk.exe 1220 Alqplmlb.exe 1220 Alqplmlb.exe 1920 Bgfdjfkh.exe 1920 Bgfdjfkh.exe 1412 Blcmbmip.exe 1412 Blcmbmip.exe 1960 Bapejd32.exe 1960 Bapejd32.exe 1488 Bkhjcing.exe 1488 Bkhjcing.exe 1948 Bfnnpbnn.exe 1948 Bfnnpbnn.exe 3060 Bkjfhile.exe 3060 Bkjfhile.exe 1684 Bfpkfb32.exe 1684 Bfpkfb32.exe 2088 Bdehgnqc.exe 2088 Bdehgnqc.exe 2728 Ckopch32.exe 2728 Ckopch32.exe 2840 Cqlhlo32.exe 2840 Cqlhlo32.exe 1640 Cjdmee32.exe 1640 Cjdmee32.exe 2980 Cdjabn32.exe 2980 Cdjabn32.exe 2660 Cmeffp32.exe 2660 Cmeffp32.exe 2696 Cgjjdijo.exe 2696 Cgjjdijo.exe 2400 Cqcomn32.exe 2400 Cqcomn32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Hgbanlfc.exe Hdcebagp.exe File created C:\Windows\SysWOW64\Njjbjk32.exe Ncpjnahm.exe File opened for modification C:\Windows\SysWOW64\Nhookh32.exe Njlopkmg.exe File created C:\Windows\SysWOW64\Fbmppilc.dll Qechqj32.exe File created C:\Windows\SysWOW64\Qmdfjmdc.dll Abbknb32.exe File created C:\Windows\SysWOW64\Ffmijgfa.dll Dhmchljg.exe File created C:\Windows\SysWOW64\Mahgejhf.exe Mnlkdk32.exe File created C:\Windows\SysWOW64\Onggom32.exe Ofqonp32.exe File created C:\Windows\SysWOW64\Oiioneca.dll Cdbqflae.exe File created C:\Windows\SysWOW64\Fadmenpg.exe Fjjeid32.exe File opened for modification C:\Windows\SysWOW64\Gpccgppq.exe Glhhgahg.exe File created C:\Windows\SysWOW64\Emoghm32.dll Hdailaib.exe File created C:\Windows\SysWOW64\Bfiebedp.dll Peakkj32.exe File created C:\Windows\SysWOW64\Bkhfmlhk.dll Qfganb32.exe File created C:\Windows\SysWOW64\Lcegdl32.dll Dnonjqdq.exe File created C:\Windows\SysWOW64\Nkphmc32.exe Nmmgafjh.exe File created C:\Windows\SysWOW64\Nbjpjm32.exe Nkphmc32.exe File opened for modification C:\Windows\SysWOW64\Jeenfd32.exe Jnlfjjpl.exe File opened for modification C:\Windows\SysWOW64\Jbdadl32.exe Jpfehq32.exe File created C:\Windows\SysWOW64\Lhkiae32.exe Lihifhoq.exe File opened for modification C:\Windows\SysWOW64\Alfflhpa.exe Amcfpl32.exe File created C:\Windows\SysWOW64\Hnljkf32.exe Hfdbji32.exe File created C:\Windows\SysWOW64\Ioochn32.exe Iiekkdjo.exe File created C:\Windows\SysWOW64\Mjcljlea.exe Mkplnp32.exe File created C:\Windows\SysWOW64\Ggpiikml.dll Ognobcqo.exe File created C:\Windows\SysWOW64\Peakkj32.exe Pbcooo32.exe File created C:\Windows\SysWOW64\Ihpfhhme.dll Kmgekh32.exe File opened for modification C:\Windows\SysWOW64\Fbhfcf32.exe Flnnfllf.exe File opened for modification C:\Windows\SysWOW64\Febmfcjj.exe Eodknifb.exe File opened for modification C:\Windows\SysWOW64\Gkancm32.exe Glongpao.exe File opened for modification C:\Windows\SysWOW64\Hdolga32.exe Happkf32.exe File created C:\Windows\SysWOW64\Llcppm32.dll Happkf32.exe File opened for modification C:\Windows\SysWOW64\Hdcebagp.exe Hmlmacfn.exe File opened for modification C:\Windows\SysWOW64\Gdjblboj.exe Gcifdj32.exe File opened for modification C:\Windows\SysWOW64\Lldhldpg.exe Lielphqc.exe File opened for modification C:\Windows\SysWOW64\Qdfhlggl.exe Qechqj32.exe File opened for modification C:\Windows\SysWOW64\Dcppmg32.exe Dmfhqmge.exe File created C:\Windows\SysWOW64\Oidldm32.dll Eiplecnc.exe File created C:\Windows\SysWOW64\Hphiggmf.dll Ncnmhajo.exe File opened for modification C:\Windows\SysWOW64\Picdejbg.exe Pjqdjn32.exe File created C:\Windows\SysWOW64\Qjcmoqlf.exe Qfganb32.exe File opened for modification C:\Windows\SysWOW64\Bnfodojp.exe Bglghdbc.exe File created C:\Windows\SysWOW64\Almmlg32.exe Ahbqliap.exe File opened for modification C:\Windows\SysWOW64\Pedokpcm.exe Pbfcoedi.exe File opened for modification C:\Windows\SysWOW64\Aabfqp32.exe Aodjdede.exe File created C:\Windows\SysWOW64\Effidg32.exe Elaego32.exe File created C:\Windows\SysWOW64\Knmflijn.dll Jijqeg32.exe File created C:\Windows\SysWOW64\Kblhdkgk.exe Kopldl32.exe File opened for modification C:\Windows\SysWOW64\Gpiffngk.exe Gmkjjbhg.exe File created C:\Windows\SysWOW64\Eocmqiih.dll Gdophn32.exe File created C:\Windows\SysWOW64\Ijpjik32.exe Ikmjnnah.exe File created C:\Windows\SysWOW64\Kejdqffo.exe Kblhdkgk.exe File created C:\Windows\SysWOW64\Opkpme32.exe Ommdqi32.exe File opened for modification C:\Windows\SysWOW64\Plbaafak.exe Pmoqfi32.exe File opened for modification C:\Windows\SysWOW64\Pbqbioeb.exe Ppbfmdfo.exe File created C:\Windows\SysWOW64\Qahlpkhh.exe Pmmppm32.exe File opened for modification C:\Windows\SysWOW64\Aodjdede.exe Ahgdbk32.exe File created C:\Windows\SysWOW64\Lgdcmc32.dll Fhfbmn32.exe File created C:\Windows\SysWOW64\Kekgleob.dll Kopldl32.exe File created C:\Windows\SysWOW64\Oahfnj32.dll Pblinp32.exe File created C:\Windows\SysWOW64\Kbgnil32.exe Kphbmp32.exe File created C:\Windows\SysWOW64\Meojkide.exe Macnjk32.exe File created C:\Windows\SysWOW64\Mqlpph32.dll Pikkfilp.exe File opened for modification C:\Windows\SysWOW64\Fkpeojha.exe Fhaibnim.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 5456 5432 WerFault.exe 472 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oifelfni.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ojjnioae.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dpmeij32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jijqeg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mdkmld32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nfeljlqh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jbdadl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lckdcn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mlcekgbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Flnnfllf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cfmceomm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gmmgobfd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Glajmppm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hfiofefm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jnppei32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aimckl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Macnjk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bpieli32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cldolj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ickoimie.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iodlcnmf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jnlfjjpl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Alfflhpa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Conbmfif.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ijpjik32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kiojqfdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lmolkg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pligbekc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ghcbga32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ncbfcq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ppnmbd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dmfhqmge.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cfemdp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dcijmhdj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ggqamh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kpkocpjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mgdpnqfn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Abgeiaaf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bpfhfjgq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aodjdede.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Obniel32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aeokdn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Boqbcbeh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bkjfhile.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hnimeg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hmlmacfn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lbgkhoml.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gcifdj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iniidj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kacakgip.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bdmklico.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ofqonp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Plbaafak.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bjomoo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fhaibnim.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ggmldj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ikfdmogp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nmmgafjh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jpfehq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ikkmho32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ejhhcdjm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bgfdjfkh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cqcomn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oqcffi32.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nofnglhg.dll" Nmmgafjh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Okkgeh32.dll" Ofehiocd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qpmiahlp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aajedn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Plkchdiq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjjlglao.dll" Nbgcdmjb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Phckglbq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Klapha32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dfomdk32.dll" Llalgdbj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ncbfcq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lelnjj32.dll" Emieflec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gadidabc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Acblea32.dll" Ikmjnnah.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fhojbk32.dll" Onejjm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aioppl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Chfffk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cakoqh32.dll" Jehklc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Oeobfgak.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Abgeiaaf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Epjlaj32.dll" Enjand32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Onmgeb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hobcok32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lejppj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elioal32.dll" Nonqca32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dcijmhdj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Beoanjep.dll" Feklja32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jbdadl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pmoqfi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cnmbollk.dll" Aeokdn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jffaaoip.dll" Bkefcc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nflidmic.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Memchb32.dll" Ndhlfh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aajedn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hokold32.dll" Bdpgai32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gilhpe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Plnbai32.dll" Jalolemm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jpalmaad.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gloibpen.dll" Liqcei32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dlgind32.dll" Gdpikmci.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Omincc32.dll" Hchbcmlh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jbdadl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fhofjehd.dll" Nlfaag32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mdfcaegj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aeahjn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbiimp32.dll" Bnfodojp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hhjhgpcn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Laenqg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Legcjjjm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Knijji32.dll" Mhmfgdch.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bdmklico.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cdbqflae.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eimien32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aodjdede.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Eodknifb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ibbioilj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jecnpg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Glongpao.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bimkbqpd.dll" Obniel32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ppnmbd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ejhhcdjm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gkfkoi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Igdndl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Onejjm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Agljbf32.dll" Chfffk32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1956 wrote to memory of 1556 1956 b9497e78bb8c4686cb36c43e20f300c0N.exe 29 PID 1956 wrote to memory of 1556 1956 b9497e78bb8c4686cb36c43e20f300c0N.exe 29 PID 1956 wrote to memory of 1556 1956 b9497e78bb8c4686cb36c43e20f300c0N.exe 29 PID 1956 wrote to memory of 1556 1956 b9497e78bb8c4686cb36c43e20f300c0N.exe 29 PID 1556 wrote to memory of 2760 1556 Onmgeb32.exe 30 PID 1556 wrote to memory of 2760 1556 Onmgeb32.exe 30 PID 1556 wrote to memory of 2760 1556 Onmgeb32.exe 30 PID 1556 wrote to memory of 2760 1556 Onmgeb32.exe 30 PID 2760 wrote to memory of 2776 2760 Oakcan32.exe 31 PID 2760 wrote to memory of 2776 2760 Oakcan32.exe 31 PID 2760 wrote to memory of 2776 2760 Oakcan32.exe 31 PID 2760 wrote to memory of 2776 2760 Oakcan32.exe 31 PID 2776 wrote to memory of 2736 2776 Pdnihiad.exe 32 PID 2776 wrote to memory of 2736 2776 Pdnihiad.exe 32 PID 2776 wrote to memory of 2736 2776 Pdnihiad.exe 32 PID 2776 wrote to memory of 2736 2776 Pdnihiad.exe 32 PID 2736 wrote to memory of 2784 2736 Pfmeddag.exe 33 PID 2736 wrote to memory of 2784 2736 Pfmeddag.exe 33 PID 2736 wrote to memory of 2784 2736 Pfmeddag.exe 33 PID 2736 wrote to memory of 2784 2736 Pfmeddag.exe 33 PID 2784 wrote to memory of 2684 2784 Pbfcoedi.exe 34 PID 2784 wrote to memory of 2684 2784 Pbfcoedi.exe 34 PID 2784 wrote to memory of 2684 2784 Pbfcoedi.exe 34 PID 2784 wrote to memory of 2684 2784 Pbfcoedi.exe 34 PID 2684 wrote to memory of 2292 2684 Pedokpcm.exe 35 PID 2684 wrote to memory of 2292 2684 Pedokpcm.exe 35 PID 2684 wrote to memory of 2292 2684 Pedokpcm.exe 35 PID 2684 wrote to memory of 2292 2684 Pedokpcm.exe 35 PID 2292 wrote to memory of 2184 2292 Phckglbq.exe 36 PID 2292 wrote to memory of 2184 2292 Phckglbq.exe 36 PID 2292 wrote to memory of 2184 2292 Phckglbq.exe 36 PID 2292 wrote to memory of 2184 2292 Phckglbq.exe 36 PID 2184 wrote to memory of 2144 2184 Qeihfp32.exe 37 PID 2184 wrote to memory of 2144 2184 Qeihfp32.exe 37 PID 2184 wrote to memory of 2144 2184 Qeihfp32.exe 37 PID 2184 wrote to memory of 2144 2184 Qeihfp32.exe 37 PID 2144 wrote to memory of 1632 2144 Ahgdbk32.exe 38 PID 2144 wrote to memory of 1632 2144 Ahgdbk32.exe 38 PID 2144 wrote to memory of 1632 2144 Ahgdbk32.exe 38 PID 2144 wrote to memory of 1632 2144 Ahgdbk32.exe 38 PID 1632 wrote to memory of 2604 1632 Aodjdede.exe 39 PID 1632 wrote to memory of 2604 1632 Aodjdede.exe 39 PID 1632 wrote to memory of 2604 1632 Aodjdede.exe 39 PID 1632 wrote to memory of 2604 1632 Aodjdede.exe 39 PID 2604 wrote to memory of 820 2604 Aabfqp32.exe 40 PID 2604 wrote to memory of 820 2604 Aabfqp32.exe 40 PID 2604 wrote to memory of 820 2604 Aabfqp32.exe 40 PID 2604 wrote to memory of 820 2604 Aabfqp32.exe 40 PID 820 wrote to memory of 3048 820 Aadbfp32.exe 41 PID 820 wrote to memory of 3048 820 Aadbfp32.exe 41 PID 820 wrote to memory of 3048 820 Aadbfp32.exe 41 PID 820 wrote to memory of 3048 820 Aadbfp32.exe 41 PID 3048 wrote to memory of 2212 3048 Agakog32.exe 42 PID 3048 wrote to memory of 2212 3048 Agakog32.exe 42 PID 3048 wrote to memory of 2212 3048 Agakog32.exe 42 PID 3048 wrote to memory of 2212 3048 Agakog32.exe 42 PID 2212 wrote to memory of 2220 2212 Alncgn32.exe 43 PID 2212 wrote to memory of 2220 2212 Alncgn32.exe 43 PID 2212 wrote to memory of 2220 2212 Alncgn32.exe 43 PID 2212 wrote to memory of 2220 2212 Alncgn32.exe 43 PID 2220 wrote to memory of 1220 2220 Agchdfmk.exe 44 PID 2220 wrote to memory of 1220 2220 Agchdfmk.exe 44 PID 2220 wrote to memory of 1220 2220 Agchdfmk.exe 44 PID 2220 wrote to memory of 1220 2220 Agchdfmk.exe 44
Processes
-
C:\Users\Admin\AppData\Local\Temp\b9497e78bb8c4686cb36c43e20f300c0N.exe"C:\Users\Admin\AppData\Local\Temp\b9497e78bb8c4686cb36c43e20f300c0N.exe"1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1956 -
C:\Windows\SysWOW64\Onmgeb32.exeC:\Windows\system32\Onmgeb32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1556 -
C:\Windows\SysWOW64\Oakcan32.exeC:\Windows\system32\Oakcan32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2760 -
C:\Windows\SysWOW64\Pdnihiad.exeC:\Windows\system32\Pdnihiad.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2776 -
C:\Windows\SysWOW64\Pfmeddag.exeC:\Windows\system32\Pfmeddag.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2736 -
C:\Windows\SysWOW64\Pbfcoedi.exeC:\Windows\system32\Pbfcoedi.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2784 -
C:\Windows\SysWOW64\Pedokpcm.exeC:\Windows\system32\Pedokpcm.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2684 -
C:\Windows\SysWOW64\Phckglbq.exeC:\Windows\system32\Phckglbq.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2292 -
C:\Windows\SysWOW64\Qeihfp32.exeC:\Windows\system32\Qeihfp32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2184 -
C:\Windows\SysWOW64\Ahgdbk32.exeC:\Windows\system32\Ahgdbk32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2144 -
C:\Windows\SysWOW64\Aodjdede.exeC:\Windows\system32\Aodjdede.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1632 -
C:\Windows\SysWOW64\Aabfqp32.exeC:\Windows\system32\Aabfqp32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2604 -
C:\Windows\SysWOW64\Aadbfp32.exeC:\Windows\system32\Aadbfp32.exe13⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:820 -
C:\Windows\SysWOW64\Agakog32.exeC:\Windows\system32\Agakog32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3048 -
C:\Windows\SysWOW64\Alncgn32.exeC:\Windows\system32\Alncgn32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2212 -
C:\Windows\SysWOW64\Agchdfmk.exeC:\Windows\system32\Agchdfmk.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2220 -
C:\Windows\SysWOW64\Alqplmlb.exeC:\Windows\system32\Alqplmlb.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1220 -
C:\Windows\SysWOW64\Bgfdjfkh.exeC:\Windows\system32\Bgfdjfkh.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1920 -
C:\Windows\SysWOW64\Blcmbmip.exeC:\Windows\system32\Blcmbmip.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1412 -
C:\Windows\SysWOW64\Bapejd32.exeC:\Windows\system32\Bapejd32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1960 -
C:\Windows\SysWOW64\Bkhjcing.exeC:\Windows\system32\Bkhjcing.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1488 -
C:\Windows\SysWOW64\Bfnnpbnn.exeC:\Windows\system32\Bfnnpbnn.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1948 -
C:\Windows\SysWOW64\Bkjfhile.exeC:\Windows\system32\Bkjfhile.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:3060 -
C:\Windows\SysWOW64\Bfpkfb32.exeC:\Windows\system32\Bfpkfb32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1684 -
C:\Windows\SysWOW64\Bkmcni32.exeC:\Windows\system32\Bkmcni32.exe25⤵
- Executes dropped EXE
PID:2052 -
C:\Windows\SysWOW64\Bdehgnqc.exeC:\Windows\system32\Bdehgnqc.exe26⤵
- Loads dropped DLL
PID:2088 -
C:\Windows\SysWOW64\Ckopch32.exeC:\Windows\system32\Ckopch32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2728 -
C:\Windows\SysWOW64\Cqlhlo32.exeC:\Windows\system32\Cqlhlo32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2840 -
C:\Windows\SysWOW64\Cjdmee32.exeC:\Windows\system32\Cjdmee32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1640 -
C:\Windows\SysWOW64\Cdjabn32.exeC:\Windows\system32\Cdjabn32.exe30⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2980 -
C:\Windows\SysWOW64\Cmeffp32.exeC:\Windows\system32\Cmeffp32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2660 -
C:\Windows\SysWOW64\Cgjjdijo.exeC:\Windows\system32\Cgjjdijo.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2696 -
C:\Windows\SysWOW64\Cqcomn32.exeC:\Windows\system32\Cqcomn32.exe33⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2400 -
C:\Windows\SysWOW64\Cincaq32.exeC:\Windows\system32\Cincaq32.exe34⤵
- Executes dropped EXE
PID:880 -
C:\Windows\SysWOW64\Cbfhjfdk.exeC:\Windows\system32\Cbfhjfdk.exe35⤵
- Executes dropped EXE
PID:2720 -
C:\Windows\SysWOW64\Dmllgo32.exeC:\Windows\system32\Dmllgo32.exe36⤵
- Executes dropped EXE
PID:2688 -
C:\Windows\SysWOW64\Dfdqpdja.exeC:\Windows\system32\Dfdqpdja.exe37⤵
- Executes dropped EXE
PID:984 -
C:\Windows\SysWOW64\Dpmeij32.exeC:\Windows\system32\Dpmeij32.exe38⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2908 -
C:\Windows\SysWOW64\Dghjmlnm.exeC:\Windows\system32\Dghjmlnm.exe39⤵
- Executes dropped EXE
PID:2328 -
C:\Windows\SysWOW64\Deljfqmf.exeC:\Windows\system32\Deljfqmf.exe40⤵
- Executes dropped EXE
PID:2068 -
C:\Windows\SysWOW64\Dndoof32.exeC:\Windows\system32\Dndoof32.exe41⤵
- Executes dropped EXE
PID:2988 -
C:\Windows\SysWOW64\Dhmchljg.exeC:\Windows\system32\Dhmchljg.exe42⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1700 -
C:\Windows\SysWOW64\Eaegaaah.exeC:\Windows\system32\Eaegaaah.exe43⤵
- Executes dropped EXE
PID:2096 -
C:\Windows\SysWOW64\Eiplecnc.exeC:\Windows\system32\Eiplecnc.exe44⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3056 -
C:\Windows\SysWOW64\Edfqclni.exeC:\Windows\system32\Edfqclni.exe45⤵
- Executes dropped EXE
PID:2700 -
C:\Windows\SysWOW64\Elaego32.exeC:\Windows\system32\Elaego32.exe46⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2816 -
C:\Windows\SysWOW64\Effidg32.exeC:\Windows\system32\Effidg32.exe47⤵
- Executes dropped EXE
PID:2512 -
C:\Windows\SysWOW64\Eponmmaj.exeC:\Windows\system32\Eponmmaj.exe48⤵
- Executes dropped EXE
PID:632 -
C:\Windows\SysWOW64\Eelfedpa.exeC:\Windows\system32\Eelfedpa.exe49⤵
- Executes dropped EXE
PID:2080 -
C:\Windows\SysWOW64\Eodknifb.exeC:\Windows\system32\Eodknifb.exe50⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2364 -
C:\Windows\SysWOW64\Febmfcjj.exeC:\Windows\system32\Febmfcjj.exe51⤵
- Executes dropped EXE
PID:2188 -
C:\Windows\SysWOW64\Fhaibnim.exeC:\Windows\system32\Fhaibnim.exe52⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2680 -
C:\Windows\SysWOW64\Fkpeojha.exeC:\Windows\system32\Fkpeojha.exe53⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3064 -
C:\Windows\SysWOW64\Fmnakege.exeC:\Windows\system32\Fmnakege.exe54⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2316 -
C:\Windows\SysWOW64\Fdhigo32.exeC:\Windows\system32\Fdhigo32.exe55⤵
- Executes dropped EXE
PID:2796 -
C:\Windows\SysWOW64\Fgffck32.exeC:\Windows\system32\Fgffck32.exe56⤵
- Executes dropped EXE
PID:2300 -
C:\Windows\SysWOW64\Fmpnpe32.exeC:\Windows\system32\Fmpnpe32.exe57⤵
- Executes dropped EXE
PID:1536 -
C:\Windows\SysWOW64\Faljqcmk.exeC:\Windows\system32\Faljqcmk.exe58⤵
- Executes dropped EXE
PID:1972 -
C:\Windows\SysWOW64\Fhfbmn32.exeC:\Windows\system32\Fhfbmn32.exe59⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1112 -
C:\Windows\SysWOW64\Fkdoii32.exeC:\Windows\system32\Fkdoii32.exe60⤵
- Executes dropped EXE
PID:980 -
C:\Windows\SysWOW64\Figoefkf.exeC:\Windows\system32\Figoefkf.exe61⤵
- Executes dropped EXE
PID:2396 -
C:\Windows\SysWOW64\Gpagbp32.exeC:\Windows\system32\Gpagbp32.exe62⤵
- Executes dropped EXE
PID:2248 -
C:\Windows\SysWOW64\Gcocnk32.exeC:\Windows\system32\Gcocnk32.exe63⤵
- Executes dropped EXE
PID:532 -
C:\Windows\SysWOW64\Gkfkoi32.exeC:\Windows\system32\Gkfkoi32.exe64⤵
- Executes dropped EXE
- Modifies registry class
PID:2756 -
C:\Windows\SysWOW64\Glhhgahg.exeC:\Windows\system32\Glhhgahg.exe65⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:876 -
C:\Windows\SysWOW64\Gpccgppq.exeC:\Windows\system32\Gpccgppq.exe66⤵
- Executes dropped EXE
PID:2732 -
C:\Windows\SysWOW64\Gdophn32.exeC:\Windows\system32\Gdophn32.exe67⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2672 -
C:\Windows\SysWOW64\Ggmldj32.exeC:\Windows\system32\Ggmldj32.exe68⤵
- System Location Discovery: System Language Discovery
PID:2924 -
C:\Windows\SysWOW64\Geplpfnh.exeC:\Windows\system32\Geplpfnh.exe69⤵PID:2336
-
C:\Windows\SysWOW64\Gilhpe32.exeC:\Windows\system32\Gilhpe32.exe70⤵
- Modifies registry class
PID:1508 -
C:\Windows\SysWOW64\Gljdlq32.exeC:\Windows\system32\Gljdlq32.exe71⤵PID:2308
-
C:\Windows\SysWOW64\Gohqhl32.exeC:\Windows\system32\Gohqhl32.exe72⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1872 -
C:\Windows\SysWOW64\Gebiefle.exeC:\Windows\system32\Gebiefle.exe73⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1648 -
C:\Windows\SysWOW64\Ghaeaaki.exeC:\Windows\system32\Ghaeaaki.exe74⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2376 -
C:\Windows\SysWOW64\Gllabp32.exeC:\Windows\system32\Gllabp32.exe75⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:348 -
C:\Windows\SysWOW64\Gokmnlcf.exeC:\Windows\system32\Gokmnlcf.exe76⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2104 -
C:\Windows\SysWOW64\Gcfioj32.exeC:\Windows\system32\Gcfioj32.exe77⤵PID:292
-
C:\Windows\SysWOW64\Geeekf32.exeC:\Windows\system32\Geeekf32.exe78⤵PID:2860
-
C:\Windows\SysWOW64\Ghcbga32.exeC:\Windows\system32\Ghcbga32.exe79⤵
- System Location Discovery: System Language Discovery
PID:2596 -
C:\Windows\SysWOW64\Glongpao.exeC:\Windows\system32\Glongpao.exe80⤵
- Drops file in System32 directory
- Modifies registry class
PID:2128 -
C:\Windows\SysWOW64\Gkancm32.exeC:\Windows\system32\Gkancm32.exe81⤵PID:560
-
C:\Windows\SysWOW64\Gomjckqc.exeC:\Windows\system32\Gomjckqc.exe82⤵PID:2092
-
C:\Windows\SysWOW64\Gcifdj32.exeC:\Windows\system32\Gcifdj32.exe83⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2428 -
C:\Windows\SysWOW64\Gdjblboj.exeC:\Windows\system32\Gdjblboj.exe84⤵PID:2064
-
C:\Windows\SysWOW64\Gheola32.exeC:\Windows\system32\Gheola32.exe85⤵PID:1652
-
C:\Windows\SysWOW64\Glajmppm.exeC:\Windows\system32\Glajmppm.exe86⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:2624 -
C:\Windows\SysWOW64\Hkdkhl32.exeC:\Windows\system32\Hkdkhl32.exe87⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2444 -
C:\Windows\SysWOW64\Hopgikop.exeC:\Windows\system32\Hopgikop.exe88⤵PID:2676
-
C:\Windows\SysWOW64\Hancef32.exeC:\Windows\system32\Hancef32.exe89⤵PID:2744
-
C:\Windows\SysWOW64\Hfiofefm.exeC:\Windows\system32\Hfiofefm.exe90⤵
- System Location Discovery: System Language Discovery
PID:2916 -
C:\Windows\SysWOW64\Hhhkbqea.exeC:\Windows\system32\Hhhkbqea.exe91⤵PID:896
-
C:\Windows\SysWOW64\Hgkknm32.exeC:\Windows\system32\Hgkknm32.exe92⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2124 -
C:\Windows\SysWOW64\Hobcok32.exeC:\Windows\system32\Hobcok32.exe93⤵
- Modifies registry class
PID:2848 -
C:\Windows\SysWOW64\Hnecjgch.exeC:\Windows\system32\Hnecjgch.exe94⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1888 -
C:\Windows\SysWOW64\Happkf32.exeC:\Windows\system32\Happkf32.exe95⤵
- Drops file in System32 directory
PID:2332 -
C:\Windows\SysWOW64\Hdolga32.exeC:\Windows\system32\Hdolga32.exe96⤵PID:2260
-
C:\Windows\SysWOW64\Hhjhgpcn.exeC:\Windows\system32\Hhjhgpcn.exe97⤵
- Modifies registry class
PID:1548 -
C:\Windows\SysWOW64\Hgmhcm32.exeC:\Windows\system32\Hgmhcm32.exe98⤵PID:1560
-
C:\Windows\SysWOW64\Hjkdoh32.exeC:\Windows\system32\Hjkdoh32.exe99⤵PID:2460
-
C:\Windows\SysWOW64\Hngppgae.exeC:\Windows\system32\Hngppgae.exe100⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1876 -
C:\Windows\SysWOW64\Hbblpf32.exeC:\Windows\system32\Hbblpf32.exe101⤵PID:1392
-
C:\Windows\SysWOW64\Hdailaib.exeC:\Windows\system32\Hdailaib.exe102⤵
- Drops file in System32 directory
PID:2500 -
C:\Windows\SysWOW64\Hcdihn32.exeC:\Windows\system32\Hcdihn32.exe103⤵PID:2804
-
C:\Windows\SysWOW64\Hkkaik32.exeC:\Windows\system32\Hkkaik32.exe104⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2928 -
C:\Windows\SysWOW64\Hnimeg32.exeC:\Windows\system32\Hnimeg32.exe105⤵
- System Location Discovery: System Language Discovery
PID:1460 -
C:\Windows\SysWOW64\Hmlmacfn.exeC:\Windows\system32\Hmlmacfn.exe106⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1284 -
C:\Windows\SysWOW64\Hdcebagp.exeC:\Windows\system32\Hdcebagp.exe107⤵
- Drops file in System32 directory
PID:2152 -
C:\Windows\SysWOW64\Hgbanlfc.exeC:\Windows\system32\Hgbanlfc.exe108⤵PID:2204
-
C:\Windows\SysWOW64\Hfdbji32.exeC:\Windows\system32\Hfdbji32.exe109⤵
- Drops file in System32 directory
PID:2532 -
C:\Windows\SysWOW64\Hnljkf32.exeC:\Windows\system32\Hnljkf32.exe110⤵PID:2900
-
C:\Windows\SysWOW64\Hchbcmlh.exeC:\Windows\system32\Hchbcmlh.exe111⤵
- Modifies registry class
PID:2912 -
C:\Windows\SysWOW64\Igdndl32.exeC:\Windows\system32\Igdndl32.exe112⤵
- Modifies registry class
PID:652 -
C:\Windows\SysWOW64\Ijbjpg32.exeC:\Windows\system32\Ijbjpg32.exe113⤵PID:1288
-
C:\Windows\SysWOW64\Iiekkdjo.exeC:\Windows\system32\Iiekkdjo.exe114⤵
- Drops file in System32 directory
PID:1032 -
C:\Windows\SysWOW64\Ioochn32.exeC:\Windows\system32\Ioochn32.exe115⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1924 -
C:\Windows\SysWOW64\Ickoimie.exeC:\Windows\system32\Ickoimie.exe116⤵
- System Location Discovery: System Language Discovery
PID:2208 -
C:\Windows\SysWOW64\Ibnodj32.exeC:\Windows\system32\Ibnodj32.exe117⤵PID:2944
-
C:\Windows\SysWOW64\Ifikehii.exeC:\Windows\system32\Ifikehii.exe118⤵PID:1600
-
C:\Windows\SysWOW64\Imccab32.exeC:\Windows\system32\Imccab32.exe119⤵PID:2060
-
C:\Windows\SysWOW64\Ikfdmogp.exeC:\Windows\system32\Ikfdmogp.exe120⤵
- System Location Discovery: System Language Discovery
PID:448 -
C:\Windows\SysWOW64\Ioapnn32.exeC:\Windows\system32\Ioapnn32.exe121⤵PID:2764
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-