Analysis
-
max time kernel
117s -
max time network
119s -
platform
windows7_x64 -
resource
win7-20240704-en -
resource tags
arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system -
submitted
02/09/2024, 22:58
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
2518af9c7ca82b340112e027686583f0N.exe
Resource
win7-20240704-en
windows7-x64
8 signatures
120 seconds
Behavioral task
behavioral2
Sample
2518af9c7ca82b340112e027686583f0N.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
7 signatures
120 seconds
General
-
Target
2518af9c7ca82b340112e027686583f0N.exe
-
Size
91KB
-
MD5
2518af9c7ca82b340112e027686583f0
-
SHA1
73870fc3122da986012a158629b8369f1a5d0f69
-
SHA256
2f6868490ead8963d27009e09eba7f75963cf054f09249f4286d31f461df6dd2
-
SHA512
015dcc3f593bd1d8d750ee8a7a5a3af325b9402860686113c7897b3205fbdf3cf17c932e670bce3dc23af5ed6fc3f5c3b170b0b027815d31b65c980bd06ab996
-
SSDEEP
1536:l9Y9rBTWP+ijk2V0mS7Zewd2vY+hVX7Yr/viVMi:49r2lpVkFe7vXro/vOMi
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dbaice32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ladebd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dfkhndca.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hbdjcffd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cogfqe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Glbaei32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Inojhc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Iamfdo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bqgmfkhg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dgiaefgg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dgnjqe32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ajckilei.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cglalbbi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Difqji32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eicpcm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hqgddm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hfjbmb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lmmfnb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jpmmfp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mfeaiime.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mdadjd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Oecmogln.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kocpbfei.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ijkocg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pjihmmbk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Addfkeid.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Emdeok32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jcnoejch.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mokilo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jeqopcld.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nnnbni32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dgknkf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dmkcil32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jefbnacn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bbbpenco.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ehlmljkm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ijibng32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kcginj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Phfoee32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Qlfdac32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ikqnlh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jfaeme32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eegkpo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ipjdameg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Odmckcmq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Epbbkf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Eeagimdf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fchkbg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hfepod32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nqhepeai.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ageompfe.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Giolnomh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Egajnfoe.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jmdgipkk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fodebh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kpafapbk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Momfan32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Anjnnk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fooembgb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kfaalh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jlhkgm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fliook32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hkjkle32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bdkhjgeh.exe -
Executes dropped EXE 64 IoCs
pid Process 1052 Abpcooea.exe 2732 Adnpkjde.exe 2232 Bgllgedi.exe 2692 Bbbpenco.exe 2804 Bdqlajbb.exe 2776 Bniajoic.exe 2668 Bqgmfkhg.exe 2596 Bnknoogp.exe 1332 Bchfhfeh.exe 1624 Bjbndpmd.exe 2012 Bmpkqklh.exe 2852 Boogmgkl.exe 3016 Bbmcibjp.exe 2408 Bmbgfkje.exe 2184 Coacbfii.exe 2528 Cfkloq32.exe 1368 Cmedlk32.exe 2316 Cocphf32.exe 752 Cbblda32.exe 892 Cfmhdpnc.exe 2420 Ckjamgmk.exe 1556 Cpfmmf32.exe 1264 Cagienkb.exe 2828 Ckmnbg32.exe 3056 Caifjn32.exe 2236 Clojhf32.exe 2816 Cnmfdb32.exe 2808 Cfhkhd32.exe 2724 Dnpciaef.exe 2604 Dfkhndca.exe 3012 Djfdob32.exe 1256 Daplkmbg.exe 2536 Dcohghbk.exe 992 Dbaice32.exe 2036 Djiqdb32.exe 536 Ddaemh32.exe 2980 Dinneo32.exe 2428 Dlljaj32.exe 2432 Dphfbiem.exe 2900 Dipjkn32.exe 1220 Dlofgj32.exe 1696 Dbiocd32.exe 664 Eegkpo32.exe 1508 Eheglk32.exe 568 Elacliin.exe 324 Eopphehb.exe 2324 Eanldqgf.exe 2656 Eeiheo32.exe 2756 Ehhdaj32.exe 2584 Ekfpmf32.exe 2576 Emdmjamj.exe 2560 Eeldkonl.exe 1300 Ehjqgjmp.exe 1636 Emgioakg.exe 1664 Edaalk32.exe 1296 Ehlmljkm.exe 2844 Ekkjheja.exe 2856 Ephbal32.exe 760 Egajnfoe.exe 1684 Fmlbjq32.exe 1512 Flocfmnl.exe 1644 Fpjofl32.exe 2824 Fchkbg32.exe 1580 Feggob32.exe -
Loads dropped DLL 64 IoCs
pid Process 2460 2518af9c7ca82b340112e027686583f0N.exe 2460 2518af9c7ca82b340112e027686583f0N.exe 1052 Abpcooea.exe 1052 Abpcooea.exe 2732 Adnpkjde.exe 2732 Adnpkjde.exe 2232 Bgllgedi.exe 2232 Bgllgedi.exe 2692 Bbbpenco.exe 2692 Bbbpenco.exe 2804 Bdqlajbb.exe 2804 Bdqlajbb.exe 2776 Bniajoic.exe 2776 Bniajoic.exe 2668 Bqgmfkhg.exe 2668 Bqgmfkhg.exe 2596 Bnknoogp.exe 2596 Bnknoogp.exe 1332 Bchfhfeh.exe 1332 Bchfhfeh.exe 1624 Bjbndpmd.exe 1624 Bjbndpmd.exe 2012 Bmpkqklh.exe 2012 Bmpkqklh.exe 2852 Boogmgkl.exe 2852 Boogmgkl.exe 3016 Bbmcibjp.exe 3016 Bbmcibjp.exe 2408 Bmbgfkje.exe 2408 Bmbgfkje.exe 2184 Coacbfii.exe 2184 Coacbfii.exe 2528 Cfkloq32.exe 2528 Cfkloq32.exe 1368 Cmedlk32.exe 1368 Cmedlk32.exe 2316 Cocphf32.exe 2316 Cocphf32.exe 752 Cbblda32.exe 752 Cbblda32.exe 892 Cfmhdpnc.exe 892 Cfmhdpnc.exe 2420 Ckjamgmk.exe 2420 Ckjamgmk.exe 1556 Cpfmmf32.exe 1556 Cpfmmf32.exe 1264 Cagienkb.exe 1264 Cagienkb.exe 2828 Ckmnbg32.exe 2828 Ckmnbg32.exe 3056 Caifjn32.exe 3056 Caifjn32.exe 2236 Clojhf32.exe 2236 Clojhf32.exe 2816 Cnmfdb32.exe 2816 Cnmfdb32.exe 2808 Cfhkhd32.exe 2808 Cfhkhd32.exe 2724 Dnpciaef.exe 2724 Dnpciaef.exe 2604 Dfkhndca.exe 2604 Dfkhndca.exe 3012 Djfdob32.exe 3012 Djfdob32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Klcgpkhh.exe Khgkpl32.exe File created C:\Windows\SysWOW64\Bodilc32.dll Kkjpggkn.exe File created C:\Windows\SysWOW64\Lhiddoph.exe Lifcib32.exe File created C:\Windows\SysWOW64\Ehjqgjmp.exe Eeldkonl.exe File created C:\Windows\SysWOW64\Nplnekmg.dll Lgpdglhn.exe File opened for modification C:\Windows\SysWOW64\Fmohco32.exe Fkqlgc32.exe File opened for modification C:\Windows\SysWOW64\Ifolhann.exe Inhdgdmk.exe File created C:\Windows\SysWOW64\Dnlcjk32.dll Iaegpaao.exe File created C:\Windows\SysWOW64\Fckkff32.dll Kindeddf.exe File created C:\Windows\SysWOW64\Npdfik32.dll Ncmglp32.exe File opened for modification C:\Windows\SysWOW64\Jmlddeio.exe Jjnhhjjk.exe File created C:\Windows\SysWOW64\Jhdegn32.exe Jdhifooi.exe File created C:\Windows\SysWOW64\Ppiidm32.dll Bcpimq32.exe File created C:\Windows\SysWOW64\Hddmjk32.exe Hmmdin32.exe File created C:\Windows\SysWOW64\Kmkoadgf.dll Iikkon32.exe File created C:\Windows\SysWOW64\Aaqbpk32.dll Jpgmpk32.exe File opened for modification C:\Windows\SysWOW64\Iiqldc32.exe Igoomk32.exe File opened for modification C:\Windows\SysWOW64\Jfgebjnm.exe Jhdegn32.exe File opened for modification C:\Windows\SysWOW64\Lnecigcp.exe Lkggmldl.exe File created C:\Windows\SysWOW64\Acicla32.exe Aahfdihn.exe File opened for modification C:\Windows\SysWOW64\Djfdob32.exe Dfkhndca.exe File created C:\Windows\SysWOW64\Pddjlb32.exe Plmbkd32.exe File created C:\Windows\SysWOW64\Fppaej32.exe Famaimfe.exe File opened for modification C:\Windows\SysWOW64\Figmjq32.exe Felajbpg.exe File created C:\Windows\SysWOW64\Hdecea32.exe Hcdgmimg.exe File created C:\Windows\SysWOW64\Ncmglp32.exe Npbklabl.exe File created C:\Windows\SysWOW64\Popgboae.exe Plbkfdba.exe File opened for modification C:\Windows\SysWOW64\Jikhnaao.exe Jjhgbd32.exe File opened for modification C:\Windows\SysWOW64\Llpfjomf.exe Lmmfnb32.exe File created C:\Windows\SysWOW64\Epmadeed.dll Dipjkn32.exe File opened for modification C:\Windows\SysWOW64\Kpfplo32.exe Khohkamc.exe File created C:\Windows\SysWOW64\Epaqjmil.dll Ohipla32.exe File opened for modification C:\Windows\SysWOW64\Ikqnlh32.exe Icifjk32.exe File created C:\Windows\SysWOW64\Aohndnll.dll Kilgoe32.exe File created C:\Windows\SysWOW64\Abpcooea.exe 2518af9c7ca82b340112e027686583f0N.exe File opened for modification C:\Windows\SysWOW64\Dfcgbb32.exe Dcdkef32.exe File created C:\Windows\SysWOW64\Hjleia32.dll Fliook32.exe File created C:\Windows\SysWOW64\Lalcbnjb.dll Eeiheo32.exe File created C:\Windows\SysWOW64\Mdadjd32.exe Mbchni32.exe File created C:\Windows\SysWOW64\Aahfdihn.exe Anljck32.exe File opened for modification C:\Windows\SysWOW64\Hgqlafap.exe Hqgddm32.exe File created C:\Windows\SysWOW64\Hiqoeplo.exe Hdecea32.exe File created C:\Windows\SysWOW64\Igmbgk32.exe Ieofkp32.exe File opened for modification C:\Windows\SysWOW64\Mimpkcdn.exe Mdadjd32.exe File created C:\Windows\SysWOW64\Djjjga32.exe Dlgjldnm.exe File created C:\Windows\SysWOW64\Figmjq32.exe Felajbpg.exe File created C:\Windows\SysWOW64\Fofbhgde.exe Fkkfgi32.exe File opened for modification C:\Windows\SysWOW64\Jlhkgm32.exe Jhmofo32.exe File opened for modification C:\Windows\SysWOW64\Dfhdnn32.exe Dblhmoio.exe File created C:\Windows\SysWOW64\Gfkmie32.exe Gcmamj32.exe File opened for modification C:\Windows\SysWOW64\Kmegjdad.exe Kenoifpb.exe File opened for modification C:\Windows\SysWOW64\Nijpdfhm.exe Nflchkii.exe File created C:\Windows\SysWOW64\Ngohbhce.dll Ndcapd32.exe File opened for modification C:\Windows\SysWOW64\Pfebnmcj.exe Pbigmn32.exe File opened for modification C:\Windows\SysWOW64\Fooembgb.exe Fggmldfp.exe File opened for modification C:\Windows\SysWOW64\Ghgfekpn.exe Gehiioaj.exe File created C:\Windows\SysWOW64\Fmnopp32.exe Feggob32.exe File created C:\Windows\SysWOW64\Fleifl32.exe Figmjq32.exe File created C:\Windows\SysWOW64\Bnllhjif.dll Jieaofmp.exe File opened for modification C:\Windows\SysWOW64\Kajiigba.exe Kcginj32.exe File opened for modification C:\Windows\SysWOW64\Hqgddm32.exe Hadcipbi.exe File created C:\Windows\SysWOW64\Lklfipaq.dll Joggci32.exe File created C:\Windows\SysWOW64\Qbnphngk.exe Qldhkc32.exe File opened for modification C:\Windows\SysWOW64\Iaimipjl.exe Ibfmmb32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 6716 6684 WerFault.exe 618 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dahkok32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gehiioaj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jjfkmdlg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Laleof32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mopbgn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ohdfqbio.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cmfmojcb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Agglbp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dlifadkk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hmmdin32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eeldkonl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jaecod32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lonibk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lpabpcdf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Egajnfoe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oehgjfhi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dpnladjl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ifolhann.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qiflohqk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Laahme32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ehjqgjmp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gmhbkohm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hnbaif32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ingkdeak.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gcedad32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ibfmmb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cagienkb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gconbj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Klhgfq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nmcopebh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pioeoi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Phfoee32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ciokijfd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Koipglep.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hclfag32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cpfmmf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ageompfe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aejlnmkm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hinbppna.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gockgdeh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Llpfjomf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lemdncoa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qaapcj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ccbbachm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hnkdnqhm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ikqnlh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eemnnn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hkjkle32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kgcnahoo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iaegpaao.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Klfjpa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nihcog32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dblhmoio.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ofqmcj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cjljnn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kmimcbja.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lepaccmo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Emgioakg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fgfdie32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hbdjcffd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kaglcgdc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mhhgpc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eoebgcol.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gojhafnb.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kndkfpje.dll" Ikldqile.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Cmedlk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Legaoehg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dkmohi32.dll" Nijpdfhm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pmhejhao.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hiioin32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cbblda32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mjqmig32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Qdompf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Iknafhjb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mfgnnhkc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pfbfhm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cjljnn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ifblipqh.dll" Imggplgm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kqkmghhf.dll" Oeaqig32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bqgmfkhg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ckjamgmk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Looghene.dll" Jhmofo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fhkhip32.dll" Mciabmlo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mhjcec32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gefcmp32.dll" Paocnkph.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Cqaiph32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hbppfnao.dll" Lofifi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hjlbdc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kenoifpb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mfjkdh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Inmmbc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qmgaio32.dll" Jabponba.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bfglkheo.dll" Hnpdcf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Lcdhgn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ahfalc32.dll" Qkielpdf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bdqlajbb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ahknna32.dll" Jhdegn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bpifad32.dll" Pmmneg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Inajahoe.dll" Ageompfe.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bhonjg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hjmlhbbg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Opppqdgk.dll" Fennoa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pmhejhao.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Flkeabdg.dll" Bqolji32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jabponba.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Laahme32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hffibceh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hfhfhbce.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Okmjae32.dll" Pfbfhm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Cfehhn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Emdmjamj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ddaemh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kibemb32.dll" Fcpacf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Gqaafn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mffbkj32.dll" Ghibjjnk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Lkdjglfo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Iieepbje.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlhdnf32.dll" Pbgjgomc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Eeagimdf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fjhqaemi.dll" Modlbmmn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Adnjbnhn.dll" Gcgqgd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Eheglk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Felajbpg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Qmhahkdj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Giolnomh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Iocgfhhc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lddblcik.dll" Colpld32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Gekfnoog.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2460 wrote to memory of 1052 2460 2518af9c7ca82b340112e027686583f0N.exe 31 PID 2460 wrote to memory of 1052 2460 2518af9c7ca82b340112e027686583f0N.exe 31 PID 2460 wrote to memory of 1052 2460 2518af9c7ca82b340112e027686583f0N.exe 31 PID 2460 wrote to memory of 1052 2460 2518af9c7ca82b340112e027686583f0N.exe 31 PID 1052 wrote to memory of 2732 1052 Abpcooea.exe 32 PID 1052 wrote to memory of 2732 1052 Abpcooea.exe 32 PID 1052 wrote to memory of 2732 1052 Abpcooea.exe 32 PID 1052 wrote to memory of 2732 1052 Abpcooea.exe 32 PID 2732 wrote to memory of 2232 2732 Adnpkjde.exe 33 PID 2732 wrote to memory of 2232 2732 Adnpkjde.exe 33 PID 2732 wrote to memory of 2232 2732 Adnpkjde.exe 33 PID 2732 wrote to memory of 2232 2732 Adnpkjde.exe 33 PID 2232 wrote to memory of 2692 2232 Bgllgedi.exe 34 PID 2232 wrote to memory of 2692 2232 Bgllgedi.exe 34 PID 2232 wrote to memory of 2692 2232 Bgllgedi.exe 34 PID 2232 wrote to memory of 2692 2232 Bgllgedi.exe 34 PID 2692 wrote to memory of 2804 2692 Bbbpenco.exe 35 PID 2692 wrote to memory of 2804 2692 Bbbpenco.exe 35 PID 2692 wrote to memory of 2804 2692 Bbbpenco.exe 35 PID 2692 wrote to memory of 2804 2692 Bbbpenco.exe 35 PID 2804 wrote to memory of 2776 2804 Bdqlajbb.exe 36 PID 2804 wrote to memory of 2776 2804 Bdqlajbb.exe 36 PID 2804 wrote to memory of 2776 2804 Bdqlajbb.exe 36 PID 2804 wrote to memory of 2776 2804 Bdqlajbb.exe 36 PID 2776 wrote to memory of 2668 2776 Bniajoic.exe 37 PID 2776 wrote to memory of 2668 2776 Bniajoic.exe 37 PID 2776 wrote to memory of 2668 2776 Bniajoic.exe 37 PID 2776 wrote to memory of 2668 2776 Bniajoic.exe 37 PID 2668 wrote to memory of 2596 2668 Bqgmfkhg.exe 38 PID 2668 wrote to memory of 2596 2668 Bqgmfkhg.exe 38 PID 2668 wrote to memory of 2596 2668 Bqgmfkhg.exe 38 PID 2668 wrote to memory of 2596 2668 Bqgmfkhg.exe 38 PID 2596 wrote to memory of 1332 2596 Bnknoogp.exe 39 PID 2596 wrote to memory of 1332 2596 Bnknoogp.exe 39 PID 2596 wrote to memory of 1332 2596 Bnknoogp.exe 39 PID 2596 wrote to memory of 1332 2596 Bnknoogp.exe 39 PID 1332 wrote to memory of 1624 1332 Bchfhfeh.exe 40 PID 1332 wrote to memory of 1624 1332 Bchfhfeh.exe 40 PID 1332 wrote to memory of 1624 1332 Bchfhfeh.exe 40 PID 1332 wrote to memory of 1624 1332 Bchfhfeh.exe 40 PID 1624 wrote to memory of 2012 1624 Bjbndpmd.exe 41 PID 1624 wrote to memory of 2012 1624 Bjbndpmd.exe 41 PID 1624 wrote to memory of 2012 1624 Bjbndpmd.exe 41 PID 1624 wrote to memory of 2012 1624 Bjbndpmd.exe 41 PID 2012 wrote to memory of 2852 2012 Bmpkqklh.exe 42 PID 2012 wrote to memory of 2852 2012 Bmpkqklh.exe 42 PID 2012 wrote to memory of 2852 2012 Bmpkqklh.exe 42 PID 2012 wrote to memory of 2852 2012 Bmpkqklh.exe 42 PID 2852 wrote to memory of 3016 2852 Boogmgkl.exe 43 PID 2852 wrote to memory of 3016 2852 Boogmgkl.exe 43 PID 2852 wrote to memory of 3016 2852 Boogmgkl.exe 43 PID 2852 wrote to memory of 3016 2852 Boogmgkl.exe 43 PID 3016 wrote to memory of 2408 3016 Bbmcibjp.exe 44 PID 3016 wrote to memory of 2408 3016 Bbmcibjp.exe 44 PID 3016 wrote to memory of 2408 3016 Bbmcibjp.exe 44 PID 3016 wrote to memory of 2408 3016 Bbmcibjp.exe 44 PID 2408 wrote to memory of 2184 2408 Bmbgfkje.exe 45 PID 2408 wrote to memory of 2184 2408 Bmbgfkje.exe 45 PID 2408 wrote to memory of 2184 2408 Bmbgfkje.exe 45 PID 2408 wrote to memory of 2184 2408 Bmbgfkje.exe 45 PID 2184 wrote to memory of 2528 2184 Coacbfii.exe 46 PID 2184 wrote to memory of 2528 2184 Coacbfii.exe 46 PID 2184 wrote to memory of 2528 2184 Coacbfii.exe 46 PID 2184 wrote to memory of 2528 2184 Coacbfii.exe 46
Processes
-
C:\Users\Admin\AppData\Local\Temp\2518af9c7ca82b340112e027686583f0N.exe"C:\Users\Admin\AppData\Local\Temp\2518af9c7ca82b340112e027686583f0N.exe"1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2460 -
C:\Windows\SysWOW64\Abpcooea.exeC:\Windows\system32\Abpcooea.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1052 -
C:\Windows\SysWOW64\Adnpkjde.exeC:\Windows\system32\Adnpkjde.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2732 -
C:\Windows\SysWOW64\Bgllgedi.exeC:\Windows\system32\Bgllgedi.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2232 -
C:\Windows\SysWOW64\Bbbpenco.exeC:\Windows\system32\Bbbpenco.exe5⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2692 -
C:\Windows\SysWOW64\Bdqlajbb.exeC:\Windows\system32\Bdqlajbb.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2804 -
C:\Windows\SysWOW64\Bniajoic.exeC:\Windows\system32\Bniajoic.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2776 -
C:\Windows\SysWOW64\Bqgmfkhg.exeC:\Windows\system32\Bqgmfkhg.exe8⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2668 -
C:\Windows\SysWOW64\Bnknoogp.exeC:\Windows\system32\Bnknoogp.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2596 -
C:\Windows\SysWOW64\Bchfhfeh.exeC:\Windows\system32\Bchfhfeh.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1332 -
C:\Windows\SysWOW64\Bjbndpmd.exeC:\Windows\system32\Bjbndpmd.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1624 -
C:\Windows\SysWOW64\Bmpkqklh.exeC:\Windows\system32\Bmpkqklh.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2012 -
C:\Windows\SysWOW64\Boogmgkl.exeC:\Windows\system32\Boogmgkl.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2852 -
C:\Windows\SysWOW64\Bbmcibjp.exeC:\Windows\system32\Bbmcibjp.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3016 -
C:\Windows\SysWOW64\Bmbgfkje.exeC:\Windows\system32\Bmbgfkje.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2408 -
C:\Windows\SysWOW64\Coacbfii.exeC:\Windows\system32\Coacbfii.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2184 -
C:\Windows\SysWOW64\Cfkloq32.exeC:\Windows\system32\Cfkloq32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2528 -
C:\Windows\SysWOW64\Cmedlk32.exeC:\Windows\system32\Cmedlk32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1368 -
C:\Windows\SysWOW64\Cocphf32.exeC:\Windows\system32\Cocphf32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2316 -
C:\Windows\SysWOW64\Cbblda32.exeC:\Windows\system32\Cbblda32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:752 -
C:\Windows\SysWOW64\Cfmhdpnc.exeC:\Windows\system32\Cfmhdpnc.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:892 -
C:\Windows\SysWOW64\Ckjamgmk.exeC:\Windows\system32\Ckjamgmk.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2420 -
C:\Windows\SysWOW64\Cpfmmf32.exeC:\Windows\system32\Cpfmmf32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1556 -
C:\Windows\SysWOW64\Cagienkb.exeC:\Windows\system32\Cagienkb.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1264 -
C:\Windows\SysWOW64\Ckmnbg32.exeC:\Windows\system32\Ckmnbg32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2828 -
C:\Windows\SysWOW64\Caifjn32.exeC:\Windows\system32\Caifjn32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3056 -
C:\Windows\SysWOW64\Clojhf32.exeC:\Windows\system32\Clojhf32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2236 -
C:\Windows\SysWOW64\Cnmfdb32.exeC:\Windows\system32\Cnmfdb32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2816 -
C:\Windows\SysWOW64\Cfhkhd32.exeC:\Windows\system32\Cfhkhd32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2808 -
C:\Windows\SysWOW64\Dnpciaef.exeC:\Windows\system32\Dnpciaef.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2724 -
C:\Windows\SysWOW64\Dfkhndca.exeC:\Windows\system32\Dfkhndca.exe31⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2604 -
C:\Windows\SysWOW64\Djfdob32.exeC:\Windows\system32\Djfdob32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3012 -
C:\Windows\SysWOW64\Daplkmbg.exeC:\Windows\system32\Daplkmbg.exe33⤵
- Executes dropped EXE
PID:1256 -
C:\Windows\SysWOW64\Dcohghbk.exeC:\Windows\system32\Dcohghbk.exe34⤵
- Executes dropped EXE
PID:2536 -
C:\Windows\SysWOW64\Dbaice32.exeC:\Windows\system32\Dbaice32.exe35⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:992 -
C:\Windows\SysWOW64\Djiqdb32.exeC:\Windows\system32\Djiqdb32.exe36⤵
- Executes dropped EXE
PID:2036 -
C:\Windows\SysWOW64\Ddaemh32.exeC:\Windows\system32\Ddaemh32.exe37⤵
- Executes dropped EXE
- Modifies registry class
PID:536 -
C:\Windows\SysWOW64\Dinneo32.exeC:\Windows\system32\Dinneo32.exe38⤵
- Executes dropped EXE
PID:2980 -
C:\Windows\SysWOW64\Dlljaj32.exeC:\Windows\system32\Dlljaj32.exe39⤵
- Executes dropped EXE
PID:2428 -
C:\Windows\SysWOW64\Dphfbiem.exeC:\Windows\system32\Dphfbiem.exe40⤵
- Executes dropped EXE
PID:2432 -
C:\Windows\SysWOW64\Dipjkn32.exeC:\Windows\system32\Dipjkn32.exe41⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2900 -
C:\Windows\SysWOW64\Dlofgj32.exeC:\Windows\system32\Dlofgj32.exe42⤵
- Executes dropped EXE
PID:1220 -
C:\Windows\SysWOW64\Dbiocd32.exeC:\Windows\system32\Dbiocd32.exe43⤵
- Executes dropped EXE
PID:1696 -
C:\Windows\SysWOW64\Eegkpo32.exeC:\Windows\system32\Eegkpo32.exe44⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:664 -
C:\Windows\SysWOW64\Eheglk32.exeC:\Windows\system32\Eheglk32.exe45⤵
- Executes dropped EXE
- Modifies registry class
PID:1508 -
C:\Windows\SysWOW64\Elacliin.exeC:\Windows\system32\Elacliin.exe46⤵
- Executes dropped EXE
PID:568 -
C:\Windows\SysWOW64\Eopphehb.exeC:\Windows\system32\Eopphehb.exe47⤵
- Executes dropped EXE
PID:324 -
C:\Windows\SysWOW64\Eanldqgf.exeC:\Windows\system32\Eanldqgf.exe48⤵
- Executes dropped EXE
PID:2324 -
C:\Windows\SysWOW64\Eeiheo32.exeC:\Windows\system32\Eeiheo32.exe49⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2656 -
C:\Windows\SysWOW64\Ehhdaj32.exeC:\Windows\system32\Ehhdaj32.exe50⤵
- Executes dropped EXE
PID:2756 -
C:\Windows\SysWOW64\Ekfpmf32.exeC:\Windows\system32\Ekfpmf32.exe51⤵
- Executes dropped EXE
PID:2584 -
C:\Windows\SysWOW64\Emdmjamj.exeC:\Windows\system32\Emdmjamj.exe52⤵
- Executes dropped EXE
- Modifies registry class
PID:2576 -
C:\Windows\SysWOW64\Eeldkonl.exeC:\Windows\system32\Eeldkonl.exe53⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2560 -
C:\Windows\SysWOW64\Ehjqgjmp.exeC:\Windows\system32\Ehjqgjmp.exe54⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1300 -
C:\Windows\SysWOW64\Emgioakg.exeC:\Windows\system32\Emgioakg.exe55⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1636 -
C:\Windows\SysWOW64\Edaalk32.exeC:\Windows\system32\Edaalk32.exe56⤵
- Executes dropped EXE
PID:1664 -
C:\Windows\SysWOW64\Ehlmljkm.exeC:\Windows\system32\Ehlmljkm.exe57⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1296 -
C:\Windows\SysWOW64\Ekkjheja.exeC:\Windows\system32\Ekkjheja.exe58⤵
- Executes dropped EXE
PID:2844 -
C:\Windows\SysWOW64\Ephbal32.exeC:\Windows\system32\Ephbal32.exe59⤵
- Executes dropped EXE
PID:2856 -
C:\Windows\SysWOW64\Egajnfoe.exeC:\Windows\system32\Egajnfoe.exe60⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:760 -
C:\Windows\SysWOW64\Fmlbjq32.exeC:\Windows\system32\Fmlbjq32.exe61⤵
- Executes dropped EXE
PID:1684 -
C:\Windows\SysWOW64\Flocfmnl.exeC:\Windows\system32\Flocfmnl.exe62⤵
- Executes dropped EXE
PID:1512 -
C:\Windows\SysWOW64\Fpjofl32.exeC:\Windows\system32\Fpjofl32.exe63⤵
- Executes dropped EXE
PID:1644 -
C:\Windows\SysWOW64\Fchkbg32.exeC:\Windows\system32\Fchkbg32.exe64⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2824 -
C:\Windows\SysWOW64\Feggob32.exeC:\Windows\system32\Feggob32.exe65⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1580 -
C:\Windows\SysWOW64\Fmnopp32.exeC:\Windows\system32\Fmnopp32.exe66⤵PID:2200
-
C:\Windows\SysWOW64\Foolgh32.exeC:\Windows\system32\Foolgh32.exe67⤵PID:2880
-
C:\Windows\SysWOW64\Fckhhgcf.exeC:\Windows\system32\Fckhhgcf.exe68⤵PID:2796
-
C:\Windows\SysWOW64\Fgfdie32.exeC:\Windows\system32\Fgfdie32.exe69⤵
- System Location Discovery: System Language Discovery
PID:2612 -
C:\Windows\SysWOW64\Fiepea32.exeC:\Windows\system32\Fiepea32.exe70⤵PID:2580
-
C:\Windows\SysWOW64\Fhgppnan.exeC:\Windows\system32\Fhgppnan.exe71⤵PID:1676
-
C:\Windows\SysWOW64\Fpohakbp.exeC:\Windows\system32\Fpohakbp.exe72⤵PID:1816
-
C:\Windows\SysWOW64\Fapeic32.exeC:\Windows\system32\Fapeic32.exe73⤵PID:1668
-
C:\Windows\SysWOW64\Felajbpg.exeC:\Windows\system32\Felajbpg.exe74⤵
- Drops file in System32 directory
- Modifies registry class
PID:1560 -
C:\Windows\SysWOW64\Figmjq32.exeC:\Windows\system32\Figmjq32.exe75⤵
- Drops file in System32 directory
PID:2372 -
C:\Windows\SysWOW64\Fleifl32.exeC:\Windows\system32\Fleifl32.exe76⤵PID:2840
-
C:\Windows\SysWOW64\Fodebh32.exeC:\Windows\system32\Fodebh32.exe77⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2588 -
C:\Windows\SysWOW64\Fcpacf32.exeC:\Windows\system32\Fcpacf32.exe78⤵
- Modifies registry class
PID:376 -
C:\Windows\SysWOW64\Fabaocfl.exeC:\Windows\system32\Fabaocfl.exe79⤵PID:1284
-
C:\Windows\SysWOW64\Fennoa32.exeC:\Windows\system32\Fennoa32.exe80⤵
- Modifies registry class
PID:1032 -
C:\Windows\SysWOW64\Fdqnkoep.exeC:\Windows\system32\Fdqnkoep.exe81⤵PID:2396
-
C:\Windows\SysWOW64\Fkkfgi32.exeC:\Windows\system32\Fkkfgi32.exe82⤵
- Drops file in System32 directory
PID:2220 -
C:\Windows\SysWOW64\Fofbhgde.exeC:\Windows\system32\Fofbhgde.exe83⤵PID:2676
-
C:\Windows\SysWOW64\Fepjea32.exeC:\Windows\system32\Fepjea32.exe84⤵PID:2556
-
C:\Windows\SysWOW64\Gkmbmh32.exeC:\Windows\system32\Gkmbmh32.exe85⤵PID:2552
-
C:\Windows\SysWOW64\Gnkoid32.exeC:\Windows\system32\Gnkoid32.exe86⤵PID:1780
-
C:\Windows\SysWOW64\Ggdcbi32.exeC:\Windows\system32\Ggdcbi32.exe87⤵PID:2276
-
C:\Windows\SysWOW64\Gjbpne32.exeC:\Windows\system32\Gjbpne32.exe88⤵PID:1156
-
C:\Windows\SysWOW64\Gnnlocgk.exeC:\Windows\system32\Gnnlocgk.exe89⤵PID:2400
-
C:\Windows\SysWOW64\Gqlhkofn.exeC:\Windows\system32\Gqlhkofn.exe90⤵PID:2152
-
C:\Windows\SysWOW64\Gdhdkn32.exeC:\Windows\system32\Gdhdkn32.exe91⤵PID:1712
-
C:\Windows\SysWOW64\Ggfpgi32.exeC:\Windows\system32\Ggfpgi32.exe92⤵PID:1372
-
C:\Windows\SysWOW64\Gjdldd32.exeC:\Windows\system32\Gjdldd32.exe93⤵PID:1808
-
C:\Windows\SysWOW64\Glchpp32.exeC:\Windows\system32\Glchpp32.exe94⤵PID:1568
-
C:\Windows\SysWOW64\Gqodqodl.exeC:\Windows\system32\Gqodqodl.exe95⤵PID:2864
-
C:\Windows\SysWOW64\Gcmamj32.exeC:\Windows\system32\Gcmamj32.exe96⤵
- Drops file in System32 directory
PID:2740 -
C:\Windows\SysWOW64\Gfkmie32.exeC:\Windows\system32\Gfkmie32.exe97⤵PID:2192
-
C:\Windows\SysWOW64\Gnbejb32.exeC:\Windows\system32\Gnbejb32.exe98⤵PID:876
-
C:\Windows\SysWOW64\Gmeeepjp.exeC:\Windows\system32\Gmeeepjp.exe99⤵PID:2380
-
C:\Windows\SysWOW64\Gqaafn32.exeC:\Windows\system32\Gqaafn32.exe100⤵
- Modifies registry class
PID:1968 -
C:\Windows\SysWOW64\Gconbj32.exeC:\Windows\system32\Gconbj32.exe101⤵
- System Location Discovery: System Language Discovery
PID:2148 -
C:\Windows\SysWOW64\Gfnjne32.exeC:\Windows\system32\Gfnjne32.exe102⤵PID:2908
-
C:\Windows\SysWOW64\Gmhbkohm.exeC:\Windows\system32\Gmhbkohm.exe103⤵
- System Location Discovery: System Language Discovery
PID:1752 -
C:\Windows\SysWOW64\Hofngkga.exeC:\Windows\system32\Hofngkga.exe104⤵PID:852
-
C:\Windows\SysWOW64\Hbdjcffd.exeC:\Windows\system32\Hbdjcffd.exe105⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:2392 -
C:\Windows\SysWOW64\Hjlbdc32.exeC:\Windows\system32\Hjlbdc32.exe106⤵
- Modifies registry class
PID:2500 -
C:\Windows\SysWOW64\Hinbppna.exeC:\Windows\system32\Hinbppna.exe107⤵
- System Location Discovery: System Language Discovery
PID:2768 -
C:\Windows\SysWOW64\Hkmollme.exeC:\Windows\system32\Hkmollme.exe108⤵PID:2592
-
C:\Windows\SysWOW64\Hcdgmimg.exeC:\Windows\system32\Hcdgmimg.exe109⤵
- Drops file in System32 directory
PID:1320 -
C:\Windows\SysWOW64\Hdecea32.exeC:\Windows\system32\Hdecea32.exe110⤵
- Drops file in System32 directory
PID:2600 -
C:\Windows\SysWOW64\Hiqoeplo.exeC:\Windows\system32\Hiqoeplo.exe111⤵PID:1628
-
C:\Windows\SysWOW64\Hkolakkb.exeC:\Windows\system32\Hkolakkb.exe112⤵PID:1516
-
C:\Windows\SysWOW64\Hnnhngjf.exeC:\Windows\system32\Hnnhngjf.exe113⤵PID:292
-
C:\Windows\SysWOW64\Hfepod32.exeC:\Windows\system32\Hfepod32.exe114⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1704 -
C:\Windows\SysWOW64\Hegpjaac.exeC:\Windows\system32\Hegpjaac.exe115⤵PID:1824
-
C:\Windows\SysWOW64\Hiclkp32.exeC:\Windows\system32\Hiclkp32.exe116⤵PID:2484
-
C:\Windows\SysWOW64\Hkahgk32.exeC:\Windows\system32\Hkahgk32.exe117⤵PID:1848
-
C:\Windows\SysWOW64\Hnpdcf32.exeC:\Windows\system32\Hnpdcf32.exe118⤵
- Modifies registry class
PID:2720 -
C:\Windows\SysWOW64\Hejmpqop.exeC:\Windows\system32\Hejmpqop.exe119⤵PID:2260
-
C:\Windows\SysWOW64\Hkdemk32.exeC:\Windows\system32\Hkdemk32.exe120⤵PID:328
-
C:\Windows\SysWOW64\Hnbaif32.exeC:\Windows\system32\Hnbaif32.exe121⤵
- System Location Discovery: System Language Discovery
PID:3024
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-