Analysis
-
max time kernel
37s -
max time network
17s -
platform
windows7_x64 -
resource
win7-20240729-en -
resource tags
arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system -
submitted
02/09/2024, 04:54
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
df922842d6356d50ebbe4e64bd60bb49a9ead2acbad27a2b7269b6339ee48314.exe
Resource
win7-20240729-en
windows7-x64
8 signatures
150 seconds
Behavioral task
behavioral2
Sample
df922842d6356d50ebbe4e64bd60bb49a9ead2acbad27a2b7269b6339ee48314.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
7 signatures
150 seconds
General
-
Target
df922842d6356d50ebbe4e64bd60bb49a9ead2acbad27a2b7269b6339ee48314.exe
-
Size
94KB
-
MD5
43b63d7d01a822604e9004816917bb5c
-
SHA1
be171ccf99086c954717df0af3c66d89382f7a51
-
SHA256
df922842d6356d50ebbe4e64bd60bb49a9ead2acbad27a2b7269b6339ee48314
-
SHA512
1757c832af6f5c790a4d44ef167c71c3984d9b4d2317d72f4a96977c0dfa69dd41397356a3426a23e32ad431fd6814dd502e79c2f5406e0c2b547a3de8756c2d
-
SSDEEP
1536:XbR31h6knPzkzPhArjGoljoU8KamRoCdG7oGnvsZWsD7BR9L4DT2EnINs:XbpdrkzZArljramRo2G7QIsD6+ob
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ndpjkb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lneibjdf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mmcije32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Iaemicaf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gnnbhf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jhobea32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dfgaibbh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dkmqhdfi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hobgbi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jagfnf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dkigme32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ekpimg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Deloen32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fgfjbhlf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lkdqao32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ecpkne32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lpbigm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mppiqq32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ndpjkb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dnefdqke.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Heomdbla.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jpdmao32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kgkegljn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fmcbjojn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gjlinfgm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ipmgppdk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kcgogm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mjemni32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ejggepfl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gpkamiag.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Iknabi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mdnagohp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Eiamal32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hfdfhgko.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hhklknmh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lafbdeag.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Majlod32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Odbgqaff.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fnpbob32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Knjfofme.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lbnininb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ghhcfk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hmlapa32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nhdpka32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Eoabgggf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Koppbjmc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nollblqj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nlpllpoc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Opihfb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Opkdkbjh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ialcjb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fcmkgi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gmleqnbc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Caliip32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kgnall32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gnehie32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nlbiap32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ehjgpm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fbddne32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ffbmdc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hddmgl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Iiekie32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Konplnaa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cckeccnf.exe -
Executes dropped EXE 64 IoCs
pid Process 1720 Chcdqj32.exe 1648 Caliip32.exe 2424 Cicakm32.exe 2880 Clamgi32.exe 2936 Ckdnbend.exe 2792 Cckeccnf.exe 2728 Ceibpnnj.exe 2136 Dkfjhela.exe 2596 Dnefdqke.exe 896 Deloen32.exe 2708 Ddooqkbb.exe 868 Dkigme32.exe 2332 Dodcncbh.exe 2996 Dpepfl32.exe 2464 Dhmggi32.exe 2120 Dkkdcd32.exe 2004 Djndoaof.exe 3036 Daelpooi.exe 912 Ddchlj32.exe 2520 Dcfhggeg.exe 1116 Dkmqhdfi.exe 1672 Dnlmdpem.exe 1288 Dlompl32.exe 2236 Dpjiakdq.exe 1120 Dciemfcd.exe 1704 Dgdane32.exe 2104 Dfgaibbh.exe 2340 Dnnijocj.exe 3016 Dpmefkbn.exe 1160 Efinoa32.exe 2736 Ejejopho.exe 2968 Eoabgggf.exe 1888 Ejggepfl.exe 2784 Ehjgpm32.exe 2672 Elfcakep.exe 2000 Ecpkne32.exe 2956 Edahen32.exe 2272 Ehldflkd.exe 2600 Enilncik.exe 1948 Efpdoqjm.exe 3044 Edcdkm32.exe 584 Ekmmgghe.exe 1652 Eqjepofl.exe 1152 Eiamal32.exe 1716 Ekpimg32.exe 2488 Fnneib32.exe 2608 Fbiajano.exe 3028 Fdhnfmmb.exe 2740 Fgfjbhlf.exe 2644 Fjefnckj.exe 1632 Fnpbob32.exe 2020 Fmcbjojn.exe 2660 Fqookn32.exe 2752 Fcmkgi32.exe 1276 Fgiggh32.exe 2960 Ffkgcdqn.exe 992 Fnbodbaq.exe 2200 Fmeopo32.exe 2588 Fqakqmpd.exe 980 Fcpgmiph.exe 2964 Fgkcmg32.exe 2364 Ffndidol.exe 1384 Fjipic32.exe 1020 Filpepno.exe -
Loads dropped DLL 64 IoCs
pid Process 1724 df922842d6356d50ebbe4e64bd60bb49a9ead2acbad27a2b7269b6339ee48314.exe 1724 df922842d6356d50ebbe4e64bd60bb49a9ead2acbad27a2b7269b6339ee48314.exe 1720 Chcdqj32.exe 1720 Chcdqj32.exe 1648 Caliip32.exe 1648 Caliip32.exe 2424 Cicakm32.exe 2424 Cicakm32.exe 2880 Clamgi32.exe 2880 Clamgi32.exe 2936 Ckdnbend.exe 2936 Ckdnbend.exe 2792 Cckeccnf.exe 2792 Cckeccnf.exe 2728 Ceibpnnj.exe 2728 Ceibpnnj.exe 2136 Dkfjhela.exe 2136 Dkfjhela.exe 2596 Dnefdqke.exe 2596 Dnefdqke.exe 896 Deloen32.exe 896 Deloen32.exe 2708 Ddooqkbb.exe 2708 Ddooqkbb.exe 868 Dkigme32.exe 868 Dkigme32.exe 2332 Dodcncbh.exe 2332 Dodcncbh.exe 2996 Dpepfl32.exe 2996 Dpepfl32.exe 2464 Dhmggi32.exe 2464 Dhmggi32.exe 2120 Dkkdcd32.exe 2120 Dkkdcd32.exe 2004 Djndoaof.exe 2004 Djndoaof.exe 3036 Daelpooi.exe 3036 Daelpooi.exe 912 Ddchlj32.exe 912 Ddchlj32.exe 2520 Dcfhggeg.exe 2520 Dcfhggeg.exe 1116 Dkmqhdfi.exe 1116 Dkmqhdfi.exe 1672 Dnlmdpem.exe 1672 Dnlmdpem.exe 1288 Dlompl32.exe 1288 Dlompl32.exe 2236 Dpjiakdq.exe 2236 Dpjiakdq.exe 1120 Dciemfcd.exe 1120 Dciemfcd.exe 1704 Dgdane32.exe 1704 Dgdane32.exe 2104 Dfgaibbh.exe 2104 Dfgaibbh.exe 2340 Dnnijocj.exe 2340 Dnnijocj.exe 3016 Dpmefkbn.exe 3016 Dpmefkbn.exe 1160 Efinoa32.exe 1160 Efinoa32.exe 2736 Ejejopho.exe 2736 Ejejopho.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Kbagam32.dll Lpdfmm32.exe File opened for modification C:\Windows\SysWOW64\Fcbdbhme.exe Fpfhaj32.exe File opened for modification C:\Windows\SysWOW64\Ihmiqnke.exe Heomdbla.exe File created C:\Windows\SysWOW64\Alainbjj.dll Jkbgllfl.exe File opened for modification C:\Windows\SysWOW64\Kqffeaol.exe Kmjjec32.exe File created C:\Windows\SysWOW64\Flmifk32.exe Fmjikndf.exe File opened for modification C:\Windows\SysWOW64\Fphegici.exe Flmifk32.exe File created C:\Windows\SysWOW64\Lckldi32.dll Nhkflqab.exe File created C:\Windows\SysWOW64\Iknabi32.exe Ihoefn32.exe File created C:\Windows\SysWOW64\Fbiajano.exe Fnneib32.exe File opened for modification C:\Windows\SysWOW64\Fiomjp32.exe Fjllobeb.exe File created C:\Windows\SysWOW64\Kkgagk32.exe Kgkegljn.exe File created C:\Windows\SysWOW64\Lgbgfofa.exe Ledkjcgn.exe File created C:\Windows\SysWOW64\Pjhqgcgb.dll Ffndidol.exe File created C:\Windows\SysWOW64\Ibbmng32.exe Ikkemiji.exe File opened for modification C:\Windows\SysWOW64\Kngjifph.exe Kkinmkpd.exe File created C:\Windows\SysWOW64\Fachfmna.exe Filpepno.exe File created C:\Windows\SysWOW64\Ljcdifag.exe Kbllhiqe.exe File created C:\Windows\SysWOW64\Enilncik.exe Ehldflkd.exe File opened for modification C:\Windows\SysWOW64\Cckeccnf.exe Ckdnbend.exe File opened for modification C:\Windows\SysWOW64\Jgkhhigb.exe Ipapko32.exe File opened for modification C:\Windows\SysWOW64\Liknpbdl.exe Lfladgdh.exe File created C:\Windows\SysWOW64\Fogkgf32.dll Cicakm32.exe File opened for modification C:\Windows\SysWOW64\Ekpimg32.exe Eiamal32.exe File created C:\Windows\SysWOW64\Ffkgcdqn.exe Fgiggh32.exe File created C:\Windows\SysWOW64\Gldogjeh.exe Ghhcfk32.exe File created C:\Windows\SysWOW64\Fcmkgi32.exe Fqookn32.exe File opened for modification C:\Windows\SysWOW64\Iahjococ.exe Ioinchpo.exe File created C:\Windows\SysWOW64\Oopidofg.dll Opkdkbjh.exe File opened for modification C:\Windows\SysWOW64\Ceibpnnj.exe Cckeccnf.exe File created C:\Windows\SysWOW64\Jigfna32.dll Fpfhaj32.exe File opened for modification C:\Windows\SysWOW64\Gngend32.exe Gjlinfgm.exe File created C:\Windows\SysWOW64\Nambigme.dll Nbjdhj32.exe File created C:\Windows\SysWOW64\Chcdqj32.exe df922842d6356d50ebbe4e64bd60bb49a9ead2acbad27a2b7269b6339ee48314.exe File created C:\Windows\SysWOW64\Gicjdiln.dll Ihdoamem.exe File created C:\Windows\SysWOW64\Afpcdeni.dll Mlifka32.exe File created C:\Windows\SysWOW64\Fiomjp32.exe Fjllobeb.exe File created C:\Windows\SysWOW64\Fmjikndf.exe Fiomjp32.exe File created C:\Windows\SysWOW64\Cjmpnl32.dll Hpmkal32.exe File created C:\Windows\SysWOW64\Gckmeged.dll Hbpphgmn.exe File created C:\Windows\SysWOW64\Bhidphdp.dll Fcmkgi32.exe File created C:\Windows\SysWOW64\Ejejopho.exe Efinoa32.exe File created C:\Windows\SysWOW64\Gfpmmg32.exe Ghmmakhj.exe File opened for modification C:\Windows\SysWOW64\Ihoefn32.exe Iddieoqi.exe File created C:\Windows\SysWOW64\Mfjamkig.exe Mckdaojc.exe File created C:\Windows\SysWOW64\Bikipeln.dll Kcgogm32.exe File opened for modification C:\Windows\SysWOW64\Deloen32.exe Dnefdqke.exe File created C:\Windows\SysWOW64\Ekpimg32.exe Eiamal32.exe File created C:\Windows\SysWOW64\Dkmqhdfi.exe Dcfhggeg.exe File created C:\Windows\SysWOW64\Lhnemk32.dll Mjemni32.exe File created C:\Windows\SysWOW64\Dnnijocj.exe Dfgaibbh.exe File created C:\Windows\SysWOW64\Opknijfg.dll Hpadllnj.exe File created C:\Windows\SysWOW64\Dlbjldpl.dll Hieojahp.exe File created C:\Windows\SysWOW64\Fffldg32.dll Iddieoqi.exe File created C:\Windows\SysWOW64\Mijjof32.exe Mdnagohp.exe File opened for modification C:\Windows\SysWOW64\Kcgogm32.exe Kokcfn32.exe File created C:\Windows\SysWOW64\Jkbpcm32.dll Dkkdcd32.exe File created C:\Windows\SysWOW64\Mnnlihll.exe Mfgdhkki.exe File opened for modification C:\Windows\SysWOW64\Fdhnfmmb.exe Fbiajano.exe File created C:\Windows\SysWOW64\Fnbodbaq.exe Ffkgcdqn.exe File created C:\Windows\SysWOW64\Gnbkoo32.dll Jgkhhigb.exe File created C:\Windows\SysWOW64\Apofkl32.dll Gmghdahd.exe File opened for modification C:\Windows\SysWOW64\Dpmefkbn.exe Dnnijocj.exe File created C:\Windows\SysWOW64\Fnpbob32.exe Fjefnckj.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 3880 3828 WerFault.exe 289 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gaagoqcp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gjilhfip.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jblpifni.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mfjamkig.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nhkflqab.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dcfhggeg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ghmmakhj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kbaidejd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fcpgmiph.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ffbmdc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nackdfgc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hddmgl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hlaoqnif.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kcgogm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mppiqq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ejejopho.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fgkcmg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lpbigm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jhaokqik.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nehqdf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dpjiakdq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Edahen32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gehjepon.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jjlajddc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hpmkal32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iggomj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ikehchbn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jgihamlq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gmleqnbc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gejgjp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gnbkcedl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gacdeq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kngjifph.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Meakdgll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dkkdcd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Enilncik.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jagfnf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nlbiap32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ibbmng32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Igdbgjnj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fcmkgi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fachfmna.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hfbicg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hfgcnfil.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dhmggi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fnpbob32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jlmjko32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mbekmkke.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Miocjebb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fjllobeb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gnnbhf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hphafmee.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jfqeie32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nbjdhj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Chcdqj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ejggepfl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Edcdkm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kgkegljn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jokggk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kboloelf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kqffeaol.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kjqgdgcj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dodcncbh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eiamal32.exe -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Gelcpp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kqcipb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Apnqpdpb.dll" Konplnaa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fbiajano.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kcnnqp32.dll" Jblpifni.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lnohal32.dll" Okloml32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iibbbpnn.dll" Clamgi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Gnbkcedl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Joncmj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Gnehie32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Najhngpm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Oialohck.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gpmijbcp.dll" Ndpjkb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ljcdifag.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Lfladgdh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbnbga32.dll" Kqcipb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gloihkpi.dll" Gelcpp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Nbjdhj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ellnlphk.dll" Efpdoqjm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Gbinidpj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hjpbie32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Nbjdhj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Faipgckf.dll" Iknabi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fgbmfe32.dll" Incdocab.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kboloelf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Eoabgggf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Gdaqal32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hieojahp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ihmiqnke.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Iknabi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mppiqq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dkkdcd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dpjiakdq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gckmeged.dll" Hbpphgmn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Plaodphk.dll" Ialcjb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bikipeln.dll" Kcgogm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Medbiekb.dll" Oialohck.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dhmggi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbdemoin.dll" Dkmqhdfi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ekmmgghe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Nhkflqab.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Gelcpp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hieojahp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Dnefdqke.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Llijlncp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ljqcbjee.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ngljbn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fphegici.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hfgcnfil.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jagfnf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fppkgihb.dll" Joncmj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bpihhb32.dll" Dkfjhela.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dlfnobap.dll" Hjpbie32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jkbgllfl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kqaqkg32.dll" Gmleqnbc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Inlfcmip.dll" Iaemicaf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kdmikakj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oampaaka.dll" Nollblqj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Fbiajano.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hddmgl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hbkgmh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jhaokqik.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bnpiglbg.dll" Deloen32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ddchlj32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1724 wrote to memory of 1720 1724 df922842d6356d50ebbe4e64bd60bb49a9ead2acbad27a2b7269b6339ee48314.exe 30 PID 1724 wrote to memory of 1720 1724 df922842d6356d50ebbe4e64bd60bb49a9ead2acbad27a2b7269b6339ee48314.exe 30 PID 1724 wrote to memory of 1720 1724 df922842d6356d50ebbe4e64bd60bb49a9ead2acbad27a2b7269b6339ee48314.exe 30 PID 1724 wrote to memory of 1720 1724 df922842d6356d50ebbe4e64bd60bb49a9ead2acbad27a2b7269b6339ee48314.exe 30 PID 1720 wrote to memory of 1648 1720 Chcdqj32.exe 31 PID 1720 wrote to memory of 1648 1720 Chcdqj32.exe 31 PID 1720 wrote to memory of 1648 1720 Chcdqj32.exe 31 PID 1720 wrote to memory of 1648 1720 Chcdqj32.exe 31 PID 1648 wrote to memory of 2424 1648 Caliip32.exe 32 PID 1648 wrote to memory of 2424 1648 Caliip32.exe 32 PID 1648 wrote to memory of 2424 1648 Caliip32.exe 32 PID 1648 wrote to memory of 2424 1648 Caliip32.exe 32 PID 2424 wrote to memory of 2880 2424 Cicakm32.exe 33 PID 2424 wrote to memory of 2880 2424 Cicakm32.exe 33 PID 2424 wrote to memory of 2880 2424 Cicakm32.exe 33 PID 2424 wrote to memory of 2880 2424 Cicakm32.exe 33 PID 2880 wrote to memory of 2936 2880 Clamgi32.exe 34 PID 2880 wrote to memory of 2936 2880 Clamgi32.exe 34 PID 2880 wrote to memory of 2936 2880 Clamgi32.exe 34 PID 2880 wrote to memory of 2936 2880 Clamgi32.exe 34 PID 2936 wrote to memory of 2792 2936 Ckdnbend.exe 35 PID 2936 wrote to memory of 2792 2936 Ckdnbend.exe 35 PID 2936 wrote to memory of 2792 2936 Ckdnbend.exe 35 PID 2936 wrote to memory of 2792 2936 Ckdnbend.exe 35 PID 2792 wrote to memory of 2728 2792 Cckeccnf.exe 36 PID 2792 wrote to memory of 2728 2792 Cckeccnf.exe 36 PID 2792 wrote to memory of 2728 2792 Cckeccnf.exe 36 PID 2792 wrote to memory of 2728 2792 Cckeccnf.exe 36 PID 2728 wrote to memory of 2136 2728 Ceibpnnj.exe 37 PID 2728 wrote to memory of 2136 2728 Ceibpnnj.exe 37 PID 2728 wrote to memory of 2136 2728 Ceibpnnj.exe 37 PID 2728 wrote to memory of 2136 2728 Ceibpnnj.exe 37 PID 2136 wrote to memory of 2596 2136 Dkfjhela.exe 38 PID 2136 wrote to memory of 2596 2136 Dkfjhela.exe 38 PID 2136 wrote to memory of 2596 2136 Dkfjhela.exe 38 PID 2136 wrote to memory of 2596 2136 Dkfjhela.exe 38 PID 2596 wrote to memory of 896 2596 Dnefdqke.exe 39 PID 2596 wrote to memory of 896 2596 Dnefdqke.exe 39 PID 2596 wrote to memory of 896 2596 Dnefdqke.exe 39 PID 2596 wrote to memory of 896 2596 Dnefdqke.exe 39 PID 896 wrote to memory of 2708 896 Deloen32.exe 40 PID 896 wrote to memory of 2708 896 Deloen32.exe 40 PID 896 wrote to memory of 2708 896 Deloen32.exe 40 PID 896 wrote to memory of 2708 896 Deloen32.exe 40 PID 2708 wrote to memory of 868 2708 Ddooqkbb.exe 41 PID 2708 wrote to memory of 868 2708 Ddooqkbb.exe 41 PID 2708 wrote to memory of 868 2708 Ddooqkbb.exe 41 PID 2708 wrote to memory of 868 2708 Ddooqkbb.exe 41 PID 868 wrote to memory of 2332 868 Dkigme32.exe 42 PID 868 wrote to memory of 2332 868 Dkigme32.exe 42 PID 868 wrote to memory of 2332 868 Dkigme32.exe 42 PID 868 wrote to memory of 2332 868 Dkigme32.exe 42 PID 2332 wrote to memory of 2996 2332 Dodcncbh.exe 43 PID 2332 wrote to memory of 2996 2332 Dodcncbh.exe 43 PID 2332 wrote to memory of 2996 2332 Dodcncbh.exe 43 PID 2332 wrote to memory of 2996 2332 Dodcncbh.exe 43 PID 2996 wrote to memory of 2464 2996 Dpepfl32.exe 44 PID 2996 wrote to memory of 2464 2996 Dpepfl32.exe 44 PID 2996 wrote to memory of 2464 2996 Dpepfl32.exe 44 PID 2996 wrote to memory of 2464 2996 Dpepfl32.exe 44 PID 2464 wrote to memory of 2120 2464 Dhmggi32.exe 45 PID 2464 wrote to memory of 2120 2464 Dhmggi32.exe 45 PID 2464 wrote to memory of 2120 2464 Dhmggi32.exe 45 PID 2464 wrote to memory of 2120 2464 Dhmggi32.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\2508981291\zmstage.exeC:\Users\Admin\AppData\Local\Temp\2508981291\zmstage.exe1⤵PID:2240
-
C:\Users\Admin\AppData\Local\Temp\df922842d6356d50ebbe4e64bd60bb49a9ead2acbad27a2b7269b6339ee48314.exe"C:\Users\Admin\AppData\Local\Temp\df922842d6356d50ebbe4e64bd60bb49a9ead2acbad27a2b7269b6339ee48314.exe"1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1724 -
C:\Windows\SysWOW64\Chcdqj32.exeC:\Windows\system32\Chcdqj32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1720 -
C:\Windows\SysWOW64\Caliip32.exeC:\Windows\system32\Caliip32.exe3⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1648 -
C:\Windows\SysWOW64\Cicakm32.exeC:\Windows\system32\Cicakm32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2424 -
C:\Windows\SysWOW64\Clamgi32.exeC:\Windows\system32\Clamgi32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2880 -
C:\Windows\SysWOW64\Ckdnbend.exeC:\Windows\system32\Ckdnbend.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2936 -
C:\Windows\SysWOW64\Cckeccnf.exeC:\Windows\system32\Cckeccnf.exe7⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2792 -
C:\Windows\SysWOW64\Ceibpnnj.exeC:\Windows\system32\Ceibpnnj.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2728 -
C:\Windows\SysWOW64\Dkfjhela.exeC:\Windows\system32\Dkfjhela.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2136 -
C:\Windows\SysWOW64\Dnefdqke.exeC:\Windows\system32\Dnefdqke.exe10⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2596 -
C:\Windows\SysWOW64\Deloen32.exeC:\Windows\system32\Deloen32.exe11⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:896 -
C:\Windows\SysWOW64\Ddooqkbb.exeC:\Windows\system32\Ddooqkbb.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2708 -
C:\Windows\SysWOW64\Dkigme32.exeC:\Windows\system32\Dkigme32.exe13⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:868 -
C:\Windows\SysWOW64\Dodcncbh.exeC:\Windows\system32\Dodcncbh.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2332 -
C:\Windows\SysWOW64\Dpepfl32.exeC:\Windows\system32\Dpepfl32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2996 -
C:\Windows\SysWOW64\Dhmggi32.exeC:\Windows\system32\Dhmggi32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2464 -
C:\Windows\SysWOW64\Dkkdcd32.exeC:\Windows\system32\Dkkdcd32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2120 -
C:\Windows\SysWOW64\Djndoaof.exeC:\Windows\system32\Djndoaof.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2004 -
C:\Windows\SysWOW64\Daelpooi.exeC:\Windows\system32\Daelpooi.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3036 -
C:\Windows\SysWOW64\Ddchlj32.exeC:\Windows\system32\Ddchlj32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:912 -
C:\Windows\SysWOW64\Dcfhggeg.exeC:\Windows\system32\Dcfhggeg.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2520 -
C:\Windows\SysWOW64\Dkmqhdfi.exeC:\Windows\system32\Dkmqhdfi.exe22⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1116 -
C:\Windows\SysWOW64\Dnlmdpem.exeC:\Windows\system32\Dnlmdpem.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1672 -
C:\Windows\SysWOW64\Dlompl32.exeC:\Windows\system32\Dlompl32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1288 -
C:\Windows\SysWOW64\Dpjiakdq.exeC:\Windows\system32\Dpjiakdq.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2236 -
C:\Windows\SysWOW64\Dciemfcd.exeC:\Windows\system32\Dciemfcd.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1120 -
C:\Windows\SysWOW64\Dgdane32.exeC:\Windows\system32\Dgdane32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1704 -
C:\Windows\SysWOW64\Dfgaibbh.exeC:\Windows\system32\Dfgaibbh.exe28⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2104 -
C:\Windows\SysWOW64\Dnnijocj.exeC:\Windows\system32\Dnnijocj.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2340 -
C:\Windows\SysWOW64\Dpmefkbn.exeC:\Windows\system32\Dpmefkbn.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3016 -
C:\Windows\SysWOW64\Efinoa32.exeC:\Windows\system32\Efinoa32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1160 -
C:\Windows\SysWOW64\Ejejopho.exeC:\Windows\system32\Ejejopho.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2736 -
C:\Windows\SysWOW64\Eoabgggf.exeC:\Windows\system32\Eoabgggf.exe33⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:2968 -
C:\Windows\SysWOW64\Ejggepfl.exeC:\Windows\system32\Ejggepfl.exe34⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1888 -
C:\Windows\SysWOW64\Ehjgpm32.exeC:\Windows\system32\Ehjgpm32.exe35⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2784 -
C:\Windows\SysWOW64\Elfcakep.exeC:\Windows\system32\Elfcakep.exe36⤵
- Executes dropped EXE
PID:2672 -
C:\Windows\SysWOW64\Ecpkne32.exeC:\Windows\system32\Ecpkne32.exe37⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2000 -
C:\Windows\SysWOW64\Edahen32.exeC:\Windows\system32\Edahen32.exe38⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2956 -
C:\Windows\SysWOW64\Ehldflkd.exeC:\Windows\system32\Ehldflkd.exe39⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2272 -
C:\Windows\SysWOW64\Enilncik.exeC:\Windows\system32\Enilncik.exe40⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2600 -
C:\Windows\SysWOW64\Efpdoqjm.exeC:\Windows\system32\Efpdoqjm.exe41⤵
- Executes dropped EXE
- Modifies registry class
PID:1948 -
C:\Windows\SysWOW64\Edcdkm32.exeC:\Windows\system32\Edcdkm32.exe42⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3044 -
C:\Windows\SysWOW64\Ekmmgghe.exeC:\Windows\system32\Ekmmgghe.exe43⤵
- Executes dropped EXE
- Modifies registry class
PID:584 -
C:\Windows\SysWOW64\Eqjepofl.exeC:\Windows\system32\Eqjepofl.exe44⤵
- Executes dropped EXE
PID:1652 -
C:\Windows\SysWOW64\Eiamal32.exeC:\Windows\system32\Eiamal32.exe45⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1152 -
C:\Windows\SysWOW64\Ekpimg32.exeC:\Windows\system32\Ekpimg32.exe46⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1716 -
C:\Windows\SysWOW64\Fnneib32.exeC:\Windows\system32\Fnneib32.exe47⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2488 -
C:\Windows\SysWOW64\Fbiajano.exeC:\Windows\system32\Fbiajano.exe48⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2608 -
C:\Windows\SysWOW64\Fdhnfmmb.exeC:\Windows\system32\Fdhnfmmb.exe49⤵
- Executes dropped EXE
PID:3028 -
C:\Windows\SysWOW64\Fgfjbhlf.exeC:\Windows\system32\Fgfjbhlf.exe50⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2740 -
C:\Windows\SysWOW64\Fjefnckj.exeC:\Windows\system32\Fjefnckj.exe51⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2644 -
C:\Windows\SysWOW64\Fnpbob32.exeC:\Windows\system32\Fnpbob32.exe52⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1632 -
C:\Windows\SysWOW64\Fmcbjojn.exeC:\Windows\system32\Fmcbjojn.exe53⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2020 -
C:\Windows\SysWOW64\Fqookn32.exeC:\Windows\system32\Fqookn32.exe54⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2660 -
C:\Windows\SysWOW64\Fcmkgi32.exeC:\Windows\system32\Fcmkgi32.exe55⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2752 -
C:\Windows\SysWOW64\Fgiggh32.exeC:\Windows\system32\Fgiggh32.exe56⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1276 -
C:\Windows\SysWOW64\Ffkgcdqn.exeC:\Windows\system32\Ffkgcdqn.exe57⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2960 -
C:\Windows\SysWOW64\Fnbodbaq.exeC:\Windows\system32\Fnbodbaq.exe58⤵
- Executes dropped EXE
PID:992 -
C:\Windows\SysWOW64\Fmeopo32.exeC:\Windows\system32\Fmeopo32.exe59⤵
- Executes dropped EXE
PID:2200 -
C:\Windows\SysWOW64\Fqakqmpd.exeC:\Windows\system32\Fqakqmpd.exe60⤵
- Executes dropped EXE
PID:2588 -
C:\Windows\SysWOW64\Fcpgmiph.exeC:\Windows\system32\Fcpgmiph.exe61⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:980 -
C:\Windows\SysWOW64\Fgkcmg32.exeC:\Windows\system32\Fgkcmg32.exe62⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2964 -
C:\Windows\SysWOW64\Ffndidol.exeC:\Windows\system32\Ffndidol.exe63⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2364 -
C:\Windows\SysWOW64\Fjipic32.exeC:\Windows\system32\Fjipic32.exe64⤵
- Executes dropped EXE
PID:1384 -
C:\Windows\SysWOW64\Filpepno.exeC:\Windows\system32\Filpepno.exe65⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1020 -
C:\Windows\SysWOW64\Fachfmna.exeC:\Windows\system32\Fachfmna.exe66⤵
- System Location Discovery: System Language Discovery
PID:448 -
C:\Windows\SysWOW64\Fpfhaj32.exeC:\Windows\system32\Fpfhaj32.exe67⤵
- Drops file in System32 directory
PID:2704 -
C:\Windows\SysWOW64\Fcbdbhme.exeC:\Windows\system32\Fcbdbhme.exe68⤵PID:1328
-
C:\Windows\SysWOW64\Fbddne32.exeC:\Windows\system32\Fbddne32.exe69⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1768 -
C:\Windows\SysWOW64\Fjllobeb.exeC:\Windows\system32\Fjllobeb.exe70⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2820 -
C:\Windows\SysWOW64\Fiomjp32.exeC:\Windows\system32\Fiomjp32.exe71⤵
- Drops file in System32 directory
PID:2224 -
C:\Windows\SysWOW64\Fmjikndf.exeC:\Windows\system32\Fmjikndf.exe72⤵
- Drops file in System32 directory
PID:308 -
C:\Windows\SysWOW64\Flmifk32.exeC:\Windows\system32\Flmifk32.exe73⤵
- Drops file in System32 directory
PID:2796 -
C:\Windows\SysWOW64\Fphegici.exeC:\Windows\system32\Fphegici.exe74⤵
- Modifies registry class
PID:2144 -
C:\Windows\SysWOW64\Fbgacebm.exeC:\Windows\system32\Fbgacebm.exe75⤵PID:1324
-
C:\Windows\SysWOW64\Ffbmdc32.exeC:\Windows\system32\Ffbmdc32.exe76⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:2160 -
C:\Windows\SysWOW64\Giaipo32.exeC:\Windows\system32\Giaipo32.exe77⤵PID:2628
-
C:\Windows\SysWOW64\Gmleqnbc.exeC:\Windows\system32\Gmleqnbc.exe78⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:600 -
C:\Windows\SysWOW64\Gloflk32.exeC:\Windows\system32\Gloflk32.exe79⤵PID:1796
-
C:\Windows\SysWOW64\Gpkamiag.exeC:\Windows\system32\Gpkamiag.exe80⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2436 -
C:\Windows\SysWOW64\Gnnbhf32.exeC:\Windows\system32\Gnnbhf32.exe81⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:2276 -
C:\Windows\SysWOW64\Gbinidpj.exeC:\Windows\system32\Gbinidpj.exe82⤵
- Modifies registry class
PID:2240 -
C:\Windows\SysWOW64\Gfejic32.exeC:\Windows\system32\Gfejic32.exe83⤵PID:2664
-
C:\Windows\SysWOW64\Gehjepon.exeC:\Windows\system32\Gehjepon.exe84⤵
- System Location Discovery: System Language Discovery
PID:948 -
C:\Windows\SysWOW64\Ghffal32.exeC:\Windows\system32\Ghffal32.exe85⤵PID:2152
-
C:\Windows\SysWOW64\Gblknd32.exeC:\Windows\system32\Gblknd32.exe86⤵PID:1272
-
C:\Windows\SysWOW64\Gaokjaeb.exeC:\Windows\system32\Gaokjaeb.exe87⤵PID:2616
-
C:\Windows\SysWOW64\Gejgjp32.exeC:\Windows\system32\Gejgjp32.exe88⤵
- System Location Discovery: System Language Discovery
PID:1440 -
C:\Windows\SysWOW64\Gieckned.exeC:\Windows\system32\Gieckned.exe89⤵PID:1764
-
C:\Windows\SysWOW64\Ghhcfk32.exeC:\Windows\system32\Ghhcfk32.exe90⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:1432 -
C:\Windows\SysWOW64\Gldogjeh.exeC:\Windows\system32\Gldogjeh.exe91⤵PID:2756
-
C:\Windows\SysWOW64\Gnbkcedl.exeC:\Windows\system32\Gnbkcedl.exe92⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:988 -
C:\Windows\SysWOW64\Gbngdd32.exeC:\Windows\system32\Gbngdd32.exe93⤵PID:2232
-
C:\Windows\SysWOW64\Gaagoqcp.exeC:\Windows\system32\Gaagoqcp.exe94⤵
- System Location Discovery: System Language Discovery
PID:2864 -
C:\Windows\SysWOW64\Gelcpp32.exeC:\Windows\system32\Gelcpp32.exe95⤵
- Modifies registry class
PID:2184 -
C:\Windows\SysWOW64\Ghkplk32.exeC:\Windows\system32\Ghkplk32.exe96⤵PID:1156
-
C:\Windows\SysWOW64\Glflmi32.exeC:\Windows\system32\Glflmi32.exe97⤵PID:2760
-
C:\Windows\SysWOW64\Gjilhfip.exeC:\Windows\system32\Gjilhfip.exe98⤵
- System Location Discovery: System Language Discovery
PID:2768 -
C:\Windows\SysWOW64\Gnehie32.exeC:\Windows\system32\Gnehie32.exe99⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:812 -
C:\Windows\SysWOW64\Gmghdahd.exeC:\Windows\system32\Gmghdahd.exe100⤵
- Drops file in System32 directory
PID:3048 -
C:\Windows\SysWOW64\Gacdeq32.exeC:\Windows\system32\Gacdeq32.exe101⤵
- System Location Discovery: System Language Discovery
PID:1456 -
C:\Windows\SysWOW64\Gdaqal32.exeC:\Windows\system32\Gdaqal32.exe102⤵
- Modifies registry class
PID:1628 -
C:\Windows\SysWOW64\Ghmmakhj.exeC:\Windows\system32\Ghmmakhj.exe103⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2744 -
C:\Windows\SysWOW64\Gfpmmg32.exeC:\Windows\system32\Gfpmmg32.exe104⤵PID:2652
-
C:\Windows\SysWOW64\Gjlinfgm.exeC:\Windows\system32\Gjlinfgm.exe105⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2984 -
C:\Windows\SysWOW64\Gngend32.exeC:\Windows\system32\Gngend32.exe106⤵PID:1368
-
C:\Windows\SysWOW64\Haeajp32.exeC:\Windows\system32\Haeajp32.exe107⤵PID:2500
-
C:\Windows\SysWOW64\Hphafmee.exeC:\Windows\system32\Hphafmee.exe108⤵
- System Location Discovery: System Language Discovery
PID:2688 -
C:\Windows\SysWOW64\Hddmgl32.exeC:\Windows\system32\Hddmgl32.exe109⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2432 -
C:\Windows\SysWOW64\Hfbicg32.exeC:\Windows\system32\Hfbicg32.exe110⤵
- System Location Discovery: System Language Discovery
PID:952 -
C:\Windows\SysWOW64\Hiqfoble.exeC:\Windows\system32\Hiqfoble.exe111⤵PID:1660
-
C:\Windows\SysWOW64\Hmlapa32.exeC:\Windows\system32\Hmlapa32.exe112⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1140 -
C:\Windows\SysWOW64\Hahnppmh.exeC:\Windows\system32\Hahnppmh.exe113⤵PID:2320
-
C:\Windows\SysWOW64\Hdfjlklk.exeC:\Windows\system32\Hdfjlklk.exe114⤵PID:2052
-
C:\Windows\SysWOW64\Hbijhh32.exeC:\Windows\system32\Hbijhh32.exe115⤵PID:2924
-
C:\Windows\SysWOW64\Hfdfhgko.exeC:\Windows\system32\Hfdfhgko.exe116⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2504 -
C:\Windows\SysWOW64\Hjpbie32.exeC:\Windows\system32\Hjpbie32.exe117⤵
- Modifies registry class
PID:3012 -
C:\Windows\SysWOW64\Hmoneq32.exeC:\Windows\system32\Hmoneq32.exe118⤵PID:2900
-
C:\Windows\SysWOW64\Hlaoqnif.exeC:\Windows\system32\Hlaoqnif.exe119⤵
- System Location Discovery: System Language Discovery
PID:2444 -
C:\Windows\SysWOW64\Hpmkal32.exeC:\Windows\system32\Hpmkal32.exe120⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1524 -
C:\Windows\SysWOW64\Hdigakji.exeC:\Windows\system32\Hdigakji.exe121⤵PID:2908
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-