Analysis
-
max time kernel
81s -
max time network
19s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
14-09-2024 00:56
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
b458e966c1162eb40f877e81933694245056b9e00be5d4f64c1d389571b677b2.exe
Resource
win7-20240903-en
windows7-x64
8 signatures
150 seconds
Behavioral task
behavioral2
Sample
b458e966c1162eb40f877e81933694245056b9e00be5d4f64c1d389571b677b2.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
7 signatures
150 seconds
General
-
Target
b458e966c1162eb40f877e81933694245056b9e00be5d4f64c1d389571b677b2.exe
-
Size
80KB
-
MD5
5796d6c54cdede10226c3f44e98ac8b4
-
SHA1
0a8351c19761c3eca6a3a2ced428777730f9d7c9
-
SHA256
b458e966c1162eb40f877e81933694245056b9e00be5d4f64c1d389571b677b2
-
SHA512
e48a2e236130c6246273b648f538260043921d4e9f19b75028cfeb443712e137750f88887a8ab1551f89615b33e12037546318d9059ba8696ad14a279ea5f5b1
-
SSDEEP
1536:21gGhe/c1WfQGv0qKh34iWlo3q2iiWxSzFeJuqnhCN:22Ghe/ZmR4XloxoEzFeJLCN
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mliibj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jpalmaad.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hbepplkh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pifakj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Apglgfde.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jekoljgo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gnenfjdh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mdahnmck.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nkhhie32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gljdlq32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eekpknlf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lednal32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hnimeg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nmkklflj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bdmklico.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad b458e966c1162eb40f877e81933694245056b9e00be5d4f64c1d389571b677b2.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Akhndf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Acfonhgd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fimedaoe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fhdlbd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mkelcenm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dnbbjf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cfmceomm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gopnca32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qdhcinme.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aagfffbo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Khnqbhdi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mcendc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dippfplg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fncddc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mgfjjh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cnjbfhqa.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hfdbji32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mjeholco.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aglhph32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pfaopc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ncpjnahm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dqpgll32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fimedaoe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nicfnn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pmjaadjm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cbllph32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mnakjaoc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gljdlq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hnljkf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kokppd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Feccqime.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gllabp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iganmp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fidkep32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ancdgcab.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ddnaonia.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jpnfdbig.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jdbhcfjd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lbgkhoml.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bnhjae32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kblhdkgk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Apglgfde.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fblpnepn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jpfehq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ohkpdj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Qdhcinme.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Biakbc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iamjghnm.exe -
Executes dropped EXE 64 IoCs
pid Process 2504 Dpgedepn.exe 2928 Edenjc32.exe 2188 Ekofgnna.exe 472 Elqcnfdp.exe 2688 Eigpmjqg.exe 2468 Fhnjdfcl.exe 2008 Fkocfa32.exe 1428 Fhccoe32.exe 884 Gfmmanif.exe 2064 Gmjbchnq.exe 1692 Gbfklolh.exe 1376 Gfdcbmbn.exe 1180 Gfgpgmql.exe 2080 Hqpahkmj.exe 2456 Hbpmbndm.exe 904 Hgobpd32.exe 2196 Hjplao32.exe 1360 Ilceog32.exe 2136 Ifiilp32.exe 1536 Ihlbih32.exe 1752 Ieqbbl32.exe 3024 Ibdclp32.exe 2176 Ihaldgak.exe 708 Jffhec32.exe 2380 Jpomnilc.exe 2116 Janihlcf.exe 2828 Jkfnaa32.exe 1996 Jpfcohfk.exe 2868 Kokppd32.exe 2996 Kiqdmm32.exe 2840 Kegebn32.exe 1624 Kejahn32.exe 2364 Khjkiikl.exe 2964 Kngcbpjc.exe 2344 Lphlck32.exe 2960 Llfcik32.exe 1152 Mdahnmck.exe 2128 Mkkpjg32.exe 1908 Mjpmkdpp.exe 1028 Mkpieggc.exe 1780 Mgfjjh32.exe 796 Mflgkd32.exe 668 Npdkdjhp.exe 2236 Necqbp32.exe 2156 Nfbmlckg.exe 1808 Npkaei32.exe 936 Nicfnn32.exe 2056 Nlabjj32.exe 2448 Odmgnl32.exe 2124 Ohkpdj32.exe 2420 Onehadbj.exe 2768 Odaqikaa.exe 3032 Oaeacppk.exe 2824 Obgmjh32.exe 2920 Olobcm32.exe 2316 Odfjdk32.exe 760 Pbkgegad.exe 3060 Pieobaiq.exe 2200 Paqdgcfl.exe 2072 Plfhdlfb.exe 2252 Peolmb32.exe 1104 Phmiimlf.exe 2132 Pmjaadjm.exe 2552 Phoeomjc.exe -
Loads dropped DLL 64 IoCs
pid Process 2888 b458e966c1162eb40f877e81933694245056b9e00be5d4f64c1d389571b677b2.exe 2888 b458e966c1162eb40f877e81933694245056b9e00be5d4f64c1d389571b677b2.exe 2504 Dpgedepn.exe 2504 Dpgedepn.exe 2928 Edenjc32.exe 2928 Edenjc32.exe 2188 Ekofgnna.exe 2188 Ekofgnna.exe 472 Elqcnfdp.exe 472 Elqcnfdp.exe 2688 Eigpmjqg.exe 2688 Eigpmjqg.exe 2468 Fhnjdfcl.exe 2468 Fhnjdfcl.exe 2008 Fkocfa32.exe 2008 Fkocfa32.exe 1428 Fhccoe32.exe 1428 Fhccoe32.exe 884 Gfmmanif.exe 884 Gfmmanif.exe 2064 Gmjbchnq.exe 2064 Gmjbchnq.exe 1692 Gbfklolh.exe 1692 Gbfklolh.exe 1376 Gfdcbmbn.exe 1376 Gfdcbmbn.exe 1180 Gfgpgmql.exe 1180 Gfgpgmql.exe 2080 Hqpahkmj.exe 2080 Hqpahkmj.exe 2456 Hbpmbndm.exe 2456 Hbpmbndm.exe 904 Hgobpd32.exe 904 Hgobpd32.exe 2196 Hjplao32.exe 2196 Hjplao32.exe 1360 Ilceog32.exe 1360 Ilceog32.exe 2136 Ifiilp32.exe 2136 Ifiilp32.exe 1536 Ihlbih32.exe 1536 Ihlbih32.exe 1752 Ieqbbl32.exe 1752 Ieqbbl32.exe 3024 Ibdclp32.exe 3024 Ibdclp32.exe 2176 Ihaldgak.exe 2176 Ihaldgak.exe 708 Jffhec32.exe 708 Jffhec32.exe 2380 Jpomnilc.exe 2380 Jpomnilc.exe 2116 Janihlcf.exe 2116 Janihlcf.exe 2828 Jkfnaa32.exe 2828 Jkfnaa32.exe 1996 Jpfcohfk.exe 1996 Jpfcohfk.exe 2868 Kokppd32.exe 2868 Kokppd32.exe 2996 Kiqdmm32.exe 2996 Kiqdmm32.exe 2840 Kegebn32.exe 2840 Kegebn32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Ifiilp32.exe Ilceog32.exe File opened for modification C:\Windows\SysWOW64\Bnhjae32.exe Bgnaekil.exe File created C:\Windows\SysWOW64\Banndk32.dll Bnhjae32.exe File opened for modification C:\Windows\SysWOW64\Jbooen32.exe Jlegic32.exe File created C:\Windows\SysWOW64\Mdajff32.exe Mlfebcnd.exe File created C:\Windows\SysWOW64\Klfjpm32.dll Dggcbf32.exe File created C:\Windows\SysWOW64\Mkpaaa32.dll Dcnchg32.exe File created C:\Windows\SysWOW64\Nlabjj32.exe Nicfnn32.exe File created C:\Windows\SysWOW64\Cngfqi32.exe Cgmndokg.exe File created C:\Windows\SysWOW64\Fpihnbmk.exe Feccqime.exe File opened for modification C:\Windows\SysWOW64\Iabcbg32.exe Icnbic32.exe File created C:\Windows\SysWOW64\Feedfo32.dll Kmmiaknb.exe File created C:\Windows\SysWOW64\Heojjm32.dll Aggkdlod.exe File created C:\Windows\SysWOW64\Dbkgliff.dll Mfoqephq.exe File created C:\Windows\SysWOW64\Ojldok32.dll Iganmp32.exe File created C:\Windows\SysWOW64\Chfkjibh.dll Jpomnilc.exe File created C:\Windows\SysWOW64\Lolbjahp.exe Lednal32.exe File opened for modification C:\Windows\SysWOW64\Ljfckodo.exe Ldikbhfh.exe File created C:\Windows\SysWOW64\Eheblj32.exe Epinhg32.exe File opened for modification C:\Windows\SysWOW64\Nfbmlckg.exe Necqbp32.exe File created C:\Windows\SysWOW64\Nkbdbbop.exe Nbjpjm32.exe File opened for modification C:\Windows\SysWOW64\Mgfjjh32.exe Mkpieggc.exe File opened for modification C:\Windows\SysWOW64\Mdkmld32.exe Mjeholco.exe File created C:\Windows\SysWOW64\Qiekadkl.exe Qdhcinme.exe File opened for modification C:\Windows\SysWOW64\Gdpfbd32.exe Gnenfjdh.exe File created C:\Windows\SysWOW64\Liacqlhg.dll Kfcadq32.exe File opened for modification C:\Windows\SysWOW64\Hdolga32.exe Hgkknm32.exe File opened for modification C:\Windows\SysWOW64\Fmmjpoci.exe Flnnfllf.exe File created C:\Windows\SysWOW64\Odmgnl32.exe Nlabjj32.exe File created C:\Windows\SysWOW64\Ddaman32.dll Phmiimlf.exe File created C:\Windows\SysWOW64\Inajql32.exe Iggbdb32.exe File opened for modification C:\Windows\SysWOW64\Lamkllea.exe Ljfckodo.exe File created C:\Windows\SysWOW64\Pdqfnhpa.exe Ndbjgjqh.exe File created C:\Windows\SysWOW64\Kacakgip.exe Kdoaackf.exe File created C:\Windows\SysWOW64\Nmkklflj.exe Nqdjge32.exe File created C:\Windows\SysWOW64\Mgomoboc.exe Mliibj32.exe File opened for modification C:\Windows\SysWOW64\Qfedhb32.exe Pmmppm32.exe File created C:\Windows\SysWOW64\Mjpmkdpp.exe Mkkpjg32.exe File created C:\Windows\SysWOW64\Lbecjo32.dll Jekoljgo.exe File created C:\Windows\SysWOW64\Ggkoojip.exe Figoefkf.exe File created C:\Windows\SysWOW64\Dbfaopqo.exe Cgpmbgai.exe File created C:\Windows\SysWOW64\Qlbhlf32.dll Bhgaan32.exe File created C:\Windows\SysWOW64\Glgdlgmm.dll Gbfklolh.exe File opened for modification C:\Windows\SysWOW64\Hbpmbndm.exe Hqpahkmj.exe File created C:\Windows\SysWOW64\Cdjkhnje.dll Mjpmkdpp.exe File opened for modification C:\Windows\SysWOW64\Ckgmon32.exe Cbnhfhoc.exe File created C:\Windows\SysWOW64\Fdbgia32.exe Ddnaonia.exe File opened for modification C:\Windows\SysWOW64\Gknhjn32.exe Gddpndhp.exe File created C:\Windows\SysWOW64\Aapikqel.exe Alcqcjgd.exe File created C:\Windows\SysWOW64\Kgeahmik.dll Ggmldj32.exe File created C:\Windows\SysWOW64\Iofiimkd.exe Iiekkdjo.exe File created C:\Windows\SysWOW64\Pbqbioeb.exe Pfjbdn32.exe File created C:\Windows\SysWOW64\Bjjakg32.exe Bbolge32.exe File created C:\Windows\SysWOW64\Eneehhmp.dll Dmalmdcg.exe File opened for modification C:\Windows\SysWOW64\Kdgane32.exe Kmmiaknb.exe File created C:\Windows\SysWOW64\Lafekm32.exe Khnqbhdi.exe File created C:\Windows\SysWOW64\Eccdmmpk.exe Emilqb32.exe File created C:\Windows\SysWOW64\Ilgjmckn.dll Dpgedepn.exe File created C:\Windows\SysWOW64\Gfgpgmql.exe Gfdcbmbn.exe File created C:\Windows\SysWOW64\Gqemkl32.dll Npkaei32.exe File created C:\Windows\SysWOW64\Dcojbm32.exe Dnbbjf32.exe File created C:\Windows\SysWOW64\Boobcigh.dll Gljdlq32.exe File opened for modification C:\Windows\SysWOW64\Jpalmaad.exe Jjdcdjcm.exe File created C:\Windows\SysWOW64\Lmlofhmb.exe Lbgkhoml.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 4776 4752 WerFault.exe 357 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iofiimkd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jjdcdjcm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bkjpncii.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Olobcm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pbkgegad.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Plfhdlfb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jpnfdbig.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mkqbhf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ieqbbl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mahgejhf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Amfcfk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bnfodojp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gbfklolh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qdhcinme.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bbjoki32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iefeaj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lednal32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Okgnna32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qfedhb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bonenbgj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ibeloo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lndlamke.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mliibj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mcendc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nkbdbbop.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oaeacppk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kdgane32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Klbfbg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bcedbefd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dajlhc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fblpnepn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gocpcfeb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kmmiaknb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cmgblphf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mlfebcnd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fidkep32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Acbieing.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kpblne32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Khnqbhdi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eccdmmpk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fkocfa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Abpohb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ggqamh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lpmhgc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aglhph32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gnenfjdh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jidngh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kpkocpjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kiccle32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dqpgll32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Llfcik32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qamleagn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Emilqb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pmmppm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bdmklico.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ohkpdj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bbflkcao.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iganmp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Omhjejai.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Elbkbh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hobjia32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jekoljgo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lamkllea.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Odmgnl32.exe -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717} b458e966c1162eb40f877e81933694245056b9e00be5d4f64c1d389571b677b2.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bqopmbed.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Gddpndhp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pilcnl32.dll" Aagfffbo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bnhjae32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Klbfbg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Akhndf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Edhmhl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jjdcdjcm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hbndfacf.dll" Jnojjp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kbnnmian.dll" Keekeg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Qfedhb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bnfodojp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkpaaa32.dll" Dcnchg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ghlell32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Fpihnbmk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Lllihf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mfoqephq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Eccdmmpk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkkmkf32.dll" Nbjpjm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmllmn32.dll" Bnfodojp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ohkpdj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pfaopc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Cmgblphf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Iiekkdjo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ieqbbl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hbhmfk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mkelcenm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dippfplg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Amfcfk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eocmqiih.dll" Gmegkd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Gllabp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ilgjmckn.dll" Dpgedepn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Gbfklolh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nlgeqb32.dll" Mnakjaoc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mchjjo32.dll" Ndbjgjqh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hhfdkgij.dll" Emilqb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jmmnpc32.dll" Edhmhl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kiccle32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mdajff32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihpfhhme.dll" Kdoaackf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Lgdcom32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fhglil32.dll" Hqpahkmj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ibdclp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mkpieggc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Nfbmlckg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Cgmndokg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpmggm32.dll" Jlegic32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mgfjjh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Qdhcinme.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bkjfhile.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kekgleob.dll" Kiccle32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjhecdda.dll" Fidkep32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gpqlke32.dll" Bbjoki32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Lndlamke.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Fhnjdfcl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Necqbp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cealdmqc.dll" Lllihf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pmmppm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Apjpglfn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jpnfdbig.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bjgmka32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hhcheobh.dll" Glongpao.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mdajff32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2888 wrote to memory of 2504 2888 b458e966c1162eb40f877e81933694245056b9e00be5d4f64c1d389571b677b2.exe 29 PID 2888 wrote to memory of 2504 2888 b458e966c1162eb40f877e81933694245056b9e00be5d4f64c1d389571b677b2.exe 29 PID 2888 wrote to memory of 2504 2888 b458e966c1162eb40f877e81933694245056b9e00be5d4f64c1d389571b677b2.exe 29 PID 2888 wrote to memory of 2504 2888 b458e966c1162eb40f877e81933694245056b9e00be5d4f64c1d389571b677b2.exe 29 PID 2504 wrote to memory of 2928 2504 Dpgedepn.exe 30 PID 2504 wrote to memory of 2928 2504 Dpgedepn.exe 30 PID 2504 wrote to memory of 2928 2504 Dpgedepn.exe 30 PID 2504 wrote to memory of 2928 2504 Dpgedepn.exe 30 PID 2928 wrote to memory of 2188 2928 Edenjc32.exe 31 PID 2928 wrote to memory of 2188 2928 Edenjc32.exe 31 PID 2928 wrote to memory of 2188 2928 Edenjc32.exe 31 PID 2928 wrote to memory of 2188 2928 Edenjc32.exe 31 PID 2188 wrote to memory of 472 2188 Ekofgnna.exe 32 PID 2188 wrote to memory of 472 2188 Ekofgnna.exe 32 PID 2188 wrote to memory of 472 2188 Ekofgnna.exe 32 PID 2188 wrote to memory of 472 2188 Ekofgnna.exe 32 PID 472 wrote to memory of 2688 472 Elqcnfdp.exe 33 PID 472 wrote to memory of 2688 472 Elqcnfdp.exe 33 PID 472 wrote to memory of 2688 472 Elqcnfdp.exe 33 PID 472 wrote to memory of 2688 472 Elqcnfdp.exe 33 PID 2688 wrote to memory of 2468 2688 Eigpmjqg.exe 34 PID 2688 wrote to memory of 2468 2688 Eigpmjqg.exe 34 PID 2688 wrote to memory of 2468 2688 Eigpmjqg.exe 34 PID 2688 wrote to memory of 2468 2688 Eigpmjqg.exe 34 PID 2468 wrote to memory of 2008 2468 Fhnjdfcl.exe 35 PID 2468 wrote to memory of 2008 2468 Fhnjdfcl.exe 35 PID 2468 wrote to memory of 2008 2468 Fhnjdfcl.exe 35 PID 2468 wrote to memory of 2008 2468 Fhnjdfcl.exe 35 PID 2008 wrote to memory of 1428 2008 Fkocfa32.exe 36 PID 2008 wrote to memory of 1428 2008 Fkocfa32.exe 36 PID 2008 wrote to memory of 1428 2008 Fkocfa32.exe 36 PID 2008 wrote to memory of 1428 2008 Fkocfa32.exe 36 PID 1428 wrote to memory of 884 1428 Fhccoe32.exe 37 PID 1428 wrote to memory of 884 1428 Fhccoe32.exe 37 PID 1428 wrote to memory of 884 1428 Fhccoe32.exe 37 PID 1428 wrote to memory of 884 1428 Fhccoe32.exe 37 PID 884 wrote to memory of 2064 884 Gfmmanif.exe 38 PID 884 wrote to memory of 2064 884 Gfmmanif.exe 38 PID 884 wrote to memory of 2064 884 Gfmmanif.exe 38 PID 884 wrote to memory of 2064 884 Gfmmanif.exe 38 PID 2064 wrote to memory of 1692 2064 Gmjbchnq.exe 39 PID 2064 wrote to memory of 1692 2064 Gmjbchnq.exe 39 PID 2064 wrote to memory of 1692 2064 Gmjbchnq.exe 39 PID 2064 wrote to memory of 1692 2064 Gmjbchnq.exe 39 PID 1692 wrote to memory of 1376 1692 Gbfklolh.exe 40 PID 1692 wrote to memory of 1376 1692 Gbfklolh.exe 40 PID 1692 wrote to memory of 1376 1692 Gbfklolh.exe 40 PID 1692 wrote to memory of 1376 1692 Gbfklolh.exe 40 PID 1376 wrote to memory of 1180 1376 Gfdcbmbn.exe 41 PID 1376 wrote to memory of 1180 1376 Gfdcbmbn.exe 41 PID 1376 wrote to memory of 1180 1376 Gfdcbmbn.exe 41 PID 1376 wrote to memory of 1180 1376 Gfdcbmbn.exe 41 PID 1180 wrote to memory of 2080 1180 Gfgpgmql.exe 42 PID 1180 wrote to memory of 2080 1180 Gfgpgmql.exe 42 PID 1180 wrote to memory of 2080 1180 Gfgpgmql.exe 42 PID 1180 wrote to memory of 2080 1180 Gfgpgmql.exe 42 PID 2080 wrote to memory of 2456 2080 Hqpahkmj.exe 43 PID 2080 wrote to memory of 2456 2080 Hqpahkmj.exe 43 PID 2080 wrote to memory of 2456 2080 Hqpahkmj.exe 43 PID 2080 wrote to memory of 2456 2080 Hqpahkmj.exe 43 PID 2456 wrote to memory of 904 2456 Hbpmbndm.exe 44 PID 2456 wrote to memory of 904 2456 Hbpmbndm.exe 44 PID 2456 wrote to memory of 904 2456 Hbpmbndm.exe 44 PID 2456 wrote to memory of 904 2456 Hbpmbndm.exe 44
Processes
-
C:\Users\Admin\AppData\Local\Temp\b458e966c1162eb40f877e81933694245056b9e00be5d4f64c1d389571b677b2.exe"C:\Users\Admin\AppData\Local\Temp\b458e966c1162eb40f877e81933694245056b9e00be5d4f64c1d389571b677b2.exe"1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2888 -
C:\Windows\SysWOW64\Dpgedepn.exeC:\Windows\system32\Dpgedepn.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2504 -
C:\Windows\SysWOW64\Edenjc32.exeC:\Windows\system32\Edenjc32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2928 -
C:\Windows\SysWOW64\Ekofgnna.exeC:\Windows\system32\Ekofgnna.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2188 -
C:\Windows\SysWOW64\Elqcnfdp.exeC:\Windows\system32\Elqcnfdp.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:472 -
C:\Windows\SysWOW64\Eigpmjqg.exeC:\Windows\system32\Eigpmjqg.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2688 -
C:\Windows\SysWOW64\Fhnjdfcl.exeC:\Windows\system32\Fhnjdfcl.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2468 -
C:\Windows\SysWOW64\Fkocfa32.exeC:\Windows\system32\Fkocfa32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2008 -
C:\Windows\SysWOW64\Fhccoe32.exeC:\Windows\system32\Fhccoe32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1428 -
C:\Windows\SysWOW64\Gfmmanif.exeC:\Windows\system32\Gfmmanif.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:884 -
C:\Windows\SysWOW64\Gmjbchnq.exeC:\Windows\system32\Gmjbchnq.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2064 -
C:\Windows\SysWOW64\Gbfklolh.exeC:\Windows\system32\Gbfklolh.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1692 -
C:\Windows\SysWOW64\Gfdcbmbn.exeC:\Windows\system32\Gfdcbmbn.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1376 -
C:\Windows\SysWOW64\Gfgpgmql.exeC:\Windows\system32\Gfgpgmql.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1180 -
C:\Windows\SysWOW64\Hqpahkmj.exeC:\Windows\system32\Hqpahkmj.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2080 -
C:\Windows\SysWOW64\Hbpmbndm.exeC:\Windows\system32\Hbpmbndm.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2456 -
C:\Windows\SysWOW64\Hgobpd32.exeC:\Windows\system32\Hgobpd32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:904 -
C:\Windows\SysWOW64\Hjplao32.exeC:\Windows\system32\Hjplao32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2196 -
C:\Windows\SysWOW64\Ilceog32.exeC:\Windows\system32\Ilceog32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1360 -
C:\Windows\SysWOW64\Ifiilp32.exeC:\Windows\system32\Ifiilp32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2136 -
C:\Windows\SysWOW64\Ihlbih32.exeC:\Windows\system32\Ihlbih32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1536 -
C:\Windows\SysWOW64\Ieqbbl32.exeC:\Windows\system32\Ieqbbl32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1752 -
C:\Windows\SysWOW64\Ibdclp32.exeC:\Windows\system32\Ibdclp32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:3024 -
C:\Windows\SysWOW64\Ihaldgak.exeC:\Windows\system32\Ihaldgak.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2176 -
C:\Windows\SysWOW64\Jffhec32.exeC:\Windows\system32\Jffhec32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:708 -
C:\Windows\SysWOW64\Jpomnilc.exeC:\Windows\system32\Jpomnilc.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2380 -
C:\Windows\SysWOW64\Janihlcf.exeC:\Windows\system32\Janihlcf.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2116 -
C:\Windows\SysWOW64\Jkfnaa32.exeC:\Windows\system32\Jkfnaa32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2828 -
C:\Windows\SysWOW64\Jpfcohfk.exeC:\Windows\system32\Jpfcohfk.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1996 -
C:\Windows\SysWOW64\Kokppd32.exeC:\Windows\system32\Kokppd32.exe30⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2868 -
C:\Windows\SysWOW64\Kiqdmm32.exeC:\Windows\system32\Kiqdmm32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2996 -
C:\Windows\SysWOW64\Kegebn32.exeC:\Windows\system32\Kegebn32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2840 -
C:\Windows\SysWOW64\Kejahn32.exeC:\Windows\system32\Kejahn32.exe33⤵
- Executes dropped EXE
PID:1624 -
C:\Windows\SysWOW64\Khjkiikl.exeC:\Windows\system32\Khjkiikl.exe34⤵
- Executes dropped EXE
PID:2364 -
C:\Windows\SysWOW64\Kngcbpjc.exeC:\Windows\system32\Kngcbpjc.exe35⤵
- Executes dropped EXE
PID:2964 -
C:\Windows\SysWOW64\Lphlck32.exeC:\Windows\system32\Lphlck32.exe36⤵
- Executes dropped EXE
PID:2344 -
C:\Windows\SysWOW64\Llfcik32.exeC:\Windows\system32\Llfcik32.exe37⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2960 -
C:\Windows\SysWOW64\Mdahnmck.exeC:\Windows\system32\Mdahnmck.exe38⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1152 -
C:\Windows\SysWOW64\Mkkpjg32.exeC:\Windows\system32\Mkkpjg32.exe39⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2128 -
C:\Windows\SysWOW64\Mjpmkdpp.exeC:\Windows\system32\Mjpmkdpp.exe40⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1908 -
C:\Windows\SysWOW64\Mkpieggc.exeC:\Windows\system32\Mkpieggc.exe41⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1028 -
C:\Windows\SysWOW64\Mgfjjh32.exeC:\Windows\system32\Mgfjjh32.exe42⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:1780 -
C:\Windows\SysWOW64\Mflgkd32.exeC:\Windows\system32\Mflgkd32.exe43⤵
- Executes dropped EXE
PID:796 -
C:\Windows\SysWOW64\Npdkdjhp.exeC:\Windows\system32\Npdkdjhp.exe44⤵
- Executes dropped EXE
PID:668 -
C:\Windows\SysWOW64\Necqbp32.exeC:\Windows\system32\Necqbp32.exe45⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2236 -
C:\Windows\SysWOW64\Nfbmlckg.exeC:\Windows\system32\Nfbmlckg.exe46⤵
- Executes dropped EXE
- Modifies registry class
PID:2156 -
C:\Windows\SysWOW64\Npkaei32.exeC:\Windows\system32\Npkaei32.exe47⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1808 -
C:\Windows\SysWOW64\Nicfnn32.exeC:\Windows\system32\Nicfnn32.exe48⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:936 -
C:\Windows\SysWOW64\Nlabjj32.exeC:\Windows\system32\Nlabjj32.exe49⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2056 -
C:\Windows\SysWOW64\Odmgnl32.exeC:\Windows\system32\Odmgnl32.exe50⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2448 -
C:\Windows\SysWOW64\Ohkpdj32.exeC:\Windows\system32\Ohkpdj32.exe51⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2124 -
C:\Windows\SysWOW64\Onehadbj.exeC:\Windows\system32\Onehadbj.exe52⤵
- Executes dropped EXE
PID:2420 -
C:\Windows\SysWOW64\Odaqikaa.exeC:\Windows\system32\Odaqikaa.exe53⤵
- Executes dropped EXE
PID:2768 -
C:\Windows\SysWOW64\Oaeacppk.exeC:\Windows\system32\Oaeacppk.exe54⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3032 -
C:\Windows\SysWOW64\Obgmjh32.exeC:\Windows\system32\Obgmjh32.exe55⤵
- Executes dropped EXE
PID:2824 -
C:\Windows\SysWOW64\Olobcm32.exeC:\Windows\system32\Olobcm32.exe56⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2920 -
C:\Windows\SysWOW64\Odfjdk32.exeC:\Windows\system32\Odfjdk32.exe57⤵
- Executes dropped EXE
PID:2316 -
C:\Windows\SysWOW64\Pbkgegad.exeC:\Windows\system32\Pbkgegad.exe58⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:760 -
C:\Windows\SysWOW64\Pieobaiq.exeC:\Windows\system32\Pieobaiq.exe59⤵
- Executes dropped EXE
PID:3060 -
C:\Windows\SysWOW64\Paqdgcfl.exeC:\Windows\system32\Paqdgcfl.exe60⤵
- Executes dropped EXE
PID:2200 -
C:\Windows\SysWOW64\Plfhdlfb.exeC:\Windows\system32\Plfhdlfb.exe61⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2072 -
C:\Windows\SysWOW64\Peolmb32.exeC:\Windows\system32\Peolmb32.exe62⤵
- Executes dropped EXE
PID:2252 -
C:\Windows\SysWOW64\Phmiimlf.exeC:\Windows\system32\Phmiimlf.exe63⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1104 -
C:\Windows\SysWOW64\Pmjaadjm.exeC:\Windows\system32\Pmjaadjm.exe64⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2132 -
C:\Windows\SysWOW64\Phoeomjc.exeC:\Windows\system32\Phoeomjc.exe65⤵
- Executes dropped EXE
PID:2552 -
C:\Windows\SysWOW64\Pmlngdhk.exeC:\Windows\system32\Pmlngdhk.exe66⤵PID:1496
-
C:\Windows\SysWOW64\Qkpnph32.exeC:\Windows\system32\Qkpnph32.exe67⤵PID:1540
-
C:\Windows\SysWOW64\Qdhcinme.exeC:\Windows\system32\Qdhcinme.exe68⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1548 -
C:\Windows\SysWOW64\Qiekadkl.exeC:\Windows\system32\Qiekadkl.exe69⤵PID:1616
-
C:\Windows\SysWOW64\Acnpjj32.exeC:\Windows\system32\Acnpjj32.exe70⤵PID:1760
-
C:\Windows\SysWOW64\Ancdgcab.exeC:\Windows\system32\Ancdgcab.exe71⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:868 -
C:\Windows\SysWOW64\Aglhph32.exeC:\Windows\system32\Aglhph32.exe72⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:3000 -
C:\Windows\SysWOW64\Ahmehqna.exeC:\Windows\system32\Ahmehqna.exe73⤵PID:2800
-
C:\Windows\SysWOW64\Acbieing.exeC:\Windows\system32\Acbieing.exe74⤵
- System Location Discovery: System Language Discovery
PID:2644 -
C:\Windows\SysWOW64\Afqeaemk.exeC:\Windows\system32\Afqeaemk.exe75⤵PID:2576
-
C:\Windows\SysWOW64\Aagfffbo.exeC:\Windows\system32\Aagfffbo.exe76⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2708 -
C:\Windows\SysWOW64\Akpkok32.exeC:\Windows\system32\Akpkok32.exe77⤵PID:1972
-
C:\Windows\SysWOW64\Aggkdlod.exeC:\Windows\system32\Aggkdlod.exe78⤵
- Drops file in System32 directory
PID:2716 -
C:\Windows\SysWOW64\Bqopmbed.exeC:\Windows\system32\Bqopmbed.exe79⤵
- Modifies registry class
PID:828 -
C:\Windows\SysWOW64\Bbolge32.exeC:\Windows\system32\Bbolge32.exe80⤵
- Drops file in System32 directory
PID:940 -
C:\Windows\SysWOW64\Bjjakg32.exeC:\Windows\system32\Bjjakg32.exe81⤵PID:892
-
C:\Windows\SysWOW64\Bgnaekil.exeC:\Windows\system32\Bgnaekil.exe82⤵
- Drops file in System32 directory
PID:1268 -
C:\Windows\SysWOW64\Bnhjae32.exeC:\Windows\system32\Bnhjae32.exe83⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:2480 -
C:\Windows\SysWOW64\Bcdbjl32.exeC:\Windows\system32\Bcdbjl32.exe84⤵PID:2264
-
C:\Windows\SysWOW64\Biakbc32.exeC:\Windows\system32\Biakbc32.exe85⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1944 -
C:\Windows\SysWOW64\Bbjoki32.exeC:\Windows\system32\Bbjoki32.exe86⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1716 -
C:\Windows\SysWOW64\Cicggcke.exeC:\Windows\system32\Cicggcke.exe87⤵PID:1060
-
C:\Windows\SysWOW64\Cbllph32.exeC:\Windows\system32\Cbllph32.exe88⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:696 -
C:\Windows\SysWOW64\Cmapna32.exeC:\Windows\system32\Cmapna32.exe89⤵PID:1196
-
C:\Windows\SysWOW64\Cbnhfhoc.exeC:\Windows\system32\Cbnhfhoc.exe90⤵
- Drops file in System32 directory
PID:852 -
C:\Windows\SysWOW64\Ckgmon32.exeC:\Windows\system32\Ckgmon32.exe91⤵PID:2784
-
C:\Windows\SysWOW64\Cgmndokg.exeC:\Windows\system32\Cgmndokg.exe92⤵
- Drops file in System32 directory
- Modifies registry class
PID:2740 -
C:\Windows\SysWOW64\Cngfqi32.exeC:\Windows\system32\Cngfqi32.exe93⤵PID:1960
-
C:\Windows\SysWOW64\Cnjbfhqa.exeC:\Windows\system32\Cnjbfhqa.exe94⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1740 -
C:\Windows\SysWOW64\Dajlhc32.exeC:\Windows\system32\Dajlhc32.exe95⤵
- System Location Discovery: System Language Discovery
PID:1708 -
C:\Windows\SysWOW64\Dmalmdcg.exeC:\Windows\system32\Dmalmdcg.exe96⤵
- Drops file in System32 directory
PID:1416 -
C:\Windows\SysWOW64\Ddnaonia.exeC:\Windows\system32\Ddnaonia.exe97⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2472 -
C:\Windows\SysWOW64\Fdbgia32.exeC:\Windows\system32\Fdbgia32.exe98⤵PID:2076
-
C:\Windows\SysWOW64\Feccqime.exeC:\Windows\system32\Feccqime.exe99⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2084 -
C:\Windows\SysWOW64\Fpihnbmk.exeC:\Windows\system32\Fpihnbmk.exe100⤵
- Modifies registry class
PID:2892 -
C:\Windows\SysWOW64\Fhdlbd32.exeC:\Windows\system32\Fhdlbd32.exe101⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1040 -
C:\Windows\SysWOW64\Fehmlh32.exeC:\Windows\system32\Fehmlh32.exe102⤵PID:1988
-
C:\Windows\SysWOW64\Foqadnpq.exeC:\Windows\system32\Foqadnpq.exe103⤵PID:1704
-
C:\Windows\SysWOW64\Gnenfjdh.exeC:\Windows\system32\Gnenfjdh.exe104⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2060 -
C:\Windows\SysWOW64\Gdpfbd32.exeC:\Windows\system32\Gdpfbd32.exe105⤵PID:2936
-
C:\Windows\SysWOW64\Gkiooocb.exeC:\Windows\system32\Gkiooocb.exe106⤵PID:2732
-
C:\Windows\SysWOW64\Gdbchd32.exeC:\Windows\system32\Gdbchd32.exe107⤵PID:2748
-
C:\Windows\SysWOW64\Gjolpkhj.exeC:\Windows\system32\Gjolpkhj.exe108⤵PID:2632
-
C:\Windows\SysWOW64\Gddpndhp.exeC:\Windows\system32\Gddpndhp.exe109⤵
- Drops file in System32 directory
- Modifies registry class
PID:3016 -
C:\Windows\SysWOW64\Gknhjn32.exeC:\Windows\system32\Gknhjn32.exe110⤵PID:2220
-
C:\Windows\SysWOW64\Gqkqbe32.exeC:\Windows\system32\Gqkqbe32.exe111⤵PID:1912
-
C:\Windows\SysWOW64\Gfhikl32.exeC:\Windows\system32\Gfhikl32.exe112⤵PID:2296
-
C:\Windows\SysWOW64\Gopnca32.exeC:\Windows\system32\Gopnca32.exe113⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2452 -
C:\Windows\SysWOW64\Hobjia32.exeC:\Windows\system32\Hobjia32.exe114⤵
- System Location Discovery: System Language Discovery
PID:928 -
C:\Windows\SysWOW64\Hbafel32.exeC:\Windows\system32\Hbafel32.exe115⤵PID:628
-
C:\Windows\SysWOW64\Hmfkbeoc.exeC:\Windows\system32\Hmfkbeoc.exe116⤵PID:2096
-
C:\Windows\SysWOW64\Hcqcoo32.exeC:\Windows\system32\Hcqcoo32.exe117⤵PID:2324
-
C:\Windows\SysWOW64\Hklhca32.exeC:\Windows\system32\Hklhca32.exe118⤵PID:2940
-
C:\Windows\SysWOW64\Hbepplkh.exeC:\Windows\system32\Hbepplkh.exe119⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:340 -
C:\Windows\SysWOW64\Hgbhibio.exeC:\Windows\system32\Hgbhibio.exe120⤵PID:2528
-
C:\Windows\SysWOW64\Hbhmfk32.exeC:\Windows\system32\Hbhmfk32.exe121⤵
- Modifies registry class
PID:2524
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-