Analysis
-
max time kernel
58s -
max time network
17s -
platform
windows7_x64 -
resource
win7-20240708-en -
resource tags
arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system -
submitted
19/09/2024, 04:41
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
934fe41e5de291a6f064045404d05e74faf9c31449b0594982d5a64c41ee247fN.exe
Resource
win7-20240708-en
windows7-x64
8 signatures
120 seconds
Behavioral task
behavioral2
Sample
934fe41e5de291a6f064045404d05e74faf9c31449b0594982d5a64c41ee247fN.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
7 signatures
120 seconds
General
-
Target
934fe41e5de291a6f064045404d05e74faf9c31449b0594982d5a64c41ee247fN.exe
-
Size
78KB
-
MD5
f331aa0186d7f28237e8c18a9d4cddc0
-
SHA1
69fe5777a3212f04e33ddabfc324efb1c9f62c25
-
SHA256
934fe41e5de291a6f064045404d05e74faf9c31449b0594982d5a64c41ee247f
-
SHA512
a48f2d211899329f4c32c7416c3eb29fa3d046f534aaa3497cb60272cf1ed5ec73d099787fce1f1f1592a46e14d50cc39df61586370339da602c4b5975e72e24
-
SSDEEP
1536:c2Kh2nIrBdz18cf/yveh83dm+WiV5N+zL20gJi1ie:RIVdhLf8e63d/WiV5gzL20WKt
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ihilqi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nhdjdk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Imfeip32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Deikhhhe.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ebekej32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bclcfnih.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bgcbja32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Edkahbmo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hpbhphie.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nblaajbd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oojhfj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pikohg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hefginae.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jiclnpjg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kkdnke32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eaangfjf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dpmjjhmi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ilblkh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lbhphdab.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jgmofbpk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gnbelong.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kkaaee32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kabobo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hkpaoape.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gnphfppi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cejhld32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ggbljogc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gfhikl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fqnhcgma.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lflklaoc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Poinkg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ohppjpkc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qefihg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ccolja32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dhjdjc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cppjadhk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eopcmb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ijjgkmqh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Joenaf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Boqgep32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jmggcmgg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Khkadoog.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fdlqjf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gklkdn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gcljdpke.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cbpcbo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ofmgmhgh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gnmdfi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mchadifq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kjakhcne.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ldkeoo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gdgcnj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lflklaoc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lomidgkl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mnilfc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gknfaehi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lbfcbdce.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pdpcep32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ddnhidmm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iaipmm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nlabjj32.exe -
Executes dropped EXE 64 IoCs
pid Process 1652 Biceoj32.exe 2348 Bmoaoikj.exe 2968 Cfgehn32.exe 2976 Cldnqe32.exe 2844 Cppjadhk.exe 2712 Caqfiloi.exe 1916 Cihojiok.exe 2504 Cbpcbo32.exe 2572 Cligkdlm.exe 2996 Cogdhpkp.exe 3024 Cfbhlb32.exe 2524 Cmlqimph.exe 900 Cpkmehol.exe 2364 Dicann32.exe 2216 Dpmjjhmi.exe 1512 Dbkffc32.exe 1368 Dgiomabc.exe 1780 Dmcgik32.exe 276 Ddmofeam.exe 1864 Dijgnm32.exe 1180 Dpdpkfga.exe 2176 Dcblgbfe.exe 3068 Deahcneh.exe 2584 Eoimlc32.exe 2076 Eagiho32.exe 2864 Eioaillo.exe 3020 Ekpmad32.exe 2660 Ecgeba32.exe 2720 Elpjkgip.exe 1604 Ekbjgd32.exe 572 Eehndm32.exe 476 Ehfkphnd.exe 3064 Egikle32.exe 3036 Eopcmb32.exe 2308 Encchoml.exe 1840 Eaooin32.exe 1896 Edmkei32.exe 2208 Ehhgfgla.exe 268 Ekgcbcke.exe 2468 Enepnoji.exe 2428 Eaalom32.exe 2152 Epdljjjm.exe 2244 Ecbhfeip.exe 1884 Egndgdai.exe 2304 Fjlqcppm.exe 2324 Fnhlcn32.exe 2352 Fqfipj32.exe 2812 Fdaephpc.exe 2780 Fgpalcog.exe 2828 Fjomhonj.exe 2672 Flmidkmn.exe 2488 Fqheei32.exe 1708 Fcgaae32.exe 1692 Ffenmp32.exe 2940 Fjajno32.exe 1924 Fmofjj32.exe 872 Fonbff32.exe 1144 Fcingdbh.exe 2088 Fhfgokap.exe 2168 Fmacpj32.exe 2344 Fopole32.exe 532 Fbnkha32.exe 1528 Fdmgdl32.exe 2608 Fmdpejgf.exe -
Loads dropped DLL 64 IoCs
pid Process 2024 934fe41e5de291a6f064045404d05e74faf9c31449b0594982d5a64c41ee247fN.exe 2024 934fe41e5de291a6f064045404d05e74faf9c31449b0594982d5a64c41ee247fN.exe 1652 Biceoj32.exe 1652 Biceoj32.exe 2348 Bmoaoikj.exe 2348 Bmoaoikj.exe 2968 Cfgehn32.exe 2968 Cfgehn32.exe 2976 Cldnqe32.exe 2976 Cldnqe32.exe 2844 Cppjadhk.exe 2844 Cppjadhk.exe 2712 Caqfiloi.exe 2712 Caqfiloi.exe 1916 Cihojiok.exe 1916 Cihojiok.exe 2504 Cbpcbo32.exe 2504 Cbpcbo32.exe 2572 Cligkdlm.exe 2572 Cligkdlm.exe 2996 Cogdhpkp.exe 2996 Cogdhpkp.exe 3024 Cfbhlb32.exe 3024 Cfbhlb32.exe 2524 Cmlqimph.exe 2524 Cmlqimph.exe 900 Cpkmehol.exe 900 Cpkmehol.exe 2364 Dicann32.exe 2364 Dicann32.exe 2216 Dpmjjhmi.exe 2216 Dpmjjhmi.exe 1512 Dbkffc32.exe 1512 Dbkffc32.exe 1368 Dgiomabc.exe 1368 Dgiomabc.exe 1780 Dmcgik32.exe 1780 Dmcgik32.exe 276 Ddmofeam.exe 276 Ddmofeam.exe 1864 Dijgnm32.exe 1864 Dijgnm32.exe 1180 Dpdpkfga.exe 1180 Dpdpkfga.exe 2176 Dcblgbfe.exe 2176 Dcblgbfe.exe 3068 Deahcneh.exe 3068 Deahcneh.exe 2584 Eoimlc32.exe 2584 Eoimlc32.exe 2076 Eagiho32.exe 2076 Eagiho32.exe 2864 Eioaillo.exe 2864 Eioaillo.exe 3020 Ekpmad32.exe 3020 Ekpmad32.exe 2660 Ecgeba32.exe 2660 Ecgeba32.exe 2720 Elpjkgip.exe 2720 Elpjkgip.exe 1604 Ekbjgd32.exe 1604 Ekbjgd32.exe 572 Eehndm32.exe 572 Eehndm32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Ilpkel32.exe Iiaoip32.exe File created C:\Windows\SysWOW64\Hpofcajk.dll Kcqfahom.exe File opened for modification C:\Windows\SysWOW64\Bbifhddh.dll Dmiihjak.exe File opened for modification C:\Windows\SysWOW64\Jdplmflg.exe Process not Found File created C:\Windows\SysWOW64\Hnnkbd32.exe Hjcoaeol.exe File created C:\Windows\SysWOW64\Lpbcldef.dll Mgnkfjho.exe File opened for modification C:\Windows\SysWOW64\Jipjmena.dll Dibjcg32.exe File opened for modification C:\Windows\SysWOW64\Eajhgg32.exe Ebghkjjc.exe File opened for modification C:\Windows\SysWOW64\Ampncd32.exe Anmnhhmd.exe File created C:\Windows\SysWOW64\Gcikfhed.exe Gqknjlfp.exe File created C:\Windows\SysWOW64\Chekdhkl.dll Njcibgcf.exe File opened for modification C:\Windows\SysWOW64\Ieqbbl32.exe Ibbffq32.exe File created C:\Windows\SysWOW64\Qieklfmg.dll Lhenmm32.exe File created C:\Windows\SysWOW64\Gcfgfack.exe Gkoodd32.exe File created C:\Windows\SysWOW64\Hpdalj32.dll Hmlkhk32.exe File opened for modification C:\Windows\SysWOW64\Hnlqemal.exe Hojqjp32.exe File created C:\Windows\SysWOW64\Kalgdehn.dll Dicann32.exe File created C:\Windows\SysWOW64\Egcaic32.dll Fhccoe32.exe File created C:\Windows\SysWOW64\Jbbbed32.exe Jpcfih32.exe File opened for modification C:\Windows\SysWOW64\Almjcobe.exe Ahancp32.exe File created C:\Windows\SysWOW64\Dmlpkniq.dll Mmmpdp32.exe File created C:\Windows\SysWOW64\Naophfnm.dll Ndgdpn32.exe File created C:\Windows\SysWOW64\Ihooog32.exe Ieqbbl32.exe File created C:\Windows\SysWOW64\Hbgjmcba.exe Hnlnmd32.exe File created C:\Windows\SysWOW64\Abmgojdb.dll Emfbgg32.exe File created C:\Windows\SysWOW64\Gemfghek.exe Gnenfjdh.exe File created C:\Windows\SysWOW64\Fakhhk32.exe Fnplgl32.exe File created C:\Windows\SysWOW64\Fifjgemj.dll Process not Found File created C:\Windows\SysWOW64\Manbna32.dll Lbmicc32.exe File opened for modification C:\Windows\SysWOW64\Aklefm32.exe Adbmjbif.exe File created C:\Windows\SysWOW64\Hlhfem32.dll Fcoaebjc.exe File created C:\Windows\SysWOW64\Ihaldgak.exe Iecohl32.exe File opened for modification C:\Windows\SysWOW64\Kdincdcl.exe Process not Found File created C:\Windows\SysWOW64\Idpademd.dll Ilnqhddd.exe File created C:\Windows\SysWOW64\Goqeoiki.dll Jmmmbg32.exe File opened for modification C:\Windows\SysWOW64\Bbapgknp.exe Bkghjq32.exe File created C:\Windows\SysWOW64\Hgobpd32.exe Heqfdh32.exe File created C:\Windows\SysWOW64\Mkndijfb.dll Nlabjj32.exe File created C:\Windows\SysWOW64\Ohmljj32.exe Odaqikaa.exe File created C:\Windows\SysWOW64\Ppogok32.exe Phhonn32.exe File created C:\Windows\SysWOW64\Pkkeeikj.exe Plheil32.exe File created C:\Windows\SysWOW64\Qielqc32.dll Ehdpcahk.exe File opened for modification C:\Windows\SysWOW64\Nnhobgag.exe Nljcflbd.exe File opened for modification C:\Windows\SysWOW64\Cegbce32.exe Bbhfgj32.exe File opened for modification C:\Windows\SysWOW64\Lohiob32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Hjfbaj32.exe Hggeeo32.exe File opened for modification C:\Windows\SysWOW64\Ifloeo32.exe Igioiacg.exe File created C:\Windows\SysWOW64\Jaffca32.exe Jnjjcbiq.exe File created C:\Windows\SysWOW64\Fhnfnajf.dll Nepkia32.exe File created C:\Windows\SysWOW64\Oejgbonl.exe Naokbq32.exe File created C:\Windows\SysWOW64\Fmlbgc32.dll Abjcleqm.exe File created C:\Windows\SysWOW64\Gkchpcoc.exe Gielchpp.exe File created C:\Windows\SysWOW64\Dfnleh32.dll Boncej32.exe File created C:\Windows\SysWOW64\Omgdmenm.dll Kdjenkgh.exe File created C:\Windows\SysWOW64\Mdcdcmai.exe Mqhhbn32.exe File created C:\Windows\SysWOW64\Hjcnol32.dll Ehiiop32.exe File created C:\Windows\SysWOW64\Kldchgag.exe Process not Found File created C:\Windows\SysWOW64\Kfobmc32.exe Kcqfahom.exe File created C:\Windows\SysWOW64\Hpmmdj32.dll Bgkeol32.exe File opened for modification C:\Windows\SysWOW64\Hqpahkmj.exe Gnbelong.exe File opened for modification C:\Windows\SysWOW64\Peaibajp.exe Paemac32.exe File opened for modification C:\Windows\SysWOW64\Djqcki32.exe Dfegjknm.exe File created C:\Windows\SysWOW64\Idjfdadn.dll Process not Found File created C:\Windows\SysWOW64\Mjeffc32.exe Mfijfdca.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 10932 10788 Process not Found 1200 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lbnbfb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fhifmcfa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ipecndab.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jblpge32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gkaljdaf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gjolpkhj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Omdbdb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jpndkj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Klijjnen.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bgqeea32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eibgbj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Acnpjj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hnnkbd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ollljo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dendcg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ekgcbcke.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hcajjf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mnlilb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cihqbb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Higiih32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Phabdmgq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Acplpjpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cgkanomj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mbehgabe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Plaoim32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Biceoj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jlgaek32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gqkqbe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ibjikk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iefeaj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Imchcplm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ahllda32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Adbmjbif.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aggkdlod.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fkgpaf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mdeaim32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nmeohnil.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eajhgg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hmighemp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kkljfj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fefpfi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ankabh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gicpnhbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fnhlcn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mdcdcmai.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aqljdclg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Boqgep32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dibjcg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gbkdgn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Egimdmmc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ehiiop32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ahioobed.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hgaoec32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jalmcl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ggpmkgab.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hhbfpj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lkcqfifp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mnaiah32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gngiba32.exe -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ilmool32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jljgni32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bbfibj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Iecohl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dlodea32.dll" Fdpjcaij.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Imidgh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibofbqpd.dll" Fgpalcog.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Knaqcabh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Flccjn32.dll" Ifkfap32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kpnnbm32.dll" Pdamhocm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hekohm32.dll" Dlfina32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Deahcneh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aocgll32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cppjadhk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bbjoki32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhjillah.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Biceoj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hcpqfgol.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jblpge32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Biikne32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pcojjn32.dll" Fohbqpki.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hldndp32.dll" Janihlcf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gdgcnj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Glpdbfek.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Flmidkmn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hbgjmcba.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kdilkllh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fldbnb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Idnppjcj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jmdoefnl.dll" Ciknhb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fejjah32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hdapggln.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hkndiabh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pamnnemo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlkokm32.dll" Mqdbjp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hbpmbndm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ldbjfdld.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Olbpmelm.dll" Fdbgia32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ooneiddj.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kdnfhbgm.dll" Lbnbfb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qpocno32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oajojd32.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Iimenapo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jqngde32.dll" Nqakim32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Oejgbonl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nfeqli32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jmfbkjnn.dll" Oedqcdim.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bkgqpjch.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ckdpinhf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Keniknoh.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kdbppi32.dll" Kpkcdn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Oiifcdhn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lomidgkl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mdcadn32.dll" Bcgoolln.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nnoaan32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nlgeqb32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pinnoafp.dll" Kpbiempj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Anmnhhmd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bjnhce32.dll" Infjfblm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dankdeoi.dll" Gbkdgn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Plheil32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cekfdc32.dll" Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2024 wrote to memory of 1652 2024 934fe41e5de291a6f064045404d05e74faf9c31449b0594982d5a64c41ee247fN.exe 30 PID 2024 wrote to memory of 1652 2024 934fe41e5de291a6f064045404d05e74faf9c31449b0594982d5a64c41ee247fN.exe 30 PID 2024 wrote to memory of 1652 2024 934fe41e5de291a6f064045404d05e74faf9c31449b0594982d5a64c41ee247fN.exe 30 PID 2024 wrote to memory of 1652 2024 934fe41e5de291a6f064045404d05e74faf9c31449b0594982d5a64c41ee247fN.exe 30 PID 1652 wrote to memory of 2348 1652 Biceoj32.exe 31 PID 1652 wrote to memory of 2348 1652 Biceoj32.exe 31 PID 1652 wrote to memory of 2348 1652 Biceoj32.exe 31 PID 1652 wrote to memory of 2348 1652 Biceoj32.exe 31 PID 2348 wrote to memory of 2968 2348 Bmoaoikj.exe 32 PID 2348 wrote to memory of 2968 2348 Bmoaoikj.exe 32 PID 2348 wrote to memory of 2968 2348 Bmoaoikj.exe 32 PID 2348 wrote to memory of 2968 2348 Bmoaoikj.exe 32 PID 2968 wrote to memory of 2976 2968 Cfgehn32.exe 33 PID 2968 wrote to memory of 2976 2968 Cfgehn32.exe 33 PID 2968 wrote to memory of 2976 2968 Cfgehn32.exe 33 PID 2968 wrote to memory of 2976 2968 Cfgehn32.exe 33 PID 2976 wrote to memory of 2844 2976 Cldnqe32.exe 34 PID 2976 wrote to memory of 2844 2976 Cldnqe32.exe 34 PID 2976 wrote to memory of 2844 2976 Cldnqe32.exe 34 PID 2976 wrote to memory of 2844 2976 Cldnqe32.exe 34 PID 2844 wrote to memory of 2712 2844 Cppjadhk.exe 35 PID 2844 wrote to memory of 2712 2844 Cppjadhk.exe 35 PID 2844 wrote to memory of 2712 2844 Cppjadhk.exe 35 PID 2844 wrote to memory of 2712 2844 Cppjadhk.exe 35 PID 2712 wrote to memory of 1916 2712 Caqfiloi.exe 36 PID 2712 wrote to memory of 1916 2712 Caqfiloi.exe 36 PID 2712 wrote to memory of 1916 2712 Caqfiloi.exe 36 PID 2712 wrote to memory of 1916 2712 Caqfiloi.exe 36 PID 1916 wrote to memory of 2504 1916 Cihojiok.exe 37 PID 1916 wrote to memory of 2504 1916 Cihojiok.exe 37 PID 1916 wrote to memory of 2504 1916 Cihojiok.exe 37 PID 1916 wrote to memory of 2504 1916 Cihojiok.exe 37 PID 2504 wrote to memory of 2572 2504 Cbpcbo32.exe 38 PID 2504 wrote to memory of 2572 2504 Cbpcbo32.exe 38 PID 2504 wrote to memory of 2572 2504 Cbpcbo32.exe 38 PID 2504 wrote to memory of 2572 2504 Cbpcbo32.exe 38 PID 2572 wrote to memory of 2996 2572 Cligkdlm.exe 39 PID 2572 wrote to memory of 2996 2572 Cligkdlm.exe 39 PID 2572 wrote to memory of 2996 2572 Cligkdlm.exe 39 PID 2572 wrote to memory of 2996 2572 Cligkdlm.exe 39 PID 2996 wrote to memory of 3024 2996 Cogdhpkp.exe 40 PID 2996 wrote to memory of 3024 2996 Cogdhpkp.exe 40 PID 2996 wrote to memory of 3024 2996 Cogdhpkp.exe 40 PID 2996 wrote to memory of 3024 2996 Cogdhpkp.exe 40 PID 3024 wrote to memory of 2524 3024 Cfbhlb32.exe 41 PID 3024 wrote to memory of 2524 3024 Cfbhlb32.exe 41 PID 3024 wrote to memory of 2524 3024 Cfbhlb32.exe 41 PID 3024 wrote to memory of 2524 3024 Cfbhlb32.exe 41 PID 2524 wrote to memory of 900 2524 Cmlqimph.exe 42 PID 2524 wrote to memory of 900 2524 Cmlqimph.exe 42 PID 2524 wrote to memory of 900 2524 Cmlqimph.exe 42 PID 2524 wrote to memory of 900 2524 Cmlqimph.exe 42 PID 900 wrote to memory of 2364 900 Cpkmehol.exe 43 PID 900 wrote to memory of 2364 900 Cpkmehol.exe 43 PID 900 wrote to memory of 2364 900 Cpkmehol.exe 43 PID 900 wrote to memory of 2364 900 Cpkmehol.exe 43 PID 2364 wrote to memory of 2216 2364 Dicann32.exe 44 PID 2364 wrote to memory of 2216 2364 Dicann32.exe 44 PID 2364 wrote to memory of 2216 2364 Dicann32.exe 44 PID 2364 wrote to memory of 2216 2364 Dicann32.exe 44 PID 2216 wrote to memory of 1512 2216 Dpmjjhmi.exe 45 PID 2216 wrote to memory of 1512 2216 Dpmjjhmi.exe 45 PID 2216 wrote to memory of 1512 2216 Dpmjjhmi.exe 45 PID 2216 wrote to memory of 1512 2216 Dpmjjhmi.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\934fe41e5de291a6f064045404d05e74faf9c31449b0594982d5a64c41ee247fN.exe"C:\Users\Admin\AppData\Local\Temp\934fe41e5de291a6f064045404d05e74faf9c31449b0594982d5a64c41ee247fN.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2024 -
C:\Windows\SysWOW64\Biceoj32.exeC:\Windows\system32\Biceoj32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1652 -
C:\Windows\SysWOW64\Bmoaoikj.exeC:\Windows\system32\Bmoaoikj.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2348 -
C:\Windows\SysWOW64\Cfgehn32.exeC:\Windows\system32\Cfgehn32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2968 -
C:\Windows\SysWOW64\Cldnqe32.exeC:\Windows\system32\Cldnqe32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2976 -
C:\Windows\SysWOW64\Cppjadhk.exeC:\Windows\system32\Cppjadhk.exe6⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2844 -
C:\Windows\SysWOW64\Caqfiloi.exeC:\Windows\system32\Caqfiloi.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2712 -
C:\Windows\SysWOW64\Cihojiok.exeC:\Windows\system32\Cihojiok.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1916 -
C:\Windows\SysWOW64\Cbpcbo32.exeC:\Windows\system32\Cbpcbo32.exe9⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2504 -
C:\Windows\SysWOW64\Cligkdlm.exeC:\Windows\system32\Cligkdlm.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2572 -
C:\Windows\SysWOW64\Cogdhpkp.exeC:\Windows\system32\Cogdhpkp.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2996 -
C:\Windows\SysWOW64\Cfbhlb32.exeC:\Windows\system32\Cfbhlb32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3024 -
C:\Windows\SysWOW64\Cmlqimph.exeC:\Windows\system32\Cmlqimph.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2524 -
C:\Windows\SysWOW64\Cpkmehol.exeC:\Windows\system32\Cpkmehol.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:900 -
C:\Windows\SysWOW64\Dicann32.exeC:\Windows\system32\Dicann32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2364 -
C:\Windows\SysWOW64\Dpmjjhmi.exeC:\Windows\system32\Dpmjjhmi.exe16⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2216 -
C:\Windows\SysWOW64\Dbkffc32.exeC:\Windows\system32\Dbkffc32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1512 -
C:\Windows\SysWOW64\Dgiomabc.exeC:\Windows\system32\Dgiomabc.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1368 -
C:\Windows\SysWOW64\Dmcgik32.exeC:\Windows\system32\Dmcgik32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1780 -
C:\Windows\SysWOW64\Ddmofeam.exeC:\Windows\system32\Ddmofeam.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:276 -
C:\Windows\SysWOW64\Dijgnm32.exeC:\Windows\system32\Dijgnm32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1864 -
C:\Windows\SysWOW64\Dpdpkfga.exeC:\Windows\system32\Dpdpkfga.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1180 -
C:\Windows\SysWOW64\Dcblgbfe.exeC:\Windows\system32\Dcblgbfe.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2176 -
C:\Windows\SysWOW64\Deahcneh.exeC:\Windows\system32\Deahcneh.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:3068 -
C:\Windows\SysWOW64\Eoimlc32.exeC:\Windows\system32\Eoimlc32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2584 -
C:\Windows\SysWOW64\Eagiho32.exeC:\Windows\system32\Eagiho32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2076 -
C:\Windows\SysWOW64\Eioaillo.exeC:\Windows\system32\Eioaillo.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2864 -
C:\Windows\SysWOW64\Ekpmad32.exeC:\Windows\system32\Ekpmad32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3020 -
C:\Windows\SysWOW64\Ecgeba32.exeC:\Windows\system32\Ecgeba32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2660 -
C:\Windows\SysWOW64\Elpjkgip.exeC:\Windows\system32\Elpjkgip.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2720 -
C:\Windows\SysWOW64\Ekbjgd32.exeC:\Windows\system32\Ekbjgd32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1604 -
C:\Windows\SysWOW64\Eehndm32.exeC:\Windows\system32\Eehndm32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:572 -
C:\Windows\SysWOW64\Ehfkphnd.exeC:\Windows\system32\Ehfkphnd.exe33⤵
- Executes dropped EXE
PID:476 -
C:\Windows\SysWOW64\Egikle32.exeC:\Windows\system32\Egikle32.exe34⤵
- Executes dropped EXE
PID:3064 -
C:\Windows\SysWOW64\Eopcmb32.exeC:\Windows\system32\Eopcmb32.exe35⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3036 -
C:\Windows\SysWOW64\Encchoml.exeC:\Windows\system32\Encchoml.exe36⤵
- Executes dropped EXE
PID:2308 -
C:\Windows\SysWOW64\Eaooin32.exeC:\Windows\system32\Eaooin32.exe37⤵
- Executes dropped EXE
PID:1840 -
C:\Windows\SysWOW64\Edmkei32.exeC:\Windows\system32\Edmkei32.exe38⤵
- Executes dropped EXE
PID:1896 -
C:\Windows\SysWOW64\Ehhgfgla.exeC:\Windows\system32\Ehhgfgla.exe39⤵
- Executes dropped EXE
PID:2208 -
C:\Windows\SysWOW64\Ekgcbcke.exeC:\Windows\system32\Ekgcbcke.exe40⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:268 -
C:\Windows\SysWOW64\Enepnoji.exeC:\Windows\system32\Enepnoji.exe41⤵
- Executes dropped EXE
PID:2468 -
C:\Windows\SysWOW64\Eaalom32.exeC:\Windows\system32\Eaalom32.exe42⤵
- Executes dropped EXE
PID:2428 -
C:\Windows\SysWOW64\Epdljjjm.exeC:\Windows\system32\Epdljjjm.exe43⤵
- Executes dropped EXE
PID:2152 -
C:\Windows\SysWOW64\Ecbhfeip.exeC:\Windows\system32\Ecbhfeip.exe44⤵
- Executes dropped EXE
PID:2244 -
C:\Windows\SysWOW64\Egndgdai.exeC:\Windows\system32\Egndgdai.exe45⤵
- Executes dropped EXE
PID:1884 -
C:\Windows\SysWOW64\Fjlqcppm.exeC:\Windows\system32\Fjlqcppm.exe46⤵
- Executes dropped EXE
PID:2304 -
C:\Windows\SysWOW64\Fnhlcn32.exeC:\Windows\system32\Fnhlcn32.exe47⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2324 -
C:\Windows\SysWOW64\Fqfipj32.exeC:\Windows\system32\Fqfipj32.exe48⤵
- Executes dropped EXE
PID:2352 -
C:\Windows\SysWOW64\Fdaephpc.exeC:\Windows\system32\Fdaephpc.exe49⤵
- Executes dropped EXE
PID:2812 -
C:\Windows\SysWOW64\Fgpalcog.exeC:\Windows\system32\Fgpalcog.exe50⤵
- Executes dropped EXE
- Modifies registry class
PID:2780 -
C:\Windows\SysWOW64\Fjomhonj.exeC:\Windows\system32\Fjomhonj.exe51⤵
- Executes dropped EXE
PID:2828 -
C:\Windows\SysWOW64\Flmidkmn.exeC:\Windows\system32\Flmidkmn.exe52⤵
- Executes dropped EXE
- Modifies registry class
PID:2672 -
C:\Windows\SysWOW64\Fqheei32.exeC:\Windows\system32\Fqheei32.exe53⤵
- Executes dropped EXE
PID:2488 -
C:\Windows\SysWOW64\Fcgaae32.exeC:\Windows\system32\Fcgaae32.exe54⤵
- Executes dropped EXE
PID:1708 -
C:\Windows\SysWOW64\Ffenmp32.exeC:\Windows\system32\Ffenmp32.exe55⤵
- Executes dropped EXE
PID:1692 -
C:\Windows\SysWOW64\Fjajno32.exeC:\Windows\system32\Fjajno32.exe56⤵
- Executes dropped EXE
PID:2940 -
C:\Windows\SysWOW64\Fmofjj32.exeC:\Windows\system32\Fmofjj32.exe57⤵
- Executes dropped EXE
PID:1924 -
C:\Windows\SysWOW64\Fonbff32.exeC:\Windows\system32\Fonbff32.exe58⤵
- Executes dropped EXE
PID:872 -
C:\Windows\SysWOW64\Fcingdbh.exeC:\Windows\system32\Fcingdbh.exe59⤵
- Executes dropped EXE
PID:1144 -
C:\Windows\SysWOW64\Fhfgokap.exeC:\Windows\system32\Fhfgokap.exe60⤵
- Executes dropped EXE
PID:2088 -
C:\Windows\SysWOW64\Fmacpj32.exeC:\Windows\system32\Fmacpj32.exe61⤵
- Executes dropped EXE
PID:2168 -
C:\Windows\SysWOW64\Fopole32.exeC:\Windows\system32\Fopole32.exe62⤵
- Executes dropped EXE
PID:2344 -
C:\Windows\SysWOW64\Fbnkha32.exeC:\Windows\system32\Fbnkha32.exe63⤵
- Executes dropped EXE
PID:532 -
C:\Windows\SysWOW64\Fdmgdl32.exeC:\Windows\system32\Fdmgdl32.exe64⤵
- Executes dropped EXE
PID:1528 -
C:\Windows\SysWOW64\Fmdpejgf.exeC:\Windows\system32\Fmdpejgf.exe65⤵
- Executes dropped EXE
PID:2608 -
C:\Windows\SysWOW64\Fkgpaf32.exeC:\Windows\system32\Fkgpaf32.exe66⤵
- System Location Discovery: System Language Discovery
PID:1988 -
C:\Windows\SysWOW64\Foblaefj.exeC:\Windows\system32\Foblaefj.exe67⤵PID:808
-
C:\Windows\SysWOW64\Fbqhnqen.exeC:\Windows\system32\Fbqhnqen.exe68⤵PID:1448
-
C:\Windows\SysWOW64\Gfldno32.exeC:\Windows\system32\Gfldno32.exe69⤵PID:2544
-
C:\Windows\SysWOW64\Gikpjk32.exeC:\Windows\system32\Gikpjk32.exe70⤵PID:2816
-
C:\Windows\SysWOW64\Ggnqfgce.exeC:\Windows\system32\Ggnqfgce.exe71⤵PID:2876
-
C:\Windows\SysWOW64\Godhgedg.exeC:\Windows\system32\Godhgedg.exe72⤵PID:1460
-
C:\Windows\SysWOW64\Gngiba32.exeC:\Windows\system32\Gngiba32.exe73⤵
- System Location Discovery: System Language Discovery
PID:280 -
C:\Windows\SysWOW64\Gqfeom32.exeC:\Windows\system32\Gqfeom32.exe74⤵PID:1192
-
C:\Windows\SysWOW64\Gimmpj32.exeC:\Windows\system32\Gimmpj32.exe75⤵PID:1332
-
C:\Windows\SysWOW64\Ggpmkgab.exeC:\Windows\system32\Ggpmkgab.exe76⤵
- System Location Discovery: System Language Discovery
PID:2044 -
C:\Windows\SysWOW64\Gjnigb32.exeC:\Windows\system32\Gjnigb32.exe77⤵PID:3056
-
C:\Windows\SysWOW64\Gbeaip32.exeC:\Windows\system32\Gbeaip32.exe78⤵PID:684
-
C:\Windows\SysWOW64\Gqhadmhc.exeC:\Windows\system32\Gqhadmhc.exe79⤵PID:2856
-
C:\Windows\SysWOW64\Gcgnphgf.exeC:\Windows\system32\Gcgnphgf.exe80⤵PID:860
-
C:\Windows\SysWOW64\Gknfaehi.exeC:\Windows\system32\Gknfaehi.exe81⤵PID:580
-
C:\Windows\SysWOW64\Gknfaehi.exeC:\Windows\system32\Gknfaehi.exe82⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2552 -
C:\Windows\SysWOW64\Gjqfmb32.exeC:\Windows\system32\Gjqfmb32.exe83⤵PID:1532
-
C:\Windows\SysWOW64\Gnlbnagl.exeC:\Windows\system32\Gnlbnagl.exe84⤵PID:1736
-
C:\Windows\SysWOW64\Gqknjlfp.exeC:\Windows\system32\Gqknjlfp.exe85⤵
- Drops file in System32 directory
PID:2496 -
C:\Windows\SysWOW64\Gcikfhed.exeC:\Windows\system32\Gcikfhed.exe86⤵PID:1964
-
C:\Windows\SysWOW64\Gfggbcdg.exeC:\Windows\system32\Gfggbcdg.exe87⤵PID:3000
-
C:\Windows\SysWOW64\Gjccbb32.exeC:\Windows\system32\Gjccbb32.exe88⤵PID:2668
-
C:\Windows\SysWOW64\Gamkol32.exeC:\Windows\system32\Gamkol32.exe89⤵PID:2716
-
C:\Windows\SysWOW64\Gckgkg32.exeC:\Windows\system32\Gckgkg32.exe90⤵PID:2132
-
C:\Windows\SysWOW64\Gggclfkj.exeC:\Windows\system32\Gggclfkj.exe91⤵PID:1156
-
C:\Windows\SysWOW64\Gfjcgc32.exeC:\Windows\system32\Gfjcgc32.exe92⤵PID:3052
-
C:\Windows\SysWOW64\Gihpcn32.exeC:\Windows\system32\Gihpcn32.exe93⤵PID:2992
-
C:\Windows\SysWOW64\Haohel32.exeC:\Windows\system32\Haohel32.exe94⤵PID:680
-
C:\Windows\SysWOW64\Hpbhphie.exeC:\Windows\system32\Hpbhphie.exe95⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1444 -
C:\Windows\SysWOW64\Hflpmb32.exeC:\Windows\system32\Hflpmb32.exe96⤵PID:2196
-
C:\Windows\SysWOW64\Hjhlnahk.exeC:\Windows\system32\Hjhlnahk.exe97⤵PID:1292
-
C:\Windows\SysWOW64\Hmfhjmho.exeC:\Windows\system32\Hmfhjmho.exe98⤵PID:1720
-
C:\Windows\SysWOW64\Hpdefh32.exeC:\Windows\system32\Hpdefh32.exe99⤵PID:1880
-
C:\Windows\SysWOW64\Hcpqfgol.exeC:\Windows\system32\Hcpqfgol.exe100⤵
- Modifies registry class
PID:1312 -
C:\Windows\SysWOW64\Hbcabc32.exeC:\Windows\system32\Hbcabc32.exe101⤵PID:2772
-
C:\Windows\SysWOW64\Heamno32.exeC:\Windows\system32\Heamno32.exe102⤵PID:2788
-
C:\Windows\SysWOW64\Himionmc.exeC:\Windows\system32\Himionmc.exe103⤵PID:2692
-
C:\Windows\SysWOW64\Hmheol32.exeC:\Windows\system32\Hmheol32.exe104⤵PID:1608
-
C:\Windows\SysWOW64\Hpgakh32.exeC:\Windows\system32\Hpgakh32.exe105⤵PID:760
-
C:\Windows\SysWOW64\Hnjagdlj.exeC:\Windows\system32\Hnjagdlj.exe106⤵PID:2752
-
C:\Windows\SysWOW64\Hfajhblm.exeC:\Windows\system32\Hfajhblm.exe107⤵PID:3016
-
C:\Windows\SysWOW64\Hecjco32.exeC:\Windows\system32\Hecjco32.exe108⤵PID:1552
-
C:\Windows\SysWOW64\Hhbfpj32.exeC:\Windows\system32\Hhbfpj32.exe109⤵
- System Location Discovery: System Language Discovery
PID:264 -
C:\Windows\SysWOW64\Hpinagbm.exeC:\Windows\system32\Hpinagbm.exe110⤵PID:1000
-
C:\Windows\SysWOW64\Hnlnmd32.exeC:\Windows\system32\Hnlnmd32.exe111⤵
- Drops file in System32 directory
PID:1136 -
C:\Windows\SysWOW64\Hbgjmcba.exeC:\Windows\system32\Hbgjmcba.exe112⤵
- Modifies registry class
PID:1620 -
C:\Windows\SysWOW64\Hefginae.exeC:\Windows\system32\Hefginae.exe113⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1592 -
C:\Windows\SysWOW64\Hhdcejph.exeC:\Windows\system32\Hhdcejph.exe114⤵PID:2796
-
C:\Windows\SysWOW64\Hjcoaeol.exeC:\Windows\system32\Hjcoaeol.exe115⤵
- Drops file in System32 directory
PID:2740 -
C:\Windows\SysWOW64\Hnnkbd32.exeC:\Windows\system32\Hnnkbd32.exe116⤵
- System Location Discovery: System Language Discovery
PID:2516 -
C:\Windows\SysWOW64\Hamgno32.exeC:\Windows\system32\Hamgno32.exe117⤵PID:2568
-
C:\Windows\SysWOW64\Hehconob.exeC:\Windows\system32\Hehconob.exe118⤵PID:2180
-
C:\Windows\SysWOW64\Ilblkh32.exeC:\Windows\system32\Ilblkh32.exe119⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:308 -
C:\Windows\SysWOW64\Ijelgemi.exeC:\Windows\system32\Ijelgemi.exe120⤵PID:2380
-
C:\Windows\SysWOW64\Imchcplm.exeC:\Windows\system32\Imchcplm.exe121⤵
- System Location Discovery: System Language Discovery
PID:2624
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-