Analysis
-
max time kernel
63s -
max time network
16s -
platform
windows7_x64 -
resource
win7-20240729-en -
resource tags
arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system -
submitted
03-10-2024 05:35
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
b38350c75d0d7f9a7547254f9fad5bc7260ef1e0132b38ae8299e59ae82b9dc0N.exe
Resource
win7-20240729-en
windows7-x64
8 signatures
120 seconds
Behavioral task
behavioral2
Sample
b38350c75d0d7f9a7547254f9fad5bc7260ef1e0132b38ae8299e59ae82b9dc0N.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
7 signatures
120 seconds
General
-
Target
b38350c75d0d7f9a7547254f9fad5bc7260ef1e0132b38ae8299e59ae82b9dc0N.exe
-
Size
64KB
-
MD5
ff76c58e80f803460d3954b791829820
-
SHA1
23293de9e60da43dc23476c1818af8372930e515
-
SHA256
b38350c75d0d7f9a7547254f9fad5bc7260ef1e0132b38ae8299e59ae82b9dc0
-
SHA512
f59230f89b0b7399ad9cfc06ac444003559f1de64bf9406dcd5f9379afc19ebb9c5c2fe5b568d32b3f1ca9ef9179ec960beb0434594164439e301ce76f6b9abc
-
SSDEEP
1536:cVMvVZ7269M89000lpWFc84kUXruCHcpzt/Idn:tvVZ7j9d000Oc8XpFwn
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iockhigl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ihqilnig.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mlhmkbhb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cniajdkg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Enngdgim.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mpimbcnf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cppakj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cnlnpd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nmacej32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nmgjee32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oomlfpdi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ddhcbnnn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hdkaabnh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Coldmfkf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Egchmfnd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ebofcd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Idcqep32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Enbapf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ijopjhfh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pbjkop32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dpdfemkm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ljjhdm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ljbkig32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mchokq32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oacbdg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ollcee32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cofaog32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dnqhkcdo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pmmcfi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lmqgec32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Igcjgk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jcaqmkpn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Klonqpbi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fnbmoi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kioiffcn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Olgpff32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fgqhgjbb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Leqeed32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Meeopdhb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mffkgl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nkdpmn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gieaef32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hfnkji32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Elbmkm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jlekja32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qkelme32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qbodjofc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fqpbpo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fmgcepio.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Chofhm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Egflml32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nkjdcp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pipjpj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gllpflng.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ihcfan32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ninjjf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hehafe32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qkelme32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aebjaj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kgoebmip.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Chblqlcj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mbpibm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oibpdico.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fnejdiep.exe -
Executes dropped EXE 64 IoCs
pid Process 2944 Bacefpbg.exe 2952 Bhmmcjjd.exe 2840 Bphaglgo.exe 2896 Bfbjdf32.exe 2820 Biqfpb32.exe 656 Blobmm32.exe 1716 Bmnofp32.exe 1992 Bpmkbl32.exe 2912 Ceickb32.exe 2280 Clclhmin.exe 2272 Celpqbon.exe 1656 Chjmmnnb.exe 2184 Ckiiiine.exe 2088 Cabaec32.exe 976 Chmibmlo.exe 824 Cofaog32.exe 800 Cniajdkg.exe 1852 Cdcjgnbc.exe 1640 Chofhm32.exe 1664 Cgbfcjag.exe 988 Cnlnpd32.exe 2500 Cagjqbam.exe 1072 Cdfgmnpa.exe 1240 Chabmm32.exe 2320 Ckpoih32.exe 3004 Ddhcbnnn.exe 1872 Dckcnj32.exe 2724 Dkblohek.exe 1700 Dnqhkcdo.exe 444 Dpodgocb.exe 1952 Dcmpcjcf.exe 2340 Dgildi32.exe 2176 Djghpd32.exe 2916 Dleelp32.exe 2904 Dodahk32.exe 1592 Dcpmijqc.exe 2356 Dfniee32.exe 2188 Djjeedhp.exe 2192 Dlhaaogd.exe 596 Dpcnbn32.exe 1480 Dcbjni32.exe 2308 Dbejjfek.exe 2668 Dfpfke32.exe 1884 Djlbkcfn.exe 2456 Dhobgp32.exe 2608 Dbggpfci.exe 2440 Dfbbpd32.exe 1088 Ehaolpke.exe 2216 Ekpkhkji.exe 2716 Eokgij32.exe 2704 Enngdgim.exe 2784 Efeoedjo.exe 2476 Edhpaa32.exe 1496 Egflml32.exe 2908 Eomdoj32.exe 2392 Ehfhgogp.exe 2264 Ekddck32.exe 1928 Enbapf32.exe 2448 Eqamla32.exe 1948 Edmilpld.exe 2384 Egkehllh.exe 1608 Egkehllh.exe 1612 Enenef32.exe 1368 Emhnqbjo.exe -
Loads dropped DLL 64 IoCs
pid Process 1464 b38350c75d0d7f9a7547254f9fad5bc7260ef1e0132b38ae8299e59ae82b9dc0N.exe 1464 b38350c75d0d7f9a7547254f9fad5bc7260ef1e0132b38ae8299e59ae82b9dc0N.exe 2944 Bacefpbg.exe 2944 Bacefpbg.exe 2952 Bhmmcjjd.exe 2952 Bhmmcjjd.exe 2840 Bphaglgo.exe 2840 Bphaglgo.exe 2896 Bfbjdf32.exe 2896 Bfbjdf32.exe 2820 Biqfpb32.exe 2820 Biqfpb32.exe 656 Blobmm32.exe 656 Blobmm32.exe 1716 Bmnofp32.exe 1716 Bmnofp32.exe 1992 Bpmkbl32.exe 1992 Bpmkbl32.exe 2912 Ceickb32.exe 2912 Ceickb32.exe 2280 Clclhmin.exe 2280 Clclhmin.exe 2272 Celpqbon.exe 2272 Celpqbon.exe 1656 Chjmmnnb.exe 1656 Chjmmnnb.exe 2184 Ckiiiine.exe 2184 Ckiiiine.exe 2088 Cabaec32.exe 2088 Cabaec32.exe 976 Chmibmlo.exe 976 Chmibmlo.exe 824 Cofaog32.exe 824 Cofaog32.exe 800 Cniajdkg.exe 800 Cniajdkg.exe 1852 Cdcjgnbc.exe 1852 Cdcjgnbc.exe 1640 Chofhm32.exe 1640 Chofhm32.exe 1664 Cgbfcjag.exe 1664 Cgbfcjag.exe 988 Cnlnpd32.exe 988 Cnlnpd32.exe 2500 Cagjqbam.exe 2500 Cagjqbam.exe 1072 Cdfgmnpa.exe 1072 Cdfgmnpa.exe 1240 Chabmm32.exe 1240 Chabmm32.exe 3032 Dajgfboj.exe 3032 Dajgfboj.exe 3004 Ddhcbnnn.exe 3004 Ddhcbnnn.exe 1872 Dckcnj32.exe 1872 Dckcnj32.exe 2724 Dkblohek.exe 2724 Dkblohek.exe 1700 Dnqhkcdo.exe 1700 Dnqhkcdo.exe 444 Dpodgocb.exe 444 Dpodgocb.exe 1952 Dcmpcjcf.exe 1952 Dcmpcjcf.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Pncljmko.exe Pkepnalk.exe File opened for modification C:\Windows\SysWOW64\Kfdfdf32.exe Jcfjhj32.exe File created C:\Windows\SysWOW64\Hogcil32.exe Hlhfmqge.exe File opened for modification C:\Windows\SysWOW64\Anjojphb.exe Afcghbgp.exe File created C:\Windows\SysWOW64\Anckcdco.dll Bboahbio.exe File opened for modification C:\Windows\SysWOW64\Baigen32.exe Bbfgiabg.exe File created C:\Windows\SysWOW64\Mamcfo32.dll Ebabicfn.exe File opened for modification C:\Windows\SysWOW64\Geinjapb.exe Gbkaneao.exe File opened for modification C:\Windows\SysWOW64\Hlcbfnjk.exe Hidfjckg.exe File created C:\Windows\SysWOW64\Mqobfajn.dll Ehfhgogp.exe File created C:\Windows\SysWOW64\Mifkfhpa.exe Maocekoo.exe File created C:\Windows\SysWOW64\Lokfgk32.dll Fohphgce.exe File created C:\Windows\SysWOW64\Kcipdg32.dll Ollcee32.exe File opened for modification C:\Windows\SysWOW64\Iaobkf32.exe Iopeoknn.exe File opened for modification C:\Windows\SysWOW64\Maocekoo.exe Mblcin32.exe File created C:\Windows\SysWOW64\Hiohip32.dll Lbkchj32.exe File opened for modification C:\Windows\SysWOW64\Mffkgl32.exe Mchokq32.exe File created C:\Windows\SysWOW64\Mdpnaccc.dll Kkkhmadd.exe File created C:\Windows\SysWOW64\Gnkqpnqp.dll Npkfff32.exe File opened for modification C:\Windows\SysWOW64\Amplklmj.exe Ajapoqmf.exe File created C:\Windows\SysWOW64\Ifpjem32.dll Dlhaaogd.exe File opened for modification C:\Windows\SysWOW64\Iiipeb32.exe Iabhdefo.exe File created C:\Windows\SysWOW64\Cokdhpcc.dll Kdnlpaln.exe File opened for modification C:\Windows\SysWOW64\Dcbjni32.exe Dpcnbn32.exe File created C:\Windows\SysWOW64\Acheia32.dll Lgiobadq.exe File created C:\Windows\SysWOW64\Bojkib32.exe Bllomg32.exe File created C:\Windows\SysWOW64\Oiljcj32.exe Okijhmcm.exe File opened for modification C:\Windows\SysWOW64\Oacbdg32.exe Oiljcj32.exe File opened for modification C:\Windows\SysWOW64\Biqfpb32.exe Bfbjdf32.exe File created C:\Windows\SysWOW64\Bhnmcp32.dll Dcbjni32.exe File created C:\Windows\SysWOW64\Emhnqbjo.exe Enenef32.exe File opened for modification C:\Windows\SysWOW64\Keappgmg.exe Kbcddlnd.exe File opened for modification C:\Windows\SysWOW64\Gabofn32.exe Fmgcepio.exe File created C:\Windows\SysWOW64\Ijopjhfh.exe Icdhnn32.exe File created C:\Windows\SysWOW64\Lfnlcnih.exe Lcppgbjd.exe File created C:\Windows\SysWOW64\Iainddpg.exe Iokahhac.exe File created C:\Windows\SysWOW64\Kmfklepl.exe Kikokf32.exe File opened for modification C:\Windows\SysWOW64\Ehgaknbp.exe Efhenccl.exe File created C:\Windows\SysWOW64\Lbkchj32.exe Lchclmla.exe File created C:\Windows\SysWOW64\Kgdiho32.exe Kcimhpma.exe File created C:\Windows\SysWOW64\Mbginomj.exe Mpimbcnf.exe File created C:\Windows\SysWOW64\Ojfcdo32.exe Oggghc32.exe File created C:\Windows\SysWOW64\Omopkm32.dll Dchpnd32.exe File created C:\Windows\SysWOW64\Dkcebg32.exe Dlpdfjjp.exe File opened for modification C:\Windows\SysWOW64\Dnhgoa32.exe Dkjkcfjc.exe File created C:\Windows\SysWOW64\Lijepc32.exe Lfkhch32.exe File created C:\Windows\SysWOW64\Jddqgdii.exe Jbedkhie.exe File opened for modification C:\Windows\SysWOW64\Kcngcp32.exe Kobkbaac.exe File opened for modification C:\Windows\SysWOW64\Pipjpj32.exe Pfando32.exe File created C:\Windows\SysWOW64\Oifakkod.dll Dhgelk32.exe File created C:\Windows\SysWOW64\Dpdfemkm.exe Dabfjp32.exe File created C:\Windows\SysWOW64\Gekkpqnp.exe Gbmoceol.exe File opened for modification C:\Windows\SysWOW64\Gbheif32.exe Gnmihgkh.exe File opened for modification C:\Windows\SysWOW64\Chmibmlo.exe Cabaec32.exe File created C:\Windows\SysWOW64\Cniajdkg.exe Cofaog32.exe File created C:\Windows\SysWOW64\Poaamlnm.dll Hbboiknb.exe File opened for modification C:\Windows\SysWOW64\Aadakl32.exe Anfeop32.exe File created C:\Windows\SysWOW64\Knaaiakh.dll Blgeahoo.exe File created C:\Windows\SysWOW64\Ogjaqc32.dll Enmqjq32.exe File created C:\Windows\SysWOW64\Oijehm32.dll Gmcikd32.exe File created C:\Windows\SysWOW64\Jfidah32.dll Mpoppadq.exe File opened for modification C:\Windows\SysWOW64\Aiimfi32.exe Aemafjeg.exe File opened for modification C:\Windows\SysWOW64\Edpoeoea.exe Ebabicfn.exe File opened for modification C:\Windows\SysWOW64\Hagepa32.exe Hjmmcgha.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 7744 7720 WerFault.exe 723 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kcngcp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Camqpnel.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Elpqemll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Giejkp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mbpibm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Glijnmdj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iopeoknn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pkepnalk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lpapgnpb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jakjjcnd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Khcbpa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gfiaojkq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jhfjadim.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jcgqbq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bdipfi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gbdlnf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kbkgig32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nbfobllj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hkppcmjk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kobkbaac.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aiflpm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Enmqjq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gbheif32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dcmpcjcf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fppmcmah.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bafkookd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Befpkmph.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fpkchm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nogmin32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iigcobid.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pfando32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gbkaneao.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Klonqpbi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ddhcbnnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fiedfb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kcimhpma.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kihbfg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mhkhgd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bafkookd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gbfhcf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lfilnh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pdndggcl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cimooo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dcepgh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mgoaap32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bpengf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dlpdfjjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fnkpcd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gjkcod32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fgpock32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ilkpac32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mifkfhpa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oafedmlb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iljifm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gcchgini.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jcaqmkpn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oheppe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cofaog32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kbeqjl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Blnkbg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ebabicfn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fcoolj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Heijidbn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hogcil32.exe -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ialadj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jgppmpjp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Leqeed32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dajgfboj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kcgpfpbq.dll" Nmhqokcq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Oajopl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dhehfk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dhompmdf.dll" Dfbbpd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qidckjae.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ehcgkpie.dll" Elndpnnn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Klonqpbi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nmogpj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gdnkkmej.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Meeopdhb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dkmghe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nhikkb32.dll" Hfaqbh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jlekja32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mjddnjdf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Edmilpld.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Phlaof32.dll" Ioaobjin.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ddhcbnnn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Injlkf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gqaaok32.dll" Jkllnn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dchpnd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fqkieogp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hlqfqo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Celpqbon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lnqkjl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pgjkje32.dll" Fipdqmje.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Liboodmk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Biqfpb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Efbfbl32.dll" Kmoekf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pncljmko.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kbbedq32.dll" Pipjpj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Glaiak32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jcdmbk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bjhjon32.dll" Mnijnjbh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Edhpaa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Miokdmmk.dll" Mfceom32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Knaaiakh.dll" Blgeahoo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Keappgmg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Inebpgbf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lajmkhai.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mpimbcnf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjmjhgbh.dll" Aepnkjcd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cfjihdcc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gllpflng.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kbkgig32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hiockd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kheofahm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hehafe32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hkejnl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kcngcp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ehaolpke.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gbdlnf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Idcqep32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Coelpahk.dll" Pbjkop32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Olimlf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kcpabfbj.dll" Oafedmlb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lchclmla.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jfjjkhhg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mldgbcoe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ooicngen.dll" Nmacej32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cgohnp32.dll" Aadakl32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1464 wrote to memory of 2944 1464 b38350c75d0d7f9a7547254f9fad5bc7260ef1e0132b38ae8299e59ae82b9dc0N.exe 30 PID 1464 wrote to memory of 2944 1464 b38350c75d0d7f9a7547254f9fad5bc7260ef1e0132b38ae8299e59ae82b9dc0N.exe 30 PID 1464 wrote to memory of 2944 1464 b38350c75d0d7f9a7547254f9fad5bc7260ef1e0132b38ae8299e59ae82b9dc0N.exe 30 PID 1464 wrote to memory of 2944 1464 b38350c75d0d7f9a7547254f9fad5bc7260ef1e0132b38ae8299e59ae82b9dc0N.exe 30 PID 2944 wrote to memory of 2952 2944 Bacefpbg.exe 31 PID 2944 wrote to memory of 2952 2944 Bacefpbg.exe 31 PID 2944 wrote to memory of 2952 2944 Bacefpbg.exe 31 PID 2944 wrote to memory of 2952 2944 Bacefpbg.exe 31 PID 2952 wrote to memory of 2840 2952 Bhmmcjjd.exe 32 PID 2952 wrote to memory of 2840 2952 Bhmmcjjd.exe 32 PID 2952 wrote to memory of 2840 2952 Bhmmcjjd.exe 32 PID 2952 wrote to memory of 2840 2952 Bhmmcjjd.exe 32 PID 2840 wrote to memory of 2896 2840 Bphaglgo.exe 33 PID 2840 wrote to memory of 2896 2840 Bphaglgo.exe 33 PID 2840 wrote to memory of 2896 2840 Bphaglgo.exe 33 PID 2840 wrote to memory of 2896 2840 Bphaglgo.exe 33 PID 2896 wrote to memory of 2820 2896 Bfbjdf32.exe 34 PID 2896 wrote to memory of 2820 2896 Bfbjdf32.exe 34 PID 2896 wrote to memory of 2820 2896 Bfbjdf32.exe 34 PID 2896 wrote to memory of 2820 2896 Bfbjdf32.exe 34 PID 2820 wrote to memory of 656 2820 Biqfpb32.exe 35 PID 2820 wrote to memory of 656 2820 Biqfpb32.exe 35 PID 2820 wrote to memory of 656 2820 Biqfpb32.exe 35 PID 2820 wrote to memory of 656 2820 Biqfpb32.exe 35 PID 656 wrote to memory of 1716 656 Blobmm32.exe 36 PID 656 wrote to memory of 1716 656 Blobmm32.exe 36 PID 656 wrote to memory of 1716 656 Blobmm32.exe 36 PID 656 wrote to memory of 1716 656 Blobmm32.exe 36 PID 1716 wrote to memory of 1992 1716 Bmnofp32.exe 37 PID 1716 wrote to memory of 1992 1716 Bmnofp32.exe 37 PID 1716 wrote to memory of 1992 1716 Bmnofp32.exe 37 PID 1716 wrote to memory of 1992 1716 Bmnofp32.exe 37 PID 1992 wrote to memory of 2912 1992 Bpmkbl32.exe 38 PID 1992 wrote to memory of 2912 1992 Bpmkbl32.exe 38 PID 1992 wrote to memory of 2912 1992 Bpmkbl32.exe 38 PID 1992 wrote to memory of 2912 1992 Bpmkbl32.exe 38 PID 2912 wrote to memory of 2280 2912 Ceickb32.exe 39 PID 2912 wrote to memory of 2280 2912 Ceickb32.exe 39 PID 2912 wrote to memory of 2280 2912 Ceickb32.exe 39 PID 2912 wrote to memory of 2280 2912 Ceickb32.exe 39 PID 2280 wrote to memory of 2272 2280 Clclhmin.exe 40 PID 2280 wrote to memory of 2272 2280 Clclhmin.exe 40 PID 2280 wrote to memory of 2272 2280 Clclhmin.exe 40 PID 2280 wrote to memory of 2272 2280 Clclhmin.exe 40 PID 2272 wrote to memory of 1656 2272 Celpqbon.exe 41 PID 2272 wrote to memory of 1656 2272 Celpqbon.exe 41 PID 2272 wrote to memory of 1656 2272 Celpqbon.exe 41 PID 2272 wrote to memory of 1656 2272 Celpqbon.exe 41 PID 1656 wrote to memory of 2184 1656 Chjmmnnb.exe 42 PID 1656 wrote to memory of 2184 1656 Chjmmnnb.exe 42 PID 1656 wrote to memory of 2184 1656 Chjmmnnb.exe 42 PID 1656 wrote to memory of 2184 1656 Chjmmnnb.exe 42 PID 2184 wrote to memory of 2088 2184 Ckiiiine.exe 43 PID 2184 wrote to memory of 2088 2184 Ckiiiine.exe 43 PID 2184 wrote to memory of 2088 2184 Ckiiiine.exe 43 PID 2184 wrote to memory of 2088 2184 Ckiiiine.exe 43 PID 2088 wrote to memory of 976 2088 Cabaec32.exe 44 PID 2088 wrote to memory of 976 2088 Cabaec32.exe 44 PID 2088 wrote to memory of 976 2088 Cabaec32.exe 44 PID 2088 wrote to memory of 976 2088 Cabaec32.exe 44 PID 976 wrote to memory of 824 976 Chmibmlo.exe 45 PID 976 wrote to memory of 824 976 Chmibmlo.exe 45 PID 976 wrote to memory of 824 976 Chmibmlo.exe 45 PID 976 wrote to memory of 824 976 Chmibmlo.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\b38350c75d0d7f9a7547254f9fad5bc7260ef1e0132b38ae8299e59ae82b9dc0N.exe"C:\Users\Admin\AppData\Local\Temp\b38350c75d0d7f9a7547254f9fad5bc7260ef1e0132b38ae8299e59ae82b9dc0N.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1464 -
C:\Windows\SysWOW64\Bacefpbg.exeC:\Windows\system32\Bacefpbg.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2944 -
C:\Windows\SysWOW64\Bhmmcjjd.exeC:\Windows\system32\Bhmmcjjd.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2952 -
C:\Windows\SysWOW64\Bphaglgo.exeC:\Windows\system32\Bphaglgo.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2840 -
C:\Windows\SysWOW64\Bfbjdf32.exeC:\Windows\system32\Bfbjdf32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2896 -
C:\Windows\SysWOW64\Biqfpb32.exeC:\Windows\system32\Biqfpb32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2820 -
C:\Windows\SysWOW64\Blobmm32.exeC:\Windows\system32\Blobmm32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:656 -
C:\Windows\SysWOW64\Bmnofp32.exeC:\Windows\system32\Bmnofp32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1716 -
C:\Windows\SysWOW64\Bpmkbl32.exeC:\Windows\system32\Bpmkbl32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1992 -
C:\Windows\SysWOW64\Ceickb32.exeC:\Windows\system32\Ceickb32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2912 -
C:\Windows\SysWOW64\Clclhmin.exeC:\Windows\system32\Clclhmin.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2280 -
C:\Windows\SysWOW64\Celpqbon.exeC:\Windows\system32\Celpqbon.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2272 -
C:\Windows\SysWOW64\Chjmmnnb.exeC:\Windows\system32\Chjmmnnb.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1656 -
C:\Windows\SysWOW64\Ckiiiine.exeC:\Windows\system32\Ckiiiine.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2184 -
C:\Windows\SysWOW64\Cabaec32.exeC:\Windows\system32\Cabaec32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2088 -
C:\Windows\SysWOW64\Chmibmlo.exeC:\Windows\system32\Chmibmlo.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:976 -
C:\Windows\SysWOW64\Cofaog32.exeC:\Windows\system32\Cofaog32.exe17⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:824 -
C:\Windows\SysWOW64\Cniajdkg.exeC:\Windows\system32\Cniajdkg.exe18⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:800 -
C:\Windows\SysWOW64\Cdcjgnbc.exeC:\Windows\system32\Cdcjgnbc.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1852 -
C:\Windows\SysWOW64\Chofhm32.exeC:\Windows\system32\Chofhm32.exe20⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1640 -
C:\Windows\SysWOW64\Cgbfcjag.exeC:\Windows\system32\Cgbfcjag.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1664 -
C:\Windows\SysWOW64\Cnlnpd32.exeC:\Windows\system32\Cnlnpd32.exe22⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:988 -
C:\Windows\SysWOW64\Cagjqbam.exeC:\Windows\system32\Cagjqbam.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2500 -
C:\Windows\SysWOW64\Cdfgmnpa.exeC:\Windows\system32\Cdfgmnpa.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1072 -
C:\Windows\SysWOW64\Chabmm32.exeC:\Windows\system32\Chabmm32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1240 -
C:\Windows\SysWOW64\Ckpoih32.exeC:\Windows\system32\Ckpoih32.exe26⤵
- Executes dropped EXE
PID:2320 -
C:\Windows\SysWOW64\Dajgfboj.exeC:\Windows\system32\Dajgfboj.exe27⤵
- Loads dropped DLL
- Modifies registry class
PID:3032 -
C:\Windows\SysWOW64\Ddhcbnnn.exeC:\Windows\system32\Ddhcbnnn.exe28⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:3004 -
C:\Windows\SysWOW64\Dckcnj32.exeC:\Windows\system32\Dckcnj32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1872 -
C:\Windows\SysWOW64\Dkblohek.exeC:\Windows\system32\Dkblohek.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2724 -
C:\Windows\SysWOW64\Dnqhkcdo.exeC:\Windows\system32\Dnqhkcdo.exe31⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1700 -
C:\Windows\SysWOW64\Dpodgocb.exeC:\Windows\system32\Dpodgocb.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:444 -
C:\Windows\SysWOW64\Dcmpcjcf.exeC:\Windows\system32\Dcmpcjcf.exe33⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1952 -
C:\Windows\SysWOW64\Dgildi32.exeC:\Windows\system32\Dgildi32.exe34⤵
- Executes dropped EXE
PID:2340 -
C:\Windows\SysWOW64\Djghpd32.exeC:\Windows\system32\Djghpd32.exe35⤵
- Executes dropped EXE
PID:2176 -
C:\Windows\SysWOW64\Dleelp32.exeC:\Windows\system32\Dleelp32.exe36⤵
- Executes dropped EXE
PID:2916 -
C:\Windows\SysWOW64\Dodahk32.exeC:\Windows\system32\Dodahk32.exe37⤵
- Executes dropped EXE
PID:2904 -
C:\Windows\SysWOW64\Dcpmijqc.exeC:\Windows\system32\Dcpmijqc.exe38⤵
- Executes dropped EXE
PID:1592 -
C:\Windows\SysWOW64\Dfniee32.exeC:\Windows\system32\Dfniee32.exe39⤵
- Executes dropped EXE
PID:2356 -
C:\Windows\SysWOW64\Djjeedhp.exeC:\Windows\system32\Djjeedhp.exe40⤵
- Executes dropped EXE
PID:2188 -
C:\Windows\SysWOW64\Dlhaaogd.exeC:\Windows\system32\Dlhaaogd.exe41⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2192 -
C:\Windows\SysWOW64\Dpcnbn32.exeC:\Windows\system32\Dpcnbn32.exe42⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:596 -
C:\Windows\SysWOW64\Dcbjni32.exeC:\Windows\system32\Dcbjni32.exe43⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1480 -
C:\Windows\SysWOW64\Dbejjfek.exeC:\Windows\system32\Dbejjfek.exe44⤵
- Executes dropped EXE
PID:2308 -
C:\Windows\SysWOW64\Dfpfke32.exeC:\Windows\system32\Dfpfke32.exe45⤵
- Executes dropped EXE
PID:2668 -
C:\Windows\SysWOW64\Djlbkcfn.exeC:\Windows\system32\Djlbkcfn.exe46⤵
- Executes dropped EXE
PID:1884 -
C:\Windows\SysWOW64\Dhobgp32.exeC:\Windows\system32\Dhobgp32.exe47⤵
- Executes dropped EXE
PID:2456 -
C:\Windows\SysWOW64\Dbggpfci.exeC:\Windows\system32\Dbggpfci.exe48⤵
- Executes dropped EXE
PID:2608 -
C:\Windows\SysWOW64\Dfbbpd32.exeC:\Windows\system32\Dfbbpd32.exe49⤵
- Executes dropped EXE
- Modifies registry class
PID:2440 -
C:\Windows\SysWOW64\Ehaolpke.exeC:\Windows\system32\Ehaolpke.exe50⤵
- Executes dropped EXE
- Modifies registry class
PID:1088 -
C:\Windows\SysWOW64\Ekpkhkji.exeC:\Windows\system32\Ekpkhkji.exe51⤵
- Executes dropped EXE
PID:2216 -
C:\Windows\SysWOW64\Eokgij32.exeC:\Windows\system32\Eokgij32.exe52⤵
- Executes dropped EXE
PID:2716 -
C:\Windows\SysWOW64\Enngdgim.exeC:\Windows\system32\Enngdgim.exe53⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2704 -
C:\Windows\SysWOW64\Efeoedjo.exeC:\Windows\system32\Efeoedjo.exe54⤵
- Executes dropped EXE
PID:2784 -
C:\Windows\SysWOW64\Edhpaa32.exeC:\Windows\system32\Edhpaa32.exe55⤵
- Executes dropped EXE
- Modifies registry class
PID:2476 -
C:\Windows\SysWOW64\Egflml32.exeC:\Windows\system32\Egflml32.exe56⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1496 -
C:\Windows\SysWOW64\Eomdoj32.exeC:\Windows\system32\Eomdoj32.exe57⤵
- Executes dropped EXE
PID:2908 -
C:\Windows\SysWOW64\Ehfhgogp.exeC:\Windows\system32\Ehfhgogp.exe58⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2392 -
C:\Windows\SysWOW64\Ekddck32.exeC:\Windows\system32\Ekddck32.exe59⤵
- Executes dropped EXE
PID:2264 -
C:\Windows\SysWOW64\Enbapf32.exeC:\Windows\system32\Enbapf32.exe60⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1928 -
C:\Windows\SysWOW64\Eqamla32.exeC:\Windows\system32\Eqamla32.exe61⤵
- Executes dropped EXE
PID:2448 -
C:\Windows\SysWOW64\Edmilpld.exeC:\Windows\system32\Edmilpld.exe62⤵
- Executes dropped EXE
- Modifies registry class
PID:1948 -
C:\Windows\SysWOW64\Egkehllh.exeC:\Windows\system32\Egkehllh.exe63⤵
- Executes dropped EXE
PID:2384 -
C:\Windows\SysWOW64\Egkehllh.exeC:\Windows\system32\Egkehllh.exe64⤵
- Executes dropped EXE
PID:1608 -
C:\Windows\SysWOW64\Enenef32.exeC:\Windows\system32\Enenef32.exe65⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1612 -
C:\Windows\SysWOW64\Emhnqbjo.exeC:\Windows\system32\Emhnqbjo.exe66⤵
- Executes dropped EXE
PID:1368 -
C:\Windows\SysWOW64\Eqcjaa32.exeC:\Windows\system32\Eqcjaa32.exe67⤵PID:2100
-
C:\Windows\SysWOW64\Efpbih32.exeC:\Windows\system32\Efpbih32.exe68⤵PID:872
-
C:\Windows\SysWOW64\Engjkeab.exeC:\Windows\system32\Engjkeab.exe69⤵PID:2488
-
C:\Windows\SysWOW64\Fgpock32.exeC:\Windows\system32\Fgpock32.exe70⤵
- System Location Discovery: System Language Discovery
PID:1056 -
C:\Windows\SysWOW64\Ffboohnm.exeC:\Windows\system32\Ffboohnm.exe71⤵PID:1636
-
C:\Windows\SysWOW64\Fmlglb32.exeC:\Windows\system32\Fmlglb32.exe72⤵PID:2172
-
C:\Windows\SysWOW64\Fpkchm32.exeC:\Windows\system32\Fpkchm32.exe73⤵
- System Location Discovery: System Language Discovery
PID:1904 -
C:\Windows\SysWOW64\Fbipdi32.exeC:\Windows\system32\Fbipdi32.exe74⤵PID:1180
-
C:\Windows\SysWOW64\Fichqckn.exeC:\Windows\system32\Fichqckn.exe75⤵PID:2720
-
C:\Windows\SysWOW64\Fmodaadg.exeC:\Windows\system32\Fmodaadg.exe76⤵PID:2900
-
C:\Windows\SysWOW64\Fcilnl32.exeC:\Windows\system32\Fcilnl32.exe77⤵PID:1696
-
C:\Windows\SysWOW64\Ffghjg32.exeC:\Windows\system32\Ffghjg32.exe78⤵PID:1016
-
C:\Windows\SysWOW64\Fiedfb32.exeC:\Windows\system32\Fiedfb32.exe79⤵
- System Location Discovery: System Language Discovery
PID:2544 -
C:\Windows\SysWOW64\Fppmcmah.exeC:\Windows\system32\Fppmcmah.exe80⤵
- System Location Discovery: System Language Discovery
PID:2116 -
C:\Windows\SysWOW64\Fnbmoi32.exeC:\Windows\system32\Fnbmoi32.exe81⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2208 -
C:\Windows\SysWOW64\Fbniohpl.exeC:\Windows\system32\Fbniohpl.exe82⤵PID:2376
-
C:\Windows\SysWOW64\Fihalb32.exeC:\Windows\system32\Fihalb32.exe83⤵PID:2324
-
C:\Windows\SysWOW64\Flfnhnfm.exeC:\Windows\system32\Flfnhnfm.exe84⤵PID:1064
-
C:\Windows\SysWOW64\Fnejdiep.exeC:\Windows\system32\Fnejdiep.exe85⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1164 -
C:\Windows\SysWOW64\Fbpfeh32.exeC:\Windows\system32\Fbpfeh32.exe86⤵PID:1956
-
C:\Windows\SysWOW64\Feobac32.exeC:\Windows\system32\Feobac32.exe87⤵PID:3020
-
C:\Windows\SysWOW64\Fijnabef.exeC:\Windows\system32\Fijnabef.exe88⤵PID:2268
-
C:\Windows\SysWOW64\Glijnmdj.exeC:\Windows\system32\Glijnmdj.exe89⤵
- System Location Discovery: System Language Discovery
PID:636 -
C:\Windows\SysWOW64\Gbbbjg32.exeC:\Windows\system32\Gbbbjg32.exe90⤵PID:2688
-
C:\Windows\SysWOW64\Gaebfdba.exeC:\Windows\system32\Gaebfdba.exe91⤵PID:2548
-
C:\Windows\SysWOW64\Geaofc32.exeC:\Windows\system32\Geaofc32.exe92⤵PID:2948
-
C:\Windows\SysWOW64\Ghpkbn32.exeC:\Windows\system32\Ghpkbn32.exe93⤵PID:760
-
C:\Windows\SysWOW64\Gmlckehe.exeC:\Windows\system32\Gmlckehe.exe94⤵PID:2060
-
C:\Windows\SysWOW64\Gdflgo32.exeC:\Windows\system32\Gdflgo32.exe95⤵PID:2636
-
C:\Windows\SysWOW64\Gjpddigo.exeC:\Windows\system32\Gjpddigo.exe96⤵PID:1528
-
C:\Windows\SysWOW64\Gmoppefc.exeC:\Windows\system32\Gmoppefc.exe97⤵PID:2344
-
C:\Windows\SysWOW64\Ghddnnfi.exeC:\Windows\system32\Ghddnnfi.exe98⤵PID:2776
-
C:\Windows\SysWOW64\Gfgdij32.exeC:\Windows\system32\Gfgdij32.exe99⤵PID:1780
-
C:\Windows\SysWOW64\Gieaef32.exeC:\Windows\system32\Gieaef32.exe100⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:676 -
C:\Windows\SysWOW64\Gmamfddp.exeC:\Windows\system32\Gmamfddp.exe101⤵PID:2000
-
C:\Windows\SysWOW64\Gpoibp32.exeC:\Windows\system32\Gpoibp32.exe102⤵PID:2872
-
C:\Windows\SysWOW64\Gbnenk32.exeC:\Windows\system32\Gbnenk32.exe103⤵PID:1168
-
C:\Windows\SysWOW64\Gfiaojkq.exeC:\Windows\system32\Gfiaojkq.exe104⤵
- System Location Discovery: System Language Discovery
PID:1988 -
C:\Windows\SysWOW64\Gihnkejd.exeC:\Windows\system32\Gihnkejd.exe105⤵PID:2160
-
C:\Windows\SysWOW64\Gmcikd32.exeC:\Windows\system32\Gmcikd32.exe106⤵
- Drops file in System32 directory
PID:1796 -
C:\Windows\SysWOW64\Gpafgp32.exeC:\Windows\system32\Gpafgp32.exe107⤵PID:560
-
C:\Windows\SysWOW64\Hbpbck32.exeC:\Windows\system32\Hbpbck32.exe108⤵PID:1628
-
C:\Windows\SysWOW64\Heonpf32.exeC:\Windows\system32\Heonpf32.exe109⤵PID:768
-
C:\Windows\SysWOW64\Hmefad32.exeC:\Windows\system32\Hmefad32.exe110⤵PID:2052
-
C:\Windows\SysWOW64\Hlhfmqge.exeC:\Windows\system32\Hlhfmqge.exe111⤵
- Drops file in System32 directory
PID:2920 -
C:\Windows\SysWOW64\Hogcil32.exeC:\Windows\system32\Hogcil32.exe112⤵
- System Location Discovery: System Language Discovery
PID:1668 -
C:\Windows\SysWOW64\Hbboiknb.exeC:\Windows\system32\Hbboiknb.exe113⤵
- Drops file in System32 directory
PID:2468 -
C:\Windows\SysWOW64\Hfnkji32.exeC:\Windows\system32\Hfnkji32.exe114⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:948 -
C:\Windows\SysWOW64\Hilgfe32.exeC:\Windows\system32\Hilgfe32.exe115⤵PID:2232
-
C:\Windows\SysWOW64\Hlkcbp32.exeC:\Windows\system32\Hlkcbp32.exe116⤵PID:2524
-
C:\Windows\SysWOW64\Hoipnl32.exeC:\Windows\system32\Hoipnl32.exe117⤵PID:1408
-
C:\Windows\SysWOW64\Hbekojlp.exeC:\Windows\system32\Hbekojlp.exe118⤵PID:2556
-
C:\Windows\SysWOW64\Hechkfkc.exeC:\Windows\system32\Hechkfkc.exe119⤵PID:608
-
C:\Windows\SysWOW64\Hiockd32.exeC:\Windows\system32\Hiockd32.exe120⤵
- Modifies registry class
PID:1672 -
C:\Windows\SysWOW64\Hlmphp32.exeC:\Windows\system32\Hlmphp32.exe121⤵PID:2880
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-