Analysis
-
max time kernel
117s -
max time network
117s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
05/10/2024, 13:35
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
5deba015b0077e0a31d960ffb4d1503c20fb1ebcf89539a9b097a80fc60482c2N.exe
Resource
win7-20240903-en
windows7-x64
8 signatures
120 seconds
Behavioral task
behavioral2
Sample
5deba015b0077e0a31d960ffb4d1503c20fb1ebcf89539a9b097a80fc60482c2N.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
7 signatures
120 seconds
General
-
Target
5deba015b0077e0a31d960ffb4d1503c20fb1ebcf89539a9b097a80fc60482c2N.exe
-
Size
56KB
-
MD5
5913437815500d1bf53a91e57759c720
-
SHA1
47279ed11176538296dc845b6f7b5667210b6e75
-
SHA256
5deba015b0077e0a31d960ffb4d1503c20fb1ebcf89539a9b097a80fc60482c2
-
SHA512
0d161dadc8e220c55a4fa80b3504d2cdd71c68c112767f1620ac2255b87439e04e4b7e9d963671f6dbe4616dd58d48007bb8a32ab2f523d8e2910af3c3121385
-
SSDEEP
1536:lhKkEInObytLLc9hXcErIRkkce1o1xxfE:rKkEIWytoBsRkM1oRfE
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hlljjjnm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hakphqja.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jnmlhchd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fpcqaf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fjongcbl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Heihnoph.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jchhkjhn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ljffag32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lccdel32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lmlhnagm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mponel32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gbcfadgl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jqnejn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ljffag32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lcagpl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lapnnafn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Modkfi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fpqdkf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gjakmc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jgcdki32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ngdifkpi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Igakgfpn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Meijhc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Niebhf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Egoife32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jqlhdo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kcakaipc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nhaikn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Joaeeklp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Laegiq32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lfdmggnm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Niikceid.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kfmjgeaj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nplmop32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dknekeef.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hmfjha32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mffimglk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nibebfpl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nlekia32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jhljdm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jhngjmlo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dlnbeh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dhdcji32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Haiccald.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iamimc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ikfmfi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cnaocmmi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fbopgb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fpcqaf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Icfofg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ecqqpgli.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hojgfemq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kjdilgpc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dpbheh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Figlolbf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kicmdo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ljmlbfhi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mdacop32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gohjaf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iipgcaob.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lmgocb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Melfncqb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Npojdpef.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dglpbbbg.exe -
Executes dropped EXE 64 IoCs
pid Process 3064 Cahail32.exe 2848 Cdgneh32.exe 2700 Cnobnmpl.exe 2496 Cdikkg32.exe 2500 Ckccgane.exe 3012 Cnaocmmi.exe 996 Cdlgpgef.exe 2796 Dfmdho32.exe 2960 Dndlim32.exe 1548 Dpbheh32.exe 1996 Dglpbbbg.exe 1680 Djklnnaj.exe 340 Dogefd32.exe 2348 Dbfabp32.exe 2644 Dhpiojfb.exe 696 Dknekeef.exe 2872 Dbhnhp32.exe 2160 Dhbfdjdp.exe 1368 Dlnbeh32.exe 1692 Dnoomqbg.exe 2248 Dhdcji32.exe 572 Dggcffhg.exe 280 Enakbp32.exe 1832 Eqpgol32.exe 1892 Egjpkffe.exe 2672 Ekelld32.exe 2648 Endhhp32.exe 2572 Ednpej32.exe 2488 Ecqqpgli.exe 1612 Ejkima32.exe 792 Edpmjj32.exe 1572 Egoife32.exe 2924 Enhacojl.exe 2744 Eqgnokip.exe 1992 Ejobhppq.exe 1912 Eibbcm32.exe 2808 Emnndlod.exe 2124 Eplkpgnh.exe 2052 Echfaf32.exe 2420 Effcma32.exe 844 Fjaonpnn.exe 1136 Fidoim32.exe 2084 Fmpkjkma.exe 2792 Fpngfgle.exe 1484 Fcjcfe32.exe 2152 Ffhpbacb.exe 316 Fekpnn32.exe 2244 Figlolbf.exe 900 Flehkhai.exe 2732 Fpqdkf32.exe 2820 Fbopgb32.exe 2456 Ffklhqao.exe 2356 Fiihdlpc.exe 608 Fglipi32.exe 884 Fpcqaf32.exe 2920 Fnfamcoj.exe 1656 Fadminnn.exe 2340 Fepiimfg.exe 2756 Fikejl32.exe 1456 Fljafg32.exe 1684 Fnhnbb32.exe 2556 Fbdjbaea.exe 2388 Fagjnn32.exe 1172 Fcefji32.exe -
Loads dropped DLL 64 IoCs
pid Process 1344 5deba015b0077e0a31d960ffb4d1503c20fb1ebcf89539a9b097a80fc60482c2N.exe 1344 5deba015b0077e0a31d960ffb4d1503c20fb1ebcf89539a9b097a80fc60482c2N.exe 3064 Cahail32.exe 3064 Cahail32.exe 2848 Cdgneh32.exe 2848 Cdgneh32.exe 2700 Cnobnmpl.exe 2700 Cnobnmpl.exe 2496 Cdikkg32.exe 2496 Cdikkg32.exe 2500 Ckccgane.exe 2500 Ckccgane.exe 3012 Cnaocmmi.exe 3012 Cnaocmmi.exe 996 Cdlgpgef.exe 996 Cdlgpgef.exe 2796 Dfmdho32.exe 2796 Dfmdho32.exe 2960 Dndlim32.exe 2960 Dndlim32.exe 1548 Dpbheh32.exe 1548 Dpbheh32.exe 1996 Dglpbbbg.exe 1996 Dglpbbbg.exe 1680 Djklnnaj.exe 1680 Djklnnaj.exe 340 Dogefd32.exe 340 Dogefd32.exe 2348 Dbfabp32.exe 2348 Dbfabp32.exe 2644 Dhpiojfb.exe 2644 Dhpiojfb.exe 696 Dknekeef.exe 696 Dknekeef.exe 2872 Dbhnhp32.exe 2872 Dbhnhp32.exe 2160 Dhbfdjdp.exe 2160 Dhbfdjdp.exe 1368 Dlnbeh32.exe 1368 Dlnbeh32.exe 1692 Dnoomqbg.exe 1692 Dnoomqbg.exe 2248 Dhdcji32.exe 2248 Dhdcji32.exe 572 Dggcffhg.exe 572 Dggcffhg.exe 280 Enakbp32.exe 280 Enakbp32.exe 1832 Eqpgol32.exe 1832 Eqpgol32.exe 1892 Egjpkffe.exe 1892 Egjpkffe.exe 2672 Ekelld32.exe 2672 Ekelld32.exe 2648 Endhhp32.exe 2648 Endhhp32.exe 2572 Ednpej32.exe 2572 Ednpej32.exe 2488 Ecqqpgli.exe 2488 Ecqqpgli.exe 1612 Ejkima32.exe 1612 Ejkima32.exe 792 Edpmjj32.exe 792 Edpmjj32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Fidoim32.exe Fjaonpnn.exe File created C:\Windows\SysWOW64\Kocbkk32.exe Kmefooki.exe File opened for modification C:\Windows\SysWOW64\Ngfflj32.exe Nckjkl32.exe File created C:\Windows\SysWOW64\Heihnoph.exe Hanlnp32.exe File opened for modification C:\Windows\SysWOW64\Ipgbjl32.exe Inifnq32.exe File created C:\Windows\SysWOW64\Ihlfca32.dll Knmhgf32.exe File created C:\Windows\SysWOW64\Mbpgggol.exe Modkfi32.exe File created C:\Windows\SysWOW64\Fcjcfe32.exe Fpngfgle.exe File created C:\Windows\SysWOW64\Ffhpbacb.exe Fcjcfe32.exe File created C:\Windows\SysWOW64\Hoikeh32.dll Gfmemc32.exe File created C:\Windows\SysWOW64\Nmmhnm32.dll Hoopae32.exe File created C:\Windows\SysWOW64\Aohfbg32.dll Inifnq32.exe File created C:\Windows\SysWOW64\Ljibgg32.exe Lgjfkk32.exe File created C:\Windows\SysWOW64\Ckccgane.exe Cdikkg32.exe File opened for modification C:\Windows\SysWOW64\Ikkjbe32.exe Igonafba.exe File created C:\Windows\SysWOW64\Gdfjcc32.dll Ihgainbg.exe File created C:\Windows\SysWOW64\Laegiq32.exe Lmikibio.exe File created C:\Windows\SysWOW64\Mholen32.exe Mdcpdp32.exe File created C:\Windows\SysWOW64\Nekbmgcn.exe Ncmfqkdj.exe File opened for modification C:\Windows\SysWOW64\Fnfamcoj.exe Fpcqaf32.exe File created C:\Windows\SysWOW64\Mfbnag32.dll Hedocp32.exe File created C:\Windows\SysWOW64\Lmgefl32.dll Hbhomd32.exe File created C:\Windows\SysWOW64\Igakgfpn.exe Icfofg32.exe File opened for modification C:\Windows\SysWOW64\Kmgbdo32.exe Kjifhc32.exe File opened for modification C:\Windows\SysWOW64\Mffimglk.exe Mooaljkh.exe File opened for modification C:\Windows\SysWOW64\Fdbnmk32.dll Lccdel32.exe File created C:\Windows\SysWOW64\Flehkhai.exe Figlolbf.exe File created C:\Windows\SysWOW64\Djmffb32.dll Lpekon32.exe File created C:\Windows\SysWOW64\Dfmdho32.exe Cdlgpgef.exe File opened for modification C:\Windows\SysWOW64\Mgalqkbk.exe Mholen32.exe File opened for modification C:\Windows\SysWOW64\Mieeibkn.exe Meijhc32.exe File created C:\Windows\SysWOW64\Ogbknfbl.dll Kbfhbeek.exe File created C:\Windows\SysWOW64\Lcagpl32.exe Lpekon32.exe File created C:\Windows\SysWOW64\Khqpfa32.dll Lccdel32.exe File opened for modification C:\Windows\SysWOW64\Dogefd32.exe Djklnnaj.exe File created C:\Windows\SysWOW64\Kbfhbeek.exe Kohkfj32.exe File opened for modification C:\Windows\SysWOW64\Gakcimgf.exe Gmpgio32.exe File created C:\Windows\SysWOW64\Mpjqiq32.exe Magqncba.exe File opened for modification C:\Windows\SysWOW64\Gljnej32.exe Gmgninie.exe File opened for modification C:\Windows\SysWOW64\Dlnbeh32.exe Dhbfdjdp.exe File opened for modification C:\Windows\SysWOW64\Icfofg32.exe Ipgbjl32.exe File created C:\Windows\SysWOW64\Moanaiie.exe Mponel32.exe File opened for modification C:\Windows\SysWOW64\Nckjkl32.exe Ndhipoob.exe File created C:\Windows\SysWOW64\Cdikkg32.exe Cnobnmpl.exe File opened for modification C:\Windows\SysWOW64\Cdlgpgef.exe Cnaocmmi.exe File created C:\Windows\SysWOW64\Fmhbhf32.dll Hmdmcanc.exe File created C:\Windows\SysWOW64\Ngdfge32.dll Ioolqh32.exe File created C:\Windows\SysWOW64\Kmikde32.dll Kbdklf32.exe File created C:\Windows\SysWOW64\Apbfblll.dll Lgjfkk32.exe File created C:\Windows\SysWOW64\Jfdnjb32.dll Gifhnpea.exe File created C:\Windows\SysWOW64\Pbefefec.dll Kmgbdo32.exe File created C:\Windows\SysWOW64\Bpmiamoh.dll Kfbcbd32.exe File opened for modification C:\Windows\SysWOW64\Llohjo32.exe Lmlhnagm.exe File created C:\Windows\SysWOW64\Igchlf32.exe Ichllgfb.exe File opened for modification C:\Windows\SysWOW64\Ioolqh32.exe Ilqpdm32.exe File created C:\Windows\SysWOW64\Hkaglf32.exe Hlngpjlj.exe File opened for modification C:\Windows\SysWOW64\Ipjoplgo.exe Ilncom32.exe File opened for modification C:\Windows\SysWOW64\Ikfmfi32.exe Ilcmjl32.exe File created C:\Windows\SysWOW64\Cpbplnnk.dll Melfncqb.exe File opened for modification C:\Windows\SysWOW64\Gfmemc32.exe Gbaileio.exe File opened for modification C:\Windows\SysWOW64\Gbcfadgl.exe Gohjaf32.exe File created C:\Windows\SysWOW64\Igonafba.exe Hdqbekcm.exe File created C:\Windows\SysWOW64\Jcmafj32.exe Joaeeklp.exe File opened for modification C:\Windows\SysWOW64\Nekbmgcn.exe Ncmfqkdj.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 3536 3364 WerFault.exe 311 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ckccgane.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dhdcji32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fikejl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hpgfki32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iipgcaob.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Knmhgf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fmmkcoap.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Haiccald.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ihgainbg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ikhjki32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ljffag32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lmebnb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dlnbeh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fekpnn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Figlolbf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gljnej32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ioolqh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kmgbdo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lndohedg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mffimglk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Egjpkffe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hgjefg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jhljdm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dhpiojfb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gdniqh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hkhnle32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mmihhelk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nkpegi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ljffag32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Llohjo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dggcffhg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fpcqaf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hedocp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ichllgfb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kohkfj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lanaiahq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Migbnb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nckjkl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hmfjha32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Igonafba.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kfbcbd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fadminnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gbomfe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jfknbe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Meppiblm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cahail32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hdlhjl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jcjdpj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lmlhnagm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Meijhc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cdgneh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ffklhqao.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fnfamcoj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fepiimfg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kiqpop32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fjaonpnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gepehphc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ljmlbfhi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Niebhf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ndhipoob.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ekelld32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Edpmjj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ghcoqh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gfjhgdck.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mfbnag32.dll" Hedocp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aohfbg32.dll" Inifnq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ikfmfi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kjdilgpc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ihgainbg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Epecke32.dll" Joaeeklp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kmefooki.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hlqdei32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Poceplpj.dll" Lpjdjmfp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mlfojn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ndhipoob.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odmfgh32.dll" Hdlhjl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ipgbjl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Icfofg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ioolqh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ieidmbcc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kicmdo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hdqbekcm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bmeelpbm.dll" Jqgoiokm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nbfphc32.dll" Fcjcfe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hmdmcanc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ilcmjl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Idnaoohk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hkcdafqb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Enakbp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fpcqaf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mpjqiq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ffklhqao.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gnmgmbhb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbgafalg.dll" Jocflgga.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kfmjgeaj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dhdcji32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gbaileio.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Godgob32.dll" Ginnnooi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dhffckeo.dll" Mholen32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ljffag32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lcagpl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lmikibio.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kjbgng32.dll" Npojdpef.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fekpnn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fnhnbb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgecadnb.dll" Mdacop32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Effcma32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Icfofg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lekjcmbe.dll" Jbdonb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hebpjd32.dll" Jcmafj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Khqpfa32.dll" Lccdel32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmdcie32.dll" Lcojjmea.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hojgfemq.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hbhomd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iianmb32.dll" Ijbdha32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lmgocb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Niebhf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Khpnecca.dll" Jdgdempa.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lgmcqkkh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Endhhp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Enhacojl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fmmkcoap.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hkfagfop.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmdgmd32.dll" Ejkima32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hoogfn32.dll" Effcma32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fekpnn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ngoohnkj.dll" Nigome32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hgjefg32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1344 wrote to memory of 3064 1344 5deba015b0077e0a31d960ffb4d1503c20fb1ebcf89539a9b097a80fc60482c2N.exe 28 PID 1344 wrote to memory of 3064 1344 5deba015b0077e0a31d960ffb4d1503c20fb1ebcf89539a9b097a80fc60482c2N.exe 28 PID 1344 wrote to memory of 3064 1344 5deba015b0077e0a31d960ffb4d1503c20fb1ebcf89539a9b097a80fc60482c2N.exe 28 PID 1344 wrote to memory of 3064 1344 5deba015b0077e0a31d960ffb4d1503c20fb1ebcf89539a9b097a80fc60482c2N.exe 28 PID 3064 wrote to memory of 2848 3064 Cahail32.exe 29 PID 3064 wrote to memory of 2848 3064 Cahail32.exe 29 PID 3064 wrote to memory of 2848 3064 Cahail32.exe 29 PID 3064 wrote to memory of 2848 3064 Cahail32.exe 29 PID 2848 wrote to memory of 2700 2848 Cdgneh32.exe 30 PID 2848 wrote to memory of 2700 2848 Cdgneh32.exe 30 PID 2848 wrote to memory of 2700 2848 Cdgneh32.exe 30 PID 2848 wrote to memory of 2700 2848 Cdgneh32.exe 30 PID 2700 wrote to memory of 2496 2700 Cnobnmpl.exe 31 PID 2700 wrote to memory of 2496 2700 Cnobnmpl.exe 31 PID 2700 wrote to memory of 2496 2700 Cnobnmpl.exe 31 PID 2700 wrote to memory of 2496 2700 Cnobnmpl.exe 31 PID 2496 wrote to memory of 2500 2496 Cdikkg32.exe 32 PID 2496 wrote to memory of 2500 2496 Cdikkg32.exe 32 PID 2496 wrote to memory of 2500 2496 Cdikkg32.exe 32 PID 2496 wrote to memory of 2500 2496 Cdikkg32.exe 32 PID 2500 wrote to memory of 3012 2500 Ckccgane.exe 33 PID 2500 wrote to memory of 3012 2500 Ckccgane.exe 33 PID 2500 wrote to memory of 3012 2500 Ckccgane.exe 33 PID 2500 wrote to memory of 3012 2500 Ckccgane.exe 33 PID 3012 wrote to memory of 996 3012 Cnaocmmi.exe 34 PID 3012 wrote to memory of 996 3012 Cnaocmmi.exe 34 PID 3012 wrote to memory of 996 3012 Cnaocmmi.exe 34 PID 3012 wrote to memory of 996 3012 Cnaocmmi.exe 34 PID 996 wrote to memory of 2796 996 Cdlgpgef.exe 35 PID 996 wrote to memory of 2796 996 Cdlgpgef.exe 35 PID 996 wrote to memory of 2796 996 Cdlgpgef.exe 35 PID 996 wrote to memory of 2796 996 Cdlgpgef.exe 35 PID 2796 wrote to memory of 2960 2796 Dfmdho32.exe 36 PID 2796 wrote to memory of 2960 2796 Dfmdho32.exe 36 PID 2796 wrote to memory of 2960 2796 Dfmdho32.exe 36 PID 2796 wrote to memory of 2960 2796 Dfmdho32.exe 36 PID 2960 wrote to memory of 1548 2960 Dndlim32.exe 37 PID 2960 wrote to memory of 1548 2960 Dndlim32.exe 37 PID 2960 wrote to memory of 1548 2960 Dndlim32.exe 37 PID 2960 wrote to memory of 1548 2960 Dndlim32.exe 37 PID 1548 wrote to memory of 1996 1548 Dpbheh32.exe 38 PID 1548 wrote to memory of 1996 1548 Dpbheh32.exe 38 PID 1548 wrote to memory of 1996 1548 Dpbheh32.exe 38 PID 1548 wrote to memory of 1996 1548 Dpbheh32.exe 38 PID 1996 wrote to memory of 1680 1996 Dglpbbbg.exe 39 PID 1996 wrote to memory of 1680 1996 Dglpbbbg.exe 39 PID 1996 wrote to memory of 1680 1996 Dglpbbbg.exe 39 PID 1996 wrote to memory of 1680 1996 Dglpbbbg.exe 39 PID 1680 wrote to memory of 340 1680 Djklnnaj.exe 40 PID 1680 wrote to memory of 340 1680 Djklnnaj.exe 40 PID 1680 wrote to memory of 340 1680 Djklnnaj.exe 40 PID 1680 wrote to memory of 340 1680 Djklnnaj.exe 40 PID 340 wrote to memory of 2348 340 Dogefd32.exe 41 PID 340 wrote to memory of 2348 340 Dogefd32.exe 41 PID 340 wrote to memory of 2348 340 Dogefd32.exe 41 PID 340 wrote to memory of 2348 340 Dogefd32.exe 41 PID 2348 wrote to memory of 2644 2348 Dbfabp32.exe 42 PID 2348 wrote to memory of 2644 2348 Dbfabp32.exe 42 PID 2348 wrote to memory of 2644 2348 Dbfabp32.exe 42 PID 2348 wrote to memory of 2644 2348 Dbfabp32.exe 42 PID 2644 wrote to memory of 696 2644 Dhpiojfb.exe 43 PID 2644 wrote to memory of 696 2644 Dhpiojfb.exe 43 PID 2644 wrote to memory of 696 2644 Dhpiojfb.exe 43 PID 2644 wrote to memory of 696 2644 Dhpiojfb.exe 43
Processes
-
C:\Users\Admin\AppData\Local\Temp\5deba015b0077e0a31d960ffb4d1503c20fb1ebcf89539a9b097a80fc60482c2N.exe"C:\Users\Admin\AppData\Local\Temp\5deba015b0077e0a31d960ffb4d1503c20fb1ebcf89539a9b097a80fc60482c2N.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1344 -
C:\Windows\SysWOW64\Cahail32.exeC:\Windows\system32\Cahail32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3064 -
C:\Windows\SysWOW64\Cdgneh32.exeC:\Windows\system32\Cdgneh32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2848 -
C:\Windows\SysWOW64\Cnobnmpl.exeC:\Windows\system32\Cnobnmpl.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2700 -
C:\Windows\SysWOW64\Cdikkg32.exeC:\Windows\system32\Cdikkg32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2496 -
C:\Windows\SysWOW64\Ckccgane.exeC:\Windows\system32\Ckccgane.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2500 -
C:\Windows\SysWOW64\Cnaocmmi.exeC:\Windows\system32\Cnaocmmi.exe7⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3012 -
C:\Windows\SysWOW64\Cdlgpgef.exeC:\Windows\system32\Cdlgpgef.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:996 -
C:\Windows\SysWOW64\Dfmdho32.exeC:\Windows\system32\Dfmdho32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2796 -
C:\Windows\SysWOW64\Dndlim32.exeC:\Windows\system32\Dndlim32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2960 -
C:\Windows\SysWOW64\Dpbheh32.exeC:\Windows\system32\Dpbheh32.exe11⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1548 -
C:\Windows\SysWOW64\Dglpbbbg.exeC:\Windows\system32\Dglpbbbg.exe12⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1996 -
C:\Windows\SysWOW64\Djklnnaj.exeC:\Windows\system32\Djklnnaj.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1680 -
C:\Windows\SysWOW64\Dogefd32.exeC:\Windows\system32\Dogefd32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:340 -
C:\Windows\SysWOW64\Dbfabp32.exeC:\Windows\system32\Dbfabp32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2348 -
C:\Windows\SysWOW64\Dhpiojfb.exeC:\Windows\system32\Dhpiojfb.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2644 -
C:\Windows\SysWOW64\Dknekeef.exeC:\Windows\system32\Dknekeef.exe17⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:696 -
C:\Windows\SysWOW64\Dbhnhp32.exeC:\Windows\system32\Dbhnhp32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2872 -
C:\Windows\SysWOW64\Dhbfdjdp.exeC:\Windows\system32\Dhbfdjdp.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2160 -
C:\Windows\SysWOW64\Dlnbeh32.exeC:\Windows\system32\Dlnbeh32.exe20⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1368 -
C:\Windows\SysWOW64\Dnoomqbg.exeC:\Windows\system32\Dnoomqbg.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1692 -
C:\Windows\SysWOW64\Dhdcji32.exeC:\Windows\system32\Dhdcji32.exe22⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2248 -
C:\Windows\SysWOW64\Dggcffhg.exeC:\Windows\system32\Dggcffhg.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:572 -
C:\Windows\SysWOW64\Enakbp32.exeC:\Windows\system32\Enakbp32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:280 -
C:\Windows\SysWOW64\Eqpgol32.exeC:\Windows\system32\Eqpgol32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1832 -
C:\Windows\SysWOW64\Egjpkffe.exeC:\Windows\system32\Egjpkffe.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1892 -
C:\Windows\SysWOW64\Ekelld32.exeC:\Windows\system32\Ekelld32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2672 -
C:\Windows\SysWOW64\Endhhp32.exeC:\Windows\system32\Endhhp32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2648 -
C:\Windows\SysWOW64\Ednpej32.exeC:\Windows\system32\Ednpej32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2572 -
C:\Windows\SysWOW64\Ecqqpgli.exeC:\Windows\system32\Ecqqpgli.exe30⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2488 -
C:\Windows\SysWOW64\Ejkima32.exeC:\Windows\system32\Ejkima32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1612 -
C:\Windows\SysWOW64\Edpmjj32.exeC:\Windows\system32\Edpmjj32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:792 -
C:\Windows\SysWOW64\Egoife32.exeC:\Windows\system32\Egoife32.exe33⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1572 -
C:\Windows\SysWOW64\Enhacojl.exeC:\Windows\system32\Enhacojl.exe34⤵
- Executes dropped EXE
- Modifies registry class
PID:2924 -
C:\Windows\SysWOW64\Eqgnokip.exeC:\Windows\system32\Eqgnokip.exe35⤵
- Executes dropped EXE
PID:2744 -
C:\Windows\SysWOW64\Ejobhppq.exeC:\Windows\system32\Ejobhppq.exe36⤵
- Executes dropped EXE
PID:1992 -
C:\Windows\SysWOW64\Eibbcm32.exeC:\Windows\system32\Eibbcm32.exe37⤵
- Executes dropped EXE
PID:1912 -
C:\Windows\SysWOW64\Emnndlod.exeC:\Windows\system32\Emnndlod.exe38⤵
- Executes dropped EXE
PID:2808 -
C:\Windows\SysWOW64\Eplkpgnh.exeC:\Windows\system32\Eplkpgnh.exe39⤵
- Executes dropped EXE
PID:2124 -
C:\Windows\SysWOW64\Echfaf32.exeC:\Windows\system32\Echfaf32.exe40⤵
- Executes dropped EXE
PID:2052 -
C:\Windows\SysWOW64\Effcma32.exeC:\Windows\system32\Effcma32.exe41⤵
- Executes dropped EXE
- Modifies registry class
PID:2420 -
C:\Windows\SysWOW64\Fjaonpnn.exeC:\Windows\system32\Fjaonpnn.exe42⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:844 -
C:\Windows\SysWOW64\Fidoim32.exeC:\Windows\system32\Fidoim32.exe43⤵
- Executes dropped EXE
PID:1136 -
C:\Windows\SysWOW64\Fmpkjkma.exeC:\Windows\system32\Fmpkjkma.exe44⤵
- Executes dropped EXE
PID:2084 -
C:\Windows\SysWOW64\Fpngfgle.exeC:\Windows\system32\Fpngfgle.exe45⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2792 -
C:\Windows\SysWOW64\Fcjcfe32.exeC:\Windows\system32\Fcjcfe32.exe46⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1484 -
C:\Windows\SysWOW64\Ffhpbacb.exeC:\Windows\system32\Ffhpbacb.exe47⤵
- Executes dropped EXE
PID:2152 -
C:\Windows\SysWOW64\Fekpnn32.exeC:\Windows\system32\Fekpnn32.exe48⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:316 -
C:\Windows\SysWOW64\Figlolbf.exeC:\Windows\system32\Figlolbf.exe49⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2244 -
C:\Windows\SysWOW64\Flehkhai.exeC:\Windows\system32\Flehkhai.exe50⤵
- Executes dropped EXE
PID:900 -
C:\Windows\SysWOW64\Fpqdkf32.exeC:\Windows\system32\Fpqdkf32.exe51⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2732 -
C:\Windows\SysWOW64\Fbopgb32.exeC:\Windows\system32\Fbopgb32.exe52⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2820 -
C:\Windows\SysWOW64\Ffklhqao.exeC:\Windows\system32\Ffklhqao.exe53⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2456 -
C:\Windows\SysWOW64\Fiihdlpc.exeC:\Windows\system32\Fiihdlpc.exe54⤵
- Executes dropped EXE
PID:2356 -
C:\Windows\SysWOW64\Fglipi32.exeC:\Windows\system32\Fglipi32.exe55⤵
- Executes dropped EXE
PID:608 -
C:\Windows\SysWOW64\Fpcqaf32.exeC:\Windows\system32\Fpcqaf32.exe56⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:884 -
C:\Windows\SysWOW64\Fnfamcoj.exeC:\Windows\system32\Fnfamcoj.exe57⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2920 -
C:\Windows\SysWOW64\Fadminnn.exeC:\Windows\system32\Fadminnn.exe58⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1656 -
C:\Windows\SysWOW64\Fepiimfg.exeC:\Windows\system32\Fepiimfg.exe59⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2340 -
C:\Windows\SysWOW64\Fikejl32.exeC:\Windows\system32\Fikejl32.exe60⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2756 -
C:\Windows\SysWOW64\Fljafg32.exeC:\Windows\system32\Fljafg32.exe61⤵
- Executes dropped EXE
PID:1456 -
C:\Windows\SysWOW64\Fnhnbb32.exeC:\Windows\system32\Fnhnbb32.exe62⤵
- Executes dropped EXE
- Modifies registry class
PID:1684 -
C:\Windows\SysWOW64\Fbdjbaea.exeC:\Windows\system32\Fbdjbaea.exe63⤵
- Executes dropped EXE
PID:2556 -
C:\Windows\SysWOW64\Fagjnn32.exeC:\Windows\system32\Fagjnn32.exe64⤵
- Executes dropped EXE
PID:2388 -
C:\Windows\SysWOW64\Fcefji32.exeC:\Windows\system32\Fcefji32.exe65⤵
- Executes dropped EXE
PID:1172 -
C:\Windows\SysWOW64\Fcefji32.exeC:\Windows\system32\Fcefji32.exe66⤵PID:596
-
C:\Windows\SysWOW64\Fllnlg32.exeC:\Windows\system32\Fllnlg32.exe67⤵PID:2032
-
C:\Windows\SysWOW64\Fjongcbl.exeC:\Windows\system32\Fjongcbl.exe68⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1288 -
C:\Windows\SysWOW64\Fnkjhb32.exeC:\Windows\system32\Fnkjhb32.exe69⤵PID:1732
-
C:\Windows\SysWOW64\Fmmkcoap.exeC:\Windows\system32\Fmmkcoap.exe70⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1512 -
C:\Windows\SysWOW64\Faigdn32.exeC:\Windows\system32\Faigdn32.exe71⤵PID:2240
-
C:\Windows\SysWOW64\Gdgcpi32.exeC:\Windows\system32\Gdgcpi32.exe72⤵PID:1920
-
C:\Windows\SysWOW64\Ghcoqh32.exeC:\Windows\system32\Ghcoqh32.exe73⤵
- System Location Discovery: System Language Discovery
PID:2668 -
C:\Windows\SysWOW64\Gjakmc32.exeC:\Windows\system32\Gjakmc32.exe74⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2484 -
C:\Windows\SysWOW64\Gnmgmbhb.exeC:\Windows\system32\Gnmgmbhb.exe75⤵
- Modifies registry class
PID:2536 -
C:\Windows\SysWOW64\Gmpgio32.exeC:\Windows\system32\Gmpgio32.exe76⤵
- Drops file in System32 directory
PID:1868 -
C:\Windows\SysWOW64\Gakcimgf.exeC:\Windows\system32\Gakcimgf.exe77⤵PID:584
-
C:\Windows\SysWOW64\Gdjpeifj.exeC:\Windows\system32\Gdjpeifj.exe78⤵PID:2992
-
C:\Windows\SysWOW64\Gdjpeifj.exeC:\Windows\system32\Gdjpeifj.exe79⤵PID:1628
-
C:\Windows\SysWOW64\Gfhladfn.exeC:\Windows\system32\Gfhladfn.exe80⤵PID:1232
-
C:\Windows\SysWOW64\Gjdhbc32.exeC:\Windows\system32\Gjdhbc32.exe81⤵PID:1780
-
C:\Windows\SysWOW64\Gifhnpea.exeC:\Windows\system32\Gifhnpea.exe82⤵
- Drops file in System32 directory
PID:1476 -
C:\Windows\SysWOW64\Ganpomec.exeC:\Windows\system32\Ganpomec.exe83⤵PID:1552
-
C:\Windows\SysWOW64\Gpqpjj32.exeC:\Windows\system32\Gpqpjj32.exe84⤵PID:2436
-
C:\Windows\SysWOW64\Gbomfe32.exeC:\Windows\system32\Gbomfe32.exe85⤵
- System Location Discovery: System Language Discovery
PID:3028 -
C:\Windows\SysWOW64\Gfjhgdck.exeC:\Windows\system32\Gfjhgdck.exe86⤵
- System Location Discovery: System Language Discovery
PID:2884 -
C:\Windows\SysWOW64\Giieco32.exeC:\Windows\system32\Giieco32.exe87⤵PID:2768
-
C:\Windows\SysWOW64\Gmdadnkh.exeC:\Windows\system32\Gmdadnkh.exe88⤵PID:1072
-
C:\Windows\SysWOW64\Glgaok32.exeC:\Windows\system32\Glgaok32.exe89⤵PID:860
-
C:\Windows\SysWOW64\Gdniqh32.exeC:\Windows\system32\Gdniqh32.exe90⤵
- System Location Discovery: System Language Discovery
PID:1896 -
C:\Windows\SysWOW64\Gbaileio.exeC:\Windows\system32\Gbaileio.exe91⤵
- Drops file in System32 directory
- Modifies registry class
PID:1528 -
C:\Windows\SysWOW64\Gfmemc32.exeC:\Windows\system32\Gfmemc32.exe92⤵
- Drops file in System32 directory
PID:2636 -
C:\Windows\SysWOW64\Gepehphc.exeC:\Windows\system32\Gepehphc.exe93⤵
- System Location Discovery: System Language Discovery
PID:2472 -
C:\Windows\SysWOW64\Gmgninie.exeC:\Windows\system32\Gmgninie.exe94⤵
- Drops file in System32 directory
PID:576 -
C:\Windows\SysWOW64\Gljnej32.exeC:\Windows\system32\Gljnej32.exe95⤵
- System Location Discovery: System Language Discovery
PID:2736 -
C:\Windows\SysWOW64\Gohjaf32.exeC:\Windows\system32\Gohjaf32.exe96⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2976 -
C:\Windows\SysWOW64\Gbcfadgl.exeC:\Windows\system32\Gbcfadgl.exe97⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1940 -
C:\Windows\SysWOW64\Gebbnpfp.exeC:\Windows\system32\Gebbnpfp.exe98⤵PID:2776
-
C:\Windows\SysWOW64\Ginnnooi.exeC:\Windows\system32\Ginnnooi.exe99⤵
- Modifies registry class
PID:2312 -
C:\Windows\SysWOW64\Hlljjjnm.exeC:\Windows\system32\Hlljjjnm.exe100⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2692 -
C:\Windows\SysWOW64\Hpgfki32.exeC:\Windows\system32\Hpgfki32.exe101⤵
- System Location Discovery: System Language Discovery
PID:2120 -
C:\Windows\SysWOW64\Hojgfemq.exeC:\Windows\system32\Hojgfemq.exe102⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:704 -
C:\Windows\SysWOW64\Haiccald.exeC:\Windows\system32\Haiccald.exe103⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:1600 -
C:\Windows\SysWOW64\Hedocp32.exeC:\Windows\system32\Hedocp32.exe104⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1596 -
C:\Windows\SysWOW64\Hipkdnmf.exeC:\Windows\system32\Hipkdnmf.exe105⤵PID:2252
-
C:\Windows\SysWOW64\Hlngpjlj.exeC:\Windows\system32\Hlngpjlj.exe106⤵
- Drops file in System32 directory
PID:2492 -
C:\Windows\SysWOW64\Hkaglf32.exeC:\Windows\system32\Hkaglf32.exe107⤵PID:2504
-
C:\Windows\SysWOW64\Hbhomd32.exeC:\Windows\system32\Hbhomd32.exe108⤵
- Drops file in System32 directory
- Modifies registry class
PID:1860 -
C:\Windows\SysWOW64\Hakphqja.exeC:\Windows\system32\Hakphqja.exe109⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:668 -
C:\Windows\SysWOW64\Heglio32.exeC:\Windows\system32\Heglio32.exe110⤵PID:1448
-
C:\Windows\SysWOW64\Hdildlie.exeC:\Windows\system32\Hdildlie.exe111⤵PID:2760
-
C:\Windows\SysWOW64\Hlqdei32.exeC:\Windows\system32\Hlqdei32.exe112⤵
- Modifies registry class
PID:2076 -
C:\Windows\SysWOW64\Hkcdafqb.exeC:\Windows\system32\Hkcdafqb.exe113⤵
- Modifies registry class
PID:1664 -
C:\Windows\SysWOW64\Hoopae32.exeC:\Windows\system32\Hoopae32.exe114⤵
- Drops file in System32 directory
PID:2220 -
C:\Windows\SysWOW64\Hanlnp32.exeC:\Windows\system32\Hanlnp32.exe115⤵
- Drops file in System32 directory
PID:1204 -
C:\Windows\SysWOW64\Heihnoph.exeC:\Windows\system32\Heihnoph.exe116⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:920 -
C:\Windows\SysWOW64\Hdlhjl32.exeC:\Windows\system32\Hdlhjl32.exe117⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1932 -
C:\Windows\SysWOW64\Hgjefg32.exeC:\Windows\system32\Hgjefg32.exe118⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2720 -
C:\Windows\SysWOW64\Hkfagfop.exeC:\Windows\system32\Hkfagfop.exe119⤵
- Modifies registry class
PID:264 -
C:\Windows\SysWOW64\Hmdmcanc.exeC:\Windows\system32\Hmdmcanc.exe120⤵
- Drops file in System32 directory
- Modifies registry class
PID:2784 -
C:\Windows\SysWOW64\Hhjapjmi.exeC:\Windows\system32\Hhjapjmi.exe121⤵PID:1976
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-