Analysis
-
max time kernel
118s -
max time network
119s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
09/11/2024, 22:53
Static task
static1
Behavioral task
behavioral1
Sample
667f9cf8ca2991199e78acde62eb3b50041d58672f8b4b4b2b635974e97e6b43N.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
667f9cf8ca2991199e78acde62eb3b50041d58672f8b4b4b2b635974e97e6b43N.exe
Resource
win10v2004-20241007-en
General
-
Target
667f9cf8ca2991199e78acde62eb3b50041d58672f8b4b4b2b635974e97e6b43N.exe
-
Size
295KB
-
MD5
a762ead223629d9b003b5fa4f566a990
-
SHA1
b9c1eff57dad75b935556568b1109fbfc8de2969
-
SHA256
667f9cf8ca2991199e78acde62eb3b50041d58672f8b4b4b2b635974e97e6b43
-
SHA512
fffc765d4da8a3acc8de93e9a486224d0e8c84795f6613b54d2169f0b49241d8a5374dd06e16a3fcc7157866ce25ab5698654699b17379017ae4b8560ed4cc6a
-
SSDEEP
3072:2NnTJZSRhFipSQ1UkY1UkVHe1rUtst76UtoUtFVgtRQ2c+tlB5xpWJLM77OkeY:ITJZSPFq51PY1PRe19V+tbFOLM77OLY
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Olmela32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Eifmimch.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gecpnp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gehiioaj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kmkihbho.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ifmocb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Imggplgm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ifolhann.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fggmldfp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gmhkin32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gqdgom32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hffibceh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hgeelf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jpgmpk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lmmfnb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hjmlhbbg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hadcipbi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hnmacpfj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pfpibn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cmhjdiap.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cjogcm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Elibpg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fppaej32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lplbjm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pdbmfb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Elgfkhpi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jipaip32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fgocmc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gaojnq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dfcgbb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Iipejmko.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jnagmc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jpepkk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kkmmlgik.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Agihgp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bfoeil32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eifmimch.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eihjolae.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gncnmane.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hmmdin32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cncmcm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Eafkhn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gehiioaj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hgnokgcc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oecmogln.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dpnladjl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fmaeho32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ifolhann.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jikhnaao.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jpepkk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Koflgf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Paaddgkj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ppmgfb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fdpgph32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Giaidnkf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Iclbpj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hifbdnbi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jfohgepi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jnmiag32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nlilqbgp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Qhilkege.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aphjjf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fmaeho32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Glbaei32.exe -
Executes dropped EXE 64 IoCs
pid Process 2716 Nlilqbgp.exe 2916 Omhhke32.exe 2352 Oecmogln.exe 2516 Olmela32.exe 2736 Ojbbmnhc.exe 3008 Objjnkie.exe 2116 Oflpgnld.exe 1608 Paaddgkj.exe 1652 Pdbmfb32.exe 948 Pfpibn32.exe 2372 Piabdiep.exe 2100 Ppmgfb32.exe 2216 Qhilkege.exe 3024 Qaapcj32.exe 2860 Qkielpdf.exe 292 Aognbnkm.exe 2476 Aphjjf32.exe 1664 Adfbpega.exe 1036 Anogijnb.exe 2260 Aejlnmkm.exe 1532 Ajehnk32.exe 1876 Agihgp32.exe 2428 Ajhddk32.exe 2460 Bcpimq32.exe 2668 Bfoeil32.exe 2660 Bogjaamh.exe 2840 Bknjfb32.exe 2676 Bnlgbnbp.exe 2536 Bdfooh32.exe 3000 Bdhleh32.exe 1756 Bkbdabog.exe 2112 Bqolji32.exe 1596 Ccnifd32.exe 2056 Cncmcm32.exe 588 Cfoaho32.exe 316 Cmhjdiap.exe 1028 Ccbbachm.exe 2092 Cmkfji32.exe 2080 Cceogcfj.exe 2972 Cjogcm32.exe 2892 Ckpckece.exe 1772 Cbjlhpkb.exe 888 Cehhdkjf.exe 284 Dpnladjl.exe 1560 Dblhmoio.exe 1420 Dekdikhc.exe 1684 Dncibp32.exe 384 Daaenlng.exe 868 Dihmpinj.exe 1584 Djjjga32.exe 2384 Dbabho32.exe 2680 Deondj32.exe 3044 Dlifadkk.exe 2328 Dmkcil32.exe 552 Dafoikjb.exe 2324 Dfcgbb32.exe 2576 Dnjoco32.exe 836 Dahkok32.exe 2344 Dpklkgoj.exe 420 Ejaphpnp.exe 344 Emoldlmc.exe 692 Epnhpglg.exe 1380 Efhqmadd.exe 1424 Eifmimch.exe -
Loads dropped DLL 64 IoCs
pid Process 2280 667f9cf8ca2991199e78acde62eb3b50041d58672f8b4b4b2b635974e97e6b43N.exe 2280 667f9cf8ca2991199e78acde62eb3b50041d58672f8b4b4b2b635974e97e6b43N.exe 2716 Nlilqbgp.exe 2716 Nlilqbgp.exe 2916 Omhhke32.exe 2916 Omhhke32.exe 2352 Oecmogln.exe 2352 Oecmogln.exe 2516 Olmela32.exe 2516 Olmela32.exe 2736 Ojbbmnhc.exe 2736 Ojbbmnhc.exe 3008 Objjnkie.exe 3008 Objjnkie.exe 2116 Oflpgnld.exe 2116 Oflpgnld.exe 1608 Paaddgkj.exe 1608 Paaddgkj.exe 1652 Pdbmfb32.exe 1652 Pdbmfb32.exe 948 Pfpibn32.exe 948 Pfpibn32.exe 2372 Piabdiep.exe 2372 Piabdiep.exe 2100 Ppmgfb32.exe 2100 Ppmgfb32.exe 2216 Qhilkege.exe 2216 Qhilkege.exe 3024 Qaapcj32.exe 3024 Qaapcj32.exe 2860 Qkielpdf.exe 2860 Qkielpdf.exe 292 Aognbnkm.exe 292 Aognbnkm.exe 2476 Aphjjf32.exe 2476 Aphjjf32.exe 1664 Adfbpega.exe 1664 Adfbpega.exe 1036 Anogijnb.exe 1036 Anogijnb.exe 2260 Aejlnmkm.exe 2260 Aejlnmkm.exe 1532 Ajehnk32.exe 1532 Ajehnk32.exe 1876 Agihgp32.exe 1876 Agihgp32.exe 2428 Ajhddk32.exe 2428 Ajhddk32.exe 2460 Bcpimq32.exe 2460 Bcpimq32.exe 2668 Bfoeil32.exe 2668 Bfoeil32.exe 2660 Bogjaamh.exe 2660 Bogjaamh.exe 2840 Bknjfb32.exe 2840 Bknjfb32.exe 2676 Bnlgbnbp.exe 2676 Bnlgbnbp.exe 2536 Bdfooh32.exe 2536 Bdfooh32.exe 3000 Bdhleh32.exe 3000 Bdhleh32.exe 1756 Bkbdabog.exe 1756 Bkbdabog.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Kmkoadgf.dll Ieponofk.exe File created C:\Windows\SysWOW64\Ckmhkeef.dll Jpgmpk32.exe File opened for modification C:\Windows\SysWOW64\Kidjdpie.exe Kambcbhb.exe File created C:\Windows\SysWOW64\Kdbepm32.exe Kadica32.exe File created C:\Windows\SysWOW64\Gffdobll.dll Kbhbai32.exe File opened for modification C:\Windows\SysWOW64\Ajhddk32.exe Agihgp32.exe File created C:\Windows\SysWOW64\Injqmdki.exe Ikldqile.exe File created C:\Windows\SysWOW64\Bbjmif32.dll Aognbnkm.exe File created C:\Windows\SysWOW64\Pdbampij.dll Efljhq32.exe File opened for modification C:\Windows\SysWOW64\Kmkihbho.exe Kkmmlgik.exe File opened for modification C:\Windows\SysWOW64\Epbbkf32.exe Elgfkhpi.exe File opened for modification C:\Windows\SysWOW64\Elgfkhpi.exe Eihjolae.exe File created C:\Windows\SysWOW64\Iocgfhhc.exe Hmdkjmip.exe File opened for modification C:\Windows\SysWOW64\Iaimipjl.exe Injqmdki.exe File opened for modification C:\Windows\SysWOW64\Jimdcqom.exe Jfohgepi.exe File created C:\Windows\SysWOW64\Knfddo32.dll Jmkmjoec.exe File opened for modification C:\Windows\SysWOW64\Omhhke32.exe Nlilqbgp.exe File created C:\Windows\SysWOW64\Ehpcehcj.exe Eafkhn32.exe File created C:\Windows\SysWOW64\Dfggnkoj.dll Fmaeho32.exe File opened for modification C:\Windows\SysWOW64\Hgqlafap.exe Hqgddm32.exe File created C:\Windows\SysWOW64\Hffibceh.exe Hddmjk32.exe File opened for modification C:\Windows\SysWOW64\Hbofmcij.exe Hqnjek32.exe File created C:\Windows\SysWOW64\Klcgpkhh.exe Kidjdpie.exe File created C:\Windows\SysWOW64\Kocpbfei.exe Kjhcag32.exe File opened for modification C:\Windows\SysWOW64\Piabdiep.exe Pfpibn32.exe File opened for modification C:\Windows\SysWOW64\Goldfelp.exe Glnhjjml.exe File created C:\Windows\SysWOW64\Gaojnq32.exe Gncnmane.exe File opened for modification C:\Windows\SysWOW64\Jcnoejch.exe Japciodd.exe File created C:\Windows\SysWOW64\Pdjiflem.dll Dlifadkk.exe File opened for modification C:\Windows\SysWOW64\Efjmbaba.exe Ebnabb32.exe File opened for modification C:\Windows\SysWOW64\Dafoikjb.exe Dmkcil32.exe File created C:\Windows\SysWOW64\Piabdiep.exe Pfpibn32.exe File opened for modification C:\Windows\SysWOW64\Ccbbachm.exe Cmhjdiap.exe File created C:\Windows\SysWOW64\Mcbdnmap.dll Dpnladjl.exe File opened for modification C:\Windows\SysWOW64\Djjjga32.exe Dihmpinj.exe File opened for modification C:\Windows\SysWOW64\Deondj32.exe Dbabho32.exe File opened for modification C:\Windows\SysWOW64\Hmdkjmip.exe Hjfnnajl.exe File created C:\Windows\SysWOW64\Ikbilijo.dll Jbfilffm.exe File opened for modification C:\Windows\SysWOW64\Klcgpkhh.exe Kidjdpie.exe File created C:\Windows\SysWOW64\Hahkbf32.dll Bnlgbnbp.exe File opened for modification C:\Windows\SysWOW64\Hgnokgcc.exe Hdpcokdo.exe File created C:\Windows\SysWOW64\Ijcngenj.exe Icifjk32.exe File created C:\Windows\SysWOW64\Jnmiag32.exe Jmkmjoec.exe File opened for modification C:\Windows\SysWOW64\Kpieengb.exe Kmkihbho.exe File created C:\Windows\SysWOW64\Gefmcp32.exe Goldfelp.exe File opened for modification C:\Windows\SysWOW64\Dfcgbb32.exe Dafoikjb.exe File opened for modification C:\Windows\SysWOW64\Gefmcp32.exe Goldfelp.exe File opened for modification C:\Windows\SysWOW64\Gnfkba32.exe Gockgdeh.exe File created C:\Windows\SysWOW64\Hadcipbi.exe Hjmlhbbg.exe File created C:\Windows\SysWOW64\Mjmkeb32.dll Hmmdin32.exe File created C:\Windows\SysWOW64\Gkaobghp.dll Iknafhjb.exe File created C:\Windows\SysWOW64\Jbfilffm.exe Jpgmpk32.exe File created C:\Windows\SysWOW64\Obgmpo32.dll Bkbdabog.exe File opened for modification C:\Windows\SysWOW64\Lbjofi32.exe Lplbjm32.exe File created C:\Windows\SysWOW64\Cfoaho32.exe Cncmcm32.exe File created C:\Windows\SysWOW64\Qfomeb32.dll Gmhkin32.exe File opened for modification C:\Windows\SysWOW64\Hmmdin32.exe Hjohmbpd.exe File created C:\Windows\SysWOW64\Imbjcpnn.exe Ijcngenj.exe File opened for modification C:\Windows\SysWOW64\Aejlnmkm.exe Anogijnb.exe File opened for modification C:\Windows\SysWOW64\Efhqmadd.exe Epnhpglg.exe File opened for modification C:\Windows\SysWOW64\Gglbfg32.exe Ghibjjnk.exe File opened for modification C:\Windows\SysWOW64\Gqdgom32.exe Gnfkba32.exe File created C:\Windows\SysWOW64\Kqacnpdp.dll Hffibceh.exe File created C:\Windows\SysWOW64\Aejlnmkm.exe Anogijnb.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 3188 3164 WerFault.exe 215 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bkbdabog.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Daaenlng.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ehnfpifm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fdpgph32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hifbdnbi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ieponofk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iclbpj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Japciodd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kidjdpie.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Klcgpkhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dncibp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Deondj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dafoikjb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ghibjjnk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jipaip32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Adfbpega.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aejlnmkm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hgeelf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hqnjek32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iakino32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kbhbai32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oflpgnld.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ckpckece.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Flnlkgjq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kocpbfei.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dfcgbb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Glpepj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gkebafoa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ifmocb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jnagmc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kkmmlgik.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dmkcil32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gglbfg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hgqlafap.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 667f9cf8ca2991199e78acde62eb3b50041d58672f8b4b4b2b635974e97e6b43N.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Anogijnb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Elgfkhpi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iknafhjb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jfmkbebl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jikhnaao.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ajehnk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dbabho32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fihfnp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Agihgp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cfoaho32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Emoldlmc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fhbpkh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fkefbcmf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gehiioaj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jggoqimd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jhenjmbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fliook32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kdphjm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kfodfh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bogjaamh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Djjjga32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ifolhann.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aphjjf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ebnabb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fmaeho32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jimdcqom.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lbjofi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qkielpdf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dpnladjl.exe -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ijcngenj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Imbjcpnn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" 667f9cf8ca2991199e78acde62eb3b50041d58672f8b4b4b2b635974e97e6b43N.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Objjnkie.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aqgpml32.dll" Hjfnnajl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Igcphbih.dll" Bcpimq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hdpcokdo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hqkmplen.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Qaapcj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elcmpi32.dll" Dekdikhc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hmmdin32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Aejlnmkm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hqnjek32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Epbbkf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ljnfmlph.dll" Jcnoejch.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fhbpkh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fkaamgeg.dll" Injqmdki.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckmhkeef.dll" Jpgmpk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dbabho32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ellqil32.dll" Dafoikjb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ehnfpifm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jbfilffm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hapbpm32.dll" Jipaip32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cmhjdiap.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Eihjolae.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Glpepj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hjohmbpd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ajhddk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Cceogcfj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Fppaej32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Iipejmko.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jmegnj32.dll" Koaclfgl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gffdobll.dll" Kbhbai32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ooffgmde.dll" Pfpibn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fmcjcekp.dll" Fhbpkh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Gqdgom32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hgeelf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipjkcehe.dll" Omhhke32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bogjaamh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iddiakkl.dll" Hqkmplen.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jkcfefdg.dll" Qhilkege.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Acblbcob.dll" Dpklkgoj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eplpdepa.dll" Jnmiag32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kdphjm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkkiehdc.dll" Pdbmfb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dncibp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hjohmbpd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jimdcqom.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jbfilffm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Anogijnb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmnpam32.dll" Bfoeil32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nhpfip32.dll" Gehiioaj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fggmldfp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fppaej32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ifblipqh.dll" Imggplgm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Fakdcnhh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Gkebafoa.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ieponofk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Iipejmko.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Piabdiep.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oecfeg32.dll" Ajehnk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pofhpf32.dll" Cbjlhpkb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kocpbfei.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kadica32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2280 wrote to memory of 2716 2280 667f9cf8ca2991199e78acde62eb3b50041d58672f8b4b4b2b635974e97e6b43N.exe 30 PID 2280 wrote to memory of 2716 2280 667f9cf8ca2991199e78acde62eb3b50041d58672f8b4b4b2b635974e97e6b43N.exe 30 PID 2280 wrote to memory of 2716 2280 667f9cf8ca2991199e78acde62eb3b50041d58672f8b4b4b2b635974e97e6b43N.exe 30 PID 2280 wrote to memory of 2716 2280 667f9cf8ca2991199e78acde62eb3b50041d58672f8b4b4b2b635974e97e6b43N.exe 30 PID 2716 wrote to memory of 2916 2716 Nlilqbgp.exe 31 PID 2716 wrote to memory of 2916 2716 Nlilqbgp.exe 31 PID 2716 wrote to memory of 2916 2716 Nlilqbgp.exe 31 PID 2716 wrote to memory of 2916 2716 Nlilqbgp.exe 31 PID 2916 wrote to memory of 2352 2916 Omhhke32.exe 32 PID 2916 wrote to memory of 2352 2916 Omhhke32.exe 32 PID 2916 wrote to memory of 2352 2916 Omhhke32.exe 32 PID 2916 wrote to memory of 2352 2916 Omhhke32.exe 32 PID 2352 wrote to memory of 2516 2352 Oecmogln.exe 33 PID 2352 wrote to memory of 2516 2352 Oecmogln.exe 33 PID 2352 wrote to memory of 2516 2352 Oecmogln.exe 33 PID 2352 wrote to memory of 2516 2352 Oecmogln.exe 33 PID 2516 wrote to memory of 2736 2516 Olmela32.exe 34 PID 2516 wrote to memory of 2736 2516 Olmela32.exe 34 PID 2516 wrote to memory of 2736 2516 Olmela32.exe 34 PID 2516 wrote to memory of 2736 2516 Olmela32.exe 34 PID 2736 wrote to memory of 3008 2736 Ojbbmnhc.exe 35 PID 2736 wrote to memory of 3008 2736 Ojbbmnhc.exe 35 PID 2736 wrote to memory of 3008 2736 Ojbbmnhc.exe 35 PID 2736 wrote to memory of 3008 2736 Ojbbmnhc.exe 35 PID 3008 wrote to memory of 2116 3008 Objjnkie.exe 36 PID 3008 wrote to memory of 2116 3008 Objjnkie.exe 36 PID 3008 wrote to memory of 2116 3008 Objjnkie.exe 36 PID 3008 wrote to memory of 2116 3008 Objjnkie.exe 36 PID 2116 wrote to memory of 1608 2116 Oflpgnld.exe 37 PID 2116 wrote to memory of 1608 2116 Oflpgnld.exe 37 PID 2116 wrote to memory of 1608 2116 Oflpgnld.exe 37 PID 2116 wrote to memory of 1608 2116 Oflpgnld.exe 37 PID 1608 wrote to memory of 1652 1608 Paaddgkj.exe 38 PID 1608 wrote to memory of 1652 1608 Paaddgkj.exe 38 PID 1608 wrote to memory of 1652 1608 Paaddgkj.exe 38 PID 1608 wrote to memory of 1652 1608 Paaddgkj.exe 38 PID 1652 wrote to memory of 948 1652 Pdbmfb32.exe 39 PID 1652 wrote to memory of 948 1652 Pdbmfb32.exe 39 PID 1652 wrote to memory of 948 1652 Pdbmfb32.exe 39 PID 1652 wrote to memory of 948 1652 Pdbmfb32.exe 39 PID 948 wrote to memory of 2372 948 Pfpibn32.exe 40 PID 948 wrote to memory of 2372 948 Pfpibn32.exe 40 PID 948 wrote to memory of 2372 948 Pfpibn32.exe 40 PID 948 wrote to memory of 2372 948 Pfpibn32.exe 40 PID 2372 wrote to memory of 2100 2372 Piabdiep.exe 41 PID 2372 wrote to memory of 2100 2372 Piabdiep.exe 41 PID 2372 wrote to memory of 2100 2372 Piabdiep.exe 41 PID 2372 wrote to memory of 2100 2372 Piabdiep.exe 41 PID 2100 wrote to memory of 2216 2100 Ppmgfb32.exe 42 PID 2100 wrote to memory of 2216 2100 Ppmgfb32.exe 42 PID 2100 wrote to memory of 2216 2100 Ppmgfb32.exe 42 PID 2100 wrote to memory of 2216 2100 Ppmgfb32.exe 42 PID 2216 wrote to memory of 3024 2216 Qhilkege.exe 43 PID 2216 wrote to memory of 3024 2216 Qhilkege.exe 43 PID 2216 wrote to memory of 3024 2216 Qhilkege.exe 43 PID 2216 wrote to memory of 3024 2216 Qhilkege.exe 43 PID 3024 wrote to memory of 2860 3024 Qaapcj32.exe 44 PID 3024 wrote to memory of 2860 3024 Qaapcj32.exe 44 PID 3024 wrote to memory of 2860 3024 Qaapcj32.exe 44 PID 3024 wrote to memory of 2860 3024 Qaapcj32.exe 44 PID 2860 wrote to memory of 292 2860 Qkielpdf.exe 45 PID 2860 wrote to memory of 292 2860 Qkielpdf.exe 45 PID 2860 wrote to memory of 292 2860 Qkielpdf.exe 45 PID 2860 wrote to memory of 292 2860 Qkielpdf.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\667f9cf8ca2991199e78acde62eb3b50041d58672f8b4b4b2b635974e97e6b43N.exe"C:\Users\Admin\AppData\Local\Temp\667f9cf8ca2991199e78acde62eb3b50041d58672f8b4b4b2b635974e97e6b43N.exe"1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2280 -
C:\Windows\SysWOW64\Nlilqbgp.exeC:\Windows\system32\Nlilqbgp.exe2⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2716 -
C:\Windows\SysWOW64\Omhhke32.exeC:\Windows\system32\Omhhke32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2916 -
C:\Windows\SysWOW64\Oecmogln.exeC:\Windows\system32\Oecmogln.exe4⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2352 -
C:\Windows\SysWOW64\Olmela32.exeC:\Windows\system32\Olmela32.exe5⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2516 -
C:\Windows\SysWOW64\Ojbbmnhc.exeC:\Windows\system32\Ojbbmnhc.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2736 -
C:\Windows\SysWOW64\Objjnkie.exeC:\Windows\system32\Objjnkie.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3008 -
C:\Windows\SysWOW64\Oflpgnld.exeC:\Windows\system32\Oflpgnld.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2116 -
C:\Windows\SysWOW64\Paaddgkj.exeC:\Windows\system32\Paaddgkj.exe9⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1608 -
C:\Windows\SysWOW64\Pdbmfb32.exeC:\Windows\system32\Pdbmfb32.exe10⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1652 -
C:\Windows\SysWOW64\Pfpibn32.exeC:\Windows\system32\Pfpibn32.exe11⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:948 -
C:\Windows\SysWOW64\Piabdiep.exeC:\Windows\system32\Piabdiep.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2372 -
C:\Windows\SysWOW64\Ppmgfb32.exeC:\Windows\system32\Ppmgfb32.exe13⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2100 -
C:\Windows\SysWOW64\Qhilkege.exeC:\Windows\system32\Qhilkege.exe14⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2216 -
C:\Windows\SysWOW64\Qaapcj32.exeC:\Windows\system32\Qaapcj32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3024 -
C:\Windows\SysWOW64\Qkielpdf.exeC:\Windows\system32\Qkielpdf.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2860 -
C:\Windows\SysWOW64\Aognbnkm.exeC:\Windows\system32\Aognbnkm.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:292 -
C:\Windows\SysWOW64\Aphjjf32.exeC:\Windows\system32\Aphjjf32.exe18⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2476 -
C:\Windows\SysWOW64\Adfbpega.exeC:\Windows\system32\Adfbpega.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1664 -
C:\Windows\SysWOW64\Anogijnb.exeC:\Windows\system32\Anogijnb.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1036 -
C:\Windows\SysWOW64\Aejlnmkm.exeC:\Windows\system32\Aejlnmkm.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2260 -
C:\Windows\SysWOW64\Ajehnk32.exeC:\Windows\system32\Ajehnk32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1532 -
C:\Windows\SysWOW64\Agihgp32.exeC:\Windows\system32\Agihgp32.exe23⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1876 -
C:\Windows\SysWOW64\Ajhddk32.exeC:\Windows\system32\Ajhddk32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2428 -
C:\Windows\SysWOW64\Bcpimq32.exeC:\Windows\system32\Bcpimq32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2460 -
C:\Windows\SysWOW64\Bfoeil32.exeC:\Windows\system32\Bfoeil32.exe26⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2668 -
C:\Windows\SysWOW64\Bogjaamh.exeC:\Windows\system32\Bogjaamh.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2660 -
C:\Windows\SysWOW64\Bknjfb32.exeC:\Windows\system32\Bknjfb32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2840 -
C:\Windows\SysWOW64\Bnlgbnbp.exeC:\Windows\system32\Bnlgbnbp.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2676 -
C:\Windows\SysWOW64\Bdfooh32.exeC:\Windows\system32\Bdfooh32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2536 -
C:\Windows\SysWOW64\Bdhleh32.exeC:\Windows\system32\Bdhleh32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3000 -
C:\Windows\SysWOW64\Bkbdabog.exeC:\Windows\system32\Bkbdabog.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1756 -
C:\Windows\SysWOW64\Bqolji32.exeC:\Windows\system32\Bqolji32.exe33⤵
- Executes dropped EXE
PID:2112 -
C:\Windows\SysWOW64\Ccnifd32.exeC:\Windows\system32\Ccnifd32.exe34⤵
- Executes dropped EXE
PID:1596 -
C:\Windows\SysWOW64\Cncmcm32.exeC:\Windows\system32\Cncmcm32.exe35⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2056 -
C:\Windows\SysWOW64\Cfoaho32.exeC:\Windows\system32\Cfoaho32.exe36⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:588 -
C:\Windows\SysWOW64\Cmhjdiap.exeC:\Windows\system32\Cmhjdiap.exe37⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:316 -
C:\Windows\SysWOW64\Ccbbachm.exeC:\Windows\system32\Ccbbachm.exe38⤵
- Executes dropped EXE
PID:1028 -
C:\Windows\SysWOW64\Cmkfji32.exeC:\Windows\system32\Cmkfji32.exe39⤵
- Executes dropped EXE
PID:2092 -
C:\Windows\SysWOW64\Cceogcfj.exeC:\Windows\system32\Cceogcfj.exe40⤵
- Executes dropped EXE
- Modifies registry class
PID:2080 -
C:\Windows\SysWOW64\Cjogcm32.exeC:\Windows\system32\Cjogcm32.exe41⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2972 -
C:\Windows\SysWOW64\Ckpckece.exeC:\Windows\system32\Ckpckece.exe42⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2892 -
C:\Windows\SysWOW64\Cbjlhpkb.exeC:\Windows\system32\Cbjlhpkb.exe43⤵
- Executes dropped EXE
- Modifies registry class
PID:1772 -
C:\Windows\SysWOW64\Cehhdkjf.exeC:\Windows\system32\Cehhdkjf.exe44⤵
- Executes dropped EXE
PID:888 -
C:\Windows\SysWOW64\Dpnladjl.exeC:\Windows\system32\Dpnladjl.exe45⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:284 -
C:\Windows\SysWOW64\Dblhmoio.exeC:\Windows\system32\Dblhmoio.exe46⤵
- Executes dropped EXE
PID:1560 -
C:\Windows\SysWOW64\Dekdikhc.exeC:\Windows\system32\Dekdikhc.exe47⤵
- Executes dropped EXE
- Modifies registry class
PID:1420 -
C:\Windows\SysWOW64\Dncibp32.exeC:\Windows\system32\Dncibp32.exe48⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1684 -
C:\Windows\SysWOW64\Daaenlng.exeC:\Windows\system32\Daaenlng.exe49⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:384 -
C:\Windows\SysWOW64\Dihmpinj.exeC:\Windows\system32\Dihmpinj.exe50⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:868 -
C:\Windows\SysWOW64\Djjjga32.exeC:\Windows\system32\Djjjga32.exe51⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1584 -
C:\Windows\SysWOW64\Dbabho32.exeC:\Windows\system32\Dbabho32.exe52⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2384 -
C:\Windows\SysWOW64\Deondj32.exeC:\Windows\system32\Deondj32.exe53⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2680 -
C:\Windows\SysWOW64\Dlifadkk.exeC:\Windows\system32\Dlifadkk.exe54⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3044 -
C:\Windows\SysWOW64\Dmkcil32.exeC:\Windows\system32\Dmkcil32.exe55⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2328 -
C:\Windows\SysWOW64\Dafoikjb.exeC:\Windows\system32\Dafoikjb.exe56⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:552 -
C:\Windows\SysWOW64\Dfcgbb32.exeC:\Windows\system32\Dfcgbb32.exe57⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2324 -
C:\Windows\SysWOW64\Dnjoco32.exeC:\Windows\system32\Dnjoco32.exe58⤵
- Executes dropped EXE
PID:2576 -
C:\Windows\SysWOW64\Dahkok32.exeC:\Windows\system32\Dahkok32.exe59⤵
- Executes dropped EXE
PID:836 -
C:\Windows\SysWOW64\Dpklkgoj.exeC:\Windows\system32\Dpklkgoj.exe60⤵
- Executes dropped EXE
- Modifies registry class
PID:2344 -
C:\Windows\SysWOW64\Ejaphpnp.exeC:\Windows\system32\Ejaphpnp.exe61⤵
- Executes dropped EXE
PID:420 -
C:\Windows\SysWOW64\Emoldlmc.exeC:\Windows\system32\Emoldlmc.exe62⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:344 -
C:\Windows\SysWOW64\Epnhpglg.exeC:\Windows\system32\Epnhpglg.exe63⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:692 -
C:\Windows\SysWOW64\Efhqmadd.exeC:\Windows\system32\Efhqmadd.exe64⤵
- Executes dropped EXE
PID:1380 -
C:\Windows\SysWOW64\Eifmimch.exeC:\Windows\system32\Eifmimch.exe65⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1424 -
C:\Windows\SysWOW64\Eppefg32.exeC:\Windows\system32\Eppefg32.exe66⤵PID:3052
-
C:\Windows\SysWOW64\Ebnabb32.exeC:\Windows\system32\Ebnabb32.exe67⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1752 -
C:\Windows\SysWOW64\Efjmbaba.exeC:\Windows\system32\Efjmbaba.exe68⤵PID:880
-
C:\Windows\SysWOW64\Eihjolae.exeC:\Windows\system32\Eihjolae.exe69⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:1976 -
C:\Windows\SysWOW64\Elgfkhpi.exeC:\Windows\system32\Elgfkhpi.exe70⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2740 -
C:\Windows\SysWOW64\Epbbkf32.exeC:\Windows\system32\Epbbkf32.exe71⤵
- Modifies registry class
PID:2616 -
C:\Windows\SysWOW64\Efljhq32.exeC:\Windows\system32\Efljhq32.exe72⤵
- Drops file in System32 directory
PID:2828 -
C:\Windows\SysWOW64\Eikfdl32.exeC:\Windows\system32\Eikfdl32.exe73⤵PID:2732
-
C:\Windows\SysWOW64\Ehnfpifm.exeC:\Windows\system32\Ehnfpifm.exe74⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2776 -
C:\Windows\SysWOW64\Elibpg32.exeC:\Windows\system32\Elibpg32.exe75⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2396 -
C:\Windows\SysWOW64\Eafkhn32.exeC:\Windows\system32\Eafkhn32.exe76⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:1748 -
C:\Windows\SysWOW64\Ehpcehcj.exeC:\Windows\system32\Ehpcehcj.exe77⤵PID:1248
-
C:\Windows\SysWOW64\Fbegbacp.exeC:\Windows\system32\Fbegbacp.exe78⤵PID:1600
-
C:\Windows\SysWOW64\Fhbpkh32.exeC:\Windows\system32\Fhbpkh32.exe79⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2152 -
C:\Windows\SysWOW64\Flnlkgjq.exeC:\Windows\system32\Flnlkgjq.exe80⤵
- System Location Discovery: System Language Discovery
PID:2212 -
C:\Windows\SysWOW64\Fmohco32.exeC:\Windows\system32\Fmohco32.exe81⤵PID:1820
-
C:\Windows\SysWOW64\Fakdcnhh.exeC:\Windows\system32\Fakdcnhh.exe82⤵
- Modifies registry class
PID:1592 -
C:\Windows\SysWOW64\Fggmldfp.exeC:\Windows\system32\Fggmldfp.exe83⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:1768 -
C:\Windows\SysWOW64\Fkcilc32.exeC:\Windows\system32\Fkcilc32.exe84⤵PID:1524
-
C:\Windows\SysWOW64\Fmaeho32.exeC:\Windows\system32\Fmaeho32.exe85⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2264 -
C:\Windows\SysWOW64\Fppaej32.exeC:\Windows\system32\Fppaej32.exe86⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:876 -
C:\Windows\SysWOW64\Fkefbcmf.exeC:\Windows\system32\Fkefbcmf.exe87⤵
- System Location Discovery: System Language Discovery
PID:1968 -
C:\Windows\SysWOW64\Fihfnp32.exeC:\Windows\system32\Fihfnp32.exe88⤵
- System Location Discovery: System Language Discovery
PID:2052 -
C:\Windows\SysWOW64\Fpbnjjkm.exeC:\Windows\system32\Fpbnjjkm.exe89⤵PID:2696
-
C:\Windows\SysWOW64\Fcqjfeja.exeC:\Windows\system32\Fcqjfeja.exe90⤵PID:2548
-
C:\Windows\SysWOW64\Fliook32.exeC:\Windows\system32\Fliook32.exe91⤵
- System Location Discovery: System Language Discovery
PID:2564 -
C:\Windows\SysWOW64\Fdpgph32.exeC:\Windows\system32\Fdpgph32.exe92⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:1636 -
C:\Windows\SysWOW64\Fgocmc32.exeC:\Windows\system32\Fgocmc32.exe93⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2700 -
C:\Windows\SysWOW64\Gmhkin32.exeC:\Windows\system32\Gmhkin32.exe94⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2332 -
C:\Windows\SysWOW64\Gecpnp32.exeC:\Windows\system32\Gecpnp32.exe95⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1824 -
C:\Windows\SysWOW64\Glnhjjml.exeC:\Windows\system32\Glnhjjml.exe96⤵
- Drops file in System32 directory
PID:444 -
C:\Windows\SysWOW64\Goldfelp.exeC:\Windows\system32\Goldfelp.exe97⤵
- Drops file in System32 directory
PID:1316 -
C:\Windows\SysWOW64\Gefmcp32.exeC:\Windows\system32\Gefmcp32.exe98⤵PID:1872
-
C:\Windows\SysWOW64\Giaidnkf.exeC:\Windows\system32\Giaidnkf.exe99⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1528 -
C:\Windows\SysWOW64\Glpepj32.exeC:\Windows\system32\Glpepj32.exe100⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2108 -
C:\Windows\SysWOW64\Gonale32.exeC:\Windows\system32\Gonale32.exe101⤵PID:2900
-
C:\Windows\SysWOW64\Gamnhq32.exeC:\Windows\system32\Gamnhq32.exe102⤵PID:2276
-
C:\Windows\SysWOW64\Gehiioaj.exeC:\Windows\system32\Gehiioaj.exe103⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1632 -
C:\Windows\SysWOW64\Glbaei32.exeC:\Windows\system32\Glbaei32.exe104⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1980 -
C:\Windows\SysWOW64\Gkebafoa.exeC:\Windows\system32\Gkebafoa.exe105⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2364 -
C:\Windows\SysWOW64\Gncnmane.exeC:\Windows\system32\Gncnmane.exe106⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2748 -
C:\Windows\SysWOW64\Gaojnq32.exeC:\Windows\system32\Gaojnq32.exe107⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2568 -
C:\Windows\SysWOW64\Ghibjjnk.exeC:\Windows\system32\Ghibjjnk.exe108⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2532 -
C:\Windows\SysWOW64\Gglbfg32.exeC:\Windows\system32\Gglbfg32.exe109⤵
- System Location Discovery: System Language Discovery
PID:2316 -
C:\Windows\SysWOW64\Gockgdeh.exeC:\Windows\system32\Gockgdeh.exe110⤵
- Drops file in System32 directory
PID:1520 -
C:\Windows\SysWOW64\Gnfkba32.exeC:\Windows\system32\Gnfkba32.exe111⤵
- Drops file in System32 directory
PID:1656 -
C:\Windows\SysWOW64\Gqdgom32.exeC:\Windows\system32\Gqdgom32.exe112⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:616 -
C:\Windows\SysWOW64\Hdpcokdo.exeC:\Windows\system32\Hdpcokdo.exe113⤵
- Drops file in System32 directory
- Modifies registry class
PID:2208 -
C:\Windows\SysWOW64\Hgnokgcc.exeC:\Windows\system32\Hgnokgcc.exe114⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2240 -
C:\Windows\SysWOW64\Hjmlhbbg.exeC:\Windows\system32\Hjmlhbbg.exe115⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:896 -
C:\Windows\SysWOW64\Hadcipbi.exeC:\Windows\system32\Hadcipbi.exe116⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2004 -
C:\Windows\SysWOW64\Hqgddm32.exeC:\Windows\system32\Hqgddm32.exe117⤵
- Drops file in System32 directory
PID:2912 -
C:\Windows\SysWOW64\Hgqlafap.exeC:\Windows\system32\Hgqlafap.exe118⤵
- System Location Discovery: System Language Discovery
PID:3048 -
C:\Windows\SysWOW64\Hjohmbpd.exeC:\Windows\system32\Hjohmbpd.exe119⤵
- Drops file in System32 directory
- Modifies registry class
PID:1964 -
C:\Windows\SysWOW64\Hmmdin32.exeC:\Windows\system32\Hmmdin32.exe120⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:2664 -
C:\Windows\SysWOW64\Hddmjk32.exeC:\Windows\system32\Hddmjk32.exe121⤵
- Drops file in System32 directory
PID:2524 -
C:\Windows\SysWOW64\Hffibceh.exeC:\Windows\system32\Hffibceh.exe122⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2896
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-