Analysis
-
max time kernel
118s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
21-11-2024 09:01
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
d3d5d8b2b12da657d57f7edd300b20b54a3fc702b7e726a3a66bf9c93037c6e9.exe
Resource
win7-20240903-en
windows7-x64
8 signatures
150 seconds
Behavioral task
behavioral2
Sample
d3d5d8b2b12da657d57f7edd300b20b54a3fc702b7e726a3a66bf9c93037c6e9.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
7 signatures
150 seconds
General
-
Target
d3d5d8b2b12da657d57f7edd300b20b54a3fc702b7e726a3a66bf9c93037c6e9.exe
-
Size
295KB
-
MD5
df72a8c3887384037ec785d0b356713f
-
SHA1
921fd08d78dd367b90900a36cd0aeac8087cba35
-
SHA256
d3d5d8b2b12da657d57f7edd300b20b54a3fc702b7e726a3a66bf9c93037c6e9
-
SHA512
e196f71196dd990571db87d92c5589970d83fd8ea93c2f07e477d6aecf68ab8f8d22e2f9c219c5df06aac5b7d82b0f3850959d83fc10b9695082da2645ed60ee
-
SSDEEP
6144:TKqPV24dE8tOZt9WFLs1PY1PRe19V+tbFOLM77OLY:OiFdE8tOHAFA6fe0tsNM
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Paggce32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Macjgadf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ogofkm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Flcojeak.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gpjmnh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Qcmkhi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Anadojlo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fggmldfp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pfkimhhi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Geqlnjcf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bhjneadb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kngekdnf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Enngdgim.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fijnabef.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kfaalh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mojbaham.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jfaeme32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Egmbnkie.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pchbmigj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ikgkei32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pbdipa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mjfphf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nbhkmg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Imogcj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kiecgo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Macjgadf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Afeaei32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bnlgbnbp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ieibdnnp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gamifcmi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Oodjjign.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Japciodd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ehmpeb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pidaba32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bhndnpnp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Knohpo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gajlac32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lmalgq32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lgnjke32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kpfbegei.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fllaopcg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fpbqcb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Iebldo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dcageqgm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jcikog32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cnlnpd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Odkgec32.exe -
Executes dropped EXE 64 IoCs
pid Process 2744 Nlilqbgp.exe 2916 Ncpdbohb.exe 2884 Ofnpnkgf.exe 2572 Onlahm32.exe 2988 Olpbaa32.exe 1756 Odkgec32.exe 2112 Oaogognm.exe 272 Oflpgnld.exe 1504 Phklaacg.exe 588 Pmhejhao.exe 2332 Pioeoi32.exe 568 Pbgjgomc.exe 2192 Piabdiep.exe 444 Plbkfdba.exe 1984 Ppmgfb32.exe 2488 Qkghgpfi.exe 1768 Aacmij32.exe 1512 Agpeaa32.exe 1424 Aphjjf32.exe 2264 Ahpbkd32.exe 3052 Adfbpega.exe 384 Ageompfe.exe 2844 Anogijnb.exe 2292 Aejlnmkm.exe 1584 Anadojlo.exe 1576 Ajhddk32.exe 2156 Bfoeil32.exe 2828 Blinefnd.exe 2560 Bogjaamh.exe 2736 Blkjkflb.exe 1728 Bnlgbnbp.exe 2396 Bfcodkcb.exe 372 Bqmpdioa.exe 1604 Bgghac32.exe 1780 Bnapnm32.exe 1700 Bqolji32.exe 744 Ccnifd32.exe 532 Cncmcm32.exe 592 Cqaiph32.exe 3032 Cjjnhnbl.exe 1772 Cogfqe32.exe 2860 Cfanmogq.exe 1316 Cmkfji32.exe 2228 Cceogcfj.exe 1560 Cmmcpi32.exe 1156 Cbjlhpkb.exe 1344 Cidddj32.exe 1324 Dpnladjl.exe 868 Dnqlmq32.exe 2644 Difqji32.exe 2660 Dkdmfe32.exe 3040 Dboeco32.exe 2580 Demaoj32.exe 2792 Djjjga32.exe 552 Dadbdkld.exe 1692 Dgnjqe32.exe 1028 Djlfma32.exe 340 Dmkcil32.exe 540 Deakjjbk.exe 1276 Djocbqpb.exe 344 Dnjoco32.exe 692 Dahkok32.exe 2912 Dhbdleol.exe 2320 Ejaphpnp.exe -
Loads dropped DLL 64 IoCs
pid Process 3064 d3d5d8b2b12da657d57f7edd300b20b54a3fc702b7e726a3a66bf9c93037c6e9.exe 3064 d3d5d8b2b12da657d57f7edd300b20b54a3fc702b7e726a3a66bf9c93037c6e9.exe 2744 Nlilqbgp.exe 2744 Nlilqbgp.exe 2916 Ncpdbohb.exe 2916 Ncpdbohb.exe 2884 Ofnpnkgf.exe 2884 Ofnpnkgf.exe 2572 Onlahm32.exe 2572 Onlahm32.exe 2988 Olpbaa32.exe 2988 Olpbaa32.exe 1756 Odkgec32.exe 1756 Odkgec32.exe 2112 Oaogognm.exe 2112 Oaogognm.exe 272 Oflpgnld.exe 272 Oflpgnld.exe 1504 Phklaacg.exe 1504 Phklaacg.exe 588 Pmhejhao.exe 588 Pmhejhao.exe 2332 Pioeoi32.exe 2332 Pioeoi32.exe 568 Pbgjgomc.exe 568 Pbgjgomc.exe 2192 Piabdiep.exe 2192 Piabdiep.exe 444 Plbkfdba.exe 444 Plbkfdba.exe 1984 Ppmgfb32.exe 1984 Ppmgfb32.exe 2488 Qkghgpfi.exe 2488 Qkghgpfi.exe 1768 Aacmij32.exe 1768 Aacmij32.exe 1512 Agpeaa32.exe 1512 Agpeaa32.exe 1424 Aphjjf32.exe 1424 Aphjjf32.exe 2264 Ahpbkd32.exe 2264 Ahpbkd32.exe 3052 Adfbpega.exe 3052 Adfbpega.exe 384 Ageompfe.exe 384 Ageompfe.exe 2844 Anogijnb.exe 2844 Anogijnb.exe 2292 Aejlnmkm.exe 2292 Aejlnmkm.exe 1584 Anadojlo.exe 1584 Anadojlo.exe 1576 Ajhddk32.exe 1576 Ajhddk32.exe 2156 Bfoeil32.exe 2156 Bfoeil32.exe 2828 Blinefnd.exe 2828 Blinefnd.exe 2560 Bogjaamh.exe 2560 Bogjaamh.exe 2736 Blkjkflb.exe 2736 Blkjkflb.exe 1728 Bnlgbnbp.exe 1728 Bnlgbnbp.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Bnfbaa32.dll Iemalkgd.exe File opened for modification C:\Windows\SysWOW64\Ckfeic32.exe Process not Found File created C:\Windows\SysWOW64\Fkpeem32.dll Ghgfekpn.exe File opened for modification C:\Windows\SysWOW64\Nbfnggeo.exe Nohaklfk.exe File created C:\Windows\SysWOW64\Allgoa32.exe Ainkcf32.exe File created C:\Windows\SysWOW64\Flabdecn.exe Ficehj32.exe File opened for modification C:\Windows\SysWOW64\Bfgdmjlp.exe Bchhqo32.exe File created C:\Windows\SysWOW64\Lficmm32.dll Amglgn32.exe File created C:\Windows\SysWOW64\Jnpojnle.dll Oflpgnld.exe File created C:\Windows\SysWOW64\Iegeonpc.exe Ibhicbao.exe File created C:\Windows\SysWOW64\Bkhjamcf.exe Bhjneadb.exe File opened for modification C:\Windows\SysWOW64\Afndjdpe.exe Acohnhab.exe File opened for modification C:\Windows\SysWOW64\Hhfmbq32.exe Process not Found File created C:\Windows\SysWOW64\Oemhjlha.exe Process not Found File created C:\Windows\SysWOW64\Aodkcd32.dll Process not Found File created C:\Windows\SysWOW64\Igmaaacj.dll Pepfnd32.exe File created C:\Windows\SysWOW64\Kigpbioo.dll Pflbpg32.exe File opened for modification C:\Windows\SysWOW64\Lffmpp32.exe Lchqcd32.exe File opened for modification C:\Windows\SysWOW64\Qjgcecja.exe Qfkgdd32.exe File opened for modification C:\Windows\SysWOW64\Npkdnnfk.exe Nnlhab32.exe File created C:\Windows\SysWOW64\Nqpmimbe.exe Nhhehpbc.exe File created C:\Windows\SysWOW64\Dafikqcd.dll Aalofa32.exe File created C:\Windows\SysWOW64\Eajkip32.dll Ceickb32.exe File opened for modification C:\Windows\SysWOW64\Ehpcehcj.exe Eimcjl32.exe File opened for modification C:\Windows\SysWOW64\Hoqjqhjf.exe Hifbdnbi.exe File opened for modification C:\Windows\SysWOW64\Cbpbgk32.exe Ckfjjqhd.exe File created C:\Windows\SysWOW64\Mehpga32.exe Mcidkf32.exe File created C:\Windows\SysWOW64\Dekeeonn.exe Process not Found File opened for modification C:\Windows\SysWOW64\Gbmoceol.exe Process not Found File created C:\Windows\SysWOW64\Cmmlkk32.dll Process not Found File created C:\Windows\SysWOW64\Ibkhgp32.dll Manjaldo.exe File created C:\Windows\SysWOW64\Edelakoq.exe Process not Found File created C:\Windows\SysWOW64\Engeeehn.dll Cfanmogq.exe File opened for modification C:\Windows\SysWOW64\Klecfkff.exe Kekkiq32.exe File opened for modification C:\Windows\SysWOW64\Ckfjjqhd.exe Clciod32.exe File opened for modification C:\Windows\SysWOW64\Aldfcpjn.exe Afgnkilf.exe File opened for modification C:\Windows\SysWOW64\Facfpddd.exe Flfnhnfm.exe File created C:\Windows\SysWOW64\Kjhhabcc.dll Process not Found File created C:\Windows\SysWOW64\Cgobcd32.exe Process not Found File created C:\Windows\SysWOW64\Kccian32.exe Process not Found File created C:\Windows\SysWOW64\Ppmgfb32.exe Plbkfdba.exe File opened for modification C:\Windows\SysWOW64\Lcadghnk.exe Llgljn32.exe File opened for modification C:\Windows\SysWOW64\Cfknhi32.exe Cbpbgk32.exe File created C:\Windows\SysWOW64\Domfmiic.dll Mkdbea32.exe File created C:\Windows\SysWOW64\Imggplgm.exe Iikkon32.exe File opened for modification C:\Windows\SysWOW64\Opodknco.exe Omphocck.exe File created C:\Windows\SysWOW64\Elmabenf.dll Process not Found File created C:\Windows\SysWOW64\Nbilhkig.exe Process not Found File created C:\Windows\SysWOW64\Llbnnq32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Fgcdlj32.exe Process not Found File created C:\Windows\SysWOW64\Hgabfa32.dll Process not Found File created C:\Windows\SysWOW64\Ljnfmlph.dll Jgjkfi32.exe File created C:\Windows\SysWOW64\Mfdgjene.dll Nphghn32.exe File opened for modification C:\Windows\SysWOW64\Ngeljh32.exe Npkdnnfk.exe File created C:\Windows\SysWOW64\Necdin32.dll Cpiaipmh.exe File created C:\Windows\SysWOW64\Ncpdbohb.exe Nlilqbgp.exe File opened for modification C:\Windows\SysWOW64\Jjfkmdlg.exe Jggoqimd.exe File opened for modification C:\Windows\SysWOW64\Jgkdigfa.exe Jelhmlgm.exe File created C:\Windows\SysWOW64\Ljfnnkkc.dll Process not Found File created C:\Windows\SysWOW64\Ockinl32.exe Oehicoom.exe File opened for modification C:\Windows\SysWOW64\Cdpdnpif.exe Clilmbhd.exe File opened for modification C:\Windows\SysWOW64\Hflndjin.exe Process not Found File created C:\Windows\SysWOW64\Kqqdjceh.exe Process not Found File created C:\Windows\SysWOW64\Cbjlhpkb.exe Cmmcpi32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 5676 5804 Process not Found 1496 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gockgdeh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jgjkfi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jjjdhc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kdphjm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Flfnhnfm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gcjmmdbf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ejabqi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oqjibkek.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ajipkb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Djocbqpb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fllaopcg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qdlipplq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ejabqi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kghmhegc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mohhea32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Apfici32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ijlaloaf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ibibfa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oknhdjko.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hnkffi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Amglgn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kageia32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dqinhcoc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Efjpkj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cmmcpi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iknafhjb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ejklan32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bacefpbg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fkcilc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bfgdmjlp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dnfhqi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gbjpem32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bhjpnj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ghibjjnk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lpaehl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pidaba32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eldiehbk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ndicnb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ojceef32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hofjem32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qmcclolh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bgghac32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hmfmkjdf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Keiqlihp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ofjgaf32.dll" Qigebglj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Chjjde32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Efoifiep.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Egpena32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nomklqkm.dll" Jibpghbk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ecoihm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Fmlglb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eejnjgnc.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hiqaih32.dll" Goiafp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ekghcq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dkolfk32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iqdekgib.dll" Dadbdkld.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Lcmklh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pnfpjc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ajipkb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gqaaok32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jocfacia.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ojmklbll.dll" Ebnabb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Daadna32.dll" Hclfag32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Nbfnggeo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kickkg32.dll" Icbipe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Iblola32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ppkmjlca.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Obaqda32.dll" Dlhaaogd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Engeeehn.dll" Cfanmogq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pcmoie32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ahfgbkpl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hfglml32.dll" Bqolji32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Eldiehbk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hdefnjkj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Cpgecq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lknpan32.dll" Kndbko32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdkiinlj.dll" Pijgbl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffffpb32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fimoek32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ckiiiine.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pfpgeall.dll" Eejjnhgc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bflpbe32.dll" Pfnoegaf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dpbffcca.dll" Blgcio32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hdpehd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jcckibfg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Llebnfpe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Phgjeonp.dll" Djeljd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Elaeeb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dmcnpjhd.dll" Gckfpc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Akpcdopi.dll" Blkmdodf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jcandb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kidjdpie.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Knohabdl.dll" Aljjjb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ckfjjqhd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Gbmlkl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Defhonof.dll" Pjpmdd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dhafjd32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ikmfgnde.dll" Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3064 wrote to memory of 2744 3064 d3d5d8b2b12da657d57f7edd300b20b54a3fc702b7e726a3a66bf9c93037c6e9.exe 30 PID 3064 wrote to memory of 2744 3064 d3d5d8b2b12da657d57f7edd300b20b54a3fc702b7e726a3a66bf9c93037c6e9.exe 30 PID 3064 wrote to memory of 2744 3064 d3d5d8b2b12da657d57f7edd300b20b54a3fc702b7e726a3a66bf9c93037c6e9.exe 30 PID 3064 wrote to memory of 2744 3064 d3d5d8b2b12da657d57f7edd300b20b54a3fc702b7e726a3a66bf9c93037c6e9.exe 30 PID 2744 wrote to memory of 2916 2744 Nlilqbgp.exe 31 PID 2744 wrote to memory of 2916 2744 Nlilqbgp.exe 31 PID 2744 wrote to memory of 2916 2744 Nlilqbgp.exe 31 PID 2744 wrote to memory of 2916 2744 Nlilqbgp.exe 31 PID 2916 wrote to memory of 2884 2916 Ncpdbohb.exe 32 PID 2916 wrote to memory of 2884 2916 Ncpdbohb.exe 32 PID 2916 wrote to memory of 2884 2916 Ncpdbohb.exe 32 PID 2916 wrote to memory of 2884 2916 Ncpdbohb.exe 32 PID 2884 wrote to memory of 2572 2884 Ofnpnkgf.exe 33 PID 2884 wrote to memory of 2572 2884 Ofnpnkgf.exe 33 PID 2884 wrote to memory of 2572 2884 Ofnpnkgf.exe 33 PID 2884 wrote to memory of 2572 2884 Ofnpnkgf.exe 33 PID 2572 wrote to memory of 2988 2572 Onlahm32.exe 34 PID 2572 wrote to memory of 2988 2572 Onlahm32.exe 34 PID 2572 wrote to memory of 2988 2572 Onlahm32.exe 34 PID 2572 wrote to memory of 2988 2572 Onlahm32.exe 34 PID 2988 wrote to memory of 1756 2988 Olpbaa32.exe 35 PID 2988 wrote to memory of 1756 2988 Olpbaa32.exe 35 PID 2988 wrote to memory of 1756 2988 Olpbaa32.exe 35 PID 2988 wrote to memory of 1756 2988 Olpbaa32.exe 35 PID 1756 wrote to memory of 2112 1756 Odkgec32.exe 36 PID 1756 wrote to memory of 2112 1756 Odkgec32.exe 36 PID 1756 wrote to memory of 2112 1756 Odkgec32.exe 36 PID 1756 wrote to memory of 2112 1756 Odkgec32.exe 36 PID 2112 wrote to memory of 272 2112 Oaogognm.exe 37 PID 2112 wrote to memory of 272 2112 Oaogognm.exe 37 PID 2112 wrote to memory of 272 2112 Oaogognm.exe 37 PID 2112 wrote to memory of 272 2112 Oaogognm.exe 37 PID 272 wrote to memory of 1504 272 Oflpgnld.exe 38 PID 272 wrote to memory of 1504 272 Oflpgnld.exe 38 PID 272 wrote to memory of 1504 272 Oflpgnld.exe 38 PID 272 wrote to memory of 1504 272 Oflpgnld.exe 38 PID 1504 wrote to memory of 588 1504 Phklaacg.exe 39 PID 1504 wrote to memory of 588 1504 Phklaacg.exe 39 PID 1504 wrote to memory of 588 1504 Phklaacg.exe 39 PID 1504 wrote to memory of 588 1504 Phklaacg.exe 39 PID 588 wrote to memory of 2332 588 Pmhejhao.exe 40 PID 588 wrote to memory of 2332 588 Pmhejhao.exe 40 PID 588 wrote to memory of 2332 588 Pmhejhao.exe 40 PID 588 wrote to memory of 2332 588 Pmhejhao.exe 40 PID 2332 wrote to memory of 568 2332 Pioeoi32.exe 41 PID 2332 wrote to memory of 568 2332 Pioeoi32.exe 41 PID 2332 wrote to memory of 568 2332 Pioeoi32.exe 41 PID 2332 wrote to memory of 568 2332 Pioeoi32.exe 41 PID 568 wrote to memory of 2192 568 Pbgjgomc.exe 42 PID 568 wrote to memory of 2192 568 Pbgjgomc.exe 42 PID 568 wrote to memory of 2192 568 Pbgjgomc.exe 42 PID 568 wrote to memory of 2192 568 Pbgjgomc.exe 42 PID 2192 wrote to memory of 444 2192 Piabdiep.exe 43 PID 2192 wrote to memory of 444 2192 Piabdiep.exe 43 PID 2192 wrote to memory of 444 2192 Piabdiep.exe 43 PID 2192 wrote to memory of 444 2192 Piabdiep.exe 43 PID 444 wrote to memory of 1984 444 Plbkfdba.exe 44 PID 444 wrote to memory of 1984 444 Plbkfdba.exe 44 PID 444 wrote to memory of 1984 444 Plbkfdba.exe 44 PID 444 wrote to memory of 1984 444 Plbkfdba.exe 44 PID 1984 wrote to memory of 2488 1984 Ppmgfb32.exe 45 PID 1984 wrote to memory of 2488 1984 Ppmgfb32.exe 45 PID 1984 wrote to memory of 2488 1984 Ppmgfb32.exe 45 PID 1984 wrote to memory of 2488 1984 Ppmgfb32.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\d3d5d8b2b12da657d57f7edd300b20b54a3fc702b7e726a3a66bf9c93037c6e9.exe"C:\Users\Admin\AppData\Local\Temp\d3d5d8b2b12da657d57f7edd300b20b54a3fc702b7e726a3a66bf9c93037c6e9.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3064 -
C:\Windows\SysWOW64\Nlilqbgp.exeC:\Windows\system32\Nlilqbgp.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2744 -
C:\Windows\SysWOW64\Ncpdbohb.exeC:\Windows\system32\Ncpdbohb.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2916 -
C:\Windows\SysWOW64\Ofnpnkgf.exeC:\Windows\system32\Ofnpnkgf.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2884 -
C:\Windows\SysWOW64\Onlahm32.exeC:\Windows\system32\Onlahm32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2572 -
C:\Windows\SysWOW64\Olpbaa32.exeC:\Windows\system32\Olpbaa32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2988 -
C:\Windows\SysWOW64\Odkgec32.exeC:\Windows\system32\Odkgec32.exe7⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1756 -
C:\Windows\SysWOW64\Oaogognm.exeC:\Windows\system32\Oaogognm.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2112 -
C:\Windows\SysWOW64\Oflpgnld.exeC:\Windows\system32\Oflpgnld.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:272 -
C:\Windows\SysWOW64\Phklaacg.exeC:\Windows\system32\Phklaacg.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1504 -
C:\Windows\SysWOW64\Pmhejhao.exeC:\Windows\system32\Pmhejhao.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:588 -
C:\Windows\SysWOW64\Pioeoi32.exeC:\Windows\system32\Pioeoi32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2332 -
C:\Windows\SysWOW64\Pbgjgomc.exeC:\Windows\system32\Pbgjgomc.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:568 -
C:\Windows\SysWOW64\Piabdiep.exeC:\Windows\system32\Piabdiep.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2192 -
C:\Windows\SysWOW64\Plbkfdba.exeC:\Windows\system32\Plbkfdba.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:444 -
C:\Windows\SysWOW64\Ppmgfb32.exeC:\Windows\system32\Ppmgfb32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1984 -
C:\Windows\SysWOW64\Qkghgpfi.exeC:\Windows\system32\Qkghgpfi.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2488 -
C:\Windows\SysWOW64\Aacmij32.exeC:\Windows\system32\Aacmij32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1768 -
C:\Windows\SysWOW64\Agpeaa32.exeC:\Windows\system32\Agpeaa32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1512 -
C:\Windows\SysWOW64\Aphjjf32.exeC:\Windows\system32\Aphjjf32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1424 -
C:\Windows\SysWOW64\Ahpbkd32.exeC:\Windows\system32\Ahpbkd32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2264 -
C:\Windows\SysWOW64\Adfbpega.exeC:\Windows\system32\Adfbpega.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3052 -
C:\Windows\SysWOW64\Ageompfe.exeC:\Windows\system32\Ageompfe.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:384 -
C:\Windows\SysWOW64\Anogijnb.exeC:\Windows\system32\Anogijnb.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2844 -
C:\Windows\SysWOW64\Aejlnmkm.exeC:\Windows\system32\Aejlnmkm.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2292 -
C:\Windows\SysWOW64\Anadojlo.exeC:\Windows\system32\Anadojlo.exe26⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1584 -
C:\Windows\SysWOW64\Ajhddk32.exeC:\Windows\system32\Ajhddk32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1576 -
C:\Windows\SysWOW64\Bfoeil32.exeC:\Windows\system32\Bfoeil32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2156 -
C:\Windows\SysWOW64\Blinefnd.exeC:\Windows\system32\Blinefnd.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2828 -
C:\Windows\SysWOW64\Bogjaamh.exeC:\Windows\system32\Bogjaamh.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2560 -
C:\Windows\SysWOW64\Blkjkflb.exeC:\Windows\system32\Blkjkflb.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2736 -
C:\Windows\SysWOW64\Bnlgbnbp.exeC:\Windows\system32\Bnlgbnbp.exe32⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1728 -
C:\Windows\SysWOW64\Bfcodkcb.exeC:\Windows\system32\Bfcodkcb.exe33⤵
- Executes dropped EXE
PID:2396 -
C:\Windows\SysWOW64\Bqmpdioa.exeC:\Windows\system32\Bqmpdioa.exe34⤵
- Executes dropped EXE
PID:372 -
C:\Windows\SysWOW64\Bgghac32.exeC:\Windows\system32\Bgghac32.exe35⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1604 -
C:\Windows\SysWOW64\Bnapnm32.exeC:\Windows\system32\Bnapnm32.exe36⤵
- Executes dropped EXE
PID:1780 -
C:\Windows\SysWOW64\Bqolji32.exeC:\Windows\system32\Bqolji32.exe37⤵
- Executes dropped EXE
- Modifies registry class
PID:1700 -
C:\Windows\SysWOW64\Ccnifd32.exeC:\Windows\system32\Ccnifd32.exe38⤵
- Executes dropped EXE
PID:744 -
C:\Windows\SysWOW64\Cncmcm32.exeC:\Windows\system32\Cncmcm32.exe39⤵
- Executes dropped EXE
PID:532 -
C:\Windows\SysWOW64\Cqaiph32.exeC:\Windows\system32\Cqaiph32.exe40⤵
- Executes dropped EXE
PID:592 -
C:\Windows\SysWOW64\Cjjnhnbl.exeC:\Windows\system32\Cjjnhnbl.exe41⤵
- Executes dropped EXE
PID:3032 -
C:\Windows\SysWOW64\Cogfqe32.exeC:\Windows\system32\Cogfqe32.exe42⤵
- Executes dropped EXE
PID:1772 -
C:\Windows\SysWOW64\Cfanmogq.exeC:\Windows\system32\Cfanmogq.exe43⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2860 -
C:\Windows\SysWOW64\Cmkfji32.exeC:\Windows\system32\Cmkfji32.exe44⤵
- Executes dropped EXE
PID:1316 -
C:\Windows\SysWOW64\Cceogcfj.exeC:\Windows\system32\Cceogcfj.exe45⤵
- Executes dropped EXE
PID:2228 -
C:\Windows\SysWOW64\Cmmcpi32.exeC:\Windows\system32\Cmmcpi32.exe46⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1560 -
C:\Windows\SysWOW64\Cbjlhpkb.exeC:\Windows\system32\Cbjlhpkb.exe47⤵
- Executes dropped EXE
PID:1156 -
C:\Windows\SysWOW64\Cidddj32.exeC:\Windows\system32\Cidddj32.exe48⤵
- Executes dropped EXE
PID:1344 -
C:\Windows\SysWOW64\Dpnladjl.exeC:\Windows\system32\Dpnladjl.exe49⤵
- Executes dropped EXE
PID:1324 -
C:\Windows\SysWOW64\Dnqlmq32.exeC:\Windows\system32\Dnqlmq32.exe50⤵
- Executes dropped EXE
PID:868 -
C:\Windows\SysWOW64\Difqji32.exeC:\Windows\system32\Difqji32.exe51⤵
- Executes dropped EXE
PID:2644 -
C:\Windows\SysWOW64\Dkdmfe32.exeC:\Windows\system32\Dkdmfe32.exe52⤵
- Executes dropped EXE
PID:2660 -
C:\Windows\SysWOW64\Dboeco32.exeC:\Windows\system32\Dboeco32.exe53⤵
- Executes dropped EXE
PID:3040 -
C:\Windows\SysWOW64\Demaoj32.exeC:\Windows\system32\Demaoj32.exe54⤵
- Executes dropped EXE
PID:2580 -
C:\Windows\SysWOW64\Djjjga32.exeC:\Windows\system32\Djjjga32.exe55⤵
- Executes dropped EXE
PID:2792 -
C:\Windows\SysWOW64\Dadbdkld.exeC:\Windows\system32\Dadbdkld.exe56⤵
- Executes dropped EXE
- Modifies registry class
PID:552 -
C:\Windows\SysWOW64\Dgnjqe32.exeC:\Windows\system32\Dgnjqe32.exe57⤵
- Executes dropped EXE
PID:1692 -
C:\Windows\SysWOW64\Djlfma32.exeC:\Windows\system32\Djlfma32.exe58⤵
- Executes dropped EXE
PID:1028 -
C:\Windows\SysWOW64\Dmkcil32.exeC:\Windows\system32\Dmkcil32.exe59⤵
- Executes dropped EXE
PID:340 -
C:\Windows\SysWOW64\Deakjjbk.exeC:\Windows\system32\Deakjjbk.exe60⤵
- Executes dropped EXE
PID:540 -
C:\Windows\SysWOW64\Djocbqpb.exeC:\Windows\system32\Djocbqpb.exe61⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1276 -
C:\Windows\SysWOW64\Dnjoco32.exeC:\Windows\system32\Dnjoco32.exe62⤵
- Executes dropped EXE
PID:344 -
C:\Windows\SysWOW64\Dahkok32.exeC:\Windows\system32\Dahkok32.exe63⤵
- Executes dropped EXE
PID:692 -
C:\Windows\SysWOW64\Dhbdleol.exeC:\Windows\system32\Dhbdleol.exe64⤵
- Executes dropped EXE
PID:2912 -
C:\Windows\SysWOW64\Ejaphpnp.exeC:\Windows\system32\Ejaphpnp.exe65⤵
- Executes dropped EXE
PID:2320 -
C:\Windows\SysWOW64\Eicpcm32.exeC:\Windows\system32\Eicpcm32.exe66⤵PID:1148
-
C:\Windows\SysWOW64\Eakhdj32.exeC:\Windows\system32\Eakhdj32.exe67⤵PID:2952
-
C:\Windows\SysWOW64\Eblelb32.exeC:\Windows\system32\Eblelb32.exe68⤵PID:572
-
C:\Windows\SysWOW64\Efhqmadd.exeC:\Windows\system32\Efhqmadd.exe69⤵PID:1232
-
C:\Windows\SysWOW64\Eifmimch.exeC:\Windows\system32\Eifmimch.exe70⤵PID:2460
-
C:\Windows\SysWOW64\Eldiehbk.exeC:\Windows\system32\Eldiehbk.exe71⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2524 -
C:\Windows\SysWOW64\Eppefg32.exeC:\Windows\system32\Eppefg32.exe72⤵PID:2928
-
C:\Windows\SysWOW64\Ebnabb32.exeC:\Windows\system32\Ebnabb32.exe73⤵
- Modifies registry class
PID:2692 -
C:\Windows\SysWOW64\Eemnnn32.exeC:\Windows\system32\Eemnnn32.exe74⤵PID:2536
-
C:\Windows\SysWOW64\Eihjolae.exeC:\Windows\system32\Eihjolae.exe75⤵PID:2248
-
C:\Windows\SysWOW64\Elgfkhpi.exeC:\Windows\system32\Elgfkhpi.exe76⤵PID:2340
-
C:\Windows\SysWOW64\Ebqngb32.exeC:\Windows\system32\Ebqngb32.exe77⤵PID:1608
-
C:\Windows\SysWOW64\Eeojcmfi.exeC:\Windows\system32\Eeojcmfi.exe78⤵PID:1636
-
C:\Windows\SysWOW64\Epeoaffo.exeC:\Windows\system32\Epeoaffo.exe79⤵PID:2760
-
C:\Windows\SysWOW64\Eogolc32.exeC:\Windows\system32\Eogolc32.exe80⤵PID:836
-
C:\Windows\SysWOW64\Eimcjl32.exeC:\Windows\system32\Eimcjl32.exe81⤵
- Drops file in System32 directory
PID:2160 -
C:\Windows\SysWOW64\Ehpcehcj.exeC:\Windows\system32\Ehpcehcj.exe82⤵PID:608
-
C:\Windows\SysWOW64\Eojlbb32.exeC:\Windows\system32\Eojlbb32.exe83⤵PID:1076
-
C:\Windows\SysWOW64\Fahhnn32.exeC:\Windows\system32\Fahhnn32.exe84⤵PID:2864
-
C:\Windows\SysWOW64\Fdgdji32.exeC:\Windows\system32\Fdgdji32.exe85⤵PID:1684
-
C:\Windows\SysWOW64\Fkqlgc32.exeC:\Windows\system32\Fkqlgc32.exe86⤵PID:1760
-
C:\Windows\SysWOW64\Fmohco32.exeC:\Windows\system32\Fmohco32.exe87⤵PID:2664
-
C:\Windows\SysWOW64\Fefqdl32.exeC:\Windows\system32\Fefqdl32.exe88⤵PID:2772
-
C:\Windows\SysWOW64\Fggmldfp.exeC:\Windows\system32\Fggmldfp.exe89⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2588 -
C:\Windows\SysWOW64\Fkcilc32.exeC:\Windows\system32\Fkcilc32.exe90⤵
- System Location Discovery: System Language Discovery
PID:2028 -
C:\Windows\SysWOW64\Famaimfe.exeC:\Windows\system32\Famaimfe.exe91⤵PID:1500
-
C:\Windows\SysWOW64\Fkefbcmf.exeC:\Windows\system32\Fkefbcmf.exe92⤵PID:576
-
C:\Windows\SysWOW64\Fmdbnnlj.exeC:\Windows\system32\Fmdbnnlj.exe93⤵PID:1648
-
C:\Windows\SysWOW64\Fkhbgbkc.exeC:\Windows\system32\Fkhbgbkc.exe94⤵PID:2308
-
C:\Windows\SysWOW64\Fdpgph32.exeC:\Windows\system32\Fdpgph32.exe95⤵PID:2852
-
C:\Windows\SysWOW64\Gmhkin32.exeC:\Windows\system32\Gmhkin32.exe96⤵PID:2212
-
C:\Windows\SysWOW64\Gpggei32.exeC:\Windows\system32\Gpggei32.exe97⤵PID:2412
-
C:\Windows\SysWOW64\Gcedad32.exeC:\Windows\system32\Gcedad32.exe98⤵PID:1792
-
C:\Windows\SysWOW64\Ggapbcne.exeC:\Windows\system32\Ggapbcne.exe99⤵PID:2900
-
C:\Windows\SysWOW64\Ghbljk32.exeC:\Windows\system32\Ghbljk32.exe100⤵PID:1524
-
C:\Windows\SysWOW64\Gpidki32.exeC:\Windows\system32\Gpidki32.exe101⤵PID:2260
-
C:\Windows\SysWOW64\Gajqbakc.exeC:\Windows\system32\Gajqbakc.exe102⤵PID:1752
-
C:\Windows\SysWOW64\Giaidnkf.exeC:\Windows\system32\Giaidnkf.exe103⤵PID:1964
-
C:\Windows\SysWOW64\Gkcekfad.exeC:\Windows\system32\Gkcekfad.exe104⤵PID:2288
-
C:\Windows\SysWOW64\Gcjmmdbf.exeC:\Windows\system32\Gcjmmdbf.exe105⤵
- System Location Discovery: System Language Discovery
PID:2836 -
C:\Windows\SysWOW64\Gdkjdl32.exeC:\Windows\system32\Gdkjdl32.exe106⤵PID:2592
-
C:\Windows\SysWOW64\Ghgfekpn.exeC:\Windows\system32\Ghgfekpn.exe107⤵
- Drops file in System32 directory
PID:2328 -
C:\Windows\SysWOW64\Goqnae32.exeC:\Windows\system32\Goqnae32.exe108⤵PID:2376
-
C:\Windows\SysWOW64\Gncnmane.exeC:\Windows\system32\Gncnmane.exe109⤵PID:276
-
C:\Windows\SysWOW64\Gdnfjl32.exeC:\Windows\system32\Gdnfjl32.exe110⤵PID:1248
-
C:\Windows\SysWOW64\Ghibjjnk.exeC:\Windows\system32\Ghibjjnk.exe111⤵
- System Location Discovery: System Language Discovery
PID:2256 -
C:\Windows\SysWOW64\Gockgdeh.exeC:\Windows\system32\Gockgdeh.exe112⤵
- System Location Discovery: System Language Discovery
PID:2764 -
C:\Windows\SysWOW64\Gnfkba32.exeC:\Windows\system32\Gnfkba32.exe113⤵PID:1820
-
C:\Windows\SysWOW64\Gqdgom32.exeC:\Windows\system32\Gqdgom32.exe114⤵PID:2072
-
C:\Windows\SysWOW64\Hdpcokdo.exeC:\Windows\system32\Hdpcokdo.exe115⤵PID:792
-
C:\Windows\SysWOW64\Hkjkle32.exeC:\Windows\system32\Hkjkle32.exe116⤵PID:2492
-
C:\Windows\SysWOW64\Hjmlhbbg.exeC:\Windows\system32\Hjmlhbbg.exe117⤵PID:1364
-
C:\Windows\SysWOW64\Hqgddm32.exeC:\Windows\system32\Hqgddm32.exe118⤵PID:2108
-
C:\Windows\SysWOW64\Hdbpekam.exeC:\Windows\system32\Hdbpekam.exe119⤵PID:2424
-
C:\Windows\SysWOW64\Hgqlafap.exeC:\Windows\system32\Hgqlafap.exe120⤵PID:2712
-
C:\Windows\SysWOW64\Hnkdnqhm.exeC:\Windows\system32\Hnkdnqhm.exe121⤵PID:2384
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-