Analysis
-
max time kernel
87s -
max time network
19s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system -
submitted
25-12-2024 04:37
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
ff706a98d1d5a8a6874f1042ba7ac174ecdaabf40a093081c0026dd3cb9acf84.exe
Resource
win7-20241010-en
windows7-x64
10 signatures
150 seconds
Behavioral task
behavioral2
Sample
ff706a98d1d5a8a6874f1042ba7ac174ecdaabf40a093081c0026dd3cb9acf84.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
8 signatures
150 seconds
General
-
Target
ff706a98d1d5a8a6874f1042ba7ac174ecdaabf40a093081c0026dd3cb9acf84.exe
-
Size
59KB
-
MD5
f1ee4e0b5db7ba20ff80d0ebf63ecc7c
-
SHA1
cb15885cd2cbcec46834694b883d395b1ca84d13
-
SHA256
ff706a98d1d5a8a6874f1042ba7ac174ecdaabf40a093081c0026dd3cb9acf84
-
SHA512
9c2bc94a065158df3b4381860bb2fae2f08d74383b0d020c2007d86f6a533b2dab31b6959779abf1402b81af7dc883479ddeccc077a1182a907d2968c3e331e8
-
SSDEEP
768:0HI4dJ2H7HdxGg9gC8RacRxxS7wdQzA4eMu7ju6KmSPSZ/1H5ZT5nf1fZMEBFEL7:GjJ2b9x34H5SW5jXjSPotNCyVs
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Onhihepp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aoqjhiie.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kehjpd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ojjnioae.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Edafjiqe.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iikgkq32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fbhhlo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kqijck32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ejgkfn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cjepib32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dnikno32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mpjboi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dejnme32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ffdgef32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Akbmqmgg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nmiccl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Afhgkg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fncddc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kleeqp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aaddaecl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kfabfldd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bpbadcbj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nkjgiiln.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dcnchg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lneghd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fndfmljk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lgpkobnb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Piaiko32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gkclcm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Llkijb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qohkdkdn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hbjjfl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fpcgji32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Blaficqe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cdfmddff.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nabegpbp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bfkbfg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lgpkobnb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nnboonmb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cgjjfe32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lofafhck.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nifhop32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mgbcha32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mpmpeiqg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lgekdh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Genmab32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Njdagbjd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ejcaanfg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Infhmmhi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Glaejokn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Chpmocpa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ebgifo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Femlbjee.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bkoepj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jnaihhgf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pfmgmm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jclpib32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Padcqp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Camlpldf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Abghlk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Foeqlo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pjqdjn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fmicnhob.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gpdhiaoi.exe -
Berbew family
-
Executes dropped EXE 64 IoCs
pid Process 3036 Kbikokin.exe 2792 Khfcgbge.exe 2772 Kblhdkgk.exe 2700 Kaaeegkc.exe 2836 Kmgekh32.exe 2716 Lkkfdmpq.exe 692 Lbgkhoml.exe 2440 Lmlofhmb.exe 2760 Lcignoki.exe 3020 Lmolkg32.exe 2988 Lejppj32.exe 2976 Lldhldpg.exe 1768 Lhkiae32.exe 676 Mkkbcpbl.exe 2392 Mgbcha32.exe 1084 Mdfcaegj.exe 928 Mjcljlea.exe 340 Mdhpgeeg.exe 1864 Mkbhco32.exe 1724 Mdkmld32.exe 960 Njgeel32.exe 1300 Nqamaeii.exe 1152 Nfnfjmgp.exe 108 Nfqbol32.exe 2340 Nfcoel32.exe 1428 Nbjpjm32.exe 1596 Onqaonnc.exe 2788 Ogiegc32.exe 2796 Obniel32.exe 2896 Ojjnioae.exe 2704 Ocbbbd32.exe 2856 Omjgkjof.exe 1188 Pjqdjn32.exe 2244 Pifakj32.exe 1808 Pihnqj32.exe 2752 Pnefiq32.exe 2512 Peooek32.exe 2972 Phmkaf32.exe 1668 Pafpjljk.exe 2232 Pmmppm32.exe 2184 Qdfhlggl.exe 2236 Qmomelml.exe 2128 Qhdabemb.exe 280 Amaiklki.exe 2456 Adkbgf32.exe 2632 Amcfpl32.exe 1748 Apglgfde.exe 2040 Ahbqliap.exe 612 Abgeiaaf.exe 1844 Bkbjmd32.exe 916 Bglghdbc.exe 2484 Bpdkajic.exe 1636 Bpfhfjgq.exe 2812 Bnjipn32.exe 2820 Cgcmiclk.exe 1720 Clpeajjb.exe 2292 Clbbfj32.exe 1236 Cfjgopop.exe 2784 Ckgogfmg.exe 2948 Cbagdq32.exe 2724 Chkpakla.exe 1372 Cbcdjpba.exe 2412 Cgpmbgai.exe 1288 Djoinbpm.exe -
Loads dropped DLL 64 IoCs
pid Process 1656 ff706a98d1d5a8a6874f1042ba7ac174ecdaabf40a093081c0026dd3cb9acf84.exe 1656 ff706a98d1d5a8a6874f1042ba7ac174ecdaabf40a093081c0026dd3cb9acf84.exe 3036 Kbikokin.exe 3036 Kbikokin.exe 2792 Khfcgbge.exe 2792 Khfcgbge.exe 2772 Kblhdkgk.exe 2772 Kblhdkgk.exe 2700 Kaaeegkc.exe 2700 Kaaeegkc.exe 2836 Kmgekh32.exe 2836 Kmgekh32.exe 2716 Lkkfdmpq.exe 2716 Lkkfdmpq.exe 692 Lbgkhoml.exe 692 Lbgkhoml.exe 2440 Lmlofhmb.exe 2440 Lmlofhmb.exe 2760 Lcignoki.exe 2760 Lcignoki.exe 3020 Lmolkg32.exe 3020 Lmolkg32.exe 2988 Lejppj32.exe 2988 Lejppj32.exe 2976 Lldhldpg.exe 2976 Lldhldpg.exe 1768 Lhkiae32.exe 1768 Lhkiae32.exe 676 Mkkbcpbl.exe 676 Mkkbcpbl.exe 2392 Mgbcha32.exe 2392 Mgbcha32.exe 1084 Mdfcaegj.exe 1084 Mdfcaegj.exe 928 Mjcljlea.exe 928 Mjcljlea.exe 340 Mdhpgeeg.exe 340 Mdhpgeeg.exe 1864 Mkbhco32.exe 1864 Mkbhco32.exe 1724 Mdkmld32.exe 1724 Mdkmld32.exe 960 Njgeel32.exe 960 Njgeel32.exe 1300 Nqamaeii.exe 1300 Nqamaeii.exe 1152 Nfnfjmgp.exe 1152 Nfnfjmgp.exe 108 Nfqbol32.exe 108 Nfqbol32.exe 2340 Nfcoel32.exe 2340 Nfcoel32.exe 1428 Nbjpjm32.exe 1428 Nbjpjm32.exe 1596 Onqaonnc.exe 1596 Onqaonnc.exe 2788 Ogiegc32.exe 2788 Ogiegc32.exe 2796 Obniel32.exe 2796 Obniel32.exe 2896 Ojjnioae.exe 2896 Ojjnioae.exe 2704 Ocbbbd32.exe 2704 Ocbbbd32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Gpihog32.exe Gepgni32.exe File opened for modification C:\Windows\SysWOW64\Deanooeb.exe Clhifj32.exe File created C:\Windows\SysWOW64\Ilggal32.exe Incfhh32.exe File created C:\Windows\SysWOW64\Bgaengmn.dll Lojhmjag.exe File created C:\Windows\SysWOW64\Gepgni32.exe Genkhidc.exe File opened for modification C:\Windows\SysWOW64\Nndjhi32.exe Meiedg32.exe File opened for modification C:\Windows\SysWOW64\Meonlkcm.exe Mgkncfdc.exe File opened for modification C:\Windows\SysWOW64\Epchbm32.exe Eiipfbgj.exe File created C:\Windows\SysWOW64\Oglgfk32.dll Enedml32.exe File opened for modification C:\Windows\SysWOW64\Gpncdfkl.exe Gmoghklh.exe File created C:\Windows\SysWOW64\Bcnllf32.dll Eeameodq.exe File created C:\Windows\SysWOW64\Iqnlpq32.exe Ikqcgj32.exe File created C:\Windows\SysWOW64\Iaocib32.dll Jnadfk32.exe File created C:\Windows\SysWOW64\Khojqj32.exe Kkkigf32.exe File opened for modification C:\Windows\SysWOW64\Inhfmmfi.exe Hgnnpc32.exe File created C:\Windows\SysWOW64\Fiikhf32.dll Pbkbff32.exe File created C:\Windows\SysWOW64\Bgkppkih.exe Bpqgcq32.exe File opened for modification C:\Windows\SysWOW64\Idqpjg32.exe Infhmmhi.exe File created C:\Windows\SysWOW64\Olopjkfk.dll Cbpbek32.exe File created C:\Windows\SysWOW64\Neagan32.exe Nmfblk32.exe File created C:\Windows\SysWOW64\Padcqp32.exe Pkjkdfjk.exe File opened for modification C:\Windows\SysWOW64\Abqlpn32.exe Aqapek32.exe File created C:\Windows\SysWOW64\Jmoijc32.exe Jmmmdd32.exe File created C:\Windows\SysWOW64\Jnqqfd32.dll Iadabljk.exe File created C:\Windows\SysWOW64\Ldkhgheg.dll Bakkad32.exe File opened for modification C:\Windows\SysWOW64\Hcaehhnd.exe Hhkakonn.exe File created C:\Windows\SysWOW64\Hhipcbdi.exe Hnpkkm32.exe File created C:\Windows\SysWOW64\Ikafpbon.exe Hbfalpab.exe File created C:\Windows\SysWOW64\Acfpilmp.exe Aeachphg.exe File created C:\Windows\SysWOW64\Cjobnf32.dll Jaflocqd.exe File created C:\Windows\SysWOW64\Bmgfoi32.exe Bcoafcjk.exe File opened for modification C:\Windows\SysWOW64\Ldpfoipj.exe Likbap32.exe File created C:\Windows\SysWOW64\Calgoken.exe Ckboba32.exe File opened for modification C:\Windows\SysWOW64\Bdbfpafn.exe Bbcjfn32.exe File opened for modification C:\Windows\SysWOW64\Ajkmbo32.exe Amglij32.exe File created C:\Windows\SysWOW64\Fdjcjebn.dll Hpnbjfjj.exe File created C:\Windows\SysWOW64\Hnfjgeee.dll Jlqniihl.exe File created C:\Windows\SysWOW64\Fjlaod32.exe Fimedaoe.exe File opened for modification C:\Windows\SysWOW64\Ggqamh32.exe Goemhfco.exe File created C:\Windows\SysWOW64\Kkmakd32.exe Kjmeaa32.exe File created C:\Windows\SysWOW64\Mogqlgbi.exe Macpcccp.exe File opened for modification C:\Windows\SysWOW64\Bmdehgcf.exe Bhglpqeo.exe File opened for modification C:\Windows\SysWOW64\Dggcbf32.exe Dmaoem32.exe File created C:\Windows\SysWOW64\Opebop32.dll Gaamobdf.exe File created C:\Windows\SysWOW64\Hcdgjbko.dll Odckho32.exe File created C:\Windows\SysWOW64\Hhmioa32.exe Hhklibbf.exe File opened for modification C:\Windows\SysWOW64\Mbcaoh32.exe Moedbl32.exe File opened for modification C:\Windows\SysWOW64\Khpccibp.exe Kikfbm32.exe File created C:\Windows\SysWOW64\Pfknenql.dll Oeibcnmf.exe File created C:\Windows\SysWOW64\Fmmjpoci.exe Fbhfcf32.exe File opened for modification C:\Windows\SysWOW64\Blabef32.exe Adenqd32.exe File opened for modification C:\Windows\SysWOW64\Ndkoemji.exe Mggoli32.exe File created C:\Windows\SysWOW64\Okjhdj32.dll Jknnoppp.exe File opened for modification C:\Windows\SysWOW64\Enpoje32.exe Eained32.exe File opened for modification C:\Windows\SysWOW64\Ffdgef32.exe Fgojdj32.exe File created C:\Windows\SysWOW64\Hqmmja32.exe Gknhlj32.exe File opened for modification C:\Windows\SysWOW64\Phmkaf32.exe Peooek32.exe File created C:\Windows\SysWOW64\Pafpjljk.exe Phmkaf32.exe File opened for modification C:\Windows\SysWOW64\Opmnle32.exe Ndfmgdeb.exe File created C:\Windows\SysWOW64\Bcoafcjk.exe Bqpejh32.exe File created C:\Windows\SysWOW64\Fipenn32.exe Fphqehda.exe File created C:\Windows\SysWOW64\Djjcnqkb.dll Mofnek32.exe File created C:\Windows\SysWOW64\Eebnhbbq.dll Djoinbpm.exe File created C:\Windows\SysWOW64\Adcidm32.dll Jgllof32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 1376 2300 WerFault.exe 1049 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Poqniegj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cbmoeeod.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cjepib32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hgbdge32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gigano32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kkpekjie.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jpjpmqjl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fljhojnk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kkkigf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mjgihdib.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dpedmhfi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mphfji32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jdfqomom.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Meonlkcm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Njgeel32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cpoeac32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Flkjffkm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Blkgdmbp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mdjnge32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hgnnpc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lhqpqp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gncblo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cflanc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gegecopf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mqfjpnmj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mdfcaegj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Enjcfm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hhipcbdi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jjjaak32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kbikokin.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pfpdcm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pkgonf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jllggbde.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Goemhfco.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ikafpbon.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eeecibci.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kehjpd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ibgenaqk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Chpmocpa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jmnpkp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jekaeb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pkeppngm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nfbmnpfh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fcipaien.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iqnlpq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fnleqj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lmkgajnm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kjpdoj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ibibcanh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kikfbm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Egmhjm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qohkdkdn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ndfmgdeb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fqkdenfj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hoflpbmo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cgcmiclk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ikibkhla.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jjcigcmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Flcjjdpe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lgaaiian.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lphjkfbq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kahedf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nfqbol32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nnpdbg32.exe -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qmomelml.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fflehp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iefdhf32.dll" Opaeok32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Phcbmend.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kcdgkioi.dll" Cfjfal32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bdidegec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pifakj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mckghggc.dll" Ikcpmieg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Igjlnf32.dll" Pobhfl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdijjmef.dll" Condfo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dkmlca32.dll" Gkclcm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gigllafc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Limobelk.dll" Hgconl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pmmppm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ecahfibj.dll" Ljakkd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Oeipje32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kbikah32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pnokmp32.dll" Lhofpm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pflnlj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Acgeldef.dll" Mkqnghfk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Enphee32.dll" Ojckmm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Deficgha.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlodfmqd.dll" Ghpnihbo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jnqqfd32.dll" Iadabljk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kcmlppdo.dll" Mkbhco32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mmigdend.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nndjhi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dkfdlclg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mncijanc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pcgphlkf.dll" Ocedieek.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bfipbdop.dll" Clcghk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kcnmjf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndjqeogf.dll" Meiigppp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ajoiqg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ccmpff32.dll" Lldhldpg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kjgoaflj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dindme32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Haadlh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Agfhmo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Oeipje32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bglghdbc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jmnpkp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nnofbg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bmdehgcf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihomai32.dll" Fkpfjnnl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jkfncn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ceoomp32.dll" Opjjlo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Oijnib32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Amglij32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckhcon32.dll" Mknaahhn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cchfha32.dll" Mggoli32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ngjial32.dll" Knocpn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Abbjcl32.dll" Mmolll32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qjnajl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mchldhej.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hegjbnaa.dll" Nfnfjmgp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffccjk32.dll" Kmdbkbpn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Afamgpga.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ikafpbon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nnpbejpb.dll" Gqgjlb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ejgkfn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kbeccb32.dll" Eioemj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Alcclb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oogolo32.dll" Hecedmaa.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1656 wrote to memory of 3036 1656 ff706a98d1d5a8a6874f1042ba7ac174ecdaabf40a093081c0026dd3cb9acf84.exe 29 PID 1656 wrote to memory of 3036 1656 ff706a98d1d5a8a6874f1042ba7ac174ecdaabf40a093081c0026dd3cb9acf84.exe 29 PID 1656 wrote to memory of 3036 1656 ff706a98d1d5a8a6874f1042ba7ac174ecdaabf40a093081c0026dd3cb9acf84.exe 29 PID 1656 wrote to memory of 3036 1656 ff706a98d1d5a8a6874f1042ba7ac174ecdaabf40a093081c0026dd3cb9acf84.exe 29 PID 3036 wrote to memory of 2792 3036 Kbikokin.exe 30 PID 3036 wrote to memory of 2792 3036 Kbikokin.exe 30 PID 3036 wrote to memory of 2792 3036 Kbikokin.exe 30 PID 3036 wrote to memory of 2792 3036 Kbikokin.exe 30 PID 2792 wrote to memory of 2772 2792 Khfcgbge.exe 31 PID 2792 wrote to memory of 2772 2792 Khfcgbge.exe 31 PID 2792 wrote to memory of 2772 2792 Khfcgbge.exe 31 PID 2792 wrote to memory of 2772 2792 Khfcgbge.exe 31 PID 2772 wrote to memory of 2700 2772 Kblhdkgk.exe 32 PID 2772 wrote to memory of 2700 2772 Kblhdkgk.exe 32 PID 2772 wrote to memory of 2700 2772 Kblhdkgk.exe 32 PID 2772 wrote to memory of 2700 2772 Kblhdkgk.exe 32 PID 2700 wrote to memory of 2836 2700 Kaaeegkc.exe 33 PID 2700 wrote to memory of 2836 2700 Kaaeegkc.exe 33 PID 2700 wrote to memory of 2836 2700 Kaaeegkc.exe 33 PID 2700 wrote to memory of 2836 2700 Kaaeegkc.exe 33 PID 2836 wrote to memory of 2716 2836 Kmgekh32.exe 34 PID 2836 wrote to memory of 2716 2836 Kmgekh32.exe 34 PID 2836 wrote to memory of 2716 2836 Kmgekh32.exe 34 PID 2836 wrote to memory of 2716 2836 Kmgekh32.exe 34 PID 2716 wrote to memory of 692 2716 Lkkfdmpq.exe 35 PID 2716 wrote to memory of 692 2716 Lkkfdmpq.exe 35 PID 2716 wrote to memory of 692 2716 Lkkfdmpq.exe 35 PID 2716 wrote to memory of 692 2716 Lkkfdmpq.exe 35 PID 692 wrote to memory of 2440 692 Lbgkhoml.exe 36 PID 692 wrote to memory of 2440 692 Lbgkhoml.exe 36 PID 692 wrote to memory of 2440 692 Lbgkhoml.exe 36 PID 692 wrote to memory of 2440 692 Lbgkhoml.exe 36 PID 2440 wrote to memory of 2760 2440 Lmlofhmb.exe 37 PID 2440 wrote to memory of 2760 2440 Lmlofhmb.exe 37 PID 2440 wrote to memory of 2760 2440 Lmlofhmb.exe 37 PID 2440 wrote to memory of 2760 2440 Lmlofhmb.exe 37 PID 2760 wrote to memory of 3020 2760 Lcignoki.exe 38 PID 2760 wrote to memory of 3020 2760 Lcignoki.exe 38 PID 2760 wrote to memory of 3020 2760 Lcignoki.exe 38 PID 2760 wrote to memory of 3020 2760 Lcignoki.exe 38 PID 3020 wrote to memory of 2988 3020 Lmolkg32.exe 39 PID 3020 wrote to memory of 2988 3020 Lmolkg32.exe 39 PID 3020 wrote to memory of 2988 3020 Lmolkg32.exe 39 PID 3020 wrote to memory of 2988 3020 Lmolkg32.exe 39 PID 2988 wrote to memory of 2976 2988 Lejppj32.exe 40 PID 2988 wrote to memory of 2976 2988 Lejppj32.exe 40 PID 2988 wrote to memory of 2976 2988 Lejppj32.exe 40 PID 2988 wrote to memory of 2976 2988 Lejppj32.exe 40 PID 2976 wrote to memory of 1768 2976 Lldhldpg.exe 41 PID 2976 wrote to memory of 1768 2976 Lldhldpg.exe 41 PID 2976 wrote to memory of 1768 2976 Lldhldpg.exe 41 PID 2976 wrote to memory of 1768 2976 Lldhldpg.exe 41 PID 1768 wrote to memory of 676 1768 Lhkiae32.exe 42 PID 1768 wrote to memory of 676 1768 Lhkiae32.exe 42 PID 1768 wrote to memory of 676 1768 Lhkiae32.exe 42 PID 1768 wrote to memory of 676 1768 Lhkiae32.exe 42 PID 676 wrote to memory of 2392 676 Mkkbcpbl.exe 43 PID 676 wrote to memory of 2392 676 Mkkbcpbl.exe 43 PID 676 wrote to memory of 2392 676 Mkkbcpbl.exe 43 PID 676 wrote to memory of 2392 676 Mkkbcpbl.exe 43 PID 2392 wrote to memory of 1084 2392 Mgbcha32.exe 44 PID 2392 wrote to memory of 1084 2392 Mgbcha32.exe 44 PID 2392 wrote to memory of 1084 2392 Mgbcha32.exe 44 PID 2392 wrote to memory of 1084 2392 Mgbcha32.exe 44
Processes
-
C:\Users\Admin\AppData\Local\Temp\ff706a98d1d5a8a6874f1042ba7ac174ecdaabf40a093081c0026dd3cb9acf84.exe"C:\Users\Admin\AppData\Local\Temp\ff706a98d1d5a8a6874f1042ba7ac174ecdaabf40a093081c0026dd3cb9acf84.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1656 -
C:\Windows\SysWOW64\Kbikokin.exeC:\Windows\system32\Kbikokin.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3036 -
C:\Windows\SysWOW64\Khfcgbge.exeC:\Windows\system32\Khfcgbge.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2792 -
C:\Windows\SysWOW64\Kblhdkgk.exeC:\Windows\system32\Kblhdkgk.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2772 -
C:\Windows\SysWOW64\Kaaeegkc.exeC:\Windows\system32\Kaaeegkc.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2700 -
C:\Windows\SysWOW64\Kmgekh32.exeC:\Windows\system32\Kmgekh32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2836 -
C:\Windows\SysWOW64\Lkkfdmpq.exeC:\Windows\system32\Lkkfdmpq.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2716 -
C:\Windows\SysWOW64\Lbgkhoml.exeC:\Windows\system32\Lbgkhoml.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:692 -
C:\Windows\SysWOW64\Lmlofhmb.exeC:\Windows\system32\Lmlofhmb.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2440 -
C:\Windows\SysWOW64\Lcignoki.exeC:\Windows\system32\Lcignoki.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2760 -
C:\Windows\SysWOW64\Lmolkg32.exeC:\Windows\system32\Lmolkg32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3020 -
C:\Windows\SysWOW64\Lejppj32.exeC:\Windows\system32\Lejppj32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2988 -
C:\Windows\SysWOW64\Lldhldpg.exeC:\Windows\system32\Lldhldpg.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2976 -
C:\Windows\SysWOW64\Lhkiae32.exeC:\Windows\system32\Lhkiae32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1768 -
C:\Windows\SysWOW64\Mkkbcpbl.exeC:\Windows\system32\Mkkbcpbl.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:676 -
C:\Windows\SysWOW64\Mgbcha32.exeC:\Windows\system32\Mgbcha32.exe16⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2392 -
C:\Windows\SysWOW64\Mdfcaegj.exeC:\Windows\system32\Mdfcaegj.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1084 -
C:\Windows\SysWOW64\Mjcljlea.exeC:\Windows\system32\Mjcljlea.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:928 -
C:\Windows\SysWOW64\Mdhpgeeg.exeC:\Windows\system32\Mdhpgeeg.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:340 -
C:\Windows\SysWOW64\Mkbhco32.exeC:\Windows\system32\Mkbhco32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1864 -
C:\Windows\SysWOW64\Mdkmld32.exeC:\Windows\system32\Mdkmld32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1724 -
C:\Windows\SysWOW64\Njgeel32.exeC:\Windows\system32\Njgeel32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:960 -
C:\Windows\SysWOW64\Nqamaeii.exeC:\Windows\system32\Nqamaeii.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1300 -
C:\Windows\SysWOW64\Nfnfjmgp.exeC:\Windows\system32\Nfnfjmgp.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1152 -
C:\Windows\SysWOW64\Nfqbol32.exeC:\Windows\system32\Nfqbol32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:108 -
C:\Windows\SysWOW64\Nfcoel32.exeC:\Windows\system32\Nfcoel32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2340 -
C:\Windows\SysWOW64\Nbjpjm32.exeC:\Windows\system32\Nbjpjm32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1428 -
C:\Windows\SysWOW64\Onqaonnc.exeC:\Windows\system32\Onqaonnc.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1596 -
C:\Windows\SysWOW64\Ogiegc32.exeC:\Windows\system32\Ogiegc32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2788 -
C:\Windows\SysWOW64\Obniel32.exeC:\Windows\system32\Obniel32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2796 -
C:\Windows\SysWOW64\Ojjnioae.exeC:\Windows\system32\Ojjnioae.exe31⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2896 -
C:\Windows\SysWOW64\Ocbbbd32.exeC:\Windows\system32\Ocbbbd32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2704 -
C:\Windows\SysWOW64\Omjgkjof.exeC:\Windows\system32\Omjgkjof.exe33⤵
- Executes dropped EXE
PID:2856 -
C:\Windows\SysWOW64\Pjqdjn32.exeC:\Windows\system32\Pjqdjn32.exe34⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1188 -
C:\Windows\SysWOW64\Pifakj32.exeC:\Windows\system32\Pifakj32.exe35⤵
- Executes dropped EXE
- Modifies registry class
PID:2244 -
C:\Windows\SysWOW64\Pihnqj32.exeC:\Windows\system32\Pihnqj32.exe36⤵
- Executes dropped EXE
PID:1808 -
C:\Windows\SysWOW64\Pnefiq32.exeC:\Windows\system32\Pnefiq32.exe37⤵
- Executes dropped EXE
PID:2752 -
C:\Windows\SysWOW64\Peooek32.exeC:\Windows\system32\Peooek32.exe38⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2512 -
C:\Windows\SysWOW64\Phmkaf32.exeC:\Windows\system32\Phmkaf32.exe39⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2972 -
C:\Windows\SysWOW64\Pafpjljk.exeC:\Windows\system32\Pafpjljk.exe40⤵
- Executes dropped EXE
PID:1668 -
C:\Windows\SysWOW64\Pmmppm32.exeC:\Windows\system32\Pmmppm32.exe41⤵
- Executes dropped EXE
- Modifies registry class
PID:2232 -
C:\Windows\SysWOW64\Qdfhlggl.exeC:\Windows\system32\Qdfhlggl.exe42⤵
- Executes dropped EXE
PID:2184 -
C:\Windows\SysWOW64\Qmomelml.exeC:\Windows\system32\Qmomelml.exe43⤵
- Executes dropped EXE
- Modifies registry class
PID:2236 -
C:\Windows\SysWOW64\Qhdabemb.exeC:\Windows\system32\Qhdabemb.exe44⤵
- Executes dropped EXE
PID:2128 -
C:\Windows\SysWOW64\Amaiklki.exeC:\Windows\system32\Amaiklki.exe45⤵
- Executes dropped EXE
PID:280 -
C:\Windows\SysWOW64\Adkbgf32.exeC:\Windows\system32\Adkbgf32.exe46⤵
- Executes dropped EXE
PID:2456 -
C:\Windows\SysWOW64\Amcfpl32.exeC:\Windows\system32\Amcfpl32.exe47⤵
- Executes dropped EXE
PID:2632 -
C:\Windows\SysWOW64\Apglgfde.exeC:\Windows\system32\Apglgfde.exe48⤵
- Executes dropped EXE
PID:1748 -
C:\Windows\SysWOW64\Ahbqliap.exeC:\Windows\system32\Ahbqliap.exe49⤵
- Executes dropped EXE
PID:2040 -
C:\Windows\SysWOW64\Abgeiaaf.exeC:\Windows\system32\Abgeiaaf.exe50⤵
- Executes dropped EXE
PID:612 -
C:\Windows\SysWOW64\Bkbjmd32.exeC:\Windows\system32\Bkbjmd32.exe51⤵
- Executes dropped EXE
PID:1844 -
C:\Windows\SysWOW64\Bglghdbc.exeC:\Windows\system32\Bglghdbc.exe52⤵
- Executes dropped EXE
- Modifies registry class
PID:916 -
C:\Windows\SysWOW64\Bpdkajic.exeC:\Windows\system32\Bpdkajic.exe53⤵
- Executes dropped EXE
PID:2484 -
C:\Windows\SysWOW64\Bpfhfjgq.exeC:\Windows\system32\Bpfhfjgq.exe54⤵
- Executes dropped EXE
PID:1636 -
C:\Windows\SysWOW64\Bnjipn32.exeC:\Windows\system32\Bnjipn32.exe55⤵
- Executes dropped EXE
PID:2812 -
C:\Windows\SysWOW64\Cgcmiclk.exeC:\Windows\system32\Cgcmiclk.exe56⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2820 -
C:\Windows\SysWOW64\Clpeajjb.exeC:\Windows\system32\Clpeajjb.exe57⤵
- Executes dropped EXE
PID:1720 -
C:\Windows\SysWOW64\Clbbfj32.exeC:\Windows\system32\Clbbfj32.exe58⤵
- Executes dropped EXE
PID:2292 -
C:\Windows\SysWOW64\Cfjgopop.exeC:\Windows\system32\Cfjgopop.exe59⤵
- Executes dropped EXE
PID:1236 -
C:\Windows\SysWOW64\Ckgogfmg.exeC:\Windows\system32\Ckgogfmg.exe60⤵
- Executes dropped EXE
PID:2784 -
C:\Windows\SysWOW64\Cbagdq32.exeC:\Windows\system32\Cbagdq32.exe61⤵
- Executes dropped EXE
PID:2948 -
C:\Windows\SysWOW64\Chkpakla.exeC:\Windows\system32\Chkpakla.exe62⤵
- Executes dropped EXE
PID:2724 -
C:\Windows\SysWOW64\Cbcdjpba.exeC:\Windows\system32\Cbcdjpba.exe63⤵
- Executes dropped EXE
PID:1372 -
C:\Windows\SysWOW64\Cgpmbgai.exeC:\Windows\system32\Cgpmbgai.exe64⤵
- Executes dropped EXE
PID:2412 -
C:\Windows\SysWOW64\Djoinbpm.exeC:\Windows\system32\Djoinbpm.exe65⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1288 -
C:\Windows\SysWOW64\Dddmkkpb.exeC:\Windows\system32\Dddmkkpb.exe66⤵PID:968
-
C:\Windows\SysWOW64\Dknehe32.exeC:\Windows\system32\Dknehe32.exe67⤵PID:2560
-
C:\Windows\SysWOW64\Dmobpn32.exeC:\Windows\system32\Dmobpn32.exe68⤵PID:1712
-
C:\Windows\SysWOW64\Dfhficcn.exeC:\Windows\system32\Dfhficcn.exe69⤵PID:940
-
C:\Windows\SysWOW64\Dmaoem32.exeC:\Windows\system32\Dmaoem32.exe70⤵
- Drops file in System32 directory
PID:568 -
C:\Windows\SysWOW64\Dggcbf32.exeC:\Windows\system32\Dggcbf32.exe71⤵PID:2252
-
C:\Windows\SysWOW64\Djfooa32.exeC:\Windows\system32\Djfooa32.exe72⤵PID:1608
-
C:\Windows\SysWOW64\Dcnchg32.exeC:\Windows\system32\Dcnchg32.exe73⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2928 -
C:\Windows\SysWOW64\Djhldahb.exeC:\Windows\system32\Djhldahb.exe74⤵PID:2908
-
C:\Windows\SysWOW64\Dpedmhfi.exeC:\Windows\system32\Dpedmhfi.exe75⤵
- System Location Discovery: System Language Discovery
PID:1144 -
C:\Windows\SysWOW64\Eeameodq.exeC:\Windows\system32\Eeameodq.exe76⤵
- Drops file in System32 directory
PID:2848 -
C:\Windows\SysWOW64\Emieflec.exeC:\Windows\system32\Emieflec.exe77⤵PID:2036
-
C:\Windows\SysWOW64\Enjand32.exeC:\Windows\system32\Enjand32.exe78⤵PID:3016
-
C:\Windows\SysWOW64\Eedijo32.exeC:\Windows\system32\Eedijo32.exe79⤵PID:640
-
C:\Windows\SysWOW64\Elnagijk.exeC:\Windows\system32\Elnagijk.exe80⤵PID:1164
-
C:\Windows\SysWOW64\Ebhjdc32.exeC:\Windows\system32\Ebhjdc32.exe81⤵PID:2984
-
C:\Windows\SysWOW64\Eheblj32.exeC:\Windows\system32\Eheblj32.exe82⤵PID:1664
-
C:\Windows\SysWOW64\Ebjfiboe.exeC:\Windows\system32\Ebjfiboe.exe83⤵PID:2204
-
C:\Windows\SysWOW64\Eckcak32.exeC:\Windows\system32\Eckcak32.exe84⤵PID:1308
-
C:\Windows\SysWOW64\Ejeknelp.exeC:\Windows\system32\Ejeknelp.exe85⤵PID:1368
-
C:\Windows\SysWOW64\Eekpknlf.exeC:\Windows\system32\Eekpknlf.exe86⤵PID:1796
-
C:\Windows\SysWOW64\Fncddc32.exeC:\Windows\system32\Fncddc32.exe87⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2280 -
C:\Windows\SysWOW64\Fpdqlkhe.exeC:\Windows\system32\Fpdqlkhe.exe88⤵PID:1588
-
C:\Windows\SysWOW64\Fhlhmi32.exeC:\Windows\system32\Fhlhmi32.exe89⤵PID:2124
-
C:\Windows\SysWOW64\Fimedaoe.exeC:\Windows\system32\Fimedaoe.exe90⤵
- Drops file in System32 directory
PID:2936 -
C:\Windows\SysWOW64\Fjlaod32.exeC:\Windows\system32\Fjlaod32.exe91⤵PID:2120
-
C:\Windows\SysWOW64\Fbhfcf32.exeC:\Windows\system32\Fbhfcf32.exe92⤵
- Drops file in System32 directory
PID:3060 -
C:\Windows\SysWOW64\Fmmjpoci.exeC:\Windows\system32\Fmmjpoci.exe93⤵PID:2960
-
C:\Windows\SysWOW64\Fooghg32.exeC:\Windows\system32\Fooghg32.exe94⤵PID:2720
-
C:\Windows\SysWOW64\Fhgkqmph.exeC:\Windows\system32\Fhgkqmph.exe95⤵PID:2452
-
C:\Windows\SysWOW64\Faopib32.exeC:\Windows\system32\Faopib32.exe96⤵PID:924
-
C:\Windows\SysWOW64\Gledgkfn.exeC:\Windows\system32\Gledgkfn.exe97⤵PID:2968
-
C:\Windows\SysWOW64\Gaamobdf.exeC:\Windows\system32\Gaamobdf.exe98⤵
- Drops file in System32 directory
PID:2108 -
C:\Windows\SysWOW64\Glgqlkdl.exeC:\Windows\system32\Glgqlkdl.exe99⤵PID:2624
-
C:\Windows\SysWOW64\Goemhfco.exeC:\Windows\system32\Goemhfco.exe100⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:864 -
C:\Windows\SysWOW64\Ggqamh32.exeC:\Windows\system32\Ggqamh32.exe101⤵PID:2000
-
C:\Windows\SysWOW64\Gaffja32.exeC:\Windows\system32\Gaffja32.exe102⤵PID:2480
-
C:\Windows\SysWOW64\Ggcnbh32.exeC:\Windows\system32\Ggcnbh32.exe103⤵PID:2852
-
C:\Windows\SysWOW64\Gpkckneh.exeC:\Windows\system32\Gpkckneh.exe104⤵PID:2116
-
C:\Windows\SysWOW64\Gidgdcli.exeC:\Windows\system32\Gidgdcli.exe105⤵PID:2060
-
C:\Windows\SysWOW64\Hdilalko.exeC:\Windows\system32\Hdilalko.exe106⤵PID:2132
-
C:\Windows\SysWOW64\Hekhid32.exeC:\Windows\system32\Hekhid32.exe107⤵PID:2652
-
C:\Windows\SysWOW64\Hpplfm32.exeC:\Windows\system32\Hpplfm32.exe108⤵PID:1260
-
C:\Windows\SysWOW64\Hcohbh32.exeC:\Windows\system32\Hcohbh32.exe109⤵PID:272
-
C:\Windows\SysWOW64\Hhkakonn.exeC:\Windows\system32\Hhkakonn.exe110⤵
- Drops file in System32 directory
PID:1536 -
C:\Windows\SysWOW64\Hcaehhnd.exeC:\Windows\system32\Hcaehhnd.exe111⤵PID:560
-
C:\Windows\SysWOW64\Hhnnpolk.exeC:\Windows\system32\Hhnnpolk.exe112⤵PID:1800
-
C:\Windows\SysWOW64\Hohfmi32.exeC:\Windows\system32\Hohfmi32.exe113⤵PID:2260
-
C:\Windows\SysWOW64\Hddoep32.exeC:\Windows\system32\Hddoep32.exe114⤵PID:1996
-
C:\Windows\SysWOW64\Hkngbj32.exeC:\Windows\system32\Hkngbj32.exe115⤵PID:2880
-
C:\Windows\SysWOW64\Hfdkoc32.exeC:\Windows\system32\Hfdkoc32.exe116⤵PID:2672
-
C:\Windows\SysWOW64\Ikqcgj32.exeC:\Windows\system32\Ikqcgj32.exe117⤵
- Drops file in System32 directory
PID:2248 -
C:\Windows\SysWOW64\Iqnlpq32.exeC:\Windows\system32\Iqnlpq32.exe118⤵
- System Location Discovery: System Language Discovery
PID:1216 -
C:\Windows\SysWOW64\Ikcpmieg.exeC:\Windows\system32\Ikcpmieg.exe119⤵
- Modifies registry class
PID:2168 -
C:\Windows\SysWOW64\Ibmhjc32.exeC:\Windows\system32\Ibmhjc32.exe120⤵PID:936
-
C:\Windows\SysWOW64\Igjabj32.exeC:\Windows\system32\Igjabj32.exe121⤵PID:3064
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-