Analysis
-
max time kernel
125s -
max time network
128s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
06-08-2024 02:09
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
c05cea0c41a05d3f1fc8031cb672afec042cfd5419b68944b84e1931570799d4.exe
Resource
win7-20240704-en
windows7-x64
8 signatures
150 seconds
Behavioral task
behavioral2
Sample
c05cea0c41a05d3f1fc8031cb672afec042cfd5419b68944b84e1931570799d4.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
7 signatures
150 seconds
General
-
Target
c05cea0c41a05d3f1fc8031cb672afec042cfd5419b68944b84e1931570799d4.exe
-
Size
224KB
-
MD5
f4dd6368f58820e3802eeb4a2330dcd1
-
SHA1
e70869f5f79a6e0eb7cae548bba8dc5a22f196df
-
SHA256
c05cea0c41a05d3f1fc8031cb672afec042cfd5419b68944b84e1931570799d4
-
SHA512
6546b3e7cb4881031f4cbba7edf7d5b5315d11e2646479e2dccf01134af3005176b8a0ec6302b766fbc595062a0d9af6a50b0bfe8e8f32dbcf1b7ac2f56e6794
-
SSDEEP
3072:/JkxMclihJIuYUvIMDrFDHZtOgxBOXXwwfBoD6N3h8N5G2qVUDrFDHZtOgtSU:axzev4s5tTDUZNSN58VU5tTtf
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ldqfddml.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jjoeoedo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ficlmf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Akipic32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hdfapjbl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bbjmih32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ojopki32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ckafkfkp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jjbjlpga.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Geeecogb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mcklac32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Canocm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Daeddlco.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dmfecgim.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mmlhpaji.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qfcjhphd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nfaijand.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iolfmcbb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lmqggncn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oacmchcl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Olfgcj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Blnoad32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mciokcgg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Deejpjgc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fnkdpgnh.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lkgkqh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dofpqfof.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lcbikd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ogdofo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ieknpb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jbkbkbfo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Djoohk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ionbcb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Himgjbii.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Akkmocjl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aljefena.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Obanqgkl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mpchbhjl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Akopoi32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pgbdmfnc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Emanepld.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jabgkpad.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ebifha32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jlponebi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kkgbjkac.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Apfhajjf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cokgonmp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Akgcdc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kdeghfhj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ahnclp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cefega32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lmheph32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Miflehaf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ddpjjd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qojeabie.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cadcfd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mlialb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mncmck32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eieplhlf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gkcdfl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ppepkmhi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gjhdkajh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oqbagd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Opdpih32.exe -
Executes dropped EXE 64 IoCs
pid Process 4100 Mpchbhjl.exe 1928 Miklkm32.exe 4168 Mabdlk32.exe 2660 Mjkiephp.exe 4228 Mdcmnfop.exe 4796 Nfaijand.exe 4064 Nipffmmg.exe 3616 Npjnbg32.exe 4068 Nhcbidcd.exe 4988 Nalgbi32.exe 2396 Ngipjp32.exe 1680 Nmbhgjoi.exe 1068 Nkghqo32.exe 1868 Ndomiddc.exe 1824 Oacmchcl.exe 3420 Opfnne32.exe 1556 Ogpfko32.exe 4776 Ohobebig.exe 972 Oahgnh32.exe 5016 Ogdofo32.exe 5008 Oajccgmd.exe 4740 Odhppclh.exe 4304 Onqdhh32.exe 4612 Pkedbmab.exe 1380 Ppamjcpj.exe 3500 Pgkegn32.exe 1760 Pnenchoc.exe 2444 Ppdjpcng.exe 3624 Pnhjig32.exe 2296 Pjoknhbe.exe 864 Pafcofcg.exe 60 Pgbkgmao.exe 1612 Pnlcdg32.exe 1668 Qpkppbho.exe 2516 Qkqdnkge.exe 2568 Qnopjfgi.exe 5088 Qpmmfbfl.exe 1116 Qggebl32.exe 3340 Qnamofdf.exe 1880 Adkelplc.exe 4632 Akenij32.exe 4504 Ancjef32.exe 3024 Adnbapjp.exe 5012 Akgjnj32.exe 1484 Ababkdij.exe 4860 Akjgdjoj.exe 3464 Anhcpeon.exe 3988 Agqhik32.exe 2760 Ajodef32.exe 868 Aqilaplo.exe 4468 Akopoi32.exe 3588 Anmmkd32.exe 1848 Bhbahm32.exe 32 Bjcmpepm.exe 3040 Bqnemp32.exe 4948 Bjfjee32.exe 4368 Bqpbboeg.exe 1904 Bjhgke32.exe 4628 Bdnkhn32.exe 4112 Bnfoac32.exe 1172 Bgodjiio.exe 3456 Cbdhgaid.exe 4660 Cqghcn32.exe 3232 Cbfema32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Kcfiof32.exe Kaemgn32.exe File created C:\Windows\SysWOW64\Baeepd32.dll Mikepg32.exe File created C:\Windows\SysWOW64\Mmaimd32.dll Lnanadfi.exe File created C:\Windows\SysWOW64\Cadcfd32.exe Coegih32.exe File created C:\Windows\SysWOW64\Jkjikd32.dll Ebplhp32.exe File opened for modification C:\Windows\SysWOW64\Glbapoqh.exe Gkcdfl32.exe File created C:\Windows\SysWOW64\Oipicg32.dll Obccpj32.exe File opened for modification C:\Windows\SysWOW64\Majoikof.exe Mkpglqgj.exe File created C:\Windows\SysWOW64\Fbnfgneq.dll Gffkpa32.exe File opened for modification C:\Windows\SysWOW64\Ldkfno32.exe Lnanadfi.exe File created C:\Windows\SysWOW64\Fngmjikh.dll Odbgbb32.exe File opened for modification C:\Windows\SysWOW64\Kfbmgo32.exe Kjlmbnof.exe File created C:\Windows\SysWOW64\Qkkcinhf.dll Iplkje32.exe File created C:\Windows\SysWOW64\Panemeei.dll Booaii32.exe File created C:\Windows\SysWOW64\Poqckdap.exe Pbjbfclk.exe File opened for modification C:\Windows\SysWOW64\Ecnbgian.exe Eobffk32.exe File created C:\Windows\SysWOW64\Hmeqhlfm.dll Kanffogf.exe File created C:\Windows\SysWOW64\Pipniemf.dll Mjednmla.exe File opened for modification C:\Windows\SysWOW64\Acmomgoa.exe Apobakpn.exe File opened for modification C:\Windows\SysWOW64\Piepnfnj.exe Pejdmh32.exe File created C:\Windows\SysWOW64\Bghifmbc.dll Elccpife.exe File created C:\Windows\SysWOW64\Odpjmcjp.exe Obanqgkl.exe File created C:\Windows\SysWOW64\Cpdcmkpj.dll Nffljjfc.exe File opened for modification C:\Windows\SysWOW64\Lfimmhkg.exe Loodqn32.exe File opened for modification C:\Windows\SysWOW64\Lqfpoope.exe Lnhdbc32.exe File opened for modification C:\Windows\SysWOW64\Cbofdg32.exe Bifblbad.exe File opened for modification C:\Windows\SysWOW64\Bdnkhn32.exe Bjhgke32.exe File created C:\Windows\SysWOW64\Fajgfiag.exe Fjpoio32.exe File created C:\Windows\SysWOW64\Mboqnm32.exe Miflehaf.exe File opened for modification C:\Windows\SysWOW64\Mikepg32.exe Mflidl32.exe File created C:\Windows\SysWOW64\Akipao32.dll Jbfphh32.exe File opened for modification C:\Windows\SysWOW64\Lmnjan32.exe Lgdbedmc.exe File created C:\Windows\SysWOW64\Pbfepjng.dll Pgbkgmao.exe File created C:\Windows\SysWOW64\Hejpbbip.dll Dgplai32.exe File created C:\Windows\SysWOW64\Hhjqec32.exe Hmdlhk32.exe File opened for modification C:\Windows\SysWOW64\Pnhjig32.exe Ppdjpcng.exe File created C:\Windows\SysWOW64\Nohonheg.dll Ngodlgka.exe File created C:\Windows\SysWOW64\Dpoohgim.dll Deiblamk.exe File opened for modification C:\Windows\SysWOW64\Ibjqlj32.exe Ipldpo32.exe File created C:\Windows\SysWOW64\Fidgmfgl.dll Jcmkjeko.exe File opened for modification C:\Windows\SysWOW64\Kgbljkca.exe Kafcadej.exe File created C:\Windows\SysWOW64\Diblgnen.dll Ibhdgjap.exe File created C:\Windows\SysWOW64\Dglpfmji.dll Fagcfc32.exe File opened for modification C:\Windows\SysWOW64\Bodano32.exe Bjgifhep.exe File opened for modification C:\Windows\SysWOW64\Hcbgen32.exe Hmioicek.exe File opened for modification C:\Windows\SysWOW64\Ioeicajh.exe Ihkpgg32.exe File created C:\Windows\SysWOW64\Gffkpa32.exe Gplbcgbg.exe File created C:\Windows\SysWOW64\Hmjeggme.dll Imbhiial.exe File created C:\Windows\SysWOW64\Kikjjfkp.dll Bbecnipp.exe File created C:\Windows\SysWOW64\Eaenkj32.exe Eacaej32.exe File opened for modification C:\Windows\SysWOW64\Obkiqi32.exe Ofdhlh32.exe File created C:\Windows\SysWOW64\Falmabki.exe Fhchhm32.exe File created C:\Windows\SysWOW64\Inoeep32.dll Fmbnfcam.exe File opened for modification C:\Windows\SysWOW64\Ciioaa32.exe Cbofdg32.exe File created C:\Windows\SysWOW64\Eiijfg32.dll Lcmopeae.exe File opened for modification C:\Windows\SysWOW64\Pqihgcma.exe Ojopki32.exe File created C:\Windows\SysWOW64\Qednnm32.exe Qojeabie.exe File created C:\Windows\SysWOW64\Bidefbcg.exe Bbjmih32.exe File opened for modification C:\Windows\SysWOW64\Gobicbgf.exe Fihqfh32.exe File opened for modification C:\Windows\SysWOW64\Mdaedgdb.exe Lngmhm32.exe File opened for modification C:\Windows\SysWOW64\Eaqdpjia.exe Eieplhlf.exe File created C:\Windows\SysWOW64\Homemqgo.dll Jmepcj32.exe File created C:\Windows\SysWOW64\Kfggbope.exe Kcikfcab.exe File created C:\Windows\SysWOW64\Fnkdpgnh.exe Febogbhg.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 14456 14372 WerFault.exe 937 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eaenkj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qojeabie.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aepmjk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aacjofkp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mdkhkflh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fmejlcoj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ihicah32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jndhkmfe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gcceifof.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Khkbcopl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Efgono32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ikhghi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qfcjhphd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ihkila32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lnoalehl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ondleo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Npighq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Apobakpn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fndgfffm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lgqhki32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pejdmh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fdmfcn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jnalem32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kpjjhj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mieeka32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gpnoigpe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dhjknljl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ndomiddc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Daeddlco.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eimelg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nlknbb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dmfecgim.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lkgkqh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hdfapjbl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kdeghfhj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bojohp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Igkmbn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kabpan32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pafcofcg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jddnah32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hoibmmpi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ihcclb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oeqagi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ngbgmpcq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dgliapic.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mciokcgg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qednnm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cojqdhid.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ijaimg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cjpllgme.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dqomdppm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Booaii32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ijigfaol.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Khimhefk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fejlbgek.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cqkkcghn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eobffk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mnaghb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Abjdbj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cnboma32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bkepeaaa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Piepnfnj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dapcab32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nnjbdj32.exe -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jloibkhh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kfbmgo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aqhhdgfp.dll" Cckmklac.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Foajai32.dll" Ffeaichg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ngekmf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Akjgdjoj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Glbapoqh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Enigjh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kcccjf32.dll" Eggbbhkj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dajnol32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Edjmknkk.dll" Pbmffi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cnkjaaqb.dll" Ghfnej32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hndibn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mnlfclip.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fngmjikh.dll" Odbgbb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pkedbmab.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nmmgae32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Idpdfija.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aagpjm32.dll" Obdbqm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fqcilgji.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qggebl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gafnik32.dll" Ancjef32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jchaoe32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Epgpajdp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Oihkgo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Blnoad32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Obgofmjb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fegiba32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ihcclb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bedpjdoc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hdcbbbbi.dll" Bhdilold.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jmqefmcl.dll" Nbjhph32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pldljbmn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gdbfph32.dll" Heohinog.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hlipfh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Banlia32.dll" Hmlicp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Blnoad32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfghkgkc.dll" Jhapmphg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qeomnh32.dll" Mhihkjfj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Akkmocjl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gehbio32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jajdff32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dgplai32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kknhjj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdnhjgbo.dll" Kcphpdil.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cjabgm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pcmibojk.dll" Glmqjj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pfjgbapo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdkmkijf.dll" Qfcjhphd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bpodmb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kdbchp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ondleo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mcklac32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dbihep32.dll" Mfofjk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cqkkcghn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbgalejf.dll" Aoenbkll.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffpfcf32.dll" Mabdlk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Opdpih32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ifhpbcgm.dll" Dqhpjohb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Efolidno.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nccmog32.dll" Nipffmmg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kjhfnc32.dll" Dnmgni32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cabgompp.dll" Nldjnk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ommjnlnd.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1128 wrote to memory of 4100 1128 c05cea0c41a05d3f1fc8031cb672afec042cfd5419b68944b84e1931570799d4.exe 92 PID 1128 wrote to memory of 4100 1128 c05cea0c41a05d3f1fc8031cb672afec042cfd5419b68944b84e1931570799d4.exe 92 PID 1128 wrote to memory of 4100 1128 c05cea0c41a05d3f1fc8031cb672afec042cfd5419b68944b84e1931570799d4.exe 92 PID 4100 wrote to memory of 1928 4100 Mpchbhjl.exe 93 PID 4100 wrote to memory of 1928 4100 Mpchbhjl.exe 93 PID 4100 wrote to memory of 1928 4100 Mpchbhjl.exe 93 PID 1928 wrote to memory of 4168 1928 Miklkm32.exe 94 PID 1928 wrote to memory of 4168 1928 Miklkm32.exe 94 PID 1928 wrote to memory of 4168 1928 Miklkm32.exe 94 PID 4168 wrote to memory of 2660 4168 Mabdlk32.exe 95 PID 4168 wrote to memory of 2660 4168 Mabdlk32.exe 95 PID 4168 wrote to memory of 2660 4168 Mabdlk32.exe 95 PID 2660 wrote to memory of 4228 2660 Mjkiephp.exe 96 PID 2660 wrote to memory of 4228 2660 Mjkiephp.exe 96 PID 2660 wrote to memory of 4228 2660 Mjkiephp.exe 96 PID 4228 wrote to memory of 4796 4228 Mdcmnfop.exe 97 PID 4228 wrote to memory of 4796 4228 Mdcmnfop.exe 97 PID 4228 wrote to memory of 4796 4228 Mdcmnfop.exe 97 PID 4796 wrote to memory of 4064 4796 Nfaijand.exe 98 PID 4796 wrote to memory of 4064 4796 Nfaijand.exe 98 PID 4796 wrote to memory of 4064 4796 Nfaijand.exe 98 PID 4064 wrote to memory of 3616 4064 Nipffmmg.exe 100 PID 4064 wrote to memory of 3616 4064 Nipffmmg.exe 100 PID 4064 wrote to memory of 3616 4064 Nipffmmg.exe 100 PID 3616 wrote to memory of 4068 3616 Npjnbg32.exe 101 PID 3616 wrote to memory of 4068 3616 Npjnbg32.exe 101 PID 3616 wrote to memory of 4068 3616 Npjnbg32.exe 101 PID 4068 wrote to memory of 4988 4068 Nhcbidcd.exe 102 PID 4068 wrote to memory of 4988 4068 Nhcbidcd.exe 102 PID 4068 wrote to memory of 4988 4068 Nhcbidcd.exe 102 PID 4988 wrote to memory of 2396 4988 Nalgbi32.exe 103 PID 4988 wrote to memory of 2396 4988 Nalgbi32.exe 103 PID 4988 wrote to memory of 2396 4988 Nalgbi32.exe 103 PID 2396 wrote to memory of 1680 2396 Ngipjp32.exe 104 PID 2396 wrote to memory of 1680 2396 Ngipjp32.exe 104 PID 2396 wrote to memory of 1680 2396 Ngipjp32.exe 104 PID 1680 wrote to memory of 1068 1680 Nmbhgjoi.exe 105 PID 1680 wrote to memory of 1068 1680 Nmbhgjoi.exe 105 PID 1680 wrote to memory of 1068 1680 Nmbhgjoi.exe 105 PID 1068 wrote to memory of 1868 1068 Nkghqo32.exe 106 PID 1068 wrote to memory of 1868 1068 Nkghqo32.exe 106 PID 1068 wrote to memory of 1868 1068 Nkghqo32.exe 106 PID 1868 wrote to memory of 1824 1868 Ndomiddc.exe 107 PID 1868 wrote to memory of 1824 1868 Ndomiddc.exe 107 PID 1868 wrote to memory of 1824 1868 Ndomiddc.exe 107 PID 1824 wrote to memory of 3420 1824 Oacmchcl.exe 108 PID 1824 wrote to memory of 3420 1824 Oacmchcl.exe 108 PID 1824 wrote to memory of 3420 1824 Oacmchcl.exe 108 PID 3420 wrote to memory of 1556 3420 Opfnne32.exe 109 PID 3420 wrote to memory of 1556 3420 Opfnne32.exe 109 PID 3420 wrote to memory of 1556 3420 Opfnne32.exe 109 PID 1556 wrote to memory of 4776 1556 Ogpfko32.exe 110 PID 1556 wrote to memory of 4776 1556 Ogpfko32.exe 110 PID 1556 wrote to memory of 4776 1556 Ogpfko32.exe 110 PID 4776 wrote to memory of 972 4776 Ohobebig.exe 111 PID 4776 wrote to memory of 972 4776 Ohobebig.exe 111 PID 4776 wrote to memory of 972 4776 Ohobebig.exe 111 PID 972 wrote to memory of 5016 972 Oahgnh32.exe 112 PID 972 wrote to memory of 5016 972 Oahgnh32.exe 112 PID 972 wrote to memory of 5016 972 Oahgnh32.exe 112 PID 5016 wrote to memory of 5008 5016 Ogdofo32.exe 113 PID 5016 wrote to memory of 5008 5016 Ogdofo32.exe 113 PID 5016 wrote to memory of 5008 5016 Ogdofo32.exe 113 PID 5008 wrote to memory of 4740 5008 Oajccgmd.exe 114
Processes
-
C:\Users\Admin\AppData\Local\Temp\c05cea0c41a05d3f1fc8031cb672afec042cfd5419b68944b84e1931570799d4.exe"C:\Users\Admin\AppData\Local\Temp\c05cea0c41a05d3f1fc8031cb672afec042cfd5419b68944b84e1931570799d4.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1128 -
C:\Windows\SysWOW64\Mpchbhjl.exeC:\Windows\system32\Mpchbhjl.exe2⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4100 -
C:\Windows\SysWOW64\Miklkm32.exeC:\Windows\system32\Miklkm32.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1928 -
C:\Windows\SysWOW64\Mabdlk32.exeC:\Windows\system32\Mabdlk32.exe4⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4168 -
C:\Windows\SysWOW64\Mjkiephp.exeC:\Windows\system32\Mjkiephp.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2660 -
C:\Windows\SysWOW64\Mdcmnfop.exeC:\Windows\system32\Mdcmnfop.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4228 -
C:\Windows\SysWOW64\Nfaijand.exeC:\Windows\system32\Nfaijand.exe7⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4796 -
C:\Windows\SysWOW64\Nipffmmg.exeC:\Windows\system32\Nipffmmg.exe8⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4064 -
C:\Windows\SysWOW64\Npjnbg32.exeC:\Windows\system32\Npjnbg32.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3616 -
C:\Windows\SysWOW64\Nhcbidcd.exeC:\Windows\system32\Nhcbidcd.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4068 -
C:\Windows\SysWOW64\Nalgbi32.exeC:\Windows\system32\Nalgbi32.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4988 -
C:\Windows\SysWOW64\Ngipjp32.exeC:\Windows\system32\Ngipjp32.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2396 -
C:\Windows\SysWOW64\Nmbhgjoi.exeC:\Windows\system32\Nmbhgjoi.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1680 -
C:\Windows\SysWOW64\Nkghqo32.exeC:\Windows\system32\Nkghqo32.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1068 -
C:\Windows\SysWOW64\Ndomiddc.exeC:\Windows\system32\Ndomiddc.exe15⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1868 -
C:\Windows\SysWOW64\Oacmchcl.exeC:\Windows\system32\Oacmchcl.exe16⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1824 -
C:\Windows\SysWOW64\Opfnne32.exeC:\Windows\system32\Opfnne32.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3420 -
C:\Windows\SysWOW64\Ogpfko32.exeC:\Windows\system32\Ogpfko32.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1556 -
C:\Windows\SysWOW64\Ohobebig.exeC:\Windows\system32\Ohobebig.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4776 -
C:\Windows\SysWOW64\Oahgnh32.exeC:\Windows\system32\Oahgnh32.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:972 -
C:\Windows\SysWOW64\Ogdofo32.exeC:\Windows\system32\Ogdofo32.exe21⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5016 -
C:\Windows\SysWOW64\Oajccgmd.exeC:\Windows\system32\Oajccgmd.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5008 -
C:\Windows\SysWOW64\Odhppclh.exeC:\Windows\system32\Odhppclh.exe23⤵
- Executes dropped EXE
PID:4740 -
C:\Windows\SysWOW64\Onqdhh32.exeC:\Windows\system32\Onqdhh32.exe24⤵
- Executes dropped EXE
PID:4304 -
C:\Windows\SysWOW64\Pkedbmab.exeC:\Windows\system32\Pkedbmab.exe25⤵
- Executes dropped EXE
- Modifies registry class
PID:4612 -
C:\Windows\SysWOW64\Ppamjcpj.exeC:\Windows\system32\Ppamjcpj.exe26⤵
- Executes dropped EXE
PID:1380 -
C:\Windows\SysWOW64\Pgkegn32.exeC:\Windows\system32\Pgkegn32.exe27⤵
- Executes dropped EXE
PID:3500 -
C:\Windows\SysWOW64\Pnenchoc.exeC:\Windows\system32\Pnenchoc.exe28⤵
- Executes dropped EXE
PID:1760 -
C:\Windows\SysWOW64\Ppdjpcng.exeC:\Windows\system32\Ppdjpcng.exe29⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2444 -
C:\Windows\SysWOW64\Pnhjig32.exeC:\Windows\system32\Pnhjig32.exe30⤵
- Executes dropped EXE
PID:3624 -
C:\Windows\SysWOW64\Pjoknhbe.exeC:\Windows\system32\Pjoknhbe.exe31⤵
- Executes dropped EXE
PID:2296 -
C:\Windows\SysWOW64\Pafcofcg.exeC:\Windows\system32\Pafcofcg.exe32⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:864 -
C:\Windows\SysWOW64\Pgbkgmao.exeC:\Windows\system32\Pgbkgmao.exe33⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:60 -
C:\Windows\SysWOW64\Pnlcdg32.exeC:\Windows\system32\Pnlcdg32.exe34⤵
- Executes dropped EXE
PID:1612 -
C:\Windows\SysWOW64\Qpkppbho.exeC:\Windows\system32\Qpkppbho.exe35⤵
- Executes dropped EXE
PID:1668 -
C:\Windows\SysWOW64\Qkqdnkge.exeC:\Windows\system32\Qkqdnkge.exe36⤵
- Executes dropped EXE
PID:2516 -
C:\Windows\SysWOW64\Qnopjfgi.exeC:\Windows\system32\Qnopjfgi.exe37⤵
- Executes dropped EXE
PID:2568 -
C:\Windows\SysWOW64\Qpmmfbfl.exeC:\Windows\system32\Qpmmfbfl.exe38⤵
- Executes dropped EXE
PID:5088 -
C:\Windows\SysWOW64\Qggebl32.exeC:\Windows\system32\Qggebl32.exe39⤵
- Executes dropped EXE
- Modifies registry class
PID:1116 -
C:\Windows\SysWOW64\Qnamofdf.exeC:\Windows\system32\Qnamofdf.exe40⤵
- Executes dropped EXE
PID:3340 -
C:\Windows\SysWOW64\Adkelplc.exeC:\Windows\system32\Adkelplc.exe41⤵
- Executes dropped EXE
PID:1880 -
C:\Windows\SysWOW64\Akenij32.exeC:\Windows\system32\Akenij32.exe42⤵
- Executes dropped EXE
PID:4632 -
C:\Windows\SysWOW64\Ancjef32.exeC:\Windows\system32\Ancjef32.exe43⤵
- Executes dropped EXE
- Modifies registry class
PID:4504 -
C:\Windows\SysWOW64\Adnbapjp.exeC:\Windows\system32\Adnbapjp.exe44⤵
- Executes dropped EXE
PID:3024 -
C:\Windows\SysWOW64\Akgjnj32.exeC:\Windows\system32\Akgjnj32.exe45⤵
- Executes dropped EXE
PID:5012 -
C:\Windows\SysWOW64\Ababkdij.exeC:\Windows\system32\Ababkdij.exe46⤵
- Executes dropped EXE
PID:1484 -
C:\Windows\SysWOW64\Akjgdjoj.exeC:\Windows\system32\Akjgdjoj.exe47⤵
- Executes dropped EXE
- Modifies registry class
PID:4860 -
C:\Windows\SysWOW64\Anhcpeon.exeC:\Windows\system32\Anhcpeon.exe48⤵
- Executes dropped EXE
PID:3464 -
C:\Windows\SysWOW64\Agqhik32.exeC:\Windows\system32\Agqhik32.exe49⤵
- Executes dropped EXE
PID:3988 -
C:\Windows\SysWOW64\Ajodef32.exeC:\Windows\system32\Ajodef32.exe50⤵
- Executes dropped EXE
PID:2760 -
C:\Windows\SysWOW64\Aqilaplo.exeC:\Windows\system32\Aqilaplo.exe51⤵
- Executes dropped EXE
PID:868 -
C:\Windows\SysWOW64\Akopoi32.exeC:\Windows\system32\Akopoi32.exe52⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4468 -
C:\Windows\SysWOW64\Anmmkd32.exeC:\Windows\system32\Anmmkd32.exe53⤵
- Executes dropped EXE
PID:3588 -
C:\Windows\SysWOW64\Bhbahm32.exeC:\Windows\system32\Bhbahm32.exe54⤵
- Executes dropped EXE
PID:1848 -
C:\Windows\SysWOW64\Bjcmpepm.exeC:\Windows\system32\Bjcmpepm.exe55⤵
- Executes dropped EXE
PID:32 -
C:\Windows\SysWOW64\Bqnemp32.exeC:\Windows\system32\Bqnemp32.exe56⤵
- Executes dropped EXE
PID:3040 -
C:\Windows\SysWOW64\Bjfjee32.exeC:\Windows\system32\Bjfjee32.exe57⤵
- Executes dropped EXE
PID:4948 -
C:\Windows\SysWOW64\Bqpbboeg.exeC:\Windows\system32\Bqpbboeg.exe58⤵
- Executes dropped EXE
PID:4368 -
C:\Windows\SysWOW64\Bjhgke32.exeC:\Windows\system32\Bjhgke32.exe59⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1904 -
C:\Windows\SysWOW64\Bdnkhn32.exeC:\Windows\system32\Bdnkhn32.exe60⤵
- Executes dropped EXE
PID:4628 -
C:\Windows\SysWOW64\Bnfoac32.exeC:\Windows\system32\Bnfoac32.exe61⤵
- Executes dropped EXE
PID:4112 -
C:\Windows\SysWOW64\Bgodjiio.exeC:\Windows\system32\Bgodjiio.exe62⤵
- Executes dropped EXE
PID:1172 -
C:\Windows\SysWOW64\Cbdhgaid.exeC:\Windows\system32\Cbdhgaid.exe63⤵
- Executes dropped EXE
PID:3456 -
C:\Windows\SysWOW64\Cqghcn32.exeC:\Windows\system32\Cqghcn32.exe64⤵
- Executes dropped EXE
PID:4660 -
C:\Windows\SysWOW64\Cbfema32.exeC:\Windows\system32\Cbfema32.exe65⤵
- Executes dropped EXE
PID:3232 -
C:\Windows\SysWOW64\Cgcmeh32.exeC:\Windows\system32\Cgcmeh32.exe66⤵PID:4408
-
C:\Windows\SysWOW64\Cnmebblf.exeC:\Windows\system32\Cnmebblf.exe67⤵PID:3304
-
C:\Windows\SysWOW64\Calbnnkj.exeC:\Windows\system32\Calbnnkj.exe68⤵PID:4116
-
C:\Windows\SysWOW64\Ckafkfkp.exeC:\Windows\system32\Ckafkfkp.exe69⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1572 -
C:\Windows\SysWOW64\Canocm32.exeC:\Windows\system32\Canocm32.exe70⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:944 -
C:\Windows\SysWOW64\Cnboma32.exeC:\Windows\system32\Cnboma32.exe71⤵
- System Location Discovery: System Language Discovery
PID:1544 -
C:\Windows\SysWOW64\Cigcjj32.exeC:\Windows\system32\Cigcjj32.exe72⤵PID:3716
-
C:\Windows\SysWOW64\Cgjcfgoa.exeC:\Windows\system32\Cgjcfgoa.exe73⤵PID:2580
-
C:\Windows\SysWOW64\Dijppjfd.exeC:\Windows\system32\Dijppjfd.exe74⤵PID:5160
-
C:\Windows\SysWOW64\Djklgb32.exeC:\Windows\system32\Djklgb32.exe75⤵PID:5200
-
C:\Windows\SysWOW64\Daeddlco.exeC:\Windows\system32\Daeddlco.exe76⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:5240 -
C:\Windows\SysWOW64\Djmima32.exeC:\Windows\system32\Djmima32.exe77⤵PID:5280
-
C:\Windows\SysWOW64\Decmjjie.exeC:\Windows\system32\Decmjjie.exe78⤵PID:5320
-
C:\Windows\SysWOW64\Dioiki32.exeC:\Windows\system32\Dioiki32.exe79⤵PID:5360
-
C:\Windows\SysWOW64\Dajnol32.exeC:\Windows\system32\Dajnol32.exe80⤵
- Modifies registry class
PID:5400 -
C:\Windows\SysWOW64\Deejpjgc.exeC:\Windows\system32\Deejpjgc.exe81⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5440 -
C:\Windows\SysWOW64\Djbbhafj.exeC:\Windows\system32\Djbbhafj.exe82⤵PID:5484
-
C:\Windows\SysWOW64\Dehgejep.exeC:\Windows\system32\Dehgejep.exe83⤵PID:5524
-
C:\Windows\SysWOW64\Eieplhlf.exeC:\Windows\system32\Eieplhlf.exe84⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:5572 -
C:\Windows\SysWOW64\Eaqdpjia.exeC:\Windows\system32\Eaqdpjia.exe85⤵PID:5616
-
C:\Windows\SysWOW64\Eacaej32.exeC:\Windows\system32\Eacaej32.exe86⤵
- Drops file in System32 directory
PID:5660 -
C:\Windows\SysWOW64\Eaenkj32.exeC:\Windows\system32\Eaenkj32.exe87⤵
- System Location Discovery: System Language Discovery
PID:5704 -
C:\Windows\SysWOW64\Eimelg32.exeC:\Windows\system32\Eimelg32.exe88⤵
- System Location Discovery: System Language Discovery
PID:5752 -
C:\Windows\SysWOW64\Ejnbdp32.exeC:\Windows\system32\Ejnbdp32.exe89⤵PID:5800
-
C:\Windows\SysWOW64\Eiobbgcl.exeC:\Windows\system32\Eiobbgcl.exe90⤵PID:5872
-
C:\Windows\SysWOW64\Fjpoio32.exeC:\Windows\system32\Fjpoio32.exe91⤵
- Drops file in System32 directory
PID:5916 -
C:\Windows\SysWOW64\Fajgfiag.exeC:\Windows\system32\Fajgfiag.exe92⤵PID:5960
-
C:\Windows\SysWOW64\Flpkcbqm.exeC:\Windows\system32\Flpkcbqm.exe93⤵PID:6004
-
C:\Windows\SysWOW64\Fehplggn.exeC:\Windows\system32\Fehplggn.exe94⤵PID:6048
-
C:\Windows\SysWOW64\Ficlmf32.exeC:\Windows\system32\Ficlmf32.exe95⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6096 -
C:\Windows\SysWOW64\Fkehdnee.exeC:\Windows\system32\Fkehdnee.exe96⤵PID:6140
-
C:\Windows\SysWOW64\Fejlbgek.exeC:\Windows\system32\Fejlbgek.exe97⤵
- System Location Discovery: System Language Discovery
PID:5152 -
C:\Windows\SysWOW64\Fhiinbdo.exeC:\Windows\system32\Fhiinbdo.exe98⤵PID:212
-
C:\Windows\SysWOW64\Fkgejncb.exeC:\Windows\system32\Fkgejncb.exe99⤵PID:2216
-
C:\Windows\SysWOW64\Femigg32.exeC:\Windows\system32\Femigg32.exe100⤵PID:3648
-
C:\Windows\SysWOW64\Fkiapn32.exeC:\Windows\system32\Fkiapn32.exe101⤵PID:5288
-
C:\Windows\SysWOW64\Fbqiak32.exeC:\Windows\system32\Fbqiak32.exe102⤵PID:5352
-
C:\Windows\SysWOW64\Gikbneio.exeC:\Windows\system32\Gikbneio.exe103⤵PID:5432
-
C:\Windows\SysWOW64\Gklnem32.exeC:\Windows\system32\Gklnem32.exe104⤵PID:5508
-
C:\Windows\SysWOW64\Gbcffk32.exeC:\Windows\system32\Gbcffk32.exe105⤵PID:5564
-
C:\Windows\SysWOW64\Ghpooanf.exeC:\Windows\system32\Ghpooanf.exe106⤵PID:5648
-
C:\Windows\SysWOW64\Gbecljnl.exeC:\Windows\system32\Gbecljnl.exe107⤵PID:5688
-
C:\Windows\SysWOW64\Gedohfmp.exeC:\Windows\system32\Gedohfmp.exe108⤵PID:5784
-
C:\Windows\SysWOW64\Gkqhpmkg.exeC:\Windows\system32\Gkqhpmkg.exe109⤵PID:5864
-
C:\Windows\SysWOW64\Golcak32.exeC:\Windows\system32\Golcak32.exe110⤵PID:5936
-
C:\Windows\SysWOW64\Gkcdfl32.exeC:\Windows\system32\Gkcdfl32.exe111⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:6000 -
C:\Windows\SysWOW64\Glbapoqh.exeC:\Windows\system32\Glbapoqh.exe112⤵
- Modifies registry class
PID:6076 -
C:\Windows\SysWOW64\Hifaic32.exeC:\Windows\system32\Hifaic32.exe113⤵PID:6136
-
C:\Windows\SysWOW64\Hlgjko32.exeC:\Windows\system32\Hlgjko32.exe114⤵PID:2312
-
C:\Windows\SysWOW64\Hcabhido.exeC:\Windows\system32\Hcabhido.exe115⤵PID:2184
-
C:\Windows\SysWOW64\Hepoddcc.exeC:\Windows\system32\Hepoddcc.exe116⤵PID:5264
-
C:\Windows\SysWOW64\Hklglk32.exeC:\Windows\system32\Hklglk32.exe117⤵PID:5392
-
C:\Windows\SysWOW64\Himgjbii.exeC:\Windows\system32\Himgjbii.exe118⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5516 -
C:\Windows\SysWOW64\Hipdpbgf.exeC:\Windows\system32\Hipdpbgf.exe119⤵PID:5612
-
C:\Windows\SysWOW64\Icjengld.exeC:\Windows\system32\Icjengld.exe120⤵PID:5680
-
C:\Windows\SysWOW64\Ikejbjip.exeC:\Windows\system32\Ikejbjip.exe121⤵PID:5808
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-