Analysis
-
max time kernel
63s -
max time network
19s -
platform
windows7_x64 -
resource
win7-20240704-en -
resource tags
arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system -
submitted
17-08-2024 23:37
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
60c4b252e7c036870afac61e127ca9ba3fbac67d0e1540040dd33e96848d8b57.exe
Resource
win7-20240704-en
windows7-x64
8 signatures
150 seconds
Behavioral task
behavioral2
Sample
60c4b252e7c036870afac61e127ca9ba3fbac67d0e1540040dd33e96848d8b57.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
7 signatures
150 seconds
General
-
Target
60c4b252e7c036870afac61e127ca9ba3fbac67d0e1540040dd33e96848d8b57.exe
-
Size
89KB
-
MD5
073e6109b0665084ed837c74d225eb09
-
SHA1
9e25edc56f4a48364e67d6051cbb7f2a06620e93
-
SHA256
60c4b252e7c036870afac61e127ca9ba3fbac67d0e1540040dd33e96848d8b57
-
SHA512
b592eccd9473831f40820fa6371bfddc43ca33237cdd583e08867a1592bf63b3c2a5d6f61dcae345e378be384a265f5adaff428e10dea93797f48ea4da0dd968
-
SSDEEP
1536:MR7RewAV4tthWcK5rDCA7eqY/CGRQeR+KRFR3RzR1URJrCiuiNj5QkMMWRklpjCY:MzewptthWc0n7+Veejb5ZXUf2iuOj22T
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gddpndhp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Llalgdbj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ojlkonpb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Pddlggin.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Bgnaekil.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ifahpnfl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mfhcknpf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Fbdpjgjf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Obniel32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ckebbgoj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Phabdmgq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Pdjpmi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Conbmfif.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fhlogo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ggkoojip.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jpdibapb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nalnmahf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aodqok32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dbidof32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Nmmgafjh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fmholgpj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Imkqmh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Dcojbm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jpnfdbig.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hfiofefm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hnljkf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cfemdp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dqpgll32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Bjjakg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Dijjgegh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Gklkdn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ldfgbb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oqcffi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cgpmbgai.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ppmkilbp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jjjdjp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hcfenn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Khkmba32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Goemhfco.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Qckcdj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Fhifmcfa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Efifjg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cgfqii32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Iekbmfdc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jocceo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jmkmlk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bkddjkej.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bdbdgh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ebhjdc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Nmjicn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kfcadq32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pddlggin.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Bcmeogam.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ncnmhajo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Eipekmjg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pldknmhd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Paemac32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Dfnjqifb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Dmfhqmge.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Dlnjjc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Njobpa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Qlqdmj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Hkdkhl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qolmip32.exe -
Executes dropped EXE 64 IoCs
pid Process 2232 Cghkepdm.exe 2764 Cpcpjbah.exe 2724 Cfoellgb.exe 2780 Dlnjjc32.exe 2860 Doapanne.exe 2692 Dmgmbj32.exe 2412 Dadehh32.exe 552 Elqcnfdp.exe 2476 Eabeal32.exe 968 Fepnhjdh.exe 2116 Fdggofgn.exe 2096 Fghppa32.exe 2404 Gcankb32.exe 2228 Gbfklolh.exe 2808 Gbkdgn32.exe 1740 Helmiiec.exe 1636 Hcfceeff.exe 1724 Imqdcjkd.exe 1036 Ifkfap32.exe 1536 Iijbnkne.exe 2352 Iljkofkg.exe 800 Iaipmm32.exe 1716 Jhfepfme.exe 2432 Jmbnhm32.exe 2216 Jdobjgqg.exe 2772 Kiqdmm32.exe 1700 Kopikdgn.exe 2936 Kdlbckee.exe 2624 Kdakoj32.exe 2640 Ldchdjom.exe 2600 Lfedlb32.exe 1344 Lbnbfb32.exe 3040 Lflklaoc.exe 2720 Mbbkabdh.exe 2608 Mkkpjg32.exe 684 Mdcdcmai.exe 1304 Mnlilb32.exe 1816 Mkpieggc.exe 1408 Mdhnnl32.exe 1844 Mjeffc32.exe 1808 Mcmkoi32.exe 2960 Nmeohnil.exe 1348 Nilpmo32.exe 3024 Ncbdjhnf.exe 916 Nmjicn32.exe 2700 Niaihojk.exe 592 Nalnmahf.exe 1760 Nnpofe32.exe 2872 Oaaghp32.exe 1684 Omhhma32.exe 2920 Ohmljj32.exe 2756 Obgmjh32.exe 2168 Opkndldc.exe 2572 Ppmkilbp.exe 3064 Pldknmhd.exe 2592 Pkihpi32.exe 3048 Pdamhocm.exe 1800 Paemac32.exe 1600 Poinkg32.exe 1588 Phabdmgq.exe 108 Qckcdj32.exe 2064 Acnpjj32.exe 1356 Aodqok32.exe 1720 Ajjeld32.exe -
Loads dropped DLL 64 IoCs
pid Process 2300 60c4b252e7c036870afac61e127ca9ba3fbac67d0e1540040dd33e96848d8b57.exe 2300 60c4b252e7c036870afac61e127ca9ba3fbac67d0e1540040dd33e96848d8b57.exe 2232 Cghkepdm.exe 2232 Cghkepdm.exe 2764 Cpcpjbah.exe 2764 Cpcpjbah.exe 2724 Cfoellgb.exe 2724 Cfoellgb.exe 2780 Dlnjjc32.exe 2780 Dlnjjc32.exe 2860 Doapanne.exe 2860 Doapanne.exe 2692 Dmgmbj32.exe 2692 Dmgmbj32.exe 2412 Dadehh32.exe 2412 Dadehh32.exe 552 Elqcnfdp.exe 552 Elqcnfdp.exe 2476 Eabeal32.exe 2476 Eabeal32.exe 968 Fepnhjdh.exe 968 Fepnhjdh.exe 2116 Fdggofgn.exe 2116 Fdggofgn.exe 2096 Fghppa32.exe 2096 Fghppa32.exe 2404 Gcankb32.exe 2404 Gcankb32.exe 2228 Gbfklolh.exe 2228 Gbfklolh.exe 2808 Gbkdgn32.exe 2808 Gbkdgn32.exe 1740 Helmiiec.exe 1740 Helmiiec.exe 1636 Hcfceeff.exe 1636 Hcfceeff.exe 1724 Imqdcjkd.exe 1724 Imqdcjkd.exe 1036 Ifkfap32.exe 1036 Ifkfap32.exe 1536 Iijbnkne.exe 1536 Iijbnkne.exe 2352 Iljkofkg.exe 2352 Iljkofkg.exe 800 Iaipmm32.exe 800 Iaipmm32.exe 1716 Jhfepfme.exe 1716 Jhfepfme.exe 2432 Jmbnhm32.exe 2432 Jmbnhm32.exe 2216 Jdobjgqg.exe 2216 Jdobjgqg.exe 2772 Kiqdmm32.exe 2772 Kiqdmm32.exe 1700 Kopikdgn.exe 1700 Kopikdgn.exe 2936 Kdlbckee.exe 2936 Kdlbckee.exe 2624 Kdakoj32.exe 2624 Kdakoj32.exe 2640 Ldchdjom.exe 2640 Ldchdjom.exe 2600 Lfedlb32.exe 2600 Lfedlb32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Ekblplgo.exe Edidcb32.exe File created C:\Windows\SysWOW64\Ghpngkhm.exe Ggqamh32.exe File opened for modification C:\Windows\SysWOW64\Ldangbhd.exe Khkmba32.exe File opened for modification C:\Windows\SysWOW64\Bonenbgj.exe Aolihc32.exe File opened for modification C:\Windows\SysWOW64\Kopikdgn.exe Kiqdmm32.exe File opened for modification C:\Windows\SysWOW64\Pmbdfolj.exe Pdjpmi32.exe File created C:\Windows\SysWOW64\Bjjcdp32.exe Bncboo32.exe File created C:\Windows\SysWOW64\Dmfhqmge.exe Dqpgll32.exe File opened for modification C:\Windows\SysWOW64\Ghpngkhm.exe Ggqamh32.exe File created C:\Windows\SysWOW64\Eigaib32.dll Mbbkabdh.exe File created C:\Windows\SysWOW64\Kfbjjjci.exe Jecnpg32.exe File created C:\Windows\SysWOW64\Okgiokkl.dll Pnbjca32.exe File opened for modification C:\Windows\SysWOW64\Qhdabemb.exe Qolmip32.exe File opened for modification C:\Windows\SysWOW64\Efolib32.exe Dmfhqmge.exe File created C:\Windows\SysWOW64\Paemac32.exe Pdamhocm.exe File created C:\Windows\SysWOW64\Nilpmo32.exe Nmeohnil.exe File opened for modification C:\Windows\SysWOW64\Eipekmjg.exe Enjand32.exe File opened for modification C:\Windows\SysWOW64\Cghkepdm.exe 60c4b252e7c036870afac61e127ca9ba3fbac67d0e1540040dd33e96848d8b57.exe File created C:\Windows\SysWOW64\Dmalmdcg.exe Dcihdo32.exe File created C:\Windows\SysWOW64\Jgdicbgi.dll Efifjg32.exe File opened for modification C:\Windows\SysWOW64\Njjbjk32.exe Ncnmhajo.exe File created C:\Windows\SysWOW64\Cfemdp32.exe Bfcqoqeh.exe File created C:\Windows\SysWOW64\Khebqq32.dll Ohmljj32.exe File created C:\Windows\SysWOW64\Cgkanomj.exe Bokcom32.exe File created C:\Windows\SysWOW64\Gjcekj32.exe Glpdbfek.exe File opened for modification C:\Windows\SysWOW64\Kfcadq32.exe Jmkmlk32.exe File created C:\Windows\SysWOW64\Ngfhbd32.exe Nmmgafjh.exe File opened for modification C:\Windows\SysWOW64\Ppmkilbp.exe Opkndldc.exe File created C:\Windows\SysWOW64\Pqpbhhnh.dll Ifahpnfl.exe File created C:\Windows\SysWOW64\Bbfojg32.dll Nbodpo32.exe File created C:\Windows\SysWOW64\Mdajff32.exe Mlfebcnd.exe File created C:\Windows\SysWOW64\Mjkjek32.dll Cfemdp32.exe File created C:\Windows\SysWOW64\Aadlgk32.dll Ldchdjom.exe File created C:\Windows\SysWOW64\Bmnqaanm.dll Aodqok32.exe File opened for modification C:\Windows\SysWOW64\Foqadnpq.exe Ficilgai.exe File created C:\Windows\SysWOW64\Ifoljn32.exe Imfgahao.exe File created C:\Windows\SysWOW64\Eleobngo.exe Efifjg32.exe File opened for modification C:\Windows\SysWOW64\Pihnqj32.exe Pnbjca32.exe File opened for modification C:\Windows\SysWOW64\Cgpmbgai.exe Cbcdjpba.exe File created C:\Windows\SysWOW64\Fkpeojha.exe Fbdpjgjf.exe File created C:\Windows\SysWOW64\Dknehe32.exe Dbfaopqo.exe File created C:\Windows\SysWOW64\Lindbn32.dll Enjand32.exe File created C:\Windows\SysWOW64\Ffmicb32.dll Lflklaoc.exe File opened for modification C:\Windows\SysWOW64\Mcmkoi32.exe Mjeffc32.exe File opened for modification C:\Windows\SysWOW64\Mccaodgj.exe Lohiob32.exe File created C:\Windows\SysWOW64\Ahgdbk32.exe Qlqdmj32.exe File created C:\Windows\SysWOW64\Bfnnpbnn.exe Bkhjcing.exe File opened for modification C:\Windows\SysWOW64\Gcankb32.exe Fghppa32.exe File created C:\Windows\SysWOW64\Qkbefj32.dll Fmpnpe32.exe File created C:\Windows\SysWOW64\Gcifdj32.exe Gaiijgbi.exe File created C:\Windows\SysWOW64\Oemfahcn.exe Obniel32.exe File opened for modification C:\Windows\SysWOW64\Abpohb32.exe Amcfpl32.exe File opened for modification C:\Windows\SysWOW64\Mnlilb32.exe Mdcdcmai.exe File created C:\Windows\SysWOW64\Mjeffc32.exe Mdhnnl32.exe File created C:\Windows\SysWOW64\Hmpjieck.dll Phabdmgq.exe File created C:\Windows\SysWOW64\Qlbphm32.dll Adfbbabc.exe File created C:\Windows\SysWOW64\Dacbha32.dll Bjnjfffm.exe File created C:\Windows\SysWOW64\Ggkoojip.exe Fmbkfd32.exe File created C:\Windows\SysWOW64\Cfoellgb.exe Cpcpjbah.exe File created C:\Windows\SysWOW64\Lciijbkd.dll Mojaceln.exe File opened for modification C:\Windows\SysWOW64\Jmqckf32.exe Jchobqnc.exe File created C:\Windows\SysWOW64\Ponfcl32.dll Kfbjjjci.exe File opened for modification C:\Windows\SysWOW64\Nmmgafjh.exe Nhookh32.exe File created C:\Windows\SysWOW64\Kkooeblb.dll Qahlpkhh.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 3596 3068 WerFault.exe 340 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aolihc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Efolib32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fghppa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ehgmiq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fmholgpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fhlogo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Chfffk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gocpcfeb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bkddjkej.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bjnjfffm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Olgehh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Opennf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hkkaik32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ckilmfke.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lflklaoc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cgmndokg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pjlgna32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dlnjjc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Imkqmh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fmbkfd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mlfebcnd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pnbjca32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Poinkg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jmkmlk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pmbdfolj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aoamoefh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dknehe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oahpahel.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eabeal32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fdggofgn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iijbnkne.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ohhcokmp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ficilgai.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jhndcd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ldangbhd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nnpofe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eiocbd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fbdpjgjf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Adkbgf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Abpohb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kemgqm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eleobngo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oemfahcn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gljdlq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mnlilb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pkihpi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Acnpjj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aodqok32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Glpdbfek.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iceiibef.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jiaaaicm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kejdqffo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mjeffc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ndbjgjqh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Boifinfg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dmalmdcg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ojakdd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bgnaekil.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Achlch32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fdhigo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nalnmahf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gjcekj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dmfhqmge.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cpcpjbah.exe -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Poinkg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Dlcfnk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ggkoojip.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpmigi32.dll" Jcaahofh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Bjjcdp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nqollm32.dll" Cghkepdm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmfala32.dll" Kblooa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Piiekp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Hkdkhl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cejnde32.dll" Hcfenn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cakoqh32.dll" Jmqckf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Llalgdbj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Eipekmjg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jicfkpch.dll" Lfedlb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Lohiob32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fjaocifl.dll" Dmaoem32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aeannooi.dll" Gocpcfeb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Doapanne.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Bjdqfajl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Pmbdfolj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ffoihepa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Akinoefk.dll" Fpgmak32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Mjeffc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Gljdlq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Njjbjk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ifoljn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Lflklaoc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Bokcom32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Dihmae32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Imkqmh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Pdjpmi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ifabli32.dll" Cfpgee32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Fghppa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kpaihe32.dll" Mkpieggc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Pkihpi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Qomcdf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Kejdqffo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Kdlbckee.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Dcihdo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ikbndqnc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Pddlggin.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Bjjcdp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bomink32.dll" Iljkofkg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Hfiofefm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Lknbjlnn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Idkkjpdd.dll" Bcmeogam.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Glpdbfek.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ohhcokmp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Cgkanomj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kadkmila.dll" Eolljk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ehgmiq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Goemhfco.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Fghppa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Aecdpmbm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ecnpgj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Fmpnpe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egcpbc32.dll" Jdobjgqg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Achlch32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Dnpedghl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Bfcqoqeh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID 60c4b252e7c036870afac61e127ca9ba3fbac67d0e1540040dd33e96848d8b57.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Fmpnpe32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ikhqbo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Iljkofkg.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2300 wrote to memory of 2232 2300 60c4b252e7c036870afac61e127ca9ba3fbac67d0e1540040dd33e96848d8b57.exe 29 PID 2300 wrote to memory of 2232 2300 60c4b252e7c036870afac61e127ca9ba3fbac67d0e1540040dd33e96848d8b57.exe 29 PID 2300 wrote to memory of 2232 2300 60c4b252e7c036870afac61e127ca9ba3fbac67d0e1540040dd33e96848d8b57.exe 29 PID 2300 wrote to memory of 2232 2300 60c4b252e7c036870afac61e127ca9ba3fbac67d0e1540040dd33e96848d8b57.exe 29 PID 2232 wrote to memory of 2764 2232 Cghkepdm.exe 30 PID 2232 wrote to memory of 2764 2232 Cghkepdm.exe 30 PID 2232 wrote to memory of 2764 2232 Cghkepdm.exe 30 PID 2232 wrote to memory of 2764 2232 Cghkepdm.exe 30 PID 2764 wrote to memory of 2724 2764 Cpcpjbah.exe 31 PID 2764 wrote to memory of 2724 2764 Cpcpjbah.exe 31 PID 2764 wrote to memory of 2724 2764 Cpcpjbah.exe 31 PID 2764 wrote to memory of 2724 2764 Cpcpjbah.exe 31 PID 2724 wrote to memory of 2780 2724 Cfoellgb.exe 32 PID 2724 wrote to memory of 2780 2724 Cfoellgb.exe 32 PID 2724 wrote to memory of 2780 2724 Cfoellgb.exe 32 PID 2724 wrote to memory of 2780 2724 Cfoellgb.exe 32 PID 2780 wrote to memory of 2860 2780 Dlnjjc32.exe 33 PID 2780 wrote to memory of 2860 2780 Dlnjjc32.exe 33 PID 2780 wrote to memory of 2860 2780 Dlnjjc32.exe 33 PID 2780 wrote to memory of 2860 2780 Dlnjjc32.exe 33 PID 2860 wrote to memory of 2692 2860 Doapanne.exe 34 PID 2860 wrote to memory of 2692 2860 Doapanne.exe 34 PID 2860 wrote to memory of 2692 2860 Doapanne.exe 34 PID 2860 wrote to memory of 2692 2860 Doapanne.exe 34 PID 2692 wrote to memory of 2412 2692 Dmgmbj32.exe 35 PID 2692 wrote to memory of 2412 2692 Dmgmbj32.exe 35 PID 2692 wrote to memory of 2412 2692 Dmgmbj32.exe 35 PID 2692 wrote to memory of 2412 2692 Dmgmbj32.exe 35 PID 2412 wrote to memory of 552 2412 Dadehh32.exe 36 PID 2412 wrote to memory of 552 2412 Dadehh32.exe 36 PID 2412 wrote to memory of 552 2412 Dadehh32.exe 36 PID 2412 wrote to memory of 552 2412 Dadehh32.exe 36 PID 552 wrote to memory of 2476 552 Elqcnfdp.exe 37 PID 552 wrote to memory of 2476 552 Elqcnfdp.exe 37 PID 552 wrote to memory of 2476 552 Elqcnfdp.exe 37 PID 552 wrote to memory of 2476 552 Elqcnfdp.exe 37 PID 2476 wrote to memory of 968 2476 Eabeal32.exe 38 PID 2476 wrote to memory of 968 2476 Eabeal32.exe 38 PID 2476 wrote to memory of 968 2476 Eabeal32.exe 38 PID 2476 wrote to memory of 968 2476 Eabeal32.exe 38 PID 968 wrote to memory of 2116 968 Fepnhjdh.exe 39 PID 968 wrote to memory of 2116 968 Fepnhjdh.exe 39 PID 968 wrote to memory of 2116 968 Fepnhjdh.exe 39 PID 968 wrote to memory of 2116 968 Fepnhjdh.exe 39 PID 2116 wrote to memory of 2096 2116 Fdggofgn.exe 40 PID 2116 wrote to memory of 2096 2116 Fdggofgn.exe 40 PID 2116 wrote to memory of 2096 2116 Fdggofgn.exe 40 PID 2116 wrote to memory of 2096 2116 Fdggofgn.exe 40 PID 2096 wrote to memory of 2404 2096 Fghppa32.exe 41 PID 2096 wrote to memory of 2404 2096 Fghppa32.exe 41 PID 2096 wrote to memory of 2404 2096 Fghppa32.exe 41 PID 2096 wrote to memory of 2404 2096 Fghppa32.exe 41 PID 2404 wrote to memory of 2228 2404 Gcankb32.exe 42 PID 2404 wrote to memory of 2228 2404 Gcankb32.exe 42 PID 2404 wrote to memory of 2228 2404 Gcankb32.exe 42 PID 2404 wrote to memory of 2228 2404 Gcankb32.exe 42 PID 2228 wrote to memory of 2808 2228 Gbfklolh.exe 43 PID 2228 wrote to memory of 2808 2228 Gbfklolh.exe 43 PID 2228 wrote to memory of 2808 2228 Gbfklolh.exe 43 PID 2228 wrote to memory of 2808 2228 Gbfklolh.exe 43 PID 2808 wrote to memory of 1740 2808 Gbkdgn32.exe 44 PID 2808 wrote to memory of 1740 2808 Gbkdgn32.exe 44 PID 2808 wrote to memory of 1740 2808 Gbkdgn32.exe 44 PID 2808 wrote to memory of 1740 2808 Gbkdgn32.exe 44
Processes
-
C:\Users\Admin\AppData\Local\Temp\60c4b252e7c036870afac61e127ca9ba3fbac67d0e1540040dd33e96848d8b57.exe"C:\Users\Admin\AppData\Local\Temp\60c4b252e7c036870afac61e127ca9ba3fbac67d0e1540040dd33e96848d8b57.exe"1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2300 -
C:\Windows\SysWOW64\Cghkepdm.exeC:\Windows\system32\Cghkepdm.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2232 -
C:\Windows\SysWOW64\Cpcpjbah.exeC:\Windows\system32\Cpcpjbah.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2764 -
C:\Windows\SysWOW64\Cfoellgb.exeC:\Windows\system32\Cfoellgb.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2724 -
C:\Windows\SysWOW64\Dlnjjc32.exeC:\Windows\system32\Dlnjjc32.exe5⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2780 -
C:\Windows\SysWOW64\Doapanne.exeC:\Windows\system32\Doapanne.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2860 -
C:\Windows\SysWOW64\Dmgmbj32.exeC:\Windows\system32\Dmgmbj32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2692 -
C:\Windows\SysWOW64\Dadehh32.exeC:\Windows\system32\Dadehh32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2412 -
C:\Windows\SysWOW64\Elqcnfdp.exeC:\Windows\system32\Elqcnfdp.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:552 -
C:\Windows\SysWOW64\Eabeal32.exeC:\Windows\system32\Eabeal32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2476 -
C:\Windows\SysWOW64\Fepnhjdh.exeC:\Windows\system32\Fepnhjdh.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:968 -
C:\Windows\SysWOW64\Fdggofgn.exeC:\Windows\system32\Fdggofgn.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2116 -
C:\Windows\SysWOW64\Fghppa32.exeC:\Windows\system32\Fghppa32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2096 -
C:\Windows\SysWOW64\Gcankb32.exeC:\Windows\system32\Gcankb32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2404 -
C:\Windows\SysWOW64\Gbfklolh.exeC:\Windows\system32\Gbfklolh.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2228 -
C:\Windows\SysWOW64\Gbkdgn32.exeC:\Windows\system32\Gbkdgn32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2808 -
C:\Windows\SysWOW64\Helmiiec.exeC:\Windows\system32\Helmiiec.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1740 -
C:\Windows\SysWOW64\Hcfceeff.exeC:\Windows\system32\Hcfceeff.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1636 -
C:\Windows\SysWOW64\Imqdcjkd.exeC:\Windows\system32\Imqdcjkd.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1724 -
C:\Windows\SysWOW64\Ifkfap32.exeC:\Windows\system32\Ifkfap32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1036 -
C:\Windows\SysWOW64\Iijbnkne.exeC:\Windows\system32\Iijbnkne.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1536 -
C:\Windows\SysWOW64\Iljkofkg.exeC:\Windows\system32\Iljkofkg.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2352 -
C:\Windows\SysWOW64\Iaipmm32.exeC:\Windows\system32\Iaipmm32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:800 -
C:\Windows\SysWOW64\Jhfepfme.exeC:\Windows\system32\Jhfepfme.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1716 -
C:\Windows\SysWOW64\Jmbnhm32.exeC:\Windows\system32\Jmbnhm32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2432 -
C:\Windows\SysWOW64\Jdobjgqg.exeC:\Windows\system32\Jdobjgqg.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2216 -
C:\Windows\SysWOW64\Kiqdmm32.exeC:\Windows\system32\Kiqdmm32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2772 -
C:\Windows\SysWOW64\Kopikdgn.exeC:\Windows\system32\Kopikdgn.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1700 -
C:\Windows\SysWOW64\Kdlbckee.exeC:\Windows\system32\Kdlbckee.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2936 -
C:\Windows\SysWOW64\Kdakoj32.exeC:\Windows\system32\Kdakoj32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2624 -
C:\Windows\SysWOW64\Ldchdjom.exeC:\Windows\system32\Ldchdjom.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2640 -
C:\Windows\SysWOW64\Lfedlb32.exeC:\Windows\system32\Lfedlb32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2600 -
C:\Windows\SysWOW64\Lbnbfb32.exeC:\Windows\system32\Lbnbfb32.exe33⤵
- Executes dropped EXE
PID:1344 -
C:\Windows\SysWOW64\Lflklaoc.exeC:\Windows\system32\Lflklaoc.exe34⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:3040 -
C:\Windows\SysWOW64\Mbbkabdh.exeC:\Windows\system32\Mbbkabdh.exe35⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2720 -
C:\Windows\SysWOW64\Mkkpjg32.exeC:\Windows\system32\Mkkpjg32.exe36⤵
- Executes dropped EXE
PID:2608 -
C:\Windows\SysWOW64\Mdcdcmai.exeC:\Windows\system32\Mdcdcmai.exe37⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:684 -
C:\Windows\SysWOW64\Mnlilb32.exeC:\Windows\system32\Mnlilb32.exe38⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1304 -
C:\Windows\SysWOW64\Mkpieggc.exeC:\Windows\system32\Mkpieggc.exe39⤵
- Executes dropped EXE
- Modifies registry class
PID:1816 -
C:\Windows\SysWOW64\Mdhnnl32.exeC:\Windows\system32\Mdhnnl32.exe40⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1408 -
C:\Windows\SysWOW64\Mjeffc32.exeC:\Windows\system32\Mjeffc32.exe41⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1844 -
C:\Windows\SysWOW64\Mcmkoi32.exeC:\Windows\system32\Mcmkoi32.exe42⤵
- Executes dropped EXE
PID:1808 -
C:\Windows\SysWOW64\Nmeohnil.exeC:\Windows\system32\Nmeohnil.exe43⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2960 -
C:\Windows\SysWOW64\Nilpmo32.exeC:\Windows\system32\Nilpmo32.exe44⤵
- Executes dropped EXE
PID:1348 -
C:\Windows\SysWOW64\Ncbdjhnf.exeC:\Windows\system32\Ncbdjhnf.exe45⤵
- Executes dropped EXE
PID:3024 -
C:\Windows\SysWOW64\Nmjicn32.exeC:\Windows\system32\Nmjicn32.exe46⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:916 -
C:\Windows\SysWOW64\Niaihojk.exeC:\Windows\system32\Niaihojk.exe47⤵
- Executes dropped EXE
PID:2700 -
C:\Windows\SysWOW64\Nalnmahf.exeC:\Windows\system32\Nalnmahf.exe48⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:592 -
C:\Windows\SysWOW64\Nnpofe32.exeC:\Windows\system32\Nnpofe32.exe49⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1760 -
C:\Windows\SysWOW64\Ohhcokmp.exeC:\Windows\system32\Ohhcokmp.exe50⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2264 -
C:\Windows\SysWOW64\Oaaghp32.exeC:\Windows\system32\Oaaghp32.exe51⤵
- Executes dropped EXE
PID:2872 -
C:\Windows\SysWOW64\Omhhma32.exeC:\Windows\system32\Omhhma32.exe52⤵
- Executes dropped EXE
PID:1684 -
C:\Windows\SysWOW64\Ohmljj32.exeC:\Windows\system32\Ohmljj32.exe53⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2920 -
C:\Windows\SysWOW64\Obgmjh32.exeC:\Windows\system32\Obgmjh32.exe54⤵
- Executes dropped EXE
PID:2756 -
C:\Windows\SysWOW64\Opkndldc.exeC:\Windows\system32\Opkndldc.exe55⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2168 -
C:\Windows\SysWOW64\Ppmkilbp.exeC:\Windows\system32\Ppmkilbp.exe56⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2572 -
C:\Windows\SysWOW64\Pldknmhd.exeC:\Windows\system32\Pldknmhd.exe57⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3064 -
C:\Windows\SysWOW64\Pkihpi32.exeC:\Windows\system32\Pkihpi32.exe58⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2592 -
C:\Windows\SysWOW64\Pdamhocm.exeC:\Windows\system32\Pdamhocm.exe59⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3048 -
C:\Windows\SysWOW64\Paemac32.exeC:\Windows\system32\Paemac32.exe60⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1800 -
C:\Windows\SysWOW64\Poinkg32.exeC:\Windows\system32\Poinkg32.exe61⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1600 -
C:\Windows\SysWOW64\Phabdmgq.exeC:\Windows\system32\Phabdmgq.exe62⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:1588 -
C:\Windows\SysWOW64\Qckcdj32.exeC:\Windows\system32\Qckcdj32.exe63⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:108 -
C:\Windows\SysWOW64\Acnpjj32.exeC:\Windows\system32\Acnpjj32.exe64⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2064 -
C:\Windows\SysWOW64\Aodqok32.exeC:\Windows\system32\Aodqok32.exe65⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1356 -
C:\Windows\SysWOW64\Ajjeld32.exeC:\Windows\system32\Ajjeld32.exe66⤵
- Executes dropped EXE
PID:1720 -
C:\Windows\SysWOW64\Acbieing.exeC:\Windows\system32\Acbieing.exe67⤵PID:960
-
C:\Windows\SysWOW64\Adfbbabc.exeC:\Windows\system32\Adfbbabc.exe68⤵
- Drops file in System32 directory
PID:1424 -
C:\Windows\SysWOW64\Aggkdlod.exeC:\Windows\system32\Aggkdlod.exe69⤵PID:1752
-
C:\Windows\SysWOW64\Bdklnq32.exeC:\Windows\system32\Bdklnq32.exe70⤵PID:2148
-
C:\Windows\SysWOW64\Bkddjkej.exeC:\Windows\system32\Bkddjkej.exe71⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:1548 -
C:\Windows\SysWOW64\Bjjakg32.exeC:\Windows\system32\Bjjakg32.exe72⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2824 -
C:\Windows\SysWOW64\Bgnaekil.exeC:\Windows\system32\Bgnaekil.exe73⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:2784 -
C:\Windows\SysWOW64\Boifinfg.exeC:\Windows\system32\Boifinfg.exe74⤵
- System Location Discovery: System Language Discovery
PID:2732 -
C:\Windows\SysWOW64\Bjnjfffm.exeC:\Windows\system32\Bjnjfffm.exe75⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1824 -
C:\Windows\SysWOW64\Bokcom32.exeC:\Windows\system32\Bokcom32.exe76⤵
- Drops file in System32 directory
- Modifies registry class
PID:2464 -
C:\Windows\SysWOW64\Cgkanomj.exeC:\Windows\system32\Cgkanomj.exe77⤵
- Modifies registry class
PID:1308 -
C:\Windows\SysWOW64\Cgmndokg.exeC:\Windows\system32\Cgmndokg.exe78⤵
- System Location Discovery: System Language Discovery
PID:2668 -
C:\Windows\SysWOW64\Cnjbfhqa.exeC:\Windows\system32\Cnjbfhqa.exe79⤵PID:1932
-
C:\Windows\SysWOW64\Djqcki32.exeC:\Windows\system32\Djqcki32.exe80⤵PID:2988
-
C:\Windows\SysWOW64\Dcihdo32.exeC:\Windows\system32\Dcihdo32.exe81⤵
- Drops file in System32 directory
- Modifies registry class
PID:1820 -
C:\Windows\SysWOW64\Dmalmdcg.exeC:\Windows\system32\Dmalmdcg.exe82⤵
- System Location Discovery: System Language Discovery
PID:1708 -
C:\Windows\SysWOW64\Dihmae32.exeC:\Windows\system32\Dihmae32.exe83⤵
- Modifies registry class
PID:1668 -
C:\Windows\SysWOW64\Dijjgegh.exeC:\Windows\system32\Dijjgegh.exe84⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:580 -
C:\Windows\SysWOW64\Dfnjqifb.exeC:\Windows\system32\Dfnjqifb.exe85⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1020 -
C:\Windows\SysWOW64\Eiocbd32.exeC:\Windows\system32\Eiocbd32.exe86⤵
- System Location Discovery: System Language Discovery
PID:1336 -
C:\Windows\SysWOW64\Eolljk32.exeC:\Windows\system32\Eolljk32.exe87⤵
- Modifies registry class
PID:2900 -
C:\Windows\SysWOW64\Edidcb32.exeC:\Windows\system32\Edidcb32.exe88⤵
- Drops file in System32 directory
PID:604 -
C:\Windows\SysWOW64\Ekblplgo.exeC:\Windows\system32\Ekblplgo.exe89⤵PID:2184
-
C:\Windows\SysWOW64\Ehgmiq32.exeC:\Windows\system32\Ehgmiq32.exe90⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2736 -
C:\Windows\SysWOW64\Emceag32.exeC:\Windows\system32\Emceag32.exe91⤵PID:2644
-
C:\Windows\SysWOW64\Eaangfjf.exeC:\Windows\system32\Eaangfjf.exe92⤵PID:2916
-
C:\Windows\SysWOW64\Fmholgpj.exeC:\Windows\system32\Fmholgpj.exe93⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:2340 -
C:\Windows\SysWOW64\Fcegdnna.exeC:\Windows\system32\Fcegdnna.exe94⤵PID:1324
-
C:\Windows\SysWOW64\Fiopah32.exeC:\Windows\system32\Fiopah32.exe95⤵PID:2176
-
C:\Windows\SysWOW64\Fgcpkldh.exeC:\Windows\system32\Fgcpkldh.exe96⤵PID:2532
-
C:\Windows\SysWOW64\Ficilgai.exeC:\Windows\system32\Ficilgai.exe97⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2080 -
C:\Windows\SysWOW64\Foqadnpq.exeC:\Windows\system32\Foqadnpq.exe98⤵PID:876
-
C:\Windows\SysWOW64\Fhifmcfa.exeC:\Windows\system32\Fhifmcfa.exe99⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2972 -
C:\Windows\SysWOW64\Goekpm32.exeC:\Windows\system32\Goekpm32.exe100⤵PID:524
-
C:\Windows\SysWOW64\Gklkdn32.exeC:\Windows\system32\Gklkdn32.exe101⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:544 -
C:\Windows\SysWOW64\Gddpndhp.exeC:\Windows\system32\Gddpndhp.exe102⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1276 -
C:\Windows\SysWOW64\Glpdbfek.exeC:\Windows\system32\Glpdbfek.exe103⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2324 -
C:\Windows\SysWOW64\Gjcekj32.exeC:\Windows\system32\Gjcekj32.exe104⤵
- System Location Discovery: System Language Discovery
PID:2712 -
C:\Windows\SysWOW64\Gcljdpke.exeC:\Windows\system32\Gcljdpke.exe105⤵PID:2880
-
C:\Windows\SysWOW64\Hbafel32.exeC:\Windows\system32\Hbafel32.exe106⤵PID:2672
-
C:\Windows\SysWOW64\Hmfkbeoc.exeC:\Windows\system32\Hmfkbeoc.exe107⤵PID:2420
-
C:\Windows\SysWOW64\Hogddpld.exeC:\Windows\system32\Hogddpld.exe108⤵PID:2104
-
C:\Windows\SysWOW64\Hiphmf32.exeC:\Windows\system32\Hiphmf32.exe109⤵PID:2512
-
C:\Windows\SysWOW64\Hibebeqb.exeC:\Windows\system32\Hibebeqb.exe110⤵PID:1776
-
C:\Windows\SysWOW64\Hjcajn32.exeC:\Windows\system32\Hjcajn32.exe111⤵PID:2260
-
C:\Windows\SysWOW64\Ikbndqnc.exeC:\Windows\system32\Ikbndqnc.exe112⤵
- Modifies registry class
PID:636 -
C:\Windows\SysWOW64\Iekbmfdc.exeC:\Windows\system32\Iekbmfdc.exe113⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:928 -
C:\Windows\SysWOW64\Imfgahao.exeC:\Windows\system32\Imfgahao.exe114⤵
- Drops file in System32 directory
PID:972 -
C:\Windows\SysWOW64\Ifoljn32.exeC:\Windows\system32\Ifoljn32.exe115⤵
- Modifies registry class
PID:1104 -
C:\Windows\SysWOW64\Ifahpnfl.exeC:\Windows\system32\Ifahpnfl.exe116⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:1584 -
C:\Windows\SysWOW64\Imkqmh32.exeC:\Windows\system32\Imkqmh32.exe117⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:528 -
C:\Windows\SysWOW64\Iceiibef.exeC:\Windows\system32\Iceiibef.exe118⤵
- System Location Discovery: System Language Discovery
PID:3060 -
C:\Windows\SysWOW64\Jiaaaicm.exeC:\Windows\system32\Jiaaaicm.exe119⤵
- System Location Discovery: System Language Discovery
PID:2436 -
C:\Windows\SysWOW64\Jplinckj.exeC:\Windows\system32\Jplinckj.exe120⤵PID:2944
-
C:\Windows\SysWOW64\Jpnfdbig.exeC:\Windows\system32\Jpnfdbig.exe121⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2996
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-