Analysis
-
max time kernel
38s -
max time network
16s -
platform
windows7_x64 -
resource
win7-20240705-en -
resource tags
arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system -
submitted
19-08-2024 12:32
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
67335e3230c5e651d22ffe07e1130ae0N.exe
Resource
win7-20240705-en
windows7-x64
8 signatures
120 seconds
Behavioral task
behavioral2
Sample
67335e3230c5e651d22ffe07e1130ae0N.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
7 signatures
120 seconds
General
-
Target
67335e3230c5e651d22ffe07e1130ae0N.exe
-
Size
160KB
-
MD5
67335e3230c5e651d22ffe07e1130ae0
-
SHA1
e5da6cc88763084709b5b352b3a43dfc39786b91
-
SHA256
c104d3885f5714744be82e95ed0d9db62aafa82d6024f94fdb5382e671845327
-
SHA512
93f87f804a84d941dc4d3da8587599d447a1d062eaf4e1aa5ec736ae54dec905ffc9abd2ce15da602794ab724dcc4fe333b134c3e47c91f84500ffeafabb3da6
-
SSDEEP
3072:qtgBli821VMJCvS5DSCopsIm81+jq2832dp5Xp+7+10K03Rq/gho:qaBli8IMovSZSCZj81+jq4peBK034Y+
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Okciddnh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dfaachpa.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ggabhmge.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gqenfc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kpecad32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ihhehoci.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lcooinfc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Poqniegj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Khgnff32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jngfei32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kpgpfdoj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lkhfhaea.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Acncngpl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bglhcihn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iiiapg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Japfphle.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cfcajekc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fmnoapba.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Genmab32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hchcmnlj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Khgnff32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gglimm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gjmbohhl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Imenpfap.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Chldbl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dghgdg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jgbkdkdk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jdoblckh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qqiqam32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aogqihcm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bbhikcpn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Amidmldj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gbmdpg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hhobbqkc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dadikaaj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dcohih32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ffbjpfmg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ihehbpel.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Omaepoml.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ajcbpbkn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bjfkde32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ajfoea32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hleegpgb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dlepmnhq.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Joomnm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Janijh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hinolcbf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Idjlbqmb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Imenpfap.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ppkahi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Amidmldj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kgfannba.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ffomjgoj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ggjmhn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gbpaef32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gnfajgbg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Joomnm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ainhln32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Beibln32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Chldbl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kkkgnmqb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kjbqei32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ibdcnm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jkhjin32.exe -
Executes dropped EXE 64 IoCs
pid Process 3040 Okciddnh.exe 2308 Omaepoml.exe 2716 Okefjcle.exe 3056 Oaonfncb.exe 2804 Okhboc32.exe 2612 Oaaklmao.exe 2640 Occgce32.exe 2268 Okjoec32.exe 2124 Ocedieek.exe 2908 Oecpeqdo.exe 2872 Ppidbidd.exe 2920 Pgcmoc32.exe 2984 Phdiglap.exe 1732 Ppkahi32.exe 2760 Pjdeaohb.exe 1276 Plbbmjhf.exe 2104 Poqniegj.exe 3012 Pdnfalea.exe 1692 Pkgonf32.exe 1480 Pockoeeg.exe 704 Pdpcgl32.exe 1736 Pkjkdfjk.exe 760 Pnhhpaio.exe 1484 Pqfdlmic.exe 1460 Qklhifhi.exe 2240 Qqiqam32.exe 2676 Qgcingnm.exe 2692 Aqkmgl32.exe 2728 Ageedflj.exe 2740 Ajcbpbkn.exe 2580 Aggbif32.exe 952 Ajfoea32.exe 2388 Acncngpl.exe 2440 Afmokbop.exe 2628 Ajhkka32.exe 2744 Aoedch32.exe 984 Ainhln32.exe 956 Amidmldj.exe 1368 Aogqihcm.exe 2036 Afaieb32.exe 2352 Bojmogak.exe 3020 Bbhikcpn.exe 2132 Bkqnchgo.exe 1700 Bnojpdfb.exe 2152 Bbkfpb32.exe 1528 Beibln32.exe 2224 Bggohi32.exe 1056 Bjfkde32.exe 2712 Bnagecdp.exe 3064 Bapcaocc.exe 2116 Bcnomjbg.exe 2584 Bjhgjdjd.exe 2864 Bmfdfpih.exe 2432 Babpgo32.exe 836 Bglhcihn.exe 1640 Bfohoe32.exe 1184 Bjjdpdga.exe 2456 Bmiqlpge.exe 2212 Bccihj32.exe 1996 Cbfidfem.exe 2184 Cipaqqli.exe 936 Clnmmlkm.exe 472 Cbhejf32.exe 1776 Cfcajekc.exe -
Loads dropped DLL 64 IoCs
pid Process 2260 67335e3230c5e651d22ffe07e1130ae0N.exe 2260 67335e3230c5e651d22ffe07e1130ae0N.exe 3040 Okciddnh.exe 3040 Okciddnh.exe 2308 Omaepoml.exe 2308 Omaepoml.exe 2716 Okefjcle.exe 2716 Okefjcle.exe 3056 Oaonfncb.exe 3056 Oaonfncb.exe 2804 Okhboc32.exe 2804 Okhboc32.exe 2612 Oaaklmao.exe 2612 Oaaklmao.exe 2640 Occgce32.exe 2640 Occgce32.exe 2268 Okjoec32.exe 2268 Okjoec32.exe 2124 Ocedieek.exe 2124 Ocedieek.exe 2908 Oecpeqdo.exe 2908 Oecpeqdo.exe 2872 Ppidbidd.exe 2872 Ppidbidd.exe 2920 Pgcmoc32.exe 2920 Pgcmoc32.exe 2984 Phdiglap.exe 2984 Phdiglap.exe 1732 Ppkahi32.exe 1732 Ppkahi32.exe 2760 Pjdeaohb.exe 2760 Pjdeaohb.exe 1276 Plbbmjhf.exe 1276 Plbbmjhf.exe 2104 Poqniegj.exe 2104 Poqniegj.exe 3012 Pdnfalea.exe 3012 Pdnfalea.exe 1692 Pkgonf32.exe 1692 Pkgonf32.exe 1480 Pockoeeg.exe 1480 Pockoeeg.exe 704 Pdpcgl32.exe 704 Pdpcgl32.exe 1736 Pkjkdfjk.exe 1736 Pkjkdfjk.exe 760 Pnhhpaio.exe 760 Pnhhpaio.exe 1484 Pqfdlmic.exe 1484 Pqfdlmic.exe 1460 Qklhifhi.exe 1460 Qklhifhi.exe 2240 Qqiqam32.exe 2240 Qqiqam32.exe 2676 Qgcingnm.exe 2676 Qgcingnm.exe 2692 Aqkmgl32.exe 2692 Aqkmgl32.exe 2728 Ageedflj.exe 2728 Ageedflj.exe 2740 Ajcbpbkn.exe 2740 Ajcbpbkn.exe 2580 Aggbif32.exe 2580 Aggbif32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Dhgehheg.dll Giiibqdp.exe File opened for modification C:\Windows\SysWOW64\Jngfei32.exe Jkhjin32.exe File created C:\Windows\SysWOW64\Cbacjdbg.dll Pkgonf32.exe File created C:\Windows\SysWOW64\Hppekf32.dll Cidklp32.exe File created C:\Windows\SysWOW64\Didgkc32.exe Dkafofde.exe File created C:\Windows\SysWOW64\Bbiangbo.dll Eemded32.exe File created C:\Windows\SysWOW64\Ffoehg32.dll Ipqmgbbf.exe File created C:\Windows\SysWOW64\Idofmp32.exe Ipcjlaqd.exe File opened for modification C:\Windows\SysWOW64\Pdpcgl32.exe Pockoeeg.exe File created C:\Windows\SysWOW64\Icpijl32.dll Bmiqlpge.exe File opened for modification C:\Windows\SysWOW64\Enblpe32.exe Ejfpofkh.exe File created C:\Windows\SysWOW64\Bccihj32.exe Bmiqlpge.exe File opened for modification C:\Windows\SysWOW64\Gepjgaid.exe Gqenfc32.exe File opened for modification C:\Windows\SysWOW64\Gnkkeg32.exe Gjpodhfi.exe File opened for modification C:\Windows\SysWOW64\Hgconl32.exe Hchcmnlj.exe File created C:\Windows\SysWOW64\Hepffelp.exe Hbajjiml.exe File opened for modification C:\Windows\SysWOW64\Knlpphnd.exe Kjpdoj32.exe File created C:\Windows\SysWOW64\Opgqdo32.dll Aqkmgl32.exe File opened for modification C:\Windows\SysWOW64\Aogqihcm.exe Amidmldj.exe File created C:\Windows\SysWOW64\Bmiqlpge.exe Bjjdpdga.exe File opened for modification C:\Windows\SysWOW64\Fpphlp32.exe Enblpe32.exe File opened for modification C:\Windows\SysWOW64\Gmlokdgp.exe Gjmbohhl.exe File created C:\Windows\SysWOW64\Ddjkhl32.exe Dpnogmbl.exe File created C:\Windows\SysWOW64\Lboeoagk.dll Hcjpcmjg.exe File created C:\Windows\SysWOW64\Lcnojqdi.dll Knlpphnd.exe File created C:\Windows\SysWOW64\Kbpbokop.exe Koafcppm.exe File created C:\Windows\SysWOW64\Afmokbop.exe Acncngpl.exe File opened for modification C:\Windows\SysWOW64\Ajhkka32.exe Afmokbop.exe File opened for modification C:\Windows\SysWOW64\Hpaaho32.exe Hleegpgb.exe File opened for modification C:\Windows\SysWOW64\Ifhinl32.exe Ihehbpel.exe File created C:\Windows\SysWOW64\Bmfdfpih.exe Bjhgjdjd.exe File opened for modification C:\Windows\SysWOW64\Clqjblij.exe Cefbfa32.exe File created C:\Windows\SysWOW64\Cablfb32.exe Cocpjf32.exe File opened for modification C:\Windows\SysWOW64\Elgmbnfn.exe Eemded32.exe File created C:\Windows\SysWOW64\Gjpodhfi.exe Ggabhmge.exe File created C:\Windows\SysWOW64\Hinolcbf.exe Hebckd32.exe File created C:\Windows\SysWOW64\Mmgiqkpb.dll Gndedhdj.exe File opened for modification C:\Windows\SysWOW64\Jckiolgm.exe Joomnm32.exe File opened for modification C:\Windows\SysWOW64\Ekacnjfp.exe Ehbgbngm.exe File created C:\Windows\SysWOW64\Hbajjiml.exe Hnfnik32.exe File created C:\Windows\SysWOW64\Jdlefd32.exe Janijh32.exe File created C:\Windows\SysWOW64\Agbledno.dll Qgcingnm.exe File created C:\Windows\SysWOW64\Cipaqqli.exe Cbfidfem.exe File opened for modification C:\Windows\SysWOW64\Clcghk32.exe Cidklp32.exe File created C:\Windows\SysWOW64\Mncdbqde.dll Cocpjf32.exe File created C:\Windows\SysWOW64\Pmnfmdnb.dll Hmeaaboe.exe File created C:\Windows\SysWOW64\Fkaomm32.exe Fmnoapba.exe File created C:\Windows\SysWOW64\Nlhaqbbc.dll Bnagecdp.exe File created C:\Windows\SysWOW64\Edenlp32.exe Eafapd32.exe File opened for modification C:\Windows\SysWOW64\Fhpflblk.exe Ffbjpfmg.exe File created C:\Windows\SysWOW64\Okhboc32.exe Oaonfncb.exe File opened for modification C:\Windows\SysWOW64\Phdiglap.exe Pgcmoc32.exe File opened for modification C:\Windows\SysWOW64\Pkjkdfjk.exe Pdpcgl32.exe File created C:\Windows\SysWOW64\Dkmmdg32.exe Dfaachpa.exe File opened for modification C:\Windows\SysWOW64\Ehbgbngm.exe Edgkap32.exe File created C:\Windows\SysWOW64\Fojnhlch.exe Fmlblq32.exe File opened for modification C:\Windows\SysWOW64\Ihehbpel.exe Idjlbqmb.exe File created C:\Windows\SysWOW64\Ppidbidd.exe Oecpeqdo.exe File created C:\Windows\SysWOW64\Phdiglap.exe Pgcmoc32.exe File created C:\Windows\SysWOW64\Knlpef32.dll Bccihj32.exe File opened for modification C:\Windows\SysWOW64\Fgmmnj32.exe Fdnabo32.exe File opened for modification C:\Windows\SysWOW64\Kpoegc32.exe Khgnff32.exe File created C:\Windows\SysWOW64\Filfpd32.dll Omaepoml.exe File created C:\Windows\SysWOW64\Ppkahi32.exe Phdiglap.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 3332 3188 WerFault.exe 302 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Coacdg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ddbegmqm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dkmmdg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fpphlp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jckiolgm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qqiqam32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ddgnbl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ckjqog32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eojbii32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fkaomm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fdicfbpl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jhchlcjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ainhln32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Doclijgd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Enblpe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fbhkdgbk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Idofmp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Afaieb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Doflofbf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ddjkhl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gaigab32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oecpeqdo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ggjmhn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gbpaef32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gqenfc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gjpodhfi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hidledja.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hhaogp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kjbqei32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bbhikcpn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eafapd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gceghn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Clnmmlkm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fffckf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ipcjlaqd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bmiqlpge.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Beibln32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ocedieek.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fliefa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kpjlldmg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Llefld32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Flgiaa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gmqlgppo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gigllafc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jinkkgeb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cbfidfem.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Japfphle.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Clqjblij.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dmpckbci.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dghgdg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hchcmnlj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hinolcbf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Idjlbqmb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cbhejf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aogqihcm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ianmke32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kdaoacif.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kpgpfdoj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pockoeeg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cablfb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ifkecl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Janijh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cfcajekc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ddeammok.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bakhhhfi.dll" Jndjoi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Oaaklmao.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Omahjkbe.dll" Dkafofde.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Memghn32.dll" Gnkkeg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iecmji32.dll" Hbomdjoo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Idjlbqmb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ipcjlaqd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Knlpef32.dll" Bccihj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jlaqba32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node 67335e3230c5e651d22ffe07e1130ae0N.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ajhkka32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibghnjnm.dll" Ddgnbl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fmlblq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jinkkgeb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jabhmpjh.dll" Ckjqog32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eafapd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jckiolgm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kpjlldmg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bmiqlpge.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Clecnk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ehbgbngm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fohacl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aebfof32.dll" Idofmp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dibjec32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Imenpfap.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kdckgc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jpneniod.dll" Acncngpl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Enblpe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ijocej32.dll" Jdlefd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hkddne32.dll" Oaonfncb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dibjec32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dobmdbeg.dll" Enpoje32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbjapi32.dll" Fhpflblk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gqenfc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hppjland.dll" Gepjgaid.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bbkfpb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jdoblckh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fkockb32.dll" Jmigke32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cbhejf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cbjbof32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kgddin32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Llefld32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Caapeidl.dll" Doclijgd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cffnpdip.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qdmcqp32.dll" Ggjmhn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Imenpfap.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohkmdami.dll" Jinkkgeb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mpmqkp32.dll" Qqiqam32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ajhkka32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Amidmldj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lnoagg32.dll" Ibdcnm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Anegij32.dll" Iaicpepa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekhnoc32.dll" Llefld32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Omaepoml.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ppidbidd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pdnfalea.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bkqnchgo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cmadfapb.dll" Fkaomm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gdlplb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ocedieek.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pdpcgl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Epcdai32.dll" Jdoblckh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Klqmaebl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mncdbqde.dll" Cocpjf32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2260 wrote to memory of 3040 2260 67335e3230c5e651d22ffe07e1130ae0N.exe 29 PID 2260 wrote to memory of 3040 2260 67335e3230c5e651d22ffe07e1130ae0N.exe 29 PID 2260 wrote to memory of 3040 2260 67335e3230c5e651d22ffe07e1130ae0N.exe 29 PID 2260 wrote to memory of 3040 2260 67335e3230c5e651d22ffe07e1130ae0N.exe 29 PID 3040 wrote to memory of 2308 3040 Okciddnh.exe 30 PID 3040 wrote to memory of 2308 3040 Okciddnh.exe 30 PID 3040 wrote to memory of 2308 3040 Okciddnh.exe 30 PID 3040 wrote to memory of 2308 3040 Okciddnh.exe 30 PID 2308 wrote to memory of 2716 2308 Omaepoml.exe 31 PID 2308 wrote to memory of 2716 2308 Omaepoml.exe 31 PID 2308 wrote to memory of 2716 2308 Omaepoml.exe 31 PID 2308 wrote to memory of 2716 2308 Omaepoml.exe 31 PID 2716 wrote to memory of 3056 2716 Okefjcle.exe 32 PID 2716 wrote to memory of 3056 2716 Okefjcle.exe 32 PID 2716 wrote to memory of 3056 2716 Okefjcle.exe 32 PID 2716 wrote to memory of 3056 2716 Okefjcle.exe 32 PID 3056 wrote to memory of 2804 3056 Oaonfncb.exe 33 PID 3056 wrote to memory of 2804 3056 Oaonfncb.exe 33 PID 3056 wrote to memory of 2804 3056 Oaonfncb.exe 33 PID 3056 wrote to memory of 2804 3056 Oaonfncb.exe 33 PID 2804 wrote to memory of 2612 2804 Okhboc32.exe 34 PID 2804 wrote to memory of 2612 2804 Okhboc32.exe 34 PID 2804 wrote to memory of 2612 2804 Okhboc32.exe 34 PID 2804 wrote to memory of 2612 2804 Okhboc32.exe 34 PID 2612 wrote to memory of 2640 2612 Oaaklmao.exe 35 PID 2612 wrote to memory of 2640 2612 Oaaklmao.exe 35 PID 2612 wrote to memory of 2640 2612 Oaaklmao.exe 35 PID 2612 wrote to memory of 2640 2612 Oaaklmao.exe 35 PID 2640 wrote to memory of 2268 2640 Occgce32.exe 36 PID 2640 wrote to memory of 2268 2640 Occgce32.exe 36 PID 2640 wrote to memory of 2268 2640 Occgce32.exe 36 PID 2640 wrote to memory of 2268 2640 Occgce32.exe 36 PID 2268 wrote to memory of 2124 2268 Okjoec32.exe 37 PID 2268 wrote to memory of 2124 2268 Okjoec32.exe 37 PID 2268 wrote to memory of 2124 2268 Okjoec32.exe 37 PID 2268 wrote to memory of 2124 2268 Okjoec32.exe 37 PID 2124 wrote to memory of 2908 2124 Ocedieek.exe 38 PID 2124 wrote to memory of 2908 2124 Ocedieek.exe 38 PID 2124 wrote to memory of 2908 2124 Ocedieek.exe 38 PID 2124 wrote to memory of 2908 2124 Ocedieek.exe 38 PID 2908 wrote to memory of 2872 2908 Oecpeqdo.exe 39 PID 2908 wrote to memory of 2872 2908 Oecpeqdo.exe 39 PID 2908 wrote to memory of 2872 2908 Oecpeqdo.exe 39 PID 2908 wrote to memory of 2872 2908 Oecpeqdo.exe 39 PID 2872 wrote to memory of 2920 2872 Ppidbidd.exe 40 PID 2872 wrote to memory of 2920 2872 Ppidbidd.exe 40 PID 2872 wrote to memory of 2920 2872 Ppidbidd.exe 40 PID 2872 wrote to memory of 2920 2872 Ppidbidd.exe 40 PID 2920 wrote to memory of 2984 2920 Pgcmoc32.exe 41 PID 2920 wrote to memory of 2984 2920 Pgcmoc32.exe 41 PID 2920 wrote to memory of 2984 2920 Pgcmoc32.exe 41 PID 2920 wrote to memory of 2984 2920 Pgcmoc32.exe 41 PID 2984 wrote to memory of 1732 2984 Phdiglap.exe 42 PID 2984 wrote to memory of 1732 2984 Phdiglap.exe 42 PID 2984 wrote to memory of 1732 2984 Phdiglap.exe 42 PID 2984 wrote to memory of 1732 2984 Phdiglap.exe 42 PID 1732 wrote to memory of 2760 1732 Ppkahi32.exe 43 PID 1732 wrote to memory of 2760 1732 Ppkahi32.exe 43 PID 1732 wrote to memory of 2760 1732 Ppkahi32.exe 43 PID 1732 wrote to memory of 2760 1732 Ppkahi32.exe 43 PID 2760 wrote to memory of 1276 2760 Pjdeaohb.exe 44 PID 2760 wrote to memory of 1276 2760 Pjdeaohb.exe 44 PID 2760 wrote to memory of 1276 2760 Pjdeaohb.exe 44 PID 2760 wrote to memory of 1276 2760 Pjdeaohb.exe 44
Processes
-
C:\Users\Admin\AppData\Local\Temp\67335e3230c5e651d22ffe07e1130ae0N.exe"C:\Users\Admin\AppData\Local\Temp\67335e3230c5e651d22ffe07e1130ae0N.exe"1⤵
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2260 -
C:\Windows\SysWOW64\Okciddnh.exeC:\Windows\system32\Okciddnh.exe2⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3040 -
C:\Windows\SysWOW64\Omaepoml.exeC:\Windows\system32\Omaepoml.exe3⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2308 -
C:\Windows\SysWOW64\Okefjcle.exeC:\Windows\system32\Okefjcle.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2716 -
C:\Windows\SysWOW64\Oaonfncb.exeC:\Windows\system32\Oaonfncb.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3056 -
C:\Windows\SysWOW64\Okhboc32.exeC:\Windows\system32\Okhboc32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2804 -
C:\Windows\SysWOW64\Oaaklmao.exeC:\Windows\system32\Oaaklmao.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2612 -
C:\Windows\SysWOW64\Occgce32.exeC:\Windows\system32\Occgce32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2640 -
C:\Windows\SysWOW64\Okjoec32.exeC:\Windows\system32\Okjoec32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2268 -
C:\Windows\SysWOW64\Ocedieek.exeC:\Windows\system32\Ocedieek.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2124 -
C:\Windows\SysWOW64\Oecpeqdo.exeC:\Windows\system32\Oecpeqdo.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2908 -
C:\Windows\SysWOW64\Ppidbidd.exeC:\Windows\system32\Ppidbidd.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2872 -
C:\Windows\SysWOW64\Pgcmoc32.exeC:\Windows\system32\Pgcmoc32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2920 -
C:\Windows\SysWOW64\Phdiglap.exeC:\Windows\system32\Phdiglap.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2984 -
C:\Windows\SysWOW64\Ppkahi32.exeC:\Windows\system32\Ppkahi32.exe15⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1732 -
C:\Windows\SysWOW64\Pjdeaohb.exeC:\Windows\system32\Pjdeaohb.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2760 -
C:\Windows\SysWOW64\Plbbmjhf.exeC:\Windows\system32\Plbbmjhf.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1276 -
C:\Windows\SysWOW64\Poqniegj.exeC:\Windows\system32\Poqniegj.exe18⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2104 -
C:\Windows\SysWOW64\Pdnfalea.exeC:\Windows\system32\Pdnfalea.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:3012 -
C:\Windows\SysWOW64\Pkgonf32.exeC:\Windows\system32\Pkgonf32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1692 -
C:\Windows\SysWOW64\Pockoeeg.exeC:\Windows\system32\Pockoeeg.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1480 -
C:\Windows\SysWOW64\Pdpcgl32.exeC:\Windows\system32\Pdpcgl32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:704 -
C:\Windows\SysWOW64\Pkjkdfjk.exeC:\Windows\system32\Pkjkdfjk.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1736 -
C:\Windows\SysWOW64\Pnhhpaio.exeC:\Windows\system32\Pnhhpaio.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:760 -
C:\Windows\SysWOW64\Pqfdlmic.exeC:\Windows\system32\Pqfdlmic.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1484 -
C:\Windows\SysWOW64\Qklhifhi.exeC:\Windows\system32\Qklhifhi.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1460 -
C:\Windows\SysWOW64\Qqiqam32.exeC:\Windows\system32\Qqiqam32.exe27⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2240 -
C:\Windows\SysWOW64\Qgcingnm.exeC:\Windows\system32\Qgcingnm.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2676 -
C:\Windows\SysWOW64\Aqkmgl32.exeC:\Windows\system32\Aqkmgl32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2692 -
C:\Windows\SysWOW64\Ageedflj.exeC:\Windows\system32\Ageedflj.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2728 -
C:\Windows\SysWOW64\Ajcbpbkn.exeC:\Windows\system32\Ajcbpbkn.exe31⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2740 -
C:\Windows\SysWOW64\Aggbif32.exeC:\Windows\system32\Aggbif32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2580 -
C:\Windows\SysWOW64\Ajfoea32.exeC:\Windows\system32\Ajfoea32.exe33⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:952 -
C:\Windows\SysWOW64\Acncngpl.exeC:\Windows\system32\Acncngpl.exe34⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2388 -
C:\Windows\SysWOW64\Afmokbop.exeC:\Windows\system32\Afmokbop.exe35⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2440 -
C:\Windows\SysWOW64\Ajhkka32.exeC:\Windows\system32\Ajhkka32.exe36⤵
- Executes dropped EXE
- Modifies registry class
PID:2628 -
C:\Windows\SysWOW64\Aoedch32.exeC:\Windows\system32\Aoedch32.exe37⤵
- Executes dropped EXE
PID:2744 -
C:\Windows\SysWOW64\Ainhln32.exeC:\Windows\system32\Ainhln32.exe38⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:984 -
C:\Windows\SysWOW64\Amidmldj.exeC:\Windows\system32\Amidmldj.exe39⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:956 -
C:\Windows\SysWOW64\Aogqihcm.exeC:\Windows\system32\Aogqihcm.exe40⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1368 -
C:\Windows\SysWOW64\Afaieb32.exeC:\Windows\system32\Afaieb32.exe41⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2036 -
C:\Windows\SysWOW64\Bojmogak.exeC:\Windows\system32\Bojmogak.exe42⤵
- Executes dropped EXE
PID:2352 -
C:\Windows\SysWOW64\Bbhikcpn.exeC:\Windows\system32\Bbhikcpn.exe43⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3020 -
C:\Windows\SysWOW64\Bkqnchgo.exeC:\Windows\system32\Bkqnchgo.exe44⤵
- Executes dropped EXE
- Modifies registry class
PID:2132 -
C:\Windows\SysWOW64\Bnojpdfb.exeC:\Windows\system32\Bnojpdfb.exe45⤵
- Executes dropped EXE
PID:1700 -
C:\Windows\SysWOW64\Bbkfpb32.exeC:\Windows\system32\Bbkfpb32.exe46⤵
- Executes dropped EXE
- Modifies registry class
PID:2152 -
C:\Windows\SysWOW64\Beibln32.exeC:\Windows\system32\Beibln32.exe47⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1528 -
C:\Windows\SysWOW64\Bggohi32.exeC:\Windows\system32\Bggohi32.exe48⤵
- Executes dropped EXE
PID:2224 -
C:\Windows\SysWOW64\Bjfkde32.exeC:\Windows\system32\Bjfkde32.exe49⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1056 -
C:\Windows\SysWOW64\Bnagecdp.exeC:\Windows\system32\Bnagecdp.exe50⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2712 -
C:\Windows\SysWOW64\Bapcaocc.exeC:\Windows\system32\Bapcaocc.exe51⤵
- Executes dropped EXE
PID:3064 -
C:\Windows\SysWOW64\Bcnomjbg.exeC:\Windows\system32\Bcnomjbg.exe52⤵
- Executes dropped EXE
PID:2116 -
C:\Windows\SysWOW64\Bjhgjdjd.exeC:\Windows\system32\Bjhgjdjd.exe53⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2584 -
C:\Windows\SysWOW64\Bmfdfpih.exeC:\Windows\system32\Bmfdfpih.exe54⤵
- Executes dropped EXE
PID:2864 -
C:\Windows\SysWOW64\Babpgo32.exeC:\Windows\system32\Babpgo32.exe55⤵
- Executes dropped EXE
PID:2432 -
C:\Windows\SysWOW64\Bglhcihn.exeC:\Windows\system32\Bglhcihn.exe56⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:836 -
C:\Windows\SysWOW64\Bfohoe32.exeC:\Windows\system32\Bfohoe32.exe57⤵
- Executes dropped EXE
PID:1640 -
C:\Windows\SysWOW64\Bjjdpdga.exeC:\Windows\system32\Bjjdpdga.exe58⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1184 -
C:\Windows\SysWOW64\Bmiqlpge.exeC:\Windows\system32\Bmiqlpge.exe59⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2456 -
C:\Windows\SysWOW64\Bccihj32.exeC:\Windows\system32\Bccihj32.exe60⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2212 -
C:\Windows\SysWOW64\Cbfidfem.exeC:\Windows\system32\Cbfidfem.exe61⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1996 -
C:\Windows\SysWOW64\Cipaqqli.exeC:\Windows\system32\Cipaqqli.exe62⤵
- Executes dropped EXE
PID:2184 -
C:\Windows\SysWOW64\Clnmmlkm.exeC:\Windows\system32\Clnmmlkm.exe63⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:936 -
C:\Windows\SysWOW64\Cbhejf32.exeC:\Windows\system32\Cbhejf32.exe64⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:472 -
C:\Windows\SysWOW64\Cfcajekc.exeC:\Windows\system32\Cfcajekc.exe65⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1776 -
C:\Windows\SysWOW64\Cefbfa32.exeC:\Windows\system32\Cefbfa32.exe66⤵
- Drops file in System32 directory
PID:1636 -
C:\Windows\SysWOW64\Clqjblij.exeC:\Windows\system32\Clqjblij.exe67⤵
- System Location Discovery: System Language Discovery
PID:1588 -
C:\Windows\SysWOW64\Cbjbof32.exeC:\Windows\system32\Cbjbof32.exe68⤵
- Modifies registry class
PID:2792 -
C:\Windows\SysWOW64\Cffnpdip.exeC:\Windows\system32\Cffnpdip.exe69⤵
- Modifies registry class
PID:2600 -
C:\Windows\SysWOW64\Cidklp32.exeC:\Windows\system32\Cidklp32.exe70⤵
- Drops file in System32 directory
PID:2752 -
C:\Windows\SysWOW64\Clcghk32.exeC:\Windows\system32\Clcghk32.exe71⤵PID:1632
-
C:\Windows\SysWOW64\Coacdg32.exeC:\Windows\system32\Coacdg32.exe72⤵
- System Location Discovery: System Language Discovery
PID:1660 -
C:\Windows\SysWOW64\Cekkaanh.exeC:\Windows\system32\Cekkaanh.exe73⤵PID:556
-
C:\Windows\SysWOW64\Ciggap32.exeC:\Windows\system32\Ciggap32.exe74⤵PID:2888
-
C:\Windows\SysWOW64\Clecnk32.exeC:\Windows\system32\Clecnk32.exe75⤵
- Modifies registry class
PID:2952 -
C:\Windows\SysWOW64\Cocpjf32.exeC:\Windows\system32\Cocpjf32.exe76⤵
- Drops file in System32 directory
- Modifies registry class
PID:2944 -
C:\Windows\SysWOW64\Cablfb32.exeC:\Windows\system32\Cablfb32.exe77⤵
- System Location Discovery: System Language Discovery
PID:2168 -
C:\Windows\SysWOW64\Chldbl32.exeC:\Windows\system32\Chldbl32.exe78⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1152 -
C:\Windows\SysWOW64\Ckjqog32.exeC:\Windows\system32\Ckjqog32.exe79⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2956 -
C:\Windows\SysWOW64\Doflofbf.exeC:\Windows\system32\Doflofbf.exe80⤵
- System Location Discovery: System Language Discovery
PID:2064 -
C:\Windows\SysWOW64\Dadikaaj.exeC:\Windows\system32\Dadikaaj.exe81⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1512 -
C:\Windows\SysWOW64\Ddbegmqm.exeC:\Windows\system32\Ddbegmqm.exe82⤵
- System Location Discovery: System Language Discovery
PID:1524 -
C:\Windows\SysWOW64\Dfaachpa.exeC:\Windows\system32\Dfaachpa.exe83⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:1580 -
C:\Windows\SysWOW64\Dkmmdg32.exeC:\Windows\system32\Dkmmdg32.exe84⤵
- System Location Discovery: System Language Discovery
PID:2836 -
C:\Windows\SysWOW64\Dafeaapg.exeC:\Windows\system32\Dafeaapg.exe85⤵PID:2980
-
C:\Windows\SysWOW64\Ddeammok.exeC:\Windows\system32\Ddeammok.exe86⤵
- System Location Discovery: System Language Discovery
PID:808 -
C:\Windows\SysWOW64\Dgcnihnn.exeC:\Windows\system32\Dgcnihnn.exe87⤵PID:2904
-
C:\Windows\SysWOW64\Dibjec32.exeC:\Windows\system32\Dibjec32.exe88⤵
- Modifies registry class
PID:336 -
C:\Windows\SysWOW64\Daibfa32.exeC:\Windows\system32\Daibfa32.exe89⤵PID:1232
-
C:\Windows\SysWOW64\Ddgnbl32.exeC:\Windows\system32\Ddgnbl32.exe90⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2548 -
C:\Windows\SysWOW64\Dbjonicb.exeC:\Windows\system32\Dbjonicb.exe91⤵PID:2400
-
C:\Windows\SysWOW64\Dkafofde.exeC:\Windows\system32\Dkafofde.exe92⤵
- Drops file in System32 directory
- Modifies registry class
PID:2968 -
C:\Windows\SysWOW64\Didgkc32.exeC:\Windows\system32\Didgkc32.exe93⤵PID:920
-
C:\Windows\SysWOW64\Dmpckbci.exeC:\Windows\system32\Dmpckbci.exe94⤵
- System Location Discovery: System Language Discovery
PID:844 -
C:\Windows\SysWOW64\Dpnogmbl.exeC:\Windows\system32\Dpnogmbl.exe95⤵
- Drops file in System32 directory
PID:2492 -
C:\Windows\SysWOW64\Ddjkhl32.exeC:\Windows\system32\Ddjkhl32.exe96⤵
- System Location Discovery: System Language Discovery
PID:2648 -
C:\Windows\SysWOW64\Dghgdg32.exeC:\Windows\system32\Dghgdg32.exe97⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:2828 -
C:\Windows\SysWOW64\Dekgpdqc.exeC:\Windows\system32\Dekgpdqc.exe98⤵PID:2568
-
C:\Windows\SysWOW64\Difcpc32.exeC:\Windows\system32\Difcpc32.exe99⤵PID:108
-
C:\Windows\SysWOW64\Dlepmnhq.exeC:\Windows\system32\Dlepmnhq.exe100⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1744 -
C:\Windows\SysWOW64\Doclijgd.exeC:\Windows\system32\Doclijgd.exe101⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2848 -
C:\Windows\SysWOW64\Dcohih32.exeC:\Windows\system32\Dcohih32.exe102⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:896 -
C:\Windows\SysWOW64\Eemded32.exeC:\Windows\system32\Eemded32.exe103⤵
- Drops file in System32 directory
PID:3068 -
C:\Windows\SysWOW64\Elgmbnfn.exeC:\Windows\system32\Elgmbnfn.exe104⤵PID:2972
-
C:\Windows\SysWOW64\Eoeiniea.exeC:\Windows\system32\Eoeiniea.exe105⤵PID:2360
-
C:\Windows\SysWOW64\Eadejede.exeC:\Windows\system32\Eadejede.exe106⤵PID:1740
-
C:\Windows\SysWOW64\Eikmkbeg.exeC:\Windows\system32\Eikmkbeg.exe107⤵PID:3060
-
C:\Windows\SysWOW64\Eljihn32.exeC:\Windows\system32\Eljihn32.exe108⤵PID:1712
-
C:\Windows\SysWOW64\Eohedi32.exeC:\Windows\system32\Eohedi32.exe109⤵PID:2700
-
C:\Windows\SysWOW64\Eafapd32.exeC:\Windows\system32\Eafapd32.exe110⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1492 -
C:\Windows\SysWOW64\Edenlp32.exeC:\Windows\system32\Edenlp32.exe111⤵PID:2428
-
C:\Windows\SysWOW64\Ellfmm32.exeC:\Windows\system32\Ellfmm32.exe112⤵PID:2636
-
C:\Windows\SysWOW64\Eojbii32.exeC:\Windows\system32\Eojbii32.exe113⤵
- System Location Discovery: System Language Discovery
PID:2544 -
C:\Windows\SysWOW64\Eained32.exeC:\Windows\system32\Eained32.exe114⤵PID:2356
-
C:\Windows\SysWOW64\Edgkap32.exeC:\Windows\system32\Edgkap32.exe115⤵
- Drops file in System32 directory
PID:588 -
C:\Windows\SysWOW64\Ehbgbngm.exeC:\Windows\system32\Ehbgbngm.exe116⤵
- Drops file in System32 directory
- Modifies registry class
PID:2040 -
C:\Windows\SysWOW64\Ekacnjfp.exeC:\Windows\system32\Ekacnjfp.exe117⤵PID:2592
-
C:\Windows\SysWOW64\Enpoje32.exeC:\Windows\system32\Enpoje32.exe118⤵
- Modifies registry class
PID:572 -
C:\Windows\SysWOW64\Epnkfq32.exeC:\Windows\system32\Epnkfq32.exe119⤵PID:2296
-
C:\Windows\SysWOW64\Ekcpdi32.exeC:\Windows\system32\Ekcpdi32.exe120⤵PID:2504
-
C:\Windows\SysWOW64\Ejfpofkh.exeC:\Windows\system32\Ejfpofkh.exe121⤵
- Drops file in System32 directory
PID:1300
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-