Analysis
-
max time kernel
47s -
max time network
17s -
platform
windows7_x64 -
resource
win7-20240705-en -
resource tags
arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system -
submitted
22/08/2024, 16:53
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
ead07b332b3aeee72977c0dbf4cd9d80N.exe
Resource
win7-20240705-en
windows7-x64
8 signatures
120 seconds
Behavioral task
behavioral2
Sample
ead07b332b3aeee72977c0dbf4cd9d80N.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
7 signatures
120 seconds
General
-
Target
ead07b332b3aeee72977c0dbf4cd9d80N.exe
-
Size
104KB
-
MD5
ead07b332b3aeee72977c0dbf4cd9d80
-
SHA1
162b8de5ce4deb566d30534a21c76834eb163c5d
-
SHA256
2c31b4f98c950ddfe99e76d1aeab3b73d386e7386473b43f20d4a51ed7d9bfa5
-
SHA512
0e0509edf4e027aef64e9530e6f9edbca199a9d82da513c5b9556320fe750eb38ce7c16fee2f4805ff257450b1e93983d5d57339bcf95e8b6249631d54865af7
-
SSDEEP
3072:ts8nSdFDZv6RVkn/gkeZdddduPSe5jx7cEGrhkngpDvchkqbAIQS:ofWOYkeZdddduPp5jx4brq2Ahn
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fcgdjmlo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fcjqpm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Mfamko32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Nqgngk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ngcbie32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oaiglnih.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Llgllj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dnlolhoo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Faonqiod.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jlegic32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ppgfciee.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Dicmlpje.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hobcok32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Fondonbc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jhgnbehe.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kplfmfmf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lhbjmg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Phhonn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Icponb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ifahpnfl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Panpgn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Bapejd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ckamihfm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gqidme32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Keodflee.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cklpml32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Fhifmcfa.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iimhfj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Degqka32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Boainhic.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Paemac32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gnhkkjbf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Gjcekj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jiaaaicm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ppqqbjkm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qbhpddbf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fpojlp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Bblpae32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Bjgdfg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Bkgqpjch.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ehpgha32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Gcgpiq32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pmijgn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Cbnhfhoc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pbfcoedi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Alcqcjgd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Hmlmacfn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ebhani32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Hdailaib.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Bfcnfh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cjljpjjk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Mdigakic.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bdpnlo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bfpkfb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Cjfjjd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bdklnq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Hggeeo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Oikeal32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Olokighn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qdlialfb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Hqhiab32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hfjfpkji.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Adqbml32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Emilqb32.exe -
Executes dropped EXE 64 IoCs
pid Process 2272 Ododdlcd.exe 2188 Ohkpdj32.exe 2932 Onehadbj.exe 2788 Onehadbj.exe 2996 Ohmljj32.exe 2704 Ojlife32.exe 2816 Omjeba32.exe 2904 Obgmjh32.exe 2152 Oiqegb32.exe 3036 Odfjdk32.exe 2972 Ofefqf32.exe 2828 Omonmpcm.exe 2000 Plaoim32.exe 1140 Pbkgegad.exe 1100 Pieobaiq.exe 2556 Phhonn32.exe 2244 Pbnckg32.exe 2140 Pihlhagn.exe 1080 Plfhdlfb.exe 2088 Peolmb32.exe 1500 Pdamhocm.exe 544 Pkkeeikj.exe 2588 Paemac32.exe 2056 Peaibajp.exe 1656 Pgbejj32.exe 3000 Poinkg32.exe 1636 Qgdbpi32.exe 2656 Qajfmbna.exe 2672 Qdhcinme.exe 2644 Qggoeilh.exe 2720 Qnagbc32.exe 904 Agilkijf.exe 2432 Ancdgcab.exe 2824 Apapcnaf.exe 3024 Aenileon.exe 2892 Ahmehqna.exe 1056 Aogmdk32.exe 1372 Acbieing.exe 1768 Alknnodh.exe 336 Aagfffbo.exe 2500 Adfbbabc.exe 2084 Ahancp32.exe 652 Aokfpjai.exe 1704 Abjcleqm.exe 1672 Ahdkhp32.exe 1088 Akbgdkgm.exe 2032 Boncej32.exe 1092 Bblpae32.exe 1696 Bdklnq32.exe 2224 Bgihjl32.exe 2684 Bjgdfg32.exe 3012 Bncpffdn.exe 2668 Bbolge32.exe 2744 Bdmhcp32.exe 3056 Bkgqpjch.exe 1628 Bjjakg32.exe 2360 Bnemlf32.exe 1412 Bmhmgbif.exe 1052 Bcbedm32.exe 2288 Bgnaekil.exe 2540 Bjlnaghp.exe 2404 Bmjjmbgc.exe 2004 Bqffna32.exe 1296 Bcdbjl32.exe -
Loads dropped DLL 64 IoCs
pid Process 1820 ead07b332b3aeee72977c0dbf4cd9d80N.exe 1820 ead07b332b3aeee72977c0dbf4cd9d80N.exe 2272 Ododdlcd.exe 2272 Ododdlcd.exe 2188 Ohkpdj32.exe 2188 Ohkpdj32.exe 2932 Onehadbj.exe 2932 Onehadbj.exe 2788 Onehadbj.exe 2788 Onehadbj.exe 2996 Ohmljj32.exe 2996 Ohmljj32.exe 2704 Ojlife32.exe 2704 Ojlife32.exe 2816 Omjeba32.exe 2816 Omjeba32.exe 2904 Obgmjh32.exe 2904 Obgmjh32.exe 2152 Oiqegb32.exe 2152 Oiqegb32.exe 3036 Odfjdk32.exe 3036 Odfjdk32.exe 2972 Ofefqf32.exe 2972 Ofefqf32.exe 2828 Omonmpcm.exe 2828 Omonmpcm.exe 2000 Plaoim32.exe 2000 Plaoim32.exe 1140 Pbkgegad.exe 1140 Pbkgegad.exe 1100 Pieobaiq.exe 1100 Pieobaiq.exe 2556 Phhonn32.exe 2556 Phhonn32.exe 2244 Pbnckg32.exe 2244 Pbnckg32.exe 2140 Pihlhagn.exe 2140 Pihlhagn.exe 1080 Plfhdlfb.exe 1080 Plfhdlfb.exe 2088 Peolmb32.exe 2088 Peolmb32.exe 1500 Pdamhocm.exe 1500 Pdamhocm.exe 544 Pkkeeikj.exe 544 Pkkeeikj.exe 2588 Paemac32.exe 2588 Paemac32.exe 2056 Peaibajp.exe 2056 Peaibajp.exe 1656 Pgbejj32.exe 1656 Pgbejj32.exe 3000 Poinkg32.exe 3000 Poinkg32.exe 1636 Qgdbpi32.exe 1636 Qgdbpi32.exe 2656 Qajfmbna.exe 2656 Qajfmbna.exe 2672 Qdhcinme.exe 2672 Qdhcinme.exe 2644 Qggoeilh.exe 2644 Qggoeilh.exe 2720 Qnagbc32.exe 2720 Qnagbc32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Fofhdidp.exe Flhkhnel.exe File created C:\Windows\SysWOW64\Plodbd32.dll Dijjgegh.exe File created C:\Windows\SysWOW64\Qlnghj32.exe Phckglbq.exe File created C:\Windows\SysWOW64\Hejmhaqc.dll Jplinckj.exe File opened for modification C:\Windows\SysWOW64\Qggoeilh.exe Qdhcinme.exe File opened for modification C:\Windows\SysWOW64\Cbllph32.exe Ccileljk.exe File created C:\Windows\SysWOW64\Hfmbfkhf.exe Hfmbfkhf.exe File created C:\Windows\SysWOW64\Pikaqppk.exe Pfmeddag.exe File opened for modification C:\Windows\SysWOW64\Bofbih32.exe Blgfml32.exe File opened for modification C:\Windows\SysWOW64\Ancdgcab.exe Agilkijf.exe File created C:\Windows\SysWOW64\Ekblplgo.exe Ehdpcahk.exe File created C:\Windows\SysWOW64\Pihlhagn.exe Pbnckg32.exe File created C:\Windows\SysWOW64\Qgdbpi32.exe Poinkg32.exe File opened for modification C:\Windows\SysWOW64\Hggeeo32.exe Gqmmhdka.exe File created C:\Windows\SysWOW64\Gokmnlcf.exe Gphmbolk.exe File created C:\Windows\SysWOW64\Opqdcgib.exe Nfhpjaba.exe File created C:\Windows\SysWOW64\Mmfolail.dll Qakppa32.exe File created C:\Windows\SysWOW64\Dbmnjenb.exe Djffihmp.exe File created C:\Windows\SysWOW64\Fngplbcl.dll Aoamoefh.exe File created C:\Windows\SysWOW64\Flhkhnel.exe Fhlogo32.exe File created C:\Windows\SysWOW64\Fcnbll32.dll Ckbccnji.exe File opened for modification C:\Windows\SysWOW64\Cngfqi32.exe Cjljpjjk.exe File created C:\Windows\SysWOW64\Mhgpgjoj.exe Mdkcgk32.exe File created C:\Windows\SysWOW64\Pjligacm.dll Hkfgnldd.exe File created C:\Windows\SysWOW64\Plfhdlfb.exe Pihlhagn.exe File created C:\Windows\SysWOW64\Qggoeilh.exe Qdhcinme.exe File opened for modification C:\Windows\SysWOW64\Hfookk32.exe Hbccklmj.exe File created C:\Windows\SysWOW64\Ebgiin32.dll Icnbic32.exe File created C:\Windows\SysWOW64\Hgpeimhf.exe Hdailaib.exe File created C:\Windows\SysWOW64\Ajkmmb32.dll Dbidof32.exe File opened for modification C:\Windows\SysWOW64\Edfqclni.exe Eagdgaoe.exe File opened for modification C:\Windows\SysWOW64\Glhhgahg.exe Giikkehc.exe File opened for modification C:\Windows\SysWOW64\Gokmnlcf.exe Gphmbolk.exe File opened for modification C:\Windows\SysWOW64\Copljmpo.exe Ckdpinhf.exe File created C:\Windows\SysWOW64\Jfadoaih.exe Jdbhcfjd.exe File created C:\Windows\SysWOW64\Bhjngnod.exe Bjgmka32.exe File opened for modification C:\Windows\SysWOW64\Bfpkfb32.exe Bbdoec32.exe File created C:\Windows\SysWOW64\Ajqmqmfm.dll Hqjfgb32.exe File created C:\Windows\SysWOW64\Peaibajp.exe Paemac32.exe File created C:\Windows\SysWOW64\Hnlqemal.exe Hkndiabh.exe File created C:\Windows\SysWOW64\Iimhfj32.exe Ifoljn32.exe File created C:\Windows\SysWOW64\Iqmcmaja.exe Imaglc32.exe File created C:\Windows\SysWOW64\Jcgmedpl.dll Bjjakg32.exe File created C:\Windows\SysWOW64\Mcoinndc.dll Dfegjknm.exe File opened for modification C:\Windows\SysWOW64\Adekhkng.exe Alncgn32.exe File created C:\Windows\SysWOW64\Onfadc32.exe Olgehh32.exe File created C:\Windows\SysWOW64\Oafjfokk.exe Onhnjclg.exe File opened for modification C:\Windows\SysWOW64\Nidoamch.exe Njaoeq32.exe File created C:\Windows\SysWOW64\Pmgnan32.exe Pikaqppk.exe File created C:\Windows\SysWOW64\Ohmljj32.exe Onehadbj.exe File opened for modification C:\Windows\SysWOW64\Jephgi32.exe Jmhpfl32.exe File opened for modification C:\Windows\SysWOW64\Nglmifca.exe Ndnplk32.exe File created C:\Windows\SysWOW64\Aagfffbo.exe Alknnodh.exe File opened for modification C:\Windows\SysWOW64\Cbnhfhoc.exe Copljmpo.exe File opened for modification C:\Windows\SysWOW64\Hqpjndio.exe Hhhblgim.exe File created C:\Windows\SysWOW64\Iiicgkof.dll Mdkcgk32.exe File created C:\Windows\SysWOW64\Nnhakp32.exe Njmejaqb.exe File created C:\Windows\SysWOW64\Gkfkoi32.exe Gcocnk32.exe File opened for modification C:\Windows\SysWOW64\Gcapckod.exe Gdophn32.exe File created C:\Windows\SysWOW64\Kjonihkc.dll Cbnhfhoc.exe File created C:\Windows\SysWOW64\Feccqime.exe Feccqime.exe File created C:\Windows\SysWOW64\Folhio32.exe Flmlmc32.exe File opened for modification C:\Windows\SysWOW64\Pfmeddag.exe Pbaide32.exe File opened for modification C:\Windows\SysWOW64\Agonig32.exe Adqbml32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 6580 6504 WerFault.exe 672 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cfekkgla.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jidngh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lamkllea.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ldlghhde.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qbhpddbf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bapejd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bhqdgm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bgihjl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mfhcknpf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Apgcbmha.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Denglpkc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iiekkdjo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pkkeeikj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Paemac32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cejhld32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ifahpnfl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jlpmndba.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nfhpjaba.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eccdmmpk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ehjbaooe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Djqcki32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dajlhc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gjolpkhj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hggeeo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oakcan32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bbdoec32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bnkpjd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cicggcke.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jlgcncli.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jephgi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eoanij32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ghcbga32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gafcahil.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pinnfonh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gkiooocb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lkafib32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qdhcinme.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bmjjmbgc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dcfknooi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hmighemp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Giikkehc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jhikhefb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pfhlie32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pnodjb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pmijgn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Degqka32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fhcehngk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gomjckqc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Igioiacg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mlnbmikh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Onhnjclg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Alcqcjgd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fillabde.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cjljpjjk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ifceemdj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Omddmkhl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Phckglbq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hkfgnldd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dpbenpqh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gnhkkjbf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kfcadq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qoopie32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nkhhie32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dmllgo32.exe -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Hfmbfkhf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ibhieo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cdkklgcn.dll" Kghkppbp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Adqbml32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ghkbccdn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ifoljn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fbgdlq32.dll" Gdmcbojl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Gcapckod.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Hqhiab32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Johlpoij.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Mojaceln.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Dabkla32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ldhpen32.dll" Eiplecnc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Onfadc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Alncgn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kennjb32.dll" Bncpffdn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Flmlmc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Gcifdj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Agmacgcc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Cjbpoeoj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Hnljkf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Obgmjh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kjonihkc.dll" Cbnhfhoc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ehgmiq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Lamkllea.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjmcibej.dll" Iekbmfdc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pgihlk32.dll" Jnafop32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Elaego32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Aagfffbo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Fcegdnna.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cffgqn32.dll" Gcgpiq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ijhemglp.dll" Iapfmg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Fagqed32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Oiqegb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Bcbedm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ebekej32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Nnhakp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ompgqonl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Foidii32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fmdapnnp.dll" Hjnaehgj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Aagfffbo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dkpnji32.dll" Cjljpjjk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Lcqdidim.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Nidoamch.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Bjgdfg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Dlfbck32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dhoeadlm.dll" Gafcahil.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lgpbhg32.dll" Hedllgjk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gdfpegkn.dll" Nccmng32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ohkpdj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Bjdqfajl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ebmjihqn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hpehnofm.dll" Laknfmgd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ldikbhfh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Llgllj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Bapejd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Kiamql32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fdldjnpc.dll" Ldlghhde.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Dbidof32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Fhfbmn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ojlife32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Djffdk32.dll" Fimclh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Fejjah32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Gklkdn32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1820 wrote to memory of 2272 1820 ead07b332b3aeee72977c0dbf4cd9d80N.exe 29 PID 1820 wrote to memory of 2272 1820 ead07b332b3aeee72977c0dbf4cd9d80N.exe 29 PID 1820 wrote to memory of 2272 1820 ead07b332b3aeee72977c0dbf4cd9d80N.exe 29 PID 1820 wrote to memory of 2272 1820 ead07b332b3aeee72977c0dbf4cd9d80N.exe 29 PID 2272 wrote to memory of 2188 2272 Ododdlcd.exe 30 PID 2272 wrote to memory of 2188 2272 Ododdlcd.exe 30 PID 2272 wrote to memory of 2188 2272 Ododdlcd.exe 30 PID 2272 wrote to memory of 2188 2272 Ododdlcd.exe 30 PID 2188 wrote to memory of 2932 2188 Ohkpdj32.exe 31 PID 2188 wrote to memory of 2932 2188 Ohkpdj32.exe 31 PID 2188 wrote to memory of 2932 2188 Ohkpdj32.exe 31 PID 2188 wrote to memory of 2932 2188 Ohkpdj32.exe 31 PID 2932 wrote to memory of 2788 2932 Onehadbj.exe 32 PID 2932 wrote to memory of 2788 2932 Onehadbj.exe 32 PID 2932 wrote to memory of 2788 2932 Onehadbj.exe 32 PID 2932 wrote to memory of 2788 2932 Onehadbj.exe 32 PID 2788 wrote to memory of 2996 2788 Onehadbj.exe 33 PID 2788 wrote to memory of 2996 2788 Onehadbj.exe 33 PID 2788 wrote to memory of 2996 2788 Onehadbj.exe 33 PID 2788 wrote to memory of 2996 2788 Onehadbj.exe 33 PID 2996 wrote to memory of 2704 2996 Ohmljj32.exe 34 PID 2996 wrote to memory of 2704 2996 Ohmljj32.exe 34 PID 2996 wrote to memory of 2704 2996 Ohmljj32.exe 34 PID 2996 wrote to memory of 2704 2996 Ohmljj32.exe 34 PID 2704 wrote to memory of 2816 2704 Ojlife32.exe 35 PID 2704 wrote to memory of 2816 2704 Ojlife32.exe 35 PID 2704 wrote to memory of 2816 2704 Ojlife32.exe 35 PID 2704 wrote to memory of 2816 2704 Ojlife32.exe 35 PID 2816 wrote to memory of 2904 2816 Omjeba32.exe 36 PID 2816 wrote to memory of 2904 2816 Omjeba32.exe 36 PID 2816 wrote to memory of 2904 2816 Omjeba32.exe 36 PID 2816 wrote to memory of 2904 2816 Omjeba32.exe 36 PID 2904 wrote to memory of 2152 2904 Obgmjh32.exe 37 PID 2904 wrote to memory of 2152 2904 Obgmjh32.exe 37 PID 2904 wrote to memory of 2152 2904 Obgmjh32.exe 37 PID 2904 wrote to memory of 2152 2904 Obgmjh32.exe 37 PID 2152 wrote to memory of 3036 2152 Oiqegb32.exe 38 PID 2152 wrote to memory of 3036 2152 Oiqegb32.exe 38 PID 2152 wrote to memory of 3036 2152 Oiqegb32.exe 38 PID 2152 wrote to memory of 3036 2152 Oiqegb32.exe 38 PID 3036 wrote to memory of 2972 3036 Odfjdk32.exe 39 PID 3036 wrote to memory of 2972 3036 Odfjdk32.exe 39 PID 3036 wrote to memory of 2972 3036 Odfjdk32.exe 39 PID 3036 wrote to memory of 2972 3036 Odfjdk32.exe 39 PID 2972 wrote to memory of 2828 2972 Ofefqf32.exe 40 PID 2972 wrote to memory of 2828 2972 Ofefqf32.exe 40 PID 2972 wrote to memory of 2828 2972 Ofefqf32.exe 40 PID 2972 wrote to memory of 2828 2972 Ofefqf32.exe 40 PID 2828 wrote to memory of 2000 2828 Omonmpcm.exe 41 PID 2828 wrote to memory of 2000 2828 Omonmpcm.exe 41 PID 2828 wrote to memory of 2000 2828 Omonmpcm.exe 41 PID 2828 wrote to memory of 2000 2828 Omonmpcm.exe 41 PID 2000 wrote to memory of 1140 2000 Plaoim32.exe 42 PID 2000 wrote to memory of 1140 2000 Plaoim32.exe 42 PID 2000 wrote to memory of 1140 2000 Plaoim32.exe 42 PID 2000 wrote to memory of 1140 2000 Plaoim32.exe 42 PID 1140 wrote to memory of 1100 1140 Pbkgegad.exe 43 PID 1140 wrote to memory of 1100 1140 Pbkgegad.exe 43 PID 1140 wrote to memory of 1100 1140 Pbkgegad.exe 43 PID 1140 wrote to memory of 1100 1140 Pbkgegad.exe 43 PID 1100 wrote to memory of 2556 1100 Pieobaiq.exe 44 PID 1100 wrote to memory of 2556 1100 Pieobaiq.exe 44 PID 1100 wrote to memory of 2556 1100 Pieobaiq.exe 44 PID 1100 wrote to memory of 2556 1100 Pieobaiq.exe 44
Processes
-
C:\Users\Admin\AppData\Local\Temp\ead07b332b3aeee72977c0dbf4cd9d80N.exe"C:\Users\Admin\AppData\Local\Temp\ead07b332b3aeee72977c0dbf4cd9d80N.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1820 -
C:\Windows\SysWOW64\Ododdlcd.exeC:\Windows\system32\Ododdlcd.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2272 -
C:\Windows\SysWOW64\Ohkpdj32.exeC:\Windows\system32\Ohkpdj32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2188 -
C:\Windows\SysWOW64\Onehadbj.exeC:\Windows\system32\Onehadbj.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2932 -
C:\Windows\SysWOW64\Onehadbj.exeC:\Windows\system32\Onehadbj.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2788 -
C:\Windows\SysWOW64\Ohmljj32.exeC:\Windows\system32\Ohmljj32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2996 -
C:\Windows\SysWOW64\Ojlife32.exeC:\Windows\system32\Ojlife32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2704 -
C:\Windows\SysWOW64\Omjeba32.exeC:\Windows\system32\Omjeba32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2816 -
C:\Windows\SysWOW64\Obgmjh32.exeC:\Windows\system32\Obgmjh32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2904 -
C:\Windows\SysWOW64\Oiqegb32.exeC:\Windows\system32\Oiqegb32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2152 -
C:\Windows\SysWOW64\Odfjdk32.exeC:\Windows\system32\Odfjdk32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3036 -
C:\Windows\SysWOW64\Ofefqf32.exeC:\Windows\system32\Ofefqf32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2972 -
C:\Windows\SysWOW64\Omonmpcm.exeC:\Windows\system32\Omonmpcm.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2828 -
C:\Windows\SysWOW64\Plaoim32.exeC:\Windows\system32\Plaoim32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2000 -
C:\Windows\SysWOW64\Pbkgegad.exeC:\Windows\system32\Pbkgegad.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1140 -
C:\Windows\SysWOW64\Pieobaiq.exeC:\Windows\system32\Pieobaiq.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1100 -
C:\Windows\SysWOW64\Phhonn32.exeC:\Windows\system32\Phhonn32.exe17⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2556 -
C:\Windows\SysWOW64\Pbnckg32.exeC:\Windows\system32\Pbnckg32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2244 -
C:\Windows\SysWOW64\Pihlhagn.exeC:\Windows\system32\Pihlhagn.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2140 -
C:\Windows\SysWOW64\Plfhdlfb.exeC:\Windows\system32\Plfhdlfb.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1080 -
C:\Windows\SysWOW64\Peolmb32.exeC:\Windows\system32\Peolmb32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2088 -
C:\Windows\SysWOW64\Pdamhocm.exeC:\Windows\system32\Pdamhocm.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1500 -
C:\Windows\SysWOW64\Pkkeeikj.exeC:\Windows\system32\Pkkeeikj.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:544 -
C:\Windows\SysWOW64\Paemac32.exeC:\Windows\system32\Paemac32.exe24⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2588 -
C:\Windows\SysWOW64\Peaibajp.exeC:\Windows\system32\Peaibajp.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2056 -
C:\Windows\SysWOW64\Pgbejj32.exeC:\Windows\system32\Pgbejj32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1656 -
C:\Windows\SysWOW64\Poinkg32.exeC:\Windows\system32\Poinkg32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:3000 -
C:\Windows\SysWOW64\Qgdbpi32.exeC:\Windows\system32\Qgdbpi32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1636 -
C:\Windows\SysWOW64\Qajfmbna.exeC:\Windows\system32\Qajfmbna.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2656 -
C:\Windows\SysWOW64\Qdhcinme.exeC:\Windows\system32\Qdhcinme.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2672 -
C:\Windows\SysWOW64\Qggoeilh.exeC:\Windows\system32\Qggoeilh.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2644 -
C:\Windows\SysWOW64\Qnagbc32.exeC:\Windows\system32\Qnagbc32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2720 -
C:\Windows\SysWOW64\Agilkijf.exeC:\Windows\system32\Agilkijf.exe33⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:904 -
C:\Windows\SysWOW64\Ancdgcab.exeC:\Windows\system32\Ancdgcab.exe34⤵
- Executes dropped EXE
PID:2432 -
C:\Windows\SysWOW64\Apapcnaf.exeC:\Windows\system32\Apapcnaf.exe35⤵
- Executes dropped EXE
PID:2824 -
C:\Windows\SysWOW64\Aenileon.exeC:\Windows\system32\Aenileon.exe36⤵
- Executes dropped EXE
PID:3024 -
C:\Windows\SysWOW64\Ahmehqna.exeC:\Windows\system32\Ahmehqna.exe37⤵
- Executes dropped EXE
PID:2892 -
C:\Windows\SysWOW64\Aogmdk32.exeC:\Windows\system32\Aogmdk32.exe38⤵
- Executes dropped EXE
PID:1056 -
C:\Windows\SysWOW64\Acbieing.exeC:\Windows\system32\Acbieing.exe39⤵
- Executes dropped EXE
PID:1372 -
C:\Windows\SysWOW64\Alknnodh.exeC:\Windows\system32\Alknnodh.exe40⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1768 -
C:\Windows\SysWOW64\Aagfffbo.exeC:\Windows\system32\Aagfffbo.exe41⤵
- Executes dropped EXE
- Modifies registry class
PID:336 -
C:\Windows\SysWOW64\Adfbbabc.exeC:\Windows\system32\Adfbbabc.exe42⤵
- Executes dropped EXE
PID:2500 -
C:\Windows\SysWOW64\Ahancp32.exeC:\Windows\system32\Ahancp32.exe43⤵
- Executes dropped EXE
PID:2084 -
C:\Windows\SysWOW64\Aokfpjai.exeC:\Windows\system32\Aokfpjai.exe44⤵
- Executes dropped EXE
PID:652 -
C:\Windows\SysWOW64\Abjcleqm.exeC:\Windows\system32\Abjcleqm.exe45⤵
- Executes dropped EXE
PID:1704 -
C:\Windows\SysWOW64\Ahdkhp32.exeC:\Windows\system32\Ahdkhp32.exe46⤵
- Executes dropped EXE
PID:1672 -
C:\Windows\SysWOW64\Akbgdkgm.exeC:\Windows\system32\Akbgdkgm.exe47⤵
- Executes dropped EXE
PID:1088 -
C:\Windows\SysWOW64\Boncej32.exeC:\Windows\system32\Boncej32.exe48⤵
- Executes dropped EXE
PID:2032 -
C:\Windows\SysWOW64\Bblpae32.exeC:\Windows\system32\Bblpae32.exe49⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1092 -
C:\Windows\SysWOW64\Bdklnq32.exeC:\Windows\system32\Bdklnq32.exe50⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1696 -
C:\Windows\SysWOW64\Bgihjl32.exeC:\Windows\system32\Bgihjl32.exe51⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2224 -
C:\Windows\SysWOW64\Bjgdfg32.exeC:\Windows\system32\Bjgdfg32.exe52⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:2684 -
C:\Windows\SysWOW64\Bncpffdn.exeC:\Windows\system32\Bncpffdn.exe53⤵
- Executes dropped EXE
- Modifies registry class
PID:3012 -
C:\Windows\SysWOW64\Bbolge32.exeC:\Windows\system32\Bbolge32.exe54⤵
- Executes dropped EXE
PID:2668 -
C:\Windows\SysWOW64\Bdmhcp32.exeC:\Windows\system32\Bdmhcp32.exe55⤵
- Executes dropped EXE
PID:2744 -
C:\Windows\SysWOW64\Bkgqpjch.exeC:\Windows\system32\Bkgqpjch.exe56⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3056 -
C:\Windows\SysWOW64\Bjjakg32.exeC:\Windows\system32\Bjjakg32.exe57⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1628 -
C:\Windows\SysWOW64\Bnemlf32.exeC:\Windows\system32\Bnemlf32.exe58⤵
- Executes dropped EXE
PID:2360 -
C:\Windows\SysWOW64\Bmhmgbif.exeC:\Windows\system32\Bmhmgbif.exe59⤵
- Executes dropped EXE
PID:1412 -
C:\Windows\SysWOW64\Bcbedm32.exeC:\Windows\system32\Bcbedm32.exe60⤵
- Executes dropped EXE
- Modifies registry class
PID:1052 -
C:\Windows\SysWOW64\Bgnaekil.exeC:\Windows\system32\Bgnaekil.exe61⤵
- Executes dropped EXE
PID:2288 -
C:\Windows\SysWOW64\Bjlnaghp.exeC:\Windows\system32\Bjlnaghp.exe62⤵
- Executes dropped EXE
PID:2540 -
C:\Windows\SysWOW64\Bmjjmbgc.exeC:\Windows\system32\Bmjjmbgc.exe63⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2404 -
C:\Windows\SysWOW64\Bqffna32.exeC:\Windows\system32\Bqffna32.exe64⤵
- Executes dropped EXE
PID:2004 -
C:\Windows\SysWOW64\Bcdbjl32.exeC:\Windows\system32\Bcdbjl32.exe65⤵
- Executes dropped EXE
PID:1296 -
C:\Windows\SysWOW64\Bfcnfh32.exeC:\Windows\system32\Bfcnfh32.exe66⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2100 -
C:\Windows\SysWOW64\Biakbc32.exeC:\Windows\system32\Biakbc32.exe67⤵PID:2520
-
C:\Windows\SysWOW64\Bmmgbbeq.exeC:\Windows\system32\Bmmgbbeq.exe68⤵PID:2968
-
C:\Windows\SysWOW64\Bokcom32.exeC:\Windows\system32\Bokcom32.exe69⤵PID:2960
-
C:\Windows\SysWOW64\Bbjoki32.exeC:\Windows\system32\Bbjoki32.exe70⤵PID:2724
-
C:\Windows\SysWOW64\Cfekkgla.exeC:\Windows\system32\Cfekkgla.exe71⤵
- System Location Discovery: System Language Discovery
PID:2352 -
C:\Windows\SysWOW64\Cicggcke.exeC:\Windows\system32\Cicggcke.exe72⤵
- System Location Discovery: System Language Discovery
PID:1692 -
C:\Windows\SysWOW64\Ckbccnji.exeC:\Windows\system32\Ckbccnji.exe73⤵
- Drops file in System32 directory
PID:2412 -
C:\Windows\SysWOW64\Ccileljk.exeC:\Windows\system32\Ccileljk.exe74⤵
- Drops file in System32 directory
PID:708 -
C:\Windows\SysWOW64\Cbllph32.exeC:\Windows\system32\Cbllph32.exe75⤵PID:2848
-
C:\Windows\SysWOW64\Cejhld32.exeC:\Windows\system32\Cejhld32.exe76⤵
- System Location Discovery: System Language Discovery
PID:1720 -
C:\Windows\SysWOW64\Cifdmbib.exeC:\Windows\system32\Cifdmbib.exe77⤵PID:1340
-
C:\Windows\SysWOW64\Ckdpinhf.exeC:\Windows\system32\Ckdpinhf.exe78⤵
- Drops file in System32 directory
PID:2116 -
C:\Windows\SysWOW64\Copljmpo.exeC:\Windows\system32\Copljmpo.exe79⤵
- Drops file in System32 directory
PID:800 -
C:\Windows\SysWOW64\Cbnhfhoc.exeC:\Windows\system32\Cbnhfhoc.exe80⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:112 -
C:\Windows\SysWOW64\Cfjdfg32.exeC:\Windows\system32\Cfjdfg32.exe81⤵PID:1524
-
C:\Windows\SysWOW64\Cgkanomj.exeC:\Windows\system32\Cgkanomj.exe82⤵PID:1552
-
C:\Windows\SysWOW64\Ckgmon32.exeC:\Windows\system32\Ckgmon32.exe83⤵PID:1712
-
C:\Windows\SysWOW64\Cneiki32.exeC:\Windows\system32\Cneiki32.exe84⤵PID:2860
-
C:\Windows\SysWOW64\Cbqekhmp.exeC:\Windows\system32\Cbqekhmp.exe85⤵PID:2784
-
C:\Windows\SysWOW64\Ceoagcld.exeC:\Windows\system32\Ceoagcld.exe86⤵PID:2284
-
C:\Windows\SysWOW64\Cgmndokg.exeC:\Windows\system32\Cgmndokg.exe87⤵PID:1396
-
C:\Windows\SysWOW64\Cjljpjjk.exeC:\Windows\system32\Cjljpjjk.exe88⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2736 -
C:\Windows\SysWOW64\Cngfqi32.exeC:\Windows\system32\Cngfqi32.exe89⤵PID:2636
-
C:\Windows\SysWOW64\Cafbmdbh.exeC:\Windows\system32\Cafbmdbh.exe90⤵PID:1556
-
C:\Windows\SysWOW64\Ceanmc32.exeC:\Windows\system32\Ceanmc32.exe91⤵PID:2512
-
C:\Windows\SysWOW64\Cgpjin32.exeC:\Windows\system32\Cgpjin32.exe92⤵PID:1764
-
C:\Windows\SysWOW64\Cjngej32.exeC:\Windows\system32\Cjngej32.exe93⤵PID:568
-
C:\Windows\SysWOW64\Cmmcae32.exeC:\Windows\system32\Cmmcae32.exe94⤵PID:1780
-
C:\Windows\SysWOW64\Dedkbb32.exeC:\Windows\system32\Dedkbb32.exe95⤵PID:264
-
C:\Windows\SysWOW64\Dcfknooi.exeC:\Windows\system32\Dcfknooi.exe96⤵
- System Location Discovery: System Language Discovery
PID:960 -
C:\Windows\SysWOW64\Dfegjknm.exeC:\Windows\system32\Dfegjknm.exe97⤵
- Drops file in System32 directory
PID:2472 -
C:\Windows\SysWOW64\Djqcki32.exeC:\Windows\system32\Djqcki32.exe98⤵
- System Location Discovery: System Language Discovery
PID:2664 -
C:\Windows\SysWOW64\Dnlolhoo.exeC:\Windows\system32\Dnlolhoo.exe99⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2148 -
C:\Windows\SysWOW64\Dajlhc32.exeC:\Windows\system32\Dajlhc32.exe100⤵
- System Location Discovery: System Language Discovery
PID:2408 -
C:\Windows\SysWOW64\Dpmlcpdm.exeC:\Windows\system32\Dpmlcpdm.exe101⤵PID:2980
-
C:\Windows\SysWOW64\Dfgdpj32.exeC:\Windows\system32\Dfgdpj32.exe102⤵PID:2624
-
C:\Windows\SysWOW64\Djcpqidc.exeC:\Windows\system32\Djcpqidc.exe103⤵PID:1944
-
C:\Windows\SysWOW64\Damhmc32.exeC:\Windows\system32\Damhmc32.exe104⤵PID:2524
-
C:\Windows\SysWOW64\Dpphipbk.exeC:\Windows\system32\Dpphipbk.exe105⤵PID:2248
-
C:\Windows\SysWOW64\Dfjaej32.exeC:\Windows\system32\Dfjaej32.exe106⤵PID:2596
-
C:\Windows\SysWOW64\Dihmae32.exeC:\Windows\system32\Dihmae32.exe107⤵PID:2424
-
C:\Windows\SysWOW64\Dlfina32.exeC:\Windows\system32\Dlfina32.exe108⤵PID:2936
-
C:\Windows\SysWOW64\Dpbenpqh.exeC:\Windows\system32\Dpbenpqh.exe109⤵
- System Location Discovery: System Language Discovery
PID:1624 -
C:\Windows\SysWOW64\Dflnkjhe.exeC:\Windows\system32\Dflnkjhe.exe110⤵PID:1956
-
C:\Windows\SysWOW64\Dflnkjhe.exeC:\Windows\system32\Dflnkjhe.exe111⤵PID:2400
-
C:\Windows\SysWOW64\Dijjgegh.exeC:\Windows\system32\Dijjgegh.exe112⤵
- Drops file in System32 directory
PID:2144 -
C:\Windows\SysWOW64\Dogbolep.exeC:\Windows\system32\Dogbolep.exe113⤵PID:3040
-
C:\Windows\SysWOW64\Dfnjqifb.exeC:\Windows\system32\Dfnjqifb.exe114⤵PID:2628
-
C:\Windows\SysWOW64\Deajlf32.exeC:\Windows\system32\Deajlf32.exe115⤵PID:2584
-
C:\Windows\SysWOW64\Ehpgha32.exeC:\Windows\system32\Ehpgha32.exe116⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2620 -
C:\Windows\SysWOW64\Eojoelcm.exeC:\Windows\system32\Eojoelcm.exe117⤵PID:2044
-
C:\Windows\SysWOW64\Ebekej32.exeC:\Windows\system32\Ebekej32.exe118⤵
- Modifies registry class
PID:2324 -
C:\Windows\SysWOW64\Eecgafkj.exeC:\Windows\system32\Eecgafkj.exe119⤵PID:2956
-
C:\Windows\SysWOW64\Ehbcnajn.exeC:\Windows\system32\Ehbcnajn.exe120⤵PID:3048
-
C:\Windows\SysWOW64\Ekppjmia.exeC:\Windows\system32\Ekppjmia.exe121⤵PID:3064
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-