Analysis

max time kernel: 64s
max time network: 16s
platform: windows7_x64
resource: win7-20240708-en
resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
submitted: 23-08-2024 03:59
Static task: static1
Behavioral task: behavioral1
  Sample: 89848e1a5857b705e237a0c2dc4f14b0N.exe
  Resource: win7-20240708-en
Behavioral task: behavioral2
  Sample: 89848e1a5857b705e237a0c2dc4f14b0N.exe
  Resource: win10v2004-20240802-en
General

Target: 89848e1a5857b705e237a0c2dc4f14b0N.exe
Size: 640KB
MD5: 89848e1a5857b705e237a0c2dc4f14b0
SHA1: 3801304b2a6006a4c740d9be3e6649343df68a2b
SHA256: 91043a65bd1f793a4aa7feea0265f59f9b51aa084f36daeba9a3ca31b82a6417
SHA512: f4681fe3e20c37822b4886ca3edff7d6175e54bfae387de7b09aee83d653563a2adaed1113b605c5a20ce49b381e9dc1aade985c9061a0a369e59e7043f28eae
SSDEEP: 12288:vNVXdXHaINIVIIVy2oIvPKiK13fS2hEYM9RIPk:v/dXHfNIVIIVy2jU13fS2hEYM9RIPk
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
Executes dropped EXE 64 IoCs
Loads dropped DLL 64 IoCs
Drops file in System32 directory 64 IoCs
Program crash 1 IoCs
pid: 7768, pid_target: 2368, Process: WerFault.exe, procid_target: 835
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ancdgcab.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mmcpjfcj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hiofdmkq.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ofefqf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pbppqf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bcbedm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dckdio32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ealleg32.dll" Dckdio32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hlnbqijd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ipcjje32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dihmae32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Olfclj32.dll" Bghfacem.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hcopmpmb.dll" Ipdaek32.exe Set value (str) 
\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkegkb32.dll" Mqfooonp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hkfeec32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hajdniep.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jpajdi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lckfbdjp.dll" Jehbfjia.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjipeebb.dll" Nhakecld.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Flmidkmn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pealef32.dll" Idkcjk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jpomnilc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mhlcnl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mafibkqg.dll" Fmholgpj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ogmngn32.exe Key created 
\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Eaalom32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kgmkef32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Oclpdf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Acemeo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Henjnica.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Blcikifh.dll" Mcbofk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nidoamch.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oplmkm32.dll" Jhfljm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ilfadg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jhfepfme.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Boifinfg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oamkpm32.dll" Iglkoaad.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Baecehhh.exe Set value (str) 
\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Impcbm32.dll" Inqhhc32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dajlhc32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jlegic32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Joicje32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lodoefed.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nnknqpgi.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fopjnd32.dll" Bbhfgj32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ieiegf32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Okeceaep.dll" Qamjmh32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bedene32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Agloko32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Adffdidl.dll" Cmbghgdg.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mjodhe32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Plneoace.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdaaokbn.dll" Bnhqll32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ccjbobnf.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Khjkiikl.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Flphccbp.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Haohel32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhheim32.dll" Jifhdphd.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ncejcg32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Phklcn32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jehbfjia.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hlhfem32.dll" Fgjmfa32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hgaoec32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jlegic32.exe -
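The registry events above describe a single persistence chain spread over many dropped processes: a value under ShellServiceObjectDelayLoad names the CLSID {79FEACFF-FFCE-815E-A900-316290B5B738}, and that CLSID's InProcServer32 default value is pointed, by one dropped binary after another, at a freshly named DLL under SysWow64. Explorer.exe loads whatever DLL the key names when the shell starts, which is why the signature reads "Adds autorun key to be loaded by Explorer.exe on startup". The Python below is an added example, not part of the sandbox report or its tooling: it parses a constructed handful of event rows in the shape printed above and joins them into entry name, CLSID, and DLL, flagging the rewrite churn on the InProcServer32 target. The row regex, the sample rows and the churn heuristic are my assumptions, not the sandbox's schema.

```python
"""Join the report's registry events into the persistence chain they describe:
SSODL entry name -> CLSID -> DLL named by that CLSID's InProcServer32 value."""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

# Constructed sample (assumption: my own transcription of rows in the shape the
# report prints them, not the sandbox's export format).
SAMPLE_EVENTS = r'''
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ddcadd32.exe
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dglkba32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dajlhc32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jlegic32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Impcbm32.dll" Inqhhc32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fopjnd32.dll" Bbhfgj32.exe
'''


@dataclass(frozen=True)
class RegEvent:
    action: str             # "Set value (str)" or "Key created"
    path: str               # registry key, plus the value name for Set value rows
    value: Optional[str]    # data written, None for Key created
    process: str            # image name of the writing process


# Row shape: action, then a path that may itself contain spaces, then the process.
EVENT_RE = re.compile(
    r'^(?P<action>Set value \(str\)|Key created) (?P<rest>.+) (?P<proc>\S+\.exe)$')
SSODL_RE = re.compile(r'\\ShellServiceObjectDelayLoad\\(?P<name>[^\\]+)$', re.I)
INPROC_RE = re.compile(
    r'\\CLSID\\(?P<clsid>\{[0-9A-F-]+\})\\InProcServer32\\(?P<val>[^\\]*)$', re.I)


def parse_events(text: str) -> list:
    """Turn report rows into RegEvent records; non-matching lines are skipped."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if not m:
            continue                      # blank line or column header
        rest, value = m['rest'], None
        if ' = "' in rest:
            rest, _, raw = rest.rpartition(' = "')
            # drop the closing quote and the report's doubled backslashes
            value = raw[:-1].replace('\\\\', '\\')
        events.append(RegEvent(m['action'], rest, value, m['proc']))
    return events


def link_ssodl(events) -> dict:
    """Map each SSODL entry name to its CLSID and every InProcServer32 target."""
    inproc = defaultdict(lambda: {'dlls': [], 'threading': set()})
    for ev in events:
        m = INPROC_RE.search(ev.path)
        if ev.action != 'Set value (str)' or not m:
            continue
        rec = inproc[m['clsid'].upper()]
        if m['val'] == '':                          # default value = server DLL
            rec['dlls'].append((ev.value, ev.process))
        elif m['val'].lower() == 'threadingmodel':
            rec['threading'].add(ev.value)

    chain = {}
    for ev in events:
        m = SSODL_RE.search(ev.path)
        if ev.action != 'Set value (str)' or not m:
            continue
        clsid = ev.value.upper()
        rec = inproc.get(clsid, {'dlls': [], 'threading': set()})
        entry = chain.setdefault(m['name'], {
            'clsid': clsid,
            'set_by': [],
            'dlls': rec['dlls'],
            'threading': sorted(rec['threading']),
            # Heuristic (assumption): a COM server registered by one installer does
            # not get its InProcServer32 target rewritten by several binaries.
            'churn': len({d for d, _ in rec['dlls']}) > 1
                     or len({p for _, p in rec['dlls']}) > 1,
        })
        entry['set_by'].append(ev.process)
    return chain


if __name__ == '__main__':
    for name, rec in link_ssodl(parse_events(SAMPLE_EVENTS)).items():
        print(f'{name} -> {rec["clsid"]} (set by {", ".join(rec["set_by"])})')
        for dll, proc in rec['dlls']:
            print(f'    InProcServer32 = {dll}   written by {proc}')
        print(f'    ThreadingModel={rec["threading"]}  churn={rec["churn"]}')
```

On a live host the same join is done by reading HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad (and its Wow6432Node twin) and resolving each CLSID's InProcServer32 under HKCR\CLSID; any entry whose DLL sits under System32 or SysWow64 with an unfamiliar name deserves a signature check before the next logon.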
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target
PID 808 wrote to memory of 2368 808 89848e1a5857b705e237a0c2dc4f14b0N.exe 30 (4 calls)
PID 2368 wrote to memory of 2860 2368 Idgjqook.exe 31 (4 calls)
PID 2860 wrote to memory of 2820 2860 Jkdoci32.exe 32 (4 calls)
PID 2820 wrote to memory of 2804 2820 Jjilde32.exe 33 (4 calls)
PID 2804 wrote to memory of 2884 2804 Jhniebne.exe 34 (4 calls)
PID 2884 wrote to memory of 2792 2884 Jhqeka32.exe 35 (4 calls)
PID 2792 wrote to memory of 1740 2792 Kdgfpbaf.exe 36 (4 calls)
PID 1740 wrote to memory of 1052 1740 Komjmk32.exe 37 (4 calls)
PID 1052 wrote to memory of 1664 1052 Kdlpkb32.exe 38 (4 calls)
PID 1664 wrote to memory of 2124 1664 Kjihci32.exe 39 (4 calls)
PID 2124 wrote to memory of 2692 2124 Kngaig32.exe 40 (4 calls)
PID 2692 wrote to memory of 1780 2692 Kdqifajl.exe 41 (4 calls)
PID 1780 wrote to memory of 2416 1780 Ljbkig32.exe 42 (4 calls)
PID 2416 wrote to memory of 2088 2416 Lkcgapjl.exe 43 (4 calls)
PID 2088 wrote to memory of 2456 2088 Lenioenj.exe 44 (4 calls)
PID 2456 wrote to memory of 2484 2456 Milaecdp.exe 45 (4 calls)
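The 64 rows above are 16 distinct parent-to-child pairs, each recorded four times: the sample writes into the first dropped executable, which writes into the next, and so on down the chain. As an added example (not from the sandbox or the report's tooling), the Python below rebuilds that relay from a constructed subset of the rows in the shape printed above, checks that it forms one linear chain with a single root, and reports the per-pair call count. The column interpretation (procid_target read as the sandbox's own index for the target, the target's real PID being the one inside the description), the regex and the "uniform burst" heuristic are my assumptions: a small, constant number of WriteProcessMemory calls per pair is consistent with the writes a parent makes while creating a child, so it is a triage hint, not proof of injection.

```python
"""Rebuild the parent -> child relay from WriteProcessMemory rows like the ones
in the report above."""
import re
from collections import Counter, defaultdict

# Constructed sample (assumption: my transcription of the column header and the
# first four stages of the table above, not the sandbox's export format).
SAMPLE_ROWS = '''
description pid Process procid_target
PID 808 wrote to memory of 2368 808 89848e1a5857b705e237a0c2dc4f14b0N.exe 30
PID 808 wrote to memory of 2368 808 89848e1a5857b705e237a0c2dc4f14b0N.exe 30
PID 808 wrote to memory of 2368 808 89848e1a5857b705e237a0c2dc4f14b0N.exe 30
PID 808 wrote to memory of 2368 808 89848e1a5857b705e237a0c2dc4f14b0N.exe 30
PID 2368 wrote to memory of 2860 2368 Idgjqook.exe 31
PID 2368 wrote to memory of 2860 2368 Idgjqook.exe 31
PID 2368 wrote to memory of 2860 2368 Idgjqook.exe 31
PID 2368 wrote to memory of 2860 2368 Idgjqook.exe 31
PID 2860 wrote to memory of 2820 2860 Jkdoci32.exe 32
PID 2860 wrote to memory of 2820 2860 Jkdoci32.exe 32
PID 2860 wrote to memory of 2820 2860 Jkdoci32.exe 32
PID 2860 wrote to memory of 2820 2860 Jkdoci32.exe 32
PID 2820 wrote to memory of 2804 2820 Jjilde32.exe 33
PID 2820 wrote to memory of 2804 2820 Jjilde32.exe 33
PID 2820 wrote to memory of 2804 2820 Jjilde32.exe 33
PID 2820 wrote to memory of 2804 2820 Jjilde32.exe 33
'''

# description | pid | Process | procid_target. Assumption: procid_target is the
# sandbox's own index for the target; the target's real PID is in the description.
ROW_RE = re.compile(r'^PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) '
                    r'(?P<pid>\d+) (?P<image>\S+) (?P<procid>\d+)$')


def parse_rows(text: str) -> list:
    """Return (writer_pid, target_pid, writer_image) per row; skip non-rows."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue                      # header or blank line
        if m['src'] != m['pid']:
            raise ValueError(f'description and pid column disagree: {line!r}')
        rows.append((int(m['src']), int(m['dst']), m['image']))
    return rows


def build_relay(rows) -> dict:
    """Collapse repeated rows into edges and walk the chain from its root."""
    edges = Counter((src, dst) for src, dst, _ in rows)
    image = {src: img for src, _, img in rows}      # image only known for writers
    children, parents = defaultdict(set), defaultdict(set)
    for src, dst in edges:
        children[src].add(dst)
        parents[dst].add(src)
    roots = sorted(p for p in children if p not in parents)
    linear = (len(roots) == 1
              and all(len(c) == 1 for c in children.values())
              and all(len(p) == 1 for p in parents.values()))
    chain, seen = [], set()
    pid = roots[0] if linear else None
    while pid is not None and pid not in seen:   # seen-guard stops on a cycle
        seen.add(pid)
        chain.append((pid, image.get(pid)))
        nxt = children.get(pid)
        pid = next(iter(nxt)) if nxt else None
    return {
        'edges': dict(edges),
        'roots': roots,
        'linear': linear,
        'chain': chain,
        # Heuristic (assumption): the same small call count on every edge matches
        # the writes a parent performs while creating a child; varying counts are
        # a better reason to suspect hand-rolled injection.
        'uniform_burst': len(set(edges.values())) == 1,
    }


if __name__ == '__main__':
    relay = build_relay(parse_rows(SAMPLE_ROWS))
    print('linear relay:', relay['linear'],
          '| calls per edge:', sorted(set(relay['edges'].values())))
    for depth, (pid, img) in enumerate(relay['chain'], 1):
        print(f'{depth:3d}  PID {pid:<5} {img or "(never wrote to another process)"}')
```

Run against the full 64 rows, the walk ends at PID 2484 with no image, because Mjpkbk32.exe never appears as a writer in this table even though the process list below shows it spawning the next stage; the relay visible through WriteProcessMemory stops one step short of the process tree.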
Processes
-
C:\Users\Admin\AppData\Local\Temp\89848e1a5857b705e237a0c2dc4f14b0N.exe (depth 1), command line: "C:\Users\Admin\AppData\Local\Temp\89848e1a5857b705e237a0c2dc4f14b0N.exe"
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:808 -
C:\Windows\SysWOW64\Idgjqook.exe (depth 2), command line: C:\Windows\system32\Idgjqook.exe
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2368 -
C:\Windows\SysWOW64\Jkdoci32.exe (depth 3), command line: C:\Windows\system32\Jkdoci32.exe
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2860 -
C:\Windows\SysWOW64\Jjilde32.exe (depth 4), command line: C:\Windows\system32\Jjilde32.exe
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2820 -
C:\Windows\SysWOW64\Jhniebne.exe (depth 5), command line: C:\Windows\system32\Jhniebne.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2804 -
C:\Windows\SysWOW64\Jhqeka32.exe (depth 6), command line: C:\Windows\system32\Jhqeka32.exe
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2884 -
C:\Windows\SysWOW64\Kdgfpbaf.exe (depth 7), command line: C:\Windows\system32\Kdgfpbaf.exe
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2792 -
C:\Windows\SysWOW64\Komjmk32.exe (depth 8), command line: C:\Windows\system32\Komjmk32.exe
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1740 -
C:\Windows\SysWOW64\Kdlpkb32.exe (depth 9), command line: C:\Windows\system32\Kdlpkb32.exe
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1052 -
C:\Windows\SysWOW64\Kjihci32.exe (depth 10), command line: C:\Windows\system32\Kjihci32.exe
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1664 -
C:\Windows\SysWOW64\Kngaig32.exe (depth 11), command line: C:\Windows\system32\Kngaig32.exe
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2124 -
C:\Windows\SysWOW64\Kdqifajl.exe (depth 12), command line: C:\Windows\system32\Kdqifajl.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2692 -
C:\Windows\SysWOW64\Ljbkig32.exe (depth 13), command line: C:\Windows\system32\Ljbkig32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1780 -
C:\Windows\SysWOW64\Lkcgapjl.exe (depth 14), command line: C:\Windows\system32\Lkcgapjl.exe
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2416 -
C:\Windows\SysWOW64\Lenioenj.exe (depth 15), command line: C:\Windows\system32\Lenioenj.exe
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2088 -
C:\Windows\SysWOW64\Milaecdp.exe (depth 16), command line: C:\Windows\system32\Milaecdp.exe
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2456 -
C:\Windows\SysWOW64\Mjpkbk32.exe (depth 17), command line: C:\Windows\system32\Mjpkbk32.exe
- Executes dropped EXE
- Loads dropped DLL
PID:2484 -
C:\Windows\SysWOW64\Mhckloge.exe (depth 18), command line: C:\Windows\system32\Mhckloge.exe
- Executes dropped EXE
- Loads dropped DLL
PID:1248 -
C:\Windows\SysWOW64\Mfihml32.exe (depth 19), command line: C:\Windows\system32\Mfihml32.exe
- Executes dropped EXE
- Loads dropped DLL
PID:2204 -
C:\Windows\SysWOW64\Mmcpjfcj.exe (depth 20), command line: C:\Windows\system32\Mmcpjfcj.exe
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1076 -
C:\Windows\SysWOW64\Mfkebkjk.exe (depth 21), command line: C:\Windows\system32\Mfkebkjk.exe
- Executes dropped EXE
- Loads dropped DLL
PID:1756 -
C:\Windows\SysWOW64\Miiaogio.exe (depth 22), command line: C:\Windows\system32\Miiaogio.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2688 -
C:\Windows\SysWOW64\Nfmahkhh.exe (depth 23), command line: C:\Windows\system32\Nfmahkhh.exe
- Executes dropped EXE
- Loads dropped DLL
PID:852 -
C:\Windows\SysWOW64\Nilndfgl.exe (depth 24), command line: C:\Windows\system32\Nilndfgl.exe
- Executes dropped EXE
- Loads dropped DLL
PID:1256 -
C:\Windows\SysWOW64\Nebnigmp.exe (depth 25), command line: C:\Windows\system32\Nebnigmp.exe
- Executes dropped EXE
- Loads dropped DLL
PID:2640 -
C:\Windows\SysWOW64\Nhakecld.exe (depth 26), command line: C:\Windows\system32\Nhakecld.exe
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2084 -
C:\Windows\SysWOW64\Nokcbm32.exe (depth 27), command line: C:\Windows\system32\Nokcbm32.exe
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2664 -
C:\Windows\SysWOW64\Niqgof32.exe (depth 28), command line: C:\Windows\system32\Niqgof32.exe
- Executes dropped EXE
- Loads dropped DLL
PID:2864 -
C:\Windows\SysWOW64\Neghdg32.exe (depth 29), command line: C:\Windows\system32\Neghdg32.exe
- Executes dropped EXE
- Loads dropped DLL
PID:2160 -
C:\Windows\SysWOW64\Nhfdqb32.exe (depth 30), command line: C:\Windows\system32\Nhfdqb32.exe
- Executes dropped EXE
- Loads dropped DLL
PID:2924 -
C:\Windows\SysWOW64\Ndmeecmb.exe (depth 31), command line: C:\Windows\system32\Ndmeecmb.exe
- Executes dropped EXE
- Loads dropped DLL
PID:2888 -
C:\Windows\SysWOW64\Ngkaaolf.exe (depth 32), command line: C:\Windows\system32\Ngkaaolf.exe
- Executes dropped EXE
- Loads dropped DLL
PID:1316 -
C:\Windows\SysWOW64\Odoakckp.exe (depth 33), command line: C:\Windows\system32\Odoakckp.exe
- Executes dropped EXE
PID:936 -
C:\Windows\SysWOW64\Ogmngn32.exe (depth 34), command line: C:\Windows\system32\Ogmngn32.exe
- Executes dropped EXE
- Modifies registry class
PID:1912 -
C:\Windows\SysWOW64\Odanqb32.exe (depth 35), command line: C:\Windows\system32\Odanqb32.exe
- Executes dropped EXE
PID:3052 -
C:\Windows\SysWOW64\Ocdnloph.exe (depth 36), command line: C:\Windows\system32\Ocdnloph.exe
- Executes dropped EXE
PID:2776 -
C:\Windows\SysWOW64\Odckfb32.exe (depth 37), command line: C:\Windows\system32\Odckfb32.exe
- Executes dropped EXE
PID:2308 -
C:\Windows\SysWOW64\Oeegnj32.exe (depth 38), command line: C:\Windows\system32\Oeegnj32.exe
- Executes dropped EXE
PID:2096 -
C:\Windows\SysWOW64\Opjlkc32.exe (depth 39), command line: C:\Windows\system32\Opjlkc32.exe
- Executes dropped EXE
PID:764 -
C:\Windows\SysWOW64\Ocihgo32.exe (depth 40), command line: C:\Windows\system32\Ocihgo32.exe
- Executes dropped EXE
PID:2676 -
C:\Windows\SysWOW64\Oegdcj32.exe (depth 41), command line: C:\Windows\system32\Oegdcj32.exe
- Executes dropped EXE
PID:2056 -
C:\Windows\SysWOW64\Olalpdbc.exe (depth 42), command line: C:\Windows\system32\Olalpdbc.exe
- Executes dropped EXE
PID:2248 -
C:\Windows\SysWOW64\Oophlpag.exe (depth 43), command line: C:\Windows\system32\Oophlpag.exe
- Executes dropped EXE
PID:1788 -
C:\Windows\SysWOW64\Peiaij32.exe (depth 44), command line: C:\Windows\system32\Peiaij32.exe
- Executes dropped EXE
PID:2256 -
C:\Windows\SysWOW64\Piemih32.exe (depth 45), command line: C:\Windows\system32\Piemih32.exe
- Executes dropped EXE
PID:2564 -
C:\Windows\SysWOW64\Pkfiaqgk.exe (depth 46), command line: C:\Windows\system32\Pkfiaqgk.exe
- Executes dropped EXE
PID:3056 -
C:\Windows\SysWOW64\Phjjkefd.exe (depth 47), command line: C:\Windows\system32\Phjjkefd.exe
- Executes dropped EXE
PID:276 -
C:\Windows\SysWOW64\Pkifgpeh.exe (depth 48), command line: C:\Windows\system32\Pkifgpeh.exe
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1048 -
C:\Windows\SysWOW64\Pngbcldl.exe (depth 49), command line: C:\Windows\system32\Pngbcldl.exe
- Executes dropped EXE
PID:2012 -
C:\Windows\SysWOW64\Pdajpf32.exe (depth 50), command line: C:\Windows\system32\Pdajpf32.exe
- Executes dropped EXE
PID:2052 -
C:\Windows\SysWOW64\Pgogla32.exe (depth 51), command line: C:\Windows\system32\Pgogla32.exe
- Executes dropped EXE
PID:2984 -
C:\Windows\SysWOW64\Pniohk32.exe (depth 52), command line: C:\Windows\system32\Pniohk32.exe
- Executes dropped EXE
PID:3000 -
C:\Windows\SysWOW64\Pdcgeejf.exe (depth 53), command line: C:\Windows\system32\Pdcgeejf.exe
- Executes dropped EXE
PID:2744 -
C:\Windows\SysWOW64\Pkmobp32.exe (depth 54), command line: C:\Windows\system32\Pkmobp32.exe
- Executes dropped EXE
PID:1900 -
C:\Windows\SysWOW64\Pnllnk32.exe (depth 55), command line: C:\Windows\system32\Pnllnk32.exe
- Executes dropped EXE
PID:1948 -
C:\Windows\SysWOW64\Pchdfb32.exe (depth 56), command line: C:\Windows\system32\Pchdfb32.exe
- Executes dropped EXE
PID:3064 -
C:\Windows\SysWOW64\Qnnhcknd.exe (depth 57), command line: C:\Windows\system32\Qnnhcknd.exe
- Executes dropped EXE
PID:2900 -
C:\Windows\SysWOW64\Qqldpfmh.exe (depth 58), command line: C:\Windows\system32\Qqldpfmh.exe
- Executes dropped EXE
PID:1956 -
C:\Windows\SysWOW64\Qckalamk.exe (depth 59), command line: C:\Windows\system32\Qckalamk.exe
- Executes dropped EXE
PID:2268 -
C:\Windows\SysWOW64\Qjeihl32.exe (depth 60), command line: C:\Windows\system32\Qjeihl32.exe
- Executes dropped EXE
PID:2208 -
C:\Windows\SysWOW64\Qmcedg32.exe (depth 61), command line: C:\Windows\system32\Qmcedg32.exe
- Executes dropped EXE
PID:2392 -
C:\Windows\SysWOW64\Qgiibp32.exe (depth 62), command line: C:\Windows\system32\Qgiibp32.exe
- Executes dropped EXE
PID:832 -
C:\Windows\SysWOW64\Aijfihip.exe (depth 63), command line: C:\Windows\system32\Aijfihip.exe
- Executes dropped EXE
PID:444 -
C:\Windows\SysWOW64\Aodnfbpm.exe (depth 64), command line: C:\Windows\system32\Aodnfbpm.exe
- Executes dropped EXE
PID:2236 -
C:\Windows\SysWOW64\Abbjbnoq.exe (depth 65), command line: C:\Windows\system32\Abbjbnoq.exe
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2348 -
C:\Windows\SysWOW64\Ailboh32.exe (depth 66), command line: C:\Windows\system32\Ailboh32.exe
PID:1616 -
C:\Windows\SysWOW64\Acbglq32.exe (depth 67), command line: C:\Windows\system32\Acbglq32.exe
PID:736 -
C:\Windows\SysWOW64\Afpchl32.exe (depth 68), command line: C:\Windows\system32\Afpchl32.exe
- Drops file in System32 directory
PID:1156 -
C:\Windows\SysWOW64\Aeccdila.exe (depth 69), command line: C:\Windows\system32\Aeccdila.exe
- Drops file in System32 directory
PID:1128 -
C:\Windows\SysWOW64\Aoihaa32.exe (depth 70), command line: C:\Windows\system32\Aoihaa32.exe
PID:2988 -
C:\Windows\SysWOW64\Afbpnlcd.exe (depth 71), command line: C:\Windows\system32\Afbpnlcd.exe
PID:2880 -
C:\Windows\SysWOW64\Akphfbbl.exe (depth 72), command line: C:\Windows\system32\Akphfbbl.exe
PID:1672 -
C:\Windows\SysWOW64\Aokdga32.exe (depth 73), command line: C:\Windows\system32\Aokdga32.exe
PID:2324 -
C:\Windows\SysWOW64\Akbelbpi.exe (depth 74), command line: C:\Windows\system32\Akbelbpi.exe
PID:3016 -
C:\Windows\SysWOW64\Ajdego32.exe (depth 75), command line: C:\Windows\system32\Ajdego32.exe
PID:2276 -
C:\Windows\SysWOW64\Aaondi32.exe (depth 76), command line: C:\Windows\system32\Aaondi32.exe
PID:2004 -
C:\Windows\SysWOW64\Bghfacem.exe (depth 77), command line: C:\Windows\system32\Bghfacem.exe
- Drops file in System32 directory
- Modifies registry class
PID:1276 -
C:\Windows\SysWOW64\Bnbnnm32.exe (depth 78), command line: C:\Windows\system32\Bnbnnm32.exe
PID:2436 -
C:\Windows\SysWOW64\Bemfjgdg.exe (depth 79), command line: C:\Windows\system32\Bemfjgdg.exe
- System Location Discovery: System Language Discovery
PID:868 -
C:\Windows\SysWOW64\Bgkbfcck.exe (depth 80), command line: C:\Windows\system32\Bgkbfcck.exe
PID:1880 -
C:\Windows\SysWOW64\Bjiobnbn.exe (depth 81), command line: C:\Windows\system32\Bjiobnbn.exe
PID:1624 -
C:\Windows\SysWOW64\Bpfgke32.exe (depth 82), command line: C:\Windows\system32\Bpfgke32.exe
PID:2488 -
C:\Windows\SysWOW64\Biolckgf.exe (depth 83), command line: C:\Windows\system32\Biolckgf.exe
PID:280 -
C:\Windows\SysWOW64\Baecehhh.exe (depth 84), command line: C:\Windows\system32\Baecehhh.exe
- Modifies registry class
PID:864 -
C:\Windows\SysWOW64\Bphdpe32.exe (depth 85), command line: C:\Windows\system32\Bphdpe32.exe
PID:2824 -
C:\Windows\SysWOW64\Bjnhnn32.exe (depth 86), command line: C:\Windows\system32\Bjnhnn32.exe
PID:2868 -
C:\Windows\SysWOW64\Bmldji32.exe (depth 87), command line: C:\Windows\system32\Bmldji32.exe
PID:1988 -
C:\Windows\SysWOW64\Bbimbpld.exe (depth 88), command line: C:\Windows\system32\Bbimbpld.exe
PID:1656 -
C:\Windows\SysWOW64\Biceoj32.exe (depth 89), command line: C:\Windows\system32\Biceoj32.exe
PID:1292 -
C:\Windows\SysWOW64\Cpmmkdkn.exe (depth 90), command line: C:\Windows\system32\Cpmmkdkn.exe
PID:1120 -
C:\Windows\SysWOW64\Cbljgpja.exe (depth 91), command line: C:\Windows\system32\Cbljgpja.exe
PID:576 -
C:\Windows\SysWOW64\Ciebdj32.exe (depth 92), command line: C:\Windows\system32\Ciebdj32.exe
PID:2064 -
C:\Windows\SysWOW64\Cppjadhk.exe (depth 93), command line: C:\Windows\system32\Cppjadhk.exe
PID:2216 -
C:\Windows\SysWOW64\Cbnfmo32.exe (depth 94), command line: C:\Windows\system32\Cbnfmo32.exe
PID:112 -
C:\Windows\SysWOW64\Cihojiok.exe (depth 95), command line: C:\Windows\system32\Cihojiok.exe
- Adds autorun key to be loaded by Explorer.exe on startup
PID:624 -
C:\Windows\SysWOW64\Cjikaa32.exe (depth 96), command line: C:\Windows\system32\Cjikaa32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1732 -
C:\Windows\SysWOW64\Cbpcbo32.exe (depth 97), command line: C:\Windows\system32\Cbpcbo32.exe
PID:2312 -
C:\Windows\SysWOW64\Chmkkf32.exe (depth 98), command line: C:\Windows\system32\Chmkkf32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:1564 -
C:\Windows\SysWOW64\Ckkhga32.exe (depth 99), command line: C:\Windows\system32\Ckkhga32.exe
PID:1464 -
C:\Windows\SysWOW64\Cealdjcm.exe (depth 100), command line: C:\Windows\system32\Cealdjcm.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:2876 -
C:\Windows\SysWOW64\Cfbhlb32.exe (depth 101), command line: C:\Windows\system32\Cfbhlb32.exe
PID:2764 -
C:\Windows\SysWOW64\Coiqmp32.exe (depth 102), command line: C:\Windows\system32\Coiqmp32.exe
PID:2712 -
C:\Windows\SysWOW64\Cahmik32.exe (depth 103), command line: C:\Windows\system32\Cahmik32.exe
PID:2700 -
C:\Windows\SysWOW64\Dhaefepn.exe (depth 104), command line: C:\Windows\system32\Dhaefepn.exe
- System Location Discovery: System Language Discovery
PID:2968 -
C:\Windows\SysWOW64\Dkpabqoa.exe (depth 105), command line: C:\Windows\system32\Dkpabqoa.exe
PID:1072 -
C:\Windows\SysWOW64\Dajiok32.exe (depth 106), command line: C:\Windows\system32\Dajiok32.exe
PID:2388 -
C:\Windows\SysWOW64\Ddhekfeb.exe (depth 107), command line: C:\Windows\system32\Ddhekfeb.exe
PID:2240 -
C:\Windows\SysWOW64\Dkbnhq32.exe (depth 108), command line: C:\Windows\system32\Dkbnhq32.exe
PID:1712 -
C:\Windows\SysWOW64\Dalfdjdl.exe (depth 109), command line: C:\Windows\system32\Dalfdjdl.exe
PID:2552 -
C:\Windows\SysWOW64\Dgiomabc.exe (depth 110), command line: C:\Windows\system32\Dgiomabc.exe
PID:2336 -
C:\Windows\SysWOW64\Dkekmp32.exe (depth 111), command line: C:\Windows\system32\Dkekmp32.exe
PID:1684 -
C:\Windows\SysWOW64\Dmcgik32.exe (depth 112), command line: C:\Windows\system32\Dmcgik32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2428 -
C:\Windows\SysWOW64\Dglkba32.exe (depth 113), command line: C:\Windows\system32\Dglkba32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2932 -
C:\Windows\SysWOW64\Dijgnm32.exe (depth 114), command line: C:\Windows\system32\Dijgnm32.exe
PID:2740 -
C:\Windows\SysWOW64\Dlhdjh32.exe (depth 115), command line: C:\Windows\system32\Dlhdjh32.exe
PID:1324 -
C:\Windows\SysWOW64\Dcblgbfe.exe (depth 116), command line: C:\Windows\system32\Dcblgbfe.exe
PID:1080 -
C:\Windows\SysWOW64\Deahcneh.exe (depth 117), command line: C:\Windows\system32\Deahcneh.exe
PID:2228 -
C:\Windows\SysWOW64\Dhodpidl.exe (depth 118), command line: C:\Windows\system32\Dhodpidl.exe
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1760 -
C:\Windows\SysWOW64\Dpflqfeo.exe (depth 119), command line: C:\Windows\system32\Dpflqfeo.exe
PID:2404 -
C:\Windows\SysWOW64\Eagiho32.exe (depth 120), command line: C:\Windows\system32\Eagiho32.exe
PID:2316 -
C:\Windows\SysWOW64\Ehaaei32.exe (depth 121), command line: C:\Windows\system32\Ehaaei32.exe
PID:860 -
C:\Windows\SysWOW64\Eokiabjf.exe (depth 122), command line: C:\Windows\system32\Eokiabjf.exe
- System Location Discovery: System Language Discovery
PID:2432