Analysis
-
max time kernel
149s -
max time network
17s -
platform
windows7_x64 -
resource
win7-20240705-en -
resource tags
arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system -
submitted
23/08/2024, 19:23
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
2dea04b333b6be7b546c8201f163d7219499e176c81481b357981bdc0a05646f.exe
Resource
win7-20240705-en
windows7-x64
8 signatures
150 seconds
Behavioral task
behavioral2
Sample
2dea04b333b6be7b546c8201f163d7219499e176c81481b357981bdc0a05646f.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
7 signatures
150 seconds
General
-
Target
2dea04b333b6be7b546c8201f163d7219499e176c81481b357981bdc0a05646f.exe
-
Size
512KB
-
MD5
4da4d1f417aea7431293718aea5c7e4d
-
SHA1
de1a1659bab48d6315065380a059e21b91d17c7a
-
SHA256
2dea04b333b6be7b546c8201f163d7219499e176c81481b357981bdc0a05646f
-
SHA512
09731c5b787500454cd27cb4617fb5cffaab5b70f2667e0e8d7a35d4113c7a1f11e73b2dc151287e28b8cc5dcfdd8459ea9cebfab7c2f38150bf88129743eef0
-
SSDEEP
6144:rA9k+OBOvMe6UK+42GTQMJSZO5f7M0rx7/hP66qve6UK+42GTQMJSZO5f7wj7vKn:rA9kZ4kY660fIaDZkY660f8jTK/Xhdz
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Omaepoml.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aogqihcm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Enblpe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ifhinl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dkelhemb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fgbpmh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mnefpq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Goadik32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Omqnfiip.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fcnmne32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gfobndnj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Famhqclj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Penlon32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nfpphp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jbfpcl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hnhjok32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Anepooja.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Epdafl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pmnnomnn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dmbpaa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ddeammok.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Qcgmnh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hhobbqkc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jelbqg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Anbcio32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fkibbh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hggegknp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lekeak32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dlkfli32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gmdapoil.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ilohnopg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jelbqg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Phcbmend.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ppacfg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Amjmpk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Impdeg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Oijlpjma.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fieiephm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ianmke32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Agikmeeg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Aclfigao.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pgdfbb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jphcgq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fbkgjgqi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gfdcdi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Idhplaoe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lbghpjih.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Abnpjnem.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cpdeghgk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nikflm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Iaicpepa.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qddmbkoi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pkdknq32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pkboiamh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Anbcio32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hqmmja32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jegheghc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fcaankpf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fbkgjgqi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Qpfmageg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bqhffj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Elmoqlmh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bclbhkdj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Eemded32.exe -
Executes dropped EXE 64 IoCs
pid Process 1224 Kjhajo32.exe 2664 Lnejqmie.exe 2776 Ljljenoi.exe 2580 Lgpkobnb.exe 2948 Ljogknmf.exe 2688 Lpnlid32.exe 272 Lekeak32.exe 2928 Mgkncfdc.exe 1792 Mnefpq32.exe 2432 Mafoal32.exe 1228 Mjocja32.exe 2960 Mfedobef.exe 308 Mmolll32.exe 1972 Mdidhfdp.exe 2552 Njcmeqkl.exe 2216 Nmaialjp.exe 2176 Ndlanf32.exe 1936 Njeikpij.exe 2388 Nlgfbh32.exe 1540 Nikflm32.exe 752 Oakdkn32.exe 2524 Odiagj32.exe 1908 Omaepoml.exe 1260 Okefjcle.exe 1988 Oaonfncb.exe 2760 Okhboc32.exe 660 Omfoko32.exe 2728 Okjoec32.exe 2608 Olklmk32.exe 2888 Opghmjfg.exe 2584 Oecpeqdo.exe 2644 Ppidbidd.exe 2812 Pgcmoc32.exe 2488 Piaiko32.exe 1696 Ponadfim.exe 2984 Phgfmk32.exe 2944 Pkebig32.exe 2212 Pekffp32.exe 3028 Pldobjec.exe 1332 Pnfkjb32.exe 2136 Pdpcgl32.exe 1468 Pgnpcg32.exe 2308 Pnhhpaio.exe 2400 Qdbpml32.exe 1432 Qklhifhi.exe 2764 Qbfqfppe.exe 1976 Qddmbkoi.exe 1604 Qcgmnh32.exe 2036 Qkoeoe32.exe 1508 Qjaejbmq.exe 2868 Aqkmgl32.exe 3008 Acjjch32.exe 2600 Ajcbpbkn.exe 1656 Aclfigao.exe 2064 Aggbif32.exe 600 Ajfoea32.exe 2968 Amdkam32.exe 576 Abacjd32.exe 1648 Ajhkka32.exe 2420 Aikkgnnc.exe 1036 Aoedch32.exe 2296 Abcppcdc.exe 2556 Ainhln32.exe 568 Aogqihcm.exe -
Loads dropped DLL 64 IoCs
pid Process 1712 2dea04b333b6be7b546c8201f163d7219499e176c81481b357981bdc0a05646f.exe 1712 2dea04b333b6be7b546c8201f163d7219499e176c81481b357981bdc0a05646f.exe 1224 Kjhajo32.exe 1224 Kjhajo32.exe 2664 Lnejqmie.exe 2664 Lnejqmie.exe 2776 Ljljenoi.exe 2776 Ljljenoi.exe 2580 Lgpkobnb.exe 2580 Lgpkobnb.exe 2948 Ljogknmf.exe 2948 Ljogknmf.exe 2688 Lpnlid32.exe 2688 Lpnlid32.exe 272 Lekeak32.exe 272 Lekeak32.exe 2928 Mgkncfdc.exe 2928 Mgkncfdc.exe 1792 Mnefpq32.exe 1792 Mnefpq32.exe 2432 Mafoal32.exe 2432 Mafoal32.exe 1228 Mjocja32.exe 1228 Mjocja32.exe 2960 Mfedobef.exe 2960 Mfedobef.exe 308 Mmolll32.exe 308 Mmolll32.exe 1972 Mdidhfdp.exe 1972 Mdidhfdp.exe 2552 Njcmeqkl.exe 2552 Njcmeqkl.exe 2216 Nmaialjp.exe 2216 Nmaialjp.exe 2176 Ndlanf32.exe 2176 Ndlanf32.exe 1936 Njeikpij.exe 1936 Njeikpij.exe 2388 Nlgfbh32.exe 2388 Nlgfbh32.exe 1540 Nikflm32.exe 1540 Nikflm32.exe 752 Oakdkn32.exe 752 Oakdkn32.exe 2524 Odiagj32.exe 2524 Odiagj32.exe 1908 Omaepoml.exe 1908 Omaepoml.exe 1260 Okefjcle.exe 1260 Okefjcle.exe 1988 Oaonfncb.exe 1988 Oaonfncb.exe 2760 Okhboc32.exe 2760 Okhboc32.exe 660 Omfoko32.exe 660 Omfoko32.exe 2728 Okjoec32.exe 2728 Okjoec32.exe 2608 Olklmk32.exe 2608 Olklmk32.exe 2888 Opghmjfg.exe 2888 Opghmjfg.exe 2584 Oecpeqdo.exe 2584 Oecpeqdo.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Jffjbfpf.dll Dpnogmbl.exe File created C:\Windows\SysWOW64\Dekmoh32.dll Akfdcckn.exe File created C:\Windows\SysWOW64\Bihdfkoe.exe Bbnlia32.exe File created C:\Windows\SysWOW64\Lpoinb32.dll Deckeo32.exe File created C:\Windows\SysWOW64\Gmdapoil.exe Gfjicd32.exe File created C:\Windows\SysWOW64\Hcnech32.dll Gcnjmi32.exe File created C:\Windows\SysWOW64\Ljogknmf.exe Lgpkobnb.exe File created C:\Windows\SysWOW64\Pmdolc32.dll Chldbl32.exe File opened for modification C:\Windows\SysWOW64\Hjlhcegl.exe Hgnkgjgh.exe File created C:\Windows\SysWOW64\Pffdfm32.dll Gbhpidak.exe File created C:\Windows\SysWOW64\Ibglhhdf.exe Ipipllec.exe File opened for modification C:\Windows\SysWOW64\Mgkncfdc.exe Lekeak32.exe File opened for modification C:\Windows\SysWOW64\Cjpgnbol.exe Cgbjbgph.exe File opened for modification C:\Windows\SysWOW64\Cpdeghgk.exe Cmfikmhg.exe File created C:\Windows\SysWOW64\Pckoinol.dll Cpdeghgk.exe File opened for modification C:\Windows\SysWOW64\Fgelbhmg.exe Fqkdenfj.exe File created C:\Windows\SysWOW64\Ffppjh32.dll Ibjing32.exe File created C:\Windows\SysWOW64\Lbiapmah.dll Ndlanf32.exe File opened for modification C:\Windows\SysWOW64\Mfngdmgb.exe Mcokhaho.exe File opened for modification C:\Windows\SysWOW64\Khgnff32.exe Kgfannba.exe File created C:\Windows\SysWOW64\Mghjcq32.exe Mcmnbbja.exe File created C:\Windows\SysWOW64\Fcnmne32.exe Fldeakgp.exe File created C:\Windows\SysWOW64\Gnobopip.dll Hnfnik32.exe File created C:\Windows\SysWOW64\Kgoknohj.exe Kdaoacif.exe File created C:\Windows\SysWOW64\Fgelbhmg.exe Fqkdenfj.exe File opened for modification C:\Windows\SysWOW64\Hjjknfin.exe Hfnomgqe.exe File opened for modification C:\Windows\SysWOW64\Jhchlcjj.exe Jgbkdkdk.exe File opened for modification C:\Windows\SysWOW64\Afbbiafj.exe Acdemegf.exe File opened for modification C:\Windows\SysWOW64\Nejjfh32.exe Nannejni.exe File created C:\Windows\SysWOW64\Phaegfpg.exe Pmlajm32.exe File created C:\Windows\SysWOW64\Pnedpl32.exe Penlon32.exe File opened for modification C:\Windows\SysWOW64\Adjoqjfc.exe Aomghchl.exe File created C:\Windows\SysWOW64\Dehdpnok.exe Dbihccpg.exe File opened for modification C:\Windows\SysWOW64\Elahkl32.exe Eiclop32.exe File opened for modification C:\Windows\SysWOW64\Oecpeqdo.exe Opghmjfg.exe File created C:\Windows\SysWOW64\Iploja32.dll Jphcgq32.exe File opened for modification C:\Windows\SysWOW64\Dmkipb32.exe Dkmmdg32.exe File created C:\Windows\SysWOW64\Flgiaa32.exe Fkflii32.exe File opened for modification C:\Windows\SysWOW64\Ibafhmph.exe Ipcjlaqd.exe File created C:\Windows\SysWOW64\Kjpdoj32.exe Kkmddmop.exe File created C:\Windows\SysWOW64\Mblcbkbh.dll Ldqkqf32.exe File opened for modification C:\Windows\SysWOW64\Pnedpl32.exe Penlon32.exe File opened for modification C:\Windows\SysWOW64\Lnejqmie.exe Kjhajo32.exe File created C:\Windows\SysWOW64\Lpnlid32.exe Ljogknmf.exe File created C:\Windows\SysWOW64\Diofenki.exe Deckeo32.exe File opened for modification C:\Windows\SysWOW64\Dajkjphd.exe Dolondiq.exe File created C:\Windows\SysWOW64\Giemme32.dll Gmhkkn32.exe File created C:\Windows\SysWOW64\Hpjifj32.dll Bmacqj32.exe File opened for modification C:\Windows\SysWOW64\Cmfikmhg.exe Cijmjn32.exe File created C:\Windows\SysWOW64\Dlgaokci.dll Ipcjlaqd.exe File created C:\Windows\SysWOW64\Pfbkplni.dll Janijh32.exe File opened for modification C:\Windows\SysWOW64\Kgfannba.exe Kooimpao.exe File created C:\Windows\SysWOW64\Milcphgf.exe Mfngdmgb.exe File created C:\Windows\SysWOW64\Benolo32.dll Mfdmdlaj.exe File created C:\Windows\SysWOW64\Mckmmjof.dll Obngnphg.exe File opened for modification C:\Windows\SysWOW64\Okefjcle.exe Omaepoml.exe File created C:\Windows\SysWOW64\Qaibiqdo.dll Hidledja.exe File created C:\Windows\SysWOW64\Plfhfiqc.exe Pkdknq32.exe File opened for modification C:\Windows\SysWOW64\Cmclem32.exe Cfidhcbm.exe File created C:\Windows\SysWOW64\Dnfchj32.dll Gckmgi32.exe File created C:\Windows\SysWOW64\Gldgomqc.dll Hjjknfin.exe File created C:\Windows\SysWOW64\Cidklp32.exe Cbjbof32.exe File created C:\Windows\SysWOW64\Dmpckbci.exe Dkafofde.exe File created C:\Windows\SysWOW64\Dhplgonm.dll Phcbmend.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 6028 5968 WerFault.exe 537 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lhlgaedj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cahbem32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cfidhcbm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mdidhfdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lnipilbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Diackmif.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nannejni.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bbbedqcc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Baeepm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gaigab32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jegheghc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mbiadm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fahdja32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fgbpmh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gbhpidak.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aqkmgl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hhobbqkc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ljbmdmfc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oecpeqdo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Olablfbm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Egpfheoa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hbjmodph.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Niqijkel.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cmappn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Diljpn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ghkbepop.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pnfkjb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bgbemjqh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Imbakfcc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Joomnm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ipipllec.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jdlefd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fogkhf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iidajaiq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Njcmeqkl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pgnpcg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dkmmdg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pnedpl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fcnmne32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Foencfda.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hilbfc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ndfmgdeb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bbnlia32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Doibhekc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nagakhfn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ljogknmf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bbhikcpn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lhodgebh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lgadba32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hbomdjoo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ponadfim.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Inkgdjqn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ilohnopg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cmocjn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bgebcj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hnhjok32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ppacfg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ajfoea32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ajhkka32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ofgfio32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qokjcc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cipaqqli.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gigllafc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ipcjlaqd.exe -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Piaiko32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Gjmbohhl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hgconl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibkhjfkh.dll" Mfngdmgb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbogkp32.dll" Bbbedqcc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fjqlid32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Aikkgnnc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cmnjgo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dobmdbeg.dll" Enpoje32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hpjlca32.dll" Ianmke32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mlfpml32.dll" Lhodgebh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Oaeqeljm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oejbgc32.dll" Bmcpfj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Cflanc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Dhfpljnn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Qkoeoe32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Edenlp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Klqmaebl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Aomghchl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fgfemm32.dll" Pldobjec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Qdbpml32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fcodhl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Fhpflblk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Higikdhn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pabhlikn.dll" Kkkgnmqb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mniiepja.dll" Pmlajm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ahmbdm32.dll" Epnkfq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Chncajid.dll" Fcodhl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jbfpcl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Emjggf32.dll" Oijlpjma.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ndlanf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Fkphcg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Gjjoob32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ihehbpel.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kdehmb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mobfhl32.dll" Okhboc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bgqhfi32.dll" Bccihj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ahganf32.dll" Qljaah32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hggegknp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mnefpq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Cpjimk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kjbqei32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Lhodgebh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kgjpfago.dll" Obbpio32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Qjnajl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bmfjmn32.dll" Bmogkkkd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Cgpnlgak.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Deepbglo.dll" Cijmjn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Gfobndnj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Iblfcg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Caenln32.dll" Bglhcihn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Nagakhfn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bmacqj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cjbccb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Llfkmdlc.dll" Dmcidqlf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Emjoep32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Eddgaj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cickgk32.dll" Oecpeqdo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jpidah32.dll" Chigmlml.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Nldbbbno.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Nmjhejph.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Nmaialjp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jpjpmqjl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Koafcppm.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1712 wrote to memory of 1224 1712 2dea04b333b6be7b546c8201f163d7219499e176c81481b357981bdc0a05646f.exe 29 PID 1712 wrote to memory of 1224 1712 2dea04b333b6be7b546c8201f163d7219499e176c81481b357981bdc0a05646f.exe 29 PID 1712 wrote to memory of 1224 1712 2dea04b333b6be7b546c8201f163d7219499e176c81481b357981bdc0a05646f.exe 29 PID 1712 wrote to memory of 1224 1712 2dea04b333b6be7b546c8201f163d7219499e176c81481b357981bdc0a05646f.exe 29 PID 1224 wrote to memory of 2664 1224 Kjhajo32.exe 30 PID 1224 wrote to memory of 2664 1224 Kjhajo32.exe 30 PID 1224 wrote to memory of 2664 1224 Kjhajo32.exe 30 PID 1224 wrote to memory of 2664 1224 Kjhajo32.exe 30 PID 2664 wrote to memory of 2776 2664 Lnejqmie.exe 31 PID 2664 wrote to memory of 2776 2664 Lnejqmie.exe 31 PID 2664 wrote to memory of 2776 2664 Lnejqmie.exe 31 PID 2664 wrote to memory of 2776 2664 Lnejqmie.exe 31 PID 2776 wrote to memory of 2580 2776 Ljljenoi.exe 32 PID 2776 wrote to memory of 2580 2776 Ljljenoi.exe 32 PID 2776 wrote to memory of 2580 2776 Ljljenoi.exe 32 PID 2776 wrote to memory of 2580 2776 Ljljenoi.exe 32 PID 2580 wrote to memory of 2948 2580 Lgpkobnb.exe 33 PID 2580 wrote to memory of 2948 2580 Lgpkobnb.exe 33 PID 2580 wrote to memory of 2948 2580 Lgpkobnb.exe 33 PID 2580 wrote to memory of 2948 2580 Lgpkobnb.exe 33 PID 2948 wrote to memory of 2688 2948 Ljogknmf.exe 34 PID 2948 wrote to memory of 2688 2948 Ljogknmf.exe 34 PID 2948 wrote to memory of 2688 2948 Ljogknmf.exe 34 PID 2948 wrote to memory of 2688 2948 Ljogknmf.exe 34 PID 2688 wrote to memory of 272 2688 Lpnlid32.exe 35 PID 2688 wrote to memory of 272 2688 Lpnlid32.exe 35 PID 2688 wrote to memory of 272 2688 Lpnlid32.exe 35 PID 2688 wrote to memory of 272 2688 Lpnlid32.exe 35 PID 272 wrote to memory of 2928 272 Lekeak32.exe 36 PID 272 wrote to memory of 2928 272 Lekeak32.exe 36 PID 272 wrote to memory of 2928 272 Lekeak32.exe 36 PID 272 wrote to memory of 2928 272 Lekeak32.exe 36 PID 2928 wrote to memory of 1792 2928 Mgkncfdc.exe 37 PID 2928 wrote to memory of 1792 2928 Mgkncfdc.exe 37 PID 2928 wrote to memory of 1792 2928 Mgkncfdc.exe 37 PID 2928 wrote to memory of 1792 2928 Mgkncfdc.exe 37 PID 1792 wrote to memory of 2432 1792 Mnefpq32.exe 38 PID 1792 wrote to memory of 2432 1792 Mnefpq32.exe 38 PID 1792 wrote to memory of 2432 1792 Mnefpq32.exe 38 PID 1792 wrote to memory of 2432 1792 Mnefpq32.exe 38 PID 2432 wrote to memory of 1228 2432 Mafoal32.exe 39 PID 2432 wrote to memory of 1228 2432 Mafoal32.exe 39 PID 2432 wrote to memory of 1228 2432 Mafoal32.exe 39 PID 2432 wrote to memory of 1228 2432 Mafoal32.exe 39 PID 1228 wrote to memory of 2960 1228 Mjocja32.exe 40 PID 1228 wrote to memory of 2960 1228 Mjocja32.exe 40 PID 1228 wrote to memory of 2960 1228 Mjocja32.exe 40 PID 1228 wrote to memory of 2960 1228 Mjocja32.exe 40 PID 2960 wrote to memory of 308 2960 Mfedobef.exe 41 PID 2960 wrote to memory of 308 2960 Mfedobef.exe 41 PID 2960 wrote to memory of 308 2960 Mfedobef.exe 41 PID 2960 wrote to memory of 308 2960 Mfedobef.exe 41 PID 308 wrote to memory of 1972 308 Mmolll32.exe 42 PID 308 wrote to memory of 1972 308 Mmolll32.exe 42 PID 308 wrote to memory of 1972 308 Mmolll32.exe 42 PID 308 wrote to memory of 1972 308 Mmolll32.exe 42 PID 1972 wrote to memory of 2552 1972 Mdidhfdp.exe 43 PID 1972 wrote to memory of 2552 1972 Mdidhfdp.exe 43 PID 1972 wrote to memory of 2552 1972 Mdidhfdp.exe 43 PID 1972 wrote to memory of 2552 1972 Mdidhfdp.exe 43 PID 2552 wrote to memory of 2216 2552 Njcmeqkl.exe 44 PID 2552 wrote to memory of 2216 2552 Njcmeqkl.exe 44 PID 2552 wrote to memory of 2216 2552 Njcmeqkl.exe 44 PID 2552 wrote to memory of 2216 2552 Njcmeqkl.exe 44
Processes
-
C:\Users\Admin\AppData\Local\Temp\2dea04b333b6be7b546c8201f163d7219499e176c81481b357981bdc0a05646f.exe"C:\Users\Admin\AppData\Local\Temp\2dea04b333b6be7b546c8201f163d7219499e176c81481b357981bdc0a05646f.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1712 -
C:\Windows\SysWOW64\Kjhajo32.exeC:\Windows\system32\Kjhajo32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1224 -
C:\Windows\SysWOW64\Lnejqmie.exeC:\Windows\system32\Lnejqmie.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2664 -
C:\Windows\SysWOW64\Ljljenoi.exeC:\Windows\system32\Ljljenoi.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2776 -
C:\Windows\SysWOW64\Lgpkobnb.exeC:\Windows\system32\Lgpkobnb.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2580 -
C:\Windows\SysWOW64\Ljogknmf.exeC:\Windows\system32\Ljogknmf.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2948 -
C:\Windows\SysWOW64\Lpnlid32.exeC:\Windows\system32\Lpnlid32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2688 -
C:\Windows\SysWOW64\Lekeak32.exeC:\Windows\system32\Lekeak32.exe8⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:272 -
C:\Windows\SysWOW64\Mgkncfdc.exeC:\Windows\system32\Mgkncfdc.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2928 -
C:\Windows\SysWOW64\Mnefpq32.exeC:\Windows\system32\Mnefpq32.exe10⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1792 -
C:\Windows\SysWOW64\Mafoal32.exeC:\Windows\system32\Mafoal32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2432 -
C:\Windows\SysWOW64\Mjocja32.exeC:\Windows\system32\Mjocja32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1228 -
C:\Windows\SysWOW64\Mfedobef.exeC:\Windows\system32\Mfedobef.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2960 -
C:\Windows\SysWOW64\Mmolll32.exeC:\Windows\system32\Mmolll32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:308 -
C:\Windows\SysWOW64\Mdidhfdp.exeC:\Windows\system32\Mdidhfdp.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1972 -
C:\Windows\SysWOW64\Njcmeqkl.exeC:\Windows\system32\Njcmeqkl.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2552 -
C:\Windows\SysWOW64\Nmaialjp.exeC:\Windows\system32\Nmaialjp.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2216 -
C:\Windows\SysWOW64\Ndlanf32.exeC:\Windows\system32\Ndlanf32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:2176 -
C:\Windows\SysWOW64\Njeikpij.exeC:\Windows\system32\Njeikpij.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1936 -
C:\Windows\SysWOW64\Nlgfbh32.exeC:\Windows\system32\Nlgfbh32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2388 -
C:\Windows\SysWOW64\Nikflm32.exeC:\Windows\system32\Nikflm32.exe21⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1540 -
C:\Windows\SysWOW64\Oakdkn32.exeC:\Windows\system32\Oakdkn32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:752 -
C:\Windows\SysWOW64\Odiagj32.exeC:\Windows\system32\Odiagj32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2524 -
C:\Windows\SysWOW64\Omaepoml.exeC:\Windows\system32\Omaepoml.exe24⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1908 -
C:\Windows\SysWOW64\Okefjcle.exeC:\Windows\system32\Okefjcle.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1260 -
C:\Windows\SysWOW64\Oaonfncb.exeC:\Windows\system32\Oaonfncb.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1988 -
C:\Windows\SysWOW64\Okhboc32.exeC:\Windows\system32\Okhboc32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2760 -
C:\Windows\SysWOW64\Omfoko32.exeC:\Windows\system32\Omfoko32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:660 -
C:\Windows\SysWOW64\Okjoec32.exeC:\Windows\system32\Okjoec32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2728 -
C:\Windows\SysWOW64\Olklmk32.exeC:\Windows\system32\Olklmk32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2608 -
C:\Windows\SysWOW64\Opghmjfg.exeC:\Windows\system32\Opghmjfg.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2888 -
C:\Windows\SysWOW64\Oecpeqdo.exeC:\Windows\system32\Oecpeqdo.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2584 -
C:\Windows\SysWOW64\Ppidbidd.exeC:\Windows\system32\Ppidbidd.exe33⤵
- Executes dropped EXE
PID:2644 -
C:\Windows\SysWOW64\Pgcmoc32.exeC:\Windows\system32\Pgcmoc32.exe34⤵
- Executes dropped EXE
PID:2812 -
C:\Windows\SysWOW64\Piaiko32.exeC:\Windows\system32\Piaiko32.exe35⤵
- Executes dropped EXE
- Modifies registry class
PID:2488 -
C:\Windows\SysWOW64\Ponadfim.exeC:\Windows\system32\Ponadfim.exe36⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1696 -
C:\Windows\SysWOW64\Phgfmk32.exeC:\Windows\system32\Phgfmk32.exe37⤵
- Executes dropped EXE
PID:2984 -
C:\Windows\SysWOW64\Pkebig32.exeC:\Windows\system32\Pkebig32.exe38⤵
- Executes dropped EXE
PID:2944 -
C:\Windows\SysWOW64\Pekffp32.exeC:\Windows\system32\Pekffp32.exe39⤵
- Executes dropped EXE
PID:2212 -
C:\Windows\SysWOW64\Pldobjec.exeC:\Windows\system32\Pldobjec.exe40⤵
- Executes dropped EXE
- Modifies registry class
PID:3028 -
C:\Windows\SysWOW64\Pnfkjb32.exeC:\Windows\system32\Pnfkjb32.exe41⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1332 -
C:\Windows\SysWOW64\Pdpcgl32.exeC:\Windows\system32\Pdpcgl32.exe42⤵
- Executes dropped EXE
PID:2136 -
C:\Windows\SysWOW64\Pgnpcg32.exeC:\Windows\system32\Pgnpcg32.exe43⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1468 -
C:\Windows\SysWOW64\Pnhhpaio.exeC:\Windows\system32\Pnhhpaio.exe44⤵
- Executes dropped EXE
PID:2308 -
C:\Windows\SysWOW64\Qdbpml32.exeC:\Windows\system32\Qdbpml32.exe45⤵
- Executes dropped EXE
- Modifies registry class
PID:2400 -
C:\Windows\SysWOW64\Qklhifhi.exeC:\Windows\system32\Qklhifhi.exe46⤵
- Executes dropped EXE
PID:1432 -
C:\Windows\SysWOW64\Qbfqfppe.exeC:\Windows\system32\Qbfqfppe.exe47⤵
- Executes dropped EXE
PID:2764 -
C:\Windows\SysWOW64\Qddmbkoi.exeC:\Windows\system32\Qddmbkoi.exe48⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1976 -
C:\Windows\SysWOW64\Qcgmnh32.exeC:\Windows\system32\Qcgmnh32.exe49⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1604 -
C:\Windows\SysWOW64\Qkoeoe32.exeC:\Windows\system32\Qkoeoe32.exe50⤵
- Executes dropped EXE
- Modifies registry class
PID:2036 -
C:\Windows\SysWOW64\Qjaejbmq.exeC:\Windows\system32\Qjaejbmq.exe51⤵
- Executes dropped EXE
PID:1508 -
C:\Windows\SysWOW64\Aqkmgl32.exeC:\Windows\system32\Aqkmgl32.exe52⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2868 -
C:\Windows\SysWOW64\Acjjch32.exeC:\Windows\system32\Acjjch32.exe53⤵
- Executes dropped EXE
PID:3008 -
C:\Windows\SysWOW64\Ajcbpbkn.exeC:\Windows\system32\Ajcbpbkn.exe54⤵
- Executes dropped EXE
PID:2600 -
C:\Windows\SysWOW64\Aclfigao.exeC:\Windows\system32\Aclfigao.exe55⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1656 -
C:\Windows\SysWOW64\Aggbif32.exeC:\Windows\system32\Aggbif32.exe56⤵
- Executes dropped EXE
PID:2064 -
C:\Windows\SysWOW64\Ajfoea32.exeC:\Windows\system32\Ajfoea32.exe57⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:600 -
C:\Windows\SysWOW64\Amdkam32.exeC:\Windows\system32\Amdkam32.exe58⤵
- Executes dropped EXE
PID:2968 -
C:\Windows\SysWOW64\Abacjd32.exeC:\Windows\system32\Abacjd32.exe59⤵
- Executes dropped EXE
PID:576 -
C:\Windows\SysWOW64\Ajhkka32.exeC:\Windows\system32\Ajhkka32.exe60⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1648 -
C:\Windows\SysWOW64\Aikkgnnc.exeC:\Windows\system32\Aikkgnnc.exe61⤵
- Executes dropped EXE
- Modifies registry class
PID:2420 -
C:\Windows\SysWOW64\Aoedch32.exeC:\Windows\system32\Aoedch32.exe62⤵
- Executes dropped EXE
PID:1036 -
C:\Windows\SysWOW64\Abcppcdc.exeC:\Windows\system32\Abcppcdc.exe63⤵
- Executes dropped EXE
PID:2296 -
C:\Windows\SysWOW64\Ainhln32.exeC:\Windows\system32\Ainhln32.exe64⤵
- Executes dropped EXE
PID:2556 -
C:\Windows\SysWOW64\Aogqihcm.exeC:\Windows\system32\Aogqihcm.exe65⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:568 -
C:\Windows\SysWOW64\Abfmecba.exeC:\Windows\system32\Abfmecba.exe66⤵PID:3064
-
C:\Windows\SysWOW64\Afaieb32.exeC:\Windows\system32\Afaieb32.exe67⤵PID:2328
-
C:\Windows\SysWOW64\Bgbemjqh.exeC:\Windows\system32\Bgbemjqh.exe68⤵
- System Location Discovery: System Language Discovery
PID:1996 -
C:\Windows\SysWOW64\Bbhikcpn.exeC:\Windows\system32\Bbhikcpn.exe69⤵
- System Location Discovery: System Language Discovery
PID:1608 -
C:\Windows\SysWOW64\Bakjfp32.exeC:\Windows\system32\Bakjfp32.exe70⤵PID:3024
-
C:\Windows\SysWOW64\Bgebcj32.exeC:\Windows\system32\Bgebcj32.exe71⤵
- System Location Discovery: System Language Discovery
PID:2864 -
C:\Windows\SysWOW64\Bjcnoe32.exeC:\Windows\system32\Bjcnoe32.exe72⤵PID:2696
-
C:\Windows\SysWOW64\Beibln32.exeC:\Windows\system32\Beibln32.exe73⤵PID:1788
-
C:\Windows\SysWOW64\Bclbhkdj.exeC:\Windows\system32\Bclbhkdj.exe74⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2484 -
C:\Windows\SysWOW64\Bkckihel.exeC:\Windows\system32\Bkckihel.exe75⤵PID:2796
-
C:\Windows\SysWOW64\Bmdgqp32.exeC:\Windows\system32\Bmdgqp32.exe76⤵PID:2912
-
C:\Windows\SysWOW64\Bcnomjbg.exeC:\Windows\system32\Bcnomjbg.exe77⤵PID:548
-
C:\Windows\SysWOW64\Bgjknijp.exeC:\Windows\system32\Bgjknijp.exe78⤵PID:2228
-
C:\Windows\SysWOW64\Bjhgjdjd.exeC:\Windows\system32\Bjhgjdjd.exe79⤵PID:2116
-
C:\Windows\SysWOW64\Bndckc32.exeC:\Windows\system32\Bndckc32.exe80⤵PID:1136
-
C:\Windows\SysWOW64\Bglhcihn.exeC:\Windows\system32\Bglhcihn.exe81⤵
- Modifies registry class
PID:2528 -
C:\Windows\SysWOW64\Bjjdpdga.exeC:\Windows\system32\Bjjdpdga.exe82⤵PID:1948
-
C:\Windows\SysWOW64\Badlln32.exeC:\Windows\system32\Badlln32.exe83⤵PID:3056
-
C:\Windows\SysWOW64\Bccihj32.exeC:\Windows\system32\Bccihj32.exe84⤵
- Modifies registry class
PID:1240 -
C:\Windows\SysWOW64\Cfaedeme.exeC:\Windows\system32\Cfaedeme.exe85⤵PID:1704
-
C:\Windows\SysWOW64\Cipaqqli.exeC:\Windows\system32\Cipaqqli.exe86⤵
- System Location Discovery: System Language Discovery
PID:2940 -
C:\Windows\SysWOW64\Cmkmao32.exeC:\Windows\system32\Cmkmao32.exe87⤵PID:2732
-
C:\Windows\SysWOW64\Cpjimk32.exeC:\Windows\system32\Cpjimk32.exe88⤵
- Modifies registry class
PID:2832 -
C:\Windows\SysWOW64\Cefbfa32.exeC:\Windows\system32\Cefbfa32.exe89⤵PID:2172
-
C:\Windows\SysWOW64\Cibnfpjg.exeC:\Windows\system32\Cibnfpjg.exe90⤵PID:2404
-
C:\Windows\SysWOW64\Cmnjgo32.exeC:\Windows\system32\Cmnjgo32.exe91⤵
- Modifies registry class
PID:2844 -
C:\Windows\SysWOW64\Clqjblij.exeC:\Windows\system32\Clqjblij.exe92⤵PID:2560
-
C:\Windows\SysWOW64\Cbjbof32.exeC:\Windows\system32\Cbjbof32.exe93⤵
- Drops file in System32 directory
PID:2344 -
C:\Windows\SysWOW64\Cidklp32.exeC:\Windows\system32\Cidklp32.exe94⤵PID:1456
-
C:\Windows\SysWOW64\Clcghk32.exeC:\Windows\system32\Clcghk32.exe95⤵PID:852
-
C:\Windows\SysWOW64\Cbmoeeod.exeC:\Windows\system32\Cbmoeeod.exe96⤵PID:2140
-
C:\Windows\SysWOW64\Chigmlml.exeC:\Windows\system32\Chigmlml.exe97⤵
- Modifies registry class
PID:1440 -
C:\Windows\SysWOW64\Ckhdihlp.exeC:\Windows\system32\Ckhdihlp.exe98⤵PID:2268
-
C:\Windows\SysWOW64\Cablfb32.exeC:\Windows\system32\Cablfb32.exe99⤵PID:2448
-
C:\Windows\SysWOW64\Chldbl32.exeC:\Windows\system32\Chldbl32.exe100⤵
- Drops file in System32 directory
PID:2780 -
C:\Windows\SysWOW64\Dmimkc32.exeC:\Windows\system32\Dmimkc32.exe101⤵PID:2860
-
C:\Windows\SysWOW64\Depelp32.exeC:\Windows\system32\Depelp32.exe102⤵PID:2740
-
C:\Windows\SysWOW64\Ddbegmqm.exeC:\Windows\system32\Ddbegmqm.exe103⤵PID:2204
-
C:\Windows\SysWOW64\Dkmmdg32.exeC:\Windows\system32\Dkmmdg32.exe104⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2476 -
C:\Windows\SysWOW64\Dmkipb32.exeC:\Windows\system32\Dmkipb32.exe105⤵PID:2932
-
C:\Windows\SysWOW64\Ddeammok.exeC:\Windows\system32\Ddeammok.exe106⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2988 -
C:\Windows\SysWOW64\Dhqnnk32.exeC:\Windows\system32\Dhqnnk32.exe107⤵PID:1940
-
C:\Windows\SysWOW64\Dibjec32.exeC:\Windows\system32\Dibjec32.exe108⤵PID:2372
-
C:\Windows\SysWOW64\Daibfa32.exeC:\Windows\system32\Daibfa32.exe109⤵PID:1108
-
C:\Windows\SysWOW64\Dbjonicb.exeC:\Windows\system32\Dbjonicb.exe110⤵PID:676
-
C:\Windows\SysWOW64\Dkafofde.exeC:\Windows\system32\Dkafofde.exe111⤵
- Drops file in System32 directory
PID:628 -
C:\Windows\SysWOW64\Dmpckbci.exeC:\Windows\system32\Dmpckbci.exe112⤵PID:2120
-
C:\Windows\SysWOW64\Dpnogmbl.exeC:\Windows\system32\Dpnogmbl.exe113⤵
- Drops file in System32 directory
PID:2304 -
C:\Windows\SysWOW64\Dghgdg32.exeC:\Windows\system32\Dghgdg32.exe114⤵PID:2884
-
C:\Windows\SysWOW64\Dekgpdqc.exeC:\Windows\system32\Dekgpdqc.exe115⤵PID:2156
-
C:\Windows\SysWOW64\Dmbpaa32.exeC:\Windows\system32\Dmbpaa32.exe116⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2024 -
C:\Windows\SysWOW64\Dpqlmm32.exeC:\Windows\system32\Dpqlmm32.exe117⤵PID:872
-
C:\Windows\SysWOW64\Dcohih32.exeC:\Windows\system32\Dcohih32.exe118⤵PID:2492
-
C:\Windows\SysWOW64\Eemded32.exeC:\Windows\system32\Eemded32.exe119⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2108 -
C:\Windows\SysWOW64\Eiipfbgj.exeC:\Windows\system32\Eiipfbgj.exe120⤵PID:1672
-
C:\Windows\SysWOW64\Epchbm32.exeC:\Windows\system32\Epchbm32.exe121⤵PID:3048
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-