Analysis

max time kernel: 148s
max time network: 18s
platform: windows7_x64
resource: win7-20240705-en
resource tags: arch:x64, arch:x86, image:win7-20240705-en, locale:en-us, os:windows7-x64, system
submitted: 25-08-2024 05:47

Static task: static1
Behavioral task: behavioral1
  Sample: d10279f8321ade09637f8c84f691cc2f07deb6e38d43de47d3c3a098bcf615ee.exe
  Resource: win7-20240705-en
Behavioral task: behavioral2
  Sample: d10279f8321ade09637f8c84f691cc2f07deb6e38d43de47d3c3a098bcf615ee.exe
  Resource: win10v2004-20240802-en
General

Target: d10279f8321ade09637f8c84f691cc2f07deb6e38d43de47d3c3a098bcf615ee.exe
Size: 415KB
MD5: 8c52462a8b99c6731e5add7d8b942884
SHA1: 62760666ea6cb08e3c95fce8b685a6fe0e053e58
SHA256: d10279f8321ade09637f8c84f691cc2f07deb6e38d43de47d3c3a098bcf615ee
SHA512: 74035edc2350a3ea2837cf011a31e5dee8d1abe5eb9a13058a4f76d8f3f9d0f454d8dc4eb014151f571cf9def8ac03814e4d011551c0d4c743bde6770063896e
SSDEEP: 12288:hlAoWj7NtInBBBBBBBBBBBBBBBBBBBBBBBBB0kfBBBBBBBBBBBBBBBBBBBBBBBBL:DAklp
Malware Config
Signatures
Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)

description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Piljqo32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Egimam32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Klmickld.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Lldodjel.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Mnakgq32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Opijokdo.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Dmbemc32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Keefaj32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ehmfoe32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Iligje32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Namgmp32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bbjhkhqa.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Hfbeaiaj.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Hmoqnijp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Pdgocmmq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Cepjhb32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Jhmqncai.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Cphbeakl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Knfoloio.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Lnjefage.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Qemefdnj.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bpaejlmh.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Hkomipoa.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Fmkkdg32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ikejlq32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Jgqdlaka.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Dojhek32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Odkhmhcb.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Fmkdbe32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Gkgnebjj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ihdaje32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Kdbdoini.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ldpdhmcg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Njhhke32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Allfnnba.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Bgojej32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Mgkicecm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Plophihc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Jijgmm32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Mfomabme.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Aojcji32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Imlimgkb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Lohnndlj.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ionigpcn.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ldlphf32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Mqejajgk.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Nkknocga.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Fgglka32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Hgfnnaee.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Jaeegi32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Kodhda32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Kepmfkbn.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ijndkaoj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ikejlq32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Mpbhoigk.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Pdgocmmq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Gmpnbe32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Popijded.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Egimam32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Iahlhl32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Jambbn32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Iaeihfen.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Nmenmj32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Iafpbl32.exe
Executes dropped EXE (64 IoCs)

pid | Process
3004 | Cphbeakl.exe
1476 | Ciagnf32.exe
2112 | Cpkokq32.exe
2224 | Canhhhme.exe
2816 | Dhhpdb32.exe
2532 | Dkiifnab.exe
2008 | Deoncfai.exe
2656 | Dphodd32.exe
2672 | Dknbam32.exe
2604 | Dcigfo32.exe
924 | Dicpbibe.exe
2600 | Epoddcgp.exe
2680 | Egimam32.exe
1576 | Eodafp32.exe
2856 | Eeojbj32.exe
3020 | Ehmfoe32.exe
2004 | Enlkll32.exe
2476 | Fokhfo32.exe
2480 | Fnnhbkmj.exe
1988 | Fpmdngln.exe
1344 | Fgglka32.exe
2204 | Fnqdgkkg.exe
1136 | Fdkmde32.exe
2084 | Flfaigpo.exe
3012 | Fqanif32.exe
2972 | Fgkffpoe.exe
2468 | Fjjbblni.exe
1596 | Fmhnngnl.exe
1724 | Fcbfka32.exe
2108 | Fmkkdg32.exe
2676 | Gcdcqacf.exe
2760 | Gialihan.exe
3000 | Gkphecpa.exe
2624 | Gfelblph.exe
2152 | Gkbdjc32.exe
2952 | Gfhihl32.exe
2688 | Gifedg32.exe
2784 | Gqajhi32.exe
2756 | Gemfihbm.exe
2892 | Gkgnebjj.exe
1588 | Gqcfniha.exe
1072 | Gcbcjdge.exe
2384 | Hjlkfo32.exe
2340 | Hngggmgk.exe
1584 | Hafccifn.exe
2232 | Hcdppdeb.exe
868 | Hfcllpdf.exe
1768 | Hmmdhjlb.exe
3048 | Hpkpdekf.exe
2436 | Hjqdankl.exe
2444 | Hmoqnijp.exe
2988 | Hpmmjeic.exe
2528 | Hblifphg.exe
2652 | Hjcagnii.exe
2632 | Hmamci32.exe
3068 | Hckepcoj.exe
2848 | Hfjbloon.exe
2464 | Hihnhjna.exe
2864 | Hpbfed32.exe
2908 | Ieoomk32.exe
2928 | Iijknjlo.exe
1140 | Iligje32.exe
2336 | Ingcfq32.exe
1472 | Iafpbl32.exe
Loads dropped DLL (64 IoCs)

pid | Process
1592 | d10279f8321ade09637f8c84f691cc2f07deb6e38d43de47d3c3a098bcf615ee.exe
1592 | d10279f8321ade09637f8c84f691cc2f07deb6e38d43de47d3c3a098bcf615ee.exe
3004 | Cphbeakl.exe
3004 | Cphbeakl.exe
1476 | Ciagnf32.exe
1476 | Ciagnf32.exe
2112 | Cpkokq32.exe
2112 | Cpkokq32.exe
2224 | Canhhhme.exe
2224 | Canhhhme.exe
2816 | Dhhpdb32.exe
2816 | Dhhpdb32.exe
2532 | Dkiifnab.exe
2532 | Dkiifnab.exe
2008 | Deoncfai.exe
2008 | Deoncfai.exe
2656 | Dphodd32.exe
2656 | Dphodd32.exe
2672 | Dknbam32.exe
2672 | Dknbam32.exe
2604 | Dcigfo32.exe
2604 | Dcigfo32.exe
924 | Dicpbibe.exe
924 | Dicpbibe.exe
2600 | Epoddcgp.exe
2600 | Epoddcgp.exe
2680 | Egimam32.exe
2680 | Egimam32.exe
1576 | Eodafp32.exe
1576 | Eodafp32.exe
2856 | Eeojbj32.exe
2856 | Eeojbj32.exe
3020 | Ehmfoe32.exe
3020 | Ehmfoe32.exe
2004 | Enlkll32.exe
2004 | Enlkll32.exe
2476 | Fokhfo32.exe
2476 | Fokhfo32.exe
2480 | Fnnhbkmj.exe
2480 | Fnnhbkmj.exe
1988 | Fpmdngln.exe
1988 | Fpmdngln.exe
1344 | Fgglka32.exe
1344 | Fgglka32.exe
2204 | Fnqdgkkg.exe
2204 | Fnqdgkkg.exe
1136 | Fdkmde32.exe
1136 | Fdkmde32.exe
2084 | Flfaigpo.exe
2084 | Flfaigpo.exe
3012 | Fqanif32.exe
3012 | Fqanif32.exe
2972 | Fgkffpoe.exe
2972 | Fgkffpoe.exe
2468 | Fjjbblni.exe
2468 | Fjjbblni.exe
1596 | Fmhnngnl.exe
1596 | Fmhnngnl.exe
1724 | Fcbfka32.exe
1724 | Fcbfka32.exe
2108 | Fmkkdg32.exe
2108 | Fmkkdg32.exe
2676 | Gcdcqacf.exe
2676 | Gcdcqacf.exe
Drops file in System32 directory (64 IoCs)

description | ioc | Process
File created | C:\Windows\SysWOW64\Jijgmm32.exe | Jflkqa32.exe
File created | C:\Windows\SysWOW64\Qbnlci32.dll | Mpbhoigk.exe
File created | C:\Windows\SysWOW64\Phkecmkb.exe | Oemigaln.exe
File created | C:\Windows\SysWOW64\Blghbpig.dll | Mkfedd32.exe
File created | C:\Windows\SysWOW64\Henkhmqh.dll | Lldodjel.exe
File created | C:\Windows\SysWOW64\Cgljnn32.exe | Cfkmgfee.exe
File created | C:\Windows\SysWOW64\Dikbgd32.exe | Depggelh.exe
File created | C:\Windows\SysWOW64\Imimgg32.exe | Ijkqkl32.exe
File created | C:\Windows\SysWOW64\Fmkdbe32.exe | Eiphagch.exe
File opened for modification | C:\Windows\SysWOW64\Icfaia32.exe | Ilojhc32.exe
File opened for modification | C:\Windows\SysWOW64\Lgejfc32.exe | Lcineean.exe
File created | C:\Windows\SysWOW64\Mcijdh32.exe | Mdfjikmo.exe
File created | C:\Windows\SysWOW64\Flelopgd.dll | Ajhmffin.exe
File opened for modification | C:\Windows\SysWOW64\Bfhqaf32.exe | Bbmeqgoo.exe
File opened for modification | C:\Windows\SysWOW64\Nediboam.exe | Nbemfc32.exe
File created | C:\Windows\SysWOW64\Pclleiah.exe | Pakpma32.exe
File created | C:\Windows\SysWOW64\Jmpojp32.dll | Lhpidjgk.exe
File created | C:\Windows\SysWOW64\Kodhda32.exe | Klelhf32.exe
File created | C:\Windows\SysWOW64\Mfgpfmoa.exe | Momgic32.exe
File created | C:\Windows\SysWOW64\Mkfedd32.exe | Mgkicecm.exe
File created | C:\Windows\SysWOW64\Fmhnngnl.exe | Fjjbblni.exe
File created | C:\Windows\SysWOW64\Omeonfci.dll | Opgmilfa.exe
File created | C:\Windows\SysWOW64\Cebgmbgj.exe | Ckjbdlaj.exe
File created | C:\Windows\SysWOW64\Lgfcib32.exe | Keefaj32.exe
File created | C:\Windows\SysWOW64\Nmfdgq32.exe | Njhhke32.exe
File opened for modification | C:\Windows\SysWOW64\Bbmeqgoo.exe | Bkcldm32.exe
File created | C:\Windows\SysWOW64\Pphochbo.exe | Plmcbj32.exe
File created | C:\Windows\SysWOW64\Bpmqofpn.dll | Gkgnebjj.exe
File created | C:\Windows\SysWOW64\Jekopgog.dll | Mdfjikmo.exe
File opened for modification | C:\Windows\SysWOW64\Aafbaebk.exe | Apefim32.exe
File opened for modification | C:\Windows\SysWOW64\Gjpdpjec.exe | Ghnhib32.exe
File created | C:\Windows\SysWOW64\Ldomnfok.exe | Llhemioi.exe
File opened for modification | C:\Windows\SysWOW64\Niehal32.exe | Njbheojf.exe
File opened for modification | C:\Windows\SysWOW64\Gkgnebjj.exe | Gemfihbm.exe
File opened for modification | C:\Windows\SysWOW64\Jdnodf32.exe | Ikejlq32.exe
File created | C:\Windows\SysWOW64\Pidgldkh.exe | Pgekphld.exe
File opened for modification | C:\Windows\SysWOW64\Caihbc32.exe | Cmnladee.exe
File created | C:\Windows\SysWOW64\Mfillm32.exe | Mnbdjp32.exe
File created | C:\Windows\SysWOW64\Ajhbbh32.dll | Dphodd32.exe
File opened for modification | C:\Windows\SysWOW64\Fqanif32.exe | Flfaigpo.exe
File opened for modification | C:\Windows\SysWOW64\Ihdaje32.exe | Iajimked.exe
File opened for modification | C:\Windows\SysWOW64\Jlmmdhii.exe | Jioqhlje.exe
File created | C:\Windows\SysWOW64\Bbjhkhqa.exe | Bchhpk32.exe
File created | C:\Windows\SysWOW64\Cpcbpk32.exe | Cgljnn32.exe
File created | C:\Windows\SysWOW64\Dbajkj32.exe | Ddojomfj.exe
File created | C:\Windows\SysWOW64\Egalekdd.exe | Ecfpem32.exe
File created | C:\Windows\SysWOW64\Nkkckpkg.dll | Lcineean.exe
File created | C:\Windows\SysWOW64\Nefagl32.dll | Adihhp32.exe
File created | C:\Windows\SysWOW64\Cocdmifd.dll | Hjdjjmdi.exe
File opened for modification | C:\Windows\SysWOW64\Omhampgn.exe | Njjeqegj.exe
File created | C:\Windows\SysWOW64\Odfldm32.dll | Bibcbbjq.exe
File created | C:\Windows\SysWOW64\Elnnjh32.dll | Gkoajmmf.exe
File created | C:\Windows\SysWOW64\Hicncd32.exe | Hqlfag32.exe
File opened for modification | C:\Windows\SysWOW64\Hafccifn.exe | Hngggmgk.exe
File opened for modification | C:\Windows\SysWOW64\Lnhhab32.exe | Lkilef32.exe
File created | C:\Windows\SysWOW64\Hbkfck32.dll | Ndnpnkbp.exe
File opened for modification | C:\Windows\SysWOW64\Jjkmjopm.exe | Jhmqncai.exe
File created | C:\Windows\SysWOW64\Npdjie32.exe | Nmenmj32.exe
File opened for modification | C:\Windows\SysWOW64\Mdlmgjdj.exe | Mfillm32.exe
File created | C:\Windows\SysWOW64\Capilg32.dll | Ponlddgf.exe
File created | C:\Windows\SysWOW64\Cpmhklal.dll | Qejafomq.exe
File created | C:\Windows\SysWOW64\Obgoppog.exe | Ojpgocod.exe
File created | C:\Windows\SysWOW64\Dlnbhedc.dll | Imommm32.exe
File opened for modification | C:\Windows\SysWOW64\Lgfcib32.exe | Keefaj32.exe
Program crash (1 IoC)

pid | pid_target | Process | procid_target
5472 | 5264 | WerFault.exe | 564
System Location Discovery: System Language Discovery (1 TTP, 64 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Kachbmoe.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Mpbhoigk.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Hgfnnaee.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Iajimked.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ndnpnkbp.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ghikmf32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ifpdjmeh.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Mgmeieak.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Cphbeakl.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Eodafp32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Bchhpk32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Bpaejlmh.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Kpokce32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Gqajhi32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Bkcldm32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Eedlah32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ldjcbg32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Mqhjhgcm.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Hpbfed32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Palippfj.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Pohjffpl.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Bgagjj32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Cgcpomdk.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Hnbcqk32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Mcijdh32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Aojcji32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ckjbdlaj.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Pklneh32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Daidaf32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ncfccedl.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Hmoqnijp.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Jkbjed32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ohihnm32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ifmhemgk.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Mhcomiph.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Fpmdngln.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Kdbdoini.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Dfocqh32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Lngafl32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Fmhnngnl.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ieakckac.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Jambbn32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Andife32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Cfhmpiic.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Eeiimd32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Fofcplid.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Hofpop32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Pfnndc32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Qeoald32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Cboafgll.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Hghkdacc.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Mgkicecm.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Npopnfhn.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Hjqdankl.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Lhffnloe.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Mjjhaa32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Apefim32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Bcqaol32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Hihnhjna.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Lclkkd32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Naocbpcl.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Mokkdc32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ijndkaoj.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Jiamnlhb.exe
Modifies registry class (64 IoCs)

description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Lcineean.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dlgggeie.dll" | Aafbaebk.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cpmhklal.dll" | Qejafomq.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Daidaf32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Gnpjlhjg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pcbjhekd.dll" | Mfillm32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Ionigpcn.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Knfoloio.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fadiicba.dll" | Bfdgfgkm.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Ekcepk32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Koqbkb32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Mmfhhm32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kgbjmi32.dll" | Daidaf32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Edcpipdp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aofglhim.dll" | Nbemfc32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Adkenpkg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ollpqnpd.dll" | Plophihc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Dcigfo32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Nhdbdjon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ldbfeb32.dll" | Depggelh.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Bjmfaf32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Bchhpk32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Eeiimd32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Ncmiddod.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jojbgiee.dll" | Oiobba32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Allfnnba.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Hnbcqk32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fmofgomd.dll" | Landlk32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Mkfedd32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbjmcldi.dll" | Mkhaic32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Hmmdhjlb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fbinpe32.dll" | Lkgoog32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Jmiifjpq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Keomak32.dll" | Ikejlq32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Njjkmi32.dll" | Mcbmjgko.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Adgkbp32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Dbonej32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Gcjfooja.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Dfocqh32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Oeelllnj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjldoc32.dll" | Oiokgk32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Flelopgd.dll" | Ajhmffin.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dapggpgh.dll" | Ifbapm32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Jbkkjq32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Kkmeob32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Kdejgggf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ahcjlh32.dll" | Cebgmbgj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Eoanfj32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Abjemf32.dll" | Ibibenij.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Jbkkjq32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Llhemioi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbanmg32.dll" | Egimam32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Gcbcjdge.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Mfomabme.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fbfaim32.dll" | Obhfkgcb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Glbjbiba.dll" | Edcpipdp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fadmqm32.dll" | Dikbgd32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ldohdn32.dll" | Gqqcnc32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Imimgg32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Ihhgcd32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Keohee32.dll" | Llhemioi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cfnkcn32.dll" | Lhabgi32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Nlehphcb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Gmgcbdll.exe
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\d10279f8321ade09637f8c84f691cc2f07deb6e38d43de47d3c3a098bcf615ee.exe"C:\Users\Admin\AppData\Local\Temp\d10279f8321ade09637f8c84f691cc2f07deb6e38d43de47d3c3a098bcf615ee.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1592 -
C:\Windows\SysWOW64\Cphbeakl.exeC:\Windows\system32\Cphbeakl.exe2⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3004 -
C:\Windows\SysWOW64\Ciagnf32.exeC:\Windows\system32\Ciagnf32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1476 -
C:\Windows\SysWOW64\Cpkokq32.exeC:\Windows\system32\Cpkokq32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2112 -
C:\Windows\SysWOW64\Canhhhme.exeC:\Windows\system32\Canhhhme.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2224 -
C:\Windows\SysWOW64\Dhhpdb32.exeC:\Windows\system32\Dhhpdb32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2816 -
C:\Windows\SysWOW64\Dkiifnab.exeC:\Windows\system32\Dkiifnab.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2532 -
C:\Windows\SysWOW64\Deoncfai.exeC:\Windows\system32\Deoncfai.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2008 -
C:\Windows\SysWOW64\Dphodd32.exeC:\Windows\system32\Dphodd32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2656 -
C:\Windows\SysWOW64\Dknbam32.exeC:\Windows\system32\Dknbam32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2672 -
C:\Windows\SysWOW64\Dcigfo32.exeC:\Windows\system32\Dcigfo32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2604 -
C:\Windows\SysWOW64\Dicpbibe.exeC:\Windows\system32\Dicpbibe.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:924 -
C:\Windows\SysWOW64\Epoddcgp.exeC:\Windows\system32\Epoddcgp.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2600 -
C:\Windows\SysWOW64\Egimam32.exeC:\Windows\system32\Egimam32.exe14⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2680 -
C:\Windows\SysWOW64\Eodafp32.exeC:\Windows\system32\Eodafp32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1576 -
C:\Windows\SysWOW64\Eeojbj32.exeC:\Windows\system32\Eeojbj32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2856 -
C:\Windows\SysWOW64\Ehmfoe32.exeC:\Windows\system32\Ehmfoe32.exe17⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:3020 -
C:\Windows\SysWOW64\Enlkll32.exeC:\Windows\system32\Enlkll32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2004 -
C:\Windows\SysWOW64\Fokhfo32.exeC:\Windows\system32\Fokhfo32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2476 -
C:\Windows\SysWOW64\Fnnhbkmj.exeC:\Windows\system32\Fnnhbkmj.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2480 -
C:\Windows\SysWOW64\Fpmdngln.exeC:\Windows\system32\Fpmdngln.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1988 -
C:\Windows\SysWOW64\Fgglka32.exeC:\Windows\system32\Fgglka32.exe22⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1344 -
C:\Windows\SysWOW64\Fnqdgkkg.exeC:\Windows\system32\Fnqdgkkg.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2204 -
C:\Windows\SysWOW64\Fdkmde32.exeC:\Windows\system32\Fdkmde32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1136 -
C:\Windows\SysWOW64\Flfaigpo.exeC:\Windows\system32\Flfaigpo.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2084 -
C:\Windows\SysWOW64\Fqanif32.exeC:\Windows\system32\Fqanif32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3012 -
C:\Windows\SysWOW64\Fgkffpoe.exeC:\Windows\system32\Fgkffpoe.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2972 -
C:\Windows\SysWOW64\Fjjbblni.exeC:\Windows\system32\Fjjbblni.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2468 -
C:\Windows\SysWOW64\Fmhnngnl.exeC:\Windows\system32\Fmhnngnl.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1596 -
C:\Windows\SysWOW64\Fcbfka32.exeC:\Windows\system32\Fcbfka32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1724 -
C:\Windows\SysWOW64\Fmkkdg32.exeC:\Windows\system32\Fmkkdg32.exe31⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2108 -
C:\Windows\SysWOW64\Gcdcqacf.exeC:\Windows\system32\Gcdcqacf.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2676 -
C:\Windows\SysWOW64\Gialihan.exeC:\Windows\system32\Gialihan.exe33⤵
- Executes dropped EXE
PID:2760 -
C:\Windows\SysWOW64\Gkphecpa.exeC:\Windows\system32\Gkphecpa.exe34⤵
- Executes dropped EXE
PID:3000 -
C:\Windows\SysWOW64\Gfelblph.exeC:\Windows\system32\Gfelblph.exe35⤵
- Executes dropped EXE
PID:2624 -
C:\Windows\SysWOW64\Gkbdjc32.exeC:\Windows\system32\Gkbdjc32.exe36⤵
- Executes dropped EXE
PID:2152 -
C:\Windows\SysWOW64\Gfhihl32.exeC:\Windows\system32\Gfhihl32.exe37⤵
- Executes dropped EXE
PID:2952 -
C:\Windows\SysWOW64\Gifedg32.exeC:\Windows\system32\Gifedg32.exe38⤵
- Executes dropped EXE
PID:2688 -
C:\Windows\SysWOW64\Gqajhi32.exeC:\Windows\system32\Gqajhi32.exe39⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2784 -
C:\Windows\SysWOW64\Gemfihbm.exeC:\Windows\system32\Gemfihbm.exe40⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2756 -
C:\Windows\SysWOW64\Gkgnebjj.exeC:\Windows\system32\Gkgnebjj.exe41⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2892 -
C:\Windows\SysWOW64\Gqcfniha.exeC:\Windows\system32\Gqcfniha.exe42⤵
- Executes dropped EXE
PID:1588 -
C:\Windows\SysWOW64\Gcbcjdge.exeC:\Windows\system32\Gcbcjdge.exe43⤵
- Executes dropped EXE
- Modifies registry class
PID:1072 -
C:\Windows\SysWOW64\Hjlkfo32.exeC:\Windows\system32\Hjlkfo32.exe44⤵
- Executes dropped EXE
PID:2384 -
C:\Windows\SysWOW64\Hngggmgk.exeC:\Windows\system32\Hngggmgk.exe45⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2340 -
C:\Windows\SysWOW64\Hafccifn.exeC:\Windows\system32\Hafccifn.exe46⤵
- Executes dropped EXE
PID:1584 -
C:\Windows\SysWOW64\Hcdppdeb.exeC:\Windows\system32\Hcdppdeb.exe47⤵
- Executes dropped EXE
PID:2232 -
C:\Windows\SysWOW64\Hfcllpdf.exeC:\Windows\system32\Hfcllpdf.exe48⤵
- Executes dropped EXE
PID:868 -
C:\Windows\SysWOW64\Hmmdhjlb.exeC:\Windows\system32\Hmmdhjlb.exe49⤵
- Executes dropped EXE
- Modifies registry class
PID:1768 -
C:\Windows\SysWOW64\Hpkpdekf.exeC:\Windows\system32\Hpkpdekf.exe50⤵
- Executes dropped EXE
PID:3048 -
C:\Windows\SysWOW64\Hjqdankl.exeC:\Windows\system32\Hjqdankl.exe51⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2436 -
C:\Windows\SysWOW64\Hmoqnijp.exeC:\Windows\system32\Hmoqnijp.exe52⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2444 -
C:\Windows\SysWOW64\Hpmmjeic.exeC:\Windows\system32\Hpmmjeic.exe53⤵
- Executes dropped EXE
PID:2988 -
C:\Windows\SysWOW64\Hblifphg.exeC:\Windows\system32\Hblifphg.exe54⤵
- Executes dropped EXE
PID:2528 -
C:\Windows\SysWOW64\Hjcagnii.exeC:\Windows\system32\Hjcagnii.exe55⤵
- Executes dropped EXE
PID:2652 -
C:\Windows\SysWOW64\Hmamci32.exeC:\Windows\system32\Hmamci32.exe56⤵
- Executes dropped EXE
PID:2632 -
C:\Windows\SysWOW64\Hckepcoj.exeC:\Windows\system32\Hckepcoj.exe57⤵
- Executes dropped EXE
PID:3068 -
C:\Windows\SysWOW64\Hfjbloon.exeC:\Windows\system32\Hfjbloon.exe58⤵
- Executes dropped EXE
PID:2848 -
C:\Windows\SysWOW64\Hihnhjna.exeC:\Windows\system32\Hihnhjna.exe59⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2464 -
C:\Windows\SysWOW64\Hpbfed32.exeC:\Windows\system32\Hpbfed32.exe60⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2864 -
C:\Windows\SysWOW64\Ieoomk32.exeC:\Windows\system32\Ieoomk32.exe61⤵
- Executes dropped EXE
PID:2908 -
C:\Windows\SysWOW64\Iijknjlo.exeC:\Windows\system32\Iijknjlo.exe62⤵
- Executes dropped EXE
PID:2928 -
C:\Windows\SysWOW64\Iligje32.exeC:\Windows\system32\Iligje32.exe63⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1140 -
C:\Windows\SysWOW64\Ingcfq32.exeC:\Windows\system32\Ingcfq32.exe64⤵
- Executes dropped EXE
PID:2336 -
C:\Windows\SysWOW64\Iafpbl32.exeC:\Windows\system32\Iafpbl32.exe65⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1472 -
C:\Windows\SysWOW64\Ieakckac.exeC:\Windows\system32\Ieakckac.exe66⤵
- System Location Discovery: System Language Discovery
PID:1252 -
C:\Windows\SysWOW64\Ihphofpg.exeC:\Windows\system32\Ihphofpg.exe67⤵PID:2184
-
C:\Windows\SysWOW64\Ijndkaoj.exeC:\Windows\system32\Ijndkaoj.exe68⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:1740 -
C:\Windows\SysWOW64\Iahlhl32.exeC:\Windows\system32\Iahlhl32.exe69⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1236 -
C:\Windows\SysWOW64\Idfhdg32.exeC:\Windows\system32\Idfhdg32.exe70⤵PID:2424
-
C:\Windows\SysWOW64\Ilnqed32.exeC:\Windows\system32\Ilnqed32.exe71⤵PID:2512
-
C:\Windows\SysWOW64\Imommm32.exeC:\Windows\system32\Imommm32.exe72⤵
- Drops file in System32 directory
PID:2936 -
C:\Windows\SysWOW64\Iajimked.exeC:\Windows\system32\Iajimked.exe73⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2668 -
C:\Windows\SysWOW64\Ihdaje32.exeC:\Windows\system32\Ihdaje32.exe74⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3056 -
C:\Windows\SysWOW64\Ionigpcn.exeC:\Windows\system32\Ionigpcn.exe75⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:1256 -
C:\Windows\SysWOW64\Ihgnpe32.exeC:\Windows\system32\Ihgnpe32.exe76⤵PID:1636
-
C:\Windows\SysWOW64\Ifjnkbai.exeC:\Windows\system32\Ifjnkbai.exe77⤵PID:1056
-
C:\Windows\SysWOW64\Ikejlq32.exeC:\Windows\system32\Ikejlq32.exe78⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:2776 -
C:\Windows\SysWOW64\Jdnodf32.exeC:\Windows\system32\Jdnodf32.exe79⤵PID:2396
-
C:\Windows\SysWOW64\Jflkqa32.exeC:\Windows\system32\Jflkqa32.exe80⤵
- Drops file in System32 directory
PID:2372 -
C:\Windows\SysWOW64\Jijgmm32.exeC:\Windows\system32\Jijgmm32.exe81⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1680 -
C:\Windows\SysWOW64\Jlicih32.exeC:\Windows\system32\Jlicih32.exe82⤵PID:1572
-
C:\Windows\SysWOW64\Jbblfbdk.exeC:\Windows\system32\Jbblfbdk.exe83⤵PID:1220
-
C:\Windows\SysWOW64\Jeahbndo.exeC:\Windows\system32\Jeahbndo.exe84⤵PID:3032
-
C:\Windows\SysWOW64\Jmhpckdq.exeC:\Windows\system32\Jmhpckdq.exe85⤵PID:2148
-
C:\Windows\SysWOW64\Joilkcjo.exeC:\Windows\system32\Joilkcjo.exe86⤵PID:2416
-
C:\Windows\SysWOW64\Jgqdlaka.exeC:\Windows\system32\Jgqdlaka.exe87⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:980 -
C:\Windows\SysWOW64\Jioqhlje.exeC:\Windows\system32\Jioqhlje.exe88⤵
- Drops file in System32 directory
PID:2560 -
C:\Windows\SysWOW64\Jlmmdhii.exeC:\Windows\system32\Jlmmdhii.exe89⤵PID:2580
-
C:\Windows\SysWOW64\Jpiief32.exeC:\Windows\system32\Jpiief32.exe90⤵PID:2544
-
C:\Windows\SysWOW64\Jiamnlhb.exeC:\Windows\system32\Jiamnlhb.exe91⤵
- System Location Discovery: System Language Discovery
PID:3064 -
C:\Windows\SysWOW64\Jhdmii32.exeC:\Windows\system32\Jhdmii32.exe92⤵PID:2492
-
C:\Windows\SysWOW64\Jkbjed32.exeC:\Windows\system32\Jkbjed32.exe93⤵
- System Location Discovery: System Language Discovery
PID:2400 -
C:\Windows\SysWOW64\Jambbn32.exeC:\Windows\system32\Jambbn32.exe94⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:1296 -
C:\Windows\SysWOW64\Khfjohmj.exeC:\Windows\system32\Khfjohmj.exe95⤵PID:2076
-
C:\Windows\SysWOW64\Kkefkdln.exeC:\Windows\system32\Kkefkdln.exe96⤵PID:3008
-
C:\Windows\SysWOW64\Koqbkb32.exeC:\Windows\system32\Koqbkb32.exe97⤵
- Modifies registry class
PID:3028 -
C:\Windows\SysWOW64\Kaoogn32.exeC:\Windows\system32\Kaoogn32.exe98⤵PID:2324
-
C:\Windows\SysWOW64\Kdmkci32.exeC:\Windows\system32\Kdmkci32.exe99⤵PID:836
-
C:\Windows\SysWOW64\Kglgpe32.exeC:\Windows\system32\Kglgpe32.exe100⤵PID:2800
-
C:\Windows\SysWOW64\Kkgcpcjk.exeC:\Windows\system32\Kkgcpcjk.exe101⤵PID:448
-
C:\Windows\SysWOW64\Knfoloio.exeC:\Windows\system32\Knfoloio.exe102⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2712 -
C:\Windows\SysWOW64\Khkcjh32.exeC:\Windows\system32\Khkcjh32.exe103⤵PID:1932
-
C:\Windows\SysWOW64\Kachbmoe.exeC:\Windows\system32\Kachbmoe.exe104⤵
- System Location Discovery: System Language Discovery
PID:2956 -
C:\Windows\SysWOW64\Kdbdoini.exeC:\Windows\system32\Kdbdoini.exe105⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:2884 -
C:\Windows\SysWOW64\Kgpqkdmm.exeC:\Windows\system32\Kgpqkdmm.exe106⤵PID:2872
-
C:\Windows\SysWOW64\Kjomgpmq.exeC:\Windows\system32\Kjomgpmq.exe107⤵PID:2300
-
C:\Windows\SysWOW64\Knjign32.exeC:\Windows\system32\Knjign32.exe108⤵PID:2304
-
C:\Windows\SysWOW64\Klmickld.exeC:\Windows\system32\Klmickld.exe109⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2696 -
C:\Windows\SysWOW64\Kcgapeca.exeC:\Windows\system32\Kcgapeca.exe110⤵PID:2296
-
C:\Windows\SysWOW64\Kjaimo32.exeC:\Windows\system32\Kjaimo32.exe111⤵PID:1232
-
C:\Windows\SysWOW64\Klpfik32.exeC:\Windows\system32\Klpfik32.exe112⤵PID:2240
-
C:\Windows\SysWOW64\Lcineean.exeC:\Windows\system32\Lcineean.exe113⤵
- Drops file in System32 directory
- Modifies registry class
PID:2276 -
C:\Windows\SysWOW64\Lgejfc32.exeC:\Windows\system32\Lgejfc32.exe114⤵PID:2808
-
C:\Windows\SysWOW64\Ljcfbo32.exeC:\Windows\system32\Ljcfbo32.exe115⤵PID:2524
-
C:\Windows\SysWOW64\Lhffnloe.exeC:\Windows\system32\Lhffnloe.exe116⤵
- System Location Discovery: System Language Discovery
PID:2180 -
C:\Windows\SysWOW64\Lpmnoiph.exeC:\Windows\system32\Lpmnoiph.exe117⤵PID:2748
-
C:\Windows\SysWOW64\Lclkkd32.exeC:\Windows\system32\Lclkkd32.exe118⤵
- System Location Discovery: System Language Discovery
PID:1244 -
C:\Windows\SysWOW64\Ljfcgofh.exeC:\Windows\system32\Ljfcgofh.exe119⤵PID:2064
-
C:\Windows\SysWOW64\Lldodjel.exeC:\Windows\system32\Lldodjel.exe120⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:632 -
C:\Windows\SysWOW64\Lkgoog32.exeC:\Windows\system32\Lkgoog32.exe121⤵
- Modifies registry class
PID:2828 -
C:\Windows\SysWOW64\Lcngqd32.exeC:\Windows\system32\Lcngqd32.exe122⤵PID:2156