Analysis
max time kernel: 112s
max time network: 17s
platform: windows7_x64
resource: win7-20240708-en
resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
submitted: 29/08/2024, 06:45
Static task: static1
Behavioral task: behavioral1
Sample: 0ed612aa85ac3fa8e38dd388e5a12ca0N.exe
Resource: win7-20240708-en
Behavioral task: behavioral2
Sample: 0ed612aa85ac3fa8e38dd388e5a12ca0N.exe
Resource: win10v2004-20240802-en
General
Target: 0ed612aa85ac3fa8e38dd388e5a12ca0N.exe
Size: 1.5MB
MD5: 0ed612aa85ac3fa8e38dd388e5a12ca0
SHA1: be2ae99e86c242de739f116500bced8c9255e81d
SHA256: e8143ba389da52a18c9e83a7db4dadcb72a822cdb2ef499c2bc8cabed9870d70
SHA512: ba10db6a2c454d04fe78622fa82beac69b5bf5b263b5007ff6ffe9224911621159f4b9ffc1a104951ba1a471577e281b2007465e69979281735d4fbb90a677d8
SSDEEP: 12288:ujPbWGRdA6sQx4HCXwpnsKvNA+XTvZHWuEo3oWB+:uepsKv2EvZHp3oWB+
Malware Config
Signatures
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
Executes dropped EXE 64 IoCs
Loads dropped DLL 64 IoCs
Drops file in System32 directory 64 IoCs
Program crash 1 IoCs
pid: 6360, pid_target: 6336, Process: WerFault.exe
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Modifies registry class 64 IoCs
Suspicious use of WriteProcessMemory 64 IoCs
Each row below appears four times in the sandbox output (64 entries in total); the duplicates are collapsed here.

| description | pid | Process | procid_target |
| --- | --- | --- | --- |
| PID 3060 wrote to memory of 2344 | 3060 | 0ed612aa85ac3fa8e38dd388e5a12ca0N.exe | 30 |
| PID 2344 wrote to memory of 2356 | 2344 | Cdlmlidp.exe | 31 |
| PID 2356 wrote to memory of 2864 | 2356 | Chgimh32.exe | 32 |
| PID 2864 wrote to memory of 2872 | 2864 | Cmdaeo32.exe | 33 |
| PID 2872 wrote to memory of 2848 | 2872 | Defljp32.exe | 34 |
| PID 2848 wrote to memory of 2772 | 2848 | Dhehfk32.exe | 35 |
| PID 2772 wrote to memory of 1584 | 2772 | Docjne32.exe | 36 |
| PID 1584 wrote to memory of 3048 | 1584 | Dabfjp32.exe | 37 |
| PID 3048 wrote to memory of 632 | 3048 | Ddpbfl32.exe | 38 |
| PID 632 wrote to memory of 2776 | 632 | Dhlogjko.exe | 39 |
| PID 2776 wrote to memory of 1788 | 2776 | Djmknb32.exe | 40 |
| PID 1788 wrote to memory of 1052 | 1788 | Dadcppbp.exe | 41 |
| PID 1052 wrote to memory of 600 | 1052 | Dcepgh32.exe | 42 |
| PID 600 wrote to memory of 2400 | 600 | Edelakoq.exe | 43 |
| PID 2400 wrote to memory of 2136 | 2400 | Effhic32.exe | 44 |
| PID 2136 wrote to memory of 872 | 2136 | Elpqemll.exe | 45 |
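The registry rows above (the ShellServiceObjectDelayLoad value and the CLSID InProcServer32 writes) and the WriteProcessMemory rows are flattened tables, and the useful facts are spread across them: one SSODL value name points at one CLSID, that CLSID's InProcServer32 default value is re-pointed by successive stages at a new DLL under SysWow64, and the WriteProcessMemory rows give the parent-to-child order. The script below is an added example, not part of the sandbox report or its tooling; it parses rows in the report's own text format into structured indicators and resolves the SSODL entry the way Explorer does at logon. The sample rows are copied from this report; the function names and the dropped-name heuristic are this example's own assumptions.

```python
"""Turn the flattened sandbox tables into structured indicators (added example)."""
import re

# One registry row: "<action> <key>[\<value name>] [= "<data>"] <writing process>"
REG_ROW = re.compile(
    r'^(?P<action>Set value \(\w+\)|Key created) '
    r'(?P<key>\\REGISTRY\\.+?)(?: = "(?P<data>.*)")? (?P<proc>\S+)$',
    re.MULTILINE,
)
# One WriteProcessMemory row: "PID <parent> wrote to memory of <child> <parent> <image> <index>"
WPM_ROW = re.compile(
    r'^PID (?P<parent>\d+) wrote to memory of (?P<child>\d+) (?P=parent) (?P<image>\S+) \d+$',
    re.MULTILINE,
)
SSODL_SUFFIX = r'\microsoft\windows\currentversion\shellserviceobjectdelayload'
# Assumption drawn from the names in this report: six letters followed by "32" or two more
# letters (Bfhpbo32.dll, Cdlmlidp.exe). A triage hint only; see looks_dropped().
DROPPED_NAME = re.compile(r'^[A-Za-z]{6}(?:32|[A-Za-z]{2})\.(?:exe|dll)$')

# Rows copied from this report (a subset). The sandbox doubles backslashes inside quoted data.
REGISTRY_ROWS = r"""
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jjgonf32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hjmmcgha.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bfhpbo32.dll" Gpeoakhc.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Papank32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mcicjgkh.dll" Kgjlgm32.exe
"""
# WriteProcessMemory rows copied from this report, including the sandbox's duplicates.
WPM_ROWS = """
PID 3060 wrote to memory of 2344 3060 0ed612aa85ac3fa8e38dd388e5a12ca0N.exe 30
PID 3060 wrote to memory of 2344 3060 0ed612aa85ac3fa8e38dd388e5a12ca0N.exe 30
PID 3060 wrote to memory of 2344 3060 0ed612aa85ac3fa8e38dd388e5a12ca0N.exe 30
PID 3060 wrote to memory of 2344 3060 0ed612aa85ac3fa8e38dd388e5a12ca0N.exe 30
PID 2344 wrote to memory of 2356 2344 Cdlmlidp.exe 31
PID 2344 wrote to memory of 2356 2344 Cdlmlidp.exe 31
PID 2356 wrote to memory of 2864 2356 Chgimh32.exe 32
"""


def parse_registry_rows(text):
    """One dict per row. For value writes the last path component is the value name
    ('' for the default value) and the doubled backslashes in data are undone."""
    rows = []
    for m in REG_ROW.finditer(text):
        key, name, data = m['key'], None, m['data']
        if data is not None:
            key, _, name = key.rpartition('\\')
            data = data.replace('\\\\', '\\')
        rows.append({'action': m['action'], 'key': key, 'name': name,
                     'data': data, 'process': m['proc']})
    return rows


def resolve_ssodl(rows):
    """Do what Explorer does at logon: every value under ShellServiceObjectDelayLoad is a
    CLSID, and the default value of CLSID\{clsid}\InProcServer32 names the DLL that is
    loaded into explorer.exe. Returns one entry per SSODL value with every DLL the
    report pointed that CLSID at, in report order."""
    inproc = {}   # lower-case clsid -> [(dll path, writing process)]
    ssodl = {}    # SSODL value name -> (clsid, [writing processes])
    for r in rows:
        if r['data'] is None:
            continue
        key = r['key'].lower()
        if key.endswith(SSODL_SUFFIX):
            ssodl.setdefault(r['name'], (r['data'], []))[1].append(r['process'])
        elif key.endswith('\\inprocserver32') and r['name'] == '':
            clsid = key.rsplit('\\', 2)[-2]
            inproc.setdefault(clsid, []).append((r['data'], r['process']))
    return [{'value': name, 'clsid': clsid, 'servers': inproc.get(clsid.lower(), []),
             'writers': writers} for name, (clsid, writers) in ssodl.items()]


def process_chain(text, root_pid):
    """Collapse the duplicated WriteProcessMemory rows into parent->child edges and
    follow them from root_pid: [(parent pid, parent image, child pid), ...]."""
    edge, image = {}, {}
    for m in WPM_ROW.finditer(text):
        parent, child = int(m['parent']), int(m['child'])
        edge.setdefault(parent, child)
        image[parent] = m['image']
    chain, pid = [], root_pid
    while pid in edge:
        chain.append((pid, image[pid], edge[pid]))
        pid = edge[pid]
    return chain


def looks_dropped(path):
    """Name-shape heuristic for files like the ones dropped here. Legitimate names such
    as kernel32.dll match as well, so pair it with signature or catalog checks."""
    return bool(DROPPED_NAME.match(path.rsplit('\\', 1)[-1]))


if __name__ == '__main__':
    for entry in resolve_ssodl(parse_registry_rows(REGISTRY_ROWS)):
        print(f"SSODL '{entry['value']}' -> {entry['clsid']} set by {entry['writers']}")
        for dll, proc in entry['servers']:
            print(f"  InProcServer32 -> {dll} (written by {proc}, dropped-looking={looks_dropped(dll)})")
    for parent, img, child in process_chain(WPM_ROWS, 3060):
        print(f"{parent} {img} -> {child}")
```

Run as-is it prints the single SSODL entry ("Web Event Logger" pointing at the CLSID), the two DLLs that CLSID was pointed at in the sample rows, and the first three hops of the process chain. Feeding it the full tables gives the complete list of InProcServer32 targets, which is the list of files to collect from SysWow64 on an infected host, and the full parent chain behind the process tree below.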
Processes

Each entry below was started by the entry above it; the number is its depth in the process tree, which the sandbox shows as a nested view and which is flattened here. The dropped stages are launched with the command line C:\Windows\system32\<name>.exe but run from C:\Windows\SysWOW64, because WOW64 file-system redirection maps the system32 path for 32-bit processes; the DLL paths in the registry rows above show the same redirection.

- 1: C:\Users\Admin\AppData\Local\Temp\0ed612aa85ac3fa8e38dd388e5a12ca0N.exe (PID 3060), command line "C:\Users\Admin\AppData\Local\Temp\0ed612aa85ac3fa8e38dd388e5a12ca0N.exe"
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
- 2: C:\Windows\SysWOW64\Cdlmlidp.exe (PID 2344), command line C:\Windows\system32\Cdlmlidp.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
- 3: C:\Windows\SysWOW64\Chgimh32.exe (PID 2356), command line C:\Windows\system32\Chgimh32.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
- 4: C:\Windows\SysWOW64\Cmdaeo32.exe (PID 2864), command line C:\Windows\system32\Cmdaeo32.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
- 5: C:\Windows\SysWOW64\Defljp32.exe (PID 2872), command line C:\Windows\system32\Defljp32.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
- 6: C:\Windows\SysWOW64\Dhehfk32.exe (PID 2848), command line C:\Windows\system32\Dhehfk32.exe
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
- 7: C:\Windows\SysWOW64\Docjne32.exe (PID 2772), command line C:\Windows\system32\Docjne32.exe
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
- 8: C:\Windows\SysWOW64\Dabfjp32.exe (PID 1584), command line C:\Windows\system32\Dabfjp32.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
- 9: C:\Windows\SysWOW64\Ddpbfl32.exe (PID 3048), command line C:\Windows\system32\Ddpbfl32.exe
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
- 10: C:\Windows\SysWOW64\Dhlogjko.exe (PID 632), command line C:\Windows\system32\Dhlogjko.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
- 11: C:\Windows\SysWOW64\Djmknb32.exe (PID 2776), command line C:\Windows\system32\Djmknb32.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
- 12: C:\Windows\SysWOW64\Dadcppbp.exe (PID 1788), command line C:\Windows\system32\Dadcppbp.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
- 13: C:\Windows\SysWOW64\Dcepgh32.exe (PID 1052), command line C:\Windows\system32\Dcepgh32.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
- 14: C:\Windows\SysWOW64\Edelakoq.exe (PID 600), command line C:\Windows\system32\Edelakoq.exe
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
- 15: C:\Windows\SysWOW64\Effhic32.exe (PID 2400), command line C:\Windows\system32\Effhic32.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
- 16: C:\Windows\SysWOW64\Elpqemll.exe (PID 2136), command line C:\Windows\system32\Elpqemll.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
- 17: C:\Windows\SysWOW64\Eoomai32.exe (PID 872), command line C:\Windows\system32\Eoomai32.exe
  - Executes dropped EXE
  - Loads dropped DLL
- 18: C:\Windows\SysWOW64\Egeecf32.exe (PID 1252), command line C:\Windows\system32\Egeecf32.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies registry class
- 19: C:\Windows\SysWOW64\Ejdaoa32.exe (PID 1768), command line C:\Windows\system32\Ejdaoa32.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
- 20: C:\Windows\SysWOW64\Elbmkm32.exe (PID 880), command line C:\Windows\system32\Elbmkm32.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
- 21: C:\Windows\SysWOW64\Ebofcd32.exe (PID 1696), command line C:\Windows\system32\Ebofcd32.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies registry class
- 22: C:\Windows\SysWOW64\Ehinpnpm.exe (PID 2680), command line C:\Windows\system32\Ehinpnpm.exe
  - Executes dropped EXE
  - Loads dropped DLL
- 23: C:\Windows\SysWOW64\Ekhjlioa.exe (PID 2320), command line C:\Windows\system32\Ekhjlioa.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies registry class
- 24: C:\Windows\SysWOW64\Ecobmg32.exe (PID 1976), command line C:\Windows\system32\Ecobmg32.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies registry class
- 25: C:\Windows\SysWOW64\Efmoib32.exe (PID 2300), command line C:\Windows\system32\Efmoib32.exe
  - Executes dropped EXE
  - Loads dropped DLL
- 26: C:\Windows\SysWOW64\Ehlkfn32.exe (PID 2852), command line C:\Windows\system32\Ehlkfn32.exe
  - Executes dropped EXE
  - Loads dropped DLL
- 27: C:\Windows\SysWOW64\Ekjgbi32.exe (PID 2800), command line C:\Windows\system32\Ekjgbi32.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
- 28: C:\Windows\SysWOW64\Ebdoocdk.exe (PID 2216), command line C:\Windows\system32\Ebdoocdk.exe
  - Executes dropped EXE
  - Loads dropped DLL
- 29: C:\Windows\SysWOW64\Fdblkoco.exe (PID 2868), command line C:\Windows\system32\Fdblkoco.exe
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
- 30: C:\Windows\SysWOW64\Fgqhgjbb.exe (PID 2964), command line C:\Windows\system32\Fgqhgjbb.exe
  - Executes dropped EXE
  - Loads dropped DLL
- 31: C:\Windows\SysWOW64\Fnkpcd32.exe (PID 1152), command line C:\Windows\system32\Fnkpcd32.exe
  - Executes dropped EXE
  - Loads dropped DLL
- 32: C:\Windows\SysWOW64\Fgcdlj32.exe (PID 2760), command line C:\Windows\system32\Fgcdlj32.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
- 33: C:\Windows\SysWOW64\Fnmmidhm.exe (PID 2008), command line C:\Windows\system32\Fnmmidhm.exe
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
- 34: C:\Windows\SysWOW64\Fdgefn32.exe (PID 1720), command line C:\Windows\system32\Fdgefn32.exe
  - Executes dropped EXE
- 35: C:\Windows\SysWOW64\Fkambhgf.exe (PID 1964), command line C:\Windows\system32\Fkambhgf.exe
  - Executes dropped EXE
- 36: C:\Windows\SysWOW64\Fmbjjp32.exe (PID 1500), command line C:\Windows\system32\Fmbjjp32.exe
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
- 37: C:\Windows\SysWOW64\Fclbgj32.exe (PID 1576), command line C:\Windows\system32\Fclbgj32.exe
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
- 38: C:\Windows\SysWOW64\Fnafdc32.exe (PID 2652), command line C:\Windows\system32\Fnafdc32.exe
  - Executes dropped EXE
- 39: C:\Windows\SysWOW64\Fpcblkje.exe (PID 1772), command line C:\Windows\system32\Fpcblkje.exe
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies registry class
- 40: C:\Windows\SysWOW64\Fikgda32.exe (PID 900), command line C:\Windows\system32\Fikgda32.exe
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies registry class
- 41: C:\Windows\SysWOW64\Gpeoakhc.exe (PID 1544), command line C:\Windows\system32\Gpeoakhc.exe
  - Executes dropped EXE
  - Modifies registry class
- 42: C:\Windows\SysWOW64\Gcakbjpl.exe (PID 1660), command line C:\Windows\system32\Gcakbjpl.exe
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
- 43: C:\Windows\SysWOW64\Gfogneop.exe (PID 1320), command line C:\Windows\system32\Gfogneop.exe
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
- 44: C:\Windows\SysWOW64\Gmipko32.exe (PID 2956), command line C:\Windows\system32\Gmipko32.exe
  - Executes dropped EXE
- 45: C:\Windows\SysWOW64\Gphlgk32.exe (PID 2980), command line C:\Windows\system32\Gphlgk32.exe
  - Executes dropped EXE
- 46: C:\Windows\SysWOW64\Gbfhcf32.exe (PID 2892), command line C:\Windows\system32\Gbfhcf32.exe
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
- 47: C:\Windows\SysWOW64\Geddoa32.exe (PID 2584), command line C:\Windows\system32\Geddoa32.exe
  - Executes dropped EXE
- 48: C:\Windows\SysWOW64\Gmlmpo32.exe (PID 2884), command line C:\Windows\system32\Gmlmpo32.exe
  - Executes dropped EXE
  - Modifies registry class
- 49: C:\Windows\SysWOW64\Gpjilj32.exe (PID 1796), command line C:\Windows\system32\Gpjilj32.exe
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
- 50: C:\Windows\SysWOW64\Gfdaid32.exe (PID 2156), command line C:\Windows\system32\Gfdaid32.exe
  - Executes dropped EXE
- 51: C:\Windows\SysWOW64\Gibmep32.exe (PID 2212), command line C:\Windows\system32\Gibmep32.exe
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
- 52: C:\Windows\SysWOW64\Gnofng32.exe (PID 2004), command line C:\Windows\system32\Gnofng32.exe
  - Executes dropped EXE
- 53: C:\Windows\SysWOW64\Ganbjb32.exe (PID 3120), command line C:\Windows\system32\Ganbjb32.exe
  - Executes dropped EXE
- 54: C:\Windows\SysWOW64\Geinjapb.exe (PID 3168), command line C:\Windows\system32\Geinjapb.exe
  - Executes dropped EXE
- 55: C:\Windows\SysWOW64\Glcfgk32.exe (PID 3224), command line C:\Windows\system32\Glcfgk32.exe
  - Executes dropped EXE
  - Modifies registry class
- 56: C:\Windows\SysWOW64\Gnabcf32.exe (PID 3280), command line C:\Windows\system32\Gnabcf32.exe
  - Executes dropped EXE
- 57: C:\Windows\SysWOW64\Gapoob32.exe (PID 3340), command line C:\Windows\system32\Gapoob32.exe
  - Executes dropped EXE
- 58: C:\Windows\SysWOW64\Gdnkkmej.exe (PID 3400), command line C:\Windows\system32\Gdnkkmej.exe
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Modifies registry class
- 59: C:\Windows\SysWOW64\Hlecmkel.exe (PID 3460), command line C:\Windows\system32\Hlecmkel.exe
  - Executes dropped EXE
- 60: C:\Windows\SysWOW64\Hmgodc32.exe (PID 3524), command line C:\Windows\system32\Hmgodc32.exe
  - Executes dropped EXE
- 61: C:\Windows\SysWOW64\Hengep32.exe (PID 3588), command line C:\Windows\system32\Hengep32.exe
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
- 62: C:\Windows\SysWOW64\Hhlcal32.exe (PID 3652), command line C:\Windows\system32\Hhlcal32.exe
  - Executes dropped EXE
- 63: C:\Windows\SysWOW64\Hjkpng32.exe (PID 3708), command line C:\Windows\system32\Hjkpng32.exe
  - Executes dropped EXE
- 64: C:\Windows\SysWOW64\Hmiljb32.exe (PID 3768), command line C:\Windows\system32\Hmiljb32.exe
  - Executes dropped EXE
- 65: C:\Windows\SysWOW64\Hpghfn32.exe (PID 3832), command line C:\Windows\system32\Hpghfn32.exe
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
- 66: C:\Windows\SysWOW64\Hfaqbh32.exe (PID 3888), command line C:\Windows\system32\Hfaqbh32.exe
- 67: C:\Windows\SysWOW64\Hjmmcgha.exe (PID 3944), command line C:\Windows\system32\Hjmmcgha.exe
  - Adds autorun key to be loaded by Explorer.exe on startup
  - System Location Discovery: System Language Discovery
  - Modifies registry class
- 68: C:\Windows\SysWOW64\Hagepa32.exe (PID 4000), command line C:\Windows\system32\Hagepa32.exe
- 69: C:\Windows\SysWOW64\Hdeall32.exe (PID 4060), command line C:\Windows\system32\Hdeall32.exe
  - Modifies registry class
- 70: C:\Windows\SysWOW64\Hfdmhh32.exe (PID 844), command line C:\Windows\system32\Hfdmhh32.exe
  - Adds autorun key to be loaded by Explorer.exe on startup
- 71: C:\Windows\SysWOW64\Hibidc32.exe (PID 2440), command line C:\Windows\system32\Hibidc32.exe
  - Adds autorun key to be loaded by Explorer.exe on startup
- 72: C:\Windows\SysWOW64\Hlqfqo32.exe (PID 2844), command line C:\Windows\system32\Hlqfqo32.exe
  - System Location Discovery: System Language Discovery
- 73: C:\Windows\SysWOW64\Hdhnal32.exe (PID 2052), command line C:\Windows\system32\Hdhnal32.exe
- 74: C:\Windows\SysWOW64\Hbknmicj.exe (PID 2804), command line C:\Windows\system32\Hbknmicj.exe
- 75: C:\Windows\SysWOW64\Heijidbn.exe (PID 1308), command line C:\Windows\system32\Heijidbn.exe
- 76: C:\Windows\SysWOW64\Hmpbja32.exe (PID 1324), command line C:\Windows\system32\Hmpbja32.exe
  - System Location Discovery: System Language Discovery
- 77: C:\Windows\SysWOW64\Hpoofm32.exe (PID 1752), command line C:\Windows\system32\Hpoofm32.exe
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Drops file in System32 directory
- 78: C:\Windows\SysWOW64\Ifhgcgjq.exe (PID 3108), command line C:\Windows\system32\Ifhgcgjq.exe
  - Modifies registry class
- 79: C:\Windows\SysWOW64\Iigcobid.exe (PID 3188), command line C:\Windows\system32\Iigcobid.exe
  - System Location Discovery: System Language Discovery
- 80: C:\Windows\SysWOW64\Ileoknhh.exe (PID 3248), command line C:\Windows\system32\Ileoknhh.exe
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Drops file in System32 directory
- 81: C:\Windows\SysWOW64\Iockhigl.exe (PID 3316), command line C:\Windows\system32\Iockhigl.exe
- 82: C:\Windows\SysWOW64\Iabhdefo.exe (PID 3372), command line C:\Windows\system32\Iabhdefo.exe
  - Adds autorun key to be loaded by Explorer.exe on startup
- 83: C:\Windows\SysWOW64\Iiipeb32.exe (PID 3428), command line C:\Windows\system32\Iiipeb32.exe
  - Modifies registry class
- 84: C:\Windows\SysWOW64\Ilhlan32.exe (PID 3492), command line C:\Windows\system32\Ilhlan32.exe
  - System Location Discovery: System Language Discovery
- 85: C:\Windows\SysWOW64\Iofhmi32.exe (PID 3628), command line C:\Windows\system32\Iofhmi32.exe
  - Drops file in System32 directory
  - Modifies registry class
- 86: C:\Windows\SysWOW64\Ieppjclf.exe (PID 3724), command line C:\Windows\system32\Ieppjclf.exe
  - Drops file in System32 directory
- 87: C:\Windows\SysWOW64\Idcqep32.exe (PID 2824), command line C:\Windows\system32\Idcqep32.exe
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
- 88: C:\Windows\SysWOW64\Iljifm32.exe (PID 3696), command line C:\Windows\system32\Iljifm32.exe
- 89: C:\Windows\SysWOW64\Ioheci32.exe (PID 3776), command line C:\Windows\system32\Ioheci32.exe
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Drops file in System32 directory
- 90: C:\Windows\SysWOW64\Iagaod32.exe (PID 3804), command line C:\Windows\system32\Iagaod32.exe
  - Drops file in System32 directory
- 91: C:\Windows\SysWOW64\Idemkp32.exe (PID 892), command line C:\Windows\system32\Idemkp32.exe
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Drops file in System32 directory
- 92: C:\Windows\SysWOW64\Igcjgk32.exe (PID 3924), command line C:\Windows\system32\Igcjgk32.exe
- 93: C:\Windows\SysWOW64\Iokahhac.exe (PID 1508), command line C:\Windows\system32\Iokahhac.exe
  - Modifies registry class
- 94: C:\Windows\SysWOW64\Iainddpg.exe (PID 2432), command line C:\Windows\system32\Iainddpg.exe
  - Modifies registry class
- 95: C:\Windows\SysWOW64\Idgjqook.exe (PID 2252), command line C:\Windows\system32\Idgjqook.exe
- 96: C:\Windows\SysWOW64\Igffmkno.exe (PID 2944), command line C:\Windows\system32\Igffmkno.exe
  - Adds autorun key to be loaded by Explorer.exe on startup
  - System Location Discovery: System Language Discovery
- 97: C:\Windows\SysWOW64\Jidbifmb.exe (PID 2200), command line C:\Windows\system32\Jidbifmb.exe
  - System Location Discovery: System Language Discovery
- 98: C:\Windows\SysWOW64\Jakjjcnd.exe (PID 1688), command line C:\Windows\system32\Jakjjcnd.exe
  - Drops file in System32 directory
- 99: C:\Windows\SysWOW64\Jdjgfomh.exe (PID 3024), command line C:\Windows\system32\Jdjgfomh.exe
  - Drops file in System32 directory
- 100: C:\Windows\SysWOW64\Jghcbjll.exe (PID 2152), command line C:\Windows\system32\Jghcbjll.exe
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Drops file in System32 directory
- 101: C:\Windows\SysWOW64\Jjgonf32.exe (PID 3128), command line C:\Windows\system32\Jjgonf32.exe
  - Adds autorun key to be loaded by Explorer.exe on startup
- 102: C:\Windows\SysWOW64\Jlekja32.exe (PID 2444), command line C:\Windows\system32\Jlekja32.exe
  - Modifies registry class
- 103: C:\Windows\SysWOW64\Jdlclo32.exe (PID 3152), command line C:\Windows\system32\Jdlclo32.exe
  - Drops file in System32 directory
- 104: C:\Windows\SysWOW64\Jcocgkbp.exe (PID 3320), command line C:\Windows\system32\Jcocgkbp.exe
- 105: C:\Windows\SysWOW64\Jjilde32.exe (PID 3432), command line C:\Windows\system32\Jjilde32.exe
- 106: C:\Windows\SysWOW64\Jndhddaf.exe (PID 3456), command line C:\Windows\system32\Jndhddaf.exe
  - System Location Discovery: System Language Discovery
- 107: C:\Windows\SysWOW64\Jofdll32.exe (PID 2704), command line C:\Windows\system32\Jofdll32.exe
  - Adds autorun key to be loaded by Explorer.exe on startup
- 108: C:\Windows\SysWOW64\Jcaqmkpn.exe (PID 3556), command line C:\Windows\system32\Jcaqmkpn.exe
- 109: C:\Windows\SysWOW64\Jfpmifoa.exe (PID 3740), command line C:\Windows\system32\Jfpmifoa.exe
  - Modifies registry class
- 110: C:\Windows\SysWOW64\Jhniebne.exe (PID 3760), command line C:\Windows\system32\Jhniebne.exe
- 111: C:\Windows\SysWOW64\Jpeafo32.exe (PID 3868), command line C:\Windows\system32\Jpeafo32.exe
  - Adds autorun key to be loaded by Explorer.exe on startup
- 112: C:\Windows\SysWOW64\Jcdmbk32.exe (PID 3996), command line C:\Windows\system32\Jcdmbk32.exe
  - Adds autorun key to be loaded by Explorer.exe on startup
- 113: C:\Windows\SysWOW64\Jfbinf32.exe (PID 3976), command line C:\Windows\system32\Jfbinf32.exe
  - Adds autorun key to be loaded by Explorer.exe on startup
- 114: C:\Windows\SysWOW64\Jllakpdk.exe (PID 2636), command line C:\Windows\system32\Jllakpdk.exe
- 115: C:\Windows\SysWOW64\Jojnglco.exe (PID 4048), command line C:\Windows\system32\Jojnglco.exe
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
- 116: C:\Windows\SysWOW64\Jbijcgbc.exe (PID 1504), command line C:\Windows\system32\Jbijcgbc.exe
  - System Location Discovery: System Language Discovery
- 117: C:\Windows\SysWOW64\Khcbpa32.exe (PID 2280), command line C:\Windows\system32\Khcbpa32.exe
- 118: C:\Windows\SysWOW64\Kbkgig32.exe (PID 2820), command line C:\Windows\system32\Kbkgig32.exe
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Modifies registry class
- 119: C:\Windows\SysWOW64\Kheofahm.exe (PID 916), command line C:\Windows\system32\Kheofahm.exe
  - System Location Discovery: System Language Discovery
- 120: C:\Windows\SysWOW64\Kkckblgq.exe (PID 1724), command line C:\Windows\system32\Kkckblgq.exe
- 121: C:\Windows\SysWOW64\Knbgnhfd.exe (PID 1644), command line C:\Windows\system32\Knbgnhfd.exe
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Modifies registry class
- 122: C:\Windows\SysWOW64\Kqqdjceh.exe (PID 3160), command line C:\Windows\system32\Kqqdjceh.exe
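The tree above is 122 stages deep, and the pattern behind it is the pair of signatures the sandbox attaches to consecutive stages: "Drops file in System32 directory" on the parent and "Executes dropped EXE" on the child. That pairing is what an endpoint detection should key on, rather than the file names, which change at every stage. The following is an added example, not part of the sandbox report; it correlates a constructed stream of file-creation and process-creation events (the shape Sysmon event IDs 11 and 1 carry, simplified to a small record type) and reports a chain once it exceeds a chosen depth. The PIDs and image names in the sample come from the report; the parent PID of the first stage, the benign control events and the Event type are assumptions of this example.

```python
"""Flag a drop-then-execute chain in endpoint telemetry (added example)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    kind: str             # 'file_create' or 'process_create'
    pid: int              # writer (file_create) or the new process (process_create)
    image: str            # image path of that process
    path: str = ''        # file_create only: the path that was written
    parent_pid: int = 0   # process_create only


# Directories in which a freshly written executable is already worth a look.
SYSTEM_DIRS = ('c:\\windows\\syswow64\\', 'c:\\windows\\system32\\')


def dropped_exe_chain(events, min_depth=3):
    """Return the longest chain [(pid, image), ...] in which every stage after the
    first runs a file that its own parent wrote into SYSTEM_DIRS, or [] when no chain
    reaches min_depth hops below its root. Events must be in time order: the file
    write has to precede the process that executes it."""
    dropped_by = {}   # lower-case path -> pid that wrote it
    parent_of = {}    # pid -> parent pid, only for stages that ran a dropped file
    depth = {}        # pid -> number of drop-and-execute hops above it
    image_of = {}
    for ev in events:
        if ev.kind == 'file_create':
            if ev.path.lower().startswith(SYSTEM_DIRS):
                dropped_by[ev.path.lower()] = ev.pid
        elif ev.kind == 'process_create':
            image_of[ev.pid] = ev.image
            if dropped_by.get(ev.image.lower()) == ev.parent_pid:
                parent_of[ev.pid] = ev.parent_pid
                depth[ev.pid] = depth.get(ev.parent_pid, 0) + 1
            else:
                depth[ev.pid] = 0
    if not depth or max(depth.values()) < min_depth:
        return []
    pid, chain = max(depth, key=depth.get), []
    while pid is not None:
        chain.append((pid, image_of.get(pid, '?')))
        pid = parent_of.get(pid)
    return chain[::-1]


# Constructed event stream modelled on the first stages of this report.
ROOT = r'C:\Users\Admin\AppData\Local\Temp\0ed612aa85ac3fa8e38dd388e5a12ca0N.exe'
W = r'C:\Windows\SysWOW64'
SAMPLE_EVENTS = [
    Event('process_create', 3060, ROOT, parent_pid=1000),   # parent PID is made up
    Event('file_create', 3060, ROOT, path=W + r'\Cdlmlidp.exe'),
    Event('process_create', 2344, W + r'\Cdlmlidp.exe', parent_pid=3060),
    Event('file_create', 2344, W + r'\Cdlmlidp.exe', path=W + r'\Chgimh32.exe'),
    Event('process_create', 2356, W + r'\Chgimh32.exe', parent_pid=2344),
    Event('file_create', 2356, W + r'\Chgimh32.exe', path=W + r'\Cmdaeo32.exe'),
    Event('process_create', 2864, W + r'\Cmdaeo32.exe', parent_pid=2356),
    # Benign controls (constructed): an installer writes a DLL that nobody executes,
    # and a system binary is started by a chain member without having been dropped by it.
    Event('file_create', 500, r'C:\Windows\System32\msiexec.exe', path=W + r'\vendor.dll'),
    Event('process_create', 4100, W + r'\notepad.exe', parent_pid=3060),
]

if __name__ == '__main__':
    for pid, image in dropped_exe_chain(SAMPLE_EVENTS):
        print(pid, image)
```

With the sample stream the chain 3060 → 2344 → 2356 → 2864 is reported at the default depth of 3 and nothing is reported at depth 4, while the installer write and the notepad launch never enter a chain. Sysmon records the real image path, so the SysWOW64 file write and the SysWOW64 image compare equal; a source that logs the unredirected C:\Windows\system32\... command line instead needs that path normalised for 32-bit processes before the comparison.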