Analysis
-
max time kernel
38s -
max time network
16s -
platform
windows7_x64 -
resource
win7-20240729-en -
resource tags
arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system -
submitted
29-08-2024 12:47
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
7c63768f98b4f11045d2a9de6a6f8d90N.exe
Resource
win7-20240729-en
windows7-x64
8 signatures
120 seconds
Behavioral task
behavioral2
Sample
7c63768f98b4f11045d2a9de6a6f8d90N.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
7 signatures
120 seconds
General
-
Target
7c63768f98b4f11045d2a9de6a6f8d90N.exe
-
Size
96KB
-
MD5
7c63768f98b4f11045d2a9de6a6f8d90
-
SHA1
62a823296d8ee007b16db91b8acf86fd7f51a968
-
SHA256
d31cdd35fedfd2ebb7efe1e2f45d0e8a4d44185b1ac1dd48fba3f45cb77512ba
-
SHA512
0e86a972c63009bb967cb81b21af47bcbd327f8342506787c75f98dd8d32f9590201fae7c0fcee308a2c898b30c24ab097fc789d05a59b93b4662e632aad0d7e
-
SSDEEP
1536:GS1hXw7AvSEpxzo8l/0toNrK4EPHGZqVmpblxpBYduV9jojTIvjrH:D1BwoSwM8lctoNfgHGZqGvpBYd69jc0X
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jdjgfomh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Meeopdhb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gbdlnf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iokahhac.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jgkphj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kbkgig32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fclbgj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hplbamdf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mecbjd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Odanqb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lgmekpmn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ekhjlioa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gindjqnc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hmiljb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jnbkodci.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jlekja32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lighjd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lndqbk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fdgefn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hlecmkel.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nlmffa32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nmbmii32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nhhqfb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cpgglifo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hplbamdf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gdnkkmej.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kgjlgm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gphlgk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lcffgnnc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kbncof32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ljbkig32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kjkehhjf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Oacbdg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ecobmg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gcchgini.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gnabcf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iagaod32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lfilnh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mhckloge.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dhibakmb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dpgckm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oipcnieb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gindjqnc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Okijhmcm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ffpkob32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nebnigmp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Malpee32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hmiljb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jlghpa32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ikjlmjmp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mjmnmk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ileoknhh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Iabhdefo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Miiaogio.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Npffaq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ddpbfl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kccian32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ihlpqonl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kbkgig32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fqnfkoen.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hdhnal32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gfadcemm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Liboodmk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nlapaapg.exe -
Executes dropped EXE 64 IoCs
pid Process 2644 Cdnjaibm.exe 2840 Cikbjpqd.exe 2816 Clinfk32.exe 2452 Cpgglifo.exe 2856 Cgaoic32.exe 2756 Cipleo32.exe 2260 Coldmfkf.exe 2396 Dakpiajj.exe 264 Dlpdfjjp.exe 2988 Dooqceid.exe 2760 Dhgelk32.exe 316 Doamhe32.exe 2664 Dekeeonn.exe 840 Dhibakmb.exe 2204 Dnfjiali.exe 2636 Ddpbfl32.exe 2132 Djmknb32.exe 952 Dpgckm32.exe 552 Dcepgh32.exe 2208 Ejohdbok.exe 1000 Echlmh32.exe 2200 Effhic32.exe 2152 Ecjibgdh.exe 1080 Egeecf32.exe 1340 Elbmkm32.exe 2380 Eclfhgaf.exe 2188 Ehinpnpm.exe 2888 Ekhjlioa.exe 2968 Ecobmg32.exe 2900 Emggflfc.exe 2684 Ffpkob32.exe 2240 Fdblkoco.exe 1160 Fdehpn32.exe 2100 Fgcdlj32.exe 816 Fdgefn32.exe 2752 Fcjeakfd.exe 2428 Fjdnne32.exe 2780 Fqnfkoen.exe 1576 Fclbgj32.exe 2940 Fghngimj.exe 2108 Fmgcepio.exe 2148 Gpeoakhc.exe 2076 Gbdlnf32.exe 1760 Gindjqnc.exe 2068 Gmipko32.exe 2572 Gphlgk32.exe 1056 Gcchgini.exe 1532 Gfadcemm.exe 1796 Gipqpplq.exe 2896 Gpjilj32.exe 2800 Gnmihgkh.exe 2920 Gfdaid32.exe 2944 Gegaeabe.exe 1344 Gplebjbk.exe 2432 Gbkaneao.exe 2012 Ganbjb32.exe 3000 Geinjapb.exe 2548 Glcfgk32.exe 2344 Gnabcf32.exe 1624 Gapoob32.exe 2112 Gdnkkmej.exe 2072 Hlecmkel.exe 2008 Hndoifdp.exe 1712 Hmgodc32.exe -
Loads dropped DLL 64 IoCs
pid Process 2296 7c63768f98b4f11045d2a9de6a6f8d90N.exe 2296 7c63768f98b4f11045d2a9de6a6f8d90N.exe 2644 Cdnjaibm.exe 2644 Cdnjaibm.exe 2840 Cikbjpqd.exe 2840 Cikbjpqd.exe 2816 Clinfk32.exe 2816 Clinfk32.exe 2452 Cpgglifo.exe 2452 Cpgglifo.exe 2856 Cgaoic32.exe 2856 Cgaoic32.exe 2756 Cipleo32.exe 2756 Cipleo32.exe 2260 Coldmfkf.exe 2260 Coldmfkf.exe 2396 Dakpiajj.exe 2396 Dakpiajj.exe 264 Dlpdfjjp.exe 264 Dlpdfjjp.exe 2988 Dooqceid.exe 2988 Dooqceid.exe 2760 Dhgelk32.exe 2760 Dhgelk32.exe 316 Doamhe32.exe 316 Doamhe32.exe 2664 Dekeeonn.exe 2664 Dekeeonn.exe 840 Dhibakmb.exe 840 Dhibakmb.exe 2204 Dnfjiali.exe 2204 Dnfjiali.exe 2636 Ddpbfl32.exe 2636 Ddpbfl32.exe 2132 Djmknb32.exe 2132 Djmknb32.exe 952 Dpgckm32.exe 952 Dpgckm32.exe 552 Dcepgh32.exe 552 Dcepgh32.exe 2208 Ejohdbok.exe 2208 Ejohdbok.exe 1000 Echlmh32.exe 1000 Echlmh32.exe 2200 Effhic32.exe 2200 Effhic32.exe 2152 Ecjibgdh.exe 2152 Ecjibgdh.exe 1080 Egeecf32.exe 1080 Egeecf32.exe 1340 Elbmkm32.exe 1340 Elbmkm32.exe 2380 Eclfhgaf.exe 2380 Eclfhgaf.exe 2188 Ehinpnpm.exe 2188 Ehinpnpm.exe 2888 Ekhjlioa.exe 2888 Ekhjlioa.exe 2968 Ecobmg32.exe 2968 Ecobmg32.exe 2900 Emggflfc.exe 2900 Emggflfc.exe 2684 Ffpkob32.exe 2684 Ffpkob32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Cenqenin.dll Cpgglifo.exe File opened for modification C:\Windows\SysWOW64\Lenioenj.exe Lfkhch32.exe File created C:\Windows\SysWOW64\Jhenggfi.dll Mmpcdfem.exe File opened for modification C:\Windows\SysWOW64\Nphbfplf.exe Nlmffa32.exe File created C:\Windows\SysWOW64\Ffpkob32.exe Emggflfc.exe File created C:\Windows\SysWOW64\Fqnfkoen.exe Fjdnne32.exe File created C:\Windows\SysWOW64\Komjmk32.exe Khcbpa32.exe File opened for modification C:\Windows\SysWOW64\Oacbdg32.exe Omgfdhbq.exe File created C:\Windows\SysWOW64\Kdjceb32.exe Kbkgig32.exe File opened for modification C:\Windows\SysWOW64\Nlapaapg.exe Ndjhpcoe.exe File opened for modification C:\Windows\SysWOW64\Oegdcj32.exe Ocihgo32.exe File created C:\Windows\SysWOW64\Nkdegmha.dll Ejohdbok.exe File opened for modification C:\Windows\SysWOW64\Fgcdlj32.exe Fdehpn32.exe File created C:\Windows\SysWOW64\Idkhbked.dll Hpghfn32.exe File created C:\Windows\SysWOW64\Fphepgbl.dll Hdhnal32.exe File opened for modification C:\Windows\SysWOW64\Jafmngde.exe Johaalea.exe File created C:\Windows\SysWOW64\Ifnpchjd.dll Kfdfdf32.exe File created C:\Windows\SysWOW64\Eohhqjab.dll Lmqgec32.exe File created C:\Windows\SysWOW64\Fapapi32.dll Oibpdico.exe File created C:\Windows\SysWOW64\Dakpiajj.exe Coldmfkf.exe File created C:\Windows\SysWOW64\Fdehpn32.exe Fdblkoco.exe File opened for modification C:\Windows\SysWOW64\Iekgod32.exe Ifhgcgjq.exe File created C:\Windows\SysWOW64\Jnbkodci.exe Jkdoci32.exe File opened for modification C:\Windows\SysWOW64\Jdjgfomh.exe Jakjjcnd.exe File opened for modification C:\Windows\SysWOW64\Kghoan32.exe Kdjceb32.exe File created C:\Windows\SysWOW64\Kjihci32.exe Kgjlgm32.exe File opened for modification C:\Windows\SysWOW64\Magfjebk.exe Mnijnjbh.exe File created C:\Windows\SysWOW64\Dekeeonn.exe Doamhe32.exe File created C:\Windows\SysWOW64\Cflibl32.dll Hibidc32.exe File created C:\Windows\SysWOW64\Cgdomige.dll Jfbinf32.exe File created C:\Windows\SysWOW64\Kfbemi32.exe Kccian32.exe File opened for modification C:\Windows\SysWOW64\Gplebjbk.exe Gegaeabe.exe File created C:\Windows\SysWOW64\Hjoiiffo.exe Hdeall32.exe File created C:\Windows\SysWOW64\Njfiqneo.dll Hffjng32.exe File created C:\Windows\SysWOW64\Ogmngn32.exe Odoakckp.exe File opened for modification C:\Windows\SysWOW64\Lmqgec32.exe Ljbkig32.exe File created C:\Windows\SysWOW64\Iekgod32.exe Ifhgcgjq.exe File created C:\Windows\SysWOW64\Iijfeeok.dll Iokahhac.exe File created C:\Windows\SysWOW64\Dpgdad32.dll Jcfjhj32.exe File opened for modification C:\Windows\SysWOW64\Kmjaddii.exe Kjkehhjf.exe File created C:\Windows\SysWOW64\Mdmlljbm.dll Jgkphj32.exe File created C:\Windows\SysWOW64\Oacbdg32.exe Omgfdhbq.exe File created C:\Windows\SysWOW64\Giedhjnn.dll Oingii32.exe File created C:\Windows\SysWOW64\Hidnidah.dll Olopjddf.exe File opened for modification C:\Windows\SysWOW64\Jgmlmj32.exe Jofdll32.exe File created C:\Windows\SysWOW64\Afokoc32.dll Ddpbfl32.exe File created C:\Windows\SysWOW64\Engmglod.dll Ffpkob32.exe File opened for modification C:\Windows\SysWOW64\Fdgefn32.exe Fgcdlj32.exe File created C:\Windows\SysWOW64\Hhopgkin.exe Hpghfn32.exe File opened for modification C:\Windows\SysWOW64\Nbfobllj.exe Nphbfplf.exe File created C:\Windows\SysWOW64\Fclbgj32.exe Fqnfkoen.exe File opened for modification C:\Windows\SysWOW64\Hndoifdp.exe Hlecmkel.exe File created C:\Windows\SysWOW64\Kjnanhhc.exe Kfbemi32.exe File opened for modification C:\Windows\SysWOW64\Ljbkig32.exe Lbkchj32.exe File opened for modification C:\Windows\SysWOW64\Mjpkbk32.exe Mganfp32.exe File opened for modification C:\Windows\SysWOW64\Mmcpjfcj.exe Mfihml32.exe File opened for modification C:\Windows\SysWOW64\Nejdjf32.exe Nmbmii32.exe File opened for modification C:\Windows\SysWOW64\Egeecf32.exe Ecjibgdh.exe File created C:\Windows\SysWOW64\Jkolkfab.dll Ekhjlioa.exe File opened for modification C:\Windows\SysWOW64\Fmgcepio.exe Fghngimj.exe File created C:\Windows\SysWOW64\Dkpgohdb.dll Jafmngde.exe File created C:\Windows\SysWOW64\Malpee32.exe Mmpcdfem.exe File opened for modification C:\Windows\SysWOW64\Npffaq32.exe Nilndfgl.exe File created C:\Windows\SysWOW64\Djmknb32.exe Ddpbfl32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 3308 3336 WerFault.exe 257 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lqjfpbmm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lighjd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cipleo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mnijnjbh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jllakpdk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Igffmkno.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jnbkodci.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jafmngde.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kdjceb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mbpibm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mfkebkjk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oibpdico.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gmipko32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mecbjd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dekeeonn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fdgefn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ogpjmn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Npffaq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kfbemi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mjpkbk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hibidc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kfdfdf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ikjlmjmp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iokahhac.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kccian32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ljbkig32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iagaod32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cpgglifo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iockhigl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jljeeqfn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7c63768f98b4f11045d2a9de6a6f8d90N.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fdehpn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gnmihgkh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ileoknhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lbmpnjai.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Npcika32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cikbjpqd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hmiljb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jlekja32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Meeopdhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Opjlkc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cdnjaibm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ecjibgdh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fmgcepio.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hjmmcgha.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dcepgh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gegaeabe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nbfobllj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Omgfdhbq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ddpbfl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mganfp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eclfhgaf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nepach32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gcchgini.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lbbiii32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ihnmfoli.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kjnanhhc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lmqgec32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mjbghkfi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Manljd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dlpdfjjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oaqeogll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Odoakckp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Koogbk32.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dcihik32.dll" Ogpjmn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ophoecoa.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ecjibgdh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Gipqpplq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Nbbegl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ihlpqonl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jlekja32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Lbbiii32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhenggfi.dll" Mmpcdfem.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dhibakmb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Epjqgm32.dll" Hlecmkel.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hlcbfnjk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Djmknb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ioheci32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hlkmcjlp.dll" Nbbegl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gdkniice.dll" Gfadcemm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Djhnco32.dll" Gpjilj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Iockhigl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Lbkchj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nfgbdo32.dll" Lenioenj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID 7c63768f98b4f11045d2a9de6a6f8d90N.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cikbjpqd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Fmgcepio.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Meeopdhb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Baipij32.dll" Jkdoci32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Lighjd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fdgefn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hagepa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nnpkcl32.dll" Hlcbfnjk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fdblkoco.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hjmmcgha.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jafmngde.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Manljd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Nilndfgl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cpgglifo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Idkhbked.dll" Hpghfn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jnbkodci.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jdjgfomh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pfgmna32.dll" Mbpibm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Miiaogio.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Noifmmec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Olopjddf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cipleo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hjoiiffo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Palkap32.dll" Ibadnhmb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Iainddpg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Koogbk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Leqeed32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Nfpnnk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Nphbfplf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jmdkjqpq.dll" Nhhqfb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Nhhqfb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jdlclo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kdjceb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Lbkchj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kghoan32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Elbmkm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Phlaof32.dll" Ifhgcgjq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eejnjgnc.dll" Ieppjclf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nhmgakjn.dll" Elbmkm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Fdblkoco.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mcfabpac.dll" Iainddpg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kmjaddii.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cblmfa32.dll" Kjnanhhc.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2296 wrote to memory of 2644 2296 7c63768f98b4f11045d2a9de6a6f8d90N.exe 30 PID 2296 wrote to memory of 2644 2296 7c63768f98b4f11045d2a9de6a6f8d90N.exe 30 PID 2296 wrote to memory of 2644 2296 7c63768f98b4f11045d2a9de6a6f8d90N.exe 30 PID 2296 wrote to memory of 2644 2296 7c63768f98b4f11045d2a9de6a6f8d90N.exe 30 PID 2644 wrote to memory of 2840 2644 Cdnjaibm.exe 31 PID 2644 wrote to memory of 2840 2644 Cdnjaibm.exe 31 PID 2644 wrote to memory of 2840 2644 Cdnjaibm.exe 31 PID 2644 wrote to memory of 2840 2644 Cdnjaibm.exe 31 PID 2840 wrote to memory of 2816 2840 Cikbjpqd.exe 32 PID 2840 wrote to memory of 2816 2840 Cikbjpqd.exe 32 PID 2840 wrote to memory of 2816 2840 Cikbjpqd.exe 32 PID 2840 wrote to memory of 2816 2840 Cikbjpqd.exe 32 PID 2816 wrote to memory of 2452 2816 Clinfk32.exe 33 PID 2816 wrote to memory of 2452 2816 Clinfk32.exe 33 PID 2816 wrote to memory of 2452 2816 Clinfk32.exe 33 PID 2816 wrote to memory of 2452 2816 Clinfk32.exe 33 PID 2452 wrote to memory of 2856 2452 Cpgglifo.exe 34 PID 2452 wrote to memory of 2856 2452 Cpgglifo.exe 34 PID 2452 wrote to memory of 2856 2452 Cpgglifo.exe 34 PID 2452 wrote to memory of 2856 2452 Cpgglifo.exe 34 PID 2856 wrote to memory of 2756 2856 Cgaoic32.exe 35 PID 2856 wrote to memory of 2756 2856 Cgaoic32.exe 35 PID 2856 wrote to memory of 2756 2856 Cgaoic32.exe 35 PID 2856 wrote to memory of 2756 2856 Cgaoic32.exe 35 PID 2756 wrote to memory of 2260 2756 Cipleo32.exe 36 PID 2756 wrote to memory of 2260 2756 Cipleo32.exe 36 PID 2756 wrote to memory of 2260 2756 Cipleo32.exe 36 PID 2756 wrote to memory of 2260 2756 Cipleo32.exe 36 PID 2260 wrote to memory of 2396 2260 Coldmfkf.exe 37 PID 2260 wrote to memory of 2396 2260 Coldmfkf.exe 37 PID 2260 wrote to memory of 2396 2260 Coldmfkf.exe 37 PID 2260 wrote to memory of 2396 2260 Coldmfkf.exe 37 PID 2396 wrote to memory of 264 2396 Dakpiajj.exe 38 PID 2396 wrote to memory of 264 2396 Dakpiajj.exe 38 PID 2396 wrote to memory of 264 2396 Dakpiajj.exe 38 PID 2396 wrote to memory of 264 2396 Dakpiajj.exe 38 PID 264 wrote to memory of 2988 264 Dlpdfjjp.exe 39 PID 264 wrote to memory of 2988 264 Dlpdfjjp.exe 39 PID 264 wrote to memory of 2988 264 Dlpdfjjp.exe 39 PID 264 wrote to memory of 2988 264 Dlpdfjjp.exe 39 PID 2988 wrote to memory of 2760 2988 Dooqceid.exe 40 PID 2988 wrote to memory of 2760 2988 Dooqceid.exe 40 PID 2988 wrote to memory of 2760 2988 Dooqceid.exe 40 PID 2988 wrote to memory of 2760 2988 Dooqceid.exe 40 PID 2760 wrote to memory of 316 2760 Dhgelk32.exe 41 PID 2760 wrote to memory of 316 2760 Dhgelk32.exe 41 PID 2760 wrote to memory of 316 2760 Dhgelk32.exe 41 PID 2760 wrote to memory of 316 2760 Dhgelk32.exe 41 PID 316 wrote to memory of 2664 316 Doamhe32.exe 42 PID 316 wrote to memory of 2664 316 Doamhe32.exe 42 PID 316 wrote to memory of 2664 316 Doamhe32.exe 42 PID 316 wrote to memory of 2664 316 Doamhe32.exe 42 PID 2664 wrote to memory of 840 2664 Dekeeonn.exe 43 PID 2664 wrote to memory of 840 2664 Dekeeonn.exe 43 PID 2664 wrote to memory of 840 2664 Dekeeonn.exe 43 PID 2664 wrote to memory of 840 2664 Dekeeonn.exe 43 PID 840 wrote to memory of 2204 840 Dhibakmb.exe 44 PID 840 wrote to memory of 2204 840 Dhibakmb.exe 44 PID 840 wrote to memory of 2204 840 Dhibakmb.exe 44 PID 840 wrote to memory of 2204 840 Dhibakmb.exe 44 PID 2204 wrote to memory of 2636 2204 Dnfjiali.exe 45 PID 2204 wrote to memory of 2636 2204 Dnfjiali.exe 45 PID 2204 wrote to memory of 2636 2204 Dnfjiali.exe 45 PID 2204 wrote to memory of 2636 2204 Dnfjiali.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\7c63768f98b4f11045d2a9de6a6f8d90N.exe"C:\Users\Admin\AppData\Local\Temp\7c63768f98b4f11045d2a9de6a6f8d90N.exe"1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2296 -
C:\Windows\SysWOW64\Cdnjaibm.exeC:\Windows\system32\Cdnjaibm.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2644 -
C:\Windows\SysWOW64\Cikbjpqd.exeC:\Windows\system32\Cikbjpqd.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2840 -
C:\Windows\SysWOW64\Clinfk32.exeC:\Windows\system32\Clinfk32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2816 -
C:\Windows\SysWOW64\Cpgglifo.exeC:\Windows\system32\Cpgglifo.exe5⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2452 -
C:\Windows\SysWOW64\Cgaoic32.exeC:\Windows\system32\Cgaoic32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2856 -
C:\Windows\SysWOW64\Cipleo32.exeC:\Windows\system32\Cipleo32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2756 -
C:\Windows\SysWOW64\Coldmfkf.exeC:\Windows\system32\Coldmfkf.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2260 -
C:\Windows\SysWOW64\Dakpiajj.exeC:\Windows\system32\Dakpiajj.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2396 -
C:\Windows\SysWOW64\Dlpdfjjp.exeC:\Windows\system32\Dlpdfjjp.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:264 -
C:\Windows\SysWOW64\Dooqceid.exeC:\Windows\system32\Dooqceid.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2988 -
C:\Windows\SysWOW64\Dhgelk32.exeC:\Windows\system32\Dhgelk32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2760 -
C:\Windows\SysWOW64\Doamhe32.exeC:\Windows\system32\Doamhe32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:316 -
C:\Windows\SysWOW64\Dekeeonn.exeC:\Windows\system32\Dekeeonn.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2664 -
C:\Windows\SysWOW64\Dhibakmb.exeC:\Windows\system32\Dhibakmb.exe15⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:840 -
C:\Windows\SysWOW64\Dnfjiali.exeC:\Windows\system32\Dnfjiali.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2204 -
C:\Windows\SysWOW64\Ddpbfl32.exeC:\Windows\system32\Ddpbfl32.exe17⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2636 -
C:\Windows\SysWOW64\Djmknb32.exeC:\Windows\system32\Djmknb32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2132 -
C:\Windows\SysWOW64\Dpgckm32.exeC:\Windows\system32\Dpgckm32.exe19⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:952 -
C:\Windows\SysWOW64\Dcepgh32.exeC:\Windows\system32\Dcepgh32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:552 -
C:\Windows\SysWOW64\Ejohdbok.exeC:\Windows\system32\Ejohdbok.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2208 -
C:\Windows\SysWOW64\Echlmh32.exeC:\Windows\system32\Echlmh32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1000 -
C:\Windows\SysWOW64\Effhic32.exeC:\Windows\system32\Effhic32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2200 -
C:\Windows\SysWOW64\Ecjibgdh.exeC:\Windows\system32\Ecjibgdh.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2152 -
C:\Windows\SysWOW64\Egeecf32.exeC:\Windows\system32\Egeecf32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1080 -
C:\Windows\SysWOW64\Elbmkm32.exeC:\Windows\system32\Elbmkm32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1340 -
C:\Windows\SysWOW64\Eclfhgaf.exeC:\Windows\system32\Eclfhgaf.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2380 -
C:\Windows\SysWOW64\Ehinpnpm.exeC:\Windows\system32\Ehinpnpm.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2188 -
C:\Windows\SysWOW64\Ekhjlioa.exeC:\Windows\system32\Ekhjlioa.exe29⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2888 -
C:\Windows\SysWOW64\Ecobmg32.exeC:\Windows\system32\Ecobmg32.exe30⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2968 -
C:\Windows\SysWOW64\Emggflfc.exeC:\Windows\system32\Emggflfc.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2900 -
C:\Windows\SysWOW64\Ffpkob32.exeC:\Windows\system32\Ffpkob32.exe32⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2684 -
C:\Windows\SysWOW64\Fdblkoco.exeC:\Windows\system32\Fdblkoco.exe33⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2240 -
C:\Windows\SysWOW64\Fdehpn32.exeC:\Windows\system32\Fdehpn32.exe34⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1160 -
C:\Windows\SysWOW64\Fgcdlj32.exeC:\Windows\system32\Fgcdlj32.exe35⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2100 -
C:\Windows\SysWOW64\Fdgefn32.exeC:\Windows\system32\Fdgefn32.exe36⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:816 -
C:\Windows\SysWOW64\Fcjeakfd.exeC:\Windows\system32\Fcjeakfd.exe37⤵
- Executes dropped EXE
PID:2752 -
C:\Windows\SysWOW64\Fjdnne32.exeC:\Windows\system32\Fjdnne32.exe38⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2428 -
C:\Windows\SysWOW64\Fqnfkoen.exeC:\Windows\system32\Fqnfkoen.exe39⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2780 -
C:\Windows\SysWOW64\Fclbgj32.exeC:\Windows\system32\Fclbgj32.exe40⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1576 -
C:\Windows\SysWOW64\Fghngimj.exeC:\Windows\system32\Fghngimj.exe41⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2940 -
C:\Windows\SysWOW64\Fmgcepio.exeC:\Windows\system32\Fmgcepio.exe42⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2108 -
C:\Windows\SysWOW64\Gpeoakhc.exeC:\Windows\system32\Gpeoakhc.exe43⤵
- Executes dropped EXE
PID:2148 -
C:\Windows\SysWOW64\Gbdlnf32.exeC:\Windows\system32\Gbdlnf32.exe44⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2076 -
C:\Windows\SysWOW64\Gindjqnc.exeC:\Windows\system32\Gindjqnc.exe45⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1760 -
C:\Windows\SysWOW64\Gmipko32.exeC:\Windows\system32\Gmipko32.exe46⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2068 -
C:\Windows\SysWOW64\Gphlgk32.exeC:\Windows\system32\Gphlgk32.exe47⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2572 -
C:\Windows\SysWOW64\Gcchgini.exeC:\Windows\system32\Gcchgini.exe48⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1056 -
C:\Windows\SysWOW64\Gfadcemm.exeC:\Windows\system32\Gfadcemm.exe49⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:1532 -
C:\Windows\SysWOW64\Gipqpplq.exeC:\Windows\system32\Gipqpplq.exe50⤵
- Executes dropped EXE
- Modifies registry class
PID:1796 -
C:\Windows\SysWOW64\Gpjilj32.exeC:\Windows\system32\Gpjilj32.exe51⤵
- Executes dropped EXE
- Modifies registry class
PID:2896 -
C:\Windows\SysWOW64\Gnmihgkh.exeC:\Windows\system32\Gnmihgkh.exe52⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2800 -
C:\Windows\SysWOW64\Gfdaid32.exeC:\Windows\system32\Gfdaid32.exe53⤵
- Executes dropped EXE
PID:2920 -
C:\Windows\SysWOW64\Gegaeabe.exeC:\Windows\system32\Gegaeabe.exe54⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2944 -
C:\Windows\SysWOW64\Gplebjbk.exeC:\Windows\system32\Gplebjbk.exe55⤵
- Executes dropped EXE
PID:1344 -
C:\Windows\SysWOW64\Gbkaneao.exeC:\Windows\system32\Gbkaneao.exe56⤵
- Executes dropped EXE
PID:2432 -
C:\Windows\SysWOW64\Ganbjb32.exeC:\Windows\system32\Ganbjb32.exe57⤵
- Executes dropped EXE
PID:2012 -
C:\Windows\SysWOW64\Geinjapb.exeC:\Windows\system32\Geinjapb.exe58⤵
- Executes dropped EXE
PID:3000 -
C:\Windows\SysWOW64\Glcfgk32.exeC:\Windows\system32\Glcfgk32.exe59⤵
- Executes dropped EXE
PID:2548 -
C:\Windows\SysWOW64\Gnabcf32.exeC:\Windows\system32\Gnabcf32.exe60⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2344 -
C:\Windows\SysWOW64\Gapoob32.exeC:\Windows\system32\Gapoob32.exe61⤵
- Executes dropped EXE
PID:1624 -
C:\Windows\SysWOW64\Gdnkkmej.exeC:\Windows\system32\Gdnkkmej.exe62⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2112 -
C:\Windows\SysWOW64\Hlecmkel.exeC:\Windows\system32\Hlecmkel.exe63⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2072 -
C:\Windows\SysWOW64\Hndoifdp.exeC:\Windows\system32\Hndoifdp.exe64⤵
- Executes dropped EXE
PID:2008 -
C:\Windows\SysWOW64\Hmgodc32.exeC:\Windows\system32\Hmgodc32.exe65⤵
- Executes dropped EXE
PID:1712 -
C:\Windows\SysWOW64\Hengep32.exeC:\Windows\system32\Hengep32.exe66⤵PID:1332
-
C:\Windows\SysWOW64\Hjkpng32.exeC:\Windows\system32\Hjkpng32.exe67⤵PID:568
-
C:\Windows\SysWOW64\Hmiljb32.exeC:\Windows\system32\Hmiljb32.exe68⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:1216 -
C:\Windows\SysWOW64\Hpghfn32.exeC:\Windows\system32\Hpghfn32.exe69⤵
- Drops file in System32 directory
- Modifies registry class
PID:2604 -
C:\Windows\SysWOW64\Hhopgkin.exeC:\Windows\system32\Hhopgkin.exe70⤵PID:2976
-
C:\Windows\SysWOW64\Hjmmcgha.exeC:\Windows\system32\Hjmmcgha.exe71⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2928 -
C:\Windows\SysWOW64\Hmkiobge.exeC:\Windows\system32\Hmkiobge.exe72⤵PID:2692
-
C:\Windows\SysWOW64\Hagepa32.exeC:\Windows\system32\Hagepa32.exe73⤵
- Modifies registry class
PID:2740 -
C:\Windows\SysWOW64\Hdeall32.exeC:\Windows\system32\Hdeall32.exe74⤵
- Drops file in System32 directory
PID:1616 -
C:\Windows\SysWOW64\Hjoiiffo.exeC:\Windows\system32\Hjoiiffo.exe75⤵
- Modifies registry class
PID:1620 -
C:\Windows\SysWOW64\Hibidc32.exeC:\Windows\system32\Hibidc32.exe76⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1408 -
C:\Windows\SysWOW64\Hplbamdf.exeC:\Windows\system32\Hplbamdf.exe77⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2356 -
C:\Windows\SysWOW64\Hdhnal32.exeC:\Windows\system32\Hdhnal32.exe78⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2084 -
C:\Windows\SysWOW64\Hffjng32.exeC:\Windows\system32\Hffjng32.exe79⤵
- Drops file in System32 directory
PID:1868 -
C:\Windows\SysWOW64\Hidfjckg.exeC:\Windows\system32\Hidfjckg.exe80⤵PID:2004
-
C:\Windows\SysWOW64\Hlcbfnjk.exeC:\Windows\system32\Hlcbfnjk.exe81⤵
- Modifies registry class
PID:1556 -
C:\Windows\SysWOW64\Ifhgcgjq.exeC:\Windows\system32\Ifhgcgjq.exe82⤵
- Drops file in System32 directory
- Modifies registry class
PID:2272 -
C:\Windows\SysWOW64\Iekgod32.exeC:\Windows\system32\Iekgod32.exe83⤵PID:2640
-
C:\Windows\SysWOW64\Iigcobid.exeC:\Windows\system32\Iigcobid.exe84⤵PID:884
-
C:\Windows\SysWOW64\Ileoknhh.exeC:\Windows\system32\Ileoknhh.exe85⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:1308 -
C:\Windows\SysWOW64\Iockhigl.exeC:\Windows\system32\Iockhigl.exe86⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2880 -
C:\Windows\SysWOW64\Iabhdefo.exeC:\Windows\system32\Iabhdefo.exe87⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2712 -
C:\Windows\SysWOW64\Iiipeb32.exeC:\Windows\system32\Iiipeb32.exe88⤵PID:2276
-
C:\Windows\SysWOW64\Ihlpqonl.exeC:\Windows\system32\Ihlpqonl.exe89⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:1520 -
C:\Windows\SysWOW64\Ikjlmjmp.exeC:\Windows\system32\Ikjlmjmp.exe90⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:3016 -
C:\Windows\SysWOW64\Ibadnhmb.exeC:\Windows\system32\Ibadnhmb.exe91⤵
- Modifies registry class
PID:1964 -
C:\Windows\SysWOW64\Ieppjclf.exeC:\Windows\system32\Ieppjclf.exe92⤵
- Modifies registry class
PID:2096 -
C:\Windows\SysWOW64\Ihnmfoli.exeC:\Windows\system32\Ihnmfoli.exe93⤵
- System Location Discovery: System Language Discovery
PID:2672 -
C:\Windows\SysWOW64\Ioheci32.exeC:\Windows\system32\Ioheci32.exe94⤵
- Modifies registry class
PID:336 -
C:\Windows\SysWOW64\Iagaod32.exeC:\Windows\system32\Iagaod32.exe95⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:2300 -
C:\Windows\SysWOW64\Iebmpcjc.exeC:\Windows\system32\Iebmpcjc.exe96⤵PID:1680
-
C:\Windows\SysWOW64\Ihqilnig.exeC:\Windows\system32\Ihqilnig.exe97⤵PID:344
-
C:\Windows\SysWOW64\Iokahhac.exeC:\Windows\system32\Iokahhac.exe98⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1152 -
C:\Windows\SysWOW64\Iainddpg.exeC:\Windows\system32\Iainddpg.exe99⤵
- Modifies registry class
PID:612 -
C:\Windows\SysWOW64\Ihcfan32.exeC:\Windows\system32\Ihcfan32.exe100⤵PID:2236
-
C:\Windows\SysWOW64\Igffmkno.exeC:\Windows\system32\Igffmkno.exe101⤵
- System Location Discovery: System Language Discovery
PID:2736 -
C:\Windows\SysWOW64\Jidbifmb.exeC:\Windows\system32\Jidbifmb.exe102⤵PID:2056
-
C:\Windows\SysWOW64\Jakjjcnd.exeC:\Windows\system32\Jakjjcnd.exe103⤵
- Drops file in System32 directory
PID:2340 -
C:\Windows\SysWOW64\Jdjgfomh.exeC:\Windows\system32\Jdjgfomh.exe104⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2612 -
C:\Windows\SysWOW64\Jkdoci32.exeC:\Windows\system32\Jkdoci32.exe105⤵
- Drops file in System32 directory
- Modifies registry class
PID:1088 -
C:\Windows\SysWOW64\Jnbkodci.exeC:\Windows\system32\Jnbkodci.exe106⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1584 -
C:\Windows\SysWOW64\Jlekja32.exeC:\Windows\system32\Jlekja32.exe107⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1780 -
C:\Windows\SysWOW64\Jdlclo32.exeC:\Windows\system32\Jdlclo32.exe108⤵
- Modifies registry class
PID:2248 -
C:\Windows\SysWOW64\Jgkphj32.exeC:\Windows\system32\Jgkphj32.exe109⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2584 -
C:\Windows\SysWOW64\Jjilde32.exeC:\Windows\system32\Jjilde32.exe110⤵PID:692
-
C:\Windows\SysWOW64\Jlghpa32.exeC:\Windows\system32\Jlghpa32.exe111⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2600 -
C:\Windows\SysWOW64\Jofdll32.exeC:\Windows\system32\Jofdll32.exe112⤵
- Drops file in System32 directory
PID:2824 -
C:\Windows\SysWOW64\Jgmlmj32.exeC:\Windows\system32\Jgmlmj32.exe113⤵PID:2804
-
C:\Windows\SysWOW64\Jjkiie32.exeC:\Windows\system32\Jjkiie32.exe114⤵PID:1276
-
C:\Windows\SysWOW64\Jljeeqfn.exeC:\Windows\system32\Jljeeqfn.exe115⤵
- System Location Discovery: System Language Discovery
PID:1960 -
C:\Windows\SysWOW64\Johaalea.exeC:\Windows\system32\Johaalea.exe116⤵
- Drops file in System32 directory
PID:3012 -
C:\Windows\SysWOW64\Jafmngde.exeC:\Windows\system32\Jafmngde.exe117⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1224 -
C:\Windows\SysWOW64\Jfbinf32.exeC:\Windows\system32\Jfbinf32.exe118⤵
- Drops file in System32 directory
PID:2224 -
C:\Windows\SysWOW64\Jllakpdk.exeC:\Windows\system32\Jllakpdk.exe119⤵
- System Location Discovery: System Language Discovery
PID:1676 -
C:\Windows\SysWOW64\Jcfjhj32.exeC:\Windows\system32\Jcfjhj32.exe120⤵
- Drops file in System32 directory
PID:2832 -
C:\Windows\SysWOW64\Kfdfdf32.exeC:\Windows\system32\Kfdfdf32.exe121⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2924
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-