Analysis
-
max time kernel
113s -
max time network
19s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
09/09/2024, 07:44
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
4de534d238f43ae2fd502374a4496e90N.exe
Resource
win7-20240903-en
windows7-x64
8 signatures
120 seconds
Behavioral task
behavioral2
Sample
4de534d238f43ae2fd502374a4496e90N.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
7 signatures
120 seconds
General
-
Target
4de534d238f43ae2fd502374a4496e90N.exe
-
Size
64KB
-
MD5
4de534d238f43ae2fd502374a4496e90
-
SHA1
d2b08c06fc97113db6229d7c4f5dd191dda20508
-
SHA256
16949a8f9e217bbdea0afa59f21b6d723d17966f941c6c0f2b87371a7ed9bd58
-
SHA512
ea82ac5b48ddb8da1a615ed7350439f64726d002ccc1b184c5568eb4f638cd21de5a03bb758cc81f5a7a04539d0f22fbc50b072cce8c35dbed792aebbea9834a
-
SSDEEP
1536:FlDywbhUWrOm93OPL2FM2LyFCYrum8SPE:vU1m9EKFOVT8SE
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gomjckqc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Klapha32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Enagnc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nhnemdbf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Edpoeoea.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dhjdjc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dbqajk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mglpjc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Foidii32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hjmmcgha.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Omeini32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hmfhjmho.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ckijdm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Egimdmmc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aioppl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bnhljnhm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kngcbpjc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ggeiooea.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Moahdd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fangfcki.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Njgeel32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ldihjo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cklpml32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cccgni32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ibeeeijg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oblmom32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gfdaid32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Giejkp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mpjgag32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bineidcj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ehlmnfeo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jbdadl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fipdqmje.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gdnkkmej.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jgmlmj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cbljgpja.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Enepnoji.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pgacaaij.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eoimlc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gkimff32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nhpabdqd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oemhjlha.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cdlmlidp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fqkieogp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iebmpcjc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mkbhco32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jaamhb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mpipkl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hoegoqng.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jehbfjia.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ekhjlioa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lpmeojbo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pojgnf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fijolbfh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hengep32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bpbokj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dadcppbp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kgmilmkb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gikpjk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jonqfq32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jhmpbc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hiabjm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oicbma32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jlgcncli.exe -
Executes dropped EXE 64 IoCs
pid Process 2216 Dncdqcbl.exe 628 Dcpmijqc.exe 2784 Dbejjfek.exe 2640 Ehaolpke.exe 2908 Efeoedjo.exe 2536 Edjlgq32.exe 512 Ecoihm32.exe 1548 Edofbpja.exe 2396 Emjjfb32.exe 2612 Fbipdi32.exe 3020 Fcilnl32.exe 1948 Fbniohpl.exe 2168 Fbpfeh32.exe 2004 Gjljij32.exe 1148 Gahpkd32.exe 2060 Gnlpeh32.exe 968 Gamifcmi.exe 1008 Gihnkejd.exe 1348 Hflndjin.exe 1396 Hmefad32.exe 2052 Hhogaamj.exe 1620 Hoipnl32.exe 1608 Hhadgakg.exe 2212 Hhdqma32.exe 836 Hdkaabnh.exe 1044 Iaobkf32.exe 2672 Igkjcm32.exe 2736 Iilceh32.exe 2732 Idbgbahq.exe 2192 Iphhgb32.exe 2636 Ieeqpi32.exe 2748 Ihdmld32.exe 3044 Jopbnn32.exe 264 Jneoojeb.exe 2488 Joekimld.exe 3008 Jhmpbc32.exe 3012 Jgbmco32.exe 2092 Kqkalenn.exe 1192 Kckjmpko.exe 2188 Kobkbaac.exe 2024 Kfopdk32.exe 1116 Lefikg32.exe 1752 Lnqkjl32.exe 608 Lcncbc32.exe 1472 Lmfgkh32.exe 828 Ljjhdm32.exe 1488 Mmkafhnb.exe 2204 Mbginomj.exe 1412 Mmmnkglp.exe 2280 Mbjfcnkg.exe 2928 Mhfoleio.exe 1564 Maocekoo.exe 1556 Mifkfhpa.exe 2364 Maapjjml.exe 2596 Nacmpj32.exe 2868 Nhnemdbf.exe 2344 Nmjmekan.exe 2824 Nhpabdqd.exe 2700 Nknnnoph.exe 1960 Nahfkigd.exe 1964 Ngencpel.exe 1284 Nlbgkgcc.exe 1364 Nifgekbm.exe 2376 Oemhjlha.exe -
Loads dropped DLL 64 IoCs
pid Process 468 4de534d238f43ae2fd502374a4496e90N.exe 468 4de534d238f43ae2fd502374a4496e90N.exe 2216 Dncdqcbl.exe 2216 Dncdqcbl.exe 628 Dcpmijqc.exe 628 Dcpmijqc.exe 2784 Dbejjfek.exe 2784 Dbejjfek.exe 2640 Ehaolpke.exe 2640 Ehaolpke.exe 2908 Efeoedjo.exe 2908 Efeoedjo.exe 2536 Edjlgq32.exe 2536 Edjlgq32.exe 512 Ecoihm32.exe 512 Ecoihm32.exe 1548 Edofbpja.exe 1548 Edofbpja.exe 2396 Emjjfb32.exe 2396 Emjjfb32.exe 2612 Fbipdi32.exe 2612 Fbipdi32.exe 3020 Fcilnl32.exe 3020 Fcilnl32.exe 1948 Fbniohpl.exe 1948 Fbniohpl.exe 2168 Fbpfeh32.exe 2168 Fbpfeh32.exe 2004 Gjljij32.exe 2004 Gjljij32.exe 1148 Gahpkd32.exe 1148 Gahpkd32.exe 2060 Gnlpeh32.exe 2060 Gnlpeh32.exe 968 Gamifcmi.exe 968 Gamifcmi.exe 1008 Gihnkejd.exe 1008 Gihnkejd.exe 1348 Hflndjin.exe 1348 Hflndjin.exe 1396 Hmefad32.exe 1396 Hmefad32.exe 2052 Hhogaamj.exe 2052 Hhogaamj.exe 1620 Hoipnl32.exe 1620 Hoipnl32.exe 1608 Hhadgakg.exe 1608 Hhadgakg.exe 2212 Hhdqma32.exe 2212 Hhdqma32.exe 836 Hdkaabnh.exe 836 Hdkaabnh.exe 1044 Iaobkf32.exe 1044 Iaobkf32.exe 2672 Igkjcm32.exe 2672 Igkjcm32.exe 2736 Iilceh32.exe 2736 Iilceh32.exe 2732 Idbgbahq.exe 2732 Idbgbahq.exe 2192 Iphhgb32.exe 2192 Iphhgb32.exe 2636 Ieeqpi32.exe 2636 Ieeqpi32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Maocekoo.exe Mhfoleio.exe File created C:\Windows\SysWOW64\Flingf32.dll Lobbpg32.exe File opened for modification C:\Windows\SysWOW64\Olehbh32.exe Nfhpjaba.exe File opened for modification C:\Windows\SysWOW64\Lgpjcnhh.exe Kfnmnojj.exe File created C:\Windows\SysWOW64\Cdlmlidp.exe Cfhlbe32.exe File opened for modification C:\Windows\SysWOW64\Eibikc32.exe Ebhani32.exe File created C:\Windows\SysWOW64\Ggmldj32.exe Ggkoojip.exe File created C:\Windows\SysWOW64\Kfnmnojj.exe Kelqff32.exe File created C:\Windows\SysWOW64\Hgcmgfgc.dll Fbniohpl.exe File opened for modification C:\Windows\SysWOW64\Afhpca32.exe Amplklmj.exe File opened for modification C:\Windows\SysWOW64\Lbnbfb32.exe Lpmeojbo.exe File created C:\Windows\SysWOW64\Oagkfqbe.dll Nhmbfhfd.exe File opened for modification C:\Windows\SysWOW64\Pncljmko.exe Pcnhmdli.exe File created C:\Windows\SysWOW64\Nlgqod32.dll Dmdkkm32.exe File opened for modification C:\Windows\SysWOW64\Qnciiq32.exe Qifpqi32.exe File opened for modification C:\Windows\SysWOW64\Mjpkbk32.exe Mbdfni32.exe File created C:\Windows\SysWOW64\Laokdncm.dll Pojgnf32.exe File created C:\Windows\SysWOW64\Qpabid32.dll Hkfgnldd.exe File created C:\Windows\SysWOW64\Lehqli32.dll Dggcbf32.exe File opened for modification C:\Windows\SysWOW64\Ekhjlioa.exe Ejfnda32.exe File created C:\Windows\SysWOW64\Jkmaja32.dll Kkljfj32.exe File opened for modification C:\Windows\SysWOW64\Ljhngfkh.exe Lqpiopdh.exe File created C:\Windows\SysWOW64\Kbnnhm32.dll Legcjjjm.exe File created C:\Windows\SysWOW64\Nmkgcloo.dll Caepdk32.exe File created C:\Windows\SysWOW64\Mmdigbbj.dll Fijolbfh.exe File created C:\Windows\SysWOW64\Ikmjnnah.exe Ibeeeijg.exe File created C:\Windows\SysWOW64\Eoecbheg.exe Edpoeoea.exe File created C:\Windows\SysWOW64\Fhdaigqo.dll Biahijec.exe File created C:\Windows\SysWOW64\Jljgni32.exe Jepoao32.exe File opened for modification C:\Windows\SysWOW64\Dcpmijqc.exe Dncdqcbl.exe File created C:\Windows\SysWOW64\Khklgjgf.dll Qnciiq32.exe File created C:\Windows\SysWOW64\Qkgjae32.dll Hlcbfnjk.exe File created C:\Windows\SysWOW64\Hmchfbme.dll Elpjkgip.exe File created C:\Windows\SysWOW64\Opfdim32.exe Ohkpdj32.exe File opened for modification C:\Windows\SysWOW64\Ebhani32.exe Ejmljg32.exe File created C:\Windows\SysWOW64\Ifgpnf32.dll Fehodaqd.exe File opened for modification C:\Windows\SysWOW64\Odfofhic.exe Oojfnakl.exe File created C:\Windows\SysWOW64\Nmefoa32.dll Ogpjmn32.exe File created C:\Windows\SysWOW64\Jbldej32.dll Jehpna32.exe File opened for modification C:\Windows\SysWOW64\Lcfhpf32.exe Lnipgp32.exe File created C:\Windows\SysWOW64\Glaiak32.exe Gfdaid32.exe File created C:\Windows\SysWOW64\Cjfgalcq.exe Cghkepdm.exe File created C:\Windows\SysWOW64\Qiekadkl.exe Oicbma32.exe File created C:\Windows\SysWOW64\Ldcpnjhf.dll Gamifcmi.exe File opened for modification C:\Windows\SysWOW64\Mmkafhnb.exe Ljjhdm32.exe File created C:\Windows\SysWOW64\Miafbgjl.dll Fjaqhe32.exe File created C:\Windows\SysWOW64\Mginjnnp.exe Midqiaih.exe File created C:\Windows\SysWOW64\Imcaijia.exe Icjmpd32.exe File created C:\Windows\SysWOW64\Fillabde.exe Fofhdidp.exe File created C:\Windows\SysWOW64\Hqmepa32.dll Acjfpokk.exe File opened for modification C:\Windows\SysWOW64\Jemkai32.exe Jifkmh32.exe File created C:\Windows\SysWOW64\Jdgphqgg.dll Dabkla32.exe File created C:\Windows\SysWOW64\Oolbcaij.exe Odfofhic.exe File created C:\Windows\SysWOW64\Pipjpj32.exe Pfando32.exe File created C:\Windows\SysWOW64\Hmheol32.exe Hmfhjmho.exe File opened for modification C:\Windows\SysWOW64\Lkngkj32.exe Kkljfj32.exe File created C:\Windows\SysWOW64\Gjljij32.exe Fbpfeh32.exe File created C:\Windows\SysWOW64\Ebabicfn.exe Ekhjlioa.exe File created C:\Windows\SysWOW64\Qpcegn32.dll Cmlqimph.exe File opened for modification C:\Windows\SysWOW64\Cnjbfhqa.exe Ccdnipal.exe File created C:\Windows\SysWOW64\Ieiegf32.exe Hibebeqb.exe File opened for modification C:\Windows\SysWOW64\Ncjcnfcn.exe Njaoeq32.exe File opened for modification C:\Windows\SysWOW64\Akmgoehg.exe Apgcbmha.exe File opened for modification C:\Windows\SysWOW64\Jchobqnc.exe Ikmjnnah.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 4184 1396 WerFault.exe 716 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cikbjpqd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iockhigl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hiabjm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qhbdmeoe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Djhldahb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hjoiiffo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oheppe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Biahijec.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ldikbhfh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fomndhng.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Chdjpl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nkdpmn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hjplao32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mfijfdca.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hlcbfnjk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kgmilmkb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nhljpmlm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gghloe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cfknjfbl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ckebbgoj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cccgni32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lmfgkh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cojghf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fnoiocfj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cbljgpja.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iilocklc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bbflkcao.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gbkaneao.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qbkljd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ghlell32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bbapgknp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dhlapc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Egfglocf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lpmeojbo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cacegd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bcobdgoj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fcdele32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lolpah32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Odmgnl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oenmkngi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Epmahmcm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ggphji32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jpnfdbig.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pdqfnhpa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hoipnl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lcncbc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bclqme32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lmcdkbao.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fcingdbh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gnlbnagl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jgfghodj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jdbfjm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ljhngfkh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Acjfpokk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Edenjc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Danaqbgp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Elnagijk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ndjhpcoe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bigohejb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pnefiq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mbjfcnkg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pgogla32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aofklbnj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Caepdk32.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Liakqjpo.dll" Lednal32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Okcchbnn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cpejfjha.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fkjldmnf.dll" Cojghf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkokjpai.dll" Lijepc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Iklbhdga.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Idegal32.dll" Jfadoaih.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dmfhqmge.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mpfbjp32.dll" Fbpfeh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Giejkp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Iebmpcjc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hkkaik32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lejppj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lilmmghh.dll" Cobkhe32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gomjckqc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Amjkefmd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gppoqa32.dll" Npkaei32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebgefbed.dll" Dcgmgh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhckimed.dll" Aoamoefh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdncfedn.dll" Lejppj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Glaiak32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nakahn32.dll" Hpghfn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lcpbpk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jepoao32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jhahcjcf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qibhao32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Popfkjma.dll" Kfobmc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kllccpoi.dll" Ienfml32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iqgaenpf.dll" Hancef32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Anckcdco.dll" Bclqme32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gocnjn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mkplnp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Palkap32.dll" Iiipeb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cdjkhnje.dll" Mchadifq.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jpalmaad.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mpmdff32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mqoqlfkl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ljhnpb32.dll" Fncddc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Leialh32.dll" Ihaldgak.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jljgni32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Flfgiimk.dll" Eiefqc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Obkoniem.dll" Odiklh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dglkba32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ienfml32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Onmgeb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdihddlc.dll" Mqoqlfkl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fqkieogp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Phkfglid.dll" Gmipko32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cbfeam32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Djemfibq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pgacaaij.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kcipqi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ckijdm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dfgdpj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hpmjno32.dll" Fdmjmenh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ikooof32.dll" Ibnodj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mofjof32.dll" Pldnge32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbdjgbdg.dll" Oemhjlha.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gpjilj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ifhgcgjq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Oheppe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qfdkaj32.dll" Aofklbnj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elefkiaj.dll" Kaillp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Npdmdbpm.dll" Gahpkd32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 468 wrote to memory of 2216 468 4de534d238f43ae2fd502374a4496e90N.exe 30 PID 468 wrote to memory of 2216 468 4de534d238f43ae2fd502374a4496e90N.exe 30 PID 468 wrote to memory of 2216 468 4de534d238f43ae2fd502374a4496e90N.exe 30 PID 468 wrote to memory of 2216 468 4de534d238f43ae2fd502374a4496e90N.exe 30 PID 2216 wrote to memory of 628 2216 Dncdqcbl.exe 31 PID 2216 wrote to memory of 628 2216 Dncdqcbl.exe 31 PID 2216 wrote to memory of 628 2216 Dncdqcbl.exe 31 PID 2216 wrote to memory of 628 2216 Dncdqcbl.exe 31 PID 628 wrote to memory of 2784 628 Dcpmijqc.exe 32 PID 628 wrote to memory of 2784 628 Dcpmijqc.exe 32 PID 628 wrote to memory of 2784 628 Dcpmijqc.exe 32 PID 628 wrote to memory of 2784 628 Dcpmijqc.exe 32 PID 2784 wrote to memory of 2640 2784 Dbejjfek.exe 33 PID 2784 wrote to memory of 2640 2784 Dbejjfek.exe 33 PID 2784 wrote to memory of 2640 2784 Dbejjfek.exe 33 PID 2784 wrote to memory of 2640 2784 Dbejjfek.exe 33 PID 2640 wrote to memory of 2908 2640 Ehaolpke.exe 34 PID 2640 wrote to memory of 2908 2640 Ehaolpke.exe 34 PID 2640 wrote to memory of 2908 2640 Ehaolpke.exe 34 PID 2640 wrote to memory of 2908 2640 Ehaolpke.exe 34 PID 2908 wrote to memory of 2536 2908 Efeoedjo.exe 35 PID 2908 wrote to memory of 2536 2908 Efeoedjo.exe 35 PID 2908 wrote to memory of 2536 2908 Efeoedjo.exe 35 PID 2908 wrote to memory of 2536 2908 Efeoedjo.exe 35 PID 2536 wrote to memory of 512 2536 Edjlgq32.exe 36 PID 2536 wrote to memory of 512 2536 Edjlgq32.exe 36 PID 2536 wrote to memory of 512 2536 Edjlgq32.exe 36 PID 2536 wrote to memory of 512 2536 Edjlgq32.exe 36 PID 512 wrote to memory of 1548 512 Ecoihm32.exe 37 PID 512 wrote to memory of 1548 512 Ecoihm32.exe 37 PID 512 wrote to memory of 1548 512 Ecoihm32.exe 37 PID 512 wrote to memory of 1548 512 Ecoihm32.exe 37 PID 1548 wrote to memory of 2396 1548 Edofbpja.exe 38 PID 1548 wrote to memory of 2396 1548 Edofbpja.exe 38 PID 1548 wrote to memory of 2396 1548 Edofbpja.exe 38 PID 1548 wrote to memory of 2396 1548 Edofbpja.exe 38 PID 2396 wrote to memory of 2612 2396 Emjjfb32.exe 39 PID 2396 wrote to memory of 2612 2396 Emjjfb32.exe 39 PID 2396 wrote to memory of 2612 2396 Emjjfb32.exe 39 PID 2396 wrote to memory of 2612 2396 Emjjfb32.exe 39 PID 2612 wrote to memory of 3020 2612 Fbipdi32.exe 40 PID 2612 wrote to memory of 3020 2612 Fbipdi32.exe 40 PID 2612 wrote to memory of 3020 2612 Fbipdi32.exe 40 PID 2612 wrote to memory of 3020 2612 Fbipdi32.exe 40 PID 3020 wrote to memory of 1948 3020 Fcilnl32.exe 41 PID 3020 wrote to memory of 1948 3020 Fcilnl32.exe 41 PID 3020 wrote to memory of 1948 3020 Fcilnl32.exe 41 PID 3020 wrote to memory of 1948 3020 Fcilnl32.exe 41 PID 1948 wrote to memory of 2168 1948 Fbniohpl.exe 42 PID 1948 wrote to memory of 2168 1948 Fbniohpl.exe 42 PID 1948 wrote to memory of 2168 1948 Fbniohpl.exe 42 PID 1948 wrote to memory of 2168 1948 Fbniohpl.exe 42 PID 2168 wrote to memory of 2004 2168 Fbpfeh32.exe 43 PID 2168 wrote to memory of 2004 2168 Fbpfeh32.exe 43 PID 2168 wrote to memory of 2004 2168 Fbpfeh32.exe 43 PID 2168 wrote to memory of 2004 2168 Fbpfeh32.exe 43 PID 2004 wrote to memory of 1148 2004 Gjljij32.exe 44 PID 2004 wrote to memory of 1148 2004 Gjljij32.exe 44 PID 2004 wrote to memory of 1148 2004 Gjljij32.exe 44 PID 2004 wrote to memory of 1148 2004 Gjljij32.exe 44 PID 1148 wrote to memory of 2060 1148 Gahpkd32.exe 45 PID 1148 wrote to memory of 2060 1148 Gahpkd32.exe 45 PID 1148 wrote to memory of 2060 1148 Gahpkd32.exe 45 PID 1148 wrote to memory of 2060 1148 Gahpkd32.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\4de534d238f43ae2fd502374a4496e90N.exe"C:\Users\Admin\AppData\Local\Temp\4de534d238f43ae2fd502374a4496e90N.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:468 -
C:\Windows\SysWOW64\Dncdqcbl.exeC:\Windows\system32\Dncdqcbl.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2216 -
C:\Windows\SysWOW64\Dcpmijqc.exeC:\Windows\system32\Dcpmijqc.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:628 -
C:\Windows\SysWOW64\Dbejjfek.exeC:\Windows\system32\Dbejjfek.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2784 -
C:\Windows\SysWOW64\Ehaolpke.exeC:\Windows\system32\Ehaolpke.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2640 -
C:\Windows\SysWOW64\Efeoedjo.exeC:\Windows\system32\Efeoedjo.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2908 -
C:\Windows\SysWOW64\Edjlgq32.exeC:\Windows\system32\Edjlgq32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2536 -
C:\Windows\SysWOW64\Ecoihm32.exeC:\Windows\system32\Ecoihm32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:512 -
C:\Windows\SysWOW64\Edofbpja.exeC:\Windows\system32\Edofbpja.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1548 -
C:\Windows\SysWOW64\Emjjfb32.exeC:\Windows\system32\Emjjfb32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2396 -
C:\Windows\SysWOW64\Fbipdi32.exeC:\Windows\system32\Fbipdi32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2612 -
C:\Windows\SysWOW64\Fcilnl32.exeC:\Windows\system32\Fcilnl32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3020 -
C:\Windows\SysWOW64\Fbniohpl.exeC:\Windows\system32\Fbniohpl.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1948 -
C:\Windows\SysWOW64\Fbpfeh32.exeC:\Windows\system32\Fbpfeh32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2168 -
C:\Windows\SysWOW64\Gjljij32.exeC:\Windows\system32\Gjljij32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2004 -
C:\Windows\SysWOW64\Gahpkd32.exeC:\Windows\system32\Gahpkd32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1148 -
C:\Windows\SysWOW64\Gnlpeh32.exeC:\Windows\system32\Gnlpeh32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2060 -
C:\Windows\SysWOW64\Gamifcmi.exeC:\Windows\system32\Gamifcmi.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:968 -
C:\Windows\SysWOW64\Gihnkejd.exeC:\Windows\system32\Gihnkejd.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1008 -
C:\Windows\SysWOW64\Hflndjin.exeC:\Windows\system32\Hflndjin.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1348 -
C:\Windows\SysWOW64\Hmefad32.exeC:\Windows\system32\Hmefad32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1396 -
C:\Windows\SysWOW64\Hhogaamj.exeC:\Windows\system32\Hhogaamj.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2052 -
C:\Windows\SysWOW64\Hoipnl32.exeC:\Windows\system32\Hoipnl32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1620 -
C:\Windows\SysWOW64\Hhadgakg.exeC:\Windows\system32\Hhadgakg.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1608 -
C:\Windows\SysWOW64\Hhdqma32.exeC:\Windows\system32\Hhdqma32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2212 -
C:\Windows\SysWOW64\Hdkaabnh.exeC:\Windows\system32\Hdkaabnh.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:836 -
C:\Windows\SysWOW64\Iaobkf32.exeC:\Windows\system32\Iaobkf32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1044 -
C:\Windows\SysWOW64\Igkjcm32.exeC:\Windows\system32\Igkjcm32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2672 -
C:\Windows\SysWOW64\Iilceh32.exeC:\Windows\system32\Iilceh32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2736 -
C:\Windows\SysWOW64\Idbgbahq.exeC:\Windows\system32\Idbgbahq.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2732 -
C:\Windows\SysWOW64\Iphhgb32.exeC:\Windows\system32\Iphhgb32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2192 -
C:\Windows\SysWOW64\Ieeqpi32.exeC:\Windows\system32\Ieeqpi32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2636 -
C:\Windows\SysWOW64\Ihdmld32.exeC:\Windows\system32\Ihdmld32.exe33⤵
- Executes dropped EXE
PID:2748 -
C:\Windows\SysWOW64\Jopbnn32.exeC:\Windows\system32\Jopbnn32.exe34⤵
- Executes dropped EXE
PID:3044 -
C:\Windows\SysWOW64\Jneoojeb.exeC:\Windows\system32\Jneoojeb.exe35⤵
- Executes dropped EXE
PID:264 -
C:\Windows\SysWOW64\Joekimld.exeC:\Windows\system32\Joekimld.exe36⤵
- Executes dropped EXE
PID:2488 -
C:\Windows\SysWOW64\Jhmpbc32.exeC:\Windows\system32\Jhmpbc32.exe37⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3008 -
C:\Windows\SysWOW64\Jgbmco32.exeC:\Windows\system32\Jgbmco32.exe38⤵
- Executes dropped EXE
PID:3012 -
C:\Windows\SysWOW64\Kqkalenn.exeC:\Windows\system32\Kqkalenn.exe39⤵
- Executes dropped EXE
PID:2092 -
C:\Windows\SysWOW64\Kckjmpko.exeC:\Windows\system32\Kckjmpko.exe40⤵
- Executes dropped EXE
PID:1192 -
C:\Windows\SysWOW64\Kobkbaac.exeC:\Windows\system32\Kobkbaac.exe41⤵
- Executes dropped EXE
PID:2188 -
C:\Windows\SysWOW64\Kfopdk32.exeC:\Windows\system32\Kfopdk32.exe42⤵
- Executes dropped EXE
PID:2024 -
C:\Windows\SysWOW64\Lefikg32.exeC:\Windows\system32\Lefikg32.exe43⤵
- Executes dropped EXE
PID:1116 -
C:\Windows\SysWOW64\Lnqkjl32.exeC:\Windows\system32\Lnqkjl32.exe44⤵
- Executes dropped EXE
PID:1752 -
C:\Windows\SysWOW64\Lcncbc32.exeC:\Windows\system32\Lcncbc32.exe45⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:608 -
C:\Windows\SysWOW64\Lmfgkh32.exeC:\Windows\system32\Lmfgkh32.exe46⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1472 -
C:\Windows\SysWOW64\Ljjhdm32.exeC:\Windows\system32\Ljjhdm32.exe47⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:828 -
C:\Windows\SysWOW64\Mmkafhnb.exeC:\Windows\system32\Mmkafhnb.exe48⤵
- Executes dropped EXE
PID:1488 -
C:\Windows\SysWOW64\Mbginomj.exeC:\Windows\system32\Mbginomj.exe49⤵
- Executes dropped EXE
PID:2204 -
C:\Windows\SysWOW64\Mmmnkglp.exeC:\Windows\system32\Mmmnkglp.exe50⤵
- Executes dropped EXE
PID:1412 -
C:\Windows\SysWOW64\Mbjfcnkg.exeC:\Windows\system32\Mbjfcnkg.exe51⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2280 -
C:\Windows\SysWOW64\Mhfoleio.exeC:\Windows\system32\Mhfoleio.exe52⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2928 -
C:\Windows\SysWOW64\Maocekoo.exeC:\Windows\system32\Maocekoo.exe53⤵
- Executes dropped EXE
PID:1564 -
C:\Windows\SysWOW64\Mifkfhpa.exeC:\Windows\system32\Mifkfhpa.exe54⤵
- Executes dropped EXE
PID:1556 -
C:\Windows\SysWOW64\Maapjjml.exeC:\Windows\system32\Maapjjml.exe55⤵
- Executes dropped EXE
PID:2364 -
C:\Windows\SysWOW64\Nacmpj32.exeC:\Windows\system32\Nacmpj32.exe56⤵
- Executes dropped EXE
PID:2596 -
C:\Windows\SysWOW64\Nhnemdbf.exeC:\Windows\system32\Nhnemdbf.exe57⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2868 -
C:\Windows\SysWOW64\Nmjmekan.exeC:\Windows\system32\Nmjmekan.exe58⤵
- Executes dropped EXE
PID:2344 -
C:\Windows\SysWOW64\Nhpabdqd.exeC:\Windows\system32\Nhpabdqd.exe59⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2824 -
C:\Windows\SysWOW64\Nknnnoph.exeC:\Windows\system32\Nknnnoph.exe60⤵
- Executes dropped EXE
PID:2700 -
C:\Windows\SysWOW64\Nahfkigd.exeC:\Windows\system32\Nahfkigd.exe61⤵
- Executes dropped EXE
PID:1960 -
C:\Windows\SysWOW64\Ngencpel.exeC:\Windows\system32\Ngencpel.exe62⤵
- Executes dropped EXE
PID:1964 -
C:\Windows\SysWOW64\Nlbgkgcc.exeC:\Windows\system32\Nlbgkgcc.exe63⤵
- Executes dropped EXE
PID:1284 -
C:\Windows\SysWOW64\Nifgekbm.exeC:\Windows\system32\Nifgekbm.exe64⤵
- Executes dropped EXE
PID:1364 -
C:\Windows\SysWOW64\Oemhjlha.exeC:\Windows\system32\Oemhjlha.exe65⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:2376 -
C:\Windows\SysWOW64\Oeoeplfn.exeC:\Windows\system32\Oeoeplfn.exe66⤵PID:768
-
C:\Windows\SysWOW64\Oogiha32.exeC:\Windows\system32\Oogiha32.exe67⤵PID:1012
-
C:\Windows\SysWOW64\Oeaael32.exeC:\Windows\system32\Oeaael32.exe68⤵PID:1816
-
C:\Windows\SysWOW64\Oojfnakl.exeC:\Windows\system32\Oojfnakl.exe69⤵
- Drops file in System32 directory
PID:868 -
C:\Windows\SysWOW64\Odfofhic.exeC:\Windows\system32\Odfofhic.exe70⤵
- Drops file in System32 directory
PID:1612 -
C:\Windows\SysWOW64\Oolbcaij.exeC:\Windows\system32\Oolbcaij.exe71⤵PID:928
-
C:\Windows\SysWOW64\Odiklh32.exeC:\Windows\system32\Odiklh32.exe72⤵
- Modifies registry class
PID:1392 -
C:\Windows\SysWOW64\Okcchbnn.exeC:\Windows\system32\Okcchbnn.exe73⤵
- Modifies registry class
PID:2720 -
C:\Windows\SysWOW64\Pamlel32.exeC:\Windows\system32\Pamlel32.exe74⤵PID:2756
-
C:\Windows\SysWOW64\Pcnhmdli.exeC:\Windows\system32\Pcnhmdli.exe75⤵
- Drops file in System32 directory
PID:2576 -
C:\Windows\SysWOW64\Pncljmko.exeC:\Windows\system32\Pncljmko.exe76⤵PID:316
-
C:\Windows\SysWOW64\Pfoanp32.exeC:\Windows\system32\Pfoanp32.exe77⤵PID:2620
-
C:\Windows\SysWOW64\Pnfipm32.exeC:\Windows\system32\Pnfipm32.exe78⤵PID:1824
-
C:\Windows\SysWOW64\Pfando32.exeC:\Windows\system32\Pfando32.exe79⤵
- Drops file in System32 directory
PID:2924 -
C:\Windows\SysWOW64\Pipjpj32.exeC:\Windows\system32\Pipjpj32.exe80⤵PID:3016
-
C:\Windows\SysWOW64\Pcenmcea.exeC:\Windows\system32\Pcenmcea.exe81⤵PID:2964
-
C:\Windows\SysWOW64\Pjofjm32.exeC:\Windows\system32\Pjofjm32.exe82⤵PID:972
-
C:\Windows\SysWOW64\Pffgonbb.exeC:\Windows\system32\Pffgonbb.exe83⤵PID:1384
-
C:\Windows\SysWOW64\Qonlhd32.exeC:\Windows\system32\Qonlhd32.exe84⤵PID:1308
-
C:\Windows\SysWOW64\Qifpqi32.exeC:\Windows\system32\Qifpqi32.exe85⤵
- Drops file in System32 directory
PID:2944 -
C:\Windows\SysWOW64\Qnciiq32.exeC:\Windows\system32\Qnciiq32.exe86⤵
- Drops file in System32 directory
PID:2284 -
C:\Windows\SysWOW64\Akgibd32.exeC:\Windows\system32\Akgibd32.exe87⤵PID:2096
-
C:\Windows\SysWOW64\Aepnkjcd.exeC:\Windows\system32\Aepnkjcd.exe88⤵PID:2068
-
C:\Windows\SysWOW64\Akjfhdka.exeC:\Windows\system32\Akjfhdka.exe89⤵PID:2684
-
C:\Windows\SysWOW64\Afcghbgp.exeC:\Windows\system32\Afcghbgp.exe90⤵PID:2740
-
C:\Windows\SysWOW64\Aaikfkgf.exeC:\Windows\system32\Aaikfkgf.exe91⤵PID:2176
-
C:\Windows\SysWOW64\Agccbenc.exeC:\Windows\system32\Agccbenc.exe92⤵PID:1296
-
C:\Windows\SysWOW64\Amplklmj.exeC:\Windows\system32\Amplklmj.exe93⤵
- Drops file in System32 directory
PID:2888 -
C:\Windows\SysWOW64\Afhpca32.exeC:\Windows\system32\Afhpca32.exe94⤵PID:1760
-
C:\Windows\SysWOW64\Bclqme32.exeC:\Windows\system32\Bclqme32.exe95⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2968 -
C:\Windows\SysWOW64\Biiiempl.exeC:\Windows\system32\Biiiempl.exe96⤵PID:1252
-
C:\Windows\SysWOW64\Bbannb32.exeC:\Windows\system32\Bbannb32.exe97⤵PID:1236
-
C:\Windows\SysWOW64\Bikfklni.exeC:\Windows\system32\Bikfklni.exe98⤵PID:748
-
C:\Windows\SysWOW64\Blibghmm.exeC:\Windows\system32\Blibghmm.exe99⤵PID:1736
-
C:\Windows\SysWOW64\Bimbql32.exeC:\Windows\system32\Bimbql32.exe100⤵PID:832
-
C:\Windows\SysWOW64\Bojkib32.exeC:\Windows\system32\Bojkib32.exe101⤵PID:2296
-
C:\Windows\SysWOW64\Bjalndpb.exeC:\Windows\system32\Bjalndpb.exe102⤵PID:2080
-
C:\Windows\SysWOW64\Cfhlbe32.exeC:\Windows\system32\Cfhlbe32.exe103⤵
- Drops file in System32 directory
PID:2580 -
C:\Windows\SysWOW64\Cdlmlidp.exeC:\Windows\system32\Cdlmlidp.exe104⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1656 -
C:\Windows\SysWOW64\Cmdaeo32.exeC:\Windows\system32\Cmdaeo32.exe105⤵PID:2072
-
C:\Windows\SysWOW64\Cpbnaj32.exeC:\Windows\system32\Cpbnaj32.exe106⤵PID:2852
-
C:\Windows\SysWOW64\Cikbjpqd.exeC:\Windows\system32\Cikbjpqd.exe107⤵
- System Location Discovery: System Language Discovery
PID:568 -
C:\Windows\SysWOW64\Cpejfjha.exeC:\Windows\system32\Cpejfjha.exe108⤵
- Modifies registry class
PID:1956 -
C:\Windows\SysWOW64\Cpgglifo.exeC:\Windows\system32\Cpgglifo.exe109⤵PID:1080
-
C:\Windows\SysWOW64\Cojghf32.exeC:\Windows\system32\Cojghf32.exe110⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:896 -
C:\Windows\SysWOW64\Cipleo32.exeC:\Windows\system32\Cipleo32.exe111⤵PID:2372
-
C:\Windows\SysWOW64\Cpidai32.exeC:\Windows\system32\Cpidai32.exe112⤵PID:2036
-
C:\Windows\SysWOW64\Dakpiajj.exeC:\Windows\system32\Dakpiajj.exe113⤵PID:1320
-
C:\Windows\SysWOW64\Dabfjp32.exeC:\Windows\system32\Dabfjp32.exe114⤵PID:1744
-
C:\Windows\SysWOW64\Dadcppbp.exeC:\Windows\system32\Dadcppbp.exe115⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2652 -
C:\Windows\SysWOW64\Edelakoq.exeC:\Windows\system32\Edelakoq.exe116⤵PID:2556
-
C:\Windows\SysWOW64\Enmqjq32.exeC:\Windows\system32\Enmqjq32.exe117⤵PID:924
-
C:\Windows\SysWOW64\Eplmflde.exeC:\Windows\system32\Eplmflde.exe118⤵PID:2512
-
C:\Windows\SysWOW64\Egeecf32.exeC:\Windows\system32\Egeecf32.exe119⤵PID:1272
-
C:\Windows\SysWOW64\Eoajgh32.exeC:\Windows\system32\Eoajgh32.exe120⤵PID:2436
-
C:\Windows\SysWOW64\Ejfnda32.exeC:\Windows\system32\Ejfnda32.exe121⤵
- Drops file in System32 directory
PID:1100
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-