Analysis
max time kernel: 64s
max time network: 19s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 12/09/2024, 02:46
Static task: static1
Behavioral task: behavioral1
Sample: 4d578edc4165a378f7018a3d9396b510N.exe
Resource: win7-20240903-en
Behavioral task: behavioral2
Sample: 4d578edc4165a378f7018a3d9396b510N.exe
Resource: win10v2004-20240802-en
General
Target: 4d578edc4165a378f7018a3d9396b510N.exe
Size: 90KB
MD5: 4d578edc4165a378f7018a3d9396b510
SHA1: 6a3e3a1021f26e987df0b1cb9e2285f0cc6ed803
SHA256: dc1ebdcf0a84da2842f57b1bda2ca486914b8acbdea13b2d6914e813984c8540
SHA512: 68fd743408c0d72ee00c3890124907ae6c2edf85ab086958ea372a79e3864e8b0338c8daad9596a285c840cb1ecd0111b21b3880c716a48d3976dc60872aa0cf
SSDEEP: 1536:f4GVeu/ebQ6wG2trofG+mg0OqRhgyX5XqMbUfG5u/Ub0VkVNK:fXVzm12t+lmp/nbUfG5u/Ub0+NK
Malware Config
Signatures
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
Executes dropped EXE 64 IoCs
Loads dropped DLL 64 IoCs
Drops file in System32 directory 64 IoCs
Program crash 1 IoCs
pid: 4404, pid_target: 4332, Process: WerFault.exe, procid_target: 391
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ijbjpg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dfnalqca.dll" Jbbenlof.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jbdadl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Dimfmeef.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fpkdca32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lglpbp32.dll" Ofehiocd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jbgbjh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mdfcaegj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Eecgafkj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jifkmh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jjbgok32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kapbmo32.exe Set value (str) 
\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dcihdo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hbepplkh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ebkndibq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fdbibjok.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Neemgp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Qggoeilh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Obamebfc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Didlinpd.dll" Akjjifji.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Qifnjm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdqfaiab.dll" Bnafjo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Cdbqflae.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hondclnf.dll" Dqiakm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dbqajk32.exe 
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Inonmdda.dll" Hoegoqng.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dmocok32.dll" Enjand32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Gdjblboj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbldcifi.dll" Hgbanlfc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Knbjgq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fdlhbc32.dll" Jdbhcfjd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ceahlg32.dll" Lkepdbkb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mlfebcnd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mpmdff32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fkneka32.dll" Gmloigln.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Liakqjpo.dll" Lnmfpnqn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Emnelbdi.exe Key created 
\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Hibebeqb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nkhbkg32.dll" | Bjdqfajl.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Bjjcdp32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Kphbmp32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Mjeholco.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Oiqegb32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Afqeaemk.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Akhndf32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Kphbmp32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Pligbekc.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Flbgak32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkfcgkfo.dll" | Mqjehngm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Opfdim32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mqlpph32.dll" | Peooek32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fbjpjphf.dll" | Goekpm32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ikcoomeg.dll" | Ebkndibq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Cklpml32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ajkain32.dll" | Mcpmonea.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Ibjikk32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Pebbeq32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Cklpml32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Onkhggej.dll" | Bpbokj32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Hpmdjf32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Ojakdd32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Imfgahao.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Kihcakpa.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Lllihf32.exe
-
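The "Adds autorun key to be loaded by Explorer.exe on startup" and "Modifies registry class" signatures in this report describe the two halves of one persistence mechanism: a value under ShellServiceObjectDelayLoad (SSODL) names a CLSID, and that CLSID's InProcServer32 default value names the DLL the shell loads in-process at logon. Because the dropper is 32-bit, both keys are written to the Wow6432Node view, and each stage rewrites the default value to a differently named DLL in SysWow64. The PowerShell below is an added example, not part of the report or of the sample: it enumerates both SSODL views, resolves every CLSID to its DLL and checks the DLL's Authenticode signature, treating the CLSID seen in this report as a known-bad indicator. The function names, the known-bad list and the "non-Microsoft signer" heuristic are this example's own assumptions.

```powershell
# Added example, not from the sandbox report: hunt SSODL persistence on a live host.
# Read-only; run from an elevated 64-bit PowerShell so both registry views are visible.

# CLSID taken from this report's IoCs (assumption: any match is a confirmed hit).
$KnownBadClsids = @('{79FAA099-1BAE-816E-D711-115290CEE717}')

function Resolve-InprocServer {
    param([string]$Clsid)
    # A CLSID registered by a 32-bit process lives under Classes\Wow6432Node; check every view.
    $candidates = @(
        "HKLM:\SOFTWARE\Classes\CLSID\$Clsid\InProcServer32",
        "HKLM:\SOFTWARE\Classes\Wow6432Node\CLSID\$Clsid\InProcServer32",
        "HKCU:\SOFTWARE\Classes\CLSID\$Clsid\InProcServer32"
    )
    foreach ($c in $candidates) {
        if (Test-Path $c) {
            $default = (Get-ItemProperty -Path $c).'(default)'
            if ($default) { return [Environment]::ExpandEnvironmentVariables($default) }
        }
    }
    return $null
}

function Get-SsodlEntries {
    # Native and WOW64 views of the SSODL key; the sample in this report wrote the WOW64 view.
    $ssodlKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad',
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad'
    )
    foreach ($key in $ssodlKeys) {
        if (-not (Test-Path $key)) { continue }
        foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }      # skip the PSPath/PSParentPath metadata
            $clsid = [string]$p.Value
            [pscustomobject]@{
                SsodlKey  = $key
                ValueName = $p.Name                    # "Web Event Logger" in this report
                Clsid     = $clsid
                Dll       = Resolve-InprocServer -Clsid $clsid
            }
        }
    }
}

function Test-SsodlEntry {
    param([pscustomobject]$Entry)
    $reasons = @()
    if ($KnownBadClsids -contains $Entry.Clsid) { $reasons += 'CLSID matches report IoC' }
    if (-not $Entry.Dll) {
        $reasons += 'CLSID has no InProcServer32 (dangling entry)'
    } elseif (-not (Test-Path $Entry.Dll)) {
        $reasons += "DLL missing on disk: $($Entry.Dll)"
    } else {
        $sig = Get-AuthenticodeSignature -FilePath $Entry.Dll
        if ($sig.Status -ne 'Valid') {
            $reasons += "DLL signature status $($sig.Status)"
        } elseif ($sig.SignerCertificate.Subject -notmatch 'O=Microsoft Corporation') {
            # Heuristic: inbox shell service objects are Microsoft-signed.
            $reasons += "signed by non-Microsoft publisher: $($sig.SignerCertificate.Subject)"
        }
    }
    [pscustomobject]@{
        SsodlKey   = $Entry.SsodlKey
        ValueName  = $Entry.ValueName
        Clsid      = $Entry.Clsid
        Dll        = $Entry.Dll
        Suspicious = ($reasons.Count -gt 0)
        Reasons    = ($reasons -join '; ')
    }
}

Get-SsodlEntries | ForEach-Object { Test-SsodlEntry -Entry $_ } | Format-Table -AutoSize -Wrap
```

One caveat when running this on Windows 7, the platform of this report: most inbox DLLs there are catalog-signed rather than embedded-signed, and Get-AuthenticodeSignature reports them as NotSigned, so an inbox SSODL entry can show up as suspicious. Treat the CLSID match, a DLL outside the normal system locations, or a DLL with a recent creation time as the strong signals, and confirm signature status for catalog-signed files with a tool that checks catalogs (for example Sysinternals sigcheck).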
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target | entries
PID 2248 wrote to memory of 2728 | 2248 | 4d578edc4165a378f7018a3d9396b510N.exe | 29 | 4
PID 2728 wrote to memory of 2892 | 2728 | Cnacbj32.exe | 30 | 4
PID 2892 wrote to memory of 2164 | 2892 | Cpemob32.exe | 31 | 4
PID 2164 wrote to memory of 2900 | 2164 | Cpgieb32.exe | 32 | 4
PID 2900 wrote to memory of 2640 | 2900 | Dpjfjalp.exe | 33 | 4
PID 2640 wrote to memory of 2220 | 2640 | Degobhjg.exe | 34 | 4
PID 2220 wrote to memory of 1080 | 2220 | Dekhnh32.exe | 35 | 4
PID 1080 wrote to memory of 1984 | 1080 | Ddqeodjj.exe | 36 | 4
PID 1984 wrote to memory of 2004 | 1984 | Eagbnh32.exe | 37 | 4
PID 2004 wrote to memory of 2120 | 2004 | Empphi32.exe | 38 | 4
PID 2120 wrote to memory of 2464 | 2120 | Epqhjdhc.exe | 39 | 4
PID 2464 wrote to memory of 2008 | 2464 | Ekjikadb.exe | 40 | 4
PID 2008 wrote to memory of 2256 | 2008 | Fljfdd32.exe | 41 | 4
PID 2256 wrote to memory of 2440 | 2256 | Fhqfie32.exe | 42 | 4
PID 2440 wrote to memory of 2432 | 2440 | Fqnhcgma.exe | 43 | 4
PID 2432 wrote to memory of 1620 | 2432 | Fjfllm32.exe | 44 | 4
Processes
-
depth (each row is a child of the row above) | PID | image | command line | signatures
1 | 2248 | C:\Users\Admin\AppData\Local\Temp\4d578edc4165a378f7018a3d9396b510N.exe | "C:\Users\Admin\AppData\Local\Temp\4d578edc4165a378f7018a3d9396b510N.exe" | Loads dropped DLL; Suspicious use of WriteProcessMemory
2 | 2728 | C:\Windows\SysWOW64\Cnacbj32.exe | C:\Windows\system32\Cnacbj32.exe | Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
3 | 2892 | C:\Windows\SysWOW64\Cpemob32.exe | C:\Windows\system32\Cpemob32.exe | Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
4 | 2164 | C:\Windows\SysWOW64\Cpgieb32.exe | C:\Windows\system32\Cpgieb32.exe | Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
5 | 2900 | C:\Windows\SysWOW64\Dpjfjalp.exe | C:\Windows\system32\Dpjfjalp.exe | Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
6 | 2640 | C:\Windows\SysWOW64\Degobhjg.exe | C:\Windows\system32\Degobhjg.exe | Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
7 | 2220 | C:\Windows\SysWOW64\Dekhnh32.exe | C:\Windows\system32\Dekhnh32.exe | Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
8 | 1080 | C:\Windows\SysWOW64\Ddqeodjj.exe | C:\Windows\system32\Ddqeodjj.exe | Executes dropped EXE; Loads dropped DLL; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
9 | 1984 | C:\Windows\SysWOW64\Eagbnh32.exe | C:\Windows\system32\Eagbnh32.exe | Executes dropped EXE; Loads dropped DLL; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
10 | 2004 | C:\Windows\SysWOW64\Empphi32.exe | C:\Windows\system32\Empphi32.exe | Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
11 | 2120 | C:\Windows\SysWOW64\Epqhjdhc.exe | C:\Windows\system32\Epqhjdhc.exe | Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
12 | 2464 | C:\Windows\SysWOW64\Ekjikadb.exe | C:\Windows\system32\Ekjikadb.exe | Executes dropped EXE; Loads dropped DLL; Drops file in System32 directory; Suspicious use of WriteProcessMemory
13 | 2008 | C:\Windows\SysWOW64\Fljfdd32.exe | C:\Windows\system32\Fljfdd32.exe | Executes dropped EXE; Loads dropped DLL; Drops file in System32 directory; Suspicious use of WriteProcessMemory
14 | 2256 | C:\Windows\SysWOW64\Fhqfie32.exe | C:\Windows\system32\Fhqfie32.exe | Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
15 | 2440 | C:\Windows\SysWOW64\Fqnhcgma.exe | C:\Windows\system32\Fqnhcgma.exe | Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
16 | 2432 | C:\Windows\SysWOW64\Fjfllm32.exe | C:\Windows\system32\Fjfllm32.exe | Executes dropped EXE; Loads dropped DLL; Drops file in System32 directory; Suspicious use of WriteProcessMemory
17 | 1620 | C:\Windows\SysWOW64\Gjkfglom.exe | C:\Windows\system32\Gjkfglom.exe | Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Loads dropped DLL
18 | 1172 | C:\Windows\SysWOW64\Gccjpb32.exe | C:\Windows\system32\Gccjpb32.exe | Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Loads dropped DLL
19 | 1020 | C:\Windows\SysWOW64\Gmloigln.exe | C:\Windows\system32\Gmloigln.exe | Executes dropped EXE; Loads dropped DLL; Modifies registry class
20 | 1804 | C:\Windows\SysWOW64\Gmnlog32.exe | C:\Windows\system32\Gmnlog32.exe | Executes dropped EXE; Loads dropped DLL
21 | 1568 | C:\Windows\SysWOW64\Gnbelong.exe | C:\Windows\system32\Gnbelong.exe | Executes dropped EXE; Loads dropped DLL; System Location Discovery: System Language Discovery
22 | 940 | C:\Windows\SysWOW64\Hqbnnj32.exe | C:\Windows\system32\Hqbnnj32.exe | Executes dropped EXE; Loads dropped DLL; System Location Discovery: System Language Discovery
23 | 2484 | C:\Windows\SysWOW64\Hfbckagm.exe | C:\Windows\system32\Hfbckagm.exe | Executes dropped EXE; Loads dropped DLL
24 | 2380 | C:\Windows\SysWOW64\Hgaoec32.exe | C:\Windows\system32\Hgaoec32.exe | Executes dropped EXE; Loads dropped DLL
25 | 2460 | C:\Windows\SysWOW64\Hpmdjf32.exe | C:\Windows\system32\Hpmdjf32.exe | Executes dropped EXE; Loads dropped DLL; System Location Discovery: System Language Discovery; Modifies registry class
26 | 1728 | C:\Windows\SysWOW64\Ilceog32.exe | C:\Windows\system32\Ilceog32.exe | Executes dropped EXE; Loads dropped DLL; Drops file in System32 directory
27 | 2208 | C:\Windows\SysWOW64\Ienfml32.exe | C:\Windows\system32\Ienfml32.exe | Executes dropped EXE; Loads dropped DLL
28 | 2888 | C:\Windows\SysWOW64\Infjfblm.exe | C:\Windows\system32\Infjfblm.exe | Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Loads dropped DLL
29 | 2788 | C:\Windows\SysWOW64\Idepdhia.exe | C:\Windows\system32\Idepdhia.exe | Executes dropped EXE; Loads dropped DLL; System Location Discovery: System Language Discovery
30 | 2884 | C:\Windows\SysWOW64\Iaipmm32.exe | C:\Windows\system32\Iaipmm32.exe | Executes dropped EXE; Loads dropped DLL
31 | 856 | C:\Windows\SysWOW64\Jffhec32.exe | C:\Windows\system32\Jffhec32.exe | Executes dropped EXE; Loads dropped DLL
32 | 2808 | C:\Windows\SysWOW64\Jpajdi32.exe | C:\Windows\system32\Jpajdi32.exe | Executes dropped EXE; Loads dropped DLL; System Location Discovery: System Language Discovery
33 | 2832 | C:\Windows\SysWOW64\Jljgni32.exe | C:\Windows\system32\Jljgni32.exe | Executes dropped EXE; System Location Discovery: System Language Discovery
34 | 2268 | C:\Windows\SysWOW64\Kaliaphd.exe | C:\Windows\system32\Kaliaphd.exe | Executes dropped EXE
35 | 2940 | C:\Windows\SysWOW64\Knbjgq32.exe | C:\Windows\system32\Knbjgq32.exe | Executes dropped EXE; Modifies registry class
36 | 2128 | C:\Windows\SysWOW64\Kapbmo32.exe | C:\Windows\system32\Kapbmo32.exe | Executes dropped EXE; Drops file in System32 directory; System Location Discovery: System Language Discovery; Modifies registry class
37 | 832 | C:\Windows\SysWOW64\Kabobo32.exe | C:\Windows\system32\Kabobo32.exe | Executes dropped EXE; System Location Discovery: System Language Discovery
38 | 1740 | C:\Windows\SysWOW64\Ljpqlqmd.exe | C:\Windows\system32\Ljpqlqmd.exe | Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE
39 | 1632 | C:\Windows\SysWOW64\Lckbkfbb.exe | C:\Windows\system32\Lckbkfbb.exe | Executes dropped EXE; Drops file in System32 directory
40 | 2436 | C:\Windows\SysWOW64\Llcfck32.exe | C:\Windows\system32\Llcfck32.exe | Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Drops file in System32 directory
41 | 2428 | C:\Windows\SysWOW64\Mbbkabdh.exe | C:\Windows\system32\Mbbkabdh.exe | Executes dropped EXE
42 | 236 | C:\Windows\SysWOW64\Mkkpjg32.exe | C:\Windows\system32\Mkkpjg32.exe | Executes dropped EXE
43 | 1452 | C:\Windows\SysWOW64\Mbehgabe.exe | C:\Windows\system32\Mbehgabe.exe | Executes dropped EXE
44 | 772 | C:\Windows\SysWOW64\Mkmmpg32.exe | C:\Windows\system32\Mkmmpg32.exe | Executes dropped EXE
45 | 2296 | C:\Windows\SysWOW64\Mqjehngm.exe | C:\Windows\system32\Mqjehngm.exe | Executes dropped EXE; Modifies registry class
46 | 1868 | C:\Windows\SysWOW64\Mgdmeh32.exe | C:\Windows\system32\Mgdmeh32.exe | Executes dropped EXE
47 | 628 | C:\Windows\SysWOW64\Mdhnnl32.exe | C:\Windows\system32\Mdhnnl32.exe | Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Drops file in System32 directory
48 | 2600 | C:\Windows\SysWOW64\Mfijfdca.exe | C:\Windows\system32\Mfijfdca.exe | Executes dropped EXE; System Location Discovery: System Language Discovery
49 | 1692 | C:\Windows\SysWOW64\Mmcbbo32.exe | C:\Windows\system32\Mmcbbo32.exe | Executes dropped EXE
50 | 1204 | C:\Windows\SysWOW64\Mgigpgkd.exe | C:\Windows\system32\Mgigpgkd.exe | Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE
51 | 1724 | C:\Windows\SysWOW64\Nmeohnil.exe | C:\Windows\system32\Nmeohnil.exe | Executes dropped EXE
52 | 1684 | C:\Windows\SysWOW64\Nfncad32.exe | C:\Windows\system32\Nfncad32.exe | Executes dropped EXE
53 | 2776 | C:\Windows\SysWOW64\Nlklik32.exe | C:\Windows\system32\Nlklik32.exe | Executes dropped EXE
54 | 2880 | C:\Windows\SysWOW64\Niombolm.exe | C:\Windows\system32\Niombolm.exe | Executes dropped EXE
55 | 2672 | C:\Windows\SysWOW64\Nnkekfkd.exe | C:\Windows\system32\Nnkekfkd.exe | Executes dropped EXE
56 | 1656 | C:\Windows\SysWOW64\Neemgp32.exe | C:\Windows\system32\Neemgp32.exe | Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; System Location Discovery: System Language Discovery; Modifies registry class
57 | 1120 | C:\Windows\SysWOW64\Npkaei32.exe | C:\Windows\system32\Npkaei32.exe | Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE
58 | 2944 | C:\Windows\SysWOW64\Nehjmppo.exe | C:\Windows\system32\Nehjmppo.exe | Executes dropped EXE
59 | 2000 | C:\Windows\SysWOW64\Njdbefnf.exe | C:\Windows\system32\Njdbefnf.exe | Executes dropped EXE; System Location Discovery: System Language Discovery
60 | 968 | C:\Windows\SysWOW64\Oldooi32.exe | C:\Windows\system32\Oldooi32.exe | Executes dropped EXE
61 | 1084 | C:\Windows\SysWOW64\Ododdlcd.exe | C:\Windows\system32\Ododdlcd.exe | Executes dropped EXE; System Location Discovery: System Language Discovery
62 | 2200 | C:\Windows\SysWOW64\Opfdim32.exe | C:\Windows\system32\Opfdim32.exe | Executes dropped EXE; Modifies registry class
63 | 1936 | C:\Windows\SysWOW64\Ojlife32.exe | C:\Windows\system32\Ojlife32.exe | Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Drops file in System32 directory
64 | 2508 | C:\Windows\SysWOW64\Ofbikf32.exe | C:\Windows\system32\Ofbikf32.exe | Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE
65 | 2080 | C:\Windows\SysWOW64\Oiqegb32.exe | C:\Windows\system32\Oiqegb32.exe | Executes dropped EXE; Modifies registry class
66 | 2372 | C:\Windows\SysWOW64\Opkndldc.exe | C:\Windows\system32\Opkndldc.exe | (none)
67 | 944 | C:\Windows\SysWOW64\Ofefqf32.exe | C:\Windows\system32\Ofefqf32.exe | System Location Discovery: System Language Discovery
68 | 1736 | C:\Windows\SysWOW64\Plaoim32.exe | C:\Windows\system32\Plaoim32.exe | Drops file in System32 directory
69 | 2568 | C:\Windows\SysWOW64\Phhonn32.exe | C:\Windows\system32\Phhonn32.exe | (none)
70 | 3040 | C:\Windows\SysWOW64\Pobgjhgh.exe | C:\Windows\system32\Pobgjhgh.exe | (none)
71 | 1596 | C:\Windows\SysWOW64\Plfhdlfb.exe | C:\Windows\system32\Plfhdlfb.exe | (none)
72 | 2820 | C:\Windows\SysWOW64\Plheil32.exe | C:\Windows\system32\Plheil32.exe | (none)
73 | 2828 | C:\Windows\SysWOW64\Paemac32.exe | C:\Windows\system32\Paemac32.exe | (none)
74 | 2656 | C:\Windows\SysWOW64\Poinkg32.exe | C:\Windows\system32\Poinkg32.exe | (none)
75 | 2236 | C:\Windows\SysWOW64\Phabdmgq.exe | C:\Windows\system32\Phabdmgq.exe | (none)
76 | 1680 | C:\Windows\SysWOW64\Qggoeilh.exe | C:\Windows\system32\Qggoeilh.exe | Adds autorun key to be loaded by Explorer.exe on startup; Modifies registry class
77 | 1052 | C:\Windows\SysWOW64\Qpocno32.exe | C:\Windows\system32\Qpocno32.exe | Drops file in System32 directory
78 | 2448 | C:\Windows\SysWOW64\Ancdgcab.exe | C:\Windows\system32\Ancdgcab.exe | System Location Discovery: System Language Discovery
79 | 1636 | C:\Windows\SysWOW64\Aodqok32.exe | C:\Windows\system32\Aodqok32.exe | System Location Discovery: System Language Discovery
80 | 1364 | C:\Windows\SysWOW64\Aogmdk32.exe | C:\Windows\system32\Aogmdk32.exe | Adds autorun key to be loaded by Explorer.exe on startup
81 | 2300 | C:\Windows\SysWOW64\Afqeaemk.exe | C:\Windows\system32\Afqeaemk.exe | Adds autorun key to be loaded by Explorer.exe on startup; Modifies registry class
82 | 2308 | C:\Windows\SysWOW64\Adfbbabc.exe | C:\Windows\system32\Adfbbabc.exe | (none)
83 | 524 | C:\Windows\SysWOW64\Anngkg32.exe | C:\Windows\system32\Anngkg32.exe | Adds autorun key to be loaded by Explorer.exe on startup
84 | 1332 | C:\Windows\SysWOW64\Aggkdlod.exe | C:\Windows\system32\Aggkdlod.exe | (none)
85 | 1472 | C:\Windows\SysWOW64\Bdklnq32.exe | C:\Windows\system32\Bdklnq32.exe | (none)
86 | 2732 | C:\Windows\SysWOW64\Bbolge32.exe | C:\Windows\system32\Bbolge32.exe | (none)
87 | 2340 | C:\Windows\SysWOW64\Bjjakg32.exe | C:\Windows\system32\Bjjakg32.exe | System Location Discovery: System Language Discovery
88 | 2928 | C:\Windows\SysWOW64\Bgnaekil.exe | C:\Windows\system32\Bgnaekil.exe | Drops file in System32 directory; System Location Discovery: System Language Discovery
89 | 2876 | C:\Windows\SysWOW64\Bqffna32.exe | C:\Windows\system32\Bqffna32.exe | Adds autorun key to be loaded by Explorer.exe on startup
90 | 2768 | C:\Windows\SysWOW64\Bfcnfh32.exe | C:\Windows\system32\Bfcnfh32.exe | Adds autorun key to be loaded by Explorer.exe on startup
91 | 2756 | C:\Windows\SysWOW64\Bqhbcqmj.exe | C:\Windows\system32\Bqhbcqmj.exe | (none)
92 | 688 | C:\Windows\SysWOW64\Cfekkgla.exe | C:\Windows\system32\Cfekkgla.exe | Drops file in System32 directory
93 | 2932 | C:\Windows\SysWOW64\Conpdm32.exe | C:\Windows\system32\Conpdm32.exe | System Location Discovery: System Language Discovery
94 | 2676 | C:\Windows\SysWOW64\Cejhld32.exe | C:\Windows\system32\Cejhld32.exe | (none)
95 | 896 | C:\Windows\SysWOW64\Dcfknooi.exe | C:\Windows\system32\Dcfknooi.exe | Drops file in System32 directory; System Location Discovery: System Language Discovery
96 | 2072 | C:\Windows\SysWOW64\Dcihdo32.exe | C:\Windows\system32\Dcihdo32.exe | Drops file in System32 directory; Modifies registry class
97 | 976 | C:\Windows\SysWOW64\Dbqajk32.exe | C:\Windows\system32\Dbqajk32.exe | Modifies registry class
98 | 376 | C:\Windows\SysWOW64\Dpdbdo32.exe | C:\Windows\system32\Dpdbdo32.exe | (none)
99 | 1456 | C:\Windows\SysWOW64\Dimfmeef.exe | C:\Windows\system32\Dimfmeef.exe | Modifies registry class
100 | 2204 | C:\Windows\SysWOW64\Eojoelcm.exe | C:\Windows\system32\Eojoelcm.exe | (none)
101 | 2392 | C:\Windows\SysWOW64\Eecgafkj.exe | C:\Windows\system32\Eecgafkj.exe | Modifies registry class
102 | 2792 | C:\Windows\SysWOW64\Ekppjmia.exe | C:\Windows\system32\Ekppjmia.exe | (none)
103 | 2796 | C:\Windows\SysWOW64\Ehdpcahk.exe | C:\Windows\system32\Ehdpcahk.exe | Adds autorun key to be loaded by Explorer.exe on startup; Drops file in System32 directory
104 | 3052 | C:\Windows\SysWOW64\Emailhfb.exe | C:\Windows\system32\Emailhfb.exe | (none)
105 | 928 | C:\Windows\SysWOW64\Edkahbmo.exe | C:\Windows\system32\Edkahbmo.exe | System Location Discovery: System Language Discovery
106 | 2020 | C:\Windows\SysWOW64\Ekeiel32.exe | C:\Windows\system32\Ekeiel32.exe | Drops file in System32 directory
107 | 1712 | C:\Windows\SysWOW64\Epbamc32.exe | C:\Windows\system32\Epbamc32.exe | Adds autorun key to be loaded by Explorer.exe on startup; Drops file in System32 directory
108 | 2984 | C:\Windows\SysWOW64\Epdncb32.exe | C:\Windows\system32\Epdncb32.exe | System Location Discovery: System Language Discovery
109 | 1800 | C:\Windows\SysWOW64\Fgnfpm32.exe | C:\Windows\system32\Fgnfpm32.exe | Adds autorun key to be loaded by Explorer.exe on startup; Drops file in System32 directory
110 | 1180 | C:\Windows\SysWOW64\Fmholgpj.exe | C:\Windows\system32\Fmholgpj.exe | (none)
111 | 656 | C:\Windows\SysWOW64\Fcegdnna.exe | C:\Windows\system32\Fcegdnna.exe | Adds autorun key to be loaded by Explorer.exe on startup
112 | 112 | C:\Windows\SysWOW64\Flmlmc32.exe | C:\Windows\system32\Flmlmc32.exe | (none)
113 | 1168 | C:\Windows\SysWOW64\Fgcpkldh.exe | C:\Windows\system32\Fgcpkldh.exe | (none)
114 | 888 | C:\Windows\SysWOW64\Fhdlbd32.exe | C:\Windows\system32\Fhdlbd32.exe | (none)
115 | 2780 | C:\Windows\SysWOW64\Fpkdca32.exe | C:\Windows\system32\Fpkdca32.exe | Modifies registry class
116 | 2812 | C:\Windows\SysWOW64\Fehmlh32.exe | C:\Windows\system32\Fehmlh32.exe | Adds autorun key to be loaded by Explorer.exe on startup
117 | 3060 | C:\Windows\SysWOW64\Fclmem32.exe | C:\Windows\system32\Fclmem32.exe | (none)
118 | 2156 | C:\Windows\SysWOW64\Fhifmcfa.exe | C:\Windows\system32\Fhifmcfa.exe | (none)
119 | 932 | C:\Windows\SysWOW64\Gkgbioee.exe | C:\Windows\system32\Gkgbioee.exe | Adds autorun key to be loaded by Explorer.exe on startup
120 | 1644 | C:\Windows\SysWOW64\Gdpfbd32.exe | C:\Windows\system32\Gdpfbd32.exe | Drops file in System32 directory
121 | 2284 | C:\Windows\SysWOW64\Goekpm32.exe | C:\Windows\system32\Goekpm32.exe | Modifies registry class
122 | 2040 | C:\Windows\SysWOW64\Gpfggeai.exe | C:\Windows\system32\Gpfggeai.exe | (none)
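The process tree above is a single chain of 122 processes: every stage is a freshly dropped 8-character executable in C:\Windows\SysWOW64 that spawns the next one, each launched with a C:\Windows\system32\ command line that the WOW64 file-system redirector resolves to SysWOW64 because the parent is 32-bit. The PowerShell below is an added example, not part of the report or of the sample: it is the disk-side check for that pattern on a host under investigation, listing executables and DLLs in the WOW64 and native system directories that were created recently or that carry a file name from this report, together with their signature status. The function name, the default 30-day window and the file-name list are this example's assumptions; the names themselves are taken from the process tree above.

```powershell
# Added example, not from the sandbox report: find dropped binaries in the system directories.
# Run from a 64-bit PowerShell so SysWOW64 and System32 are seen without redirection.

# File names from the first stages of this report's process chain (assumption: exact-name match is a hit).
$ReportNames = @('Cnacbj32.exe', 'Cpemob32.exe', 'Cpgieb32.exe', 'Dpjfjalp.exe',
                 'Nkhbkg32.dll', 'Mkfcgkfo.dll', 'Mqlpph32.dll', 'Fbjpjphf.dll')

function Find-SuspectSystemBinaries {
    param(
        [string[]]$Directories = @("$env:SystemRoot\SysWOW64", "$env:SystemRoot\System32"),
        [int]$MaxAgeDays = 30,
        [string[]]$KnownNames = @()
    )
    $cutoff = (Get-Date).AddDays(-$MaxAgeDays)
    foreach ($dir in $Directories) {
        if (-not (Test-Path $dir)) { continue }
        # -Include needs a wildcard path when not recursing; top level only, the sample drops there.
        Get-ChildItem -Path "$dir\*" -File -Include *.exe, *.dll -ErrorAction SilentlyContinue |
            Where-Object { $_.CreationTime -ge $cutoff -or $KnownNames -contains $_.Name } |
            ForEach-Object {
                $sig     = Get-AuthenticodeSignature -FilePath $_.FullName
                $signer  = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
                $reasons = @()
                if ($KnownNames -contains $_.Name) { $reasons += 'name matches report IoC' }
                if ($sig.Status -ne 'Valid') {
                    $reasons += "signature $($sig.Status)"
                } elseif ($signer -notmatch 'O=Microsoft Corporation') {
                    $reasons += "non-Microsoft signer: $signer"
                }
                # Only report files that are unsigned, foreign-signed or known by name; the
                # 8-letter naming pattern seen in this report is recorded as supporting evidence.
                if ($reasons.Count -gt 0) {
                    if ($_.BaseName -match '^[A-Za-z]{6}(32|[A-Za-z]{2})$') {
                        $reasons += 'matches 8-character dropper naming pattern'
                    }
                    [pscustomobject]@{
                        Path    = $_.FullName
                        Created = $_.CreationTime
                        Signer  = $signer
                        Reasons = ($reasons -join '; ')
                    }
                }
            }
    }
}

Find-SuspectSystemBinaries -KnownNames $ReportNames | Sort-Object Created -Descending | Format-Table -AutoSize -Wrap
```

Two caveats. On Windows 7, the platform of this run, most inbox binaries are catalog-signed and Get-AuthenticodeSignature reports them as NotSigned, so narrow the creation-time window or confirm with a catalog-aware tool (for example Sysinternals sigcheck) before acting on a signature result alone. And from a 32-bit PowerShell, $env:SystemRoot\System32 is itself redirected to SysWOW64; use $env:SystemRoot\Sysnative to reach the native directory from a 32-bit host process.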