Analysis
-
max time kernel
119s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20240708-en -
resource tags
arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system -
submitted
12/09/2024, 14:50
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
39600ecead1ff6896582a76af5bd9270N.exe
Resource
win7-20240708-en
windows7-x64
9 signatures
120 seconds
Behavioral task
behavioral2
Sample
39600ecead1ff6896582a76af5bd9270N.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
7 signatures
120 seconds
General
-
Target
39600ecead1ff6896582a76af5bd9270N.exe
-
Size
379KB
-
MD5
39600ecead1ff6896582a76af5bd9270
-
SHA1
164c00ef66d348b36fc1e4976e00aea6f0f6842b
-
SHA256
7f3104fb0315bfcfe8275d95b8a4ba45c7fda67ed00e2db10664d671dc6697c4
-
SHA512
0a10214c4bfda39395ceafd7bb5a15e90691c58fa5fa9c47a9aff5f2ea5bcdbbdbe71f1a77406177c01c27a12d25da2e99b7f7c36ed7e0725353cb59b15c9229
-
SSDEEP
6144:loS+jMKivli7O/0xLxli7O//yb1c3ccU0S6GyTgfiEkrE:lo7jTE6vxr6lGHaXyTg6EkrE
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fjbafi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cblfdg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mlkail32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jolghndm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kpgffe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oplelf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gkomjo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qiioon32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dgjfek32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kddomchg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bceibfgj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lkfddc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Njbdea32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jedcpi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cfhiplmp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Calcpm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bcmfmlen.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mcnbhb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Objaha32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ooicid32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bfagpiam.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Okpcoe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fhdjgoha.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gmmfaa32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nnoiio32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gnkmqkbi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eklqcl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hahnac32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jefpeh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mbcoio32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ckcepj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pcnejk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lfmbek32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oghhfg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fcjeon32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lmjnak32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jmfafgbd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fcnkhmdp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Maefamlh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gdmdacnn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pljlbf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bjoofhgc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bbjdjjdn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hihlqeib.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oghhfg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bfdenafn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ibfaopoi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Coacbfii.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Amcbankf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fjdnlhco.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Klehgh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Heealhla.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jnkakl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Becpap32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ccpcckck.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jkchmo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nenkqi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Chqoipkk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Anbkipok.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bnhoag32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Egmojnlf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hinqgg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Omefkplm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hifpke32.exe -
Executes dropped EXE 64 IoCs
pid Process 2528 Mgebdipp.exe 2296 Mnojacgm.exe 2904 Mnaggcej.exe 2908 Mfllkece.exe 2788 Mabphn32.exe 2656 Mlkail32.exe 1732 Medeaaej.exe 688 Noljjglk.exe 1112 Nefbga32.exe 2860 Nidkmojn.exe 1780 Naopaa32.exe 2680 Neklbppb.exe 1904 Nmfqgbmm.exe 2524 Noemqe32.exe 996 Nadimacd.exe 836 Oaffbqaa.exe 1056 Ocgbji32.exe 1520 Odgodl32.exe 1504 Ogekpg32.exe 2484 Onocmadb.exe 2152 Olbchn32.exe 1340 Ooqpdj32.exe 2100 Oghhfg32.exe 2584 Ohidmoaa.exe 2516 Ooclji32.exe 2936 Oemegc32.exe 1820 Olgmcmgh.exe 2716 Padeldeo.exe 2820 Phnnho32.exe 2928 Pkljdj32.exe 1684 Pafbadcm.exe 2644 Pkofjijm.exe 556 Pnmcfeia.exe 2824 Pdgkco32.exe 1912 Phbgcnig.exe 1972 Pclhdl32.exe 2856 Pggdejno.exe 376 Pqphnp32.exe 2284 Pcnejk32.exe 3036 Qfmafg32.exe 2340 Qmgibqjc.exe 1492 Qoeeolig.exe 1292 Qfonkfqd.exe 916 Accnekon.exe 2444 Abfnpg32.exe 2076 Ajmfad32.exe 880 Amkbnp32.exe 2384 Acekjjmk.exe 2412 Afdgfelo.exe 2260 Aibcba32.exe 2740 Akqpom32.exe 2636 Aollokco.exe 2624 Aidphq32.exe 2684 Akcldl32.exe 3068 Anahqh32.exe 1256 Abmdafpp.exe 1704 Aigmnqgm.exe 2712 Agjmim32.exe 764 Ajhiei32.exe 592 Aboaff32.exe 2492 Aababceh.exe 2056 Agljom32.exe 1712 Akhfoldn.exe 2416 Bnfblgca.exe -
Loads dropped DLL 64 IoCs
pid Process 1724 39600ecead1ff6896582a76af5bd9270N.exe 1724 39600ecead1ff6896582a76af5bd9270N.exe 2528 Mgebdipp.exe 2528 Mgebdipp.exe 2296 Mnojacgm.exe 2296 Mnojacgm.exe 2904 Mnaggcej.exe 2904 Mnaggcej.exe 2908 Mfllkece.exe 2908 Mfllkece.exe 2788 Mabphn32.exe 2788 Mabphn32.exe 2656 Mlkail32.exe 2656 Mlkail32.exe 1732 Medeaaej.exe 1732 Medeaaej.exe 688 Noljjglk.exe 688 Noljjglk.exe 1112 Nefbga32.exe 1112 Nefbga32.exe 2860 Nidkmojn.exe 2860 Nidkmojn.exe 1780 Naopaa32.exe 1780 Naopaa32.exe 2680 Neklbppb.exe 2680 Neklbppb.exe 1904 Nmfqgbmm.exe 1904 Nmfqgbmm.exe 2524 Noemqe32.exe 2524 Noemqe32.exe 996 Nadimacd.exe 996 Nadimacd.exe 836 Oaffbqaa.exe 836 Oaffbqaa.exe 1056 Ocgbji32.exe 1056 Ocgbji32.exe 1520 Odgodl32.exe 1520 Odgodl32.exe 1504 Ogekpg32.exe 1504 Ogekpg32.exe 2484 Onocmadb.exe 2484 Onocmadb.exe 2152 Olbchn32.exe 2152 Olbchn32.exe 1340 Ooqpdj32.exe 1340 Ooqpdj32.exe 2100 Oghhfg32.exe 2100 Oghhfg32.exe 2584 Ohidmoaa.exe 2584 Ohidmoaa.exe 2516 Ooclji32.exe 2516 Ooclji32.exe 2936 Oemegc32.exe 2936 Oemegc32.exe 1820 Olgmcmgh.exe 1820 Olgmcmgh.exe 2716 Padeldeo.exe 2716 Padeldeo.exe 2820 Phnnho32.exe 2820 Phnnho32.exe 2928 Pkljdj32.exe 2928 Pkljdj32.exe 1684 Pafbadcm.exe 1684 Pafbadcm.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Oghhfg32.exe Ooqpdj32.exe File created C:\Windows\SysWOW64\Piaincdp.dll Dlgnmb32.exe File opened for modification C:\Windows\SysWOW64\Eolmip32.exe Enkpahon.exe File created C:\Windows\SysWOW64\Ogiaif32.exe Ohfqmi32.exe File opened for modification C:\Windows\SysWOW64\Eelkeeah.exe Ecnoijbd.exe File created C:\Windows\SysWOW64\Cjhkej32.dll Gnaooi32.exe File created C:\Windows\SysWOW64\Hmoofdea.exe Hfegij32.exe File opened for modification C:\Windows\SysWOW64\Illbhp32.exe Ihpfgalh.exe File opened for modification C:\Windows\SysWOW64\Mnojacgm.exe Mgebdipp.exe File created C:\Windows\SysWOW64\Nanbnb32.dll Fhikme32.exe File created C:\Windows\SysWOW64\Kgfoie32.exe Kokjdb32.exe File opened for modification C:\Windows\SysWOW64\Ohcdhi32.exe Odhhgkib.exe File opened for modification C:\Windows\SysWOW64\Omcifpnp.exe Ogiaif32.exe File created C:\Windows\SysWOW64\Apgahbgk.dll Iedfqeka.exe File opened for modification C:\Windows\SysWOW64\Pepcelel.exe Pbagipfi.exe File created C:\Windows\SysWOW64\Oghhfg32.exe Ooqpdj32.exe File created C:\Windows\SysWOW64\Qfmafg32.exe Pcnejk32.exe File opened for modification C:\Windows\SysWOW64\Bnihdemo.exe Bofgii32.exe File opened for modification C:\Windows\SysWOW64\Jdnmma32.exe Jmdepg32.exe File created C:\Windows\SysWOW64\Gqeddbgm.dll Gmpjagfa.exe File opened for modification C:\Windows\SysWOW64\Hjfcpo32.exe Hdlkcdog.exe File opened for modification C:\Windows\SysWOW64\Ijclol32.exe Idicbbpi.exe File opened for modification C:\Windows\SysWOW64\Mnaggcej.exe Mnojacgm.exe File created C:\Windows\SysWOW64\Fbcqem32.dll Ejpdai32.exe File opened for modification C:\Windows\SysWOW64\Jmfafgbd.exe Jikeeh32.exe File created C:\Windows\SysWOW64\Nipdkieg.exe Nedhjj32.exe File created C:\Windows\SysWOW64\Loqhnifk.dll Ilcoce32.exe File created C:\Windows\SysWOW64\Naffihgj.dll Debplg32.exe File created C:\Windows\SysWOW64\Afhgaocl.dll Fjhcegll.exe File created C:\Windows\SysWOW64\Idgglb32.exe Iedfqeka.exe File opened for modification C:\Windows\SysWOW64\Jbqmhnbo.exe Jdnmma32.exe File opened for modification C:\Windows\SysWOW64\Jpdnbbah.exe Jmfafgbd.exe File opened for modification C:\Windows\SysWOW64\Oaffbqaa.exe Nadimacd.exe File opened for modification C:\Windows\SysWOW64\Odgodl32.exe Ocgbji32.exe File created C:\Windows\SysWOW64\Mkdfahce.dll Ejkkfjkj.exe File created C:\Windows\SysWOW64\Opglafab.exe Omioekbo.exe File created C:\Windows\SysWOW64\Qobbofgn.exe Phhjblpa.exe File created C:\Windows\SysWOW64\Cejmcm32.dll Bbbgod32.exe File created C:\Windows\SysWOW64\Mklcadfn.exe Mimgeigj.exe File created C:\Windows\SysWOW64\Mgcchb32.dll Nmfbpk32.exe File created C:\Windows\SysWOW64\Egmmgd32.dll Mabphn32.exe File created C:\Windows\SysWOW64\Accnekon.exe Qfonkfqd.exe File opened for modification C:\Windows\SysWOW64\Ffkoai32.exe Fcmben32.exe File opened for modification C:\Windows\SysWOW64\Bnnaoe32.exe Bkpeci32.exe File created C:\Windows\SysWOW64\Gedjkeaj.dll Iliebpfc.exe File opened for modification C:\Windows\SysWOW64\Njpgpbpf.exe Nfdkoc32.exe File created C:\Windows\SysWOW64\Oiljam32.exe Neqnqofm.exe File created C:\Windows\SysWOW64\Jagjihoe.dll Peedka32.exe File created C:\Windows\SysWOW64\Dgeaoinb.exe Ddfebnoo.exe File created C:\Windows\SysWOW64\Hfjpdjjo.exe Hcldhnkk.exe File created C:\Windows\SysWOW64\Daddfpbk.dll Ipjahd32.exe File created C:\Windows\SysWOW64\Omppei32.dll Lblcfnhj.exe File opened for modification C:\Windows\SysWOW64\Gcgnnlle.exe Gmmfaa32.exe File created C:\Windows\SysWOW64\Dombicdm.dll Ooabmbbe.exe File opened for modification C:\Windows\SysWOW64\Nmnclmoj.exe Njpgpbpf.exe File created C:\Windows\SysWOW64\Pmibbi32.dll Bkpeci32.exe File opened for modification C:\Windows\SysWOW64\Cmfkfa32.exe Cjgoje32.exe File opened for modification C:\Windows\SysWOW64\Eaheeecg.exe Eoiiijcc.exe File created C:\Windows\SysWOW64\Olnldn32.dll Hihlqeib.exe File opened for modification C:\Windows\SysWOW64\Opglafab.exe Omioekbo.exe File created C:\Windows\SysWOW64\Qpbglhjq.exe Qlgkki32.exe File created C:\Windows\SysWOW64\Akcldl32.exe Aidphq32.exe File opened for modification C:\Windows\SysWOW64\Hnpbjnpo.exe Hjdfjo32.exe File opened for modification C:\Windows\SysWOW64\Fcnkhmdp.exe Fdkklp32.exe -
Drops file in Windows directory 2 IoCs
description ioc Process File created C:\Windows\system32†Dhhhbg32.¿xe Dpapaj32.exe File opened for modification C:\Windows\system32†Dhhhbg32.¿xe Dpapaj32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 7536 7460 WerFault.exe 804 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lqcmmjko.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lhpglecl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Omcifpnp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fggkcl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iliebpfc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ihglhp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ljddjj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pohhna32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Apedah32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cegoqlof.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fkecij32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nigafnck.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eddeladm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dpapaj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hndlem32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iigpli32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lfoojj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oemegc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kcopdb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mbnljqic.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gdmdacnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bqeqqk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Blchcpko.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dgjfek32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dobgihgp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lkfddc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jkbojpna.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cmhglq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jbcjnnpl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gmgpbf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lcomce32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cfnoogbo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pebpkk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bekmle32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qnghel32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Peedka32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qiioon32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aidphq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nmqpam32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gcgnnlle.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Olpilg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dbafjlaa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eecafd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ilnomp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bagkmb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Goiehm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mcqombic.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bkjdndjo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Npdfhhhe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iedfqeka.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jhjphfgi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hgbfnngi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pdgmlhha.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Adifpk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Akcldl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kjihalag.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lfbbjpgd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jmfafgbd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Napbjjom.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ohncbdbd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qpbglhjq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nmnclmoj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Comdkipe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jdcmbgkj.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kfeoelgo.dll" Cemjae32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Alqqcl32.dll" Ibmgpoia.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Necogkbo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lonpma32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Goejbpjh.dll" Lboiol32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dpdidmdg.dll" Nbjeinje.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID 39600ecead1ff6896582a76af5bd9270N.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hjfcpo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Coalledf.dll" Cjjkpe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ljddjj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nefdpjkl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfdkid32.dll" Nibqqh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ehkhaqpk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Noljjglk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pclhdl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nigafnck.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Iikifegp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cnfqccna.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Calcpm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ejpdai32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mklcadfn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Icpafcmd.dll" Danmmd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gbfiaj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jgabdlfb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bplkhj32.dll" Npdfhhhe.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pejmfqan.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Afhgaocl.dll" Fjhcegll.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Baojapfj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hfdoodan.dll" Jbcjnnpl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mimgeigj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbpjpn32.dll" Abmdafpp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Agjmglpp.dll" Dbafjlaa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpkadj32.dll" Mejlalji.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fkecij32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bbmapj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nmqpam32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dlfgcl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lpnmgdli.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qjdaldla.dll" Mnmpdlac.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lcomce32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Omefkplm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pljcllqe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Epbpbnan.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ejloak32.dll" Jimbkh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mnaggcej.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lqcmmjko.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fcbecl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jondnnbk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eheecbia.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gpabcbdb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdbfnoac.dll" Ldoimh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cplpppdf.dll" Lbicoamh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cchlkipc.dll" Hfpdkl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hnjbeh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Iafnjg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mnaiol32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Caifjn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ckcepj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Iplnnd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ooabmbbe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pohhna32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bmlael32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dlnipl32.dll" Mndmoaog.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pdakniag.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1724 wrote to memory of 2528 1724 39600ecead1ff6896582a76af5bd9270N.exe 30 PID 1724 wrote to memory of 2528 1724 39600ecead1ff6896582a76af5bd9270N.exe 30 PID 1724 wrote to memory of 2528 1724 39600ecead1ff6896582a76af5bd9270N.exe 30 PID 1724 wrote to memory of 2528 1724 39600ecead1ff6896582a76af5bd9270N.exe 30 PID 2528 wrote to memory of 2296 2528 Mgebdipp.exe 31 PID 2528 wrote to memory of 2296 2528 Mgebdipp.exe 31 PID 2528 wrote to memory of 2296 2528 Mgebdipp.exe 31 PID 2528 wrote to memory of 2296 2528 Mgebdipp.exe 31 PID 2296 wrote to memory of 2904 2296 Mnojacgm.exe 32 PID 2296 wrote to memory of 2904 2296 Mnojacgm.exe 32 PID 2296 wrote to memory of 2904 2296 Mnojacgm.exe 32 PID 2296 wrote to memory of 2904 2296 Mnojacgm.exe 32 PID 2904 wrote to memory of 2908 2904 Mnaggcej.exe 33 PID 2904 wrote to memory of 2908 2904 Mnaggcej.exe 33 PID 2904 wrote to memory of 2908 2904 Mnaggcej.exe 33 PID 2904 wrote to memory of 2908 2904 Mnaggcej.exe 33 PID 2908 wrote to memory of 2788 2908 Mfllkece.exe 34 PID 2908 wrote to memory of 2788 2908 Mfllkece.exe 34 PID 2908 wrote to memory of 2788 2908 Mfllkece.exe 34 PID 2908 wrote to memory of 2788 2908 Mfllkece.exe 34 PID 2788 wrote to memory of 2656 2788 Mabphn32.exe 35 PID 2788 wrote to memory of 2656 2788 Mabphn32.exe 35 PID 2788 wrote to memory of 2656 2788 Mabphn32.exe 35 PID 2788 wrote to memory of 2656 2788 Mabphn32.exe 35 PID 2656 wrote to memory of 1732 2656 Mlkail32.exe 36 PID 2656 wrote to memory of 1732 2656 Mlkail32.exe 36 PID 2656 wrote to memory of 1732 2656 Mlkail32.exe 36 PID 2656 wrote to memory of 1732 2656 Mlkail32.exe 36 PID 1732 wrote to memory of 688 1732 Medeaaej.exe 37 PID 1732 wrote to memory of 688 1732 Medeaaej.exe 37 PID 1732 wrote to memory of 688 1732 Medeaaej.exe 37 PID 1732 wrote to memory of 688 1732 Medeaaej.exe 37 PID 688 wrote to memory of 1112 688 Noljjglk.exe 38 PID 688 wrote to memory of 1112 688 Noljjglk.exe 38 PID 688 wrote to memory of 1112 688 Noljjglk.exe 38 PID 688 wrote to memory of 1112 688 Noljjglk.exe 38 PID 1112 wrote to memory of 2860 1112 Nefbga32.exe 39 PID 1112 wrote to memory of 2860 1112 Nefbga32.exe 39 PID 1112 wrote to memory of 2860 1112 Nefbga32.exe 39 PID 1112 wrote to memory of 2860 1112 Nefbga32.exe 39 PID 2860 wrote to memory of 1780 2860 Nidkmojn.exe 40 PID 2860 wrote to memory of 1780 2860 Nidkmojn.exe 40 PID 2860 wrote to memory of 1780 2860 Nidkmojn.exe 40 PID 2860 wrote to memory of 1780 2860 Nidkmojn.exe 40 PID 1780 wrote to memory of 2680 1780 Naopaa32.exe 41 PID 1780 wrote to memory of 2680 1780 Naopaa32.exe 41 PID 1780 wrote to memory of 2680 1780 Naopaa32.exe 41 PID 1780 wrote to memory of 2680 1780 Naopaa32.exe 41 PID 2680 wrote to memory of 1904 2680 Neklbppb.exe 42 PID 2680 wrote to memory of 1904 2680 Neklbppb.exe 42 PID 2680 wrote to memory of 1904 2680 Neklbppb.exe 42 PID 2680 wrote to memory of 1904 2680 Neklbppb.exe 42 PID 1904 wrote to memory of 2524 1904 Nmfqgbmm.exe 43 PID 1904 wrote to memory of 2524 1904 Nmfqgbmm.exe 43 PID 1904 wrote to memory of 2524 1904 Nmfqgbmm.exe 43 PID 1904 wrote to memory of 2524 1904 Nmfqgbmm.exe 43 PID 2524 wrote to memory of 996 2524 Noemqe32.exe 44 PID 2524 wrote to memory of 996 2524 Noemqe32.exe 44 PID 2524 wrote to memory of 996 2524 Noemqe32.exe 44 PID 2524 wrote to memory of 996 2524 Noemqe32.exe 44 PID 996 wrote to memory of 836 996 Nadimacd.exe 45 PID 996 wrote to memory of 836 996 Nadimacd.exe 45 PID 996 wrote to memory of 836 996 Nadimacd.exe 45 PID 996 wrote to memory of 836 996 Nadimacd.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\39600ecead1ff6896582a76af5bd9270N.exe"C:\Users\Admin\AppData\Local\Temp\39600ecead1ff6896582a76af5bd9270N.exe"1⤵
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1724 -
C:\Windows\SysWOW64\Mgebdipp.exeC:\Windows\system32\Mgebdipp.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2528 -
C:\Windows\SysWOW64\Mnojacgm.exeC:\Windows\system32\Mnojacgm.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2296 -
C:\Windows\SysWOW64\Mnaggcej.exeC:\Windows\system32\Mnaggcej.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2904 -
C:\Windows\SysWOW64\Mfllkece.exeC:\Windows\system32\Mfllkece.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2908 -
C:\Windows\SysWOW64\Mabphn32.exeC:\Windows\system32\Mabphn32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2788 -
C:\Windows\SysWOW64\Mlkail32.exeC:\Windows\system32\Mlkail32.exe7⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2656 -
C:\Windows\SysWOW64\Medeaaej.exeC:\Windows\system32\Medeaaej.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1732 -
C:\Windows\SysWOW64\Noljjglk.exeC:\Windows\system32\Noljjglk.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:688 -
C:\Windows\SysWOW64\Nefbga32.exeC:\Windows\system32\Nefbga32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1112 -
C:\Windows\SysWOW64\Nidkmojn.exeC:\Windows\system32\Nidkmojn.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2860 -
C:\Windows\SysWOW64\Naopaa32.exeC:\Windows\system32\Naopaa32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1780 -
C:\Windows\SysWOW64\Neklbppb.exeC:\Windows\system32\Neklbppb.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2680 -
C:\Windows\SysWOW64\Nmfqgbmm.exeC:\Windows\system32\Nmfqgbmm.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1904 -
C:\Windows\SysWOW64\Noemqe32.exeC:\Windows\system32\Noemqe32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2524 -
C:\Windows\SysWOW64\Nadimacd.exeC:\Windows\system32\Nadimacd.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:996 -
C:\Windows\SysWOW64\Oaffbqaa.exeC:\Windows\system32\Oaffbqaa.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:836 -
C:\Windows\SysWOW64\Ocgbji32.exeC:\Windows\system32\Ocgbji32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1056 -
C:\Windows\SysWOW64\Odgodl32.exeC:\Windows\system32\Odgodl32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1520 -
C:\Windows\SysWOW64\Ogekpg32.exeC:\Windows\system32\Ogekpg32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1504 -
C:\Windows\SysWOW64\Onocmadb.exeC:\Windows\system32\Onocmadb.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2484 -
C:\Windows\SysWOW64\Olbchn32.exeC:\Windows\system32\Olbchn32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2152 -
C:\Windows\SysWOW64\Ooqpdj32.exeC:\Windows\system32\Ooqpdj32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1340 -
C:\Windows\SysWOW64\Oghhfg32.exeC:\Windows\system32\Oghhfg32.exe24⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2100 -
C:\Windows\SysWOW64\Ohidmoaa.exeC:\Windows\system32\Ohidmoaa.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2584 -
C:\Windows\SysWOW64\Ooclji32.exeC:\Windows\system32\Ooclji32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2516 -
C:\Windows\SysWOW64\Oemegc32.exeC:\Windows\system32\Oemegc32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2936 -
C:\Windows\SysWOW64\Olgmcmgh.exeC:\Windows\system32\Olgmcmgh.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1820 -
C:\Windows\SysWOW64\Padeldeo.exeC:\Windows\system32\Padeldeo.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2716 -
C:\Windows\SysWOW64\Phnnho32.exeC:\Windows\system32\Phnnho32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2820 -
C:\Windows\SysWOW64\Pkljdj32.exeC:\Windows\system32\Pkljdj32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2928 -
C:\Windows\SysWOW64\Pafbadcm.exeC:\Windows\system32\Pafbadcm.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1684 -
C:\Windows\SysWOW64\Pkofjijm.exeC:\Windows\system32\Pkofjijm.exe33⤵
- Executes dropped EXE
PID:2644 -
C:\Windows\SysWOW64\Pnmcfeia.exeC:\Windows\system32\Pnmcfeia.exe34⤵
- Executes dropped EXE
PID:556 -
C:\Windows\SysWOW64\Pdgkco32.exeC:\Windows\system32\Pdgkco32.exe35⤵
- Executes dropped EXE
PID:2824 -
C:\Windows\SysWOW64\Phbgcnig.exeC:\Windows\system32\Phbgcnig.exe36⤵
- Executes dropped EXE
PID:1912 -
C:\Windows\SysWOW64\Pclhdl32.exeC:\Windows\system32\Pclhdl32.exe37⤵
- Executes dropped EXE
- Modifies registry class
PID:1972 -
C:\Windows\SysWOW64\Pggdejno.exeC:\Windows\system32\Pggdejno.exe38⤵
- Executes dropped EXE
PID:2856 -
C:\Windows\SysWOW64\Pqphnp32.exeC:\Windows\system32\Pqphnp32.exe39⤵
- Executes dropped EXE
PID:376 -
C:\Windows\SysWOW64\Pcnejk32.exeC:\Windows\system32\Pcnejk32.exe40⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2284 -
C:\Windows\SysWOW64\Qfmafg32.exeC:\Windows\system32\Qfmafg32.exe41⤵
- Executes dropped EXE
PID:3036 -
C:\Windows\SysWOW64\Qmgibqjc.exeC:\Windows\system32\Qmgibqjc.exe42⤵
- Executes dropped EXE
PID:2340 -
C:\Windows\SysWOW64\Qoeeolig.exeC:\Windows\system32\Qoeeolig.exe43⤵
- Executes dropped EXE
PID:1492 -
C:\Windows\SysWOW64\Qfonkfqd.exeC:\Windows\system32\Qfonkfqd.exe44⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1292 -
C:\Windows\SysWOW64\Accnekon.exeC:\Windows\system32\Accnekon.exe45⤵
- Executes dropped EXE
PID:916 -
C:\Windows\SysWOW64\Abfnpg32.exeC:\Windows\system32\Abfnpg32.exe46⤵
- Executes dropped EXE
PID:2444 -
C:\Windows\SysWOW64\Ajmfad32.exeC:\Windows\system32\Ajmfad32.exe47⤵
- Executes dropped EXE
PID:2076 -
C:\Windows\SysWOW64\Amkbnp32.exeC:\Windows\system32\Amkbnp32.exe48⤵
- Executes dropped EXE
PID:880 -
C:\Windows\SysWOW64\Acekjjmk.exeC:\Windows\system32\Acekjjmk.exe49⤵
- Executes dropped EXE
PID:2384 -
C:\Windows\SysWOW64\Afdgfelo.exeC:\Windows\system32\Afdgfelo.exe50⤵
- Executes dropped EXE
PID:2412 -
C:\Windows\SysWOW64\Aibcba32.exeC:\Windows\system32\Aibcba32.exe51⤵
- Executes dropped EXE
PID:2260 -
C:\Windows\SysWOW64\Akqpom32.exeC:\Windows\system32\Akqpom32.exe52⤵
- Executes dropped EXE
PID:2740 -
C:\Windows\SysWOW64\Aollokco.exeC:\Windows\system32\Aollokco.exe53⤵
- Executes dropped EXE
PID:2636 -
C:\Windows\SysWOW64\Aidphq32.exeC:\Windows\system32\Aidphq32.exe54⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2624 -
C:\Windows\SysWOW64\Akcldl32.exeC:\Windows\system32\Akcldl32.exe55⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2684 -
C:\Windows\SysWOW64\Anahqh32.exeC:\Windows\system32\Anahqh32.exe56⤵
- Executes dropped EXE
PID:3068 -
C:\Windows\SysWOW64\Abmdafpp.exeC:\Windows\system32\Abmdafpp.exe57⤵
- Executes dropped EXE
- Modifies registry class
PID:1256 -
C:\Windows\SysWOW64\Aigmnqgm.exeC:\Windows\system32\Aigmnqgm.exe58⤵
- Executes dropped EXE
PID:1704 -
C:\Windows\SysWOW64\Agjmim32.exeC:\Windows\system32\Agjmim32.exe59⤵
- Executes dropped EXE
PID:2712 -
C:\Windows\SysWOW64\Ajhiei32.exeC:\Windows\system32\Ajhiei32.exe60⤵
- Executes dropped EXE
PID:764 -
C:\Windows\SysWOW64\Aboaff32.exeC:\Windows\system32\Aboaff32.exe61⤵
- Executes dropped EXE
PID:592 -
C:\Windows\SysWOW64\Aababceh.exeC:\Windows\system32\Aababceh.exe62⤵
- Executes dropped EXE
PID:2492 -
C:\Windows\SysWOW64\Agljom32.exeC:\Windows\system32\Agljom32.exe63⤵
- Executes dropped EXE
PID:2056 -
C:\Windows\SysWOW64\Akhfoldn.exeC:\Windows\system32\Akhfoldn.exe64⤵
- Executes dropped EXE
PID:1712 -
C:\Windows\SysWOW64\Bnfblgca.exeC:\Windows\system32\Bnfblgca.exe65⤵
- Executes dropped EXE
PID:2416 -
C:\Windows\SysWOW64\Badnhbce.exeC:\Windows\system32\Badnhbce.exe66⤵PID:1616
-
C:\Windows\SysWOW64\Bccjdnbi.exeC:\Windows\system32\Bccjdnbi.exe67⤵PID:2696
-
C:\Windows\SysWOW64\Bfagpiam.exeC:\Windows\system32\Bfagpiam.exe68⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2796 -
C:\Windows\SysWOW64\Bnhoag32.exeC:\Windows\system32\Bnhoag32.exe69⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2920 -
C:\Windows\SysWOW64\Bagkmb32.exeC:\Windows\system32\Bagkmb32.exe70⤵
- System Location Discovery: System Language Discovery
PID:2804 -
C:\Windows\SysWOW64\Bpjkiogm.exeC:\Windows\system32\Bpjkiogm.exe71⤵PID:2640
-
C:\Windows\SysWOW64\Bgqcjlhp.exeC:\Windows\system32\Bgqcjlhp.exe72⤵PID:3060
-
C:\Windows\SysWOW64\Bjoofhgc.exeC:\Windows\system32\Bjoofhgc.exe73⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2660 -
C:\Windows\SysWOW64\Bmnlbcfg.exeC:\Windows\system32\Bmnlbcfg.exe74⤵PID:1648
-
C:\Windows\SysWOW64\Baigca32.exeC:\Windows\system32\Baigca32.exe75⤵PID:1284
-
C:\Windows\SysWOW64\Bcgdom32.exeC:\Windows\system32\Bcgdom32.exe76⤵PID:2600
-
C:\Windows\SysWOW64\Bbjdjjdn.exeC:\Windows\system32\Bbjdjjdn.exe77⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1320 -
C:\Windows\SysWOW64\Bjallg32.exeC:\Windows\system32\Bjallg32.exe78⤵PID:576
-
C:\Windows\SysWOW64\Bidlgdlk.exeC:\Windows\system32\Bidlgdlk.exe79⤵PID:1432
-
C:\Windows\SysWOW64\Blchcpko.exeC:\Windows\system32\Blchcpko.exe80⤵
- System Location Discovery: System Language Discovery
PID:2792 -
C:\Windows\SysWOW64\Bcjqdmla.exeC:\Windows\system32\Bcjqdmla.exe81⤵PID:2124
-
C:\Windows\SysWOW64\Bbmapj32.exeC:\Windows\system32\Bbmapj32.exe82⤵
- Modifies registry class
PID:2380 -
C:\Windows\SysWOW64\Bfhmqhkd.exeC:\Windows\system32\Bfhmqhkd.exe83⤵PID:2020
-
C:\Windows\SysWOW64\Bekmle32.exeC:\Windows\system32\Bekmle32.exe84⤵
- System Location Discovery: System Language Discovery
PID:2536 -
C:\Windows\SysWOW64\Bmbemb32.exeC:\Windows\system32\Bmbemb32.exe85⤵PID:1856
-
C:\Windows\SysWOW64\Bleeioil.exeC:\Windows\system32\Bleeioil.exe86⤵PID:2104
-
C:\Windows\SysWOW64\Bbonei32.exeC:\Windows\system32\Bbonei32.exe87⤵PID:2780
-
C:\Windows\SysWOW64\Cemjae32.exeC:\Windows\system32\Cemjae32.exe88⤵
- Modifies registry class
PID:2732 -
C:\Windows\SysWOW64\Ciifbchf.exeC:\Windows\system32\Ciifbchf.exe89⤵PID:2184
-
C:\Windows\SysWOW64\Cpcnonob.exeC:\Windows\system32\Cpcnonob.exe90⤵PID:1796
-
C:\Windows\SysWOW64\Cbajkiof.exeC:\Windows\system32\Cbajkiof.exe91⤵PID:1952
-
C:\Windows\SysWOW64\Cepfgdnj.exeC:\Windows\system32\Cepfgdnj.exe92⤵PID:2944
-
C:\Windows\SysWOW64\Cikbhc32.exeC:\Windows\system32\Cikbhc32.exe93⤵PID:2596
-
C:\Windows\SysWOW64\Cljodo32.exeC:\Windows\system32\Cljodo32.exe94⤵PID:968
-
C:\Windows\SysWOW64\Cjmopkla.exeC:\Windows\system32\Cjmopkla.exe95⤵PID:1644
-
C:\Windows\SysWOW64\Cohkpj32.exeC:\Windows\system32\Cohkpj32.exe96⤵PID:888
-
C:\Windows\SysWOW64\Cafgle32.exeC:\Windows\system32\Cafgle32.exe97⤵PID:1028
-
C:\Windows\SysWOW64\Cebcmdlg.exeC:\Windows\system32\Cebcmdlg.exe98⤵PID:896
-
C:\Windows\SysWOW64\Chqoipkk.exeC:\Windows\system32\Chqoipkk.exe99⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1584 -
C:\Windows\SysWOW64\Cojhejbh.exeC:\Windows\system32\Cojhejbh.exe100⤵PID:2776
-
C:\Windows\SysWOW64\Cmmhaf32.exeC:\Windows\system32\Cmmhaf32.exe101⤵PID:2608
-
C:\Windows\SysWOW64\Cedpbd32.exeC:\Windows\system32\Cedpbd32.exe102⤵PID:2832
-
C:\Windows\SysWOW64\Cffljlpc.exeC:\Windows\system32\Cffljlpc.exe103⤵PID:1600
-
C:\Windows\SysWOW64\Comdkipe.exeC:\Windows\system32\Comdkipe.exe104⤵
- System Location Discovery: System Language Discovery
PID:2000 -
C:\Windows\SysWOW64\Cakqgeoi.exeC:\Windows\system32\Cakqgeoi.exe105⤵PID:816
-
C:\Windows\SysWOW64\Cdjmcpnl.exeC:\Windows\system32\Cdjmcpnl.exe106⤵PID:780
-
C:\Windows\SysWOW64\Cfhiplmp.exeC:\Windows\system32\Cfhiplmp.exe107⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1348 -
C:\Windows\SysWOW64\Ckcepj32.exeC:\Windows\system32\Ckcepj32.exe108⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:1536 -
C:\Windows\SysWOW64\Cifelgmd.exeC:\Windows\system32\Cifelgmd.exe109⤵PID:1836
-
C:\Windows\SysWOW64\Danmmd32.exeC:\Windows\system32\Danmmd32.exe110⤵
- Modifies registry class
PID:1700 -
C:\Windows\SysWOW64\Ddliip32.exeC:\Windows\system32\Ddliip32.exe111⤵PID:2984
-
C:\Windows\SysWOW64\Dgjfek32.exeC:\Windows\system32\Dgjfek32.exe112⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:2616 -
C:\Windows\SysWOW64\Dlgnmb32.exeC:\Windows\system32\Dlgnmb32.exe113⤵
- Drops file in System32 directory
PID:2148 -
C:\Windows\SysWOW64\Ddnfop32.exeC:\Windows\system32\Ddnfop32.exe114⤵PID:1620
-
C:\Windows\SysWOW64\Dbafjlaa.exeC:\Windows\system32\Dbafjlaa.exe115⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1792 -
C:\Windows\SysWOW64\Dikogf32.exeC:\Windows\system32\Dikogf32.exe116⤵PID:568
-
C:\Windows\SysWOW64\Dljkcb32.exeC:\Windows\system32\Dljkcb32.exe117⤵PID:700
-
C:\Windows\SysWOW64\Dohgomgf.exeC:\Windows\system32\Dohgomgf.exe118⤵PID:820
-
C:\Windows\SysWOW64\Dcccpl32.exeC:\Windows\system32\Dcccpl32.exe119⤵PID:2404
-
C:\Windows\SysWOW64\Debplg32.exeC:\Windows\system32\Debplg32.exe120⤵
- Drops file in System32 directory
PID:800 -
C:\Windows\SysWOW64\Dhplhc32.exeC:\Windows\system32\Dhplhc32.exe121⤵PID:2900
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-