Analysis
-
max time kernel
71s -
max time network
19s -
platform
windows7_x64 -
resource
win7-20240704-en -
resource tags
arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system -
submitted
01-08-2024 23:00
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
17be80e82b771abd08a14b7f77946760N.exe
Resource
win7-20240704-en
windows7-x64
8 signatures
120 seconds
Behavioral task
behavioral2
Sample
17be80e82b771abd08a14b7f77946760N.exe
Resource
win10v2004-20240730-en
windows10-2004-x64
7 signatures
120 seconds
General
-
Target
17be80e82b771abd08a14b7f77946760N.exe
-
Size
64KB
-
MD5
17be80e82b771abd08a14b7f77946760
-
SHA1
30172b7448a8261e5fc95074d8a574d5cdb78c90
-
SHA256
0071f088fc91d3087fa3967e9124e90f2f5b54ffc3f75026a86dde698d4ff95a
-
SHA512
35f198e8a588ebb9da22e1e9e283a71827c56832861ee3cfbab15b9660004036900c4ab3c1e8d6a64d1c1f97a94a57e9048f275d1be1d7e3b7b4db441176ff40
-
SSDEEP
768:hHRWv1Pd/stBcpfXvfnFMfGuUYaY/nufQrE6//1H5NPeOEFEkzWpeAbMb6LqyizC:hUvdaWFIlaY/nS6FPeO6XKhbMbt2
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Koelibnh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mqgahh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kdjceb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mjgqcj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kgjelg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nplhooec.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fhqfie32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ijhkembk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pmgnan32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ppgfciee.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dnmhogjo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Afffgjma.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fhqfie32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aggkdlod.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ijhkembk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ebhani32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hbengc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Olgboogb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ihooog32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mhopcl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cfjdfg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ajbdpblo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cbfhjfdk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dhaefepn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dlhdjh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bphmfo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cedbmi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fgfckbfa.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nmgjee32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Okijhmcm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Knaqcabh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lkngkj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fhlogo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Apapcnaf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lbkchj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Akbelbpi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Codgbqmc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jongag32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gmgenh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jiinmnaa.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Moloidjl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fadagl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qdlialfb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Plcied32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cmjdcm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bjnjfffm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Igdndl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fgibijkb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kmjaddii.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mdmhfpkg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Joqdfghn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hjbhgolp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aoijjjcl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dahobdpe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nadoiccn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cbllph32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gklkdn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pmlngdhk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ebhani32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hnecjgch.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nbljfdoh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Opebpdad.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gkgbioee.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qoopie32.exe -
Executes dropped EXE 64 IoCs
pid Process 2980 Hdcdfmqe.exe 2852 Hipmoc32.exe 2820 Hdeall32.exe 2864 Hjoiiffo.exe 2744 Hpoofm32.exe 2772 Iencdc32.exe 2680 Ibadnhmb.exe 1080 Ioheci32.exe 1796 Ihqilnig.exe 2004 Iplnpq32.exe 3000 Igffmkno.exe 616 Jjgonf32.exe 1912 Jpqgkpcl.exe 2472 Jempcgad.exe 2240 Jlghpa32.exe 696 Jgmlmj32.exe 784 Jljeeqfn.exe 1448 Jfbinf32.exe 928 Jkobgm32.exe 920 Jbijcgbc.exe 1832 Klonqpbi.exe 2112 Kdjceb32.exe 1932 Koogbk32.exe 2304 Kjihci32.exe 2348 Kbppdfmk.exe 1944 Kkhdml32.exe 2956 Kmjaddii.exe 1904 Kccian32.exe 2904 Lqgjkbop.exe 484 Ljpnch32.exe 2696 Lqjfpbmm.exe 2268 Lbkchj32.exe 840 Lmqgec32.exe 2100 Lkfdfo32.exe 2332 Lfkhch32.exe 1472 Laeidfdn.exe 1212 Mljnaocd.exe 1268 Magfjebk.exe 2664 Majcoepi.exe 2172 Mchokq32.exe 2404 Malpee32.exe 1640 Mcjlap32.exe 2512 Migdig32.exe 2424 Mdmhfpkg.exe 1460 Mjgqcj32.exe 2636 Mmemoe32.exe 2344 Nfmahkhh.exe 2644 Nmgjee32.exe 1240 Npffaq32.exe 2308 Nfpnnk32.exe 2936 Nhakecld.exe 1676 Naionh32.exe 2724 Nlocka32.exe 1652 Nbilhkig.exe 1176 Ndjhpcoe.exe 2164 Nlapaapg.exe 2232 Nmbmii32.exe 2096 Ndmeecmb.exe 3056 Okfmbm32.exe 2248 Omeini32.exe 1924 Ohjmlaci.exe 1780 Okijhmcm.exe 1772 Opebpdad.exe 2384 Opjlkc32.exe -
Loads dropped DLL 64 IoCs
pid Process 1104 17be80e82b771abd08a14b7f77946760N.exe 1104 17be80e82b771abd08a14b7f77946760N.exe 2980 Hdcdfmqe.exe 2980 Hdcdfmqe.exe 2852 Hipmoc32.exe 2852 Hipmoc32.exe 2820 Hdeall32.exe 2820 Hdeall32.exe 2864 Hjoiiffo.exe 2864 Hjoiiffo.exe 2744 Hpoofm32.exe 2744 Hpoofm32.exe 2772 Iencdc32.exe 2772 Iencdc32.exe 2680 Ibadnhmb.exe 2680 Ibadnhmb.exe 1080 Ioheci32.exe 1080 Ioheci32.exe 1796 Ihqilnig.exe 1796 Ihqilnig.exe 2004 Iplnpq32.exe 2004 Iplnpq32.exe 3000 Igffmkno.exe 3000 Igffmkno.exe 616 Jjgonf32.exe 616 Jjgonf32.exe 1912 Jpqgkpcl.exe 1912 Jpqgkpcl.exe 2472 Jempcgad.exe 2472 Jempcgad.exe 2240 Jlghpa32.exe 2240 Jlghpa32.exe 696 Jgmlmj32.exe 696 Jgmlmj32.exe 784 Jljeeqfn.exe 784 Jljeeqfn.exe 1448 Jfbinf32.exe 1448 Jfbinf32.exe 928 Jkobgm32.exe 928 Jkobgm32.exe 920 Jbijcgbc.exe 920 Jbijcgbc.exe 1832 Klonqpbi.exe 1832 Klonqpbi.exe 2112 Kdjceb32.exe 2112 Kdjceb32.exe 1932 Koogbk32.exe 1932 Koogbk32.exe 2304 Kjihci32.exe 2304 Kjihci32.exe 2348 Kbppdfmk.exe 2348 Kbppdfmk.exe 1944 Kkhdml32.exe 1944 Kkhdml32.exe 2956 Kmjaddii.exe 2956 Kmjaddii.exe 1904 Kccian32.exe 1904 Kccian32.exe 2904 Lqgjkbop.exe 2904 Lqgjkbop.exe 484 Ljpnch32.exe 484 Ljpnch32.exe 2696 Lqjfpbmm.exe 2696 Lqjfpbmm.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Moloidjl.exe Mfdjpo32.exe File created C:\Windows\SysWOW64\Epmahmcm.exe Ebhani32.exe File created C:\Windows\SysWOW64\Eenckc32.exe Epakcm32.exe File opened for modification C:\Windows\SysWOW64\Mqdbjp32.exe Lmfjcajl.exe File created C:\Windows\SysWOW64\Fopjnd32.dll Bjanfl32.exe File created C:\Windows\SysWOW64\Lbpolb32.exe Lfingaaf.exe File created C:\Windows\SysWOW64\Ojnelefl.exe Oaeacppk.exe File opened for modification C:\Windows\SysWOW64\Ljpnch32.exe Lqgjkbop.exe File created C:\Windows\SysWOW64\Mcjlap32.exe Malpee32.exe File created C:\Windows\SysWOW64\Ohjmlaci.exe Omeini32.exe File created C:\Windows\SysWOW64\Fhcjilcb.exe Fgbnbcmd.exe File opened for modification C:\Windows\SysWOW64\Clkfjman.exe Cjljpjjk.exe File created C:\Windows\SysWOW64\Eiocbd32.exe Ebekej32.exe File created C:\Windows\SysWOW64\Iioajkkj.dll Fejjah32.exe File created C:\Windows\SysWOW64\Idgdenml.dll Gkgbioee.exe File opened for modification C:\Windows\SysWOW64\Dndoof32.exe Dapnfb32.exe File created C:\Windows\SysWOW64\Imqfik32.dll Imfeip32.exe File created C:\Windows\SysWOW64\Hnjompcl.dll Jiinmnaa.exe File created C:\Windows\SysWOW64\Dahobdpe.exe Clkfjman.exe File created C:\Windows\SysWOW64\Fjiegbjj.dll Kccian32.exe File opened for modification C:\Windows\SysWOW64\Bejiehfi.exe Akbelbpi.exe File created C:\Windows\SysWOW64\Cobjmq32.exe Ciebdj32.exe File created C:\Windows\SysWOW64\Bpcoppdl.dll Ehdnkh32.exe File created C:\Windows\SysWOW64\Eehkmm32.dll Mfdjpo32.exe File created C:\Windows\SysWOW64\Moeodd32.dll Ljpnch32.exe File created C:\Windows\SysWOW64\Jeofnpke.exe Joenaf32.exe File created C:\Windows\SysWOW64\Cmgpcg32.exe Cnacbj32.exe File opened for modification C:\Windows\SysWOW64\Jafilj32.exe Jjlqpp32.exe File opened for modification C:\Windows\SysWOW64\Eijffhjd.exe Eaoaafli.exe File created C:\Windows\SysWOW64\Pnngpaop.dll Fgqcel32.exe File created C:\Windows\SysWOW64\Ppqqbjkm.exe Oakcan32.exe File created C:\Windows\SysWOW64\Mepmffng.dll Codgbqmc.exe File created C:\Windows\SysWOW64\Kcipqi32.exe Kahciaog.exe File created C:\Windows\SysWOW64\Ebkggjeg.dll Ohbmppia.exe File created C:\Windows\SysWOW64\Bgglmgeb.dll Bjnjfffm.exe File opened for modification C:\Windows\SysWOW64\Jogjgf32.exe Jeofnpke.exe File opened for modification C:\Windows\SysWOW64\Jigagocd.exe Jdjioh32.exe File created C:\Windows\SysWOW64\Mgodjico.exe Lbpolb32.exe File opened for modification C:\Windows\SysWOW64\Dfegjknm.exe Dahobdpe.exe File created C:\Windows\SysWOW64\Ghdehmnj.dll Iekbmfdc.exe File created C:\Windows\SysWOW64\Nfdgdh32.dll Kblooa32.exe File created C:\Windows\SysWOW64\Dcecef32.dll Agonig32.exe File created C:\Windows\SysWOW64\Bgkbfcck.exe Bnbnnm32.exe File opened for modification C:\Windows\SysWOW64\Gcankb32.exe Gmgenh32.exe File created C:\Windows\SysWOW64\Jgmofbpk.exe Jiinmnaa.exe File created C:\Windows\SysWOW64\Aaeiqf32.exe Ahmehqna.exe File opened for modification C:\Windows\SysWOW64\Hehconob.exe Hbjgbbpn.exe File created C:\Windows\SysWOW64\Abdpngjb.exe Agolpnjl.exe File created C:\Windows\SysWOW64\Fohbqpki.exe Fadagl32.exe File created C:\Windows\SysWOW64\Ibmmkaik.exe Hjbhgolp.exe File created C:\Windows\SysWOW64\Jdekhe32.dll Lmqgec32.exe File created C:\Windows\SysWOW64\Akgdjm32.dll Phjjkefd.exe File created C:\Windows\SysWOW64\Dgiomabc.exe Dmomnlne.exe File opened for modification C:\Windows\SysWOW64\Eonfgbhc.exe Ehdnkh32.exe File opened for modification C:\Windows\SysWOW64\Pkihpi32.exe Pelpgb32.exe File created C:\Windows\SysWOW64\Dieiap32.exe Dkaihkih.exe File created C:\Windows\SysWOW64\Bkbopl32.dll Gomjckqc.exe File created C:\Windows\SysWOW64\Folhio32.exe Fgqcel32.exe File opened for modification C:\Windows\SysWOW64\Fialggcl.exe Folhio32.exe File opened for modification C:\Windows\SysWOW64\Fbbcdh32.exe Fhlogo32.exe File created C:\Windows\SysWOW64\Alnfce32.dll Eonfgbhc.exe File created C:\Windows\SysWOW64\Pkjgomho.dll Abdpngjb.exe File created C:\Windows\SysWOW64\Okdpmh32.dll Epqhjdhc.exe File created C:\Windows\SysWOW64\Dnlolhoo.exe Dfegjknm.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 2940 3020 WerFault.exe 516 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jkobgm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qmcedg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bigohejb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bjnjfffm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Copljmpo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kblooa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jgmlmj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bejiehfi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ceoooj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pcagkmaj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Amnanefa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kanfgofa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Phabdmgq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Omeini32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gomjckqc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kmjaddii.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hojqjp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Keodflee.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nkjeod32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jjgonf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hfmbfkhf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iflmlfcn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bnekcm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oppbjn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lolbjahp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Amhopfof.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kahciaog.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lddagi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Abeghmmn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Okfmbm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dhaefepn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jogjgf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qakppa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Glajmppm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ihqilnig.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Codgbqmc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mfhcknpf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ginefe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Naionh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fkdckgpc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ojnelefl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mcjlap32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lolpah32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Koelibnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gnjehaio.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Geaaolbo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Epakcm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Geeekf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hjoiiffo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iiobcq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ilhnjfmi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lkngkj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Phjjkefd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hiabjm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gmgenh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Khcdijac.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ndjhpcoe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Joqdfghn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ejmljg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Opjlkc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ilblkh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lmfjcajl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gklkdn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fbbcdh32.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pngjlfla.dll" Idepdhia.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elefkiaj.dll" Khcdijac.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aellfe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Agdfjc32.dll" Aggkdlod.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcgmedpl.dll" Bdmhcp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lqjfpbmm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Codgbqmc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hehconob.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gggadc32.dll" Joepjokm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mheohk32.dll" Jdhlih32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kgkfle32.dll" Ofnppgbh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kebdmn32.dll" Lolbjahp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nbaafocg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Phckglbq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" 17be80e82b771abd08a14b7f77946760N.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lelhjebf.dll" Pjblcl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fjfllm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qkbkfh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nhabgpel.dll" Bgnaekil.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Akljeqga.dll" Mcjlap32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Omeini32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hccfoehi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bqhbcqmj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ijhemglp.dll" Ijenpn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Igdndl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jjgonf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dlfpln32.dll" Dlhdjh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibbjgneh.dll" Ppogok32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jgmlmj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Epdncb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmmgdk32.dll" Oelcho32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bdpnlo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ebmjihqn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bfblmofp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nemfepee.dll" Bfeibo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hgmfjdbe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hkfeec32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pkihpi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bmmcnf32.dll" Pmlngdhk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dfegjknm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lgjcdc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Encbem32.dll" Hipmoc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hmnmnedn.dll" Agolpnjl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkjgomho.dll" Abdpngjb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Adcobk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mqgahh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node 17be80e82b771abd08a14b7f77946760N.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bcipdfmd.dll" Dhlapc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nlklik32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qlbphm32.dll" Afeold32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aggkdlod.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cekfdc32.dll" Lghgocek.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kkngmm32.dll" Cghmni32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Imfeip32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pccdqloh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gghloe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oidqcdjh.dll" Klamohhj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mcmkoi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lmpgopjh.dll" Fkmhij32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Majcoepi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Acpjga32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Oedqcdim.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Edicfeme.dll" Gicpnhbb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Iekbmfdc.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1104 wrote to memory of 2980 1104 17be80e82b771abd08a14b7f77946760N.exe 30 PID 1104 wrote to memory of 2980 1104 17be80e82b771abd08a14b7f77946760N.exe 30 PID 1104 wrote to memory of 2980 1104 17be80e82b771abd08a14b7f77946760N.exe 30 PID 1104 wrote to memory of 2980 1104 17be80e82b771abd08a14b7f77946760N.exe 30 PID 2980 wrote to memory of 2852 2980 Hdcdfmqe.exe 31 PID 2980 wrote to memory of 2852 2980 Hdcdfmqe.exe 31 PID 2980 wrote to memory of 2852 2980 Hdcdfmqe.exe 31 PID 2980 wrote to memory of 2852 2980 Hdcdfmqe.exe 31 PID 2852 wrote to memory of 2820 2852 Hipmoc32.exe 32 PID 2852 wrote to memory of 2820 2852 Hipmoc32.exe 32 PID 2852 wrote to memory of 2820 2852 Hipmoc32.exe 32 PID 2852 wrote to memory of 2820 2852 Hipmoc32.exe 32 PID 2820 wrote to memory of 2864 2820 Hdeall32.exe 33 PID 2820 wrote to memory of 2864 2820 Hdeall32.exe 33 PID 2820 wrote to memory of 2864 2820 Hdeall32.exe 33 PID 2820 wrote to memory of 2864 2820 Hdeall32.exe 33 PID 2864 wrote to memory of 2744 2864 Hjoiiffo.exe 34 PID 2864 wrote to memory of 2744 2864 Hjoiiffo.exe 34 PID 2864 wrote to memory of 2744 2864 Hjoiiffo.exe 34 PID 2864 wrote to memory of 2744 2864 Hjoiiffo.exe 34 PID 2744 wrote to memory of 2772 2744 Hpoofm32.exe 35 PID 2744 wrote to memory of 2772 2744 Hpoofm32.exe 35 PID 2744 wrote to memory of 2772 2744 Hpoofm32.exe 35 PID 2744 wrote to memory of 2772 2744 Hpoofm32.exe 35 PID 2772 wrote to memory of 2680 2772 Iencdc32.exe 36 PID 2772 wrote to memory of 2680 2772 Iencdc32.exe 36 PID 2772 wrote to memory of 2680 2772 Iencdc32.exe 36 PID 2772 wrote to memory of 2680 2772 Iencdc32.exe 36 PID 2680 wrote to memory of 1080 2680 Ibadnhmb.exe 37 PID 2680 wrote to memory of 1080 2680 Ibadnhmb.exe 37 PID 2680 wrote to memory of 1080 2680 Ibadnhmb.exe 37 PID 2680 wrote to memory of 1080 2680 Ibadnhmb.exe 37 PID 1080 wrote to memory of 1796 1080 Ioheci32.exe 38 PID 1080 wrote to memory of 1796 1080 Ioheci32.exe 38 PID 1080 wrote to memory of 1796 1080 Ioheci32.exe 38 PID 1080 wrote to memory of 1796 1080 Ioheci32.exe 38 PID 1796 wrote to memory of 2004 1796 Ihqilnig.exe 39 PID 1796 wrote to memory of 2004 1796 Ihqilnig.exe 39 PID 1796 wrote to memory of 2004 1796 Ihqilnig.exe 39 PID 1796 wrote to memory of 2004 1796 Ihqilnig.exe 39 PID 2004 wrote to memory of 3000 2004 Iplnpq32.exe 40 PID 2004 wrote to memory of 3000 2004 Iplnpq32.exe 40 PID 2004 wrote to memory of 3000 2004 Iplnpq32.exe 40 PID 2004 wrote to memory of 3000 2004 Iplnpq32.exe 40 PID 3000 wrote to memory of 616 3000 Igffmkno.exe 41 PID 3000 wrote to memory of 616 3000 Igffmkno.exe 41 PID 3000 wrote to memory of 616 3000 Igffmkno.exe 41 PID 3000 wrote to memory of 616 3000 Igffmkno.exe 41 PID 616 wrote to memory of 1912 616 Jjgonf32.exe 42 PID 616 wrote to memory of 1912 616 Jjgonf32.exe 42 PID 616 wrote to memory of 1912 616 Jjgonf32.exe 42 PID 616 wrote to memory of 1912 616 Jjgonf32.exe 42 PID 1912 wrote to memory of 2472 1912 Jpqgkpcl.exe 43 PID 1912 wrote to memory of 2472 1912 Jpqgkpcl.exe 43 PID 1912 wrote to memory of 2472 1912 Jpqgkpcl.exe 43 PID 1912 wrote to memory of 2472 1912 Jpqgkpcl.exe 43 PID 2472 wrote to memory of 2240 2472 Jempcgad.exe 44 PID 2472 wrote to memory of 2240 2472 Jempcgad.exe 44 PID 2472 wrote to memory of 2240 2472 Jempcgad.exe 44 PID 2472 wrote to memory of 2240 2472 Jempcgad.exe 44 PID 2240 wrote to memory of 696 2240 Jlghpa32.exe 45 PID 2240 wrote to memory of 696 2240 Jlghpa32.exe 45 PID 2240 wrote to memory of 696 2240 Jlghpa32.exe 45 PID 2240 wrote to memory of 696 2240 Jlghpa32.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\17be80e82b771abd08a14b7f77946760N.exe"C:\Users\Admin\AppData\Local\Temp\17be80e82b771abd08a14b7f77946760N.exe"1⤵
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1104 -
C:\Windows\SysWOW64\Hdcdfmqe.exeC:\Windows\system32\Hdcdfmqe.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2980 -
C:\Windows\SysWOW64\Hipmoc32.exeC:\Windows\system32\Hipmoc32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2852 -
C:\Windows\SysWOW64\Hdeall32.exeC:\Windows\system32\Hdeall32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2820 -
C:\Windows\SysWOW64\Hjoiiffo.exeC:\Windows\system32\Hjoiiffo.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2864 -
C:\Windows\SysWOW64\Hpoofm32.exeC:\Windows\system32\Hpoofm32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2744 -
C:\Windows\SysWOW64\Iencdc32.exeC:\Windows\system32\Iencdc32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2772 -
C:\Windows\SysWOW64\Ibadnhmb.exeC:\Windows\system32\Ibadnhmb.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2680 -
C:\Windows\SysWOW64\Ioheci32.exeC:\Windows\system32\Ioheci32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1080 -
C:\Windows\SysWOW64\Ihqilnig.exeC:\Windows\system32\Ihqilnig.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1796 -
C:\Windows\SysWOW64\Iplnpq32.exeC:\Windows\system32\Iplnpq32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2004 -
C:\Windows\SysWOW64\Igffmkno.exeC:\Windows\system32\Igffmkno.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3000 -
C:\Windows\SysWOW64\Jjgonf32.exeC:\Windows\system32\Jjgonf32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:616 -
C:\Windows\SysWOW64\Jpqgkpcl.exeC:\Windows\system32\Jpqgkpcl.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1912 -
C:\Windows\SysWOW64\Jempcgad.exeC:\Windows\system32\Jempcgad.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2472 -
C:\Windows\SysWOW64\Jlghpa32.exeC:\Windows\system32\Jlghpa32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2240 -
C:\Windows\SysWOW64\Jgmlmj32.exeC:\Windows\system32\Jgmlmj32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:696 -
C:\Windows\SysWOW64\Jljeeqfn.exeC:\Windows\system32\Jljeeqfn.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:784 -
C:\Windows\SysWOW64\Jfbinf32.exeC:\Windows\system32\Jfbinf32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1448 -
C:\Windows\SysWOW64\Jkobgm32.exeC:\Windows\system32\Jkobgm32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:928 -
C:\Windows\SysWOW64\Jbijcgbc.exeC:\Windows\system32\Jbijcgbc.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:920 -
C:\Windows\SysWOW64\Klonqpbi.exeC:\Windows\system32\Klonqpbi.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1832 -
C:\Windows\SysWOW64\Kdjceb32.exeC:\Windows\system32\Kdjceb32.exe23⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2112 -
C:\Windows\SysWOW64\Koogbk32.exeC:\Windows\system32\Koogbk32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1932 -
C:\Windows\SysWOW64\Kjihci32.exeC:\Windows\system32\Kjihci32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2304 -
C:\Windows\SysWOW64\Kbppdfmk.exeC:\Windows\system32\Kbppdfmk.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2348 -
C:\Windows\SysWOW64\Kkhdml32.exeC:\Windows\system32\Kkhdml32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1944 -
C:\Windows\SysWOW64\Kmjaddii.exeC:\Windows\system32\Kmjaddii.exe28⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2956 -
C:\Windows\SysWOW64\Kccian32.exeC:\Windows\system32\Kccian32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1904 -
C:\Windows\SysWOW64\Lqgjkbop.exeC:\Windows\system32\Lqgjkbop.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2904 -
C:\Windows\SysWOW64\Ljpnch32.exeC:\Windows\system32\Ljpnch32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:484 -
C:\Windows\SysWOW64\Lqjfpbmm.exeC:\Windows\system32\Lqjfpbmm.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2696 -
C:\Windows\SysWOW64\Lbkchj32.exeC:\Windows\system32\Lbkchj32.exe33⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2268 -
C:\Windows\SysWOW64\Lmqgec32.exeC:\Windows\system32\Lmqgec32.exe34⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:840 -
C:\Windows\SysWOW64\Lkfdfo32.exeC:\Windows\system32\Lkfdfo32.exe35⤵
- Executes dropped EXE
PID:2100 -
C:\Windows\SysWOW64\Lfkhch32.exeC:\Windows\system32\Lfkhch32.exe36⤵
- Executes dropped EXE
PID:2332 -
C:\Windows\SysWOW64\Laeidfdn.exeC:\Windows\system32\Laeidfdn.exe37⤵
- Executes dropped EXE
PID:1472 -
C:\Windows\SysWOW64\Mljnaocd.exeC:\Windows\system32\Mljnaocd.exe38⤵
- Executes dropped EXE
PID:1212 -
C:\Windows\SysWOW64\Magfjebk.exeC:\Windows\system32\Magfjebk.exe39⤵
- Executes dropped EXE
PID:1268 -
C:\Windows\SysWOW64\Majcoepi.exeC:\Windows\system32\Majcoepi.exe40⤵
- Executes dropped EXE
- Modifies registry class
PID:2664 -
C:\Windows\SysWOW64\Mchokq32.exeC:\Windows\system32\Mchokq32.exe41⤵
- Executes dropped EXE
PID:2172 -
C:\Windows\SysWOW64\Malpee32.exeC:\Windows\system32\Malpee32.exe42⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2404 -
C:\Windows\SysWOW64\Mcjlap32.exeC:\Windows\system32\Mcjlap32.exe43⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1640 -
C:\Windows\SysWOW64\Migdig32.exeC:\Windows\system32\Migdig32.exe44⤵
- Executes dropped EXE
PID:2512 -
C:\Windows\SysWOW64\Mdmhfpkg.exeC:\Windows\system32\Mdmhfpkg.exe45⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2424 -
C:\Windows\SysWOW64\Mjgqcj32.exeC:\Windows\system32\Mjgqcj32.exe46⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1460 -
C:\Windows\SysWOW64\Mmemoe32.exeC:\Windows\system32\Mmemoe32.exe47⤵
- Executes dropped EXE
PID:2636 -
C:\Windows\SysWOW64\Nfmahkhh.exeC:\Windows\system32\Nfmahkhh.exe48⤵
- Executes dropped EXE
PID:2344 -
C:\Windows\SysWOW64\Nmgjee32.exeC:\Windows\system32\Nmgjee32.exe49⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2644 -
C:\Windows\SysWOW64\Npffaq32.exeC:\Windows\system32\Npffaq32.exe50⤵
- Executes dropped EXE
PID:1240 -
C:\Windows\SysWOW64\Nfpnnk32.exeC:\Windows\system32\Nfpnnk32.exe51⤵
- Executes dropped EXE
PID:2308 -
C:\Windows\SysWOW64\Nhakecld.exeC:\Windows\system32\Nhakecld.exe52⤵
- Executes dropped EXE
PID:2936 -
C:\Windows\SysWOW64\Naionh32.exeC:\Windows\system32\Naionh32.exe53⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1676 -
C:\Windows\SysWOW64\Nlocka32.exeC:\Windows\system32\Nlocka32.exe54⤵
- Executes dropped EXE
PID:2724 -
C:\Windows\SysWOW64\Nbilhkig.exeC:\Windows\system32\Nbilhkig.exe55⤵
- Executes dropped EXE
PID:1652 -
C:\Windows\SysWOW64\Ndjhpcoe.exeC:\Windows\system32\Ndjhpcoe.exe56⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1176 -
C:\Windows\SysWOW64\Nlapaapg.exeC:\Windows\system32\Nlapaapg.exe57⤵
- Executes dropped EXE
PID:2164 -
C:\Windows\SysWOW64\Nmbmii32.exeC:\Windows\system32\Nmbmii32.exe58⤵
- Executes dropped EXE
PID:2232 -
C:\Windows\SysWOW64\Ndmeecmb.exeC:\Windows\system32\Ndmeecmb.exe59⤵
- Executes dropped EXE
PID:2096 -
C:\Windows\SysWOW64\Okfmbm32.exeC:\Windows\system32\Okfmbm32.exe60⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3056 -
C:\Windows\SysWOW64\Omeini32.exeC:\Windows\system32\Omeini32.exe61⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2248 -
C:\Windows\SysWOW64\Ohjmlaci.exeC:\Windows\system32\Ohjmlaci.exe62⤵
- Executes dropped EXE
PID:1924 -
C:\Windows\SysWOW64\Okijhmcm.exeC:\Windows\system32\Okijhmcm.exe63⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1780 -
C:\Windows\SysWOW64\Opebpdad.exeC:\Windows\system32\Opebpdad.exe64⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1772 -
C:\Windows\SysWOW64\Opjlkc32.exeC:\Windows\system32\Opjlkc32.exe65⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2384 -
C:\Windows\SysWOW64\Oegdcj32.exeC:\Windows\system32\Oegdcj32.exe66⤵PID:340
-
C:\Windows\SysWOW64\Opmhqc32.exeC:\Windows\system32\Opmhqc32.exe67⤵PID:1528
-
C:\Windows\SysWOW64\Panehkaj.exeC:\Windows\system32\Panehkaj.exe68⤵PID:776
-
C:\Windows\SysWOW64\Plcied32.exeC:\Windows\system32\Plcied32.exe69⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2516 -
C:\Windows\SysWOW64\Pcmabnhm.exeC:\Windows\system32\Pcmabnhm.exe70⤵PID:1720
-
C:\Windows\SysWOW64\Phjjkefd.exeC:\Windows\system32\Phjjkefd.exe71⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2944 -
C:\Windows\SysWOW64\Podbgo32.exeC:\Windows\system32\Podbgo32.exe72⤵PID:1948
-
C:\Windows\SysWOW64\Pdajpf32.exeC:\Windows\system32\Pdajpf32.exe73⤵PID:3040
-
C:\Windows\SysWOW64\Pkkblp32.exeC:\Windows\system32\Pkkblp32.exe74⤵PID:652
-
C:\Windows\SysWOW64\Pniohk32.exeC:\Windows\system32\Pniohk32.exe75⤵PID:1076
-
C:\Windows\SysWOW64\Phocfd32.exeC:\Windows\system32\Phocfd32.exe76⤵PID:2692
-
C:\Windows\SysWOW64\Paghojip.exeC:\Windows\system32\Paghojip.exe77⤵PID:2880
-
C:\Windows\SysWOW64\Pjblcl32.exeC:\Windows\system32\Pjblcl32.exe78⤵
- Modifies registry class
PID:3020 -
C:\Windows\SysWOW64\Qmahog32.exeC:\Windows\system32\Qmahog32.exe79⤵PID:2208
-
C:\Windows\SysWOW64\Qfimhmlo.exeC:\Windows\system32\Qfimhmlo.exe80⤵PID:2144
-
C:\Windows\SysWOW64\Qmcedg32.exeC:\Windows\system32\Qmcedg32.exe81⤵
- System Location Discovery: System Language Discovery
PID:1056 -
C:\Windows\SysWOW64\Qgiibp32.exeC:\Windows\system32\Qgiibp32.exe82⤵PID:2220
-
C:\Windows\SysWOW64\Acpjga32.exeC:\Windows\system32\Acpjga32.exe83⤵
- Modifies registry class
PID:2084 -
C:\Windows\SysWOW64\Amhopfof.exeC:\Windows\system32\Amhopfof.exe84⤵
- System Location Discovery: System Language Discovery
PID:2452 -
C:\Windows\SysWOW64\Abeghmmn.exeC:\Windows\system32\Abeghmmn.exe85⤵
- System Location Discovery: System Language Discovery
PID:3068 -
C:\Windows\SysWOW64\Aioodg32.exeC:\Windows\system32\Aioodg32.exe86⤵PID:1272
-
C:\Windows\SysWOW64\Aoihaa32.exeC:\Windows\system32\Aoihaa32.exe87⤵PID:2976
-
C:\Windows\SysWOW64\Agdlfd32.exeC:\Windows\system32\Agdlfd32.exe88⤵PID:2872
-
C:\Windows\SysWOW64\Abiqcm32.exeC:\Windows\system32\Abiqcm32.exe89⤵PID:676
-
C:\Windows\SysWOW64\Akbelbpi.exeC:\Windows\system32\Akbelbpi.exe90⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2868 -
C:\Windows\SysWOW64\Bejiehfi.exeC:\Windows\system32\Bejiehfi.exe91⤵
- System Location Discovery: System Language Discovery
PID:2080 -
C:\Windows\SysWOW64\Bnbnnm32.exeC:\Windows\system32\Bnbnnm32.exe92⤵
- Drops file in System32 directory
PID:2964 -
C:\Windows\SysWOW64\Bgkbfcck.exeC:\Windows\system32\Bgkbfcck.exe93⤵PID:2244
-
C:\Windows\SysWOW64\Bnekcm32.exeC:\Windows\system32\Bnekcm32.exe94⤵
- System Location Discovery: System Language Discovery
PID:2180 -
C:\Windows\SysWOW64\Bcackdio.exeC:\Windows\system32\Bcackdio.exe95⤵PID:1044
-
C:\Windows\SysWOW64\Biolckgf.exeC:\Windows\system32\Biolckgf.exe96⤵PID:2892
-
C:\Windows\SysWOW64\Bphdpe32.exeC:\Windows\system32\Bphdpe32.exe97⤵PID:864
-
C:\Windows\SysWOW64\Bfblmofp.exeC:\Windows\system32\Bfblmofp.exe98⤵
- Modifies registry class
PID:1016 -
C:\Windows\SysWOW64\Bmldji32.exeC:\Windows\system32\Bmldji32.exe99⤵PID:400
-
C:\Windows\SysWOW64\Bfeibo32.exeC:\Windows\system32\Bfeibo32.exe100⤵
- Modifies registry class
PID:1680 -
C:\Windows\SysWOW64\Bmoaoikj.exeC:\Windows\system32\Bmoaoikj.exe101⤵PID:1608
-
C:\Windows\SysWOW64\Cnpnga32.exeC:\Windows\system32\Cnpnga32.exe102⤵PID:2412
-
C:\Windows\SysWOW64\Ciebdj32.exeC:\Windows\system32\Ciebdj32.exe103⤵
- Drops file in System32 directory
PID:1060 -
C:\Windows\SysWOW64\Cobjmq32.exeC:\Windows\system32\Cobjmq32.exe104⤵PID:2940
-
C:\Windows\SysWOW64\Celbik32.exeC:\Windows\system32\Celbik32.exe105⤵PID:1656
-
C:\Windows\SysWOW64\Codgbqmc.exeC:\Windows\system32\Codgbqmc.exe106⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2760 -
C:\Windows\SysWOW64\Ceoooj32.exeC:\Windows\system32\Ceoooj32.exe107⤵
- System Location Discovery: System Language Discovery
PID:1520 -
C:\Windows\SysWOW64\Cmjdcm32.exeC:\Windows\system32\Cmjdcm32.exe108⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1280 -
C:\Windows\SysWOW64\Cealdjcm.exeC:\Windows\system32\Cealdjcm.exe109⤵PID:2204
-
C:\Windows\SysWOW64\Chohqebq.exeC:\Windows\system32\Chohqebq.exe110⤵PID:2564
-
C:\Windows\SysWOW64\Coiqmp32.exeC:\Windows\system32\Coiqmp32.exe111⤵PID:1588
-
C:\Windows\SysWOW64\Dhaefepn.exeC:\Windows\system32\Dhaefepn.exe112⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:2456 -
C:\Windows\SysWOW64\Dmomnlne.exeC:\Windows\system32\Dmomnlne.exe113⤵
- Drops file in System32 directory
PID:3028 -
C:\Windows\SysWOW64\Dgiomabc.exeC:\Windows\system32\Dgiomabc.exe114⤵PID:1776
-
C:\Windows\SysWOW64\Dihkimag.exeC:\Windows\system32\Dihkimag.exe115⤵PID:2008
-
C:\Windows\SysWOW64\Dpaceg32.exeC:\Windows\system32\Dpaceg32.exe116⤵PID:2768
-
C:\Windows\SysWOW64\Dglkba32.exeC:\Windows\system32\Dglkba32.exe117⤵PID:1760
-
C:\Windows\SysWOW64\Dlhdjh32.exeC:\Windows\system32\Dlhdjh32.exe118⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:1616 -
C:\Windows\SysWOW64\Dcblgbfe.exeC:\Windows\system32\Dcblgbfe.exe119⤵PID:2576
-
C:\Windows\SysWOW64\Eioaillo.exeC:\Windows\system32\Eioaillo.exe120⤵PID:2548
-
C:\Windows\SysWOW64\Elmmegkb.exeC:\Windows\system32\Elmmegkb.exe121⤵PID:1748
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-