Analysis
-
max time kernel
37s -
max time network
18s -
platform
windows7_x64 -
resource
win7-20240705-en -
resource tags
arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system -
submitted
08/08/2024, 01:35
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
a433441d1cff54473ed0dd857e6444f3367242dbc55ae3100eb66be2c0704b11.exe
Resource
win7-20240705-en
windows7-x64
8 signatures
150 seconds
Behavioral task
behavioral2
Sample
a433441d1cff54473ed0dd857e6444f3367242dbc55ae3100eb66be2c0704b11.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
7 signatures
150 seconds
General
-
Target
a433441d1cff54473ed0dd857e6444f3367242dbc55ae3100eb66be2c0704b11.exe
-
Size
99KB
-
MD5
b2f7f21e24e1f83131644b7eaf998255
-
SHA1
b4a43819bc89fe6917136b6a077d3149659d13a9
-
SHA256
a433441d1cff54473ed0dd857e6444f3367242dbc55ae3100eb66be2c0704b11
-
SHA512
3efd74f45dc9b9570270e060c6996789d708f426d48bba1b2eb1f55143a43c99f4d4a9996f0730d8f47c05fbc2334ce387e6f35ee8b7af7069ff3de578e75b38
-
SSDEEP
1536:xGfWHhdQ9xinah5psVywQuXz9VYwVbLVFgblQQa3+om13XRzG:xGfE1ajp8mMJVYOrgb3a3+X13XRzG
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Danaqbgp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fdhigo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hnimeg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Agmacgcc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bfpkfb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Glongpao.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bkmcni32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fofhdidp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dnbbjf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dfpcdh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Amdmkb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bbflkcao.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bdehgnqc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cconcjae.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hopgikop.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hcdihn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hmojfcdk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oaiglnih.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ppejmj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fhaibnim.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Flmecm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hkfgnldd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Achlch32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cdgdlnop.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Faedpdcc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bjgmka32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bdehgnqc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Febmfcjj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pbcfie32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Qoopie32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Epmahmcm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Elcbmn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fmnakege.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ojoood32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ojoood32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fholmo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hkfgnldd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hbblpf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hdailaib.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cmjoaofc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eiplecnc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bfnnpbnn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Faljqcmk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gdjblboj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pfhlie32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Apllml32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gpccgppq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gjpakdbl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hdloab32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hgmhcm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cmeffp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ccakij32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ckopch32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eoanij32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hcdihn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dfdqpdja.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Galfpgpg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hnecjgch.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Olokighn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Agchdfmk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hnimeg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cbihpbpl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dnfkefad.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Giikkehc.exe -
Executes dropped EXE 64 IoCs
pid Process 2316 Opqdcgib.exe 2036 Oiiilm32.exe 1568 Olgehh32.exe 2836 Obamebfc.exe 2732 Oepianef.exe 1412 Obdjjb32.exe 2608 Oinbglkm.exe 2780 Ojoood32.exe 3024 Oaiglnih.exe 2944 Olokighn.exe 2920 Onmgeb32.exe 3036 Pegpamoo.exe 2852 Pfhlie32.exe 1052 Ppqqbjkm.exe 2344 Pfjiod32.exe 2188 Piiekp32.exe 1736 Ppcmhj32.exe 1740 Pfmeddag.exe 2496 Pjhaec32.exe 1436 Ppejmj32.exe 2244 Pbcfie32.exe 1168 Pbcfie32.exe 1760 Pebbeq32.exe 2560 Pinnfonh.exe 2172 Pedokpcm.exe 2164 Pipklo32.exe 1572 Qlnghj32.exe 2912 Qibhao32.exe 1912 Qkcdigpa.exe 2064 Qoopie32.exe 2728 Qbkljd32.exe 2784 Akfaof32.exe 2680 Amdmkb32.exe 744 Ahjahk32.exe 2968 Agmacgcc.exe 3008 Agonig32.exe 2988 Akjjifji.exe 2192 Adcobk32.exe 1044 Agakog32.exe 2384 Akmgoehg.exe 400 Achlch32.exe 2400 Agchdfmk.exe 2136 Ajbdpblo.exe 1988 Apllml32.exe 1648 Bgfdjfkh.exe 1724 Bfieec32.exe 916 Blcmbmip.exe 992 Bpnibl32.exe 2176 Bcmeogam.exe 988 Bfkakbpp.exe 2464 Bjgmka32.exe 2880 Blejgm32.exe 2616 Bkhjcing.exe 2768 Bocfch32.exe 2628 Bfnnpbnn.exe 2080 Bdpnlo32.exe 2224 Blgfml32.exe 3004 Bofbih32.exe 2960 Bbdoec32.exe 2580 Bfpkfb32.exe 2432 Bhngbm32.exe 1956 Bkmcni32.exe 2144 Bnkpjd32.exe 980 Bbflkcao.exe -
Loads dropped DLL 64 IoCs
pid Process 2504 a433441d1cff54473ed0dd857e6444f3367242dbc55ae3100eb66be2c0704b11.exe 2504 a433441d1cff54473ed0dd857e6444f3367242dbc55ae3100eb66be2c0704b11.exe 2316 Opqdcgib.exe 2316 Opqdcgib.exe 2036 Oiiilm32.exe 2036 Oiiilm32.exe 1568 Olgehh32.exe 1568 Olgehh32.exe 2836 Obamebfc.exe 2836 Obamebfc.exe 2732 Oepianef.exe 2732 Oepianef.exe 1412 Obdjjb32.exe 1412 Obdjjb32.exe 2608 Oinbglkm.exe 2608 Oinbglkm.exe 2780 Ojoood32.exe 2780 Ojoood32.exe 3024 Oaiglnih.exe 3024 Oaiglnih.exe 2944 Olokighn.exe 2944 Olokighn.exe 2920 Onmgeb32.exe 2920 Onmgeb32.exe 3036 Pegpamoo.exe 3036 Pegpamoo.exe 2852 Pfhlie32.exe 2852 Pfhlie32.exe 1052 Ppqqbjkm.exe 1052 Ppqqbjkm.exe 2344 Pfjiod32.exe 2344 Pfjiod32.exe 2188 Piiekp32.exe 2188 Piiekp32.exe 1736 Ppcmhj32.exe 1736 Ppcmhj32.exe 1740 Pfmeddag.exe 1740 Pfmeddag.exe 2496 Pjhaec32.exe 2496 Pjhaec32.exe 1436 Ppejmj32.exe 1436 Ppejmj32.exe 2244 Pbcfie32.exe 2244 Pbcfie32.exe 1168 Pbcfie32.exe 1168 Pbcfie32.exe 1760 Pebbeq32.exe 1760 Pebbeq32.exe 2560 Pinnfonh.exe 2560 Pinnfonh.exe 2172 Pedokpcm.exe 2172 Pedokpcm.exe 2164 Pipklo32.exe 2164 Pipklo32.exe 1572 Qlnghj32.exe 1572 Qlnghj32.exe 2912 Qibhao32.exe 2912 Qibhao32.exe 1912 Qkcdigpa.exe 1912 Qkcdigpa.exe 2064 Qoopie32.exe 2064 Qoopie32.exe 2728 Qbkljd32.exe 2728 Qbkljd32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Oncaei32.dll Pbcfie32.exe File created C:\Windows\SysWOW64\Lnolpa32.dll Ajbdpblo.exe File created C:\Windows\SysWOW64\Bdieho32.dll Ccakij32.exe File created C:\Windows\SysWOW64\Napdqm32.dll Epakcm32.exe File created C:\Windows\SysWOW64\Mbmffd32.dll Faljqcmk.exe File created C:\Windows\SysWOW64\Blcmbmip.exe Bfieec32.exe File created C:\Windows\SysWOW64\Phpjbcci.dll Ckopch32.exe File created C:\Windows\SysWOW64\Fkkdedfm.dll Foidii32.exe File created C:\Windows\SysWOW64\Opdnaj32.dll Gllabp32.exe File opened for modification C:\Windows\SysWOW64\Piiekp32.exe Pfjiod32.exe File created C:\Windows\SysWOW64\Fhfbmn32.exe Fpojlp32.exe File created C:\Windows\SysWOW64\Gofhgafa.dll Gohqhl32.exe File created C:\Windows\SysWOW64\Ccbpjqqq.dll Gokmnlcf.exe File created C:\Windows\SysWOW64\Hcfenn32.exe Hdcebagp.exe File created C:\Windows\SysWOW64\Pbcfie32.exe Pbcfie32.exe File opened for modification C:\Windows\SysWOW64\Bfieec32.exe Bgfdjfkh.exe File opened for modification C:\Windows\SysWOW64\Gkancm32.exe Glongpao.exe File opened for modification C:\Windows\SysWOW64\Hdloab32.exe Hancef32.exe File created C:\Windows\SysWOW64\Mkljhe32.dll Dhmchljg.exe File created C:\Windows\SysWOW64\Fillabde.exe Faedpdcc.exe File created C:\Windows\SysWOW64\Hmeanaca.dll Fkpeojha.exe File created C:\Windows\SysWOW64\Lekjbf32.dll Ginefe32.exe File created C:\Windows\SysWOW64\Ajbdpblo.exe Agchdfmk.exe File opened for modification C:\Windows\SysWOW64\Cghmni32.exe Cqneaodd.exe File created C:\Windows\SysWOW64\Agffkn32.dll Ebpgoh32.exe File created C:\Windows\SysWOW64\Fholmo32.exe Fillabde.exe File created C:\Windows\SysWOW64\Ngnlaehe.dll Fdhigo32.exe File opened for modification C:\Windows\SysWOW64\Glongpao.exe Gjpakdbl.exe File created C:\Windows\SysWOW64\Egkfbg32.dll Glongpao.exe File created C:\Windows\SysWOW64\Cfimppip.dll Galfpgpg.exe File created C:\Windows\SysWOW64\Laodbj32.dll Hnbgdh32.exe File created C:\Windows\SysWOW64\Hbblpf32.exe Hngppgae.exe File opened for modification C:\Windows\SysWOW64\Pfjiod32.exe Ppqqbjkm.exe File opened for modification C:\Windows\SysWOW64\Cmjoaofc.exe Cincaq32.exe File created C:\Windows\SysWOW64\Eelfedpa.exe Efifjg32.exe File created C:\Windows\SysWOW64\Fofhdidp.exe Flhkhnel.exe File created C:\Windows\SysWOW64\Fagqed32.exe Foidii32.exe File created C:\Windows\SysWOW64\Jkocglhl.dll Ggphji32.exe File opened for modification C:\Windows\SysWOW64\Ifgooikk.exe Hchbcmlh.exe File created C:\Windows\SysWOW64\Pkicij32.dll Piiekp32.exe File opened for modification C:\Windows\SysWOW64\Bhngbm32.exe Bfpkfb32.exe File opened for modification C:\Windows\SysWOW64\Cbihpbpl.exe Ckopch32.exe File created C:\Windows\SysWOW64\Dnbbjf32.exe Djffihmp.exe File opened for modification C:\Windows\SysWOW64\Dgjfbllj.exe Dapnfb32.exe File created C:\Windows\SysWOW64\Gpagbp32.exe Fkdoii32.exe File created C:\Windows\SysWOW64\Hdcebagp.exe Hmlmacfn.exe File opened for modification C:\Windows\SysWOW64\Qkcdigpa.exe Qibhao32.exe File created C:\Windows\SysWOW64\Cohlnkeg.exe Cmjoaofc.exe File created C:\Windows\SysWOW64\Dgemgm32.exe Dfdqpdja.exe File opened for modification C:\Windows\SysWOW64\Faljqcmk.exe Fomndhng.exe File created C:\Windows\SysWOW64\Gpoghg32.dll Gljdlq32.exe File created C:\Windows\SysWOW64\Hjpnjheg.exe Hgbanlfc.exe File opened for modification C:\Windows\SysWOW64\Bjgmka32.exe Bfkakbpp.exe File opened for modification C:\Windows\SysWOW64\Bkhjcing.exe Blejgm32.exe File opened for modification C:\Windows\SysWOW64\Cnpieceq.exe Cjdmee32.exe File created C:\Windows\SysWOW64\Ifabli32.dll Cmjoaofc.exe File created C:\Windows\SysWOW64\Pinnfonh.exe Pebbeq32.exe File opened for modification C:\Windows\SysWOW64\Bkmcni32.exe Bhngbm32.exe File opened for modification C:\Windows\SysWOW64\Dbmnjenb.exe Dnbbjf32.exe File created C:\Windows\SysWOW64\Kgggld32.dll a433441d1cff54473ed0dd857e6444f3367242dbc55ae3100eb66be2c0704b11.exe File created C:\Windows\SysWOW64\Jhckimed.dll Amdmkb32.exe File created C:\Windows\SysWOW64\Bbekbnge.dll Bhngbm32.exe File created C:\Windows\SysWOW64\Aobinedj.dll Ehopnk32.exe File created C:\Windows\SysWOW64\Ebpgoh32.exe Epakcm32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 3584 3548 WerFault.exe 240 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hobcok32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cnpieceq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Flhkhnel.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gngdadoj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ggphji32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Apllml32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bbflkcao.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dnfkefad.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Olgehh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Akfaof32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eeijpdbd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hgpeimhf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hnimeg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cgfqii32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cfpgee32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gcifdj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hancef32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bfpkfb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eoanij32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Flmecm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gaiijgbi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Obdjjb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ahjahk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bfkakbpp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hjkdoh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bjgmka32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cmgblphf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Agonig32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Blejgm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cilfka32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oiiilm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gcocnk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Febmfcjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hqjfgb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Edhmhl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fdhigo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hcfenn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qkcdigpa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cdgdlnop.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dbkaee32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Agmacgcc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ggkoojip.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gdjblboj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bcmeogam.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Djffihmp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ebhani32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hnbgdh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fkdoii32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hdcebagp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bdehgnqc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cincaq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dfpcdh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fhlogo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hdailaib.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pjhaec32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dapnfb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Foidii32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hhjhgpcn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bocfch32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pfmeddag.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cmeffp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Faedpdcc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Feeilbhg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ehjbaooe.exe -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Akfaof32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fanhpabf.dll" Dnbbjf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Epakcm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Gohqhl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Gljdlq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Oinbglkm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bfieec32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Blgfml32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bbflkcao.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Koocqj32.dll" Fomndhng.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfffhk32.dll" Fpojlp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hbblpf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bcmeogam.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aojbpoih.dll" Bnkpjd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Cqneaodd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdgdja32.dll" Flmecm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fmdapnnp.dll" Hnimeg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Akjjifji.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dapnfb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dfpcdh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kgeahmik.dll" Gngdadoj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnahndjj.dll" Dndoof32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hqcpfcbl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Benqjobn.dll" Ahjahk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lhgglopo.dll" Bfnnpbnn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ejfagnkj.dll" Cfpgee32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cmjoaofc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pbacpl32.dll" Cincaq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dfdqpdja.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Adcobk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Fhaibnim.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gcnnoo32.dll" Qkcdigpa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Akfaof32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhckimed.dll" Amdmkb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Akjjifji.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Gjpakdbl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hadpaf32.dll" Pbcfie32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bhngbm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dhmchljg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Coccggfi.dll" Fillabde.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ebkndibq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Epakcm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Gdophn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Gcifdj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pfjiod32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Akmgoehg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mfeiad32.dll" Cilfka32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dnbbjf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hjkdoh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hcdihn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aebpnp32.dll" Cocbbk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Gdjblboj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hkfgnldd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ifgooikk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Cgfqii32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fgffck32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ggkoojip.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Gngdadoj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hgmhcm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pedokpcm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cmmfab32.dll" Cbihpbpl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Geplpfnh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hopgikop.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bdpnlo32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2504 wrote to memory of 2316 2504 a433441d1cff54473ed0dd857e6444f3367242dbc55ae3100eb66be2c0704b11.exe 29 PID 2504 wrote to memory of 2316 2504 a433441d1cff54473ed0dd857e6444f3367242dbc55ae3100eb66be2c0704b11.exe 29 PID 2504 wrote to memory of 2316 2504 a433441d1cff54473ed0dd857e6444f3367242dbc55ae3100eb66be2c0704b11.exe 29 PID 2504 wrote to memory of 2316 2504 a433441d1cff54473ed0dd857e6444f3367242dbc55ae3100eb66be2c0704b11.exe 29 PID 2316 wrote to memory of 2036 2316 Opqdcgib.exe 30 PID 2316 wrote to memory of 2036 2316 Opqdcgib.exe 30 PID 2316 wrote to memory of 2036 2316 Opqdcgib.exe 30 PID 2316 wrote to memory of 2036 2316 Opqdcgib.exe 30 PID 2036 wrote to memory of 1568 2036 Oiiilm32.exe 31 PID 2036 wrote to memory of 1568 2036 Oiiilm32.exe 31 PID 2036 wrote to memory of 1568 2036 Oiiilm32.exe 31 PID 2036 wrote to memory of 1568 2036 Oiiilm32.exe 31 PID 1568 wrote to memory of 2836 1568 Olgehh32.exe 32 PID 1568 wrote to memory of 2836 1568 Olgehh32.exe 32 PID 1568 wrote to memory of 2836 1568 Olgehh32.exe 32 PID 1568 wrote to memory of 2836 1568 Olgehh32.exe 32 PID 2836 wrote to memory of 2732 2836 Obamebfc.exe 33 PID 2836 wrote to memory of 2732 2836 Obamebfc.exe 33 PID 2836 wrote to memory of 2732 2836 Obamebfc.exe 33 PID 2836 wrote to memory of 2732 2836 Obamebfc.exe 33 PID 2732 wrote to memory of 1412 2732 Oepianef.exe 34 PID 2732 wrote to memory of 1412 2732 Oepianef.exe 34 PID 2732 wrote to memory of 1412 2732 Oepianef.exe 34 PID 2732 wrote to memory of 1412 2732 Oepianef.exe 34 PID 1412 wrote to memory of 2608 1412 Obdjjb32.exe 35 PID 1412 wrote to memory of 2608 1412 Obdjjb32.exe 35 PID 1412 wrote to memory of 2608 1412 Obdjjb32.exe 35 PID 1412 wrote to memory of 2608 1412 Obdjjb32.exe 35 PID 2608 wrote to memory of 2780 2608 Oinbglkm.exe 36 PID 2608 wrote to memory of 2780 2608 Oinbglkm.exe 36 PID 2608 wrote to memory of 2780 2608 Oinbglkm.exe 36 PID 2608 wrote to memory of 2780 2608 Oinbglkm.exe 36 PID 2780 wrote to memory of 3024 2780 Ojoood32.exe 37 PID 2780 wrote to memory of 3024 2780 Ojoood32.exe 37 PID 2780 wrote to memory of 3024 2780 Ojoood32.exe 37 PID 2780 wrote to memory of 3024 2780 Ojoood32.exe 37 PID 3024 wrote to memory of 2944 3024 Oaiglnih.exe 38 PID 3024 wrote to memory of 2944 3024 Oaiglnih.exe 38 PID 3024 wrote to memory of 2944 3024 Oaiglnih.exe 38 PID 3024 wrote to memory of 2944 3024 Oaiglnih.exe 38 PID 2944 wrote to memory of 2920 2944 Olokighn.exe 39 PID 2944 wrote to memory of 2920 2944 Olokighn.exe 39 PID 2944 wrote to memory of 2920 2944 Olokighn.exe 39 PID 2944 wrote to memory of 2920 2944 Olokighn.exe 39 PID 2920 wrote to memory of 3036 2920 Onmgeb32.exe 40 PID 2920 wrote to memory of 3036 2920 Onmgeb32.exe 40 PID 2920 wrote to memory of 3036 2920 Onmgeb32.exe 40 PID 2920 wrote to memory of 3036 2920 Onmgeb32.exe 40 PID 3036 wrote to memory of 2852 3036 Pegpamoo.exe 41 PID 3036 wrote to memory of 2852 3036 Pegpamoo.exe 41 PID 3036 wrote to memory of 2852 3036 Pegpamoo.exe 41 PID 3036 wrote to memory of 2852 3036 Pegpamoo.exe 41 PID 2852 wrote to memory of 1052 2852 Pfhlie32.exe 42 PID 2852 wrote to memory of 1052 2852 Pfhlie32.exe 42 PID 2852 wrote to memory of 1052 2852 Pfhlie32.exe 42 PID 2852 wrote to memory of 1052 2852 Pfhlie32.exe 42 PID 1052 wrote to memory of 2344 1052 Ppqqbjkm.exe 43 PID 1052 wrote to memory of 2344 1052 Ppqqbjkm.exe 43 PID 1052 wrote to memory of 2344 1052 Ppqqbjkm.exe 43 PID 1052 wrote to memory of 2344 1052 Ppqqbjkm.exe 43 PID 2344 wrote to memory of 2188 2344 Pfjiod32.exe 44 PID 2344 wrote to memory of 2188 2344 Pfjiod32.exe 44 PID 2344 wrote to memory of 2188 2344 Pfjiod32.exe 44 PID 2344 wrote to memory of 2188 2344 Pfjiod32.exe 44
Processes
-
C:\Users\Admin\AppData\Local\Temp\a433441d1cff54473ed0dd857e6444f3367242dbc55ae3100eb66be2c0704b11.exe"C:\Users\Admin\AppData\Local\Temp\a433441d1cff54473ed0dd857e6444f3367242dbc55ae3100eb66be2c0704b11.exe"1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2504 -
C:\Windows\SysWOW64\Opqdcgib.exeC:\Windows\system32\Opqdcgib.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2316 -
C:\Windows\SysWOW64\Oiiilm32.exeC:\Windows\system32\Oiiilm32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2036 -
C:\Windows\SysWOW64\Olgehh32.exeC:\Windows\system32\Olgehh32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1568 -
C:\Windows\SysWOW64\Obamebfc.exeC:\Windows\system32\Obamebfc.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2836 -
C:\Windows\SysWOW64\Oepianef.exeC:\Windows\system32\Oepianef.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2732 -
C:\Windows\SysWOW64\Obdjjb32.exeC:\Windows\system32\Obdjjb32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1412 -
C:\Windows\SysWOW64\Oinbglkm.exeC:\Windows\system32\Oinbglkm.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2608 -
C:\Windows\SysWOW64\Ojoood32.exeC:\Windows\system32\Ojoood32.exe9⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2780 -
C:\Windows\SysWOW64\Oaiglnih.exeC:\Windows\system32\Oaiglnih.exe10⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3024 -
C:\Windows\SysWOW64\Olokighn.exeC:\Windows\system32\Olokighn.exe11⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2944 -
C:\Windows\SysWOW64\Onmgeb32.exeC:\Windows\system32\Onmgeb32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2920 -
C:\Windows\SysWOW64\Pegpamoo.exeC:\Windows\system32\Pegpamoo.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3036 -
C:\Windows\SysWOW64\Pfhlie32.exeC:\Windows\system32\Pfhlie32.exe14⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2852 -
C:\Windows\SysWOW64\Ppqqbjkm.exeC:\Windows\system32\Ppqqbjkm.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1052 -
C:\Windows\SysWOW64\Pfjiod32.exeC:\Windows\system32\Pfjiod32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2344 -
C:\Windows\SysWOW64\Piiekp32.exeC:\Windows\system32\Piiekp32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2188 -
C:\Windows\SysWOW64\Ppcmhj32.exeC:\Windows\system32\Ppcmhj32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1736 -
C:\Windows\SysWOW64\Pfmeddag.exeC:\Windows\system32\Pfmeddag.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1740 -
C:\Windows\SysWOW64\Pjhaec32.exeC:\Windows\system32\Pjhaec32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2496 -
C:\Windows\SysWOW64\Ppejmj32.exeC:\Windows\system32\Ppejmj32.exe21⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1436 -
C:\Windows\SysWOW64\Pbcfie32.exeC:\Windows\system32\Pbcfie32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2244 -
C:\Windows\SysWOW64\Pbcfie32.exeC:\Windows\system32\Pbcfie32.exe23⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1168 -
C:\Windows\SysWOW64\Pebbeq32.exeC:\Windows\system32\Pebbeq32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1760 -
C:\Windows\SysWOW64\Pinnfonh.exeC:\Windows\system32\Pinnfonh.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2560 -
C:\Windows\SysWOW64\Pedokpcm.exeC:\Windows\system32\Pedokpcm.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2172 -
C:\Windows\SysWOW64\Pipklo32.exeC:\Windows\system32\Pipklo32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2164 -
C:\Windows\SysWOW64\Qlnghj32.exeC:\Windows\system32\Qlnghj32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1572 -
C:\Windows\SysWOW64\Qibhao32.exeC:\Windows\system32\Qibhao32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2912 -
C:\Windows\SysWOW64\Qkcdigpa.exeC:\Windows\system32\Qkcdigpa.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1912 -
C:\Windows\SysWOW64\Qoopie32.exeC:\Windows\system32\Qoopie32.exe31⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2064 -
C:\Windows\SysWOW64\Qbkljd32.exeC:\Windows\system32\Qbkljd32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2728 -
C:\Windows\SysWOW64\Akfaof32.exeC:\Windows\system32\Akfaof32.exe33⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2784 -
C:\Windows\SysWOW64\Amdmkb32.exeC:\Windows\system32\Amdmkb32.exe34⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2680 -
C:\Windows\SysWOW64\Ahjahk32.exeC:\Windows\system32\Ahjahk32.exe35⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:744 -
C:\Windows\SysWOW64\Agmacgcc.exeC:\Windows\system32\Agmacgcc.exe36⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2968 -
C:\Windows\SysWOW64\Agonig32.exeC:\Windows\system32\Agonig32.exe37⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3008 -
C:\Windows\SysWOW64\Akjjifji.exeC:\Windows\system32\Akjjifji.exe38⤵
- Executes dropped EXE
- Modifies registry class
PID:2988 -
C:\Windows\SysWOW64\Adcobk32.exeC:\Windows\system32\Adcobk32.exe39⤵
- Executes dropped EXE
- Modifies registry class
PID:2192 -
C:\Windows\SysWOW64\Agakog32.exeC:\Windows\system32\Agakog32.exe40⤵
- Executes dropped EXE
PID:1044 -
C:\Windows\SysWOW64\Akmgoehg.exeC:\Windows\system32\Akmgoehg.exe41⤵
- Executes dropped EXE
- Modifies registry class
PID:2384 -
C:\Windows\SysWOW64\Achlch32.exeC:\Windows\system32\Achlch32.exe42⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:400 -
C:\Windows\SysWOW64\Agchdfmk.exeC:\Windows\system32\Agchdfmk.exe43⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2400 -
C:\Windows\SysWOW64\Ajbdpblo.exeC:\Windows\system32\Ajbdpblo.exe44⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2136 -
C:\Windows\SysWOW64\Apllml32.exeC:\Windows\system32\Apllml32.exe45⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1988 -
C:\Windows\SysWOW64\Bgfdjfkh.exeC:\Windows\system32\Bgfdjfkh.exe46⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1648 -
C:\Windows\SysWOW64\Bfieec32.exeC:\Windows\system32\Bfieec32.exe47⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1724 -
C:\Windows\SysWOW64\Blcmbmip.exeC:\Windows\system32\Blcmbmip.exe48⤵
- Executes dropped EXE
PID:916 -
C:\Windows\SysWOW64\Bpnibl32.exeC:\Windows\system32\Bpnibl32.exe49⤵
- Executes dropped EXE
PID:992 -
C:\Windows\SysWOW64\Bcmeogam.exeC:\Windows\system32\Bcmeogam.exe50⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2176 -
C:\Windows\SysWOW64\Bfkakbpp.exeC:\Windows\system32\Bfkakbpp.exe51⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:988 -
C:\Windows\SysWOW64\Bjgmka32.exeC:\Windows\system32\Bjgmka32.exe52⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2464 -
C:\Windows\SysWOW64\Blejgm32.exeC:\Windows\system32\Blejgm32.exe53⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2880 -
C:\Windows\SysWOW64\Bkhjcing.exeC:\Windows\system32\Bkhjcing.exe54⤵
- Executes dropped EXE
PID:2616 -
C:\Windows\SysWOW64\Bocfch32.exeC:\Windows\system32\Bocfch32.exe55⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2768 -
C:\Windows\SysWOW64\Bfnnpbnn.exeC:\Windows\system32\Bfnnpbnn.exe56⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:2628 -
C:\Windows\SysWOW64\Bdpnlo32.exeC:\Windows\system32\Bdpnlo32.exe57⤵
- Executes dropped EXE
- Modifies registry class
PID:2080 -
C:\Windows\SysWOW64\Blgfml32.exeC:\Windows\system32\Blgfml32.exe58⤵
- Executes dropped EXE
- Modifies registry class
PID:2224 -
C:\Windows\SysWOW64\Bofbih32.exeC:\Windows\system32\Bofbih32.exe59⤵
- Executes dropped EXE
PID:3004 -
C:\Windows\SysWOW64\Bbdoec32.exeC:\Windows\system32\Bbdoec32.exe60⤵
- Executes dropped EXE
PID:2960 -
C:\Windows\SysWOW64\Bfpkfb32.exeC:\Windows\system32\Bfpkfb32.exe61⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2580 -
C:\Windows\SysWOW64\Bhngbm32.exeC:\Windows\system32\Bhngbm32.exe62⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2432 -
C:\Windows\SysWOW64\Bkmcni32.exeC:\Windows\system32\Bkmcni32.exe63⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1956 -
C:\Windows\SysWOW64\Bnkpjd32.exeC:\Windows\system32\Bnkpjd32.exe64⤵
- Executes dropped EXE
- Modifies registry class
PID:2144 -
C:\Windows\SysWOW64\Bbflkcao.exeC:\Windows\system32\Bbflkcao.exe65⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:980 -
C:\Windows\SysWOW64\Bdehgnqc.exeC:\Windows\system32\Bdehgnqc.exe66⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2524 -
C:\Windows\SysWOW64\Bdehgnqc.exeC:\Windows\system32\Bdehgnqc.exe67⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:2284 -
C:\Windows\SysWOW64\Bgcdcjpf.exeC:\Windows\system32\Bgcdcjpf.exe68⤵PID:1476
-
C:\Windows\SysWOW64\Ckopch32.exeC:\Windows\system32\Ckopch32.exe69⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:1940 -
C:\Windows\SysWOW64\Cbihpbpl.exeC:\Windows\system32\Cbihpbpl.exe70⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2440 -
C:\Windows\SysWOW64\Cdgdlnop.exeC:\Windows\system32\Cdgdlnop.exe71⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:2516 -
C:\Windows\SysWOW64\Cgfqii32.exeC:\Windows\system32\Cgfqii32.exe72⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2808 -
C:\Windows\SysWOW64\Cjdmee32.exeC:\Windows\system32\Cjdmee32.exe73⤵
- Drops file in System32 directory
PID:2208 -
C:\Windows\SysWOW64\Cnpieceq.exeC:\Windows\system32\Cnpieceq.exe74⤵
- System Location Discovery: System Language Discovery
PID:2820 -
C:\Windows\SysWOW64\Cqneaodd.exeC:\Windows\system32\Cqneaodd.exe75⤵
- Drops file in System32 directory
- Modifies registry class
PID:2724 -
C:\Windows\SysWOW64\Cghmni32.exeC:\Windows\system32\Cghmni32.exe76⤵PID:1620
-
C:\Windows\SysWOW64\Cjfjjd32.exeC:\Windows\system32\Cjfjjd32.exe77⤵PID:2132
-
C:\Windows\SysWOW64\Cmeffp32.exeC:\Windows\system32\Cmeffp32.exe78⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:1672 -
C:\Windows\SysWOW64\Cqqbgoba.exeC:\Windows\system32\Cqqbgoba.exe79⤵PID:2348
-
C:\Windows\SysWOW64\Cocbbk32.exeC:\Windows\system32\Cocbbk32.exe80⤵
- Modifies registry class
PID:2536 -
C:\Windows\SysWOW64\Cconcjae.exeC:\Windows\system32\Cconcjae.exe81⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2264 -
C:\Windows\SysWOW64\Cilfka32.exeC:\Windows\system32\Cilfka32.exe82⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2128 -
C:\Windows\SysWOW64\Cmgblphf.exeC:\Windows\system32\Cmgblphf.exe83⤵
- System Location Discovery: System Language Discovery
PID:1124 -
C:\Windows\SysWOW64\Ccakij32.exeC:\Windows\system32\Ccakij32.exe84⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2092 -
C:\Windows\SysWOW64\Cfpgee32.exeC:\Windows\system32\Cfpgee32.exe85⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:756 -
C:\Windows\SysWOW64\Cincaq32.exeC:\Windows\system32\Cincaq32.exe86⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2428 -
C:\Windows\SysWOW64\Cmjoaofc.exeC:\Windows\system32\Cmjoaofc.exe87⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:2868 -
C:\Windows\SysWOW64\Cohlnkeg.exeC:\Windows\system32\Cohlnkeg.exe88⤵PID:2648
-
C:\Windows\SysWOW64\Cccgni32.exeC:\Windows\system32\Cccgni32.exe89⤵PID:2736
-
C:\Windows\SysWOW64\Dfbdje32.exeC:\Windows\system32\Dfbdje32.exe90⤵PID:1984
-
C:\Windows\SysWOW64\Dippfplg.exeC:\Windows\system32\Dippfplg.exe91⤵PID:2972
-
C:\Windows\SysWOW64\Dkolblkk.exeC:\Windows\system32\Dkolblkk.exe92⤵PID:2704
-
C:\Windows\SysWOW64\Dbidof32.exeC:\Windows\system32\Dbidof32.exe93⤵PID:1316
-
C:\Windows\SysWOW64\Dfdqpdja.exeC:\Windows\system32\Dfdqpdja.exe94⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:1128 -
C:\Windows\SysWOW64\Dgemgm32.exeC:\Windows\system32\Dgemgm32.exe95⤵PID:2088
-
C:\Windows\SysWOW64\Dpmeij32.exeC:\Windows\system32\Dpmeij32.exe96⤵PID:2056
-
C:\Windows\SysWOW64\Dbkaee32.exeC:\Windows\system32\Dbkaee32.exe97⤵
- System Location Discovery: System Language Discovery
PID:1136 -
C:\Windows\SysWOW64\Danaqbgp.exeC:\Windows\system32\Danaqbgp.exe98⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1480 -
C:\Windows\SysWOW64\Dghjmlnm.exeC:\Windows\system32\Dghjmlnm.exe99⤵PID:1324
-
C:\Windows\SysWOW64\Djffihmp.exeC:\Windows\system32\Djffihmp.exe100⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2552 -
C:\Windows\SysWOW64\Dnbbjf32.exeC:\Windows\system32\Dnbbjf32.exe101⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:2760 -
C:\Windows\SysWOW64\Dbmnjenb.exeC:\Windows\system32\Dbmnjenb.exe102⤵PID:1808
-
C:\Windows\SysWOW64\Dapnfb32.exeC:\Windows\system32\Dapnfb32.exe103⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2872 -
C:\Windows\SysWOW64\Dgjfbllj.exeC:\Windows\system32\Dgjfbllj.exe104⤵PID:2476
-
C:\Windows\SysWOW64\Djibogkn.exeC:\Windows\system32\Djibogkn.exe105⤵PID:3048
-
C:\Windows\SysWOW64\Dndoof32.exeC:\Windows\system32\Dndoof32.exe106⤵
- Modifies registry class
PID:1776 -
C:\Windows\SysWOW64\Dabkla32.exeC:\Windows\system32\Dabkla32.exe107⤵PID:824
-
C:\Windows\SysWOW64\Dhmchljg.exeC:\Windows\system32\Dhmchljg.exe108⤵
- Drops file in System32 directory
- Modifies registry class
PID:1212 -
C:\Windows\SysWOW64\Dfpcdh32.exeC:\Windows\system32\Dfpcdh32.exe109⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1528 -
C:\Windows\SysWOW64\Dnfkefad.exeC:\Windows\system32\Dnfkefad.exe110⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:2252 -
C:\Windows\SysWOW64\Eaegaaah.exeC:\Windows\system32\Eaegaaah.exe111⤵PID:1176
-
C:\Windows\SysWOW64\Eccdmmpk.exeC:\Windows\system32\Eccdmmpk.exe112⤵PID:1372
-
C:\Windows\SysWOW64\Ehopnk32.exeC:\Windows\system32\Ehopnk32.exe113⤵
- Drops file in System32 directory
PID:2148 -
C:\Windows\SysWOW64\Eiplecnc.exeC:\Windows\system32\Eiplecnc.exe114⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2860 -
C:\Windows\SysWOW64\Emlhfb32.exeC:\Windows\system32\Emlhfb32.exe115⤵PID:1008
-
C:\Windows\SysWOW64\Edfqclni.exeC:\Windows\system32\Edfqclni.exe116⤵PID:2952
-
C:\Windows\SysWOW64\Ebhani32.exeC:\Windows\system32\Ebhani32.exe117⤵
- System Location Discovery: System Language Discovery
PID:3052 -
C:\Windows\SysWOW64\Ejpipf32.exeC:\Windows\system32\Ejpipf32.exe118⤵PID:2320
-
C:\Windows\SysWOW64\Eibikc32.exeC:\Windows\system32\Eibikc32.exe119⤵PID:1540
-
C:\Windows\SysWOW64\Epmahmcm.exeC:\Windows\system32\Epmahmcm.exe120⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2412 -
C:\Windows\SysWOW64\Edhmhl32.exeC:\Windows\system32\Edhmhl32.exe121⤵
- System Location Discovery: System Language Discovery
PID:1636
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-