Analysis

max time kernel: 66s
max time network: 20s
platform: windows7_x64
resource: win7-20240704-en
resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
submitted: 17/08/2024, 22:21

Static task: static1

Behavioral task: behavioral1
Sample: 6033c06338a9439506b12de59d71d130N.exe
Resource: win7-20240704-en

Behavioral task: behavioral2
Sample: 6033c06338a9439506b12de59d71d130N.exe
Resource: win10v2004-20240802-en

General

Target: 6033c06338a9439506b12de59d71d130N.exe
Size: 96KB
MD5: 6033c06338a9439506b12de59d71d130
SHA1: 0d5fa905b0ede5b4d1379b4d421e787f8f6c307a
SHA256: 55de8314d96ecce194788f74eca4c6ca6511ca0b143b36b2ba829451426863e5
SHA512: 2b7734d3f585f46899497a8c1c0f240d601ea36cacc4336ac0192b1ce10f946c45d80ceee1052a516f103b99b641dbecb57b22c39e3f37b1ff6e465a4e8777b0
SSDEEP: 1536:TV7BP14i++qYC7dqX/0Amc4GKOaj59TnPPAPEddXE2QTR57UqdLoXRXWduV9jojS:z+i+kCsX/d4Gl2MUkLoXZWd69jc0v
Malware Config

Signatures
Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
Executes dropped EXE (64 IoCs)
Loads dropped DLL (64 IoCs)
Drops file in System32 directory (64 IoCs)
Program crash (1 IoC)
pid: 4404, pid_target: 4304, Process: WerFault.exe
System Location Discovery: System Language Discovery (1 TTP, 64 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Modifies registry class (64 IoCs)
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target
PID 900 wrote to memory of 3056 900 6033c06338a9439506b12de59d71d130N.exe 29
PID 900 wrote to memory of 3056 900 6033c06338a9439506b12de59d71d130N.exe 29
PID 900 wrote to memory of 3056 900 6033c06338a9439506b12de59d71d130N.exe 29
PID 900 wrote to memory of 3056 900 6033c06338a9439506b12de59d71d130N.exe 29
PID 3056 wrote to memory of 2176 3056 Dlokegib.exe 30
PID 3056 wrote to memory of 2176 3056 Dlokegib.exe 30
PID 3056 wrote to memory of 2176 3056 Dlokegib.exe 30
PID 3056 wrote to memory of 2176 3056 Dlokegib.exe 30
PID 2176 wrote to memory of 2392 2176 Dnpgmp32.exe 31
PID 2176 wrote to memory of 2392 2176 Dnpgmp32.exe 31
PID 2176 wrote to memory of 2392 2176 Dnpgmp32.exe 31
PID 2176 wrote to memory of 2392 2176 Dnpgmp32.exe 31
PID 2392 wrote to memory of 2456 2392 Dbnpcn32.exe 32
PID 2392 wrote to memory of 2456 2392 Dbnpcn32.exe 32
PID 2392 wrote to memory of 2456 2392 Dbnpcn32.exe 32
PID 2392 wrote to memory of 2456 2392 Dbnpcn32.exe 32
PID 2456 wrote to memory of 2960 2456 Dgkike32.exe 33
PID 2456 wrote to memory of 2960 2456 Dgkike32.exe 33
PID 2456 wrote to memory of 2960 2456 Dgkike32.exe 33
PID 2456 wrote to memory of 2960 2456 Dgkike32.exe 33
PID 2960 wrote to memory of 2904 2960 Egaoldnf.exe 34
PID 2960 wrote to memory of 2904 2960 Egaoldnf.exe 34
PID 2960 wrote to memory of 2904 2960 Egaoldnf.exe 34
PID 2960 wrote to memory of 2904 2960 Egaoldnf.exe 34
PID 2904 wrote to memory of 2840 2904 Emadjj32.exe 35
PID 2904 wrote to memory of 2840 2904 Emadjj32.exe 35
PID 2904 wrote to memory of 2840 2904 Emadjj32.exe 35
PID 2904 wrote to memory of 2840 2904 Emadjj32.exe 35
PID 2840 wrote to memory of 2648 2840 Elfakg32.exe 36
PID 2840 wrote to memory of 2648 2840 Elfakg32.exe 36
PID 2840 wrote to memory of 2648 2840 Elfakg32.exe 36
PID 2840 wrote to memory of 2648 2840 Elfakg32.exe 36
PID 2648 wrote to memory of 2788 2648 Fijadk32.exe 37
PID 2648 wrote to memory of 2788 2648 Fijadk32.exe 37
PID 2648 wrote to memory of 2788 2648 Fijadk32.exe 37
PID 2648 wrote to memory of 2788 2648 Fijadk32.exe 37
PID 2788 wrote to memory of 332 2788 Fbbfmqdm.exe 38
PID 2788 wrote to memory of 332 2788 Fbbfmqdm.exe 38
PID 2788 wrote to memory of 332 2788 Fbbfmqdm.exe 38
PID 2788 wrote to memory of 332 2788 Fbbfmqdm.exe 38
PID 332 wrote to memory of 1236 332 Fhonegbd.exe 39
PID 332 wrote to memory of 1236 332 Fhonegbd.exe 39
PID 332 wrote to memory of 1236 332 Fhonegbd.exe 39
PID 332 wrote to memory of 1236 332 Fhonegbd.exe 39
PID 1236 wrote to memory of 2592 1236 Fmnccn32.exe 40
PID 1236 wrote to memory of 2592 1236 Fmnccn32.exe 40
PID 1236 wrote to memory of 2592 1236 Fmnccn32.exe 40
PID 1236 wrote to memory of 2592 1236 Fmnccn32.exe 40
PID 2592 wrote to memory of 1132 2592 Fjbdmbmb.exe 41
PID 2592 wrote to memory of 1132 2592 Fjbdmbmb.exe 41
PID 2592 wrote to memory of 1132 2592 Fjbdmbmb.exe 41
PID 2592 wrote to memory of 1132 2592 Fjbdmbmb.exe 41
PID 1132 wrote to memory of 2200 1132 Gigano32.exe 42
PID 1132 wrote to memory of 2200 1132 Gigano32.exe 42
PID 1132 wrote to memory of 2200 1132 Gigano32.exe 42
PID 1132 wrote to memory of 2200 1132 Gigano32.exe 42
PID 2200 wrote to memory of 1036 2200 Gpdfph32.exe 43
PID 2200 wrote to memory of 1036 2200 Gpdfph32.exe 43
PID 2200 wrote to memory of 1036 2200 Gpdfph32.exe 43
PID 2200 wrote to memory of 1036 2200 Gpdfph32.exe 43
PID 1036 wrote to memory of 2420 1036 Gbbbld32.exe 44
PID 1036 wrote to memory of 2420 1036 Gbbbld32.exe 44
PID 1036 wrote to memory of 2420 1036 Gbbbld32.exe 44
PID 1036 wrote to memory of 2420 1036 Gbbbld32.exe 44
Processes
-
C:\Users\Admin\AppData\Local\Temp\6033c06338a9439506b12de59d71d130N.exe"C:\Users\Admin\AppData\Local\Temp\6033c06338a9439506b12de59d71d130N.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:900 -
C:\Windows\SysWOW64\Dlokegib.exeC:\Windows\system32\Dlokegib.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3056 -
C:\Windows\SysWOW64\Dnpgmp32.exeC:\Windows\system32\Dnpgmp32.exe3⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2176 -
C:\Windows\SysWOW64\Dbnpcn32.exeC:\Windows\system32\Dbnpcn32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2392 -
C:\Windows\SysWOW64\Dgkike32.exeC:\Windows\system32\Dgkike32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2456 -
C:\Windows\SysWOW64\Egaoldnf.exeC:\Windows\system32\Egaoldnf.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2960 -
C:\Windows\SysWOW64\Emadjj32.exeC:\Windows\system32\Emadjj32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2904 -
C:\Windows\SysWOW64\Elfakg32.exeC:\Windows\system32\Elfakg32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2840 -
C:\Windows\SysWOW64\Fijadk32.exeC:\Windows\system32\Fijadk32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2648 -
C:\Windows\SysWOW64\Fbbfmqdm.exeC:\Windows\system32\Fbbfmqdm.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2788 -
C:\Windows\SysWOW64\Fhonegbd.exeC:\Windows\system32\Fhonegbd.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:332 -
C:\Windows\SysWOW64\Fmnccn32.exeC:\Windows\system32\Fmnccn32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1236 -
C:\Windows\SysWOW64\Fjbdmbmb.exeC:\Windows\system32\Fjbdmbmb.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2592 -
C:\Windows\SysWOW64\Gigano32.exeC:\Windows\system32\Gigano32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1132 -
C:\Windows\SysWOW64\Gpdfph32.exeC:\Windows\system32\Gpdfph32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2200 -
C:\Windows\SysWOW64\Gbbbld32.exeC:\Windows\system32\Gbbbld32.exe16⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1036 -
C:\Windows\SysWOW64\Giogonlb.exeC:\Windows\system32\Giogonlb.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2420 -
C:\Windows\SysWOW64\Gloppi32.exeC:\Windows\system32\Gloppi32.exe18⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2068 -
C:\Windows\SysWOW64\Hopibdfd.exeC:\Windows\system32\Hopibdfd.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2164 -
C:\Windows\SysWOW64\Hobfgcdb.exeC:\Windows\system32\Hobfgcdb.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1732 -
C:\Windows\SysWOW64\Hilghaqq.exeC:\Windows\system32\Hilghaqq.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1992 -
C:\Windows\SysWOW64\Hphljkfk.exeC:\Windows\system32\Hphljkfk.exe22⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1704 -
C:\Windows\SysWOW64\Igdqmeke.exeC:\Windows\system32\Igdqmeke.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2072 -
C:\Windows\SysWOW64\Ickaaf32.exeC:\Windows\system32\Ickaaf32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1028 -
C:\Windows\SysWOW64\Iobbfggm.exeC:\Windows\system32\Iobbfggm.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2224 -
C:\Windows\SysWOW64\Ihjfolmn.exeC:\Windows\system32\Ihjfolmn.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2964 -
C:\Windows\SysWOW64\Jgbpfhpc.exeC:\Windows\system32\Jgbpfhpc.exe27⤵
- Executes dropped EXE
PID:2532 -
C:\Windows\SysWOW64\Jqjdon32.exeC:\Windows\system32\Jqjdon32.exe28⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Modifies registry class
PID:2912 -
C:\Windows\SysWOW64\Jcknqicd.exeC:\Windows\system32\Jcknqicd.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2092 -
C:\Windows\SysWOW64\Jmcbio32.exeC:\Windows\system32\Jmcbio32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2204 -
C:\Windows\SysWOW64\Jcmjfiab.exeC:\Windows\system32\Jcmjfiab.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:3012 -
C:\Windows\SysWOW64\Jofhqiec.exeC:\Windows\system32\Jofhqiec.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2260 -
C:\Windows\SysWOW64\Kkmhej32.exeC:\Windows\system32\Kkmhej32.exe33⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2968 -
C:\Windows\SysWOW64\Kfcmcckn.exeC:\Windows\system32\Kfcmcckn.exe34⤵
- Executes dropped EXE
PID:2852 -
C:\Windows\SysWOW64\Kbjmhd32.exeC:\Windows\system32\Kbjmhd32.exe35⤵
- Executes dropped EXE
- Modifies registry class
PID:2892 -
C:\Windows\SysWOW64\Kkbbqjgb.exeC:\Windows\system32\Kkbbqjgb.exe36⤵
- Executes dropped EXE
PID:2636 -
C:\Windows\SysWOW64\Kldofi32.exeC:\Windows\system32\Kldofi32.exe37⤵
- Executes dropped EXE
PID:912 -
C:\Windows\SysWOW64\Lmmaoq32.exeC:\Windows\system32\Lmmaoq32.exe38⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:436 -
C:\Windows\SysWOW64\Lbijgg32.exeC:\Windows\system32\Lbijgg32.exe39⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:824 -
C:\Windows\SysWOW64\Lblflgqk.exeC:\Windows\system32\Lblflgqk.exe40⤵
- Executes dropped EXE
PID:2848 -
C:\Windows\SysWOW64\Laacmc32.exeC:\Windows\system32\Laacmc32.exe41⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2860 -
C:\Windows\SysWOW64\Moecghdl.exeC:\Windows\system32\Moecghdl.exe42⤵
- Executes dropped EXE
PID:2220 -
C:\Windows\SysWOW64\Mkldli32.exeC:\Windows\system32\Mkldli32.exe43⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:572 -
C:\Windows\SysWOW64\Mafmhcam.exeC:\Windows\system32\Mafmhcam.exe44⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:320 -
C:\Windows\SysWOW64\Mmojcceo.exeC:\Windows\system32\Mmojcceo.exe45⤵
- Executes dropped EXE
PID:2256 -
C:\Windows\SysWOW64\Mdibpn32.exeC:\Windows\system32\Mdibpn32.exe46⤵
- Executes dropped EXE
PID:1152 -
C:\Windows\SysWOW64\Ncnoaj32.exeC:\Windows\system32\Ncnoaj32.exe47⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:308 -
C:\Windows\SysWOW64\Nihgndip.exeC:\Windows\system32\Nihgndip.exe48⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1664 -
C:\Windows\SysWOW64\Ncplfj32.exeC:\Windows\system32\Ncplfj32.exe49⤵
- Executes dropped EXE
- Modifies registry class
PID:1832 -
C:\Windows\SysWOW64\Nijdcdgn.exeC:\Windows\system32\Nijdcdgn.exe50⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1848 -
C:\Windows\SysWOW64\Noiiaj32.exeC:\Windows\system32\Noiiaj32.exe51⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1280 -
C:\Windows\SysWOW64\Necandjo.exeC:\Windows\system32\Necandjo.exe52⤵
- Executes dropped EXE
PID:888 -
C:\Windows\SysWOW64\Najbbepc.exeC:\Windows\system32\Najbbepc.exe53⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:856 -
C:\Windows\SysWOW64\Oggkklnk.exeC:\Windows\system32\Oggkklnk.exe54⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:1592 -
C:\Windows\SysWOW64\Opoocb32.exeC:\Windows\system32\Opoocb32.exe55⤵
- Executes dropped EXE
PID:2112 -
C:\Windows\SysWOW64\Ogigpllh.exeC:\Windows\system32\Ogigpllh.exe56⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:2808 -
C:\Windows\SysWOW64\Okgpfjbo.exeC:\Windows\system32\Okgpfjbo.exe57⤵
- Executes dropped EXE
- Modifies registry class
PID:2020 -
C:\Windows\SysWOW64\Olhmnb32.exeC:\Windows\system32\Olhmnb32.exe58⤵
- Executes dropped EXE
PID:2620 -
C:\Windows\SysWOW64\Ognakk32.exeC:\Windows\system32\Ognakk32.exe59⤵
- Executes dropped EXE
PID:2724 -
C:\Windows\SysWOW64\Omkidb32.exeC:\Windows\system32\Omkidb32.exe60⤵
- Executes dropped EXE
PID:1720 -
C:\Windows\SysWOW64\Ojojmfed.exeC:\Windows\system32\Ojojmfed.exe61⤵
- Executes dropped EXE
PID:760 -
C:\Windows\SysWOW64\Oqibjq32.exeC:\Windows\system32\Oqibjq32.exe62⤵
- Executes dropped EXE
PID:1156 -
C:\Windows\SysWOW64\Pjafbfca.exeC:\Windows\system32\Pjafbfca.exe63⤵
- Executes dropped EXE
PID:1760 -
C:\Windows\SysWOW64\Poplqm32.exeC:\Windows\system32\Poplqm32.exe64⤵
- Executes dropped EXE
- Modifies registry class
PID:836 -
C:\Windows\SysWOW64\Pikmob32.exeC:\Windows\system32\Pikmob32.exe65⤵
- Executes dropped EXE
PID:1804 -
C:\Windows\SysWOW64\Pjlifjjb.exeC:\Windows\system32\Pjlifjjb.exe66⤵
- Executes dropped EXE
PID:2496 -
C:\Windows\SysWOW64\Qjofljho.exeC:\Windows\system32\Qjofljho.exe67⤵PID:816
-
C:\Windows\SysWOW64\Qedjib32.exeC:\Windows\system32\Qedjib32.exe68⤵PID:1708
-
C:\Windows\SysWOW64\Afhcgjkq.exeC:\Windows\system32\Afhcgjkq.exe69⤵PID:632
-
C:\Windows\SysWOW64\Acldpojj.exeC:\Windows\system32\Acldpojj.exe70⤵
- Drops file in System32 directory
PID:2996 -
C:\Windows\SysWOW64\Acnqen32.exeC:\Windows\system32\Acnqen32.exe71⤵
- Drops file in System32 directory
PID:2124 -
C:\Windows\SysWOW64\Aikine32.exeC:\Windows\system32\Aikine32.exe72⤵
- Modifies registry class
PID:2444 -
C:\Windows\SysWOW64\Apeakonl.exeC:\Windows\system32\Apeakonl.exe73⤵
- Modifies registry class
PID:2276 -
C:\Windows\SysWOW64\Afojgiei.exeC:\Windows\system32\Afojgiei.exe74⤵
- Modifies registry class
PID:1696 -
C:\Windows\SysWOW64\Apgnpo32.exeC:\Windows\system32\Apgnpo32.exe75⤵PID:2756
-
C:\Windows\SysWOW64\Abejlj32.exeC:\Windows\system32\Abejlj32.exe76⤵PID:2916
-
C:\Windows\SysWOW64\Alnoepam.exeC:\Windows\system32\Alnoepam.exe77⤵
- System Location Discovery: System Language Discovery
PID:2668 -
C:\Windows\SysWOW64\Bakgmgpe.exeC:\Windows\system32\Bakgmgpe.exe78⤵PID:936
-
C:\Windows\SysWOW64\Bdiciboh.exeC:\Windows\system32\Bdiciboh.exe79⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2492 -
C:\Windows\SysWOW64\Behpcefk.exeC:\Windows\system32\Behpcefk.exe80⤵
- System Location Discovery: System Language Discovery
PID:2652 -
C:\Windows\SysWOW64\Baoahf32.exeC:\Windows\system32\Baoahf32.exe81⤵PID:1300
-
C:\Windows\SysWOW64\Bhiiepcl.exeC:\Windows\system32\Bhiiepcl.exe82⤵PID:2424
-
C:\Windows\SysWOW64\Bikemiik.exeC:\Windows\system32\Bikemiik.exe83⤵
- Drops file in System32 directory
PID:2700 -
C:\Windows\SysWOW64\Bdpjjaiq.exeC:\Windows\system32\Bdpjjaiq.exe84⤵
- Drops file in System32 directory
PID:2364 -
C:\Windows\SysWOW64\Bkjbgk32.exeC:\Windows\system32\Bkjbgk32.exe85⤵PID:1820
-
C:\Windows\SysWOW64\Bpgjob32.exeC:\Windows\system32\Bpgjob32.exe86⤵PID:640
-
C:\Windows\SysWOW64\Cioohh32.exeC:\Windows\system32\Cioohh32.exe87⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2536 -
C:\Windows\SysWOW64\Cpigeblb.exeC:\Windows\system32\Cpigeblb.exe88⤵
- System Location Discovery: System Language Discovery
PID:2552 -
C:\Windows\SysWOW64\Cialng32.exeC:\Windows\system32\Cialng32.exe89⤵PID:2576
-
C:\Windows\SysWOW64\Ccjpfmic.exeC:\Windows\system32\Ccjpfmic.exe90⤵PID:2216
-
C:\Windows\SysWOW64\Chghodgj.exeC:\Windows\system32\Chghodgj.exe91⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2288 -
C:\Windows\SysWOW64\Cclmlm32.exeC:\Windows\system32\Cclmlm32.exe92⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2240 -
C:\Windows\SysWOW64\Ckgapo32.exeC:\Windows\system32\Ckgapo32.exe93⤵
- System Location Discovery: System Language Discovery
PID:1092 -
C:\Windows\SysWOW64\Caajmilh.exeC:\Windows\system32\Caajmilh.exe94⤵PID:2540
-
C:\Windows\SysWOW64\Dpggnfap.exeC:\Windows\system32\Dpggnfap.exe95⤵
- Drops file in System32 directory
PID:1608 -
C:\Windows\SysWOW64\Dklkkoqf.exeC:\Windows\system32\Dklkkoqf.exe96⤵PID:276
-
C:\Windows\SysWOW64\Doqmjaac.exeC:\Windows\system32\Doqmjaac.exe97⤵
- Drops file in System32 directory
PID:2944 -
C:\Windows\SysWOW64\Dghekobe.exeC:\Windows\system32\Dghekobe.exe98⤵
- Drops file in System32 directory
PID:2868 -
C:\Windows\SysWOW64\Djfagjai.exeC:\Windows\system32\Djfagjai.exe99⤵PID:236
-
C:\Windows\SysWOW64\Docjpa32.exeC:\Windows\system32\Docjpa32.exe100⤵PID:2028
-
C:\Windows\SysWOW64\Ekjjebed.exeC:\Windows\system32\Ekjjebed.exe101⤵PID:1604
-
C:\Windows\SysWOW64\Ebccal32.exeC:\Windows\system32\Ebccal32.exe102⤵PID:2136
-
C:\Windows\SysWOW64\Edbonh32.exeC:\Windows\system32\Edbonh32.exe103⤵PID:2696
-
C:\Windows\SysWOW64\Eogckqkk.exeC:\Windows\system32\Eogckqkk.exe104⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1596 -
C:\Windows\SysWOW64\Efakhk32.exeC:\Windows\system32\Efakhk32.exe105⤵PID:2824
-
C:\Windows\SysWOW64\Eojpqpih.exeC:\Windows\system32\Eojpqpih.exe106⤵PID:2608
-
C:\Windows\SysWOW64\Ebhlmlhl.exeC:\Windows\system32\Ebhlmlhl.exe107⤵
- Modifies registry class
PID:304 -
C:\Windows\SysWOW64\Edghighp.exeC:\Windows\system32\Edghighp.exe108⤵PID:2516
-
C:\Windows\SysWOW64\Ejcaanfg.exeC:\Windows\system32\Ejcaanfg.exe109⤵PID:1676
-
C:\Windows\SysWOW64\Ebkibk32.exeC:\Windows\system32\Ebkibk32.exe110⤵
- Modifies registry class
PID:2400 -
C:\Windows\SysWOW64\Eclejclg.exeC:\Windows\system32\Eclejclg.exe111⤵
- Modifies registry class
PID:2784 -
C:\Windows\SysWOW64\Ejfnfn32.exeC:\Windows\system32\Ejfnfn32.exe112⤵PID:828
-
C:\Windows\SysWOW64\Ecnbpcje.exeC:\Windows\system32\Ecnbpcje.exe113⤵PID:2336
-
C:\Windows\SysWOW64\Fjhjlm32.exeC:\Windows\system32\Fjhjlm32.exe114⤵PID:2052
-
C:\Windows\SysWOW64\Fmffhi32.exeC:\Windows\system32\Fmffhi32.exe115⤵PID:1520
-
C:\Windows\SysWOW64\Fcqoec32.exeC:\Windows\system32\Fcqoec32.exe116⤵
- Drops file in System32 directory
PID:2744 -
C:\Windows\SysWOW64\Fjkgampo.exeC:\Windows\system32\Fjkgampo.exe117⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:2836 -
C:\Windows\SysWOW64\Fcckjb32.exeC:\Windows\system32\Fcckjb32.exe118⤵
- Drops file in System32 directory
PID:3004 -
C:\Windows\SysWOW64\Flnpoe32.exeC:\Windows\system32\Flnpoe32.exe119⤵PID:2404
-
C:\Windows\SysWOW64\Fbhhlo32.exeC:\Windows\system32\Fbhhlo32.exe120⤵
- Drops file in System32 directory
- Modifies registry class
PID:1632 -
C:\Windows\SysWOW64\Flqmddah.exeC:\Windows\system32\Flqmddah.exe121⤵PID:2980
-
C:\Windows\SysWOW64\Feiamj32.exeC:\Windows\system32\Feiamj32.exe122⤵PID:456