Analysis
-
max time kernel
119s -
max time network
19s -
platform
windows7_x64 -
resource
win7-20240704-en -
resource tags
arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system -
submitted
21-08-2024 16:02
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
eba4f92efb4a8e145251198d40075040N.exe
Resource
win7-20240704-en
windows7-x64
8 signatures
120 seconds
Behavioral task
behavioral2
Sample
eba4f92efb4a8e145251198d40075040N.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
7 signatures
120 seconds
General
-
Target
eba4f92efb4a8e145251198d40075040N.exe
-
Size
350KB
-
MD5
eba4f92efb4a8e145251198d40075040
-
SHA1
62beb2e9090075cf74e7a962f905236bf94f26d6
-
SHA256
1eb47a3ff810272e6caa8319575e0e323f84db554a3a337657127a42c185b524
-
SHA512
0779fcb1eb0a4e2175fafb6ce08aa888036b8def121e078080f27e886b67edd6da6aea87be45a8d376dd82e3f4b1e5375ed40fd2c749f252d2b26bb884212e96
-
SSDEEP
6144:R+deg/tpHVILifyeYVDcfflXpX6LRifyeYVDc:kdegHyefyeYCdXpXZfyeY
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hmbdlc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Knkkngol.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ojdndi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Idcdjmao.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Obfiijia.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eakkkdnm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ebnokjpf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ccoplcii.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dblcnngi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lcllii32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bkkiab32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ccoplcii.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Knapen32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nocgbl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qeeadi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pjafbfca.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Acnqen32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ildhcd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lhkiae32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bncboo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iojoalda.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Imenpfap.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nijdcdgn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fefnmdfo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Chdeonfa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hdloab32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mlndfa32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Knnagehi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kfknpj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jgbboa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pgcmoc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ponadfim.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fqeagpop.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jadnoc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mmigdend.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dqcmdjjo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nogjbbma.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aipbidbj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pkalph32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mgoohk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oeeeeehe.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mkldli32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mboekp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iniebmfg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kqgmnk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mlifie32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Achlch32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nidhfgpl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dnjeoa32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ifikehii.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mllcodig.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fiepga32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lppgfkpd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qpnkjq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Npjonlee.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jllggbde.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cbokoa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jgnflmia.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Djnbdlla.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hmbdlc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hgpgae32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mfbnfcli.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fobodn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jchjqc32.exe -
Executes dropped EXE 64 IoCs
pid Process 2728 Oclpdf32.exe 2856 Oiiilm32.exe 2352 Oepianef.exe 2896 Oafjfokk.exe 2692 Onkjocjd.exe 2288 Ojakdd32.exe 2620 Pfhlie32.exe 2092 Phhhchlp.exe 2948 Pjhaec32.exe 2992 Pbcfie32.exe 2696 Pfaopc32.exe 2428 Qbhpddbf.exe 324 Qbkljd32.exe 2444 Amdmkb32.exe 2188 Adqbml32.exe 2536 Acfonhgd.exe 1384 Achlch32.exe 2412 Apllml32.exe 2040 Boainhic.exe 2224 Bkhjcing.exe 760 Bkjfhile.exe 1336 Bdbkaoce.exe 1948 Bdehgnqc.exe 1760 Ccjehkek.exe 2548 Cfknjfbl.exe 1184 Cgjjdijo.exe 2400 Cbdkdffm.exe 2876 Dfbdje32.exe 2880 Degqka32.exe 2852 Dbkaee32.exe 2952 Dapnfb32.exe 2936 Dmgokcja.exe 388 Eaegaaah.exe 1048 Fkmhij32.exe 3024 Fmpnpe32.exe 3056 Fangfcki.exe 888 Gcapckod.exe 2656 Gjpakdbl.exe 2280 Galfpgpg.exe 2588 Hdloab32.exe 2508 Hkidclbb.exe 3040 Hbblpf32.exe 2904 Hcdihn32.exe 1996 Homfboco.exe 1528 Ifikehii.exe 1104 Icmlnmgb.exe 264 Igoagpja.exe 556 Iionacad.exe 2380 Jchobqnc.exe 2196 Jalolemm.exe 940 Jjdcdjcm.exe 2028 Jmelfeqn.exe 1652 Jcaahofh.exe 2316 Klocba32.exe 944 Kblhdkgk.exe 2156 Kkiiom32.exe 2868 Lhmjha32.exe 2980 Lhkiae32.exe 2544 Macnjk32.exe 2984 Mlhbgc32.exe 2672 Mnlkdk32.exe 1708 Mkplnp32.exe 2260 Mnqdpj32.exe 1976 Nflidmic.exe -
Loads dropped DLL 64 IoCs
pid Process 2348 eba4f92efb4a8e145251198d40075040N.exe 2348 eba4f92efb4a8e145251198d40075040N.exe 2728 Oclpdf32.exe 2728 Oclpdf32.exe 2856 Oiiilm32.exe 2856 Oiiilm32.exe 2352 Oepianef.exe 2352 Oepianef.exe 2896 Oafjfokk.exe 2896 Oafjfokk.exe 2692 Onkjocjd.exe 2692 Onkjocjd.exe 2288 Ojakdd32.exe 2288 Ojakdd32.exe 2620 Pfhlie32.exe 2620 Pfhlie32.exe 2092 Phhhchlp.exe 2092 Phhhchlp.exe 2948 Pjhaec32.exe 2948 Pjhaec32.exe 2992 Pbcfie32.exe 2992 Pbcfie32.exe 2696 Pfaopc32.exe 2696 Pfaopc32.exe 2428 Qbhpddbf.exe 2428 Qbhpddbf.exe 324 Qbkljd32.exe 324 Qbkljd32.exe 2444 Amdmkb32.exe 2444 Amdmkb32.exe 2188 Adqbml32.exe 2188 Adqbml32.exe 2536 Acfonhgd.exe 2536 Acfonhgd.exe 1384 Achlch32.exe 1384 Achlch32.exe 2412 Apllml32.exe 2412 Apllml32.exe 2040 Boainhic.exe 2040 Boainhic.exe 2224 Bkhjcing.exe 2224 Bkhjcing.exe 760 Bkjfhile.exe 760 Bkjfhile.exe 1336 Bdbkaoce.exe 1336 Bdbkaoce.exe 1948 Bdehgnqc.exe 1948 Bdehgnqc.exe 1760 Ccjehkek.exe 1760 Ccjehkek.exe 2548 Cfknjfbl.exe 2548 Cfknjfbl.exe 1184 Cgjjdijo.exe 1184 Cgjjdijo.exe 2400 Cbdkdffm.exe 2400 Cbdkdffm.exe 2876 Dfbdje32.exe 2876 Dfbdje32.exe 2880 Degqka32.exe 2880 Degqka32.exe 2852 Dbkaee32.exe 2852 Dbkaee32.exe 2952 Dapnfb32.exe 2952 Dapnfb32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Jekaeb32.exe Jnaihhgf.exe File created C:\Windows\SysWOW64\Obbonk32.exe Omeged32.exe File created C:\Windows\SysWOW64\Klehma32.dll Hejcggee.exe File created C:\Windows\SysWOW64\Cgnbepjp.exe Cdnicemo.exe File created C:\Windows\SysWOW64\Hoccdhpn.dll Cdnicemo.exe File created C:\Windows\SysWOW64\Cpflcp32.dll Ephihbnm.exe File opened for modification C:\Windows\SysWOW64\Oijbkpqm.exe Okefjcle.exe File created C:\Windows\SysWOW64\Gcapckod.exe Fangfcki.exe File created C:\Windows\SysWOW64\Ckdcepoh.dll Fpdjaeei.exe File created C:\Windows\SysWOW64\Kbgfmkep.dll Fnifbaja.exe File created C:\Windows\SysWOW64\Oepjmbka.exe Olhfdl32.exe File created C:\Windows\SysWOW64\Hljokk32.dll Dbkaee32.exe File opened for modification C:\Windows\SysWOW64\Jadnoc32.exe Jgljfmkd.exe File opened for modification C:\Windows\SysWOW64\Jfijmdbh.exe Jciaki32.exe File opened for modification C:\Windows\SysWOW64\Anpekggc.exe Qcfdji32.exe File opened for modification C:\Windows\SysWOW64\Pfhlie32.exe Ojakdd32.exe File opened for modification C:\Windows\SysWOW64\Ndnbeclb.exe Napfihmn.exe File opened for modification C:\Windows\SysWOW64\Pjhaec32.exe Phhhchlp.exe File created C:\Windows\SysWOW64\Achlch32.exe Acfonhgd.exe File opened for modification C:\Windows\SysWOW64\Nbjpjm32.exe Nkphmc32.exe File created C:\Windows\SysWOW64\Fadcae32.dll Ojdndi32.exe File opened for modification C:\Windows\SysWOW64\Kfknpj32.exe Kckeno32.exe File created C:\Windows\SysWOW64\Fggkpgmn.dll Jalolemm.exe File created C:\Windows\SysWOW64\Jjbpppeb.dll Ofaaghom.exe File created C:\Windows\SysWOW64\Pfjdmggb.exe Pdkgcd32.exe File opened for modification C:\Windows\SysWOW64\Jfkphnmj.exe Jcjffc32.exe File created C:\Windows\SysWOW64\Iopgjp32.exe Ibigeojp.exe File created C:\Windows\SysWOW64\Bfiqjo32.dll Behnkm32.exe File opened for modification C:\Windows\SysWOW64\Ceeibbgn.exe Cbdpag32.exe File created C:\Windows\SysWOW64\Meaiia32.exe Mkldli32.exe File opened for modification C:\Windows\SysWOW64\Nlfdjphd.exe Ndkoemji.exe File created C:\Windows\SysWOW64\Kheeallp.dll Bmahbhei.exe File opened for modification C:\Windows\SysWOW64\Dapnfb32.exe Dbkaee32.exe File opened for modification C:\Windows\SysWOW64\Bmpooiji.exe Bbkkbpjc.exe File opened for modification C:\Windows\SysWOW64\Nijdcdgn.exe Nlfdjphd.exe File opened for modification C:\Windows\SysWOW64\Hkoikcaq.exe Hepdml32.exe File created C:\Windows\SysWOW64\Qdbpml32.exe Pdpcgl32.exe File created C:\Windows\SysWOW64\Nghjkn32.dll Aijgemok.exe File created C:\Windows\SysWOW64\Empecnnl.dll Mphfji32.exe File created C:\Windows\SysWOW64\Hhcbdmon.dll Ncpjnahm.exe File opened for modification C:\Windows\SysWOW64\Plfjme32.exe Pfgeoo32.exe File created C:\Windows\SysWOW64\Djfnebhe.dll Hpckee32.exe File opened for modification C:\Windows\SysWOW64\Ibigeojp.exe Iiablido.exe File created C:\Windows\SysWOW64\Dpbgghhl.exe Dggcbf32.exe File created C:\Windows\SysWOW64\Gogqihmh.dll Ikiedq32.exe File created C:\Windows\SysWOW64\Mnlkdk32.exe Mlhbgc32.exe File created C:\Windows\SysWOW64\Dopnodpc.dll Kofnbk32.exe File created C:\Windows\SysWOW64\Ekeingln.dll Abkqle32.exe File created C:\Windows\SysWOW64\Ldomncbm.dll Bijobb32.exe File created C:\Windows\SysWOW64\Jcaahofh.exe Jmelfeqn.exe File created C:\Windows\SysWOW64\Mjoflc32.dll Plfjme32.exe File opened for modification C:\Windows\SysWOW64\Dkdhfdnj.exe Dfgpnm32.exe File created C:\Windows\SysWOW64\Ejqakjgg.dll Kcebpqcn.exe File created C:\Windows\SysWOW64\Ifhinl32.exe Ieglfd32.exe File opened for modification C:\Windows\SysWOW64\Icmlnmgb.exe Ifikehii.exe File opened for modification C:\Windows\SysWOW64\Pjafbfca.exe Ojojmfed.exe File created C:\Windows\SysWOW64\Kggeijok.dll Bdbkaoce.exe File created C:\Windows\SysWOW64\Mcjcpm32.dll Ndnbeclb.exe File created C:\Windows\SysWOW64\Geammipo.dll Nhlkkabh.exe File opened for modification C:\Windows\SysWOW64\Moecghdl.exe Mhkkjnmo.exe File opened for modification C:\Windows\SysWOW64\Ccjehkek.exe Bdehgnqc.exe File created C:\Windows\SysWOW64\Lcegdl32.dll Dfhficcn.exe File created C:\Windows\SysWOW64\Mjqplmck.dll Fhlhmi32.exe File created C:\Windows\SysWOW64\Bandoqmk.dll Gmlokdgp.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 3356 2664 WerFault.exe 632 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ncpjnahm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nlcnaaog.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dkdhfdnj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oabafcek.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oafjfokk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jboanfmm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eqpfchka.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pcljjd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jkfncn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Behnkm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Blkoocfl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cmqmgedi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mdidhfdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nogodcli.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fncddc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fqbbig32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ckdnpicb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bkjfhile.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fhlhmi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oooeeb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Amaiklki.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ildhcd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ofmknifp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hepdml32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hfmfjh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ipqmgbbf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ojgado32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Choejien.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mkldli32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iopgjp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gkojcgga.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jjdcdjcm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gjgmhaim.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jhedachg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fangfcki.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Egaoldnf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jfijmdbh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nknmplji.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dafchi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kcjcefbd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hdbmnchk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mkplnp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cpcaeghc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cgnbepjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gpdhiaoi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ombjpd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pjdjbl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ijokcl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lkfbmj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ckdlgq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aeljmq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lkolmk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jocdqc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Odpghiqc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Acnqen32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Medligko.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pkalph32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jgljfmkd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Apbblg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Knkkngol.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oekaab32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fkipiodd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mlifie32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cpjimk32.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ggniapdj.dll" Ddbbod32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mainpc32.dll" Eheblj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Inffdd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kgffpk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gaamobdf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Oggkklnk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cdnicemo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jekaeb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cnchedie.dll" Kceganoe.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bhiiepcl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hcpodaao.dll" Bjclfmfe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mcjihk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cbdpag32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hbblpf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kobamdkg.dll" Aihjpman.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lpekln32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gmhfjm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pgcmoc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Phhhchlp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Apbblg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qnmfmoaa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Obddhc32.dll" Gjgmhaim.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjfkao32.dll" Meolcb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Djnbdlla.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ncjmeinn.dll" Ljjnpo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Geolio32.dll" Hmphfc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Plfjme32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ajfcgoec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ceeibbgn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pnphenic.dll" Eomfiobe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fcmlpd32.dll" Eakkkdnm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mcjcpm32.dll" Ndnbeclb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eiggim32.dll" Ocjfgo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dgkike32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Galfpgpg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jchjqc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mibgho32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aieihpgi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Acjleipk.dll" Hioefjfb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpifgqmh.dll" Opghmjfg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elajhc32.dll" Paqoef32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fqdong32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dhcanahm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lhkiae32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hhljbpfd.dll" Nbjpjm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Akinoefk.dll" Fplgljbm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Afjgjj32.dll" Dcdlpklh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fkkmgk32.dll" Hdbmnchk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dkejoo32.dll" Qegnii32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mfbnfcli.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pinchq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aipbidbj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Iankbldh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lokpcekn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bbkkbpjc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imnaimag.dll" Eiheok32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ncbilimn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kjpafanf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Capopb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pefone32.dll" Fjlaod32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lkolmk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fbibaaia.dll" Ndkoemji.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hgpgae32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Anpekggc.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2348 wrote to memory of 2728 2348 eba4f92efb4a8e145251198d40075040N.exe 29 PID 2348 wrote to memory of 2728 2348 eba4f92efb4a8e145251198d40075040N.exe 29 PID 2348 wrote to memory of 2728 2348 eba4f92efb4a8e145251198d40075040N.exe 29 PID 2348 wrote to memory of 2728 2348 eba4f92efb4a8e145251198d40075040N.exe 29 PID 2728 wrote to memory of 2856 2728 Oclpdf32.exe 30 PID 2728 wrote to memory of 2856 2728 Oclpdf32.exe 30 PID 2728 wrote to memory of 2856 2728 Oclpdf32.exe 30 PID 2728 wrote to memory of 2856 2728 Oclpdf32.exe 30 PID 2856 wrote to memory of 2352 2856 Oiiilm32.exe 31 PID 2856 wrote to memory of 2352 2856 Oiiilm32.exe 31 PID 2856 wrote to memory of 2352 2856 Oiiilm32.exe 31 PID 2856 wrote to memory of 2352 2856 Oiiilm32.exe 31 PID 2352 wrote to memory of 2896 2352 Oepianef.exe 32 PID 2352 wrote to memory of 2896 2352 Oepianef.exe 32 PID 2352 wrote to memory of 2896 2352 Oepianef.exe 32 PID 2352 wrote to memory of 2896 2352 Oepianef.exe 32 PID 2896 wrote to memory of 2692 2896 Oafjfokk.exe 33 PID 2896 wrote to memory of 2692 2896 Oafjfokk.exe 33 PID 2896 wrote to memory of 2692 2896 Oafjfokk.exe 33 PID 2896 wrote to memory of 2692 2896 Oafjfokk.exe 33 PID 2692 wrote to memory of 2288 2692 Onkjocjd.exe 34 PID 2692 wrote to memory of 2288 2692 Onkjocjd.exe 34 PID 2692 wrote to memory of 2288 2692 Onkjocjd.exe 34 PID 2692 wrote to memory of 2288 2692 Onkjocjd.exe 34 PID 2288 wrote to memory of 2620 2288 Ojakdd32.exe 35 PID 2288 wrote to memory of 2620 2288 Ojakdd32.exe 35 PID 2288 wrote to memory of 2620 2288 Ojakdd32.exe 35 PID 2288 wrote to memory of 2620 2288 Ojakdd32.exe 35 PID 2620 wrote to memory of 2092 2620 Pfhlie32.exe 36 PID 2620 wrote to memory of 2092 2620 Pfhlie32.exe 36 PID 2620 wrote to memory of 2092 2620 Pfhlie32.exe 36 PID 2620 wrote to memory of 2092 2620 Pfhlie32.exe 36 PID 2092 wrote to memory of 2948 2092 Phhhchlp.exe 37 PID 2092 wrote to memory of 2948 2092 Phhhchlp.exe 37 PID 2092 wrote to memory of 2948 2092 Phhhchlp.exe 37 PID 2092 wrote to memory of 2948 2092 Phhhchlp.exe 37 PID 2948 wrote to memory of 2992 2948 Pjhaec32.exe 38 PID 2948 wrote to memory of 2992 2948 Pjhaec32.exe 38 PID 2948 wrote to memory of 2992 2948 Pjhaec32.exe 38 PID 2948 wrote to memory of 2992 2948 Pjhaec32.exe 38 PID 2992 wrote to memory of 2696 2992 Pbcfie32.exe 39 PID 2992 wrote to memory of 2696 2992 Pbcfie32.exe 39 PID 2992 wrote to memory of 2696 2992 Pbcfie32.exe 39 PID 2992 wrote to memory of 2696 2992 Pbcfie32.exe 39 PID 2696 wrote to memory of 2428 2696 Pfaopc32.exe 40 PID 2696 wrote to memory of 2428 2696 Pfaopc32.exe 40 PID 2696 wrote to memory of 2428 2696 Pfaopc32.exe 40 PID 2696 wrote to memory of 2428 2696 Pfaopc32.exe 40 PID 2428 wrote to memory of 324 2428 Qbhpddbf.exe 41 PID 2428 wrote to memory of 324 2428 Qbhpddbf.exe 41 PID 2428 wrote to memory of 324 2428 Qbhpddbf.exe 41 PID 2428 wrote to memory of 324 2428 Qbhpddbf.exe 41 PID 324 wrote to memory of 2444 324 Qbkljd32.exe 42 PID 324 wrote to memory of 2444 324 Qbkljd32.exe 42 PID 324 wrote to memory of 2444 324 Qbkljd32.exe 42 PID 324 wrote to memory of 2444 324 Qbkljd32.exe 42 PID 2444 wrote to memory of 2188 2444 Amdmkb32.exe 43 PID 2444 wrote to memory of 2188 2444 Amdmkb32.exe 43 PID 2444 wrote to memory of 2188 2444 Amdmkb32.exe 43 PID 2444 wrote to memory of 2188 2444 Amdmkb32.exe 43 PID 2188 wrote to memory of 2536 2188 Adqbml32.exe 44 PID 2188 wrote to memory of 2536 2188 Adqbml32.exe 44 PID 2188 wrote to memory of 2536 2188 Adqbml32.exe 44 PID 2188 wrote to memory of 2536 2188 Adqbml32.exe 44
Processes
-
C:\Users\Admin\AppData\Local\Temp\eba4f92efb4a8e145251198d40075040N.exe"C:\Users\Admin\AppData\Local\Temp\eba4f92efb4a8e145251198d40075040N.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2348 -
C:\Windows\SysWOW64\Oclpdf32.exeC:\Windows\system32\Oclpdf32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2728 -
C:\Windows\SysWOW64\Oiiilm32.exeC:\Windows\system32\Oiiilm32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2856 -
C:\Windows\SysWOW64\Oepianef.exeC:\Windows\system32\Oepianef.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2352 -
C:\Windows\SysWOW64\Oafjfokk.exeC:\Windows\system32\Oafjfokk.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2896 -
C:\Windows\SysWOW64\Onkjocjd.exeC:\Windows\system32\Onkjocjd.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2692 -
C:\Windows\SysWOW64\Ojakdd32.exeC:\Windows\system32\Ojakdd32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2288 -
C:\Windows\SysWOW64\Pfhlie32.exeC:\Windows\system32\Pfhlie32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2620 -
C:\Windows\SysWOW64\Phhhchlp.exeC:\Windows\system32\Phhhchlp.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2092 -
C:\Windows\SysWOW64\Pjhaec32.exeC:\Windows\system32\Pjhaec32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2948 -
C:\Windows\SysWOW64\Pbcfie32.exeC:\Windows\system32\Pbcfie32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2992 -
C:\Windows\SysWOW64\Pfaopc32.exeC:\Windows\system32\Pfaopc32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2696 -
C:\Windows\SysWOW64\Qbhpddbf.exeC:\Windows\system32\Qbhpddbf.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2428 -
C:\Windows\SysWOW64\Qbkljd32.exeC:\Windows\system32\Qbkljd32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:324 -
C:\Windows\SysWOW64\Amdmkb32.exeC:\Windows\system32\Amdmkb32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2444 -
C:\Windows\SysWOW64\Adqbml32.exeC:\Windows\system32\Adqbml32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2188 -
C:\Windows\SysWOW64\Acfonhgd.exeC:\Windows\system32\Acfonhgd.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2536 -
C:\Windows\SysWOW64\Achlch32.exeC:\Windows\system32\Achlch32.exe18⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1384 -
C:\Windows\SysWOW64\Apllml32.exeC:\Windows\system32\Apllml32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2412 -
C:\Windows\SysWOW64\Boainhic.exeC:\Windows\system32\Boainhic.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2040 -
C:\Windows\SysWOW64\Bkhjcing.exeC:\Windows\system32\Bkhjcing.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2224 -
C:\Windows\SysWOW64\Bkjfhile.exeC:\Windows\system32\Bkjfhile.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:760 -
C:\Windows\SysWOW64\Bdbkaoce.exeC:\Windows\system32\Bdbkaoce.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1336 -
C:\Windows\SysWOW64\Bdehgnqc.exeC:\Windows\system32\Bdehgnqc.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1948 -
C:\Windows\SysWOW64\Ccjehkek.exeC:\Windows\system32\Ccjehkek.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1760 -
C:\Windows\SysWOW64\Cfknjfbl.exeC:\Windows\system32\Cfknjfbl.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2548 -
C:\Windows\SysWOW64\Cgjjdijo.exeC:\Windows\system32\Cgjjdijo.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1184 -
C:\Windows\SysWOW64\Cbdkdffm.exeC:\Windows\system32\Cbdkdffm.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2400 -
C:\Windows\SysWOW64\Dfbdje32.exeC:\Windows\system32\Dfbdje32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2876 -
C:\Windows\SysWOW64\Degqka32.exeC:\Windows\system32\Degqka32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2880 -
C:\Windows\SysWOW64\Dbkaee32.exeC:\Windows\system32\Dbkaee32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2852 -
C:\Windows\SysWOW64\Dapnfb32.exeC:\Windows\system32\Dapnfb32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2952 -
C:\Windows\SysWOW64\Dmgokcja.exeC:\Windows\system32\Dmgokcja.exe33⤵
- Executes dropped EXE
PID:2936 -
C:\Windows\SysWOW64\Eaegaaah.exeC:\Windows\system32\Eaegaaah.exe34⤵
- Executes dropped EXE
PID:388 -
C:\Windows\SysWOW64\Fkmhij32.exeC:\Windows\system32\Fkmhij32.exe35⤵
- Executes dropped EXE
PID:1048 -
C:\Windows\SysWOW64\Fmpnpe32.exeC:\Windows\system32\Fmpnpe32.exe36⤵
- Executes dropped EXE
PID:3024 -
C:\Windows\SysWOW64\Fangfcki.exeC:\Windows\system32\Fangfcki.exe37⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:3056 -
C:\Windows\SysWOW64\Gcapckod.exeC:\Windows\system32\Gcapckod.exe38⤵
- Executes dropped EXE
PID:888 -
C:\Windows\SysWOW64\Gjpakdbl.exeC:\Windows\system32\Gjpakdbl.exe39⤵
- Executes dropped EXE
PID:2656 -
C:\Windows\SysWOW64\Galfpgpg.exeC:\Windows\system32\Galfpgpg.exe40⤵
- Executes dropped EXE
- Modifies registry class
PID:2280 -
C:\Windows\SysWOW64\Hdloab32.exeC:\Windows\system32\Hdloab32.exe41⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2588 -
C:\Windows\SysWOW64\Hkidclbb.exeC:\Windows\system32\Hkidclbb.exe42⤵
- Executes dropped EXE
PID:2508 -
C:\Windows\SysWOW64\Hbblpf32.exeC:\Windows\system32\Hbblpf32.exe43⤵
- Executes dropped EXE
- Modifies registry class
PID:3040 -
C:\Windows\SysWOW64\Hcdihn32.exeC:\Windows\system32\Hcdihn32.exe44⤵
- Executes dropped EXE
PID:2904 -
C:\Windows\SysWOW64\Homfboco.exeC:\Windows\system32\Homfboco.exe45⤵
- Executes dropped EXE
PID:1996 -
C:\Windows\SysWOW64\Ifikehii.exeC:\Windows\system32\Ifikehii.exe46⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:1528 -
C:\Windows\SysWOW64\Icmlnmgb.exeC:\Windows\system32\Icmlnmgb.exe47⤵
- Executes dropped EXE
PID:1104 -
C:\Windows\SysWOW64\Igoagpja.exeC:\Windows\system32\Igoagpja.exe48⤵
- Executes dropped EXE
PID:264 -
C:\Windows\SysWOW64\Iionacad.exeC:\Windows\system32\Iionacad.exe49⤵
- Executes dropped EXE
PID:556 -
C:\Windows\SysWOW64\Jchobqnc.exeC:\Windows\system32\Jchobqnc.exe50⤵
- Executes dropped EXE
PID:2380 -
C:\Windows\SysWOW64\Jalolemm.exeC:\Windows\system32\Jalolemm.exe51⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2196 -
C:\Windows\SysWOW64\Jjdcdjcm.exeC:\Windows\system32\Jjdcdjcm.exe52⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:940 -
C:\Windows\SysWOW64\Jmelfeqn.exeC:\Windows\system32\Jmelfeqn.exe53⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2028 -
C:\Windows\SysWOW64\Jcaahofh.exeC:\Windows\system32\Jcaahofh.exe54⤵
- Executes dropped EXE
PID:1652 -
C:\Windows\SysWOW64\Klocba32.exeC:\Windows\system32\Klocba32.exe55⤵
- Executes dropped EXE
PID:2316 -
C:\Windows\SysWOW64\Kblhdkgk.exeC:\Windows\system32\Kblhdkgk.exe56⤵
- Executes dropped EXE
PID:944 -
C:\Windows\SysWOW64\Kkiiom32.exeC:\Windows\system32\Kkiiom32.exe57⤵
- Executes dropped EXE
PID:2156 -
C:\Windows\SysWOW64\Lhmjha32.exeC:\Windows\system32\Lhmjha32.exe58⤵
- Executes dropped EXE
PID:2868 -
C:\Windows\SysWOW64\Lhkiae32.exeC:\Windows\system32\Lhkiae32.exe59⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:2980 -
C:\Windows\SysWOW64\Macnjk32.exeC:\Windows\system32\Macnjk32.exe60⤵
- Executes dropped EXE
PID:2544 -
C:\Windows\SysWOW64\Mlhbgc32.exeC:\Windows\system32\Mlhbgc32.exe61⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2984 -
C:\Windows\SysWOW64\Mnlkdk32.exeC:\Windows\system32\Mnlkdk32.exe62⤵
- Executes dropped EXE
PID:2672 -
C:\Windows\SysWOW64\Mkplnp32.exeC:\Windows\system32\Mkplnp32.exe63⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1708 -
C:\Windows\SysWOW64\Mnqdpj32.exeC:\Windows\system32\Mnqdpj32.exe64⤵
- Executes dropped EXE
PID:2260 -
C:\Windows\SysWOW64\Nflidmic.exeC:\Windows\system32\Nflidmic.exe65⤵
- Executes dropped EXE
PID:1976 -
C:\Windows\SysWOW64\Ncpjnahm.exeC:\Windows\system32\Ncpjnahm.exe66⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:432 -
C:\Windows\SysWOW64\Nogjbbma.exeC:\Windows\system32\Nogjbbma.exe67⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2424 -
C:\Windows\SysWOW64\Nkmkgc32.exeC:\Windows\system32\Nkmkgc32.exe68⤵PID:2480
-
C:\Windows\SysWOW64\Nfcoel32.exeC:\Windows\system32\Nfcoel32.exe69⤵PID:912
-
C:\Windows\SysWOW64\Nkphmc32.exeC:\Windows\system32\Nkphmc32.exe70⤵
- Drops file in System32 directory
PID:2192 -
C:\Windows\SysWOW64\Nbjpjm32.exeC:\Windows\system32\Nbjpjm32.exe71⤵
- Modifies registry class
PID:2404 -
C:\Windows\SysWOW64\Nidhfgpl.exeC:\Windows\system32\Nidhfgpl.exe72⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2264 -
C:\Windows\SysWOW64\Oblmom32.exeC:\Windows\system32\Oblmom32.exe73⤵PID:1484
-
C:\Windows\SysWOW64\Ojgado32.exeC:\Windows\system32\Ojgado32.exe74⤵
- System Location Discovery: System Language Discovery
PID:2828 -
C:\Windows\SysWOW64\Onggom32.exeC:\Windows\system32\Onggom32.exe75⤵PID:2524
-
C:\Windows\SysWOW64\Opkpme32.exeC:\Windows\system32\Opkpme32.exe76⤵PID:840
-
C:\Windows\SysWOW64\Pfgeoo32.exeC:\Windows\system32\Pfgeoo32.exe77⤵
- Drops file in System32 directory
PID:3068 -
C:\Windows\SysWOW64\Plfjme32.exeC:\Windows\system32\Plfjme32.exe78⤵
- Drops file in System32 directory
- Modifies registry class
PID:3020 -
C:\Windows\SysWOW64\Phmkaf32.exeC:\Windows\system32\Phmkaf32.exe79⤵PID:2940
-
C:\Windows\SysWOW64\Pbcooo32.exeC:\Windows\system32\Pbcooo32.exe80⤵PID:1380
-
C:\Windows\SysWOW64\Plkchdiq.exeC:\Windows\system32\Plkchdiq.exe81⤵PID:360
-
C:\Windows\SysWOW64\Qhbdmeoe.exeC:\Windows\system32\Qhbdmeoe.exe82⤵PID:2676
-
C:\Windows\SysWOW64\Amaiklki.exeC:\Windows\system32\Amaiklki.exe83⤵
- System Location Discovery: System Language Discovery
PID:1688 -
C:\Windows\SysWOW64\Aihjpman.exeC:\Windows\system32\Aihjpman.exe84⤵
- Modifies registry class
PID:3016 -
C:\Windows\SysWOW64\Apbblg32.exeC:\Windows\system32\Apbblg32.exe85⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1212 -
C:\Windows\SysWOW64\Aijgemok.exeC:\Windows\system32\Aijgemok.exe86⤵
- Drops file in System32 directory
PID:1964 -
C:\Windows\SysWOW64\Abbknb32.exeC:\Windows\system32\Abbknb32.exe87⤵PID:2472
-
C:\Windows\SysWOW64\Aoilcc32.exeC:\Windows\system32\Aoilcc32.exe88⤵PID:2820
-
C:\Windows\SysWOW64\Aecdpmbm.exeC:\Windows\system32\Aecdpmbm.exe89⤵PID:972
-
C:\Windows\SysWOW64\Akpmhdqd.exeC:\Windows\system32\Akpmhdqd.exe90⤵PID:2552
-
C:\Windows\SysWOW64\Bhdmahpn.exeC:\Windows\system32\Bhdmahpn.exe91⤵PID:1924
-
C:\Windows\SysWOW64\Behnkm32.exeC:\Windows\system32\Behnkm32.exe92⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1044 -
C:\Windows\SysWOW64\Bncboo32.exeC:\Windows\system32\Bncboo32.exe93⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2996 -
C:\Windows\SysWOW64\Bkgchckl.exeC:\Windows\system32\Bkgchckl.exe94⤵PID:880
-
C:\Windows\SysWOW64\Bpdkajic.exeC:\Windows\system32\Bpdkajic.exe95⤵PID:2168
-
C:\Windows\SysWOW64\Bdbdgh32.exeC:\Windows\system32\Bdbdgh32.exe96⤵PID:1604
-
C:\Windows\SysWOW64\Blmikkle.exeC:\Windows\system32\Blmikkle.exe97⤵PID:2608
-
C:\Windows\SysWOW64\Cfemdp32.exeC:\Windows\system32\Cfemdp32.exe98⤵PID:1004
-
C:\Windows\SysWOW64\Cblniaii.exeC:\Windows\system32\Cblniaii.exe99⤵PID:1824
-
C:\Windows\SysWOW64\Cbokoa32.exeC:\Windows\system32\Cbokoa32.exe100⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2824 -
C:\Windows\SysWOW64\Cnekcblk.exeC:\Windows\system32\Cnekcblk.exe101⤵PID:908
-
C:\Windows\SysWOW64\Ckilmfke.exeC:\Windows\system32\Ckilmfke.exe102⤵PID:2096
-
C:\Windows\SysWOW64\Cgpmbgai.exeC:\Windows\system32\Cgpmbgai.exe103⤵PID:1672
-
C:\Windows\SysWOW64\Dnjeoa32.exeC:\Windows\system32\Dnjeoa32.exe104⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1572 -
C:\Windows\SysWOW64\Dnmada32.exeC:\Windows\system32\Dnmada32.exe105⤵PID:1072
-
C:\Windows\SysWOW64\Dfhficcn.exeC:\Windows\system32\Dfhficcn.exe106⤵
- Drops file in System32 directory
PID:856 -
C:\Windows\SysWOW64\Dggcbf32.exeC:\Windows\system32\Dggcbf32.exe107⤵
- Drops file in System32 directory
PID:1460 -
C:\Windows\SysWOW64\Dpbgghhl.exeC:\Windows\system32\Dpbgghhl.exe108⤵PID:2884
-
C:\Windows\SysWOW64\Ebcqicem.exeC:\Windows\system32\Ebcqicem.exe109⤵PID:2848
-
C:\Windows\SysWOW64\Eheblj32.exeC:\Windows\system32\Eheblj32.exe110⤵
- Modifies registry class
PID:2796 -
C:\Windows\SysWOW64\Eamgeo32.exeC:\Windows\system32\Eamgeo32.exe111⤵PID:1984
-
C:\Windows\SysWOW64\Enagnc32.exeC:\Windows\system32\Enagnc32.exe112⤵PID:2068
-
C:\Windows\SysWOW64\Fncddc32.exeC:\Windows\system32\Fncddc32.exe113⤵
- System Location Discovery: System Language Discovery
PID:2452 -
C:\Windows\SysWOW64\Fhlhmi32.exeC:\Windows\system32\Fhlhmi32.exe114⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:688 -
C:\Windows\SysWOW64\Fmhaep32.exeC:\Windows\system32\Fmhaep32.exe115⤵PID:2152
-
C:\Windows\SysWOW64\Fjlaod32.exeC:\Windows\system32\Fjlaod32.exe116⤵
- Modifies registry class
PID:3036 -
C:\Windows\SysWOW64\Fdefgimi.exeC:\Windows\system32\Fdefgimi.exe117⤵PID:684
-
C:\Windows\SysWOW64\Fplgljbm.exeC:\Windows\system32\Fplgljbm.exe118⤵
- Modifies registry class
PID:1712 -
C:\Windows\SysWOW64\Ffeoid32.exeC:\Windows\system32\Ffeoid32.exe119⤵PID:2356
-
C:\Windows\SysWOW64\Gaamobdf.exeC:\Windows\system32\Gaamobdf.exe120⤵
- Modifies registry class
PID:1368 -
C:\Windows\SysWOW64\Glgqlkdl.exeC:\Windows\system32\Glgqlkdl.exe121⤵PID:2784
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-