Analysis
-
max time kernel
120s -
max time network
19s -
platform
windows7_x64 -
resource
win7-20240704-en -
resource tags
arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system -
submitted
22-08-2024 22:39
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
a949a2eca824d88d50f9a258da2e6fc0N.exe
Resource
win7-20240704-en
windows7-x64
8 signatures
120 seconds
Behavioral task
behavioral2
Sample
a949a2eca824d88d50f9a258da2e6fc0N.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
7 signatures
120 seconds
General
-
Target
a949a2eca824d88d50f9a258da2e6fc0N.exe
-
Size
79KB
-
MD5
a949a2eca824d88d50f9a258da2e6fc0
-
SHA1
f6c0b33d5ddbc5cefb667f6922a0b53c7e4b13f1
-
SHA256
91df64132a435af1b1fe1556121080fcebc739649ded666a2f41f1631aaa4cfc
-
SHA512
bdba560278d40a3e410162bf1f120538e12e04afa49a351e710459687369b44f6ef353cd43d7efb9ff8feb2700f02766d6ac277e41fb5ec985addfc112fd39ce
-
SSDEEP
1536:gzSg/4aiVYGmOcRbKpZxqYAV/dFwiDq8UEBXiFkSIgiItKq9v6DK:uSciuDV1FwIvUEBXixtBtKq9vV
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kiafff32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kfhmhi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mkcjlhdh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mbdepe32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pnnlfd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fdnabo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kmnonqce.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bodhlane.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bmdehgcf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bpdnjb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cfcajekc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fniikj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fmabaf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jikjcikm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Abnbccia.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aolihc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bkbjmd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gdbeqmag.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Geeekf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hjqpcq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oecpeqdo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pdpcgl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kkqjmlhm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jgdkbo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bagncl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kmbgnl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Llhcad32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cgpnlgak.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fcfmacce.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Djjlmj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hahbam32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dechlfkl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nfpkgblc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Goemhfco.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jigmeagl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gfnnmboa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jodkkj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Difcpc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mcfcai32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aggbif32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lhqpqp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Niopgljl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mbogchnp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dchqkedl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jjjohbgl.exe -
Executes dropped EXE 64 IoCs
pid Process 2192 Eeijpdbd.exe 1724 Eoanij32.exe 2324 Flhkhnel.exe 3020 Faedpdcc.exe 2788 Fhaibnim.exe 2764 Feeilbhg.exe 2644 Fdjfmolo.exe 2304 Gdmcbojl.exe 552 Gpccgppq.exe 1732 Gngdadoj.exe 2008 Gphmbolk.exe 2868 Geeekf32.exe 2516 Galfpgpg.exe 2244 Hnbgdh32.exe 3032 Hkidclbb.exe 532 Hdailaib.exe 2312 Hgbanlfc.exe 1800 Hnljkf32.exe 236 Iiekkdjo.exe 428 Ickoimie.exe 960 Imccab32.exe 1192 Icmlnmgb.exe 2280 Ingmoj32.exe 872 Iilalc32.exe 688 Jbgbjh32.exe 2096 Jgdkbo32.exe 2508 Jalolemm.exe 1604 Jmelfeqn.exe 2772 Jbbenlof.exe 2744 Jfpndkel.exe 2928 Kiafff32.exe 2640 Kalkjh32.exe 1716 Klapha32.exe 1664 Kkglim32.exe 1984 Kdoaackf.exe 1588 Ldangbhd.exe 2136 Lmjbphod.exe 2956 Lbgkhoml.exe 1788 Llooad32.exe 2396 Lmolkg32.exe 2256 Lielphqc.exe 1028 Lelmei32.exe 2188 Nncaejie.exe 952 Nfnfjmgp.exe 1964 Nmkklflj.exe 2572 Nbgcdmjb.exe 912 Nkphmc32.exe 2208 Nfeljlqh.exe 1504 Nkbdbbop.exe 1636 Oblmom32.exe 2428 Okdahbmm.exe 1700 Obniel32.exe 2892 Ocpfmd32.exe 2900 Oeobfgak.exe 2856 Onggom32.exe 1996 Ogpkhb32.exe 1364 Ojnhdn32.exe 1252 Obilip32.exe 3064 Picdejbg.exe 2408 Pciiccbm.exe 2228 Pifakj32.exe 1920 Pihnqj32.exe 668 Pnefiq32.exe 268 Pjlgna32.exe -
Loads dropped DLL 64 IoCs
pid Process 2552 a949a2eca824d88d50f9a258da2e6fc0N.exe 2552 a949a2eca824d88d50f9a258da2e6fc0N.exe 2192 Eeijpdbd.exe 2192 Eeijpdbd.exe 1724 Eoanij32.exe 1724 Eoanij32.exe 2324 Flhkhnel.exe 2324 Flhkhnel.exe 3020 Faedpdcc.exe 3020 Faedpdcc.exe 2788 Fhaibnim.exe 2788 Fhaibnim.exe 2764 Feeilbhg.exe 2764 Feeilbhg.exe 2644 Fdjfmolo.exe 2644 Fdjfmolo.exe 2304 Gdmcbojl.exe 2304 Gdmcbojl.exe 552 Gpccgppq.exe 552 Gpccgppq.exe 1732 Gngdadoj.exe 1732 Gngdadoj.exe 2008 Gphmbolk.exe 2008 Gphmbolk.exe 2868 Geeekf32.exe 2868 Geeekf32.exe 2516 Galfpgpg.exe 2516 Galfpgpg.exe 2244 Hnbgdh32.exe 2244 Hnbgdh32.exe 3032 Hkidclbb.exe 3032 Hkidclbb.exe 532 Hdailaib.exe 532 Hdailaib.exe 2312 Hgbanlfc.exe 2312 Hgbanlfc.exe 1800 Hnljkf32.exe 1800 Hnljkf32.exe 236 Iiekkdjo.exe 236 Iiekkdjo.exe 428 Ickoimie.exe 428 Ickoimie.exe 960 Imccab32.exe 960 Imccab32.exe 1192 Icmlnmgb.exe 1192 Icmlnmgb.exe 2280 Ingmoj32.exe 2280 Ingmoj32.exe 872 Iilalc32.exe 872 Iilalc32.exe 688 Jbgbjh32.exe 688 Jbgbjh32.exe 2096 Jgdkbo32.exe 2096 Jgdkbo32.exe 2508 Jalolemm.exe 2508 Jalolemm.exe 1604 Jmelfeqn.exe 1604 Jmelfeqn.exe 2772 Jbbenlof.exe 2772 Jbbenlof.exe 2744 Jfpndkel.exe 2744 Jfpndkel.exe 2928 Kiafff32.exe 2928 Kiafff32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Bhlmef32.exe Bodhlane.exe File created C:\Windows\SysWOW64\Fhpfpkog.dll Camlpldf.exe File opened for modification C:\Windows\SysWOW64\Edbjljpm.exe Eilfoapg.exe File opened for modification C:\Windows\SysWOW64\Kiafff32.exe Jfpndkel.exe File created C:\Windows\SysWOW64\Hnmcne32.exe Hddoep32.exe File opened for modification C:\Windows\SysWOW64\Kcpcjl32.exe Kldofi32.exe File opened for modification C:\Windows\SysWOW64\Aqkmgl32.exe Qjaejbmq.exe File created C:\Windows\SysWOW64\Aqpgblqh.exe Aggbif32.exe File opened for modification C:\Windows\SysWOW64\Ggabhmge.exe Gebflaga.exe File created C:\Windows\SysWOW64\Gmllmn32.dll Bcbhmehg.exe File opened for modification C:\Windows\SysWOW64\Mlgjce32.exe Mboekp32.exe File created C:\Windows\SysWOW64\Genklp32.dll Cbebjpaa.exe File created C:\Windows\SysWOW64\Hgamdk32.dll Process not Found File opened for modification C:\Windows\SysWOW64\Enajgllm.exe Eclejclg.exe File created C:\Windows\SysWOW64\Ocbekmpi.exe Onelbfab.exe File created C:\Windows\SysWOW64\Edkbdf32.exe Enajgllm.exe File created C:\Windows\SysWOW64\Cojlfckj.exe Cgogbano.exe File created C:\Windows\SysWOW64\Icbhoe32.dll Process not Found File created C:\Windows\SysWOW64\Fdmkpenk.dll Process not Found File created C:\Windows\SysWOW64\Iicbdnjn.dll Dqknqleg.exe File opened for modification C:\Windows\SysWOW64\Oqcafg32.exe Process not Found File created C:\Windows\SysWOW64\Dakeak32.dll Hahbam32.exe File opened for modification C:\Windows\SysWOW64\Pjnbem32.exe Process not Found File created C:\Windows\SysWOW64\Eqfcpb32.dll Ohdmhhod.exe File opened for modification C:\Windows\SysWOW64\Hkbagjfi.exe Hgdhakpb.exe File opened for modification C:\Windows\SysWOW64\Nfbogh32.exe Nqffoa32.exe File created C:\Windows\SysWOW64\Omdokj32.dll Klnljghg.exe File created C:\Windows\SysWOW64\Bhgobc32.dll Process not Found File opened for modification C:\Windows\SysWOW64\Koeqhp32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Picdejbg.exe Obilip32.exe File created C:\Windows\SysWOW64\Kjdnenjf.dll Ildjlmfb.exe File created C:\Windows\SysWOW64\Ooflne32.dll Process not Found File created C:\Windows\SysWOW64\Kqomai32.exe Kolcdahb.exe File created C:\Windows\SysWOW64\Ogpnakfp.exe Onhihepp.exe File created C:\Windows\SysWOW64\Ofiemojo.dll Nelgkhdp.exe File opened for modification C:\Windows\SysWOW64\Looajf32.exe Lgaoqdmk.exe File opened for modification C:\Windows\SysWOW64\Cfmceomm.exe Ckgogfmg.exe File created C:\Windows\SysWOW64\Goadik32.exe Goohckob.exe File created C:\Windows\SysWOW64\Ggppfg32.dll Process not Found File created C:\Windows\SysWOW64\Fdockgqp.exe Fhhbffkk.exe File created C:\Windows\SysWOW64\Bdlhjkpi.dll Pjafbfca.exe File opened for modification C:\Windows\SysWOW64\Hfhjfp32.exe Hakani32.exe File opened for modification C:\Windows\SysWOW64\Ilneef32.exe Haiagm32.exe File opened for modification C:\Windows\SysWOW64\Gloppi32.exe Gajlcp32.exe File created C:\Windows\SysWOW64\Boohgk32.exe Bhdpjaga.exe File created C:\Windows\SysWOW64\Idofmp32.exe Ifkecl32.exe File opened for modification C:\Windows\SysWOW64\Cfpmqg32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Hcmajo32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Epinhg32.exe Eipekmjg.exe File created C:\Windows\SysWOW64\Dohnfc32.exe Cjlenm32.exe File created C:\Windows\SysWOW64\Jeelld32.dll Oqnfqcjk.exe File created C:\Windows\SysWOW64\Dophid32.exe Ddkdkk32.exe File opened for modification C:\Windows\SysWOW64\Ejbgpk32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Dhbhloho.exe Process not Found File opened for modification C:\Windows\SysWOW64\Ffjnpeen.exe Process not Found File opened for modification C:\Windows\SysWOW64\Ljcdifag.exe Process not Found File created C:\Windows\SysWOW64\Dmlffcog.dll Bfdlehlc.exe File opened for modification C:\Windows\SysWOW64\Legohm32.exe Lnmglbgh.exe File created C:\Windows\SysWOW64\Llhcad32.exe Llefld32.exe File created C:\Windows\SysWOW64\Ipapko32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Abkncmhh.exe Qhejed32.exe File created C:\Windows\SysWOW64\Aibjlcli.exe Process not Found File created C:\Windows\SysWOW64\Gjingc32.dll Lpiqel32.exe File created C:\Windows\SysWOW64\Mlfgkleh.exe Memonbnl.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 3020 2908 Process not Found 1409 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Beqogc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Npgknf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aggbif32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gpppifii.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ebemnc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nnofbg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Odknmi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Anepooja.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ddkdkk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Alpmep32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cdfmddff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ndekok32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ppjfkb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jcnloa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cbebjpaa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dlmcaijm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aiagck32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hkepfb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iocekd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kfhmhi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lpiqel32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Opaeok32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Njiocobg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mocjeedn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jennjblp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cidklp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qecejnco.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nnkqih32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Apheke32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cdmbiojc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kjhajo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Makhlkel.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bgqqcd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jjmchhhe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pafacd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cialng32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eligoe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jolingnk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ghpngkhm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mkcjlhdh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bhlmef32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dllnphkd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eoanij32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Obniel32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jpboan32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kknfme32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hifdjcif.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Opoocb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Naebmppm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hgdhakpb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jbgbjh32.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Makmnh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dnkggjpj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Iljjabfh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kbcjkbdi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ajqbne32.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Omaepoml.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jbfpcl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Joccei32.dll" Dobcekld.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbfpaf32.dll" Edgfpbcl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gknjecab.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jofjcfle.dll" Kcpcjl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pnnlfd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Edgcdc32.dll" Iiablido.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjmmld32.dll" Kjngjj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cdbqflae.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ohmllf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kniigilp.dll" Lhicao32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcfnie32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fqehcpaf.dll" Flhkhnel.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jajcaj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Emjglkmo.dll" Jpkbfi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Moemgild.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gloibpen.dll" Lbgkhoml.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfkldo32.dll" Cnhhia32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgapfkgp.dll" Djcbib32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Johmhhhj.dll" Ggabhmge.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Inqjbhhh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pnicgi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kgbofije.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hgbanlfc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jgeoda32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pnefiq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Poldnf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mcbdkelg.dll" Pnhhpaio.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kedonn32.dll" Ppnpfagc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hlphof32.dll" Llfiemfj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Momckfid.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hpcnmnnh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Feofpqkn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lopbcgno.dll" Dccgpf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ilffkp32.dll" Ihmene32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dijjbb32.dll" Bpdihedp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bpfhfjgq.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bmpooiji.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ilneef32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ehbgbngm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lajfkpod.dll" Oipdhm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kqomai32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fjbngi32.dll" Afoqbpid.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Alnmhici.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iiicjf32.dll" Icmlnmgb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpnooe32.dll" Pgkjji32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Agkfil32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dekmoh32.dll" Abnpjnem.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cnlmqook.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jhjnmb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hkbagjfi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ggeoka32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2552 wrote to memory of 2192 2552 a949a2eca824d88d50f9a258da2e6fc0N.exe 29 PID 2552 wrote to memory of 2192 2552 a949a2eca824d88d50f9a258da2e6fc0N.exe 29 PID 2552 wrote to memory of 2192 2552 a949a2eca824d88d50f9a258da2e6fc0N.exe 29 PID 2552 wrote to memory of 2192 2552 a949a2eca824d88d50f9a258da2e6fc0N.exe 29 PID 2192 wrote to memory of 1724 2192 Eeijpdbd.exe 30 PID 2192 wrote to memory of 1724 2192 Eeijpdbd.exe 30 PID 2192 wrote to memory of 1724 2192 Eeijpdbd.exe 30 PID 2192 wrote to memory of 1724 2192 Eeijpdbd.exe 30 PID 1724 wrote to memory of 2324 1724 Eoanij32.exe 31 PID 1724 wrote to memory of 2324 1724 Eoanij32.exe 31 PID 1724 wrote to memory of 2324 1724 Eoanij32.exe 31 PID 1724 wrote to memory of 2324 1724 Eoanij32.exe 31 PID 2324 wrote to memory of 3020 2324 Flhkhnel.exe 32 PID 2324 wrote to memory of 3020 2324 Flhkhnel.exe 32 PID 2324 wrote to memory of 3020 2324 Flhkhnel.exe 32 PID 2324 wrote to memory of 3020 2324 Flhkhnel.exe 32 PID 3020 wrote to memory of 2788 3020 Faedpdcc.exe 33 PID 3020 wrote to memory of 2788 3020 Faedpdcc.exe 33 PID 3020 wrote to memory of 2788 3020 Faedpdcc.exe 33 PID 3020 wrote to memory of 2788 3020 Faedpdcc.exe 33 PID 2788 wrote to memory of 2764 2788 Fhaibnim.exe 34 PID 2788 wrote to memory of 2764 2788 Fhaibnim.exe 34 PID 2788 wrote to memory of 2764 2788 Fhaibnim.exe 34 PID 2788 wrote to memory of 2764 2788 Fhaibnim.exe 34 PID 2764 wrote to memory of 2644 2764 Feeilbhg.exe 35 PID 2764 wrote to memory of 2644 2764 Feeilbhg.exe 35 PID 2764 wrote to memory of 2644 2764 Feeilbhg.exe 35 PID 2764 wrote to memory of 2644 2764 Feeilbhg.exe 35 PID 2644 wrote to memory of 2304 2644 Fdjfmolo.exe 36 PID 2644 wrote to memory of 2304 2644 Fdjfmolo.exe 36 PID 2644 wrote to memory of 2304 2644 Fdjfmolo.exe 36 PID 2644 wrote to memory of 2304 2644 Fdjfmolo.exe 36 PID 2304 wrote to memory of 552 2304 Gdmcbojl.exe 37 PID 2304 wrote to memory of 552 2304 Gdmcbojl.exe 37 PID 2304 wrote to memory of 552 2304 Gdmcbojl.exe 37 PID 2304 wrote to memory of 552 2304 Gdmcbojl.exe 37 PID 552 wrote to memory of 1732 552 Gpccgppq.exe 38 PID 552 wrote to memory of 1732 552 Gpccgppq.exe 38 PID 552 wrote to memory of 1732 552 Gpccgppq.exe 38 PID 552 wrote to memory of 1732 552 Gpccgppq.exe 38 PID 1732 wrote to memory of 2008 1732 Gngdadoj.exe 39 PID 1732 wrote to memory of 2008 1732 Gngdadoj.exe 39 PID 1732 wrote to memory of 2008 1732 Gngdadoj.exe 39 PID 1732 wrote to memory of 2008 1732 Gngdadoj.exe 39 PID 2008 wrote to memory of 2868 2008 Gphmbolk.exe 40 PID 2008 wrote to memory of 2868 2008 Gphmbolk.exe 40 PID 2008 wrote to memory of 2868 2008 Gphmbolk.exe 40 PID 2008 wrote to memory of 2868 2008 Gphmbolk.exe 40 PID 2868 wrote to memory of 2516 2868 Geeekf32.exe 41 PID 2868 wrote to memory of 2516 2868 Geeekf32.exe 41 PID 2868 wrote to memory of 2516 2868 Geeekf32.exe 41 PID 2868 wrote to memory of 2516 2868 Geeekf32.exe 41 PID 2516 wrote to memory of 2244 2516 Galfpgpg.exe 42 PID 2516 wrote to memory of 2244 2516 Galfpgpg.exe 42 PID 2516 wrote to memory of 2244 2516 Galfpgpg.exe 42 PID 2516 wrote to memory of 2244 2516 Galfpgpg.exe 42 PID 2244 wrote to memory of 3032 2244 Hnbgdh32.exe 43 PID 2244 wrote to memory of 3032 2244 Hnbgdh32.exe 43 PID 2244 wrote to memory of 3032 2244 Hnbgdh32.exe 43 PID 2244 wrote to memory of 3032 2244 Hnbgdh32.exe 43 PID 3032 wrote to memory of 532 3032 Hkidclbb.exe 44 PID 3032 wrote to memory of 532 3032 Hkidclbb.exe 44 PID 3032 wrote to memory of 532 3032 Hkidclbb.exe 44 PID 3032 wrote to memory of 532 3032 Hkidclbb.exe 44
Processes
-
C:\Users\Admin\AppData\Local\Temp\a949a2eca824d88d50f9a258da2e6fc0N.exe"C:\Users\Admin\AppData\Local\Temp\a949a2eca824d88d50f9a258da2e6fc0N.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2552 -
C:\Windows\SysWOW64\Eeijpdbd.exeC:\Windows\system32\Eeijpdbd.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2192 -
C:\Windows\SysWOW64\Eoanij32.exeC:\Windows\system32\Eoanij32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1724 -
C:\Windows\SysWOW64\Flhkhnel.exeC:\Windows\system32\Flhkhnel.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2324 -
C:\Windows\SysWOW64\Faedpdcc.exeC:\Windows\system32\Faedpdcc.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3020 -
C:\Windows\SysWOW64\Fhaibnim.exeC:\Windows\system32\Fhaibnim.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2788 -
C:\Windows\SysWOW64\Feeilbhg.exeC:\Windows\system32\Feeilbhg.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2764 -
C:\Windows\SysWOW64\Fdjfmolo.exeC:\Windows\system32\Fdjfmolo.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2644 -
C:\Windows\SysWOW64\Gdmcbojl.exeC:\Windows\system32\Gdmcbojl.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2304 -
C:\Windows\SysWOW64\Gpccgppq.exeC:\Windows\system32\Gpccgppq.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:552 -
C:\Windows\SysWOW64\Gngdadoj.exeC:\Windows\system32\Gngdadoj.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1732 -
C:\Windows\SysWOW64\Gphmbolk.exeC:\Windows\system32\Gphmbolk.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2008 -
C:\Windows\SysWOW64\Geeekf32.exeC:\Windows\system32\Geeekf32.exe13⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2868 -
C:\Windows\SysWOW64\Galfpgpg.exeC:\Windows\system32\Galfpgpg.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2516 -
C:\Windows\SysWOW64\Hnbgdh32.exeC:\Windows\system32\Hnbgdh32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2244 -
C:\Windows\SysWOW64\Hkidclbb.exeC:\Windows\system32\Hkidclbb.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3032 -
C:\Windows\SysWOW64\Hdailaib.exeC:\Windows\system32\Hdailaib.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:532 -
C:\Windows\SysWOW64\Hgbanlfc.exeC:\Windows\system32\Hgbanlfc.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2312 -
C:\Windows\SysWOW64\Hnljkf32.exeC:\Windows\system32\Hnljkf32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1800 -
C:\Windows\SysWOW64\Iiekkdjo.exeC:\Windows\system32\Iiekkdjo.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:236 -
C:\Windows\SysWOW64\Ickoimie.exeC:\Windows\system32\Ickoimie.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:428 -
C:\Windows\SysWOW64\Imccab32.exeC:\Windows\system32\Imccab32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:960 -
C:\Windows\SysWOW64\Icmlnmgb.exeC:\Windows\system32\Icmlnmgb.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1192 -
C:\Windows\SysWOW64\Ingmoj32.exeC:\Windows\system32\Ingmoj32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2280 -
C:\Windows\SysWOW64\Iilalc32.exeC:\Windows\system32\Iilalc32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:872 -
C:\Windows\SysWOW64\Jbgbjh32.exeC:\Windows\system32\Jbgbjh32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:688 -
C:\Windows\SysWOW64\Jgdkbo32.exeC:\Windows\system32\Jgdkbo32.exe27⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2096 -
C:\Windows\SysWOW64\Jalolemm.exeC:\Windows\system32\Jalolemm.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2508 -
C:\Windows\SysWOW64\Jmelfeqn.exeC:\Windows\system32\Jmelfeqn.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1604 -
C:\Windows\SysWOW64\Jbbenlof.exeC:\Windows\system32\Jbbenlof.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2772 -
C:\Windows\SysWOW64\Jfpndkel.exeC:\Windows\system32\Jfpndkel.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2744 -
C:\Windows\SysWOW64\Kiafff32.exeC:\Windows\system32\Kiafff32.exe32⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2928 -
C:\Windows\SysWOW64\Kalkjh32.exeC:\Windows\system32\Kalkjh32.exe33⤵
- Executes dropped EXE
PID:2640 -
C:\Windows\SysWOW64\Klapha32.exeC:\Windows\system32\Klapha32.exe34⤵
- Executes dropped EXE
PID:1716 -
C:\Windows\SysWOW64\Kkglim32.exeC:\Windows\system32\Kkglim32.exe35⤵
- Executes dropped EXE
PID:1664 -
C:\Windows\SysWOW64\Kdoaackf.exeC:\Windows\system32\Kdoaackf.exe36⤵
- Executes dropped EXE
PID:1984 -
C:\Windows\SysWOW64\Ldangbhd.exeC:\Windows\system32\Ldangbhd.exe37⤵
- Executes dropped EXE
PID:1588 -
C:\Windows\SysWOW64\Lmjbphod.exeC:\Windows\system32\Lmjbphod.exe38⤵
- Executes dropped EXE
PID:2136 -
C:\Windows\SysWOW64\Lbgkhoml.exeC:\Windows\system32\Lbgkhoml.exe39⤵
- Executes dropped EXE
- Modifies registry class
PID:2956 -
C:\Windows\SysWOW64\Llooad32.exeC:\Windows\system32\Llooad32.exe40⤵
- Executes dropped EXE
PID:1788 -
C:\Windows\SysWOW64\Lmolkg32.exeC:\Windows\system32\Lmolkg32.exe41⤵
- Executes dropped EXE
PID:2396 -
C:\Windows\SysWOW64\Lielphqc.exeC:\Windows\system32\Lielphqc.exe42⤵
- Executes dropped EXE
PID:2256 -
C:\Windows\SysWOW64\Lelmei32.exeC:\Windows\system32\Lelmei32.exe43⤵
- Executes dropped EXE
PID:1028 -
C:\Windows\SysWOW64\Nncaejie.exeC:\Windows\system32\Nncaejie.exe44⤵
- Executes dropped EXE
PID:2188 -
C:\Windows\SysWOW64\Nfnfjmgp.exeC:\Windows\system32\Nfnfjmgp.exe45⤵
- Executes dropped EXE
PID:952 -
C:\Windows\SysWOW64\Nmkklflj.exeC:\Windows\system32\Nmkklflj.exe46⤵
- Executes dropped EXE
PID:1964 -
C:\Windows\SysWOW64\Nbgcdmjb.exeC:\Windows\system32\Nbgcdmjb.exe47⤵
- Executes dropped EXE
PID:2572 -
C:\Windows\SysWOW64\Nkphmc32.exeC:\Windows\system32\Nkphmc32.exe48⤵
- Executes dropped EXE
PID:912 -
C:\Windows\SysWOW64\Nfeljlqh.exeC:\Windows\system32\Nfeljlqh.exe49⤵
- Executes dropped EXE
PID:2208 -
C:\Windows\SysWOW64\Nkbdbbop.exeC:\Windows\system32\Nkbdbbop.exe50⤵
- Executes dropped EXE
PID:1504 -
C:\Windows\SysWOW64\Oblmom32.exeC:\Windows\system32\Oblmom32.exe51⤵
- Executes dropped EXE
PID:1636 -
C:\Windows\SysWOW64\Okdahbmm.exeC:\Windows\system32\Okdahbmm.exe52⤵
- Executes dropped EXE
PID:2428 -
C:\Windows\SysWOW64\Obniel32.exeC:\Windows\system32\Obniel32.exe53⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1700 -
C:\Windows\SysWOW64\Ocpfmd32.exeC:\Windows\system32\Ocpfmd32.exe54⤵
- Executes dropped EXE
PID:2892 -
C:\Windows\SysWOW64\Oeobfgak.exeC:\Windows\system32\Oeobfgak.exe55⤵
- Executes dropped EXE
PID:2900 -
C:\Windows\SysWOW64\Onggom32.exeC:\Windows\system32\Onggom32.exe56⤵
- Executes dropped EXE
PID:2856 -
C:\Windows\SysWOW64\Ogpkhb32.exeC:\Windows\system32\Ogpkhb32.exe57⤵
- Executes dropped EXE
PID:1996 -
C:\Windows\SysWOW64\Ojnhdn32.exeC:\Windows\system32\Ojnhdn32.exe58⤵
- Executes dropped EXE
PID:1364 -
C:\Windows\SysWOW64\Obilip32.exeC:\Windows\system32\Obilip32.exe59⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1252 -
C:\Windows\SysWOW64\Picdejbg.exeC:\Windows\system32\Picdejbg.exe60⤵
- Executes dropped EXE
PID:3064 -
C:\Windows\SysWOW64\Pciiccbm.exeC:\Windows\system32\Pciiccbm.exe61⤵
- Executes dropped EXE
PID:2408 -
C:\Windows\SysWOW64\Pifakj32.exeC:\Windows\system32\Pifakj32.exe62⤵
- Executes dropped EXE
PID:2228 -
C:\Windows\SysWOW64\Pihnqj32.exeC:\Windows\system32\Pihnqj32.exe63⤵
- Executes dropped EXE
PID:1920 -
C:\Windows\SysWOW64\Pnefiq32.exeC:\Windows\system32\Pnefiq32.exe64⤵
- Executes dropped EXE
- Modifies registry class
PID:668 -
C:\Windows\SysWOW64\Pjlgna32.exeC:\Windows\system32\Pjlgna32.exe65⤵
- Executes dropped EXE
PID:268 -
C:\Windows\SysWOW64\Pddlggin.exeC:\Windows\system32\Pddlggin.exe66⤵PID:1656
-
C:\Windows\SysWOW64\Pnjpdphd.exeC:\Windows\system32\Pnjpdphd.exe67⤵PID:1756
-
C:\Windows\SysWOW64\Qdfhlggl.exeC:\Windows\system32\Qdfhlggl.exe68⤵PID:2384
-
C:\Windows\SysWOW64\Qjqqianh.exeC:\Windows\system32\Qjqqianh.exe69⤵PID:1648
-
C:\Windows\SysWOW64\Qajiek32.exeC:\Windows\system32\Qajiek32.exe70⤵PID:848
-
C:\Windows\SysWOW64\Qifnjm32.exeC:\Windows\system32\Qifnjm32.exe71⤵PID:1652
-
C:\Windows\SysWOW64\Appfggjm.exeC:\Windows\system32\Appfggjm.exe72⤵PID:2860
-
C:\Windows\SysWOW64\Abnbccia.exeC:\Windows\system32\Abnbccia.exe73⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2960 -
C:\Windows\SysWOW64\Aihjpman.exeC:\Windows\system32\Aihjpman.exe74⤵PID:2676
-
C:\Windows\SysWOW64\Apbblg32.exeC:\Windows\system32\Apbblg32.exe75⤵PID:1868
-
C:\Windows\SysWOW64\Aflkiapg.exeC:\Windows\system32\Aflkiapg.exe76⤵PID:1116
-
C:\Windows\SysWOW64\Apdobg32.exeC:\Windows\system32\Apdobg32.exe77⤵PID:2404
-
C:\Windows\SysWOW64\Afngoand.exeC:\Windows\system32\Afngoand.exe78⤵PID:1828
-
C:\Windows\SysWOW64\Ahpdficc.exeC:\Windows\system32\Ahpdficc.exe79⤵PID:2272
-
C:\Windows\SysWOW64\Apglgfde.exeC:\Windows\system32\Apglgfde.exe80⤵PID:2296
-
C:\Windows\SysWOW64\Aecdpmbm.exeC:\Windows\system32\Aecdpmbm.exe81⤵PID:632
-
C:\Windows\SysWOW64\Aolihc32.exeC:\Windows\system32\Aolihc32.exe82⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:580 -
C:\Windows\SysWOW64\Aefaemqj.exeC:\Windows\system32\Aefaemqj.exe83⤵PID:1816
-
C:\Windows\SysWOW64\Bkbjmd32.exeC:\Windows\system32\Bkbjmd32.exe84⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2140 -
C:\Windows\SysWOW64\Bgijbede.exeC:\Windows\system32\Bgijbede.exe85⤵PID:1284
-
C:\Windows\SysWOW64\Boqbcbeh.exeC:\Windows\system32\Boqbcbeh.exe86⤵PID:864
-
C:\Windows\SysWOW64\Bdmklico.exeC:\Windows\system32\Bdmklico.exe87⤵PID:2156
-
C:\Windows\SysWOW64\Bkgchckl.exeC:\Windows\system32\Bkgchckl.exe88⤵PID:2832
-
C:\Windows\SysWOW64\Bcbhmehg.exeC:\Windows\system32\Bcbhmehg.exe89⤵
- Drops file in System32 directory
PID:2656 -
C:\Windows\SysWOW64\Bkjpncii.exeC:\Windows\system32\Bkjpncii.exe90⤵PID:2624
-
C:\Windows\SysWOW64\Bpfhfjgq.exeC:\Windows\system32\Bpfhfjgq.exe91⤵
- Modifies registry class
PID:1708 -
C:\Windows\SysWOW64\Bgqqcd32.exeC:\Windows\system32\Bgqqcd32.exe92⤵
- System Location Discovery: System Language Discovery
PID:2988 -
C:\Windows\SysWOW64\Blmikkle.exeC:\Windows\system32\Blmikkle.exe93⤵PID:2236
-
C:\Windows\SysWOW64\Ccgahe32.exeC:\Windows\system32\Ccgahe32.exe94⤵PID:2284
-
C:\Windows\SysWOW64\Clpeajjb.exeC:\Windows\system32\Clpeajjb.exe95⤵PID:2600
-
C:\Windows\SysWOW64\Cblniaii.exeC:\Windows\system32\Cblniaii.exe96⤵PID:692
-
C:\Windows\SysWOW64\Ckebbgoj.exeC:\Windows\system32\Ckebbgoj.exe97⤵PID:624
-
C:\Windows\SysWOW64\Cclkcdpl.exeC:\Windows\system32\Cclkcdpl.exe98⤵PID:2100
-
C:\Windows\SysWOW64\Ckgogfmg.exeC:\Windows\system32\Ckgogfmg.exe99⤵
- Drops file in System32 directory
PID:2548 -
C:\Windows\SysWOW64\Cfmceomm.exeC:\Windows\system32\Cfmceomm.exe100⤵PID:1048
-
C:\Windows\SysWOW64\Cnhhia32.exeC:\Windows\system32\Cnhhia32.exe101⤵
- Modifies registry class
PID:2784 -
C:\Windows\SysWOW64\Cdbqflae.exeC:\Windows\system32\Cdbqflae.exe102⤵
- Modifies registry class
PID:2740 -
C:\Windows\SysWOW64\Dnjeoa32.exeC:\Windows\system32\Dnjeoa32.exe103⤵PID:2704
-
C:\Windows\SysWOW64\Dqiakm32.exeC:\Windows\system32\Dqiakm32.exe104⤵PID:1072
-
C:\Windows\SysWOW64\Djaedbnj.exeC:\Windows\system32\Djaedbnj.exe105⤵PID:1736
-
C:\Windows\SysWOW64\Dqknqleg.exeC:\Windows\system32\Dqknqleg.exe106⤵
- Drops file in System32 directory
PID:3036 -
C:\Windows\SysWOW64\Djcbib32.exeC:\Windows\system32\Djcbib32.exe107⤵
- Modifies registry class
PID:1244 -
C:\Windows\SysWOW64\Dqmkflcd.exeC:\Windows\system32\Dqmkflcd.exe108⤵PID:948
-
C:\Windows\SysWOW64\Djfooa32.exeC:\Windows\system32\Djfooa32.exe109⤵PID:2120
-
C:\Windows\SysWOW64\Dqpgll32.exeC:\Windows\system32\Dqpgll32.exe110⤵PID:3040
-
C:\Windows\SysWOW64\Dkihli32.exeC:\Windows\system32\Dkihli32.exe111⤵PID:2080
-
C:\Windows\SysWOW64\Dcppmg32.exeC:\Windows\system32\Dcppmg32.exe112⤵PID:1608
-
C:\Windows\SysWOW64\Elleai32.exeC:\Windows\system32\Elleai32.exe113⤵PID:2840
-
C:\Windows\SysWOW64\Ebemnc32.exeC:\Windows\system32\Ebemnc32.exe114⤵
- System Location Discovery: System Language Discovery
PID:2124 -
C:\Windows\SysWOW64\Eipekmjg.exeC:\Windows\system32\Eipekmjg.exe115⤵
- Drops file in System32 directory
PID:2804 -
C:\Windows\SysWOW64\Epinhg32.exeC:\Windows\system32\Epinhg32.exe116⤵PID:768
-
C:\Windows\SysWOW64\Ejcohe32.exeC:\Windows\system32\Ejcohe32.exe117⤵PID:2052
-
C:\Windows\SysWOW64\Ebjfiboe.exeC:\Windows\system32\Ebjfiboe.exe118⤵PID:888
-
C:\Windows\SysWOW64\Eckcak32.exeC:\Windows\system32\Eckcak32.exe119⤵PID:2224
-
C:\Windows\SysWOW64\Elbkbh32.exeC:\Windows\system32\Elbkbh32.exe120⤵PID:1860
-
C:\Windows\SysWOW64\Emdgjpkd.exeC:\Windows\system32\Emdgjpkd.exe121⤵PID:3044
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-