Analysis
-
max time kernel
68s -
max time network
19s -
platform
windows7_x64 -
resource
win7-20240704-en -
resource tags
arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system -
submitted
24/08/2024, 21:14
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
0ba352cc28662a4a140bb50223041029c52e886e4fdea3a36fd7fdd24eed4bc4.exe
Resource
win7-20240704-en
windows7-x64
8 signatures
150 seconds
Behavioral task
behavioral2
Sample
0ba352cc28662a4a140bb50223041029c52e886e4fdea3a36fd7fdd24eed4bc4.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
7 signatures
150 seconds
General
-
Target
0ba352cc28662a4a140bb50223041029c52e886e4fdea3a36fd7fdd24eed4bc4.exe
-
Size
664KB
-
MD5
8c097fb4396e3c47344294d555c0c5f0
-
SHA1
0c0e6495987329014f9b90b3e109dfc81b2bca6a
-
SHA256
0ba352cc28662a4a140bb50223041029c52e886e4fdea3a36fd7fdd24eed4bc4
-
SHA512
52c896e2defe2767ff07b0ee827fc9faed1787972fd8b59af2d1d46b6e36547484d0a2af7f4909f9db31351c68e8b6a3c7bf0bdd62208ea8cdf13342ba431b7b
-
SSDEEP
12288:dXnP4JpV6yYPVpV6yYPg058KpV6yYPNUir2MhNl6zX3w9As/xO23WM6tJmDYjmRS:dXQJWVWleKWNUir2MhNl6zX3w9As/xOX
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jblbpnhk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Mkbhco32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bgqeea32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ifkfap32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Khjkiikl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jilmkffb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ndfppije.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Enlncdio.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Aaogbh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cjdmee32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Bhdmahpn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ankabh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Fgjmfa32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ijmdql32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Pedokpcm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bkonkpqk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jiinmnaa.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Djaedbnj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nnpofe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ebmjihqn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Faopib32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jbjejojn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jajbfeop.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Kiccle32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Egfglocf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fdjddf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gcfgfack.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Llcfck32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Iefeaj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oenmkngi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ihaldgak.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ijmdql32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Keehmobp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Fkjbpkag.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ohqbbi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ifgooikk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pgopak32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gfhikl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hjfbaj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Plfjme32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jeblgodb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ghnfci32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bhngbm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Fbbcdh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qdieaf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Lqmliqfj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ieqbbl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jigagocd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Bokcom32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qlnghj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Aabfqp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Pgopak32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Copljmpo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aeokdn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Fehodaqd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Hgmhcm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hfdbji32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lbhphdab.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Cmmcae32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hojqjp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hkdkhl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Aahhoo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cdbqflae.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nakeib32.exe -
Executes dropped EXE 64 IoCs
pid Process 2300 Lbhphdab.exe 2888 Lhbhdnio.exe 2344 Lqmliqfj.exe 2680 Lgiakjld.exe 2660 Mfakbf32.exe 2076 Mcekkkmc.exe 1948 Ndehjnpo.exe 840 Nakeib32.exe 2844 Nlefjpid.exe 2196 Pihbbgjj.exe 1384 Pgopak32.exe 1464 Pgamgken.exe 2164 Aaogbh32.exe 2376 Ankabh32.exe 2248 Bocckoom.exe 2368 Bgqeea32.exe 1924 Bkonkpqk.exe 1316 Daplmimi.exe 2452 Dmgmbj32.exe 2232 Dofilm32.exe 368 Ddcadd32.exe 2152 Eagbnh32.exe 612 Egdjfo32.exe 1772 Egfglocf.exe 2244 Eghdanac.exe 1332 Eenabkfk.exe 1664 Fcaaloed.exe 2764 Fdekigip.exe 2672 Fplknh32.exe 2584 Fdjddf32.exe 2696 Fgjmfa32.exe 1892 Ghnfci32.exe 2420 Gfbfln32.exe 2688 Gcfgfack.exe 976 Gnphfppi.exe 1092 Gkchpcoc.exe 1888 Hbnqln32.exe 1996 Hfbckagm.exe 1036 Hcfceeff.exe 2308 Hjbhgolp.exe 2356 Iigehk32.exe 2200 Ifkfap32.exe 1820 Ilhnjfmi.exe 1860 Ieqbbl32.exe 1864 Ijmkkc32.exe 808 Ihaldgak.exe 1364 Ieelnkpd.exe 1360 Jmpqbnmp.exe 1812 Jigagocd.exe 884 Jiinmnaa.exe 2652 Jdobjgqg.exe 2812 Jpfcohfk.exe 2444 Jeblgodb.exe 2180 Keehmobp.exe 2132 Kommediq.exe 2904 Kegebn32.exe 2480 Kkdnke32.exe 2908 Kejahn32.exe 2072 Kkfjpemb.exe 2484 Khjkiikl.exe 2972 Kcdljghj.exe 1220 Lgbdpena.exe 1028 Lbnbfb32.exe 236 Llcfck32.exe -
Loads dropped DLL 64 IoCs
pid Process 2612 0ba352cc28662a4a140bb50223041029c52e886e4fdea3a36fd7fdd24eed4bc4.exe 2612 0ba352cc28662a4a140bb50223041029c52e886e4fdea3a36fd7fdd24eed4bc4.exe 2300 Lbhphdab.exe 2300 Lbhphdab.exe 2888 Lhbhdnio.exe 2888 Lhbhdnio.exe 2344 Lqmliqfj.exe 2344 Lqmliqfj.exe 2680 Lgiakjld.exe 2680 Lgiakjld.exe 2660 Mfakbf32.exe 2660 Mfakbf32.exe 2076 Mcekkkmc.exe 2076 Mcekkkmc.exe 1948 Ndehjnpo.exe 1948 Ndehjnpo.exe 840 Nakeib32.exe 840 Nakeib32.exe 2844 Nlefjpid.exe 2844 Nlefjpid.exe 2196 Pihbbgjj.exe 2196 Pihbbgjj.exe 1384 Pgopak32.exe 1384 Pgopak32.exe 1464 Pgamgken.exe 1464 Pgamgken.exe 2164 Aaogbh32.exe 2164 Aaogbh32.exe 2376 Ankabh32.exe 2376 Ankabh32.exe 2248 Bocckoom.exe 2248 Bocckoom.exe 2368 Bgqeea32.exe 2368 Bgqeea32.exe 1924 Bkonkpqk.exe 1924 Bkonkpqk.exe 1316 Daplmimi.exe 1316 Daplmimi.exe 2452 Dmgmbj32.exe 2452 Dmgmbj32.exe 2232 Dofilm32.exe 2232 Dofilm32.exe 368 Ddcadd32.exe 368 Ddcadd32.exe 2152 Eagbnh32.exe 2152 Eagbnh32.exe 612 Egdjfo32.exe 612 Egdjfo32.exe 1772 Egfglocf.exe 1772 Egfglocf.exe 2244 Eghdanac.exe 2244 Eghdanac.exe 1332 Eenabkfk.exe 1332 Eenabkfk.exe 1664 Fcaaloed.exe 1664 Fcaaloed.exe 2764 Fdekigip.exe 2764 Fdekigip.exe 2672 Fplknh32.exe 2672 Fplknh32.exe 2584 Fdjddf32.exe 2584 Fdjddf32.exe 2696 Fgjmfa32.exe 2696 Fgjmfa32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Fkeedo32.exe Fpkdca32.exe File opened for modification C:\Windows\SysWOW64\Ndfppije.exe Nmkklflj.exe File created C:\Windows\SysWOW64\Kpnend32.dll Nlefjpid.exe File opened for modification C:\Windows\SysWOW64\Fdjddf32.exe Fplknh32.exe File created C:\Windows\SysWOW64\Ccileljk.exe Bokcom32.exe File created C:\Windows\SysWOW64\Bfnkpedc.dll Dcihdo32.exe File created C:\Windows\SysWOW64\Bpnibl32.exe Bgfdjfkh.exe File opened for modification C:\Windows\SysWOW64\Dpmeij32.exe Dbidof32.exe File opened for modification C:\Windows\SysWOW64\Hgmhcm32.exe Hkdkhl32.exe File opened for modification C:\Windows\SysWOW64\Jfpndkel.exe Jilmkffb.exe File created C:\Windows\SysWOW64\Dmgmbj32.exe Daplmimi.exe File opened for modification C:\Windows\SysWOW64\Hfbckagm.exe Hbnqln32.exe File opened for modification C:\Windows\SysWOW64\Jpfcohfk.exe Jdobjgqg.exe File opened for modification C:\Windows\SysWOW64\Llcfck32.exe Lbnbfb32.exe File opened for modification C:\Windows\SysWOW64\Mhaobd32.exe Mnjnolap.exe File created C:\Windows\SysWOW64\Njhhid32.dll Gbolce32.exe File created C:\Windows\SysWOW64\Gkjahg32.exe Gemhpq32.exe File created C:\Windows\SysWOW64\Mnjnolap.exe Meojkide.exe File created C:\Windows\SysWOW64\Opnpnj32.dll Nbegonmd.exe File created C:\Windows\SysWOW64\Qfkbfpca.dll Nmkklflj.exe File created C:\Windows\SysWOW64\Kifbahjj.dll Ieqbbl32.exe File created C:\Windows\SysWOW64\Jmpqbnmp.exe Ieelnkpd.exe File created C:\Windows\SysWOW64\Poddphee.exe Nnpofe32.exe File opened for modification C:\Windows\SysWOW64\Ikkmho32.exe Ieohfemq.exe File created C:\Windows\SysWOW64\Bccjlodh.dll Ndehjnpo.exe File created C:\Windows\SysWOW64\Kkfjpemb.exe Kejahn32.exe File created C:\Windows\SysWOW64\Eebendko.dll Epgoio32.exe File created C:\Windows\SysWOW64\Kelqff32.exe Kiccle32.exe File created C:\Windows\SysWOW64\Djfooa32.exe Ddfjak32.exe File opened for modification C:\Windows\SysWOW64\Hgeenb32.exe Hojqjp32.exe File created C:\Windows\SysWOW64\Plljbkml.exe Pdqfnhpa.exe File opened for modification C:\Windows\SysWOW64\Bofbih32.exe Bpnibl32.exe File opened for modification C:\Windows\SysWOW64\Deljfqmf.exe Dpmeij32.exe File created C:\Windows\SysWOW64\Fpkdca32.exe Fgcpkldh.exe File created C:\Windows\SysWOW64\Pmiaidbj.dll Denglpkc.exe File created C:\Windows\SysWOW64\Gllmbj32.dll Kfbjjjci.exe File created C:\Windows\SysWOW64\Pdqfaiab.dll Bhdmahpn.exe File created C:\Windows\SysWOW64\Ccdnipal.exe Cjljpjjk.exe File opened for modification C:\Windows\SysWOW64\Dpphipbk.exe Dcihdo32.exe File created C:\Windows\SysWOW64\Pikkfilp.exe Plfjme32.exe File opened for modification C:\Windows\SysWOW64\Pjndca32.exe Pjlgna32.exe File created C:\Windows\SysWOW64\Naipph32.dll Mfakbf32.exe File created C:\Windows\SysWOW64\Gionkg32.dll Bgqeea32.exe File created C:\Windows\SysWOW64\Qhmomjib.dll Dmgmbj32.exe File created C:\Windows\SysWOW64\Ieelnkpd.exe Ihaldgak.exe File created C:\Windows\SysWOW64\Dgoikhhk.dll Aihjpman.exe File created C:\Windows\SysWOW64\Jilmkffb.exe Jcmhmp32.exe File created C:\Windows\SysWOW64\Nnpopj32.dll Djfooa32.exe File created C:\Windows\SysWOW64\Lqmliqfj.exe Lhbhdnio.exe File created C:\Windows\SysWOW64\Lgiakjld.exe Lqmliqfj.exe File created C:\Windows\SysWOW64\Lecegc32.dll Gfbfln32.exe File created C:\Windows\SysWOW64\Jabmhccg.dll Hgeenb32.exe File created C:\Windows\SysWOW64\Nkbdge32.dll Pedokpcm.exe File created C:\Windows\SysWOW64\Okdahbmm.exe Nkbdbbop.exe File created C:\Windows\SysWOW64\Nfgnbedd.dll Ankabh32.exe File created C:\Windows\SysWOW64\Ijmkkc32.exe Ieqbbl32.exe File created C:\Windows\SysWOW64\Kejahn32.exe Kkdnke32.exe File created C:\Windows\SysWOW64\Eojdod32.dll Hojqjp32.exe File created C:\Windows\SysWOW64\Hfdbji32.exe Hmlmacfn.exe File created C:\Windows\SysWOW64\Mfoljh32.dll Aeokdn32.exe File created C:\Windows\SysWOW64\Enkfnp32.dll Ijmkkc32.exe File created C:\Windows\SysWOW64\Hgnmblgo.dll Ohqbbi32.exe File opened for modification C:\Windows\SysWOW64\Eenckc32.exe Ebmjihqn.exe File created C:\Windows\SysWOW64\Bgbkhnja.dll Hgmhcm32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 3376 3360 WerFault.exe 271 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Emailhfb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Enjand32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ifkfap32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cjljpjjk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iefeaj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cjifpdib.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bhngbm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lelmei32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nmkklflj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Enokidgl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pdqfnhpa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Denglpkc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cmmcae32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Plljbkml.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gilhpe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aihjpman.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Keehmobp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dogbolep.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eenckc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ndfppije.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fioajqmb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lgbdpena.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gfhikl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kiccle32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nbegonmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qdieaf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Enlncdio.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lqmliqfj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mcekkkmc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eagbnh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ieqbbl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ahjahk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ggphji32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ebcqicem.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kommediq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iecaad32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bgfdjfkh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fkmhij32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jmpqbnmp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pedokpcm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ndehjnpo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fgcpkldh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hogddpld.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ompgqonl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bpnibl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ddfjak32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ihaldgak.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jdobjgqg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jajbfeop.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kkiiom32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Djfooa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nakeib32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dpphipbk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dpmeij32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ebmjihqn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hgmhcm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fgjmfa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Opcaiggo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Emilqb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fncddc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ilhnjfmi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ohqbbi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mnjnolap.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Egfglocf.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdqfaiab.dll" Bhdmahpn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ddcadd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Gnphfppi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdgnnfme.dll" Nnpofe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Eeijpdbd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bgbkhnja.dll" Hgmhcm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Iecaad32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Bocckoom.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ggphji32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Coledgje.dll" Lelmei32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Mkbhco32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Bhdmahpn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nljikmpj.dll" Jcmhmp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fmjgnb32.dll" Cldolj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ppibcink.dll" Egfglocf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cmpeai32.dll" Hjbhgolp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Fgcpkldh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Biiqmd32.dll" Hcnfjpib.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Himkgf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Bgfdjfkh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Enjand32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ehilgikj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Faopib32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Agnbbk32.dll" Daplmimi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Eenabkfk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Knngob32.dll" Ilhnjfmi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Njjbga32.dll" Lbnbfb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Pjhaec32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Kkiiom32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hmalaioi.dll" Gkjahg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Enpappch.dll" Fgjmfa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qgckhoib.dll" Kegebn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Njobpa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfhkok32.dll" Ompgqonl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Pdllci32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ckopch32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ccileljk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Qlnghj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Jajbfeop.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Cfmceomm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnagchpe.dll" Nakeib32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nqnqdcmj.dll" Aaogbh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Jaaoakmc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Klmhcl32.dll" Nncaejie.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pgjlbh32.dll" Fehodaqd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fghbnm32.dll" Dofilm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ijmkkc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ledcahkp.dll" Kcdljghj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Lbnbfb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Fgqcel32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Kfbjjjci.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cdmfml32.dll" Ddcadd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Kegebn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fbjpjphf.dll" Gdpfbd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Hgeenb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mljgmiaq.dll" Ijmdql32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Oenmkngi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node 0ba352cc28662a4a140bb50223041029c52e886e4fdea3a36fd7fdd24eed4bc4.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kccmfg32.dll" Bofbih32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oacqge32.dll" Bhngbm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Lelmei32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Cldolj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ackoccaa.dll" Dcnchg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Pgopak32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2612 wrote to memory of 2300 2612 0ba352cc28662a4a140bb50223041029c52e886e4fdea3a36fd7fdd24eed4bc4.exe 29 PID 2612 wrote to memory of 2300 2612 0ba352cc28662a4a140bb50223041029c52e886e4fdea3a36fd7fdd24eed4bc4.exe 29 PID 2612 wrote to memory of 2300 2612 0ba352cc28662a4a140bb50223041029c52e886e4fdea3a36fd7fdd24eed4bc4.exe 29 PID 2612 wrote to memory of 2300 2612 0ba352cc28662a4a140bb50223041029c52e886e4fdea3a36fd7fdd24eed4bc4.exe 29 PID 2300 wrote to memory of 2888 2300 Lbhphdab.exe 30 PID 2300 wrote to memory of 2888 2300 Lbhphdab.exe 30 PID 2300 wrote to memory of 2888 2300 Lbhphdab.exe 30 PID 2300 wrote to memory of 2888 2300 Lbhphdab.exe 30 PID 2888 wrote to memory of 2344 2888 Lhbhdnio.exe 31 PID 2888 wrote to memory of 2344 2888 Lhbhdnio.exe 31 PID 2888 wrote to memory of 2344 2888 Lhbhdnio.exe 31 PID 2888 wrote to memory of 2344 2888 Lhbhdnio.exe 31 PID 2344 wrote to memory of 2680 2344 Lqmliqfj.exe 32 PID 2344 wrote to memory of 2680 2344 Lqmliqfj.exe 32 PID 2344 wrote to memory of 2680 2344 Lqmliqfj.exe 32 PID 2344 wrote to memory of 2680 2344 Lqmliqfj.exe 32 PID 2680 wrote to memory of 2660 2680 Lgiakjld.exe 33 PID 2680 wrote to memory of 2660 2680 Lgiakjld.exe 33 PID 2680 wrote to memory of 2660 2680 Lgiakjld.exe 33 PID 2680 wrote to memory of 2660 2680 Lgiakjld.exe 33 PID 2660 wrote to memory of 2076 2660 Mfakbf32.exe 34 PID 2660 wrote to memory of 2076 2660 Mfakbf32.exe 34 PID 2660 wrote to memory of 2076 2660 Mfakbf32.exe 34 PID 2660 wrote to memory of 2076 2660 Mfakbf32.exe 34 PID 2076 wrote to memory of 1948 2076 Mcekkkmc.exe 35 PID 2076 wrote to memory of 1948 2076 Mcekkkmc.exe 35 PID 2076 wrote to memory of 1948 2076 Mcekkkmc.exe 35 PID 2076 wrote to memory of 1948 2076 Mcekkkmc.exe 35 PID 1948 wrote to memory of 840 1948 Ndehjnpo.exe 36 PID 1948 wrote to memory of 840 1948 Ndehjnpo.exe 36 PID 1948 wrote to memory of 840 1948 Ndehjnpo.exe 36 PID 1948 wrote to memory of 840 1948 Ndehjnpo.exe 36 PID 840 wrote to memory of 2844 840 Nakeib32.exe 37 PID 840 wrote to memory of 2844 840 Nakeib32.exe 37 PID 840 wrote to memory of 2844 840 Nakeib32.exe 37 PID 840 wrote to memory of 2844 840 Nakeib32.exe 37 PID 2844 wrote to memory of 2196 2844 Nlefjpid.exe 38 PID 2844 wrote to memory of 2196 2844 Nlefjpid.exe 38 PID 2844 wrote to memory of 2196 2844 Nlefjpid.exe 38 PID 2844 wrote to memory of 2196 2844 Nlefjpid.exe 38 PID 2196 wrote to memory of 1384 2196 Pihbbgjj.exe 39 PID 2196 wrote to memory of 1384 2196 Pihbbgjj.exe 39 PID 2196 wrote to memory of 1384 2196 Pihbbgjj.exe 39 PID 2196 wrote to memory of 1384 2196 Pihbbgjj.exe 39 PID 1384 wrote to memory of 1464 1384 Pgopak32.exe 40 PID 1384 wrote to memory of 1464 1384 Pgopak32.exe 40 PID 1384 wrote to memory of 1464 1384 Pgopak32.exe 40 PID 1384 wrote to memory of 1464 1384 Pgopak32.exe 40 PID 1464 wrote to memory of 2164 1464 Pgamgken.exe 41 PID 1464 wrote to memory of 2164 1464 Pgamgken.exe 41 PID 1464 wrote to memory of 2164 1464 Pgamgken.exe 41 PID 1464 wrote to memory of 2164 1464 Pgamgken.exe 41 PID 2164 wrote to memory of 2376 2164 Aaogbh32.exe 42 PID 2164 wrote to memory of 2376 2164 Aaogbh32.exe 42 PID 2164 wrote to memory of 2376 2164 Aaogbh32.exe 42 PID 2164 wrote to memory of 2376 2164 Aaogbh32.exe 42 PID 2376 wrote to memory of 2248 2376 Ankabh32.exe 43 PID 2376 wrote to memory of 2248 2376 Ankabh32.exe 43 PID 2376 wrote to memory of 2248 2376 Ankabh32.exe 43 PID 2376 wrote to memory of 2248 2376 Ankabh32.exe 43 PID 2248 wrote to memory of 2368 2248 Bocckoom.exe 44 PID 2248 wrote to memory of 2368 2248 Bocckoom.exe 44 PID 2248 wrote to memory of 2368 2248 Bocckoom.exe 44 PID 2248 wrote to memory of 2368 2248 Bocckoom.exe 44
Processes
-
C:\Users\Admin\AppData\Local\Temp\0ba352cc28662a4a140bb50223041029c52e886e4fdea3a36fd7fdd24eed4bc4.exe"C:\Users\Admin\AppData\Local\Temp\0ba352cc28662a4a140bb50223041029c52e886e4fdea3a36fd7fdd24eed4bc4.exe"1⤵
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2612 -
C:\Windows\SysWOW64\Lbhphdab.exeC:\Windows\system32\Lbhphdab.exe2⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2300 -
C:\Windows\SysWOW64\Lhbhdnio.exeC:\Windows\system32\Lhbhdnio.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2888 -
C:\Windows\SysWOW64\Lqmliqfj.exeC:\Windows\system32\Lqmliqfj.exe4⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2344 -
C:\Windows\SysWOW64\Lgiakjld.exeC:\Windows\system32\Lgiakjld.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2680 -
C:\Windows\SysWOW64\Mfakbf32.exeC:\Windows\system32\Mfakbf32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2660 -
C:\Windows\SysWOW64\Mcekkkmc.exeC:\Windows\system32\Mcekkkmc.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2076 -
C:\Windows\SysWOW64\Ndehjnpo.exeC:\Windows\system32\Ndehjnpo.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1948 -
C:\Windows\SysWOW64\Nakeib32.exeC:\Windows\system32\Nakeib32.exe9⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:840 -
C:\Windows\SysWOW64\Nlefjpid.exeC:\Windows\system32\Nlefjpid.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2844 -
C:\Windows\SysWOW64\Pihbbgjj.exeC:\Windows\system32\Pihbbgjj.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2196 -
C:\Windows\SysWOW64\Pgopak32.exeC:\Windows\system32\Pgopak32.exe12⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1384 -
C:\Windows\SysWOW64\Pgamgken.exeC:\Windows\system32\Pgamgken.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1464 -
C:\Windows\SysWOW64\Aaogbh32.exeC:\Windows\system32\Aaogbh32.exe14⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2164 -
C:\Windows\SysWOW64\Ankabh32.exeC:\Windows\system32\Ankabh32.exe15⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2376 -
C:\Windows\SysWOW64\Bocckoom.exeC:\Windows\system32\Bocckoom.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2248 -
C:\Windows\SysWOW64\Bgqeea32.exeC:\Windows\system32\Bgqeea32.exe17⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2368 -
C:\Windows\SysWOW64\Bkonkpqk.exeC:\Windows\system32\Bkonkpqk.exe18⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1924 -
C:\Windows\SysWOW64\Daplmimi.exeC:\Windows\system32\Daplmimi.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:1316 -
C:\Windows\SysWOW64\Dmgmbj32.exeC:\Windows\system32\Dmgmbj32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2452 -
C:\Windows\SysWOW64\Dofilm32.exeC:\Windows\system32\Dofilm32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2232 -
C:\Windows\SysWOW64\Ddcadd32.exeC:\Windows\system32\Ddcadd32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:368 -
C:\Windows\SysWOW64\Eagbnh32.exeC:\Windows\system32\Eagbnh32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2152 -
C:\Windows\SysWOW64\Egdjfo32.exeC:\Windows\system32\Egdjfo32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:612 -
C:\Windows\SysWOW64\Egfglocf.exeC:\Windows\system32\Egfglocf.exe25⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1772 -
C:\Windows\SysWOW64\Eghdanac.exeC:\Windows\system32\Eghdanac.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2244 -
C:\Windows\SysWOW64\Eenabkfk.exeC:\Windows\system32\Eenabkfk.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1332 -
C:\Windows\SysWOW64\Fcaaloed.exeC:\Windows\system32\Fcaaloed.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1664 -
C:\Windows\SysWOW64\Fdekigip.exeC:\Windows\system32\Fdekigip.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2764 -
C:\Windows\SysWOW64\Fplknh32.exeC:\Windows\system32\Fplknh32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2672 -
C:\Windows\SysWOW64\Fdjddf32.exeC:\Windows\system32\Fdjddf32.exe31⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2584 -
C:\Windows\SysWOW64\Fgjmfa32.exeC:\Windows\system32\Fgjmfa32.exe32⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2696 -
C:\Windows\SysWOW64\Ghnfci32.exeC:\Windows\system32\Ghnfci32.exe33⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1892 -
C:\Windows\SysWOW64\Gfbfln32.exeC:\Windows\system32\Gfbfln32.exe34⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2420 -
C:\Windows\SysWOW64\Gcfgfack.exeC:\Windows\system32\Gcfgfack.exe35⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2688 -
C:\Windows\SysWOW64\Gnphfppi.exeC:\Windows\system32\Gnphfppi.exe36⤵
- Executes dropped EXE
- Modifies registry class
PID:976 -
C:\Windows\SysWOW64\Gkchpcoc.exeC:\Windows\system32\Gkchpcoc.exe37⤵
- Executes dropped EXE
PID:1092 -
C:\Windows\SysWOW64\Hbnqln32.exeC:\Windows\system32\Hbnqln32.exe38⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1888 -
C:\Windows\SysWOW64\Hfbckagm.exeC:\Windows\system32\Hfbckagm.exe39⤵
- Executes dropped EXE
PID:1996 -
C:\Windows\SysWOW64\Hcfceeff.exeC:\Windows\system32\Hcfceeff.exe40⤵
- Executes dropped EXE
PID:1036 -
C:\Windows\SysWOW64\Hjbhgolp.exeC:\Windows\system32\Hjbhgolp.exe41⤵
- Executes dropped EXE
- Modifies registry class
PID:2308 -
C:\Windows\SysWOW64\Iigehk32.exeC:\Windows\system32\Iigehk32.exe42⤵
- Executes dropped EXE
PID:2356 -
C:\Windows\SysWOW64\Ifkfap32.exeC:\Windows\system32\Ifkfap32.exe43⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2200 -
C:\Windows\SysWOW64\Ilhnjfmi.exeC:\Windows\system32\Ilhnjfmi.exe44⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1820 -
C:\Windows\SysWOW64\Ieqbbl32.exeC:\Windows\system32\Ieqbbl32.exe45⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1860 -
C:\Windows\SysWOW64\Ijmkkc32.exeC:\Windows\system32\Ijmkkc32.exe46⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1864 -
C:\Windows\SysWOW64\Ihaldgak.exeC:\Windows\system32\Ihaldgak.exe47⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:808 -
C:\Windows\SysWOW64\Ieelnkpd.exeC:\Windows\system32\Ieelnkpd.exe48⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1364 -
C:\Windows\SysWOW64\Jmpqbnmp.exeC:\Windows\system32\Jmpqbnmp.exe49⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1360 -
C:\Windows\SysWOW64\Jigagocd.exeC:\Windows\system32\Jigagocd.exe50⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1812 -
C:\Windows\SysWOW64\Jiinmnaa.exeC:\Windows\system32\Jiinmnaa.exe51⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:884 -
C:\Windows\SysWOW64\Jdobjgqg.exeC:\Windows\system32\Jdobjgqg.exe52⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2652 -
C:\Windows\SysWOW64\Jpfcohfk.exeC:\Windows\system32\Jpfcohfk.exe53⤵
- Executes dropped EXE
PID:2812 -
C:\Windows\SysWOW64\Jeblgodb.exeC:\Windows\system32\Jeblgodb.exe54⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2444 -
C:\Windows\SysWOW64\Keehmobp.exeC:\Windows\system32\Keehmobp.exe55⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2180 -
C:\Windows\SysWOW64\Kommediq.exeC:\Windows\system32\Kommediq.exe56⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2132 -
C:\Windows\SysWOW64\Kegebn32.exeC:\Windows\system32\Kegebn32.exe57⤵
- Executes dropped EXE
- Modifies registry class
PID:2904 -
C:\Windows\SysWOW64\Kkdnke32.exeC:\Windows\system32\Kkdnke32.exe58⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2480 -
C:\Windows\SysWOW64\Kejahn32.exeC:\Windows\system32\Kejahn32.exe59⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2908 -
C:\Windows\SysWOW64\Kkfjpemb.exeC:\Windows\system32\Kkfjpemb.exe60⤵
- Executes dropped EXE
PID:2072 -
C:\Windows\SysWOW64\Khjkiikl.exeC:\Windows\system32\Khjkiikl.exe61⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2484 -
C:\Windows\SysWOW64\Kcdljghj.exeC:\Windows\system32\Kcdljghj.exe62⤵
- Executes dropped EXE
- Modifies registry class
PID:2972 -
C:\Windows\SysWOW64\Lgbdpena.exeC:\Windows\system32\Lgbdpena.exe63⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1220 -
C:\Windows\SysWOW64\Lbnbfb32.exeC:\Windows\system32\Lbnbfb32.exe64⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1028 -
C:\Windows\SysWOW64\Llcfck32.exeC:\Windows\system32\Llcfck32.exe65⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:236 -
C:\Windows\SysWOW64\Nnpofe32.exeC:\Windows\system32\Nnpofe32.exe66⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:2552 -
C:\Windows\SysWOW64\Poddphee.exeC:\Windows\system32\Poddphee.exe67⤵PID:2820
-
C:\Windows\SysWOW64\Qgdbpi32.exeC:\Windows\system32\Qgdbpi32.exe68⤵PID:2544
-
C:\Windows\SysWOW64\Bgnaekil.exeC:\Windows\system32\Bgnaekil.exe69⤵PID:932
-
C:\Windows\SysWOW64\Boifinfg.exeC:\Windows\system32\Boifinfg.exe70⤵PID:2748
-
C:\Windows\SysWOW64\Bokcom32.exeC:\Windows\system32\Bokcom32.exe71⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2892 -
C:\Windows\SysWOW64\Ccileljk.exeC:\Windows\system32\Ccileljk.exe72⤵
- Modifies registry class
PID:2280 -
C:\Windows\SysWOW64\Copljmpo.exeC:\Windows\system32\Copljmpo.exe73⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1160 -
C:\Windows\SysWOW64\Cfjdfg32.exeC:\Windows\system32\Cfjdfg32.exe74⤵PID:2460
-
C:\Windows\SysWOW64\Cpbiolnl.exeC:\Windows\system32\Cpbiolnl.exe75⤵PID:2780
-
C:\Windows\SysWOW64\Cjljpjjk.exeC:\Windows\system32\Cjljpjjk.exe76⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2596 -
C:\Windows\SysWOW64\Ccdnipal.exeC:\Windows\system32\Ccdnipal.exe77⤵PID:2572
-
C:\Windows\SysWOW64\Cmmcae32.exeC:\Windows\system32\Cmmcae32.exe78⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:3040 -
C:\Windows\SysWOW64\Dcihdo32.exeC:\Windows\system32\Dcihdo32.exe79⤵
- Drops file in System32 directory
PID:2348 -
C:\Windows\SysWOW64\Dpphipbk.exeC:\Windows\system32\Dpphipbk.exe80⤵
- System Location Discovery: System Language Discovery
PID:1560 -
C:\Windows\SysWOW64\Dogbolep.exeC:\Windows\system32\Dogbolep.exe81⤵
- System Location Discovery: System Language Discovery
PID:2884 -
C:\Windows\SysWOW64\Epgoio32.exeC:\Windows\system32\Epgoio32.exe82⤵
- Drops file in System32 directory
PID:2468 -
C:\Windows\SysWOW64\Eefdgeig.exeC:\Windows\system32\Eefdgeig.exe83⤵PID:2500
-
C:\Windows\SysWOW64\Emailhfb.exeC:\Windows\system32\Emailhfb.exe84⤵
- System Location Discovery: System Language Discovery
PID:2724 -
C:\Windows\SysWOW64\Egimdmmc.exeC:\Windows\system32\Egimdmmc.exe85⤵PID:436
-
C:\Windows\SysWOW64\Edmnnakm.exeC:\Windows\system32\Edmnnakm.exe86⤵PID:1576
-
C:\Windows\SysWOW64\Fkjbpkag.exeC:\Windows\system32\Fkjbpkag.exe87⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:928 -
C:\Windows\SysWOW64\Fgqcel32.exeC:\Windows\system32\Fgqcel32.exe88⤵
- Modifies registry class
PID:2880 -
C:\Windows\SysWOW64\Fgcpkldh.exeC:\Windows\system32\Fgcpkldh.exe89⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2504 -
C:\Windows\SysWOW64\Fpkdca32.exeC:\Windows\system32\Fpkdca32.exe90⤵
- Drops file in System32 directory
PID:2436 -
C:\Windows\SysWOW64\Fkeedo32.exeC:\Windows\system32\Fkeedo32.exe91⤵PID:2284
-
C:\Windows\SysWOW64\Gkgbioee.exeC:\Windows\system32\Gkgbioee.exe92⤵PID:2176
-
C:\Windows\SysWOW64\Gdpfbd32.exeC:\Windows\system32\Gdpfbd32.exe93⤵
- Modifies registry class
PID:2312 -
C:\Windows\SysWOW64\Gpfggeai.exeC:\Windows\system32\Gpfggeai.exe94⤵PID:804
-
C:\Windows\SysWOW64\Gafcahil.exeC:\Windows\system32\Gafcahil.exe95⤵PID:2156
-
C:\Windows\SysWOW64\Glpdbfek.exeC:\Windows\system32\Glpdbfek.exe96⤵PID:2936
-
C:\Windows\SysWOW64\Gfhikl32.exeC:\Windows\system32\Gfhikl32.exe97⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:2992 -
C:\Windows\SysWOW64\Hjfbaj32.exeC:\Windows\system32\Hjfbaj32.exe98⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1780 -
C:\Windows\SysWOW64\Hcnfjpib.exeC:\Windows\system32\Hcnfjpib.exe99⤵
- Modifies registry class
PID:1844 -
C:\Windows\SysWOW64\Hcqcoo32.exeC:\Windows\system32\Hcqcoo32.exe100⤵PID:1336
-
C:\Windows\SysWOW64\Himkgf32.exeC:\Windows\system32\Himkgf32.exe101⤵
- Modifies registry class
PID:2464 -
C:\Windows\SysWOW64\Hogddpld.exeC:\Windows\system32\Hogddpld.exe102⤵
- System Location Discovery: System Language Discovery
PID:1828 -
C:\Windows\SysWOW64\Hojqjp32.exeC:\Windows\system32\Hojqjp32.exe103⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2940 -
C:\Windows\SysWOW64\Hgeenb32.exeC:\Windows\system32\Hgeenb32.exe104⤵
- Drops file in System32 directory
- Modifies registry class
PID:2772 -
C:\Windows\SysWOW64\Iggbdb32.exeC:\Windows\system32\Iggbdb32.exe105⤵PID:3012
-
C:\Windows\SysWOW64\Iekbmfdc.exeC:\Windows\system32\Iekbmfdc.exe106⤵PID:2848
-
C:\Windows\SysWOW64\Imfgahao.exeC:\Windows\system32\Imfgahao.exe107⤵PID:2408
-
C:\Windows\SysWOW64\Ijjgkmqh.exeC:\Windows\system32\Ijjgkmqh.exe108⤵PID:2488
-
C:\Windows\SysWOW64\Ijmdql32.exeC:\Windows\system32\Ijmdql32.exe109⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2828 -
C:\Windows\SysWOW64\Iefeaj32.exeC:\Windows\system32\Iefeaj32.exe110⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:1436 -
C:\Windows\SysWOW64\Jbjejojn.exeC:\Windows\system32\Jbjejojn.exe111⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1704 -
C:\Windows\SysWOW64\Jblbpnhk.exeC:\Windows\system32\Jblbpnhk.exe112⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2456 -
C:\Windows\SysWOW64\Jaaoakmc.exeC:\Windows\system32\Jaaoakmc.exe113⤵
- Modifies registry class
PID:1736 -
C:\Windows\SysWOW64\Nmkbfmpf.exeC:\Windows\system32\Nmkbfmpf.exe114⤵PID:1372
-
C:\Windows\SysWOW64\Njobpa32.exeC:\Windows\system32\Njobpa32.exe115⤵
- Modifies registry class
PID:1840 -
C:\Windows\SysWOW64\Nqkgbkdj.exeC:\Windows\system32\Nqkgbkdj.exe116⤵PID:1900
-
C:\Windows\SysWOW64\Oiglfm32.exeC:\Windows\system32\Oiglfm32.exe117⤵PID:2648
-
C:\Windows\SysWOW64\Oenmkngi.exeC:\Windows\system32\Oenmkngi.exe118⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:1836 -
C:\Windows\SysWOW64\Opcaiggo.exeC:\Windows\system32\Opcaiggo.exe119⤵
- System Location Discovery: System Language Discovery
PID:2732 -
C:\Windows\SysWOW64\Obdjjb32.exeC:\Windows\system32\Obdjjb32.exe120⤵PID:2264
-
C:\Windows\SysWOW64\Ohqbbi32.exeC:\Windows\system32\Ohqbbi32.exe121⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2476
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-