Analysis
-
max time kernel
113s -
max time network
17s -
platform
windows7_x64 -
resource
win7-20240705-en -
resource tags
arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system -
submitted
29-08-2024 14:40
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
6509f95c3a202f3fbdb8fcf65f95c740N.exe
Resource
win7-20240705-en
windows7-x64
8 signatures
120 seconds
Behavioral task
behavioral2
Sample
6509f95c3a202f3fbdb8fcf65f95c740N.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
7 signatures
120 seconds
General
-
Target
6509f95c3a202f3fbdb8fcf65f95c740N.exe
-
Size
60KB
-
MD5
6509f95c3a202f3fbdb8fcf65f95c740
-
SHA1
f4bd7462d22a43c6577c68fefb0619ac5b86bbee
-
SHA256
9fa43a35669f42697c4d6f795bb88f79caa6467beee2041771613bcd849b4132
-
SHA512
2e32e7613a60a101715185a61c5106c6f3a59033c7de1c20de704a8adf821e03bb852883c1360e2dede3f9fe49c5d60d21ec25e841a57c69d8318c9d951d3bf4
-
SSDEEP
768:Do9WWpPgoBrMCNwXBftM5MHOtm6j4QOhOtWp97QcsRmNeikORT3W/1H5lB+XdnhP:DeKoBrMoYF6jfiQcBNeikOJM/B86l1rs
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hhoeii32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hfebhmbm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ikfdkc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Igpaec32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gcmcebkc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ogbldk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dkjpdcfj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Emjhmipi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lmalgq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qhincn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Emgkhj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kihpmnbb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dgcmod32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gkbnap32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hijhhl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kcmdjgbh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Maldfbjn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Clkicbfa.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eiilge32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ephdjeol.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ifengpdh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ncnjeh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oddphp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oknhdjko.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Amafgc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Keoabo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Chocodch.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dmebcgbb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gmqkml32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Genlgnhd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hqochjnk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jpmooind.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lpfnckhe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cpiaipmh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Klmbjh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lcdjpfgh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oiahnnji.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ajnqphhe.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ablbjj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hgfooe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Akdafn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Igpaec32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lalhgogb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bbchkime.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ejcofica.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Booiep32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Okkkoj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pcdldknm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Clnehado.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dhiphb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eifobe32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bgahkngh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bnlphh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cdqkifmb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cmqihg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fhmldfdm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hlmnogkl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ofobgc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ioiidfon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ikagogco.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jbnlaqhi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lbbnjgik.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Odflmp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Paafmp32.exe -
Executes dropped EXE 64 IoCs
pid Process 2620 Qiiahgjh.exe 2652 Qmenhe32.exe 2544 Aepbmhpl.exe 2864 Amgjnepn.exe 2632 Apefjqob.exe 2724 Aohgfm32.exe 1312 Ainkcf32.exe 2772 Aphcppmo.exe 1100 Aaipghcn.exe 2748 Aedlhg32.exe 444 Ahchdb32.exe 2416 Akadpn32.exe 2344 Aaklmhak.exe 1808 Akdafn32.exe 1532 Anbmbi32.exe 2296 Ahhaobfe.exe 888 Akfnkmei.exe 1876 Andjgidl.exe 2380 Bapfhg32.exe 1984 Bgmnpn32.exe 376 Bikjmj32.exe 604 Bpebidam.exe 2264 Bccoeo32.exe 1304 Bkkgfm32.exe 2372 Bnicbh32.exe 2516 Bllcnega.exe 2008 Bgahkngh.exe 2760 Bnlphh32.exe 2168 Bpjldc32.exe 656 Bgddam32.exe 744 Bheaiekc.exe 1688 Booiep32.exe 2936 Bfiabjjm.exe 1480 Clciod32.exe 2796 Ckfjjqhd.exe 2016 Cbpbgk32.exe 2052 Cfknhi32.exe 2036 Clefdcog.exe 2324 Codbqonk.exe 2184 Cbbomjnn.exe 1696 Cdqkifmb.exe 2100 Chlgid32.exe 1176 Ckkcep32.exe 2468 Cnipak32.exe 1672 Cbdkbjkl.exe 692 Cdchneko.exe 632 Chocodch.exe 1168 Ckmpkpbl.exe 1288 Cjppfl32.exe 2844 Cbghhj32.exe 2956 Cqjhcfpc.exe 2780 Cdedde32.exe 1272 Cchdpbog.exe 2480 Cgdqpq32.exe 2216 Cjbmll32.exe 3024 Cmqihg32.exe 1216 Cqleifna.exe 2572 Dcjaeamd.exe 2916 Dgfmep32.exe 1928 Dfinam32.exe 588 Dnpebj32.exe 2112 Dmcfngde.exe 1896 Doabjbci.exe 968 Dcmnja32.exe -
Loads dropped DLL 64 IoCs
pid Process 2140 6509f95c3a202f3fbdb8fcf65f95c740N.exe 2140 6509f95c3a202f3fbdb8fcf65f95c740N.exe 2620 Qiiahgjh.exe 2620 Qiiahgjh.exe 2652 Qmenhe32.exe 2652 Qmenhe32.exe 2544 Aepbmhpl.exe 2544 Aepbmhpl.exe 2864 Amgjnepn.exe 2864 Amgjnepn.exe 2632 Apefjqob.exe 2632 Apefjqob.exe 2724 Aohgfm32.exe 2724 Aohgfm32.exe 1312 Ainkcf32.exe 1312 Ainkcf32.exe 2772 Aphcppmo.exe 2772 Aphcppmo.exe 1100 Aaipghcn.exe 1100 Aaipghcn.exe 2748 Aedlhg32.exe 2748 Aedlhg32.exe 444 Ahchdb32.exe 444 Ahchdb32.exe 2416 Akadpn32.exe 2416 Akadpn32.exe 2344 Aaklmhak.exe 2344 Aaklmhak.exe 1808 Akdafn32.exe 1808 Akdafn32.exe 1532 Anbmbi32.exe 1532 Anbmbi32.exe 2296 Ahhaobfe.exe 2296 Ahhaobfe.exe 888 Akfnkmei.exe 888 Akfnkmei.exe 1876 Andjgidl.exe 1876 Andjgidl.exe 2380 Bapfhg32.exe 2380 Bapfhg32.exe 1984 Bgmnpn32.exe 1984 Bgmnpn32.exe 376 Bikjmj32.exe 376 Bikjmj32.exe 604 Bpebidam.exe 604 Bpebidam.exe 2264 Bccoeo32.exe 2264 Bccoeo32.exe 1304 Bkkgfm32.exe 1304 Bkkgfm32.exe 2372 Bnicbh32.exe 2372 Bnicbh32.exe 2516 Bllcnega.exe 2516 Bllcnega.exe 2008 Bgahkngh.exe 2008 Bgahkngh.exe 2760 Bnlphh32.exe 2760 Bnlphh32.exe 2168 Bpjldc32.exe 2168 Bpjldc32.exe 656 Bgddam32.exe 656 Bgddam32.exe 744 Bheaiekc.exe 744 Bheaiekc.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Aepbmhpl.exe Qmenhe32.exe File opened for modification C:\Windows\SysWOW64\Fogdap32.exe Fkkhpadq.exe File created C:\Windows\SysWOW64\Gncgbkki.exe Geloanjg.exe File created C:\Windows\SysWOW64\Cifqgb32.dll Hnnjfo32.exe File created C:\Windows\SysWOW64\Ppkfhg32.dll Iickckcl.exe File opened for modification C:\Windows\SysWOW64\Jeoeclek.exe Jacibm32.exe File created C:\Windows\SysWOW64\Fpkljm32.dll Egpena32.exe File opened for modification C:\Windows\SysWOW64\Joblkegc.exe Jkfpjf32.exe File opened for modification C:\Windows\SysWOW64\Oknhdjko.exe Ogbldk32.exe File created C:\Windows\SysWOW64\Djoeki32.exe Dklepmal.exe File created C:\Windows\SysWOW64\Opnphfdp.dll Fipbhd32.exe File created C:\Windows\SysWOW64\Akfnkmei.exe Ahhaobfe.exe File created C:\Windows\SysWOW64\Dkaegg32.dll Cgdqpq32.exe File created C:\Windows\SysWOW64\Cekfoolj.dll Docopbaf.exe File opened for modification C:\Windows\SysWOW64\Emgkhj32.exe Ejioln32.exe File opened for modification C:\Windows\SysWOW64\Fobkfqpo.exe Fpokjd32.exe File created C:\Windows\SysWOW64\Qadkkc32.dll Lajkbp32.exe File created C:\Windows\SysWOW64\Hhchpk32.dll Pcnfdl32.exe File created C:\Windows\SysWOW64\Kcacil32.dll Cncolfcl.exe File created C:\Windows\SysWOW64\Dkbbinig.exe Dhdfmbjc.exe File opened for modification C:\Windows\SysWOW64\Hjlemlnk.exe Haemloni.exe File created C:\Windows\SysWOW64\Efmckpko.exe Ecogodlk.exe File created C:\Windows\SysWOW64\Bhdjno32.exe Bdinnqon.exe File opened for modification C:\Windows\SysWOW64\Amhcad32.exe Qdpohodn.exe File opened for modification C:\Windows\SysWOW64\Ddbmcb32.exe Dqfabdaf.exe File created C:\Windows\SysWOW64\Hlhddh32.exe Hijhhl32.exe File created C:\Windows\SysWOW64\Lpdankjg.exe Laaabo32.exe File opened for modification C:\Windows\SysWOW64\Ppkmjlca.exe Plpqim32.exe File created C:\Windows\SysWOW64\Nglaha32.dll Ejklan32.exe File opened for modification C:\Windows\SysWOW64\Kamlhl32.exe Kmaphmln.exe File created C:\Windows\SysWOW64\Bobhaimm.dll Dmcfngde.exe File opened for modification C:\Windows\SysWOW64\Ijidfpci.exe Ikfdkc32.exe File opened for modification C:\Windows\SysWOW64\Kjpceebh.exe Klmbjh32.exe File opened for modification C:\Windows\SysWOW64\Ofobgc32.exe Ocpfkh32.exe File created C:\Windows\SysWOW64\Igpaec32.exe Icdeee32.exe File opened for modification C:\Windows\SysWOW64\Cbpbgk32.exe Ckfjjqhd.exe File created C:\Windows\SysWOW64\Opnqffif.dll Gibbgmfe.exe File created C:\Windows\SysWOW64\Fnejdq32.dll Ifgklp32.exe File created C:\Windows\SysWOW64\Jpmooind.exe Jajocl32.exe File opened for modification C:\Windows\SysWOW64\Nqmqcmdh.exe Nnodgbed.exe File created C:\Windows\SysWOW64\Baclaf32.exe Boeoek32.exe File created C:\Windows\SysWOW64\Cbbomjnn.exe Codbqonk.exe File created C:\Windows\SysWOW64\Dppfbm32.dll Djgfgkbo.exe File opened for modification C:\Windows\SysWOW64\Kngekdnf.exe Kpdeoh32.exe File created C:\Windows\SysWOW64\Lkbpke32.exe Llpoohik.exe File opened for modification C:\Windows\SysWOW64\Qemomb32.exe Qbobaf32.exe File opened for modification C:\Windows\SysWOW64\Flfkoeoh.exe Fhjoof32.exe File created C:\Windows\SysWOW64\Hofqpc32.exe Hlhddh32.exe File created C:\Windows\SysWOW64\Cjoohi32.dll Hlmnogkl.exe File opened for modification C:\Windows\SysWOW64\Macjgadf.exe Mnhnfckm.exe File created C:\Windows\SysWOW64\Dfngll32.exe Dbbklnpj.exe File created C:\Windows\SysWOW64\Mmgofm32.dll Hqochjnk.exe File opened for modification C:\Windows\SysWOW64\Ingmmn32.exe Ifpelq32.exe File opened for modification C:\Windows\SysWOW64\Addhcn32.exe Amjpgdik.exe File created C:\Windows\SysWOW64\Ddppmclb.exe Dbadagln.exe File opened for modification C:\Windows\SysWOW64\Dhklna32.exe Ddppmclb.exe File created C:\Windows\SysWOW64\Fbpclofe.exe Flfkoeoh.exe File opened for modification C:\Windows\SysWOW64\Ggdekbgb.exe Ghaeoe32.exe File created C:\Windows\SysWOW64\Jnhdiaee.dll Kfidqb32.exe File opened for modification C:\Windows\SysWOW64\Lmcilp32.exe Lophacfl.exe File created C:\Windows\SysWOW64\Enpban32.exe Elaeeb32.exe File opened for modification C:\Windows\SysWOW64\Pncjad32.exe Pjhnqfla.exe File created C:\Windows\SysWOW64\Qdkcda32.dll Pcdldknm.exe File created C:\Windows\SysWOW64\Ilpcfn32.dll Ecgjdong.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 5896 5688 WerFault.exe 575 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Njchfc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Abnopj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Emgdmc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cdedde32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Joblkegc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bkcfjk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dhklna32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ioiidfon.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Monhjgkj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nhmbdl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Djmiejji.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eifobe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hkmaed32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iokfjf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jbphgpfg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Koibpd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Enhaeldn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ebcmfj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qmenhe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Amhcad32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lkbpke32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mkgeehnl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mgnfji32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aicmadmm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bgmnpn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Boeoek32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bojipjcj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dgnminke.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jkfpjf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ffdilo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jcfoihhp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mneaacno.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bafhff32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Doabjbci.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Imacijjb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pcnfdl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dfhgggim.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ekghcq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fegjgkla.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nhhehpbc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dkbbinig.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nopaoj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hhfkihon.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jjlmkb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Onamle32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ablbjj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ebfqfpop.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bdfahaaa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Caokmd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dbdham32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ldbjdj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nphghn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pcdldknm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jacibm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fbngfo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gaeqmk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ghaeoe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gcmcebkc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mokkegmm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Amoibc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bgddam32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ffbmfo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eiilge32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Elaeeb32.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bllcnega.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cahcle32.dll" Khojcj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kqnablhp.dll" Mdmmhn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ngbpehpj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Clilmbhd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Faijggao.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Geqlnjcf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gajjhkgh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lcpnpp32.dll" Monhjgkj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pcdldknm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bdfahaaa.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Epeajo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lceeqk32.dll" Felcbk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Glfgnh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Iianmlfn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Meecaa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bldainid.dll" Odacbpee.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Oqmmbqgd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gaeqmk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ijnnao32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jacibm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kgdgpfnf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mopdpg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbpihjem.dll" Ofobgc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pncjad32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iokhldhb.dll" Bnlphh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cqleifna.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ajnnkldn.dll" Hjlemlnk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hjggap32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Icfbkded.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Naegmabc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nhhehpbc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qemomb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bpebidam.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Flfkoeoh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bpijpamg.dll" Jaeehmko.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cjhckg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Olahgd32.dll" Dmmbge32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Honfqb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jidbmpjh.dll" Ocpfkh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bhkghqpb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dqlceg32.dll" Dcjaeamd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Macjgadf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qkekbn32.dll" Okkkoj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cgnpjkhj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" 6509f95c3a202f3fbdb8fcf65f95c740N.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Epkepakn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ddppmclb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ngbpoo32.dll" Epnkip32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ndfpnl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fimelc32.dll" Pjlgle32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dqfabdaf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Emjhmipi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kamlhl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dgnminke.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ofobgc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 6509f95c3a202f3fbdb8fcf65f95c740N.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Apefjqob.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hnnjfo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Blniinac.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aepbmhpl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dpfkeb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Leegbnan.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eocmkdfd.dll" Ooggpiek.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2140 wrote to memory of 2620 2140 6509f95c3a202f3fbdb8fcf65f95c740N.exe 30 PID 2140 wrote to memory of 2620 2140 6509f95c3a202f3fbdb8fcf65f95c740N.exe 30 PID 2140 wrote to memory of 2620 2140 6509f95c3a202f3fbdb8fcf65f95c740N.exe 30 PID 2140 wrote to memory of 2620 2140 6509f95c3a202f3fbdb8fcf65f95c740N.exe 30 PID 2620 wrote to memory of 2652 2620 Qiiahgjh.exe 31 PID 2620 wrote to memory of 2652 2620 Qiiahgjh.exe 31 PID 2620 wrote to memory of 2652 2620 Qiiahgjh.exe 31 PID 2620 wrote to memory of 2652 2620 Qiiahgjh.exe 31 PID 2652 wrote to memory of 2544 2652 Qmenhe32.exe 32 PID 2652 wrote to memory of 2544 2652 Qmenhe32.exe 32 PID 2652 wrote to memory of 2544 2652 Qmenhe32.exe 32 PID 2652 wrote to memory of 2544 2652 Qmenhe32.exe 32 PID 2544 wrote to memory of 2864 2544 Aepbmhpl.exe 33 PID 2544 wrote to memory of 2864 2544 Aepbmhpl.exe 33 PID 2544 wrote to memory of 2864 2544 Aepbmhpl.exe 33 PID 2544 wrote to memory of 2864 2544 Aepbmhpl.exe 33 PID 2864 wrote to memory of 2632 2864 Amgjnepn.exe 34 PID 2864 wrote to memory of 2632 2864 Amgjnepn.exe 34 PID 2864 wrote to memory of 2632 2864 Amgjnepn.exe 34 PID 2864 wrote to memory of 2632 2864 Amgjnepn.exe 34 PID 2632 wrote to memory of 2724 2632 Apefjqob.exe 35 PID 2632 wrote to memory of 2724 2632 Apefjqob.exe 35 PID 2632 wrote to memory of 2724 2632 Apefjqob.exe 35 PID 2632 wrote to memory of 2724 2632 Apefjqob.exe 35 PID 2724 wrote to memory of 1312 2724 Aohgfm32.exe 36 PID 2724 wrote to memory of 1312 2724 Aohgfm32.exe 36 PID 2724 wrote to memory of 1312 2724 Aohgfm32.exe 36 PID 2724 wrote to memory of 1312 2724 Aohgfm32.exe 36 PID 1312 wrote to memory of 2772 1312 Ainkcf32.exe 37 PID 1312 wrote to memory of 2772 1312 Ainkcf32.exe 37 PID 1312 wrote to memory of 2772 1312 Ainkcf32.exe 37 PID 1312 wrote to memory of 2772 1312 Ainkcf32.exe 37 PID 2772 wrote to memory of 1100 2772 Aphcppmo.exe 38 PID 2772 wrote to memory of 1100 2772 Aphcppmo.exe 38 PID 2772 wrote to memory of 1100 2772 Aphcppmo.exe 38 PID 2772 wrote to memory of 1100 2772 Aphcppmo.exe 38 PID 1100 wrote to memory of 2748 1100 Aaipghcn.exe 39 PID 1100 wrote to memory of 2748 1100 Aaipghcn.exe 39 PID 1100 wrote to memory of 2748 1100 Aaipghcn.exe 39 PID 1100 wrote to memory of 2748 1100 Aaipghcn.exe 39 PID 2748 wrote to memory of 444 2748 Aedlhg32.exe 40 PID 2748 wrote to memory of 444 2748 Aedlhg32.exe 40 PID 2748 wrote to memory of 444 2748 Aedlhg32.exe 40 PID 2748 wrote to memory of 444 2748 Aedlhg32.exe 40 PID 444 wrote to memory of 2416 444 Ahchdb32.exe 41 PID 444 wrote to memory of 2416 444 Ahchdb32.exe 41 PID 444 wrote to memory of 2416 444 Ahchdb32.exe 41 PID 444 wrote to memory of 2416 444 Ahchdb32.exe 41 PID 2416 wrote to memory of 2344 2416 Akadpn32.exe 42 PID 2416 wrote to memory of 2344 2416 Akadpn32.exe 42 PID 2416 wrote to memory of 2344 2416 Akadpn32.exe 42 PID 2416 wrote to memory of 2344 2416 Akadpn32.exe 42 PID 2344 wrote to memory of 1808 2344 Aaklmhak.exe 43 PID 2344 wrote to memory of 1808 2344 Aaklmhak.exe 43 PID 2344 wrote to memory of 1808 2344 Aaklmhak.exe 43 PID 2344 wrote to memory of 1808 2344 Aaklmhak.exe 43 PID 1808 wrote to memory of 1532 1808 Akdafn32.exe 44 PID 1808 wrote to memory of 1532 1808 Akdafn32.exe 44 PID 1808 wrote to memory of 1532 1808 Akdafn32.exe 44 PID 1808 wrote to memory of 1532 1808 Akdafn32.exe 44 PID 1532 wrote to memory of 2296 1532 Anbmbi32.exe 45 PID 1532 wrote to memory of 2296 1532 Anbmbi32.exe 45 PID 1532 wrote to memory of 2296 1532 Anbmbi32.exe 45 PID 1532 wrote to memory of 2296 1532 Anbmbi32.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\6509f95c3a202f3fbdb8fcf65f95c740N.exe"C:\Users\Admin\AppData\Local\Temp\6509f95c3a202f3fbdb8fcf65f95c740N.exe"1⤵
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2140 -
C:\Windows\SysWOW64\Qiiahgjh.exeC:\Windows\system32\Qiiahgjh.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2620 -
C:\Windows\SysWOW64\Qmenhe32.exeC:\Windows\system32\Qmenhe32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2652 -
C:\Windows\SysWOW64\Aepbmhpl.exeC:\Windows\system32\Aepbmhpl.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2544 -
C:\Windows\SysWOW64\Amgjnepn.exeC:\Windows\system32\Amgjnepn.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2864 -
C:\Windows\SysWOW64\Apefjqob.exeC:\Windows\system32\Apefjqob.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2632 -
C:\Windows\SysWOW64\Aohgfm32.exeC:\Windows\system32\Aohgfm32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2724 -
C:\Windows\SysWOW64\Ainkcf32.exeC:\Windows\system32\Ainkcf32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1312 -
C:\Windows\SysWOW64\Aphcppmo.exeC:\Windows\system32\Aphcppmo.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2772 -
C:\Windows\SysWOW64\Aaipghcn.exeC:\Windows\system32\Aaipghcn.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1100 -
C:\Windows\SysWOW64\Aedlhg32.exeC:\Windows\system32\Aedlhg32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2748 -
C:\Windows\SysWOW64\Ahchdb32.exeC:\Windows\system32\Ahchdb32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:444 -
C:\Windows\SysWOW64\Akadpn32.exeC:\Windows\system32\Akadpn32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2416 -
C:\Windows\SysWOW64\Aaklmhak.exeC:\Windows\system32\Aaklmhak.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2344 -
C:\Windows\SysWOW64\Akdafn32.exeC:\Windows\system32\Akdafn32.exe15⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1808 -
C:\Windows\SysWOW64\Anbmbi32.exeC:\Windows\system32\Anbmbi32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1532 -
C:\Windows\SysWOW64\Ahhaobfe.exeC:\Windows\system32\Ahhaobfe.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2296 -
C:\Windows\SysWOW64\Akfnkmei.exeC:\Windows\system32\Akfnkmei.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:888 -
C:\Windows\SysWOW64\Andjgidl.exeC:\Windows\system32\Andjgidl.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1876 -
C:\Windows\SysWOW64\Bapfhg32.exeC:\Windows\system32\Bapfhg32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2380 -
C:\Windows\SysWOW64\Bgmnpn32.exeC:\Windows\system32\Bgmnpn32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1984 -
C:\Windows\SysWOW64\Bikjmj32.exeC:\Windows\system32\Bikjmj32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:376 -
C:\Windows\SysWOW64\Bpebidam.exeC:\Windows\system32\Bpebidam.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:604 -
C:\Windows\SysWOW64\Bccoeo32.exeC:\Windows\system32\Bccoeo32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2264 -
C:\Windows\SysWOW64\Bkkgfm32.exeC:\Windows\system32\Bkkgfm32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1304 -
C:\Windows\SysWOW64\Bnicbh32.exeC:\Windows\system32\Bnicbh32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2372 -
C:\Windows\SysWOW64\Bllcnega.exeC:\Windows\system32\Bllcnega.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2516 -
C:\Windows\SysWOW64\Bgahkngh.exeC:\Windows\system32\Bgahkngh.exe28⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2008 -
C:\Windows\SysWOW64\Bnlphh32.exeC:\Windows\system32\Bnlphh32.exe29⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2760 -
C:\Windows\SysWOW64\Bpjldc32.exeC:\Windows\system32\Bpjldc32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2168 -
C:\Windows\SysWOW64\Bgddam32.exeC:\Windows\system32\Bgddam32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:656 -
C:\Windows\SysWOW64\Bheaiekc.exeC:\Windows\system32\Bheaiekc.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:744 -
C:\Windows\SysWOW64\Booiep32.exeC:\Windows\system32\Booiep32.exe33⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1688 -
C:\Windows\SysWOW64\Bfiabjjm.exeC:\Windows\system32\Bfiabjjm.exe34⤵
- Executes dropped EXE
PID:2936 -
C:\Windows\SysWOW64\Clciod32.exeC:\Windows\system32\Clciod32.exe35⤵
- Executes dropped EXE
PID:1480 -
C:\Windows\SysWOW64\Ckfjjqhd.exeC:\Windows\system32\Ckfjjqhd.exe36⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2796 -
C:\Windows\SysWOW64\Cbpbgk32.exeC:\Windows\system32\Cbpbgk32.exe37⤵
- Executes dropped EXE
PID:2016 -
C:\Windows\SysWOW64\Cfknhi32.exeC:\Windows\system32\Cfknhi32.exe38⤵
- Executes dropped EXE
PID:2052 -
C:\Windows\SysWOW64\Clefdcog.exeC:\Windows\system32\Clefdcog.exe39⤵
- Executes dropped EXE
PID:2036 -
C:\Windows\SysWOW64\Codbqonk.exeC:\Windows\system32\Codbqonk.exe40⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2324 -
C:\Windows\SysWOW64\Cbbomjnn.exeC:\Windows\system32\Cbbomjnn.exe41⤵
- Executes dropped EXE
PID:2184 -
C:\Windows\SysWOW64\Cdqkifmb.exeC:\Windows\system32\Cdqkifmb.exe42⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1696 -
C:\Windows\SysWOW64\Chlgid32.exeC:\Windows\system32\Chlgid32.exe43⤵
- Executes dropped EXE
PID:2100 -
C:\Windows\SysWOW64\Ckkcep32.exeC:\Windows\system32\Ckkcep32.exe44⤵
- Executes dropped EXE
PID:1176 -
C:\Windows\SysWOW64\Cnipak32.exeC:\Windows\system32\Cnipak32.exe45⤵
- Executes dropped EXE
PID:2468 -
C:\Windows\SysWOW64\Cbdkbjkl.exeC:\Windows\system32\Cbdkbjkl.exe46⤵
- Executes dropped EXE
PID:1672 -
C:\Windows\SysWOW64\Cdchneko.exeC:\Windows\system32\Cdchneko.exe47⤵
- Executes dropped EXE
PID:692 -
C:\Windows\SysWOW64\Chocodch.exeC:\Windows\system32\Chocodch.exe48⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:632 -
C:\Windows\SysWOW64\Ckmpkpbl.exeC:\Windows\system32\Ckmpkpbl.exe49⤵
- Executes dropped EXE
PID:1168 -
C:\Windows\SysWOW64\Cjppfl32.exeC:\Windows\system32\Cjppfl32.exe50⤵
- Executes dropped EXE
PID:1288 -
C:\Windows\SysWOW64\Cbghhj32.exeC:\Windows\system32\Cbghhj32.exe51⤵
- Executes dropped EXE
PID:2844 -
C:\Windows\SysWOW64\Cqjhcfpc.exeC:\Windows\system32\Cqjhcfpc.exe52⤵
- Executes dropped EXE
PID:2956 -
C:\Windows\SysWOW64\Cdedde32.exeC:\Windows\system32\Cdedde32.exe53⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2780 -
C:\Windows\SysWOW64\Cchdpbog.exeC:\Windows\system32\Cchdpbog.exe54⤵
- Executes dropped EXE
PID:1272 -
C:\Windows\SysWOW64\Cgdqpq32.exeC:\Windows\system32\Cgdqpq32.exe55⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2480 -
C:\Windows\SysWOW64\Cjbmll32.exeC:\Windows\system32\Cjbmll32.exe56⤵
- Executes dropped EXE
PID:2216 -
C:\Windows\SysWOW64\Cmqihg32.exeC:\Windows\system32\Cmqihg32.exe57⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3024 -
C:\Windows\SysWOW64\Cqleifna.exeC:\Windows\system32\Cqleifna.exe58⤵
- Executes dropped EXE
- Modifies registry class
PID:1216 -
C:\Windows\SysWOW64\Dcjaeamd.exeC:\Windows\system32\Dcjaeamd.exe59⤵
- Executes dropped EXE
- Modifies registry class
PID:2572 -
C:\Windows\SysWOW64\Dgfmep32.exeC:\Windows\system32\Dgfmep32.exe60⤵
- Executes dropped EXE
PID:2916 -
C:\Windows\SysWOW64\Dfinam32.exeC:\Windows\system32\Dfinam32.exe61⤵
- Executes dropped EXE
PID:1928 -
C:\Windows\SysWOW64\Dnpebj32.exeC:\Windows\system32\Dnpebj32.exe62⤵
- Executes dropped EXE
PID:588 -
C:\Windows\SysWOW64\Dmcfngde.exeC:\Windows\system32\Dmcfngde.exe63⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2112 -
C:\Windows\SysWOW64\Doabjbci.exeC:\Windows\system32\Doabjbci.exe64⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1896 -
C:\Windows\SysWOW64\Dcmnja32.exeC:\Windows\system32\Dcmnja32.exe65⤵
- Executes dropped EXE
PID:968 -
C:\Windows\SysWOW64\Dghjkpck.exeC:\Windows\system32\Dghjkpck.exe66⤵PID:2096
-
C:\Windows\SysWOW64\Djgfgkbo.exeC:\Windows\system32\Djgfgkbo.exe67⤵
- Drops file in System32 directory
PID:2876 -
C:\Windows\SysWOW64\Dijfch32.exeC:\Windows\system32\Dijfch32.exe68⤵PID:1404
-
C:\Windows\SysWOW64\Dmebcgbb.exeC:\Windows\system32\Dmebcgbb.exe69⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:772 -
C:\Windows\SysWOW64\Docopbaf.exeC:\Windows\system32\Docopbaf.exe70⤵
- Drops file in System32 directory
PID:2044 -
C:\Windows\SysWOW64\Dbbklnpj.exeC:\Windows\system32\Dbbklnpj.exe71⤵
- Drops file in System32 directory
PID:2888 -
C:\Windows\SysWOW64\Dfngll32.exeC:\Windows\system32\Dfngll32.exe72⤵PID:2452
-
C:\Windows\SysWOW64\Dilchhgg.exeC:\Windows\system32\Dilchhgg.exe73⤵PID:2636
-
C:\Windows\SysWOW64\Dmgoif32.exeC:\Windows\system32\Dmgoif32.exe74⤵PID:1716
-
C:\Windows\SysWOW64\Dkjpdcfj.exeC:\Windows\system32\Dkjpdcfj.exe75⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2584 -
C:\Windows\SysWOW64\Dpfkeb32.exeC:\Windows\system32\Dpfkeb32.exe76⤵
- Modifies registry class
PID:2528 -
C:\Windows\SysWOW64\Dbdham32.exeC:\Windows\system32\Dbdham32.exe77⤵
- System Location Discovery: System Language Discovery
PID:1956 -
C:\Windows\SysWOW64\Dfpcblfp.exeC:\Windows\system32\Dfpcblfp.exe78⤵PID:3008
-
C:\Windows\SysWOW64\Dinpnged.exeC:\Windows\system32\Dinpnged.exe79⤵PID:2476
-
C:\Windows\SysWOW64\Dkmljcdh.exeC:\Windows\system32\Dkmljcdh.exe80⤵PID:2940
-
C:\Windows\SysWOW64\Dnkhfnck.exeC:\Windows\system32\Dnkhfnck.exe81⤵PID:1148
-
C:\Windows\SysWOW64\Dbgdgm32.exeC:\Windows\system32\Dbgdgm32.exe82⤵PID:536
-
C:\Windows\SysWOW64\Deeqch32.exeC:\Windows\system32\Deeqch32.exe83⤵PID:2064
-
C:\Windows\SysWOW64\Diqmcgca.exeC:\Windows\system32\Diqmcgca.exe84⤵PID:2204
-
C:\Windows\SysWOW64\Dgcmod32.exeC:\Windows\system32\Dgcmod32.exe85⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1656 -
C:\Windows\SysWOW64\Epkepakn.exeC:\Windows\system32\Epkepakn.exe86⤵
- Modifies registry class
PID:2396 -
C:\Windows\SysWOW64\Enneln32.exeC:\Windows\system32\Enneln32.exe87⤵PID:2592
-
C:\Windows\SysWOW64\Ebialmjb.exeC:\Windows\system32\Ebialmjb.exe88⤵PID:1888
-
C:\Windows\SysWOW64\Eegmhhie.exeC:\Windows\system32\Eegmhhie.exe89⤵PID:1860
-
C:\Windows\SysWOW64\Egfjdchi.exeC:\Windows\system32\Egfjdchi.exe90⤵PID:1064
-
C:\Windows\SysWOW64\Elaeeb32.exeC:\Windows\system32\Elaeeb32.exe91⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2228 -
C:\Windows\SysWOW64\Enpban32.exeC:\Windows\system32\Enpban32.exe92⤵PID:2820
-
C:\Windows\SysWOW64\Ebknblho.exeC:\Windows\system32\Ebknblho.exe93⤵PID:2508
-
C:\Windows\SysWOW64\Eejjnhgc.exeC:\Windows\system32\Eejjnhgc.exe94⤵PID:1856
-
C:\Windows\SysWOW64\Ecmjid32.exeC:\Windows\system32\Ecmjid32.exe95⤵PID:1080
-
C:\Windows\SysWOW64\Eldbkbop.exeC:\Windows\system32\Eldbkbop.exe96⤵PID:2868
-
C:\Windows\SysWOW64\Ejfbfo32.exeC:\Windows\system32\Ejfbfo32.exe97⤵PID:2732
-
C:\Windows\SysWOW64\Enbogmnc.exeC:\Windows\system32\Enbogmnc.exe98⤵PID:2212
-
C:\Windows\SysWOW64\Eaqkcimg.exeC:\Windows\system32\Eaqkcimg.exe99⤵PID:2304
-
C:\Windows\SysWOW64\Ecogodlk.exeC:\Windows\system32\Ecogodlk.exe100⤵
- Drops file in System32 directory
PID:1900 -
C:\Windows\SysWOW64\Efmckpko.exeC:\Windows\system32\Efmckpko.exe101⤵PID:336
-
C:\Windows\SysWOW64\Ejioln32.exeC:\Windows\system32\Ejioln32.exe102⤵
- Drops file in System32 directory
PID:1512 -
C:\Windows\SysWOW64\Emgkhj32.exeC:\Windows\system32\Emgkhj32.exe103⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1548 -
C:\Windows\SysWOW64\Eacghhkd.exeC:\Windows\system32\Eacghhkd.exe104⤵PID:3052
-
C:\Windows\SysWOW64\Ecadddjh.exeC:\Windows\system32\Ecadddjh.exe105⤵PID:2440
-
C:\Windows\SysWOW64\Efppqoil.exeC:\Windows\system32\Efppqoil.exe106⤵PID:2644
-
C:\Windows\SysWOW64\Ejklan32.exeC:\Windows\system32\Ejklan32.exe107⤵
- Drops file in System32 directory
PID:2624 -
C:\Windows\SysWOW64\Einlmkhp.exeC:\Windows\system32\Einlmkhp.exe108⤵PID:2092
-
C:\Windows\SysWOW64\Emjhmipi.exeC:\Windows\system32\Emjhmipi.exe109⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2276 -
C:\Windows\SysWOW64\Ephdjeol.exeC:\Windows\system32\Ephdjeol.exe110⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2944 -
C:\Windows\SysWOW64\Ebfqfpop.exeC:\Windows\system32\Ebfqfpop.exe111⤵
- System Location Discovery: System Language Discovery
PID:2804 -
C:\Windows\SysWOW64\Ffbmfo32.exeC:\Windows\system32\Ffbmfo32.exe112⤵
- System Location Discovery: System Language Discovery
PID:2328 -
C:\Windows\SysWOW64\Fiqibj32.exeC:\Windows\system32\Fiqibj32.exe113⤵PID:1336
-
C:\Windows\SysWOW64\Fdfmpc32.exeC:\Windows\system32\Fdfmpc32.exe114⤵PID:2136
-
C:\Windows\SysWOW64\Ffdilo32.exeC:\Windows\system32\Ffdilo32.exe115⤵
- System Location Discovery: System Language Discovery
PID:1972 -
C:\Windows\SysWOW64\Fegjgkla.exeC:\Windows\system32\Fegjgkla.exe116⤵
- System Location Discovery: System Language Discovery
PID:1904 -
C:\Windows\SysWOW64\Flabdecn.exeC:\Windows\system32\Flabdecn.exe117⤵PID:2280
-
C:\Windows\SysWOW64\Fpmned32.exeC:\Windows\system32\Fpmned32.exe118⤵PID:864
-
C:\Windows\SysWOW64\Fbkjap32.exeC:\Windows\system32\Fbkjap32.exe119⤵PID:2900
-
C:\Windows\SysWOW64\Ffgfancd.exeC:\Windows\system32\Ffgfancd.exe120⤵PID:2540
-
C:\Windows\SysWOW64\Fejfmk32.exeC:\Windows\system32\Fejfmk32.exe121⤵PID:1924
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-