Analysis
max time kernel: 120s
max time network: 19s
platform: windows7_x64
resource: win7-20240704-en
resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
submitted: 01/09/2024, 17:57

Static task: static1

Behavioral task: behavioral1
Sample: 78cd71a2b0c344e778c31129c6f688e0N.exe
Resource: win7-20240704-en

Behavioral task: behavioral2
Sample: 78cd71a2b0c344e778c31129c6f688e0N.exe
Resource: win10v2004-20240802-en

General
Target: 78cd71a2b0c344e778c31129c6f688e0N.exe
Size: 96KB
MD5: 78cd71a2b0c344e778c31129c6f688e0
SHA1: dbb4eb75625d2bdcdec18ed578f1b21e23a22cbc
SHA256: 1fc5f4ebf256a56f7a5bb51efa8665c45b1b95c3d6f90b977fdb9c2981aa630a
SHA512: 9c2698d21bd7c736372c9b909e31fa5d7947904dea46a1a0056976ceb5dd82749f375f762d4c470e11b688c15ba1a9747f8ff9b0188b8263b3a3c45063abc1a2
SSDEEP: 1536:4/kqospVGu2NiGtZ0wROiconF217XHeCCzItotyr/BOmwCMy0QiLiizHNQNdq:4/1TGu2NZMoM1H7QIGtyr5OmwCMyELiY
Malware Config

Signatures
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Hhhmki32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Ojlmgg32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Mibgho32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Abpjgekf.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Hjlekm32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Nedfofig.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Process not Found
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ebemnc32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Cjgmoahd.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Process not Found
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Camlpldf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Iiablido.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Ffbjpfmg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Iiiapg32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Edjjph32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Lcmdlgoj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Fqmobelc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Iikneggd.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Emmljodk.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Process not Found
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Process not Found
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Nfhpjaba.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bdhjfc32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Pbohmh32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Jlfahgpf.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Nfpphp32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Process not Found
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Process not Found
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ghlell32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Filnjk32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Kkmhej32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bmahbhei.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Ocbnqfln.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Dolondiq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Process not Found
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Process not Found
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Hqhiab32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Dkohanoc.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ljljenoi.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Process not Found
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Process not Found
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Process not Found
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Mhpeem32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Dfbdje32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Dpicceon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Qiclcp32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Jjkmhbek.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Ndbjgjqh.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Process not Found
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ldangbhd.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Mmepboin.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Phibbk32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Fdnabo32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Cahbem32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Process not Found
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Ddgcdjip.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bdiaqj32.exe
Executes dropped EXE 64 IoCs
pid | Process
2268 | Eaangfjf.exe
2848 | Fimclh32.exe
2896 | Folhio32.exe
2928 | Flbehbqm.exe
2632 | Faonqiod.exe
2020 | Gdbchd32.exe
1056 | Gjahfkfg.exe
2080 | Gqmmhdka.exe
3016 | Hhhblgim.exe
2308 | Hikobfgj.exe
1296 | Hcqcoo32.exe
1228 | Hojqjp32.exe
2464 | Hnomkloi.exe
2244 | Ifloeo32.exe
1796 | Iabcbg32.exe
2476 | Ijmdql32.exe
1476 | Jaoblk32.exe
1824 | Jhndcd32.exe
1156 | Jmkmlk32.exe
732 | Kpnbcfkc.exe
2712 | Kekkkm32.exe
1708 | Kocodbpk.exe
2608 | Keodflee.exe
1588 | Lojeda32.exe
2740 | Ldgnmhhj.exe
2784 | Lnaokn32.exe
2932 | Lkepdbkb.exe
1264 | Mpeebhhf.exe
2704 | Mojaceln.exe
2616 | Mdigakic.exe
436 | Mnakjaoc.exe
2920 | Mgjpcf32.exe
2092 | Nbodpo32.exe
552 | Nkhhie32.exe
1608 | Nbaafocg.exe
1632 | Nkjeod32.exe
784 | Ndbjgjqh.exe
2248 | Nnknqpgi.exe
876 | Ngcbie32.exe
2164 | Nmpkal32.exe
1940 | Nfhpjaba.exe
1656 | Olehbh32.exe
1664 | Ofklpa32.exe
1164 | Opcaiggo.exe
2356 | Oikeal32.exe
2440 | Oafjfokk.exe
1728 | Ohqbbi32.exe
1556 | Ohcohh32.exe
2468 | Ompgqonl.exe
2788 | Pfhlie32.exe
2804 | Panpgn32.exe
2648 | Pjfdpckc.exe
2036 | Ppcmhj32.exe
1668 | Pmgnan32.exe
2560 | Pbcfie32.exe
2912 | Pbfcoedi.exe
2124 | Phckglbq.exe
1036 | Qeglqpaj.exe
2236 | Qlqdmj32.exe
2284 | Qdlialfb.exe
1704 | Akfaof32.exe
888 | Ahjahk32.exe
1988 | Aabfqp32.exe
1532 | Agonig32.exe
Loads dropped DLL 64 IoCs
pid | Process
2304 | 78cd71a2b0c344e778c31129c6f688e0N.exe
2304 | 78cd71a2b0c344e778c31129c6f688e0N.exe
2268 | Eaangfjf.exe
2268 | Eaangfjf.exe
2848 | Fimclh32.exe
2848 | Fimclh32.exe
2896 | Folhio32.exe
2896 | Folhio32.exe
2928 | Flbehbqm.exe
2928 | Flbehbqm.exe
2632 | Faonqiod.exe
2632 | Faonqiod.exe
2020 | Gdbchd32.exe
2020 | Gdbchd32.exe
1056 | Gjahfkfg.exe
1056 | Gjahfkfg.exe
2080 | Gqmmhdka.exe
2080 | Gqmmhdka.exe
3016 | Hhhblgim.exe
3016 | Hhhblgim.exe
2308 | Hikobfgj.exe
2308 | Hikobfgj.exe
1296 | Hcqcoo32.exe
1296 | Hcqcoo32.exe
1228 | Hojqjp32.exe
1228 | Hojqjp32.exe
2464 | Hnomkloi.exe
2464 | Hnomkloi.exe
2244 | Ifloeo32.exe
2244 | Ifloeo32.exe
1796 | Iabcbg32.exe
1796 | Iabcbg32.exe
2476 | Ijmdql32.exe
2476 | Ijmdql32.exe
1476 | Jaoblk32.exe
1476 | Jaoblk32.exe
1824 | Jhndcd32.exe
1824 | Jhndcd32.exe
1156 | Jmkmlk32.exe
1156 | Jmkmlk32.exe
732 | Kpnbcfkc.exe
732 | Kpnbcfkc.exe
2712 | Kekkkm32.exe
2712 | Kekkkm32.exe
1708 | Kocodbpk.exe
1708 | Kocodbpk.exe
2608 | Keodflee.exe
2608 | Keodflee.exe
1588 | Lojeda32.exe
1588 | Lojeda32.exe
2740 | Ldgnmhhj.exe
2740 | Ldgnmhhj.exe
2784 | Lnaokn32.exe
2784 | Lnaokn32.exe
2932 | Lkepdbkb.exe
2932 | Lkepdbkb.exe
1264 | Mpeebhhf.exe
1264 | Mpeebhhf.exe
2704 | Mojaceln.exe
2704 | Mojaceln.exe
2616 | Mdigakic.exe
2616 | Mdigakic.exe
436 | Mnakjaoc.exe
436 | Mnakjaoc.exe
Drops file in System32 directory 64 IoCs
description | ioc | Process
File created | C:\Windows\SysWOW64\Jobgmokc.dll | Cdflhppk.exe
File opened for modification | C:\Windows\SysWOW64\Klnpke32.exe | Kdckgc32.exe
File created | C:\Windows\SysWOW64\Nllafq32.exe | Nfoinj32.exe
File created | C:\Windows\SysWOW64\Bdlccoje.exe | Process not Found
File created | C:\Windows\SysWOW64\Lagomagp.dll | Afoqbpid.exe
File created | C:\Windows\SysWOW64\Najbbepc.exe | Nlmjjo32.exe
File opened for modification | C:\Windows\SysWOW64\Pcajpjoi.exe | Pfnjfepp.exe
File created | C:\Windows\SysWOW64\Eempnnjn.dll | Process not Found
File opened for modification | C:\Windows\SysWOW64\Lkbphfab.exe | Liddljan.exe
File opened for modification | C:\Windows\SysWOW64\Fgpcgi32.exe | Fkibbh32.exe
File opened for modification | C:\Windows\SysWOW64\Gcceqa32.exe | Process not Found
File opened for modification | C:\Windows\SysWOW64\Gibadm32.exe | Floaji32.exe
File created | C:\Windows\SysWOW64\Ngcbie32.exe | Nnknqpgi.exe
File created | C:\Windows\SysWOW64\Bfjijo32.dll | Kelqff32.exe
File created | C:\Windows\SysWOW64\Ejldfh32.exe | Dnecag32.exe
File created | C:\Windows\SysWOW64\Bemenm32.dll | Process not Found
File opened for modification | C:\Windows\SysWOW64\Gmflmfpe.exe | Gcmgdpid.exe
File created | C:\Windows\SysWOW64\Bclbhkdj.exe | Bkqnchgo.exe
File created | C:\Windows\SysWOW64\Cipaqqli.exe | Bccihj32.exe
File created | C:\Windows\SysWOW64\Dggcbf32.exe | Dqmkflcd.exe
File opened for modification | C:\Windows\SysWOW64\Ibplji32.exe | Ioapnn32.exe
File opened for modification | C:\Windows\SysWOW64\Ejldfh32.exe | Dnecag32.exe
File opened for modification | C:\Windows\SysWOW64\Gpdhiaoi.exe | Gmflmfpe.exe
File created | C:\Windows\SysWOW64\Qbenaghd.dll | Process not Found
File created | C:\Windows\SysWOW64\Olihibek.dll | Process not Found
File created | C:\Windows\SysWOW64\Kaolmoii.dll | Process not Found
File created | C:\Windows\SysWOW64\Jdgphqgg.dll | Dcaghm32.exe
File created | C:\Windows\SysWOW64\Ecklgdag.exe | Ejbhno32.exe
File opened for modification | C:\Windows\SysWOW64\Idqpjg32.exe | Igmppcpm.exe
File created | C:\Windows\SysWOW64\Dgjkcdoi.dll | Process not Found
File opened for modification | C:\Windows\SysWOW64\Jnncoini.exe | Jkpfcnoe.exe
File opened for modification | C:\Windows\SysWOW64\Ebnokjpf.exe | Eqmbca32.exe
File opened for modification | C:\Windows\SysWOW64\Cnanbijd.exe | Process not Found
File created | C:\Windows\SysWOW64\Imnaimag.dll | Ecklgdag.exe
File created | C:\Windows\SysWOW64\Jmehoabj.dll | Process not Found
File created | C:\Windows\SysWOW64\Pcchoj32.exe | Process not Found
File opened for modification | C:\Windows\SysWOW64\Clpeajjb.exe | Bnjipn32.exe
File opened for modification | C:\Windows\SysWOW64\Ecidbfbb.exe | Emmljodk.exe
File opened for modification | C:\Windows\SysWOW64\Kfpmfgpn.exe | Kodhbe32.exe
File created | C:\Windows\SysWOW64\Nhllchmg.dll | Gdqlpj32.exe
File opened for modification | C:\Windows\SysWOW64\Aepqac32.exe | Process not Found
File opened for modification | C:\Windows\SysWOW64\Nlojcg32.exe | Process not Found
File created | C:\Windows\SysWOW64\Aamekk32.exe | Qhdabemb.exe
File opened for modification | C:\Windows\SysWOW64\Mmepboin.exe | Lhhhjhkf.exe
File opened for modification | C:\Windows\SysWOW64\Ocbnqfln.exe | Oenngb32.exe
File opened for modification | C:\Windows\SysWOW64\Ncplfj32.exe | Nelkme32.exe
File opened for modification | C:\Windows\SysWOW64\Qpicjend.exe | Qkmjbo32.exe
File opened for modification | C:\Windows\SysWOW64\Bkmijk32.exe | Process not Found
File opened for modification | C:\Windows\SysWOW64\Mdidhfdp.exe | Mhbdce32.exe
File created | C:\Windows\SysWOW64\Bhjngnod.exe | Bcmeogam.exe
File created | C:\Windows\SysWOW64\Ldangbhd.exe | Koeeoljm.exe
File created | C:\Windows\SysWOW64\Njlopkmg.exe | Nogjbbma.exe
File opened for modification | C:\Windows\SysWOW64\Iniidj32.exe | Iilalc32.exe
File created | C:\Windows\SysWOW64\Mcccglnn.exe | Mkhocj32.exe
File created | C:\Windows\SysWOW64\Ffjhgodp.dll | Jjkmhbek.exe
File created | C:\Windows\SysWOW64\Gdiode32.exe | Process not Found
File opened for modification | C:\Windows\SysWOW64\Jaklei32.exe | Jiphpf32.exe
File created | C:\Windows\SysWOW64\Cjgmoahd.exe | Ccmdbg32.exe
File created | C:\Windows\SysWOW64\Pddbni32.dll | Nfhcmkkg.exe
File created | C:\Windows\SysWOW64\Jdmnao32.dll | Abnpjnem.exe
File created | C:\Windows\SysWOW64\Bbggdf32.exe | Process not Found
File opened for modification | C:\Windows\SysWOW64\Bcmeogam.exe | Bhgaan32.exe
File opened for modification | C:\Windows\SysWOW64\Kjalch32.exe | Kmnljc32.exe
File created | C:\Windows\SysWOW64\Ocfjnb32.dll | Mqckaf32.exe
Program crash 1 IoCs
pid | pid_target | Process | procid_target
2724 | 4532 | Process not Found | 1432
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ldgnmhhj.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Dkohanoc.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Olklmk32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Afgoem32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Pdpepejb.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Bojogp32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Belcck32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Iomaaa32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Kqomai32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Gflfidpl.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Jmmmdd32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Mbcaoh32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Inpchbdl.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ohqbbi32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Feeilbhg.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Fenedlec.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Mdidhfdp.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Odpghiqc.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Pgcmoc32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Okhboc32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Bfpkfb32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Bdhjfc32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Edahca32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Hjeojnep.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Khlkba32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Njlopkmg.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Iipgeb32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Nphbhm32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Oabdol32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Pblkgh32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Eaiqnmgd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Mpcjfa32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Lheilofe.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ahhgkdfo.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Hhfcnb32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ddeammok.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Lcooinfc.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Gkmabdfb.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Glhjpjok.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Hikpnkme.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ehilgikj.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Mmgmhngk.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Fcdpld32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Foacmg32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Odbhofjh.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Emogdk32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Fniikj32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Iabcbg32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ippflkok.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Gkcnleom.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Modifies registry class 64 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bgleei32.dll" | Aanonj32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dmjdbg32.dll" | Process not Found
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Process not Found
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Process not Found
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Ngkfnp32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Eqjenb32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Bfjhippb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dhpnlnon.dll" | Fefboabg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bnqnai32.dll" | Llefld32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bgcbjeaq.dll" | Nmaialjp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Injlmcib.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Jgdmkhnp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Hbjjfl32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Inpchbdl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Process not Found
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Pbfcoedi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hkddne32.dll" | Ooabjbdn.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pfgboeij.dll" | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kdpeplpn.dll" | Hnbhpl32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Ilcfjkgj.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Eqmbca32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Dmbpaa32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jmafdaaj.dll" | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ggfehlqg.dll" | Bgqqcd32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Konpjafp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qkfpgc32.dll" | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Mkhocj32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Hjlekm32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Phgppddg.dll" | Ikcpmieg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Eagdgaoe.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmfimhnl.dll" | Mibgho32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mdafcaak.dll" | Plfhfiqc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kphkapbl.dll" | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Klfbmd32.dll" | Dicmlpje.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Blkoocfl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Nkfpefme.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Ldchff32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Cbihpbpl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Feljja32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gomjpg32.dll" | Process not Found
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bpaaao32.dll" | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Ibdcnm32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gajfen32.dll" | Process not Found
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Dllnphkd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Gdchifik.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Process not Found
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nfighccb.dll" | Panpgn32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Fcdpld32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eioicpja.dll" | Kaeadppc.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Apmmen32.dll" | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffoehg32.dll" | Imbakfcc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Gfpkbbmo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Nknmplji.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Eddgaj32.exe
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
Each entry gives the depth in the process tree, the image path and, in parentheses, the command line the sandbox recorded, followed by the behaviour tags and PID.
1) C:\Users\Admin\AppData\Local\Temp\78cd71a2b0c344e778c31129c6f688e0N.exe (command line: "C:\Users\Admin\AppData\Local\Temp\78cd71a2b0c344e778c31129c6f688e0N.exe")
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2304 -
2) C:\Windows\SysWOW64\Eaangfjf.exe (command line: C:\Windows\system32\Eaangfjf.exe)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2268 -
3) C:\Windows\SysWOW64\Fimclh32.exe (command line: C:\Windows\system32\Fimclh32.exe)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2848 -
4) C:\Windows\SysWOW64\Folhio32.exe (command line: C:\Windows\system32\Folhio32.exe)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2896 -
5) C:\Windows\SysWOW64\Flbehbqm.exe (command line: C:\Windows\system32\Flbehbqm.exe)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2928 -
6) C:\Windows\SysWOW64\Faonqiod.exe (command line: C:\Windows\system32\Faonqiod.exe)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2632 -
7) C:\Windows\SysWOW64\Gdbchd32.exe (command line: C:\Windows\system32\Gdbchd32.exe)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2020 -
8) C:\Windows\SysWOW64\Gjahfkfg.exe (command line: C:\Windows\system32\Gjahfkfg.exe)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1056 -
9) C:\Windows\SysWOW64\Gqmmhdka.exe (command line: C:\Windows\system32\Gqmmhdka.exe)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2080 -
10) C:\Windows\SysWOW64\Hhhblgim.exe (command line: C:\Windows\system32\Hhhblgim.exe)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3016 -
11) C:\Windows\SysWOW64\Hikobfgj.exe (command line: C:\Windows\system32\Hikobfgj.exe)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2308 -
12) C:\Windows\SysWOW64\Hcqcoo32.exe (command line: C:\Windows\system32\Hcqcoo32.exe)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1296 -
13) C:\Windows\SysWOW64\Hojqjp32.exe (command line: C:\Windows\system32\Hojqjp32.exe)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1228 -
14) C:\Windows\SysWOW64\Hnomkloi.exe (command line: C:\Windows\system32\Hnomkloi.exe)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2464 -
15) C:\Windows\SysWOW64\Ifloeo32.exe (command line: C:\Windows\system32\Ifloeo32.exe)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2244 -
16) C:\Windows\SysWOW64\Iabcbg32.exe (command line: C:\Windows\system32\Iabcbg32.exe)
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1796 -
17) C:\Windows\SysWOW64\Ijmdql32.exe (command line: C:\Windows\system32\Ijmdql32.exe)
- Executes dropped EXE
- Loads dropped DLL
PID:2476 -
18) C:\Windows\SysWOW64\Jaoblk32.exe (command line: C:\Windows\system32\Jaoblk32.exe)
- Executes dropped EXE
- Loads dropped DLL
PID:1476 -
19) C:\Windows\SysWOW64\Jhndcd32.exe (command line: C:\Windows\system32\Jhndcd32.exe)
- Executes dropped EXE
- Loads dropped DLL
PID:1824 -
20) C:\Windows\SysWOW64\Jmkmlk32.exe (command line: C:\Windows\system32\Jmkmlk32.exe)
- Executes dropped EXE
- Loads dropped DLL
PID:1156 -
21) C:\Windows\SysWOW64\Kpnbcfkc.exe (command line: C:\Windows\system32\Kpnbcfkc.exe)
- Executes dropped EXE
- Loads dropped DLL
PID:732 -
22) C:\Windows\SysWOW64\Kekkkm32.exe (command line: C:\Windows\system32\Kekkkm32.exe)
- Executes dropped EXE
- Loads dropped DLL
PID:2712 -
23) C:\Windows\SysWOW64\Kocodbpk.exe (command line: C:\Windows\system32\Kocodbpk.exe)
- Executes dropped EXE
- Loads dropped DLL
PID:1708 -
24) C:\Windows\SysWOW64\Keodflee.exe (command line: C:\Windows\system32\Keodflee.exe)
- Executes dropped EXE
- Loads dropped DLL
PID:2608 -
25) C:\Windows\SysWOW64\Lojeda32.exe (command line: C:\Windows\system32\Lojeda32.exe)
- Executes dropped EXE
- Loads dropped DLL
PID:1588 -
26) C:\Windows\SysWOW64\Ldgnmhhj.exe (command line: C:\Windows\system32\Ldgnmhhj.exe)
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2740 -
27) C:\Windows\SysWOW64\Lnaokn32.exe (command line: C:\Windows\system32\Lnaokn32.exe)
- Executes dropped EXE
- Loads dropped DLL
PID:2784 -
28) C:\Windows\SysWOW64\Lkepdbkb.exe (command line: C:\Windows\system32\Lkepdbkb.exe)
- Executes dropped EXE
- Loads dropped DLL
PID:2932 -
29) C:\Windows\SysWOW64\Mpeebhhf.exe (command line: C:\Windows\system32\Mpeebhhf.exe)
- Executes dropped EXE
- Loads dropped DLL
PID:1264 -
30) C:\Windows\SysWOW64\Mojaceln.exe (command line: C:\Windows\system32\Mojaceln.exe)
- Executes dropped EXE
- Loads dropped DLL
PID:2704 -
31) C:\Windows\SysWOW64\Mdigakic.exe (command line: C:\Windows\system32\Mdigakic.exe)
- Executes dropped EXE
- Loads dropped DLL
PID:2616 -
32) C:\Windows\SysWOW64\Mnakjaoc.exe (command line: C:\Windows\system32\Mnakjaoc.exe)
- Executes dropped EXE
- Loads dropped DLL
PID:436 -
33) C:\Windows\SysWOW64\Mgjpcf32.exe (command line: C:\Windows\system32\Mgjpcf32.exe)
- Executes dropped EXE
PID:2920 -
34) C:\Windows\SysWOW64\Nbodpo32.exe (command line: C:\Windows\system32\Nbodpo32.exe)
- Executes dropped EXE
PID:2092 -
35) C:\Windows\SysWOW64\Nkhhie32.exe (command line: C:\Windows\system32\Nkhhie32.exe)
- Executes dropped EXE
PID:552 -
36) C:\Windows\SysWOW64\Nbaafocg.exe (command line: C:\Windows\system32\Nbaafocg.exe)
- Executes dropped EXE
PID:1608 -
37) C:\Windows\SysWOW64\Nkjeod32.exe (command line: C:\Windows\system32\Nkjeod32.exe)
- Executes dropped EXE
PID:1632 -
38) C:\Windows\SysWOW64\Ndbjgjqh.exe (command line: C:\Windows\system32\Ndbjgjqh.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:784 -
39) C:\Windows\SysWOW64\Nnknqpgi.exe (command line: C:\Windows\system32\Nnknqpgi.exe)
- Executes dropped EXE
- Drops file in System32 directory
PID:2248 -
40) C:\Windows\SysWOW64\Ngcbie32.exe (command line: C:\Windows\system32\Ngcbie32.exe)
- Executes dropped EXE
PID:876 -
41) C:\Windows\SysWOW64\Nmpkal32.exe (command line: C:\Windows\system32\Nmpkal32.exe)
- Executes dropped EXE
PID:2164 -
42) C:\Windows\SysWOW64\Nfhpjaba.exe (command line: C:\Windows\system32\Nfhpjaba.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1940 -
43) C:\Windows\SysWOW64\Olehbh32.exe (command line: C:\Windows\system32\Olehbh32.exe)
- Executes dropped EXE
PID:1656 -
44) C:\Windows\SysWOW64\Ofklpa32.exe (command line: C:\Windows\system32\Ofklpa32.exe)
- Executes dropped EXE
PID:1664 -
45) C:\Windows\SysWOW64\Opcaiggo.exe (command line: C:\Windows\system32\Opcaiggo.exe)
- Executes dropped EXE
PID:1164 -
46) C:\Windows\SysWOW64\Oikeal32.exe (command line: C:\Windows\system32\Oikeal32.exe)
- Executes dropped EXE
PID:2356 -
47) C:\Windows\SysWOW64\Oafjfokk.exe (command line: C:\Windows\system32\Oafjfokk.exe)
- Executes dropped EXE
PID:2440 -
48) C:\Windows\SysWOW64\Ohqbbi32.exe (command line: C:\Windows\system32\Ohqbbi32.exe)
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1728 -
49) C:\Windows\SysWOW64\Ohcohh32.exe (command line: C:\Windows\system32\Ohcohh32.exe)
- Executes dropped EXE
PID:1556 -
50) C:\Windows\SysWOW64\Ompgqonl.exe (command line: C:\Windows\system32\Ompgqonl.exe)
- Executes dropped EXE
PID:2468 -
51) C:\Windows\SysWOW64\Pfhlie32.exe (command line: C:\Windows\system32\Pfhlie32.exe)
- Executes dropped EXE
PID:2788 -
52) C:\Windows\SysWOW64\Panpgn32.exe (command line: C:\Windows\system32\Panpgn32.exe)
- Executes dropped EXE
- Modifies registry class
PID:2804 -
53) C:\Windows\SysWOW64\Pjfdpckc.exe (command line: C:\Windows\system32\Pjfdpckc.exe)
- Executes dropped EXE
PID:2648 -
54) C:\Windows\SysWOW64\Ppcmhj32.exe (command line: C:\Windows\system32\Ppcmhj32.exe)
- Executes dropped EXE
PID:2036 -
55) C:\Windows\SysWOW64\Pmgnan32.exe (command line: C:\Windows\system32\Pmgnan32.exe)
- Executes dropped EXE
PID:1668 -
56) C:\Windows\SysWOW64\Pbcfie32.exe (command line: C:\Windows\system32\Pbcfie32.exe)
- Executes dropped EXE
PID:2560 -
57) C:\Windows\SysWOW64\Pbfcoedi.exe (command line: C:\Windows\system32\Pbfcoedi.exe)
- Executes dropped EXE
- Modifies registry class
PID:2912 -
58) C:\Windows\SysWOW64\Phckglbq.exe (command line: C:\Windows\system32\Phckglbq.exe)
- Executes dropped EXE
PID:2124 -
59) C:\Windows\SysWOW64\Qeglqpaj.exe (command line: C:\Windows\system32\Qeglqpaj.exe)
- Executes dropped EXE
PID:1036 -
60) C:\Windows\SysWOW64\Qlqdmj32.exe (command line: C:\Windows\system32\Qlqdmj32.exe)
- Executes dropped EXE
PID:2236 -
61) C:\Windows\SysWOW64\Qdlialfb.exe (command line: C:\Windows\system32\Qdlialfb.exe)
- Executes dropped EXE
PID:2284 -
62) C:\Windows\SysWOW64\Akfaof32.exe (command line: C:\Windows\system32\Akfaof32.exe)
- Executes dropped EXE
PID:1704 -
63) C:\Windows\SysWOW64\Ahjahk32.exe (command line: C:\Windows\system32\Ahjahk32.exe)
- Executes dropped EXE
PID:888 -
64) C:\Windows\SysWOW64\Aabfqp32.exe (command line: C:\Windows\system32\Aabfqp32.exe)
- Executes dropped EXE
PID:1988 -
65) C:\Windows\SysWOW64\Agonig32.exe (command line: C:\Windows\system32\Agonig32.exe)
- Executes dropped EXE
PID:1532 -
66) C:\Windows\SysWOW64\Adcobk32.exe (command line: C:\Windows\system32\Adcobk32.exe)
PID:1100 -
67) C:\Windows\SysWOW64\Adekhkng.exe (command line: C:\Windows\system32\Adekhkng.exe)
PID:948 -
68) C:\Windows\SysWOW64\Annpaq32.exe (command line: C:\Windows\system32\Annpaq32.exe)
PID:2564 -
69) C:\Windows\SysWOW64\Bhgaan32.exe (command line: C:\Windows\system32\Bhgaan32.exe)
- Drops file in System32 directory
PID:1812 -
70) C:\Windows\SysWOW64\Bcmeogam.exe (command line: C:\Windows\system32\Bcmeogam.exe)
- Drops file in System32 directory
PID:856 -
71) C:\Windows\SysWOW64\Bhjngnod.exe (command line: C:\Windows\system32\Bhjngnod.exe)
PID:2780 -
72) C:\Windows\SysWOW64\Bfnnpbnn.exe (command line: C:\Windows\system32\Bfnnpbnn.exe)
PID:2864 -
73) C:\Windows\SysWOW64\Bfpkfb32.exe (command line: C:\Windows\system32\Bfpkfb32.exe)
- System Location Discovery: System Language Discovery
PID:2856 -
74) C:\Windows\SysWOW64\Bgagnjbi.exe (command line: C:\Windows\system32\Bgagnjbi.exe)
PID:2816 -
75) C:\Windows\SysWOW64\Bgcdcjpf.exe (command line: C:\Windows\system32\Bgcdcjpf.exe)
PID:2496 -
76) C:\Windows\SysWOW64\Cbihpbpl.exe (command line: C:\Windows\system32\Cbihpbpl.exe)
- Modifies registry class
PID:2376 -
77) C:\Windows\SysWOW64\Ckamihfm.exe (command line: C:\Windows\system32\Ckamihfm.exe)
PID:2944 -
78) C:\Windows\SysWOW64\Ccmanjch.exe (command line: C:\Windows\system32\Ccmanjch.exe)
PID:2156 -
79) C:\Windows\SysWOW64\Cnbfkccn.exe (command line: C:\Windows\system32\Cnbfkccn.exe)
PID:1820 -
80) C:\Windows\SysWOW64\Cconcjae.exe (command line: C:\Windows\system32\Cconcjae.exe)
PID:2216 -
81) C:\Windows\SysWOW64\Cbdkdffm.exe (command line: C:\Windows\system32\Cbdkdffm.exe)
PID:1192 -
82) C:\Windows\SysWOW64\Cmjoaofc.exe (command line: C:\Windows\system32\Cmjoaofc.exe)
PID:1628 -
83) C:\Windows\SysWOW64\Dfbdje32.exe (command line: C:\Windows\system32\Dfbdje32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2360 -
84) C:\Windows\SysWOW64\Dkolblkk.exe (command line: C:\Windows\system32\Dkolblkk.exe)
PID:2168 -
85) C:\Windows\SysWOW64\Dicmlpje.exe (command line: C:\Windows\system32\Dicmlpje.exe)
- Modifies registry class
PID:2144 -
86) C:\Windows\SysWOW64\Dnpedghl.exe (command line: C:\Windows\system32\Dnpedghl.exe)
PID:932 -
87) C:\Windows\SysWOW64\Dbmnjenb.exe (command line: C:\Windows\system32\Dbmnjenb.exe)
PID:2172 -
88) C:\Windows\SysWOW64\Dgjfbllj.exe (command line: C:\Windows\system32\Dgjfbllj.exe)
PID:3004 -
89) C:\Windows\SysWOW64\Dcaghm32.exe (command line: C:\Windows\system32\Dcaghm32.exe)
- Drops file in System32 directory
PID:2588 -
90) C:\Windows\SysWOW64\Djkodg32.exe (command line: C:\Windows\system32\Djkodg32.exe)
PID:2640 -
91) C:\Windows\SysWOW64\Ehopnk32.exe (command line: C:\Windows\system32\Ehopnk32.exe)
PID:2884 -
92) C:\Windows\SysWOW64\Eagdgaoe.exe (command line: C:\Windows\system32\Eagdgaoe.exe)
- Modifies registry class
PID:612 -
93) C:\Windows\SysWOW64\Emnelbdi.exe (command line: C:\Windows\system32\Emnelbdi.exe)
PID:2452 -
94) C:\Windows\SysWOW64\Ebkndibq.exe (command line: C:\Windows\system32\Ebkndibq.exe)
PID:2388 -
95) C:\Windows\SysWOW64\Elcbmn32.exe (command line: C:\Windows\system32\Elcbmn32.exe)
PID:1304 -
96) C:\Windows\SysWOW64\Fhaibnim.exe (command line: C:\Windows\system32\Fhaibnim.exe)
PID:1088 -
97) C:\Windows\SysWOW64\Feeilbhg.exe (command line: C:\Windows\system32\Feeilbhg.exe)
- System Location Discovery: System Language Discovery
PID:2208 -
98) C:\Windows\SysWOW64\Fkbadifn.exe (command line: C:\Windows\system32\Fkbadifn.exe)
PID:2472 -
99) C:\Windows\SysWOW64\Gdmcbojl.exe (command line: C:\Windows\system32\Gdmcbojl.exe)
PID:852 -
100) C:\Windows\SysWOW64\Gkfkoi32.exe (command line: C:\Windows\system32\Gkfkoi32.exe)
PID:1096 -
101) C:\Windows\SysWOW64\Gdophn32.exe (command line: C:\Windows\system32\Gdophn32.exe)
PID:580 -
102) C:\Windows\SysWOW64\Gilhpe32.exe (command line: C:\Windows\system32\Gilhpe32.exe)
PID:908 -
103) C:\Windows\SysWOW64\Gcdmikma.exe (command line: C:\Windows\system32\Gcdmikma.exe)
PID:868 -
104) C:\Windows\SysWOW64\Gllabp32.exe (command line: C:\Windows\system32\Gllabp32.exe)
PID:1584 -
105) C:\Windows\SysWOW64\Geeekf32.exe (command line: C:\Windows\system32\Geeekf32.exe)
PID:2860 -
106) C:\Windows\SysWOW64\Gcifdj32.exe (command line: C:\Windows\system32\Gcifdj32.exe)
PID:2644 -
107) C:\Windows\SysWOW64\Hopgikop.exe (command line: C:\Windows\system32\Hopgikop.exe)
PID:916 -
108) C:\Windows\SysWOW64\Hhhkbqea.exe (command line: C:\Windows\system32\Hhhkbqea.exe)
PID:1724 -
109) C:\Windows\SysWOW64\Happkf32.exe (command line: C:\Windows\system32\Happkf32.exe)
PID:1000 -
110) C:\Windows\SysWOW64\Hjkdoh32.exe (command line: C:\Windows\system32\Hjkdoh32.exe)
PID:1396 -
111) C:\Windows\SysWOW64\Hdailaib.exe (command line: C:\Windows\system32\Hdailaib.exe)
PID:2808 -
112) C:\Windows\SysWOW64\Hnimeg32.exe (command line: C:\Windows\system32\Hnimeg32.exe)
PID:2328 -
113) C:\Windows\SysWOW64\Hqhiab32.exe (command line: C:\Windows\system32\Hqhiab32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1832 -
114) C:\Windows\SysWOW64\Hfdbji32.exe (command line: C:\Windows\system32\Hfdbji32.exe)
PID:1012 -
115) C:\Windows\SysWOW64\Homfboco.exe (command line: C:\Windows\system32\Homfboco.exe)
PID:1108 -
116) C:\Windows\SysWOW64\Ifgooikk.exe (command line: C:\Windows\system32\Ifgooikk.exe)
PID:2576 -
117) C:\Windows\SysWOW64\Ioochn32.exe (command line: C:\Windows\system32\Ioochn32.exe)
PID:2772 -
118) C:\Windows\SysWOW64\Ijegeg32.exe (command line: C:\Windows\system32\Ijegeg32.exe)
PID:2108 -
119) C:\Windows\SysWOW64\Ioapnn32.exe (command line: C:\Windows\system32\Ioapnn32.exe)
- Drops file in System32 directory
PID:1624 -
120) C:\Windows\SysWOW64\Ibplji32.exe (command line: C:\Windows\system32\Ibplji32.exe)
PID:2936 -
121) C:\Windows\SysWOW64\Iijdfc32.exe (command line: C:\Windows\system32\Iijdfc32.exe)
PID:2836 -
122) C:\Windows\SysWOW64\Iodlcnmf.exe (command line: C:\Windows\system32\Iodlcnmf.exe)
PID:1528 -