Analysis
-
max time kernel
39s -
max time network
17s -
platform
windows7_x64 -
resource
win7-20240729-en -
resource tags
arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system -
submitted
03/09/2024, 04:06
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
eea22e3616b493ec4588387204f79770N.exe
Resource
win7-20240729-en
windows7-x64
8 signatures
120 seconds
Behavioral task
behavioral2
Sample
eea22e3616b493ec4588387204f79770N.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
7 signatures
120 seconds
General
-
Target
eea22e3616b493ec4588387204f79770N.exe
-
Size
78KB
-
MD5
eea22e3616b493ec4588387204f79770
-
SHA1
71ef491ef03325313aacaf4dec83b52bb9bec7d2
-
SHA256
e6a2b1cfe70d5b7bbd9281b2652dfee7150f01b4aa42fdb338c73802fcd3555e
-
SHA512
90f4dde12f3d5067074f84dafb6e6a63c5c1412312511c62415c54576453cec5d33bb27757f88638875729d91f81d34169ebd520e3d2d10cc01125bac7765317
-
SSDEEP
1536:s2qB9MpwWF6XTIpKC9pWeKnW9rL8MpiVtN+zL20gJi1ie:gBapuX+9pWa9rZiVtgzL20WKt
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dafoikjb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Famaimfe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hcepqh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hmmdin32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bknjfb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pioeoi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bogjaamh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dlgjldnm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dahkok32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gamnhq32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kageia32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kpieengb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oajndh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bfoeil32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fkefbcmf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gkebafoa.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Imbjcpnn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ppddpd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eppefg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fmohco32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ikldqile.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cqfbjhgf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dfcgbb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ccpeld32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kpieengb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bhkeohhn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hjohmbpd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jmdgipkk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qkielpdf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bfcodkcb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bgdkkc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Epnhpglg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Elkofg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hcepqh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hifbdnbi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Libjncnc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aiaoclgl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Omckoi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ppddpd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fhdmph32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gpggei32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hjaeba32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ioeclg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Opialpld.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Colpld32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cehhdkjf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Faonom32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gkebafoa.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hnhgha32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jikhnaao.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jibnop32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Obeacl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kmimcbja.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dgknkf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gqdgom32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hmbndmkb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Khgkpl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Anadojlo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qoeamo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Anjnnk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ageompfe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cfckcoen.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dhpgfeao.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eppefg32.exe -
Executes dropped EXE 64 IoCs
pid Process 2068 Nkkmgncb.exe 2956 Nqhepeai.exe 2788 Nmofdf32.exe 2428 Ncinap32.exe 2564 Nmabjfek.exe 2844 Nppofado.exe 2044 Nihcog32.exe 756 Nqokpd32.exe 1700 Nmflee32.exe 1900 Obbdml32.exe 2292 Olkifaen.exe 288 Obeacl32.exe 2240 Opialpld.exe 2368 Oajndh32.exe 1672 Objjnkie.exe 1160 Ohfcfb32.exe 1632 Omckoi32.exe 1816 Odmckcmq.exe 2404 Pnchhllf.exe 588 Ppddpd32.exe 1444 Pjihmmbk.exe 1988 Pacajg32.exe 1924 Pbemboof.exe 2616 Pioeoi32.exe 2320 Pbgjgomc.exe 2840 Peefcjlg.exe 2648 Plpopddd.exe 2556 Pehcij32.exe 1676 Ppmgfb32.exe 3068 Popgboae.exe 1604 Qobdgo32.exe 2728 Qaapcj32.exe 2752 Qkielpdf.exe 2960 Qoeamo32.exe 3044 Aacmij32.exe 2172 Adaiee32.exe 2748 Agpeaa32.exe 448 Aklabp32.exe 1620 Anjnnk32.exe 2604 Aphjjf32.exe 1488 Ahpbkd32.exe 2308 Aknngo32.exe 112 Aiaoclgl.exe 1892 Aahfdihn.exe 2620 Adfbpega.exe 2104 Ageompfe.exe 2188 Ajckilei.exe 2972 Alageg32.exe 2580 Adipfd32.exe 2540 Agglbp32.exe 2096 Ajehnk32.exe 2232 Anadojlo.exe 2736 Alddjg32.exe 1504 Aobpfb32.exe 1928 Afliclij.exe 536 Ajhddk32.exe 2364 Bhkeohhn.exe 3004 Bpbmqe32.exe 2116 Bcpimq32.exe 2756 Bfoeil32.exe 1056 Bjjaikoa.exe 2276 Blinefnd.exe 1660 Bogjaamh.exe 1724 Baefnmml.exe -
Loads dropped DLL 64 IoCs
pid Process 2208 eea22e3616b493ec4588387204f79770N.exe 2208 eea22e3616b493ec4588387204f79770N.exe 2068 Nkkmgncb.exe 2068 Nkkmgncb.exe 2956 Nqhepeai.exe 2956 Nqhepeai.exe 2788 Nmofdf32.exe 2788 Nmofdf32.exe 2428 Ncinap32.exe 2428 Ncinap32.exe 2564 Nmabjfek.exe 2564 Nmabjfek.exe 2844 Nppofado.exe 2844 Nppofado.exe 2044 Nihcog32.exe 2044 Nihcog32.exe 756 Nqokpd32.exe 756 Nqokpd32.exe 1700 Nmflee32.exe 1700 Nmflee32.exe 1900 Obbdml32.exe 1900 Obbdml32.exe 2292 Olkifaen.exe 2292 Olkifaen.exe 288 Obeacl32.exe 288 Obeacl32.exe 2240 Opialpld.exe 2240 Opialpld.exe 2368 Oajndh32.exe 2368 Oajndh32.exe 1672 Objjnkie.exe 1672 Objjnkie.exe 1160 Ohfcfb32.exe 1160 Ohfcfb32.exe 1632 Omckoi32.exe 1632 Omckoi32.exe 1816 Odmckcmq.exe 1816 Odmckcmq.exe 2404 Pnchhllf.exe 2404 Pnchhllf.exe 588 Ppddpd32.exe 588 Ppddpd32.exe 1444 Pjihmmbk.exe 1444 Pjihmmbk.exe 1988 Pacajg32.exe 1988 Pacajg32.exe 1924 Pbemboof.exe 1924 Pbemboof.exe 2616 Pioeoi32.exe 2616 Pioeoi32.exe 2320 Pbgjgomc.exe 2320 Pbgjgomc.exe 2840 Peefcjlg.exe 2840 Peefcjlg.exe 2648 Plpopddd.exe 2648 Plpopddd.exe 2556 Pehcij32.exe 2556 Pehcij32.exe 1676 Ppmgfb32.exe 1676 Ppmgfb32.exe 3068 Popgboae.exe 3068 Popgboae.exe 1604 Qobdgo32.exe 1604 Qobdgo32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Pecikhmn.dll Nqhepeai.exe File created C:\Windows\SysWOW64\Ccbbachm.exe Cogfqe32.exe File created C:\Windows\SysWOW64\Klcgpkhh.exe Khgkpl32.exe File created C:\Windows\SysWOW64\Mkhngh32.dll Pnchhllf.exe File created C:\Windows\SysWOW64\Dhbccb32.dll Bknjfb32.exe File created C:\Windows\SysWOW64\Flkeabdg.dll Bbllnlfd.exe File created C:\Windows\SysWOW64\Nedamakn.dll Cfckcoen.exe File created C:\Windows\SysWOW64\Ggegqe32.dll Hcgmfgfd.exe File created C:\Windows\SysWOW64\Hqkmplen.exe Hnmacpfj.exe File opened for modification C:\Windows\SysWOW64\Honnki32.exe Hqkmplen.exe File opened for modification C:\Windows\SysWOW64\Dhpgfeao.exe Dafoikjb.exe File opened for modification C:\Windows\SysWOW64\Fmfocnjg.exe Fkhbgbkc.exe File created C:\Windows\SysWOW64\Glbaei32.exe Gdkjdl32.exe File opened for modification C:\Windows\SysWOW64\Pbemboof.exe Pacajg32.exe File created C:\Windows\SysWOW64\Ckbpqe32.exe Cidddj32.exe File opened for modification C:\Windows\SysWOW64\Djocbqpb.exe Dfcgbb32.exe File created C:\Windows\SysWOW64\Ebqngb32.exe Epbbkf32.exe File opened for modification C:\Windows\SysWOW64\Giaidnkf.exe Gajqbakc.exe File created C:\Windows\SysWOW64\Dbhbaq32.dll Ajhddk32.exe File created C:\Windows\SysWOW64\Mdmckc32.dll Gnfkba32.exe File opened for modification C:\Windows\SysWOW64\Nihcog32.exe Nppofado.exe File created C:\Windows\SysWOW64\Bdmnkd32.dll Emdeok32.exe File created C:\Windows\SysWOW64\Ikgjnobg.dll Ncinap32.exe File created C:\Windows\SysWOW64\Mlpckqje.dll Inojhc32.exe File opened for modification C:\Windows\SysWOW64\Nmflee32.exe Nqokpd32.exe File created C:\Windows\SysWOW64\Adfbpega.exe Aahfdihn.exe File opened for modification C:\Windows\SysWOW64\Adfbpega.exe Aahfdihn.exe File created C:\Windows\SysWOW64\Hellqgnm.dll Gkebafoa.exe File created C:\Windows\SysWOW64\Lcmdjb32.dll Objjnkie.exe File created C:\Windows\SysWOW64\Adiijqhm.dll Ppddpd32.exe File created C:\Windows\SysWOW64\Dgnjqe32.exe Deondj32.exe File created C:\Windows\SysWOW64\Aqgpml32.dll Hjfnnajl.exe File created C:\Windows\SysWOW64\Dhpgfeao.exe Dafoikjb.exe File opened for modification C:\Windows\SysWOW64\Fkefbcmf.exe Fhgifgnb.exe File created C:\Windows\SysWOW64\Igejec32.dll Alageg32.exe File created C:\Windows\SysWOW64\Ajhddk32.exe Afliclij.exe File created C:\Windows\SysWOW64\Dhcihn32.dll Eojlbb32.exe File opened for modification C:\Windows\SysWOW64\Fefqdl32.exe Fmohco32.exe File created C:\Windows\SysWOW64\Ogbogkjn.dll Iebldo32.exe File created C:\Windows\SysWOW64\Ieibdnnp.exe Imbjcpnn.exe File created C:\Windows\SysWOW64\Bilfjg32.dll Odmckcmq.exe File opened for modification C:\Windows\SysWOW64\Hnhgha32.exe Hkjkle32.exe File opened for modification C:\Windows\SysWOW64\Inhdgdmk.exe Ioeclg32.exe File opened for modification C:\Windows\SysWOW64\Jcciqi32.exe Jllqplnp.exe File opened for modification C:\Windows\SysWOW64\Bnlgbnbp.exe Bknjfb32.exe File created C:\Windows\SysWOW64\Npepbkgb.dll Ccpeld32.exe File created C:\Windows\SysWOW64\Eckfklnl.dll Dboeco32.exe File opened for modification C:\Windows\SysWOW64\Dnhbmpkn.exe Dgnjqe32.exe File opened for modification C:\Windows\SysWOW64\Bfoeil32.exe Bcpimq32.exe File opened for modification C:\Windows\SysWOW64\Kdnkdmec.exe Kekkiq32.exe File opened for modification C:\Windows\SysWOW64\Aobpfb32.exe Alddjg32.exe File created C:\Windows\SysWOW64\Efjmbaba.exe Ebnabb32.exe File created C:\Windows\SysWOW64\Fpnehm32.dll Bfoeil32.exe File created C:\Windows\SysWOW64\Bbllnlfd.exe Bjedmo32.exe File created C:\Windows\SysWOW64\Gdnfjl32.exe Gaojnq32.exe File opened for modification C:\Windows\SysWOW64\Cgidfcdk.exe Bdkhjgeh.exe File opened for modification C:\Windows\SysWOW64\Ikldqile.exe Igqhpj32.exe File created C:\Windows\SysWOW64\Lpcfmngo.dll Nmabjfek.exe File created C:\Windows\SysWOW64\Eafkhn32.exe Epeoaffo.exe File created C:\Windows\SysWOW64\Eioigi32.dll Gqdgom32.exe File opened for modification C:\Windows\SysWOW64\Omckoi32.exe Ohfcfb32.exe File created C:\Windows\SysWOW64\Dnhbmpkn.exe Dgnjqe32.exe File created C:\Windows\SysWOW64\Lknocpdc.dll Feddombd.exe File created C:\Windows\SysWOW64\Iakino32.exe Inmmbc32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 4012 2860 WerFault.exe 323 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Klecfkff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Blkjkflb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Colpld32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Icncgf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jfmkbebl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jmipdo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kfodfh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Difqji32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dgiaefgg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Efedga32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ifolhann.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kambcbhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hifbdnbi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ioeclg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qkielpdf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qoeamo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Agglbp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kpieengb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Obeacl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Opialpld.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eimcjl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Giaidnkf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ajehnk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ebnabb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kgcnahoo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fccglehn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gamnhq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hqkmplen.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Plpopddd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bcpimq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dgknkf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Epnhpglg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fcqjfeja.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hclfag32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Injqmdki.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Alddjg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dbabho32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jipaip32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jnofgg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Klcgpkhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nqhepeai.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Djocbqpb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hkjkle32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bfoeil32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ccbbachm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gecpnp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nqokpd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eicpcm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Flnlkgjq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hjfnnajl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iegeonpc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Khldkllj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Blinefnd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gncnmane.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ikldqile.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ppddpd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qaapcj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bhbkpgbf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gcgqgd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ikgkei32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Adaiee32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Afliclij.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Epeoaffo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fbegbacp.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cfckcoen.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Djocbqpb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Plpopddd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bcpimq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bbllnlfd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qmeedp32.dll" Jfmkbebl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fmcjcekp.dll" Fdgdji32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gnfkba32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Iclbpj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ckpckece.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pofhpf32.dll" Cbjlhpkb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Efjmbaba.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ifkmqd32.dll" Jfcabd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fbhljb32.dll" Bdkhjgeh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gdnfjl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aqgpml32.dll" Hjfnnajl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gcjmmdbf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hcepqh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Iegeonpc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pbpifm32.dll" Iclbpj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kpgionie.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nihcog32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bpbmqe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Acfgdc32.dll" Blkjkflb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hqkmplen.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffdmihcc.dll" Inhdgdmk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nklcci32.dll" Bfcodkcb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fbegbacp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aijpfppe.dll" Hcepqh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dafoikjb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dcghkf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odiaql32.dll" Hqiqjlga.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ifolhann.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Iakino32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lcmdjb32.dll" Objjnkie.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bhcgiiek.dll" Popgboae.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Difqji32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hffhec32.dll" Gaagcpdl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nmflee32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eifmimch.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Elibpg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Odmckcmq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ikeebbaa.dll" Gncnmane.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hcgmfgfd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qaacem32.dll" Pacajg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cidddj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pncadjah.dll" Hoqjqhjf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Plcpehgf.dll" Fgocmc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fkhbgbkc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hjaeba32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ifblipqh.dll" Imggplgm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qmgaio32.dll" Jcqlkjae.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Acfdii32.dll" Omckoi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cdmepgce.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Epeoaffo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dfcgbb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fpdkpiik.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jibnop32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 eea22e3616b493ec4588387204f79770N.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nkkmgncb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cgidfcdk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hmmdin32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eghoka32.dll" Kenhopmf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bgdkkc32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2208 wrote to memory of 2068 2208 eea22e3616b493ec4588387204f79770N.exe 31 PID 2208 wrote to memory of 2068 2208 eea22e3616b493ec4588387204f79770N.exe 31 PID 2208 wrote to memory of 2068 2208 eea22e3616b493ec4588387204f79770N.exe 31 PID 2208 wrote to memory of 2068 2208 eea22e3616b493ec4588387204f79770N.exe 31 PID 2068 wrote to memory of 2956 2068 Nkkmgncb.exe 32 PID 2068 wrote to memory of 2956 2068 Nkkmgncb.exe 32 PID 2068 wrote to memory of 2956 2068 Nkkmgncb.exe 32 PID 2068 wrote to memory of 2956 2068 Nkkmgncb.exe 32 PID 2956 wrote to memory of 2788 2956 Nqhepeai.exe 33 PID 2956 wrote to memory of 2788 2956 Nqhepeai.exe 33 PID 2956 wrote to memory of 2788 2956 Nqhepeai.exe 33 PID 2956 wrote to memory of 2788 2956 Nqhepeai.exe 33 PID 2788 wrote to memory of 2428 2788 Nmofdf32.exe 34 PID 2788 wrote to memory of 2428 2788 Nmofdf32.exe 34 PID 2788 wrote to memory of 2428 2788 Nmofdf32.exe 34 PID 2788 wrote to memory of 2428 2788 Nmofdf32.exe 34 PID 2428 wrote to memory of 2564 2428 Ncinap32.exe 35 PID 2428 wrote to memory of 2564 2428 Ncinap32.exe 35 PID 2428 wrote to memory of 2564 2428 Ncinap32.exe 35 PID 2428 wrote to memory of 2564 2428 Ncinap32.exe 35 PID 2564 wrote to memory of 2844 2564 Nmabjfek.exe 36 PID 2564 wrote to memory of 2844 2564 Nmabjfek.exe 36 PID 2564 wrote to memory of 2844 2564 Nmabjfek.exe 36 PID 2564 wrote to memory of 2844 2564 Nmabjfek.exe 36 PID 2844 wrote to memory of 2044 2844 Nppofado.exe 37 PID 2844 wrote to memory of 2044 2844 Nppofado.exe 37 PID 2844 wrote to memory of 2044 2844 Nppofado.exe 37 PID 2844 wrote to memory of 2044 2844 Nppofado.exe 37 PID 2044 wrote to memory of 756 2044 Nihcog32.exe 38 PID 2044 wrote to memory of 756 2044 Nihcog32.exe 38 PID 2044 wrote to memory of 756 2044 Nihcog32.exe 38 PID 2044 wrote to memory of 756 2044 Nihcog32.exe 38 PID 756 wrote to memory of 1700 756 Nqokpd32.exe 39 PID 756 wrote to memory of 1700 756 Nqokpd32.exe 39 PID 756 wrote to memory of 1700 756 Nqokpd32.exe 39 PID 756 wrote to memory of 1700 756 Nqokpd32.exe 39 PID 1700 wrote to memory of 1900 1700 Nmflee32.exe 40 PID 1700 wrote to memory of 1900 1700 Nmflee32.exe 40 PID 1700 wrote to memory of 1900 1700 Nmflee32.exe 40 PID 1700 wrote to memory of 1900 1700 Nmflee32.exe 40 PID 1900 wrote to memory of 2292 1900 Obbdml32.exe 41 PID 1900 wrote to memory of 2292 1900 Obbdml32.exe 41 PID 1900 wrote to memory of 2292 1900 Obbdml32.exe 41 PID 1900 wrote to memory of 2292 1900 Obbdml32.exe 41 PID 2292 wrote to memory of 288 2292 Olkifaen.exe 42 PID 2292 wrote to memory of 288 2292 Olkifaen.exe 42 PID 2292 wrote to memory of 288 2292 Olkifaen.exe 42 PID 2292 wrote to memory of 288 2292 Olkifaen.exe 42 PID 288 wrote to memory of 2240 288 Obeacl32.exe 43 PID 288 wrote to memory of 2240 288 Obeacl32.exe 43 PID 288 wrote to memory of 2240 288 Obeacl32.exe 43 PID 288 wrote to memory of 2240 288 Obeacl32.exe 43 PID 2240 wrote to memory of 2368 2240 Opialpld.exe 44 PID 2240 wrote to memory of 2368 2240 Opialpld.exe 44 PID 2240 wrote to memory of 2368 2240 Opialpld.exe 44 PID 2240 wrote to memory of 2368 2240 Opialpld.exe 44 PID 2368 wrote to memory of 1672 2368 Oajndh32.exe 45 PID 2368 wrote to memory of 1672 2368 Oajndh32.exe 45 PID 2368 wrote to memory of 1672 2368 Oajndh32.exe 45 PID 2368 wrote to memory of 1672 2368 Oajndh32.exe 45 PID 1672 wrote to memory of 1160 1672 Objjnkie.exe 46 PID 1672 wrote to memory of 1160 1672 Objjnkie.exe 46 PID 1672 wrote to memory of 1160 1672 Objjnkie.exe 46 PID 1672 wrote to memory of 1160 1672 Objjnkie.exe 46
Processes
-
C:\Users\Admin\AppData\Local\Temp\eea22e3616b493ec4588387204f79770N.exe"C:\Users\Admin\AppData\Local\Temp\eea22e3616b493ec4588387204f79770N.exe"1⤵
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2208 -
C:\Windows\SysWOW64\Nkkmgncb.exeC:\Windows\system32\Nkkmgncb.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2068 -
C:\Windows\SysWOW64\Nqhepeai.exeC:\Windows\system32\Nqhepeai.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2956 -
C:\Windows\SysWOW64\Nmofdf32.exeC:\Windows\system32\Nmofdf32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2788 -
C:\Windows\SysWOW64\Ncinap32.exeC:\Windows\system32\Ncinap32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2428 -
C:\Windows\SysWOW64\Nmabjfek.exeC:\Windows\system32\Nmabjfek.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2564 -
C:\Windows\SysWOW64\Nppofado.exeC:\Windows\system32\Nppofado.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2844 -
C:\Windows\SysWOW64\Nihcog32.exeC:\Windows\system32\Nihcog32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2044 -
C:\Windows\SysWOW64\Nqokpd32.exeC:\Windows\system32\Nqokpd32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:756 -
C:\Windows\SysWOW64\Nmflee32.exeC:\Windows\system32\Nmflee32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1700 -
C:\Windows\SysWOW64\Obbdml32.exeC:\Windows\system32\Obbdml32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1900 -
C:\Windows\SysWOW64\Olkifaen.exeC:\Windows\system32\Olkifaen.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2292 -
C:\Windows\SysWOW64\Obeacl32.exeC:\Windows\system32\Obeacl32.exe13⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:288 -
C:\Windows\SysWOW64\Opialpld.exeC:\Windows\system32\Opialpld.exe14⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2240 -
C:\Windows\SysWOW64\Oajndh32.exeC:\Windows\system32\Oajndh32.exe15⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2368 -
C:\Windows\SysWOW64\Objjnkie.exeC:\Windows\system32\Objjnkie.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1672 -
C:\Windows\SysWOW64\Ohfcfb32.exeC:\Windows\system32\Ohfcfb32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1160 -
C:\Windows\SysWOW64\Omckoi32.exeC:\Windows\system32\Omckoi32.exe18⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1632 -
C:\Windows\SysWOW64\Odmckcmq.exeC:\Windows\system32\Odmckcmq.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:1816 -
C:\Windows\SysWOW64\Pnchhllf.exeC:\Windows\system32\Pnchhllf.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2404 -
C:\Windows\SysWOW64\Ppddpd32.exeC:\Windows\system32\Ppddpd32.exe21⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:588 -
C:\Windows\SysWOW64\Pjihmmbk.exeC:\Windows\system32\Pjihmmbk.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1444 -
C:\Windows\SysWOW64\Pacajg32.exeC:\Windows\system32\Pacajg32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:1988 -
C:\Windows\SysWOW64\Pbemboof.exeC:\Windows\system32\Pbemboof.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1924 -
C:\Windows\SysWOW64\Pioeoi32.exeC:\Windows\system32\Pioeoi32.exe25⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2616 -
C:\Windows\SysWOW64\Pbgjgomc.exeC:\Windows\system32\Pbgjgomc.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2320 -
C:\Windows\SysWOW64\Peefcjlg.exeC:\Windows\system32\Peefcjlg.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2840 -
C:\Windows\SysWOW64\Plpopddd.exeC:\Windows\system32\Plpopddd.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2648 -
C:\Windows\SysWOW64\Pehcij32.exeC:\Windows\system32\Pehcij32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2556 -
C:\Windows\SysWOW64\Ppmgfb32.exeC:\Windows\system32\Ppmgfb32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1676 -
C:\Windows\SysWOW64\Popgboae.exeC:\Windows\system32\Popgboae.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:3068 -
C:\Windows\SysWOW64\Qobdgo32.exeC:\Windows\system32\Qobdgo32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1604 -
C:\Windows\SysWOW64\Qaapcj32.exeC:\Windows\system32\Qaapcj32.exe33⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2728 -
C:\Windows\SysWOW64\Qkielpdf.exeC:\Windows\system32\Qkielpdf.exe34⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2752 -
C:\Windows\SysWOW64\Qoeamo32.exeC:\Windows\system32\Qoeamo32.exe35⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2960 -
C:\Windows\SysWOW64\Aacmij32.exeC:\Windows\system32\Aacmij32.exe36⤵
- Executes dropped EXE
PID:3044 -
C:\Windows\SysWOW64\Adaiee32.exeC:\Windows\system32\Adaiee32.exe37⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2172 -
C:\Windows\SysWOW64\Agpeaa32.exeC:\Windows\system32\Agpeaa32.exe38⤵
- Executes dropped EXE
PID:2748 -
C:\Windows\SysWOW64\Aklabp32.exeC:\Windows\system32\Aklabp32.exe39⤵
- Executes dropped EXE
PID:448 -
C:\Windows\SysWOW64\Anjnnk32.exeC:\Windows\system32\Anjnnk32.exe40⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1620 -
C:\Windows\SysWOW64\Aphjjf32.exeC:\Windows\system32\Aphjjf32.exe41⤵
- Executes dropped EXE
PID:2604 -
C:\Windows\SysWOW64\Ahpbkd32.exeC:\Windows\system32\Ahpbkd32.exe42⤵
- Executes dropped EXE
PID:1488 -
C:\Windows\SysWOW64\Aknngo32.exeC:\Windows\system32\Aknngo32.exe43⤵
- Executes dropped EXE
PID:2308 -
C:\Windows\SysWOW64\Aiaoclgl.exeC:\Windows\system32\Aiaoclgl.exe44⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:112 -
C:\Windows\SysWOW64\Aahfdihn.exeC:\Windows\system32\Aahfdihn.exe45⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1892 -
C:\Windows\SysWOW64\Adfbpega.exeC:\Windows\system32\Adfbpega.exe46⤵
- Executes dropped EXE
PID:2620 -
C:\Windows\SysWOW64\Ageompfe.exeC:\Windows\system32\Ageompfe.exe47⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2104 -
C:\Windows\SysWOW64\Ajckilei.exeC:\Windows\system32\Ajckilei.exe48⤵
- Executes dropped EXE
PID:2188 -
C:\Windows\SysWOW64\Alageg32.exeC:\Windows\system32\Alageg32.exe49⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2972 -
C:\Windows\SysWOW64\Adipfd32.exeC:\Windows\system32\Adipfd32.exe50⤵
- Executes dropped EXE
PID:2580 -
C:\Windows\SysWOW64\Agglbp32.exeC:\Windows\system32\Agglbp32.exe51⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2540 -
C:\Windows\SysWOW64\Ajehnk32.exeC:\Windows\system32\Ajehnk32.exe52⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2096 -
C:\Windows\SysWOW64\Anadojlo.exeC:\Windows\system32\Anadojlo.exe53⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2232 -
C:\Windows\SysWOW64\Alddjg32.exeC:\Windows\system32\Alddjg32.exe54⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2736 -
C:\Windows\SysWOW64\Aobpfb32.exeC:\Windows\system32\Aobpfb32.exe55⤵
- Executes dropped EXE
PID:1504 -
C:\Windows\SysWOW64\Afliclij.exeC:\Windows\system32\Afliclij.exe56⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1928 -
C:\Windows\SysWOW64\Ajhddk32.exeC:\Windows\system32\Ajhddk32.exe57⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:536 -
C:\Windows\SysWOW64\Bhkeohhn.exeC:\Windows\system32\Bhkeohhn.exe58⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2364 -
C:\Windows\SysWOW64\Bpbmqe32.exeC:\Windows\system32\Bpbmqe32.exe59⤵
- Executes dropped EXE
- Modifies registry class
PID:3004 -
C:\Windows\SysWOW64\Bcpimq32.exeC:\Windows\system32\Bcpimq32.exe60⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2116 -
C:\Windows\SysWOW64\Bfoeil32.exeC:\Windows\system32\Bfoeil32.exe61⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2756 -
C:\Windows\SysWOW64\Bjjaikoa.exeC:\Windows\system32\Bjjaikoa.exe62⤵
- Executes dropped EXE
PID:1056 -
C:\Windows\SysWOW64\Blinefnd.exeC:\Windows\system32\Blinefnd.exe63⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2276 -
C:\Windows\SysWOW64\Bogjaamh.exeC:\Windows\system32\Bogjaamh.exe64⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1660 -
C:\Windows\SysWOW64\Baefnmml.exeC:\Windows\system32\Baefnmml.exe65⤵
- Executes dropped EXE
PID:1724 -
C:\Windows\SysWOW64\Bddbjhlp.exeC:\Windows\system32\Bddbjhlp.exe66⤵PID:2228
-
C:\Windows\SysWOW64\Blkjkflb.exeC:\Windows\system32\Blkjkflb.exe67⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1832 -
C:\Windows\SysWOW64\Bknjfb32.exeC:\Windows\system32\Bknjfb32.exe68⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2720 -
C:\Windows\SysWOW64\Bnlgbnbp.exeC:\Windows\system32\Bnlgbnbp.exe69⤵PID:1720
-
C:\Windows\SysWOW64\Bfcodkcb.exeC:\Windows\system32\Bfcodkcb.exe70⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2696 -
C:\Windows\SysWOW64\Bhbkpgbf.exeC:\Windows\system32\Bhbkpgbf.exe71⤵
- System Location Discovery: System Language Discovery
PID:2548 -
C:\Windows\SysWOW64\Bgdkkc32.exeC:\Windows\system32\Bgdkkc32.exe72⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2768 -
C:\Windows\SysWOW64\Bolcma32.exeC:\Windows\system32\Bolcma32.exe73⤵PID:1128
-
C:\Windows\SysWOW64\Bqmpdioa.exeC:\Windows\system32\Bqmpdioa.exe74⤵PID:1072
-
C:\Windows\SysWOW64\Bdhleh32.exeC:\Windows\system32\Bdhleh32.exe75⤵PID:576
-
C:\Windows\SysWOW64\Bgghac32.exeC:\Windows\system32\Bgghac32.exe76⤵PID:2576
-
C:\Windows\SysWOW64\Bjedmo32.exeC:\Windows\system32\Bjedmo32.exe77⤵
- Drops file in System32 directory
PID:2520 -
C:\Windows\SysWOW64\Bbllnlfd.exeC:\Windows\system32\Bbllnlfd.exe78⤵
- Drops file in System32 directory
- Modifies registry class
PID:2636 -
C:\Windows\SysWOW64\Bdkhjgeh.exeC:\Windows\system32\Bdkhjgeh.exe79⤵
- Drops file in System32 directory
- Modifies registry class
PID:2092 -
C:\Windows\SysWOW64\Cgidfcdk.exeC:\Windows\system32\Cgidfcdk.exe80⤵
- Modifies registry class
PID:2304 -
C:\Windows\SysWOW64\Ckeqga32.exeC:\Windows\system32\Ckeqga32.exe81⤵PID:1484
-
C:\Windows\SysWOW64\Cdmepgce.exeC:\Windows\system32\Cdmepgce.exe82⤵
- Modifies registry class
PID:2268 -
C:\Windows\SysWOW64\Ccpeld32.exeC:\Windows\system32\Ccpeld32.exe83⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:1908 -
C:\Windows\SysWOW64\Cjjnhnbl.exeC:\Windows\system32\Cjjnhnbl.exe84⤵PID:1688
-
C:\Windows\SysWOW64\Cmhjdiap.exeC:\Windows\system32\Cmhjdiap.exe85⤵PID:1644
-
C:\Windows\SysWOW64\Cogfqe32.exeC:\Windows\system32\Cogfqe32.exe86⤵
- Drops file in System32 directory
PID:2532 -
C:\Windows\SysWOW64\Ccbbachm.exeC:\Windows\system32\Ccbbachm.exe87⤵
- System Location Discovery: System Language Discovery
PID:1600 -
C:\Windows\SysWOW64\Cfanmogq.exeC:\Windows\system32\Cfanmogq.exe88⤵PID:3056
-
C:\Windows\SysWOW64\Cjljnn32.exeC:\Windows\system32\Cjljnn32.exe89⤵PID:1668
-
C:\Windows\SysWOW64\Cqfbjhgf.exeC:\Windows\system32\Cqfbjhgf.exe90⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1384 -
C:\Windows\SysWOW64\Cceogcfj.exeC:\Windows\system32\Cceogcfj.exe91⤵PID:2940
-
C:\Windows\SysWOW64\Cfckcoen.exeC:\Windows\system32\Cfckcoen.exe92⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:2984 -
C:\Windows\SysWOW64\Ciagojda.exeC:\Windows\system32\Ciagojda.exe93⤵PID:1880
-
C:\Windows\SysWOW64\Ckpckece.exeC:\Windows\system32\Ckpckece.exe94⤵
- Modifies registry class
PID:2496 -
C:\Windows\SysWOW64\Colpld32.exeC:\Windows\system32\Colpld32.exe95⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:1052 -
C:\Windows\SysWOW64\Cbjlhpkb.exeC:\Windows\system32\Cbjlhpkb.exe96⤵
- Modifies registry class
PID:1540 -
C:\Windows\SysWOW64\Cehhdkjf.exeC:\Windows\system32\Cehhdkjf.exe97⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2480 -
C:\Windows\SysWOW64\Cidddj32.exeC:\Windows\system32\Cidddj32.exe98⤵
- Drops file in System32 directory
- Modifies registry class
PID:2316 -
C:\Windows\SysWOW64\Ckbpqe32.exeC:\Windows\system32\Ckbpqe32.exe99⤵PID:2688
-
C:\Windows\SysWOW64\Dnqlmq32.exeC:\Windows\system32\Dnqlmq32.exe100⤵PID:3052
-
C:\Windows\SysWOW64\Dfhdnn32.exeC:\Windows\system32\Dfhdnn32.exe101⤵PID:1708
-
C:\Windows\SysWOW64\Difqji32.exeC:\Windows\system32\Difqji32.exe102⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1636 -
C:\Windows\SysWOW64\Dgiaefgg.exeC:\Windows\system32\Dgiaefgg.exe103⤵
- System Location Discovery: System Language Discovery
PID:3048 -
C:\Windows\SysWOW64\Dppigchi.exeC:\Windows\system32\Dppigchi.exe104⤵PID:2360
-
C:\Windows\SysWOW64\Dboeco32.exeC:\Windows\system32\Dboeco32.exe105⤵
- Drops file in System32 directory
PID:2128 -
C:\Windows\SysWOW64\Demaoj32.exeC:\Windows\system32\Demaoj32.exe106⤵PID:344
-
C:\Windows\SysWOW64\Dgknkf32.exeC:\Windows\system32\Dgknkf32.exe107⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:1356 -
C:\Windows\SysWOW64\Dlgjldnm.exeC:\Windows\system32\Dlgjldnm.exe108⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1944 -
C:\Windows\SysWOW64\Dnefhpma.exeC:\Windows\system32\Dnefhpma.exe109⤵PID:2348
-
C:\Windows\SysWOW64\Dbabho32.exeC:\Windows\system32\Dbabho32.exe110⤵
- System Location Discovery: System Language Discovery
PID:2080 -
C:\Windows\SysWOW64\Deondj32.exeC:\Windows\system32\Deondj32.exe111⤵
- Drops file in System32 directory
PID:2800 -
C:\Windows\SysWOW64\Dgnjqe32.exeC:\Windows\system32\Dgnjqe32.exe112⤵
- Drops file in System32 directory
PID:3064 -
C:\Windows\SysWOW64\Dnhbmpkn.exeC:\Windows\system32\Dnhbmpkn.exe113⤵PID:1512
-
C:\Windows\SysWOW64\Dmkcil32.exeC:\Windows\system32\Dmkcil32.exe114⤵PID:580
-
C:\Windows\SysWOW64\Dafoikjb.exeC:\Windows\system32\Dafoikjb.exe115⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:2124 -
C:\Windows\SysWOW64\Dhpgfeao.exeC:\Windows\system32\Dhpgfeao.exe116⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2832 -
C:\Windows\SysWOW64\Dfcgbb32.exeC:\Windows\system32\Dfcgbb32.exe117⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:1104 -
C:\Windows\SysWOW64\Djocbqpb.exeC:\Windows\system32\Djocbqpb.exe118⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2200 -
C:\Windows\SysWOW64\Dahkok32.exeC:\Windows\system32\Dahkok32.exe119⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2324 -
C:\Windows\SysWOW64\Dcghkf32.exeC:\Windows\system32\Dcghkf32.exe120⤵
- Modifies registry class
PID:2668 -
C:\Windows\SysWOW64\Efedga32.exeC:\Windows\system32\Efedga32.exe121⤵
- System Location Discovery: System Language Discovery
PID:2608
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-