Analysis

max time kernel: 118s
max time network: 119s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 09/09/2024, 22:44

Static task: static1

Behavioral task: behavioral1
Sample: c890759fc1a71045b030829e88e9a070N.exe
Resource: win7-20240903-en

Behavioral task: behavioral2
Sample: c890759fc1a71045b030829e88e9a070N.exe
Resource: win10v2004-20240802-en
General

Target: c890759fc1a71045b030829e88e9a070N.exe
Size: 120KB
MD5: c890759fc1a71045b030829e88e9a070
SHA1: cfcb9277ef880a1ec8bcfeea20ca523aaddda4b3
SHA256: 054aa9df1c4881ce8e6aa16af1f0b0509faf5ecc0c89d4b73e4557280c0c31b9
SHA512: 19ae853d8e8ab884ee8b4c55fda174c9926b461f59fd2939b88e90fc478d7626f13ac6ed937900222e64da82457ca00a818a9cf2ce682d6d948de30e98fcfe07
SSDEEP: 3072:hyLZw9Wc1DPNJULbygDeL203H/6TC+qF1SsB1bw4AVRrd9:MfcjIqL9C81NBy9
Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
Executes dropped EXE 64 IoCs
Loads dropped DLL 64 IoCs
Drops file in System32 directory 64 IoCs
Program crash 1 IoCs
pid: 9388, pid_target: 9360, Process: WerFault.exe, procid_target: 1021
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
Modifies registry class 64 IoCs
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target
PID 2548 wrote to memory of 1376 2548 c890759fc1a71045b030829e88e9a070N.exe 30
PID 2548 wrote to memory of 1376 2548 c890759fc1a71045b030829e88e9a070N.exe 30
PID 2548 wrote to memory of 1376 2548 c890759fc1a71045b030829e88e9a070N.exe 30
PID 2548 wrote to memory of 1376 2548 c890759fc1a71045b030829e88e9a070N.exe 30
PID 1376 wrote to memory of 2100 1376 Ohojmjep.exe 31
PID 1376 wrote to memory of 2100 1376 Ohojmjep.exe 31
PID 1376 wrote to memory of 2100 1376 Ohojmjep.exe 31
PID 1376 wrote to memory of 2100 1376 Ohojmjep.exe 31
PID 2100 wrote to memory of 332 2100 Obdojcef.exe 32
PID 2100 wrote to memory of 332 2100 Obdojcef.exe 32
PID 2100 wrote to memory of 332 2100 Obdojcef.exe 32
PID 2100 wrote to memory of 332 2100 Obdojcef.exe 32
PID 332 wrote to memory of 2804 332 Oagoep32.exe 33
PID 332 wrote to memory of 2804 332 Oagoep32.exe 33
PID 332 wrote to memory of 2804 332 Oagoep32.exe 33
PID 332 wrote to memory of 2804 332 Oagoep32.exe 33
PID 2804 wrote to memory of 2480 2804 Ookpodkj.exe 34
PID 2804 wrote to memory of 2480 2804 Ookpodkj.exe 34
PID 2804 wrote to memory of 2480 2804 Ookpodkj.exe 34
PID 2804 wrote to memory of 2480 2804 Ookpodkj.exe 34
PID 2480 wrote to memory of 1880 2480 Oeehln32.exe 35
PID 2480 wrote to memory of 1880 2480 Oeehln32.exe 35
PID 2480 wrote to memory of 1880 2480 Oeehln32.exe 35
PID 2480 wrote to memory of 1880 2480 Oeehln32.exe 35
PID 1880 wrote to memory of 2608 1880 Omqlpp32.exe 36
PID 1880 wrote to memory of 2608 1880 Omqlpp32.exe 36
PID 1880 wrote to memory of 2608 1880 Omqlpp32.exe 36
PID 1880 wrote to memory of 2608 1880 Omqlpp32.exe 36
PID 2608 wrote to memory of 1508 2608 Odjdmjgo.exe 37
PID 2608 wrote to memory of 1508 2608 Odjdmjgo.exe 37
PID 2608 wrote to memory of 1508 2608 Odjdmjgo.exe 37
PID 2608 wrote to memory of 1508 2608 Odjdmjgo.exe 37
PID 1508 wrote to memory of 1392 1508 Oanefo32.exe 38
PID 1508 wrote to memory of 1392 1508 Oanefo32.exe 38
PID 1508 wrote to memory of 1392 1508 Oanefo32.exe 38
PID 1508 wrote to memory of 1392 1508 Oanefo32.exe 38
PID 1392 wrote to memory of 2696 1392 Opaebkmc.exe 39
PID 1392 wrote to memory of 2696 1392 Opaebkmc.exe 39
PID 1392 wrote to memory of 2696 1392 Opaebkmc.exe 39
PID 1392 wrote to memory of 2696 1392 Opaebkmc.exe 39
PID 2696 wrote to memory of 1452 2696 Okgjodmi.exe 40
PID 2696 wrote to memory of 1452 2696 Okgjodmi.exe 40
PID 2696 wrote to memory of 1452 2696 Okgjodmi.exe 40
PID 2696 wrote to memory of 1452 2696 Okgjodmi.exe 40
PID 1452 wrote to memory of 2656 1452 Oaqbln32.exe 41
PID 1452 wrote to memory of 2656 1452 Oaqbln32.exe 41
PID 1452 wrote to memory of 2656 1452 Oaqbln32.exe 41
PID 1452 wrote to memory of 2656 1452 Oaqbln32.exe 41
PID 2656 wrote to memory of 1964 2656 Pmgbao32.exe 42
PID 2656 wrote to memory of 1964 2656 Pmgbao32.exe 42
PID 2656 wrote to memory of 1964 2656 Pmgbao32.exe 42
PID 2656 wrote to memory of 1964 2656 Pmgbao32.exe 42
PID 1964 wrote to memory of 2912 1964 Pgpgjepk.exe 43
PID 1964 wrote to memory of 2912 1964 Pgpgjepk.exe 43
PID 1964 wrote to memory of 2912 1964 Pgpgjepk.exe 43
PID 1964 wrote to memory of 2912 1964 Pgpgjepk.exe 43
PID 2912 wrote to memory of 2168 2912 Pecgea32.exe 44
PID 2912 wrote to memory of 2168 2912 Pecgea32.exe 44
PID 2912 wrote to memory of 2168 2912 Pecgea32.exe 44
PID 2912 wrote to memory of 2168 2912 Pecgea32.exe 44
PID 2168 wrote to memory of 2976 2168 Plmpblnb.exe 45
PID 2168 wrote to memory of 2976 2168 Plmpblnb.exe 45
PID 2168 wrote to memory of 2976 2168 Plmpblnb.exe 45
PID 2168 wrote to memory of 2976 2168 Plmpblnb.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\c890759fc1a71045b030829e88e9a070N.exe"C:\Users\Admin\AppData\Local\Temp\c890759fc1a71045b030829e88e9a070N.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2548 -
C:\Windows\SysWOW64\Ohojmjep.exeC:\Windows\system32\Ohojmjep.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1376 -
C:\Windows\SysWOW64\Obdojcef.exeC:\Windows\system32\Obdojcef.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2100 -
C:\Windows\SysWOW64\Oagoep32.exeC:\Windows\system32\Oagoep32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:332 -
C:\Windows\SysWOW64\Ookpodkj.exeC:\Windows\system32\Ookpodkj.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2804 -
C:\Windows\SysWOW64\Oeehln32.exeC:\Windows\system32\Oeehln32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2480 -
C:\Windows\SysWOW64\Omqlpp32.exeC:\Windows\system32\Omqlpp32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1880 -
C:\Windows\SysWOW64\Odjdmjgo.exeC:\Windows\system32\Odjdmjgo.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2608 -
C:\Windows\SysWOW64\Oanefo32.exeC:\Windows\system32\Oanefo32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1508 -
C:\Windows\SysWOW64\Opaebkmc.exeC:\Windows\system32\Opaebkmc.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1392 -
C:\Windows\SysWOW64\Okgjodmi.exeC:\Windows\system32\Okgjodmi.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2696 -
C:\Windows\SysWOW64\Oaqbln32.exeC:\Windows\system32\Oaqbln32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1452 -
C:\Windows\SysWOW64\Pmgbao32.exeC:\Windows\system32\Pmgbao32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2656 -
C:\Windows\SysWOW64\Pgpgjepk.exeC:\Windows\system32\Pgpgjepk.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1964 -
C:\Windows\SysWOW64\Pecgea32.exeC:\Windows\system32\Pecgea32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2912 -
C:\Windows\SysWOW64\Plmpblnb.exeC:\Windows\system32\Plmpblnb.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2168 -
C:\Windows\SysWOW64\Peedka32.exeC:\Windows\system32\Peedka32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2976 -
C:\Windows\SysWOW64\Plolgk32.exeC:\Windows\system32\Plolgk32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3028 -
C:\Windows\SysWOW64\Palepb32.exeC:\Windows\system32\Palepb32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1244 -
C:\Windows\SysWOW64\Pjcmap32.exeC:\Windows\system32\Pjcmap32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1668 -
C:\Windows\SysWOW64\Panaeb32.exeC:\Windows\system32\Panaeb32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1980 -
C:\Windows\SysWOW64\Pejmfqan.exeC:\Windows\system32\Pejmfqan.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1992 -
C:\Windows\SysWOW64\Qobbofgn.exeC:\Windows\system32\Qobbofgn.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1528 -
C:\Windows\SysWOW64\Qnebjc32.exeC:\Windows\system32\Qnebjc32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1628 -
C:\Windows\SysWOW64\Qkibcg32.exeC:\Windows\system32\Qkibcg32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1900 -
C:\Windows\SysWOW64\Qododfek.exeC:\Windows\system32\Qododfek.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3036 -
C:\Windows\SysWOW64\Qackpado.exeC:\Windows\system32\Qackpado.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2160 -
C:\Windows\SysWOW64\Agpcihcf.exeC:\Windows\system32\Agpcihcf.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2304 -
C:\Windows\SysWOW64\Agbpnh32.exeC:\Windows\system32\Agbpnh32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1068 -
C:\Windows\SysWOW64\Aknlofim.exeC:\Windows\system32\Aknlofim.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2820 -
C:\Windows\SysWOW64\Aciqcifh.exeC:\Windows\system32\Aciqcifh.exe31⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2852 -
C:\Windows\SysWOW64\Afgmodel.exeC:\Windows\system32\Afgmodel.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2712 -
C:\Windows\SysWOW64\Anneqafn.exeC:\Windows\system32\Anneqafn.exe33⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2592 -
C:\Windows\SysWOW64\Aopahjll.exeC:\Windows\system32\Aopahjll.exe34⤵
- Executes dropped EXE
PID:2660 -
C:\Windows\SysWOW64\Aihfap32.exeC:\Windows\system32\Aihfap32.exe35⤵
- Executes dropped EXE
PID:1636 -
C:\Windows\SysWOW64\Aqonbm32.exeC:\Windows\system32\Aqonbm32.exe36⤵
- Executes dropped EXE
PID:2584 -
C:\Windows\SysWOW64\Aijbfo32.exeC:\Windows\system32\Aijbfo32.exe37⤵
- Executes dropped EXE
PID:1208 -
C:\Windows\SysWOW64\Akiobk32.exeC:\Windows\system32\Akiobk32.exe38⤵
- Executes dropped EXE
PID:2044 -
C:\Windows\SysWOW64\Bcpgdhpp.exeC:\Windows\system32\Bcpgdhpp.exe39⤵
- Executes dropped EXE
PID:1944 -
C:\Windows\SysWOW64\Beackp32.exeC:\Windows\system32\Beackp32.exe40⤵
- Executes dropped EXE
PID:2684 -
C:\Windows\SysWOW64\Bgblmk32.exeC:\Windows\system32\Bgblmk32.exe41⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2636 -
C:\Windows\SysWOW64\Boidnh32.exeC:\Windows\system32\Boidnh32.exe42⤵
- Executes dropped EXE
PID:2300 -
C:\Windows\SysWOW64\Bbgqjdce.exeC:\Windows\system32\Bbgqjdce.exe43⤵
- Executes dropped EXE
PID:552 -
C:\Windows\SysWOW64\Befmfpbi.exeC:\Windows\system32\Befmfpbi.exe44⤵
- Executes dropped EXE
PID:2580 -
C:\Windows\SysWOW64\Bjbeofpp.exeC:\Windows\system32\Bjbeofpp.exe45⤵
- Executes dropped EXE
PID:1956 -
C:\Windows\SysWOW64\Bbjmpcab.exeC:\Windows\system32\Bbjmpcab.exe46⤵
- Executes dropped EXE
PID:628 -
C:\Windows\SysWOW64\Bammlq32.exeC:\Windows\system32\Bammlq32.exe47⤵
- Executes dropped EXE
PID:692 -
C:\Windows\SysWOW64\Bgffhkoj.exeC:\Windows\system32\Bgffhkoj.exe48⤵
- Executes dropped EXE
PID:1132 -
C:\Windows\SysWOW64\Bjebdfnn.exeC:\Windows\system32\Bjebdfnn.exe49⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:704 -
C:\Windows\SysWOW64\Bmcnqama.exeC:\Windows\system32\Bmcnqama.exe50⤵
- Executes dropped EXE
PID:1908 -
C:\Windows\SysWOW64\Bejfao32.exeC:\Windows\system32\Bejfao32.exe51⤵
- Executes dropped EXE
PID:2064 -
C:\Windows\SysWOW64\Bcmfmlen.exeC:\Windows\system32\Bcmfmlen.exe52⤵
- Executes dropped EXE
PID:2400 -
C:\Windows\SysWOW64\Bflbigdb.exeC:\Windows\system32\Bflbigdb.exe53⤵
- Executes dropped EXE
PID:2688 -
C:\Windows\SysWOW64\Cnckjddd.exeC:\Windows\system32\Cnckjddd.exe54⤵
- Executes dropped EXE
PID:2316 -
C:\Windows\SysWOW64\Cmfkfa32.exeC:\Windows\system32\Cmfkfa32.exe55⤵
- Executes dropped EXE
PID:2800 -
C:\Windows\SysWOW64\Cpdgbm32.exeC:\Windows\system32\Cpdgbm32.exe56⤵
- Executes dropped EXE
PID:2620 -
C:\Windows\SysWOW64\Cgkocj32.exeC:\Windows\system32\Cgkocj32.exe57⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2616 -
C:\Windows\SysWOW64\Cjjkpe32.exeC:\Windows\system32\Cjjkpe32.exe58⤵
- Executes dropped EXE
PID:2664 -
C:\Windows\SysWOW64\Cillkbac.exeC:\Windows\system32\Cillkbac.exe59⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2184 -
C:\Windows\SysWOW64\Cacclpae.exeC:\Windows\system32\Cacclpae.exe60⤵
- Executes dropped EXE
- Modifies registry class
PID:868 -
C:\Windows\SysWOW64\Cpfdhl32.exeC:\Windows\system32\Cpfdhl32.exe61⤵
- Executes dropped EXE
PID:1056 -
C:\Windows\SysWOW64\Cbepdhgc.exeC:\Windows\system32\Cbepdhgc.exe62⤵
- Executes dropped EXE
PID:1968 -
C:\Windows\SysWOW64\Cfpldf32.exeC:\Windows\system32\Cfpldf32.exe63⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2828 -
C:\Windows\SysWOW64\Ciohqa32.exeC:\Windows\system32\Ciohqa32.exe64⤵
- Executes dropped EXE
PID:2216 -
C:\Windows\SysWOW64\Cpiqmlfm.exeC:\Windows\system32\Cpiqmlfm.exe65⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:944 -
C:\Windows\SysWOW64\Ccdmnj32.exeC:\Windows\system32\Ccdmnj32.exe66⤵
- Modifies registry class
PID:1984 -
C:\Windows\SysWOW64\Cfcijf32.exeC:\Windows\system32\Cfcijf32.exe67⤵
- Modifies registry class
PID:2308 -
C:\Windows\SysWOW64\Ciaefa32.exeC:\Windows\system32\Ciaefa32.exe68⤵PID:1916
-
C:\Windows\SysWOW64\Cmmagpef.exeC:\Windows\system32\Cmmagpef.exe69⤵PID:2056
-
C:\Windows\SysWOW64\Cnnnnh32.exeC:\Windows\system32\Cnnnnh32.exe70⤵
- Drops file in System32 directory
PID:2208 -
C:\Windows\SysWOW64\Cbiiog32.exeC:\Windows\system32\Cbiiog32.exe71⤵PID:2752
-
C:\Windows\SysWOW64\Cehfkb32.exeC:\Windows\system32\Cehfkb32.exe72⤵PID:2848
-
C:\Windows\SysWOW64\Cicalakk.exeC:\Windows\system32\Cicalakk.exe73⤵PID:2728
-
C:\Windows\SysWOW64\Clbnhmjo.exeC:\Windows\system32\Clbnhmjo.exe74⤵PID:2628
-
C:\Windows\SysWOW64\Copjdhib.exeC:\Windows\system32\Copjdhib.exe75⤵PID:1492
-
C:\Windows\SysWOW64\Daofpchf.exeC:\Windows\system32\Daofpchf.exe76⤵PID:872
-
C:\Windows\SysWOW64\Dejbqb32.exeC:\Windows\system32\Dejbqb32.exe77⤵
- System Location Discovery: System Language Discovery
PID:2028 -
C:\Windows\SysWOW64\Difnaqih.exeC:\Windows\system32\Difnaqih.exe78⤵PID:2932
-
C:\Windows\SysWOW64\Dldkmlhl.exeC:\Windows\system32\Dldkmlhl.exe79⤵PID:2844
-
C:\Windows\SysWOW64\Dobgihgp.exeC:\Windows\system32\Dobgihgp.exe80⤵PID:288
-
C:\Windows\SysWOW64\Daacecfc.exeC:\Windows\system32\Daacecfc.exe81⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:3020 -
C:\Windows\SysWOW64\Ddpobo32.exeC:\Windows\system32\Ddpobo32.exe82⤵
- Drops file in System32 directory
PID:1020 -
C:\Windows\SysWOW64\Dkigoimd.exeC:\Windows\system32\Dkigoimd.exe83⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:848 -
C:\Windows\SysWOW64\Dmhdkdlg.exeC:\Windows\system32\Dmhdkdlg.exe84⤵PID:820
-
C:\Windows\SysWOW64\Dacpkc32.exeC:\Windows\system32\Dacpkc32.exe85⤵PID:1624
-
C:\Windows\SysWOW64\Ddblgn32.exeC:\Windows\system32\Ddblgn32.exe86⤵PID:2312
-
C:\Windows\SysWOW64\Ddblgn32.exeC:\Windows\system32\Ddblgn32.exe87⤵PID:2528
-
C:\Windows\SysWOW64\Dfphcj32.exeC:\Windows\system32\Dfphcj32.exe88⤵PID:1040
-
C:\Windows\SysWOW64\Dklddhka.exeC:\Windows\system32\Dklddhka.exe89⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1584 -
C:\Windows\SysWOW64\Dmjqpdje.exeC:\Windows\system32\Dmjqpdje.exe90⤵PID:2720
-
C:\Windows\SysWOW64\Dphmloih.exeC:\Windows\system32\Dphmloih.exe91⤵PID:2476
-
C:\Windows\SysWOW64\Dhpemm32.exeC:\Windows\system32\Dhpemm32.exe92⤵PID:3004
-
C:\Windows\SysWOW64\Dgbeiiqe.exeC:\Windows\system32\Dgbeiiqe.exe93⤵PID:2040
-
C:\Windows\SysWOW64\Diaaeepi.exeC:\Windows\system32\Diaaeepi.exe94⤵
- System Location Discovery: System Language Discovery
PID:1784 -
C:\Windows\SysWOW64\Dmmmfc32.exeC:\Windows\system32\Dmmmfc32.exe95⤵PID:1912
-
C:\Windows\SysWOW64\Dpkibo32.exeC:\Windows\system32\Dpkibo32.exe96⤵PID:1652
-
C:\Windows\SysWOW64\Ddfebnoo.exeC:\Windows\system32\Ddfebnoo.exe97⤵PID:2576
-
C:\Windows\SysWOW64\Dbifnj32.exeC:\Windows\system32\Dbifnj32.exe98⤵PID:2036
-
C:\Windows\SysWOW64\Dkqnoh32.exeC:\Windows\system32\Dkqnoh32.exe99⤵
- System Location Discovery: System Language Discovery
PID:2320 -
C:\Windows\SysWOW64\Dicnkdnf.exeC:\Windows\system32\Dicnkdnf.exe100⤵PID:1748
-
C:\Windows\SysWOW64\Dmojkc32.exeC:\Windows\system32\Dmojkc32.exe101⤵PID:1556
-
C:\Windows\SysWOW64\Elajgpmj.exeC:\Windows\system32\Elajgpmj.exe102⤵PID:3012
-
C:\Windows\SysWOW64\Edibhmml.exeC:\Windows\system32\Edibhmml.exe103⤵PID:2868
-
C:\Windows\SysWOW64\Eclbcj32.exeC:\Windows\system32\Eclbcj32.exe104⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:812 -
C:\Windows\SysWOW64\Eggndi32.exeC:\Windows\system32\Eggndi32.exe105⤵PID:1736
-
C:\Windows\SysWOW64\Eiekpd32.exeC:\Windows\system32\Eiekpd32.exe106⤵PID:2944
-
C:\Windows\SysWOW64\Eppcmncq.exeC:\Windows\system32\Eppcmncq.exe107⤵PID:1152
-
C:\Windows\SysWOW64\Ecnoijbd.exeC:\Windows\system32\Ecnoijbd.exe108⤵PID:2432
-
C:\Windows\SysWOW64\Egikjh32.exeC:\Windows\system32\Egikjh32.exe109⤵
- Drops file in System32 directory
PID:1804 -
C:\Windows\SysWOW64\Eelkeeah.exeC:\Windows\system32\Eelkeeah.exe110⤵
- System Location Discovery: System Language Discovery
PID:3044 -
C:\Windows\SysWOW64\Ehkhaqpk.exeC:\Windows\system32\Ehkhaqpk.exe111⤵PID:2544
-
C:\Windows\SysWOW64\Eoepnk32.exeC:\Windows\system32\Eoepnk32.exe112⤵PID:2104
-
C:\Windows\SysWOW64\Ecploipa.exeC:\Windows\system32\Ecploipa.exe113⤵
- Modifies registry class
PID:1904 -
C:\Windows\SysWOW64\Eijdkcgn.exeC:\Windows\system32\Eijdkcgn.exe114⤵PID:2904
-
C:\Windows\SysWOW64\Ehmdgp32.exeC:\Windows\system32\Ehmdgp32.exe115⤵
- Drops file in System32 directory
PID:636 -
C:\Windows\SysWOW64\Eklqcl32.exeC:\Windows\system32\Eklqcl32.exe116⤵PID:904
-
C:\Windows\SysWOW64\Ecbhdi32.exeC:\Windows\system32\Ecbhdi32.exe117⤵PID:1252
-
C:\Windows\SysWOW64\Eaeipfei.exeC:\Windows\system32\Eaeipfei.exe118⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1988 -
C:\Windows\SysWOW64\Eddeladm.exeC:\Windows\system32\Eddeladm.exe119⤵PID:2968
-
C:\Windows\SysWOW64\Ehpalp32.exeC:\Windows\system32\Ehpalp32.exe120⤵
- Modifies registry class
PID:448 -
C:\Windows\SysWOW64\Eknmhk32.exeC:\Windows\system32\Eknmhk32.exe121⤵PID:844
-
C:\Windows\SysWOW64\Eoiiijcc.exeC:\Windows\system32\Eoiiijcc.exe122⤵PID:2020