Analysis
-
max time kernel
105s -
max time network
19s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
11-09-2024 13:48
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
ea3df99684b295cdf5803931b1e986b8eabc743b4db0739a3ff5c58522bb4228.exe
Resource
win7-20240903-en
windows7-x64
8 signatures
150 seconds
Behavioral task
behavioral2
Sample
ea3df99684b295cdf5803931b1e986b8eabc743b4db0739a3ff5c58522bb4228.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
7 signatures
150 seconds
General
-
Target
ea3df99684b295cdf5803931b1e986b8eabc743b4db0739a3ff5c58522bb4228.exe
-
Size
93KB
-
MD5
a6e9df6039e79613bb0f219c0875741c
-
SHA1
24226753bb26150ac4f9c38c29af139e803b963e
-
SHA256
ea3df99684b295cdf5803931b1e986b8eabc743b4db0739a3ff5c58522bb4228
-
SHA512
86e8046713a3008781d2be2bf901eb5993e043c0d3fe20a6df565b4ea83d088b4ec9e8bf3d10913cd220f88c93d6a09db9e9e8459dc364b8e0abfcfe991e5ef8
-
SSDEEP
1536:+NuRm0FjLs3bEzeZnBvhUYVJRU2kWU7I1ahmY95vsaMiwihtIbbpkp:+Em0hLs3bEz2nBvTTRZkWU7rhmG5vdM4
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dmaoem32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nhbpbi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Choejien.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kiepca32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ajhkka32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hmeaaboe.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bmcpfj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Palincli.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ejjhlmqa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gmejdm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nhbnjpic.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Emogdk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Geehcoaf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hkqgkcpp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cpoeac32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bhfjid32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fjbdmbmb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Paojeafn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Idhplaoe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ifkecl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bmgfoi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Enokidgl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nffenj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ffahgn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lhjjle32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pifcdbhi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eoefea32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bmgfoi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nbckeb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qcdinbdk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cigijhne.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nkhkbmco.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mhippbem.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gpdhiaoi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Goohckob.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kgahcn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jjocaaoh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kfqpmc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nchkjhdh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Opbnbj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fdnabo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Eacnpoqi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lncodf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nnjnbl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cgklma32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kqncnjan.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jpgaohej.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Olijen32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ooaflp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jjjohbgl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jahieboa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nbckeb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lnklol32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Odkkdqmd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dbihccpg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Qofjmnji.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pmimpf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fjnkac32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Eddlcgjb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mphfji32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qohkdkdn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fnglekch.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Haggkf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oogdiqki.exe -
Executes dropped EXE 64 IoCs
pid Process 1804 Cbcdjpba.exe 2856 Dmobpn32.exe 2756 Dmaoem32.exe 2776 Djfooa32.exe 2700 Diklpn32.exe 3048 Eeameodq.exe 1276 Efaiobkc.exe 1708 Enokidgl.exe 2544 Eckcak32.exe 2044 Efllcf32.exe 2832 Fdpmljan.exe 1792 Fdbibjok.exe 1444 Fefboabg.exe 2352 Fehodaqd.exe 2168 Foacmg32.exe 2496 Ghlell32.exe 2608 Ggqamh32.exe 2724 Gaffja32.exe 1936 Ghpngkhm.exe 1540 Gnocdb32.exe 2484 Hcllmi32.exe 1984 Hemeod32.exe 388 Hoeigi32.exe 3020 Hfanjcke.exe 2480 Hojbbiae.exe 2156 Hdgkkppm.exe 2784 Ihedan32.exe 2968 Idkdfo32.exe 2956 Ifoncgpc.exe 2692 Iogbllfc.exe 2632 Iojoalda.exe 2620 Jkcllmhb.exe 2272 Jigmeagl.exe 2120 Jboanfmm.exe 2372 Jbandfkj.exe 2060 Jccjln32.exe 1996 Kmkodd32.exe 2408 Kgqcam32.exe 1972 Lpekln32.exe 2324 Lkolmk32.exe 1740 Ldgpea32.exe 2076 Lomdcj32.exe 1156 Lkcehkeh.exe 2536 Lmdnjf32.exe 1724 Mkhocj32.exe 2532 Mmigdend.exe 1748 Mgalnk32.exe 1988 Mpjqfpke.exe 2116 Mheekb32.exe 2080 Mamjchoa.exe 2988 Nkfnln32.exe 2848 Ndnbeclb.exe 2880 Nkhkbmco.exe 2904 Nabcog32.exe 2712 Nkjggmal.exe 2040 Nnidchqp.exe 2980 Ngahmngp.exe 3040 Nqjmec32.exe 2736 Nffenj32.exe 2416 Nlpmjdce.exe 852 Ojdndi32.exe 2472 Ooaflp32.exe 2220 Ojgkih32.exe 1108 Ocoobngl.exe -
Loads dropped DLL 64 IoCs
pid Process 2160 ea3df99684b295cdf5803931b1e986b8eabc743b4db0739a3ff5c58522bb4228.exe 2160 ea3df99684b295cdf5803931b1e986b8eabc743b4db0739a3ff5c58522bb4228.exe 1804 Cbcdjpba.exe 1804 Cbcdjpba.exe 2856 Dmobpn32.exe 2856 Dmobpn32.exe 2756 Dmaoem32.exe 2756 Dmaoem32.exe 2776 Djfooa32.exe 2776 Djfooa32.exe 2700 Diklpn32.exe 2700 Diklpn32.exe 3048 Eeameodq.exe 3048 Eeameodq.exe 1276 Efaiobkc.exe 1276 Efaiobkc.exe 1708 Enokidgl.exe 1708 Enokidgl.exe 2544 Eckcak32.exe 2544 Eckcak32.exe 2044 Efllcf32.exe 2044 Efllcf32.exe 2832 Fdpmljan.exe 2832 Fdpmljan.exe 1792 Fdbibjok.exe 1792 Fdbibjok.exe 1444 Fefboabg.exe 1444 Fefboabg.exe 2352 Fehodaqd.exe 2352 Fehodaqd.exe 2168 Foacmg32.exe 2168 Foacmg32.exe 2496 Ghlell32.exe 2496 Ghlell32.exe 2608 Ggqamh32.exe 2608 Ggqamh32.exe 2724 Gaffja32.exe 2724 Gaffja32.exe 1936 Ghpngkhm.exe 1936 Ghpngkhm.exe 1540 Gnocdb32.exe 1540 Gnocdb32.exe 2484 Hcllmi32.exe 2484 Hcllmi32.exe 1984 Hemeod32.exe 1984 Hemeod32.exe 388 Hoeigi32.exe 388 Hoeigi32.exe 3020 Hfanjcke.exe 3020 Hfanjcke.exe 2480 Hojbbiae.exe 2480 Hojbbiae.exe 2156 Hdgkkppm.exe 2156 Hdgkkppm.exe 2784 Ihedan32.exe 2784 Ihedan32.exe 2968 Idkdfo32.exe 2968 Idkdfo32.exe 2956 Ifoncgpc.exe 2956 Ifoncgpc.exe 2692 Iogbllfc.exe 2692 Iogbllfc.exe 2632 Iojoalda.exe 2632 Iojoalda.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Ndnbeclb.exe Nkfnln32.exe File opened for modification C:\Windows\SysWOW64\Lnhmqc32.exe Lepihndm.exe File created C:\Windows\SysWOW64\Pkdiehca.exe Pdjqinld.exe File created C:\Windows\SysWOW64\Knpdbhob.dll Dajiag32.exe File created C:\Windows\SysWOW64\Koobcj32.exe Kchaniho.exe File opened for modification C:\Windows\SysWOW64\Ldgpea32.exe Lkolmk32.exe File opened for modification C:\Windows\SysWOW64\Lmhhcaik.exe Kfnpgg32.exe File created C:\Windows\SysWOW64\Mipanmej.dll Odkkdqmd.exe File opened for modification C:\Windows\SysWOW64\Idofmp32.exe Ifkecl32.exe File opened for modification C:\Windows\SysWOW64\Pdmpgfae.exe Pkdknq32.exe File opened for modification C:\Windows\SysWOW64\Jbqkmj32.exe Jkegigal.exe File created C:\Windows\SysWOW64\Dlebeg32.exe Djdenoif.exe File created C:\Windows\SysWOW64\Gapcnodg.exe Glckehfp.exe File opened for modification C:\Windows\SysWOW64\Lofafhck.exe Lhmijn32.exe File created C:\Windows\SysWOW64\Keeeld32.dll Ongfai32.exe File opened for modification C:\Windows\SysWOW64\Pdkejo32.exe Palincli.exe File created C:\Windows\SysWOW64\Hcllmi32.exe Gnocdb32.exe File created C:\Windows\SysWOW64\Poenac32.dll Dkfdlclg.exe File opened for modification C:\Windows\SysWOW64\Hiichkog.exe Hbokkagk.exe File created C:\Windows\SysWOW64\Oigmbagp.exe Opohil32.exe File opened for modification C:\Windows\SysWOW64\Pfnjfepp.exe Pqaanoah.exe File created C:\Windows\SysWOW64\Fhopbf32.dll Qegpbaqb.exe File created C:\Windows\SysWOW64\Dmebncpa.dll Ldpbmg32.exe File created C:\Windows\SysWOW64\Ancfbhdh.exe Albijp32.exe File opened for modification C:\Windows\SysWOW64\Hgjdecca.exe Honpqaff.exe File created C:\Windows\SysWOW64\Jpgaohej.exe Iebmaoed.exe File opened for modification C:\Windows\SysWOW64\Fnglekch.exe Fdohme32.exe File created C:\Windows\SysWOW64\Dpqlmm32.exe Dghgdg32.exe File opened for modification C:\Windows\SysWOW64\Fjmfpe32.exe Fohacl32.exe File created C:\Windows\SysWOW64\Hmnoih32.dll Nacgpi32.exe File opened for modification C:\Windows\SysWOW64\Bnfbilgo.exe Bgmjla32.exe File created C:\Windows\SysWOW64\Dkecke32.dll Hofmlf32.exe File opened for modification C:\Windows\SysWOW64\Nqcjiaah.exe Njialh32.exe File created C:\Windows\SysWOW64\Oichhc32.exe Ocfppm32.exe File created C:\Windows\SysWOW64\Gfnnmboa.exe Gdobqgpn.exe File created C:\Windows\SysWOW64\Ldgikklb.exe Lfbibfmi.exe File created C:\Windows\SysWOW64\Fnlceaoq.dll Nchkjhdh.exe File created C:\Windows\SysWOW64\Odhjmc32.exe Ojpedn32.exe File created C:\Windows\SysWOW64\Bcnklm32.exe Bldbococ.exe File opened for modification C:\Windows\SysWOW64\Bpahad32.exe Belcck32.exe File opened for modification C:\Windows\SysWOW64\Kjfhgp32.exe Kqncnjan.exe File created C:\Windows\SysWOW64\Ncpdlhhj.dll Pmimpf32.exe File created C:\Windows\SysWOW64\Ojlmgg32.exe Odpeop32.exe File created C:\Windows\SysWOW64\Jncqlj32.exe Jgihopao.exe File created C:\Windows\SysWOW64\Pkpacaoj.exe Ohoiaf32.exe File created C:\Windows\SysWOW64\Edgbldch.dll Cbcgmi32.exe File opened for modification C:\Windows\SysWOW64\Encgglkm.exe Ehiojb32.exe File created C:\Windows\SysWOW64\Cdpfiekl.exe Ckgapo32.exe File created C:\Windows\SysWOW64\Agkfil32.exe Aeljmq32.exe File created C:\Windows\SysWOW64\Eccadhkh.exe Eikmkbeg.exe File created C:\Windows\SysWOW64\Igmhga32.dll Nqcjiaah.exe File created C:\Windows\SysWOW64\Opnjlnpf.dll Hbohblcg.exe File opened for modification C:\Windows\SysWOW64\Ghlell32.exe Foacmg32.exe File opened for modification C:\Windows\SysWOW64\Lmdnjf32.exe Lkcehkeh.exe File opened for modification C:\Windows\SysWOW64\Mmigdend.exe Mkhocj32.exe File created C:\Windows\SysWOW64\Qbiamm32.exe Qipmdhcj.exe File created C:\Windows\SysWOW64\Lgpkobnb.exe Lnhffm32.exe File created C:\Windows\SysWOW64\Efeblnbp.exe Eiabbicf.exe File created C:\Windows\SysWOW64\Ilfmedlj.dll Kgqcam32.exe File opened for modification C:\Windows\SysWOW64\Nkhkbmco.exe Ndnbeclb.exe File created C:\Windows\SysWOW64\Cfcajekc.exe Cmkmao32.exe File created C:\Windows\SysWOW64\Jkhjin32.exe Jndjoi32.exe File opened for modification C:\Windows\SysWOW64\Milcphgf.exe Mfngdmgb.exe File opened for modification C:\Windows\SysWOW64\Jegknp32.exe Jpkbfi32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 896 5492 WerFault.exe 1019 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kfnpgg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nqffoa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nbnajcig.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Imgmonga.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hdjedk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Acfpilmp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mmpodedg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Agjahooi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lodeahen.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mfbnfcli.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oijlpjma.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Chigmlml.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bmcpfj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jiecdn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nifhop32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bjfkde32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bqnidh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Efeblnbp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kqlgikcq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bonepo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Chpmocpa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Chiedc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jlckoh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nhbpbi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qhnlmjie.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hfgbbb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ijacgnjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Diklpn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hbokkagk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oeklpeco.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Knqnmeff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jbclcf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Obpccped.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bjhjcm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Einljkji.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aobblkkk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ckgapo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ekacnjfp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Edafjiqe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dhapfd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kkpbbeda.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ndnbeclb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Caijik32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bgbemjqh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cigijhne.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Blfodb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jkcllmhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ojhdmgkl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lbffga32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dpqlmm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ckjqog32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jnadfk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jllggbde.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Niilofhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ifkgldag.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Elbkddpg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jakhckdb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Choejien.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Enjmlgoj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gpihog32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iidajaiq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aendjh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jjqlbdog.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hgbdge32.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nhhcmd32.dll" Cocpjf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Fanjil32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ceclmc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bjmkkfek.dll" Pejnpe32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kkkgnmqb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjqfie32.dll" Cobkja32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fdhadgoa.dll" ea3df99684b295cdf5803931b1e986b8eabc743b4db0739a3ff5c58522bb4228.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkociclf.dll" Knapen32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cfcajekc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ggfqlkla.dll" Ibglhhdf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eeojob32.dll" Lnnkmdfq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pbifqe32.dll" Dgdfocge.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Phcpdm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cdnonb32.dll" Goicaell.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lmaphoqe.dll" Gpihog32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hfmfjh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pdkejo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Honpqaff.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Efaiobkc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pifcdbhi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Claqoinf.dll" Mfbnfcli.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Lhjjle32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Njklioqd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fopnma32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fallil32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jobnej32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Aikine32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ciekbj32.dll" Ikhlaaif.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Aomdpj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Enjmlgoj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Qkoeoe32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hcjpcmjg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ipmeej32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hbohblcg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjkedoid.dll" Lfhgng32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gaaicjed.dll" Idkdfo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Qgeckn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Aeljmq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fhiqmobf.dll" Ancfbhdh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Efiamj32.dll" Diklpn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Obhdpaqm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cipcii32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Iejkel32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcoggn32.dll" Oldajoho.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Gflcplhh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Memagk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ellfmm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Minpeh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Qhnnfc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kdcnpkog.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qhcpiioc.dll" Olfnpnfl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fobodn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jmepmj32.dll" Memagk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Lhlgaedj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ioplglop.dll" Nldbbbno.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ohoiaf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Efmchp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gffoec32.dll" Dcbpfp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Nhbnjpic.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Fjnkac32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bgnnjcee.dll" Hmefcp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bchmolkm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bmcpfj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mkgllndq.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2160 wrote to memory of 1804 2160 ea3df99684b295cdf5803931b1e986b8eabc743b4db0739a3ff5c58522bb4228.exe 29 PID 2160 wrote to memory of 1804 2160 ea3df99684b295cdf5803931b1e986b8eabc743b4db0739a3ff5c58522bb4228.exe 29 PID 2160 wrote to memory of 1804 2160 ea3df99684b295cdf5803931b1e986b8eabc743b4db0739a3ff5c58522bb4228.exe 29 PID 2160 wrote to memory of 1804 2160 ea3df99684b295cdf5803931b1e986b8eabc743b4db0739a3ff5c58522bb4228.exe 29 PID 1804 wrote to memory of 2856 1804 Cbcdjpba.exe 30 PID 1804 wrote to memory of 2856 1804 Cbcdjpba.exe 30 PID 1804 wrote to memory of 2856 1804 Cbcdjpba.exe 30 PID 1804 wrote to memory of 2856 1804 Cbcdjpba.exe 30 PID 2856 wrote to memory of 2756 2856 Dmobpn32.exe 31 PID 2856 wrote to memory of 2756 2856 Dmobpn32.exe 31 PID 2856 wrote to memory of 2756 2856 Dmobpn32.exe 31 PID 2856 wrote to memory of 2756 2856 Dmobpn32.exe 31 PID 2756 wrote to memory of 2776 2756 Dmaoem32.exe 32 PID 2756 wrote to memory of 2776 2756 Dmaoem32.exe 32 PID 2756 wrote to memory of 2776 2756 Dmaoem32.exe 32 PID 2756 wrote to memory of 2776 2756 Dmaoem32.exe 32 PID 2776 wrote to memory of 2700 2776 Djfooa32.exe 33 PID 2776 wrote to memory of 2700 2776 Djfooa32.exe 33 PID 2776 wrote to memory of 2700 2776 Djfooa32.exe 33 PID 2776 wrote to memory of 2700 2776 Djfooa32.exe 33 PID 2700 wrote to memory of 3048 2700 Diklpn32.exe 34 PID 2700 wrote to memory of 3048 2700 Diklpn32.exe 34 PID 2700 wrote to memory of 3048 2700 Diklpn32.exe 34 PID 2700 wrote to memory of 3048 2700 Diklpn32.exe 34 PID 3048 wrote to memory of 1276 3048 Eeameodq.exe 35 PID 3048 wrote to memory of 1276 3048 Eeameodq.exe 35 PID 3048 wrote to memory of 1276 3048 Eeameodq.exe 35 PID 3048 wrote to memory of 1276 3048 Eeameodq.exe 35 PID 1276 wrote to memory of 1708 1276 Efaiobkc.exe 36 PID 1276 wrote to memory of 1708 1276 Efaiobkc.exe 36 PID 1276 wrote to memory of 1708 1276 Efaiobkc.exe 36 PID 1276 wrote to memory of 1708 1276 Efaiobkc.exe 36 PID 1708 wrote to memory of 2544 1708 Enokidgl.exe 37 PID 1708 wrote to memory of 2544 1708 Enokidgl.exe 37 PID 1708 wrote to memory of 2544 1708 Enokidgl.exe 37 PID 1708 wrote to memory of 2544 1708 Enokidgl.exe 37 PID 2544 wrote to memory of 2044 2544 Eckcak32.exe 38 PID 2544 wrote to memory of 2044 2544 Eckcak32.exe 38 PID 2544 wrote to memory of 2044 2544 Eckcak32.exe 38 PID 2544 wrote to memory of 2044 2544 Eckcak32.exe 38 PID 2044 wrote to memory of 2832 2044 Efllcf32.exe 39 PID 2044 wrote to memory of 2832 2044 Efllcf32.exe 39 PID 2044 wrote to memory of 2832 2044 Efllcf32.exe 39 PID 2044 wrote to memory of 2832 2044 Efllcf32.exe 39 PID 2832 wrote to memory of 1792 2832 Fdpmljan.exe 40 PID 2832 wrote to memory of 1792 2832 Fdpmljan.exe 40 PID 2832 wrote to memory of 1792 2832 Fdpmljan.exe 40 PID 2832 wrote to memory of 1792 2832 Fdpmljan.exe 40 PID 1792 wrote to memory of 1444 1792 Fdbibjok.exe 41 PID 1792 wrote to memory of 1444 1792 Fdbibjok.exe 41 PID 1792 wrote to memory of 1444 1792 Fdbibjok.exe 41 PID 1792 wrote to memory of 1444 1792 Fdbibjok.exe 41 PID 1444 wrote to memory of 2352 1444 Fefboabg.exe 42 PID 1444 wrote to memory of 2352 1444 Fefboabg.exe 42 PID 1444 wrote to memory of 2352 1444 Fefboabg.exe 42 PID 1444 wrote to memory of 2352 1444 Fefboabg.exe 42 PID 2352 wrote to memory of 2168 2352 Fehodaqd.exe 43 PID 2352 wrote to memory of 2168 2352 Fehodaqd.exe 43 PID 2352 wrote to memory of 2168 2352 Fehodaqd.exe 43 PID 2352 wrote to memory of 2168 2352 Fehodaqd.exe 43 PID 2168 wrote to memory of 2496 2168 Foacmg32.exe 44 PID 2168 wrote to memory of 2496 2168 Foacmg32.exe 44 PID 2168 wrote to memory of 2496 2168 Foacmg32.exe 44 PID 2168 wrote to memory of 2496 2168 Foacmg32.exe 44
Processes
-
C:\Users\Admin\AppData\Local\Temp\ea3df99684b295cdf5803931b1e986b8eabc743b4db0739a3ff5c58522bb4228.exe"C:\Users\Admin\AppData\Local\Temp\ea3df99684b295cdf5803931b1e986b8eabc743b4db0739a3ff5c58522bb4228.exe"1⤵
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2160 -
C:\Windows\SysWOW64\Cbcdjpba.exeC:\Windows\system32\Cbcdjpba.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1804 -
C:\Windows\SysWOW64\Dmobpn32.exeC:\Windows\system32\Dmobpn32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2856 -
C:\Windows\SysWOW64\Dmaoem32.exeC:\Windows\system32\Dmaoem32.exe4⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2756 -
C:\Windows\SysWOW64\Djfooa32.exeC:\Windows\system32\Djfooa32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2776 -
C:\Windows\SysWOW64\Diklpn32.exeC:\Windows\system32\Diklpn32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2700 -
C:\Windows\SysWOW64\Eeameodq.exeC:\Windows\system32\Eeameodq.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3048 -
C:\Windows\SysWOW64\Efaiobkc.exeC:\Windows\system32\Efaiobkc.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1276 -
C:\Windows\SysWOW64\Enokidgl.exeC:\Windows\system32\Enokidgl.exe9⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1708 -
C:\Windows\SysWOW64\Eckcak32.exeC:\Windows\system32\Eckcak32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2544 -
C:\Windows\SysWOW64\Efllcf32.exeC:\Windows\system32\Efllcf32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2044 -
C:\Windows\SysWOW64\Fdpmljan.exeC:\Windows\system32\Fdpmljan.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2832 -
C:\Windows\SysWOW64\Fdbibjok.exeC:\Windows\system32\Fdbibjok.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1792 -
C:\Windows\SysWOW64\Fefboabg.exeC:\Windows\system32\Fefboabg.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1444 -
C:\Windows\SysWOW64\Fehodaqd.exeC:\Windows\system32\Fehodaqd.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2352 -
C:\Windows\SysWOW64\Foacmg32.exeC:\Windows\system32\Foacmg32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2168 -
C:\Windows\SysWOW64\Ghlell32.exeC:\Windows\system32\Ghlell32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2496 -
C:\Windows\SysWOW64\Ggqamh32.exeC:\Windows\system32\Ggqamh32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2608 -
C:\Windows\SysWOW64\Gaffja32.exeC:\Windows\system32\Gaffja32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2724 -
C:\Windows\SysWOW64\Ghpngkhm.exeC:\Windows\system32\Ghpngkhm.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1936 -
C:\Windows\SysWOW64\Gnocdb32.exeC:\Windows\system32\Gnocdb32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1540 -
C:\Windows\SysWOW64\Hcllmi32.exeC:\Windows\system32\Hcllmi32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2484 -
C:\Windows\SysWOW64\Hemeod32.exeC:\Windows\system32\Hemeod32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1984 -
C:\Windows\SysWOW64\Hoeigi32.exeC:\Windows\system32\Hoeigi32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:388 -
C:\Windows\SysWOW64\Hfanjcke.exeC:\Windows\system32\Hfanjcke.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3020 -
C:\Windows\SysWOW64\Hojbbiae.exeC:\Windows\system32\Hojbbiae.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2480 -
C:\Windows\SysWOW64\Hdgkkppm.exeC:\Windows\system32\Hdgkkppm.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2156 -
C:\Windows\SysWOW64\Ihedan32.exeC:\Windows\system32\Ihedan32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2784 -
C:\Windows\SysWOW64\Idkdfo32.exeC:\Windows\system32\Idkdfo32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2968 -
C:\Windows\SysWOW64\Ifoncgpc.exeC:\Windows\system32\Ifoncgpc.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2956 -
C:\Windows\SysWOW64\Iogbllfc.exeC:\Windows\system32\Iogbllfc.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2692 -
C:\Windows\SysWOW64\Iojoalda.exeC:\Windows\system32\Iojoalda.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2632 -
C:\Windows\SysWOW64\Jkcllmhb.exeC:\Windows\system32\Jkcllmhb.exe33⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2620 -
C:\Windows\SysWOW64\Jigmeagl.exeC:\Windows\system32\Jigmeagl.exe34⤵
- Executes dropped EXE
PID:2272 -
C:\Windows\SysWOW64\Jboanfmm.exeC:\Windows\system32\Jboanfmm.exe35⤵
- Executes dropped EXE
PID:2120 -
C:\Windows\SysWOW64\Jbandfkj.exeC:\Windows\system32\Jbandfkj.exe36⤵
- Executes dropped EXE
PID:2372 -
C:\Windows\SysWOW64\Jccjln32.exeC:\Windows\system32\Jccjln32.exe37⤵
- Executes dropped EXE
PID:2060 -
C:\Windows\SysWOW64\Kmkodd32.exeC:\Windows\system32\Kmkodd32.exe38⤵
- Executes dropped EXE
PID:1996 -
C:\Windows\SysWOW64\Kgqcam32.exeC:\Windows\system32\Kgqcam32.exe39⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2408 -
C:\Windows\SysWOW64\Lpekln32.exeC:\Windows\system32\Lpekln32.exe40⤵
- Executes dropped EXE
PID:1972 -
C:\Windows\SysWOW64\Lkolmk32.exeC:\Windows\system32\Lkolmk32.exe41⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2324 -
C:\Windows\SysWOW64\Ldgpea32.exeC:\Windows\system32\Ldgpea32.exe42⤵
- Executes dropped EXE
PID:1740 -
C:\Windows\SysWOW64\Lomdcj32.exeC:\Windows\system32\Lomdcj32.exe43⤵
- Executes dropped EXE
PID:2076 -
C:\Windows\SysWOW64\Lkcehkeh.exeC:\Windows\system32\Lkcehkeh.exe44⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1156 -
C:\Windows\SysWOW64\Lmdnjf32.exeC:\Windows\system32\Lmdnjf32.exe45⤵
- Executes dropped EXE
PID:2536 -
C:\Windows\SysWOW64\Mkhocj32.exeC:\Windows\system32\Mkhocj32.exe46⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1724 -
C:\Windows\SysWOW64\Mmigdend.exeC:\Windows\system32\Mmigdend.exe47⤵
- Executes dropped EXE
PID:2532 -
C:\Windows\SysWOW64\Mgalnk32.exeC:\Windows\system32\Mgalnk32.exe48⤵
- Executes dropped EXE
PID:1748 -
C:\Windows\SysWOW64\Mpjqfpke.exeC:\Windows\system32\Mpjqfpke.exe49⤵
- Executes dropped EXE
PID:1988 -
C:\Windows\SysWOW64\Mheekb32.exeC:\Windows\system32\Mheekb32.exe50⤵
- Executes dropped EXE
PID:2116 -
C:\Windows\SysWOW64\Mamjchoa.exeC:\Windows\system32\Mamjchoa.exe51⤵
- Executes dropped EXE
PID:2080 -
C:\Windows\SysWOW64\Nkfnln32.exeC:\Windows\system32\Nkfnln32.exe52⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2988 -
C:\Windows\SysWOW64\Ndnbeclb.exeC:\Windows\system32\Ndnbeclb.exe53⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2848 -
C:\Windows\SysWOW64\Nkhkbmco.exeC:\Windows\system32\Nkhkbmco.exe54⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2880 -
C:\Windows\SysWOW64\Nabcog32.exeC:\Windows\system32\Nabcog32.exe55⤵
- Executes dropped EXE
PID:2904 -
C:\Windows\SysWOW64\Nkjggmal.exeC:\Windows\system32\Nkjggmal.exe56⤵
- Executes dropped EXE
PID:2712 -
C:\Windows\SysWOW64\Nnidchqp.exeC:\Windows\system32\Nnidchqp.exe57⤵
- Executes dropped EXE
PID:2040 -
C:\Windows\SysWOW64\Ngahmngp.exeC:\Windows\system32\Ngahmngp.exe58⤵
- Executes dropped EXE
PID:2980 -
C:\Windows\SysWOW64\Nqjmec32.exeC:\Windows\system32\Nqjmec32.exe59⤵
- Executes dropped EXE
PID:3040 -
C:\Windows\SysWOW64\Nffenj32.exeC:\Windows\system32\Nffenj32.exe60⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2736 -
C:\Windows\SysWOW64\Nlpmjdce.exeC:\Windows\system32\Nlpmjdce.exe61⤵
- Executes dropped EXE
PID:2416 -
C:\Windows\SysWOW64\Ojdndi32.exeC:\Windows\system32\Ojdndi32.exe62⤵
- Executes dropped EXE
PID:852 -
C:\Windows\SysWOW64\Ooaflp32.exeC:\Windows\system32\Ooaflp32.exe63⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2472 -
C:\Windows\SysWOW64\Ojgkih32.exeC:\Windows\system32\Ojgkih32.exe64⤵
- Executes dropped EXE
PID:2220 -
C:\Windows\SysWOW64\Ocoobngl.exeC:\Windows\system32\Ocoobngl.exe65⤵
- Executes dropped EXE
PID:1108 -
C:\Windows\SysWOW64\Omgckcmm.exeC:\Windows\system32\Omgckcmm.exe66⤵PID:1700
-
C:\Windows\SysWOW64\Obdlcjkd.exeC:\Windows\system32\Obdlcjkd.exe67⤵PID:1532
-
C:\Windows\SysWOW64\Okmqlp32.exeC:\Windows\system32\Okmqlp32.exe68⤵PID:1964
-
C:\Windows\SysWOW64\Oqiidg32.exeC:\Windows\system32\Oqiidg32.exe69⤵PID:948
-
C:\Windows\SysWOW64\Ogcaaahi.exeC:\Windows\system32\Ogcaaahi.exe70⤵PID:896
-
C:\Windows\SysWOW64\Pegaje32.exeC:\Windows\system32\Pegaje32.exe71⤵PID:2432
-
C:\Windows\SysWOW64\Pmbfoh32.exeC:\Windows\system32\Pmbfoh32.exe72⤵PID:2788
-
C:\Windows\SysWOW64\Pejnpe32.exeC:\Windows\system32\Pejnpe32.exe73⤵
- Modifies registry class
PID:2876 -
C:\Windows\SysWOW64\Pnbcij32.exeC:\Windows\system32\Pnbcij32.exe74⤵PID:3044
-
C:\Windows\SysWOW64\Paqoef32.exeC:\Windows\system32\Paqoef32.exe75⤵PID:1828
-
C:\Windows\SysWOW64\Pjicnlqe.exeC:\Windows\system32\Pjicnlqe.exe76⤵PID:572
-
C:\Windows\SysWOW64\Paclje32.exeC:\Windows\system32\Paclje32.exe77⤵PID:2528
-
C:\Windows\SysWOW64\Pfpdcm32.exeC:\Windows\system32\Pfpdcm32.exe78⤵PID:2388
-
C:\Windows\SysWOW64\Pmimpf32.exeC:\Windows\system32\Pmimpf32.exe79⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:952 -
C:\Windows\SysWOW64\Qfbahldf.exeC:\Windows\system32\Qfbahldf.exe80⤵PID:1616
-
C:\Windows\SysWOW64\Qipmdhcj.exeC:\Windows\system32\Qipmdhcj.exe81⤵
- Drops file in System32 directory
PID:2180 -
C:\Windows\SysWOW64\Qbiamm32.exeC:\Windows\system32\Qbiamm32.exe82⤵PID:2216
-
C:\Windows\SysWOW64\Qnpbbn32.exeC:\Windows\system32\Qnpbbn32.exe83⤵PID:1228
-
C:\Windows\SysWOW64\Aeikohgk.exeC:\Windows\system32\Aeikohgk.exe84⤵PID:556
-
C:\Windows\SysWOW64\Ajfcgoec.exeC:\Windows\system32\Ajfcgoec.exe85⤵PID:3000
-
C:\Windows\SysWOW64\Aelgdhei.exeC:\Windows\system32\Aelgdhei.exe86⤵PID:1408
-
C:\Windows\SysWOW64\Ahjcqcdm.exeC:\Windows\system32\Ahjcqcdm.exe87⤵PID:2564
-
C:\Windows\SysWOW64\Aendjh32.exeC:\Windows\system32\Aendjh32.exe88⤵
- System Location Discovery: System Language Discovery
PID:1608 -
C:\Windows\SysWOW64\Adcakdhn.exeC:\Windows\system32\Adcakdhn.exe89⤵PID:2764
-
C:\Windows\SysWOW64\Aagadh32.exeC:\Windows\system32\Aagadh32.exe90⤵PID:2668
-
C:\Windows\SysWOW64\Afdjmo32.exeC:\Windows\system32\Afdjmo32.exe91⤵PID:2616
-
C:\Windows\SysWOW64\Bplofekp.exeC:\Windows\system32\Bplofekp.exe92⤵PID:2172
-
C:\Windows\SysWOW64\Bffgbo32.exeC:\Windows\system32\Bffgbo32.exe93⤵PID:1292
-
C:\Windows\SysWOW64\Bpokkdim.exeC:\Windows\system32\Bpokkdim.exe94⤵PID:1120
-
C:\Windows\SysWOW64\Belcck32.exeC:\Windows\system32\Belcck32.exe95⤵
- Drops file in System32 directory
PID:2520 -
C:\Windows\SysWOW64\Bpahad32.exeC:\Windows\system32\Bpahad32.exe96⤵PID:2960
-
C:\Windows\SysWOW64\Babdhlmh.exeC:\Windows\system32\Babdhlmh.exe97⤵PID:744
-
C:\Windows\SysWOW64\Bkkiab32.exeC:\Windows\system32\Bkkiab32.exe98⤵PID:2492
-
C:\Windows\SysWOW64\Bepmokco.exeC:\Windows\system32\Bepmokco.exe99⤵PID:636
-
C:\Windows\SysWOW64\Boiagp32.exeC:\Windows\system32\Boiagp32.exe100⤵PID:1976
-
C:\Windows\SysWOW64\Cgdflb32.exeC:\Windows\system32\Cgdflb32.exe101⤵PID:1628
-
C:\Windows\SysWOW64\Caijik32.exeC:\Windows\system32\Caijik32.exe102⤵
- System Location Discovery: System Language Discovery
PID:2400 -
C:\Windows\SysWOW64\Chccfe32.exeC:\Windows\system32\Chccfe32.exe103⤵PID:2872
-
C:\Windows\SysWOW64\Cnpknl32.exeC:\Windows\system32\Cnpknl32.exe104⤵PID:2688
-
C:\Windows\SysWOW64\Cpogjh32.exeC:\Windows\system32\Cpogjh32.exe105⤵PID:2212
-
C:\Windows\SysWOW64\Cnbhcl32.exeC:\Windows\system32\Cnbhcl32.exe106⤵PID:2328
-
C:\Windows\SysWOW64\Cgklma32.exeC:\Windows\system32\Cgklma32.exe107⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:904 -
C:\Windows\SysWOW64\Cpcaeghc.exeC:\Windows\system32\Cpcaeghc.exe108⤵PID:1524
-
C:\Windows\SysWOW64\Ccamabgg.exeC:\Windows\system32\Ccamabgg.exe109⤵PID:2304
-
C:\Windows\SysWOW64\Choejien.exeC:\Windows\system32\Choejien.exe110⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:1656 -
C:\Windows\SysWOW64\Dkfdlclg.exeC:\Windows\system32\Dkfdlclg.exe111⤵
- Drops file in System32 directory
PID:2028 -
C:\Windows\SysWOW64\Egmeadbk.exeC:\Windows\system32\Egmeadbk.exe112⤵PID:964
-
C:\Windows\SysWOW64\Ejkampao.exeC:\Windows\system32\Ejkampao.exe113⤵PID:2344
-
C:\Windows\SysWOW64\Edafjiqe.exeC:\Windows\system32\Edafjiqe.exe114⤵
- System Location Discovery: System Language Discovery
PID:880 -
C:\Windows\SysWOW64\Emlkoknp.exeC:\Windows\system32\Emlkoknp.exe115⤵PID:2128
-
C:\Windows\SysWOW64\Ecfcle32.exeC:\Windows\system32\Ecfcle32.exe116⤵PID:2792
-
C:\Windows\SysWOW64\Efdohq32.exeC:\Windows\system32\Efdohq32.exe117⤵PID:2760
-
C:\Windows\SysWOW64\Emogdk32.exeC:\Windows\system32\Emogdk32.exe118⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2340 -
C:\Windows\SysWOW64\Epmcqf32.exeC:\Windows\system32\Epmcqf32.exe119⤵PID:2108
-
C:\Windows\SysWOW64\Efglmpbn.exeC:\Windows\system32\Efglmpbn.exe120⤵PID:2320
-
C:\Windows\SysWOW64\Ekcdegqe.exeC:\Windows\system32\Ekcdegqe.exe121⤵PID:2612
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-