Analysis
-
max time kernel
149s -
max time network
21s -
platform
windows7_x64 -
resource
win7-20240729-en -
resource tags
arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system -
submitted
19/09/2024, 03:45
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
93556edacf96cb5a277785d08f02280daf45624d6596a0ac88343b00d93444d5N.exe
Resource
win7-20240729-en
windows7-x64
8 signatures
150 seconds
Behavioral task
behavioral2
Sample
93556edacf96cb5a277785d08f02280daf45624d6596a0ac88343b00d93444d5N.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
7 signatures
150 seconds
General
-
Target
93556edacf96cb5a277785d08f02280daf45624d6596a0ac88343b00d93444d5N.exe
-
Size
406KB
-
MD5
a5dd93012152fb7c7d1a257a31459380
-
SHA1
d1dc139a13faed2641321459744a30da7ae704bf
-
SHA256
93556edacf96cb5a277785d08f02280daf45624d6596a0ac88343b00d93444d5
-
SHA512
17d44aa4d4de487908312e98b4fd0f106e7148071e506f4da6fe878bd13201eb7dfb84e6056ace3f528583c3369067f4f0fa9e5710a6f0a2a30cd9bd8c66ec6d
-
SSDEEP
6144:ig6O6L5qBmU5U5Xj1XH5U5Xj83XH5U1XH5U5Xj8s5DXH5U5qXH5XXH5U5oXH:MvLcJMp3Ma3M3MvD3Mq3B3Mo3
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Egmeadbk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Emlkoknp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pgkqeo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Angafl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Infhmmhi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cnnohmog.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Anlkakqa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hjaiaolb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lldkem32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pcikllja.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qedjib32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Apphpp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cdnicemo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cgnbepjp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ddgljced.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hdjedk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hhfqejoh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Icnngeof.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jjcigcmd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Baannfim.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pccelqeb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ajipmocp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Neohbe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cadfbi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dddodd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ebfpglkn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gmejdm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ojlmgg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cgcoal32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iapghlbe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hcdkagga.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lfbibfmi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Djfagjai.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fbebcp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Giogonlb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mcjihk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Biiljjnk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Emcqpjhh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Apeakonl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dgehfodh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eojpqpih.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Beignlig.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bkkiab32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pafacd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aliejq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hoflpbmo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hlliof32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fpoleilj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fmicnhob.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fgmaphdg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bmahbhei.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bfoffmhd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ajkmbo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bkkiab32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Boiagp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Chccfe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fcfojhhh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hjqpcq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pkeppngm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dokjlcjh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Filnjk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Knnagehi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Enajgllm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gdobqgpn.exe -
Executes dropped EXE 64 IoCs
pid Process 2328 Lmpdoffo.exe 2692 Lheilofe.exe 2740 Mdnffpif.exe 2836 Mkhocj32.exe 2752 Mikooghn.exe 2632 Mcfpmlll.exe 3064 Mheekb32.exe 2096 Mkcagn32.exe 2684 Mcjihk32.exe 1652 Napfihmn.exe 2792 Nkhkbmco.exe 2628 Npecjdaf.exe 1240 Nnidchqp.exe 2236 Njpdiifd.exe 2232 Odbhofjh.exe 2464 Ogadkajl.exe 2376 Oohmmojn.exe 1540 Obfiijia.exe 1816 Oiqaed32.exe 3000 Okomappb.exe 2364 Pjicnlqe.exe 492 Paclje32.exe 1448 Pjkpckob.exe 940 Pllmkcdp.exe 2408 Pccelqeb.exe 1624 Qmlief32.exe 2704 Qhejed32.exe 2848 Qpmbgaid.exe 2620 Aanonj32.exe 2592 Aelgdhei.exe 2000 Ajipmocp.exe 1316 Adadedjq.exe 1072 Ajkmbo32.exe 1064 Apheke32.exe 2072 Afamgpga.exe 2572 Apjbpemb.exe 2372 Abhnlqlf.exe 2648 Bmnbjill.exe 1088 Beignlig.exe 2392 Blcokf32.exe 2876 Bgichoqj.exe 1200 Benpik32.exe 1844 Biiljjnk.exe 2252 Bkkiab32.exe 264 Bepmokco.exe 1436 Bhoikfbb.exe 2280 Bkmegaaf.exe 2148 Boiagp32.exe 2972 Bagncl32.exe 2596 Cdejpg32.exe 2868 Cgdflb32.exe 1792 Cnnohmog.exe 2556 Cplkehnk.exe 1632 Chccfe32.exe 2120 Ckboba32.exe 2976 Cjdonndl.exe 1028 Calgoken.exe 2228 Cdjckfda.exe 3032 Cjglcmbi.exe 2548 Clehoiam.exe 2164 Cpadpg32.exe 2104 Ccoplcii.exe 560 Cgklma32.exe 2672 Cfnmhnhm.exe -
Loads dropped DLL 64 IoCs
pid Process 2532 93556edacf96cb5a277785d08f02280daf45624d6596a0ac88343b00d93444d5N.exe 2532 93556edacf96cb5a277785d08f02280daf45624d6596a0ac88343b00d93444d5N.exe 2328 Lmpdoffo.exe 2328 Lmpdoffo.exe 2692 Lheilofe.exe 2692 Lheilofe.exe 2740 Mdnffpif.exe 2740 Mdnffpif.exe 2836 Mkhocj32.exe 2836 Mkhocj32.exe 2752 Mikooghn.exe 2752 Mikooghn.exe 2632 Mcfpmlll.exe 2632 Mcfpmlll.exe 3064 Mheekb32.exe 3064 Mheekb32.exe 2096 Mkcagn32.exe 2096 Mkcagn32.exe 2684 Mcjihk32.exe 2684 Mcjihk32.exe 1652 Napfihmn.exe 1652 Napfihmn.exe 2792 Nkhkbmco.exe 2792 Nkhkbmco.exe 2628 Npecjdaf.exe 2628 Npecjdaf.exe 1240 Nnidchqp.exe 1240 Nnidchqp.exe 2236 Njpdiifd.exe 2236 Njpdiifd.exe 2232 Odbhofjh.exe 2232 Odbhofjh.exe 2464 Ogadkajl.exe 2464 Ogadkajl.exe 2376 Oohmmojn.exe 2376 Oohmmojn.exe 1540 Obfiijia.exe 1540 Obfiijia.exe 1816 Oiqaed32.exe 1816 Oiqaed32.exe 3000 Okomappb.exe 3000 Okomappb.exe 2364 Pjicnlqe.exe 2364 Pjicnlqe.exe 492 Paclje32.exe 492 Paclje32.exe 1448 Pjkpckob.exe 1448 Pjkpckob.exe 940 Pllmkcdp.exe 940 Pllmkcdp.exe 2408 Pccelqeb.exe 2408 Pccelqeb.exe 1624 Qmlief32.exe 1624 Qmlief32.exe 2704 Qhejed32.exe 2704 Qhejed32.exe 2848 Qpmbgaid.exe 2848 Qpmbgaid.exe 2620 Aanonj32.exe 2620 Aanonj32.exe 2592 Aelgdhei.exe 2592 Aelgdhei.exe 2000 Ajipmocp.exe 2000 Ajipmocp.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Bagncl32.exe Boiagp32.exe File opened for modification C:\Windows\SysWOW64\Ljlhme32.exe Lhnlqjha.exe File created C:\Windows\SysWOW64\Dbdippia.dll Okecak32.exe File opened for modification C:\Windows\SysWOW64\Colgpo32.exe Cpigeblb.exe File created C:\Windows\SysWOW64\Hnfggjde.dll Fcqoec32.exe File opened for modification C:\Windows\SysWOW64\Idlgohcl.exe Iankbldh.exe File created C:\Windows\SysWOW64\Icadpd32.exe Ipbgci32.exe File opened for modification C:\Windows\SysWOW64\Jlnadiko.exe Jjpehn32.exe File opened for modification C:\Windows\SysWOW64\Cdjckfda.exe Calgoken.exe File created C:\Windows\SysWOW64\Cgklma32.exe Ccoplcii.exe File opened for modification C:\Windows\SysWOW64\Emjnikpc.exe Ejkampao.exe File opened for modification C:\Windows\SysWOW64\Geehcoaf.exe Gajlcp32.exe File opened for modification C:\Windows\SysWOW64\Ihhjjm32.exe Ianambhc.exe File created C:\Windows\SysWOW64\Mdbloobc.exe Meolcb32.exe File created C:\Windows\SysWOW64\Plfmlj32.dll Bikemiik.exe File opened for modification C:\Windows\SysWOW64\Dppiddie.exe Dldndf32.exe File created C:\Windows\SysWOW64\Cfnmhnhm.exe Cgklma32.exe File opened for modification C:\Windows\SysWOW64\Hhfqejoh.exe Hdjedk32.exe File opened for modification C:\Windows\SysWOW64\Hcdkagga.exe Hdakej32.exe File created C:\Windows\SysWOW64\Jdnkjn32.dll Jmhkdnfp.exe File created C:\Windows\SysWOW64\Enomam32.exe Enomam32.exe File created C:\Windows\SysWOW64\Kbkgjqib.dll Efdohq32.exe File created C:\Windows\SysWOW64\Dcdjbpgm.dll Hbcdfq32.exe File created C:\Windows\SysWOW64\Lmndafic.dll Jkfkjemd.exe File opened for modification C:\Windows\SysWOW64\Qhejed32.exe Qmlief32.exe File created C:\Windows\SysWOW64\Nhpadpke.exe Neaehelb.exe File opened for modification C:\Windows\SysWOW64\Bbegkn32.exe Bdbfpafn.exe File opened for modification C:\Windows\SysWOW64\Iapghlbe.exe Indkgm32.exe File opened for modification C:\Windows\SysWOW64\Jkcoee32.exe Jlqniihl.exe File created C:\Windows\SysWOW64\Cgmiba32.exe Ccamabgg.exe File created C:\Windows\SysWOW64\Afelbkca.dll Gmejdm32.exe File created C:\Windows\SysWOW64\Fjlpdj32.dll Hilghaqq.exe File created C:\Windows\SysWOW64\Hpehje32.exe Hljljflh.exe File created C:\Windows\SysWOW64\Clehoiam.exe Cjglcmbi.exe File created C:\Windows\SysWOW64\Ikkoagjo.exe Ihmcelkk.exe File created C:\Windows\SysWOW64\Fbjeao32.exe Fpliec32.exe File created C:\Windows\SysWOW64\Eqfjdnpo.dll Hobfgcdb.exe File created C:\Windows\SysWOW64\Bdiciboh.exe Bakgmgpe.exe File opened for modification C:\Windows\SysWOW64\Djokgk32.exe Dklkkoqf.exe File created C:\Windows\SysWOW64\Npphimpc.dll Gdgadeee.exe File created C:\Windows\SysWOW64\Ghcdpjqj.exe Geehcoaf.exe File opened for modification C:\Windows\SysWOW64\Iegaha32.exe Icidlf32.exe File created C:\Windows\SysWOW64\Ekndpa32.exe Egchocif.exe File opened for modification C:\Windows\SysWOW64\Hakani32.exe Hidjml32.exe File created C:\Windows\SysWOW64\Efdohq32.exe Egaoldnf.exe File opened for modification C:\Windows\SysWOW64\Flkjffkm.exe Filnjk32.exe File created C:\Windows\SysWOW64\Ifbalb32.dll Qmoone32.exe File created C:\Windows\SysWOW64\Paejod32.dll Dgqokp32.exe File created C:\Windows\SysWOW64\Efhgfh32.dll Iedmhlqf.exe File opened for modification C:\Windows\SysWOW64\Jdfqomom.exe Jnlhbb32.exe File created C:\Windows\SysWOW64\Pfhghgie.exe Pcikllja.exe File opened for modification C:\Windows\SysWOW64\Feiamj32.exe Fffabman.exe File created C:\Windows\SysWOW64\Hgnjlfam.exe Hpcbol32.exe File created C:\Windows\SysWOW64\Mnkmfbbe.dll Ikibkhla.exe File created C:\Windows\SysWOW64\Ahpfoa32.exe Aimfcedl.exe File created C:\Windows\SysWOW64\Mhfnlgnk.dll Gjmpfp32.exe File created C:\Windows\SysWOW64\Jkcoee32.exe Jlqniihl.exe File opened for modification C:\Windows\SysWOW64\Chdlidjm.exe Cialng32.exe File created C:\Windows\SysWOW64\Iiiogoac.exe Igjckcbo.exe File created C:\Windows\SysWOW64\Hhhmki32.exe Hdmajkdl.exe File created C:\Windows\SysWOW64\Hobfgcdb.exe Hgknffcp.exe File opened for modification C:\Windows\SysWOW64\Kgkokjjd.exe Kaagnp32.exe File created C:\Windows\SysWOW64\Lhnlqjha.exe Lcbppk32.exe File created C:\Windows\SysWOW64\Cjlmpk32.dll Oncpmf32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 7016 6196 WerFault.exe 661 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cadfbi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Idlgohcl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dkfdlclg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qjacai32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Emogdk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eqjceidf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ebnlba32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fbebcp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ilolol32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iobbfggm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Njpdiifd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dfecim32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gjmpfp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bfoffmhd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cpldjajo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Egmeadbk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hgnjlfam.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oqaliabh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ocphembl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ajcpgi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dfhial32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bkkiab32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dfgpnm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jlqniihl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jookedhp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kaagnp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Efakhk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lifoia32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Moecghdl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ognakk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cialng32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Clphjc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hidjml32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kgkokjjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lhnlqjha.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hpckee32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jcjffc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eligoe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ooiepnen.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dlpdifda.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jfnchd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pfhghgie.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Angafl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bakgmgpe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dfmbmkgm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dqqqokla.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Icnngeof.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Peoanckj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qnjbmh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ljlhme32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ncbilimn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gdobqgpn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hdmajkdl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nlmjjo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pbohmh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Acldpojj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eqninhmc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fgmaphdg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Flkjffkm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iniebmfg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fqbbig32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hfhjfp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Egobfdpi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gbihmcqp.exe -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Heedbbdb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Icnngeof.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ocphembl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Iomhkgkb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cljiqf32.dll" Majfcb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aaligm32.dll" Acldpojj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hlhgpq32.dll" Gfcqkafl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jfffmo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Filnjk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kkbbqjgb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gdgadeee.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eqjceidf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bqnpke32.dll" Iomhkgkb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mmojcceo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pifcdbhi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bdkpob32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aapeim32.dll" Oamohenq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qcgkeonp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kknbenkh.dll" Chiedc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpgcde32.dll" Cjglcmbi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Idagdm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iphfcnka.dll" Fmicnhob.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbejabln.dll" Flnpoe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Giogonlb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Idagdm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pidgnc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jlleni32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pomcgf32.dll" Faefim32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qpgfhg32.dll" Ohfgeo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pfganlfn.dll" Qgeckn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lpfdpmho.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjbpppeb.dll" Ogpnakfp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhaeje32.dll" Hljljflh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Oiqaed32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ldpdnalq.dll" Fbebcp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dcjleq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Feiamj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hmcimq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hcdkagga.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ikkoagjo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egglnnil.dll" Gjhfkqdm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jbmgapgc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pccelqeb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jfijmdbh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qoeidfog.dll" Bpdnjb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gadkmj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bfodod32.dll" Ejnnbpol.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hjqpcq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ghcdpjqj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hoqnikmd.dll" Apgnpo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cdpfiekl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdkeka32.dll" Mikooghn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cpcaeghc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dokjlcjh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Obkjhoan.dll" Heedbbdb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Infhmmhi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Neaehelb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aifpcfjd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nellfkep.dll" Odbhofjh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bpdnjb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Paclje32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cdejpg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kiaiooja.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dajjck32.dll" Cdnicemo.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2532 wrote to memory of 2328 2532 93556edacf96cb5a277785d08f02280daf45624d6596a0ac88343b00d93444d5N.exe 29 PID 2532 wrote to memory of 2328 2532 93556edacf96cb5a277785d08f02280daf45624d6596a0ac88343b00d93444d5N.exe 29 PID 2532 wrote to memory of 2328 2532 93556edacf96cb5a277785d08f02280daf45624d6596a0ac88343b00d93444d5N.exe 29 PID 2532 wrote to memory of 2328 2532 93556edacf96cb5a277785d08f02280daf45624d6596a0ac88343b00d93444d5N.exe 29 PID 2328 wrote to memory of 2692 2328 Lmpdoffo.exe 30 PID 2328 wrote to memory of 2692 2328 Lmpdoffo.exe 30 PID 2328 wrote to memory of 2692 2328 Lmpdoffo.exe 30 PID 2328 wrote to memory of 2692 2328 Lmpdoffo.exe 30 PID 2692 wrote to memory of 2740 2692 Lheilofe.exe 31 PID 2692 wrote to memory of 2740 2692 Lheilofe.exe 31 PID 2692 wrote to memory of 2740 2692 Lheilofe.exe 31 PID 2692 wrote to memory of 2740 2692 Lheilofe.exe 31 PID 2740 wrote to memory of 2836 2740 Mdnffpif.exe 32 PID 2740 wrote to memory of 2836 2740 Mdnffpif.exe 32 PID 2740 wrote to memory of 2836 2740 Mdnffpif.exe 32 PID 2740 wrote to memory of 2836 2740 Mdnffpif.exe 32 PID 2836 wrote to memory of 2752 2836 Mkhocj32.exe 33 PID 2836 wrote to memory of 2752 2836 Mkhocj32.exe 33 PID 2836 wrote to memory of 2752 2836 Mkhocj32.exe 33 PID 2836 wrote to memory of 2752 2836 Mkhocj32.exe 33 PID 2752 wrote to memory of 2632 2752 Mikooghn.exe 34 PID 2752 wrote to memory of 2632 2752 Mikooghn.exe 34 PID 2752 wrote to memory of 2632 2752 Mikooghn.exe 34 PID 2752 wrote to memory of 2632 2752 Mikooghn.exe 34 PID 2632 wrote to memory of 3064 2632 Mcfpmlll.exe 35 PID 2632 wrote to memory of 3064 2632 Mcfpmlll.exe 35 PID 2632 wrote to memory of 3064 2632 Mcfpmlll.exe 35 PID 2632 wrote to memory of 3064 2632 Mcfpmlll.exe 35 PID 3064 wrote to memory of 2096 3064 Mheekb32.exe 36 PID 3064 wrote to memory of 2096 3064 Mheekb32.exe 36 PID 3064 wrote to memory of 2096 3064 Mheekb32.exe 36 PID 3064 wrote to memory of 2096 3064 Mheekb32.exe 36 PID 2096 wrote to memory of 2684 2096 Mkcagn32.exe 37 PID 2096 wrote to memory of 2684 2096 Mkcagn32.exe 37 PID 2096 wrote to memory of 2684 2096 Mkcagn32.exe 37 PID 2096 wrote to memory of 2684 2096 Mkcagn32.exe 37 PID 2684 wrote to memory of 1652 2684 Mcjihk32.exe 38 PID 2684 wrote to memory of 1652 2684 Mcjihk32.exe 38 PID 2684 wrote to memory of 1652 2684 Mcjihk32.exe 38 PID 2684 wrote to memory of 1652 2684 Mcjihk32.exe 38 PID 1652 wrote to memory of 2792 1652 Napfihmn.exe 39 PID 1652 wrote to memory of 2792 1652 Napfihmn.exe 39 PID 1652 wrote to memory of 2792 1652 Napfihmn.exe 39 PID 1652 wrote to memory of 2792 1652 Napfihmn.exe 39 PID 2792 wrote to memory of 2628 2792 Nkhkbmco.exe 40 PID 2792 wrote to memory of 2628 2792 Nkhkbmco.exe 40 PID 2792 wrote to memory of 2628 2792 Nkhkbmco.exe 40 PID 2792 wrote to memory of 2628 2792 Nkhkbmco.exe 40 PID 2628 wrote to memory of 1240 2628 Npecjdaf.exe 41 PID 2628 wrote to memory of 1240 2628 Npecjdaf.exe 41 PID 2628 wrote to memory of 1240 2628 Npecjdaf.exe 41 PID 2628 wrote to memory of 1240 2628 Npecjdaf.exe 41 PID 1240 wrote to memory of 2236 1240 Nnidchqp.exe 42 PID 1240 wrote to memory of 2236 1240 Nnidchqp.exe 42 PID 1240 wrote to memory of 2236 1240 Nnidchqp.exe 42 PID 1240 wrote to memory of 2236 1240 Nnidchqp.exe 42 PID 2236 wrote to memory of 2232 2236 Njpdiifd.exe 43 PID 2236 wrote to memory of 2232 2236 Njpdiifd.exe 43 PID 2236 wrote to memory of 2232 2236 Njpdiifd.exe 43 PID 2236 wrote to memory of 2232 2236 Njpdiifd.exe 43 PID 2232 wrote to memory of 2464 2232 Odbhofjh.exe 44 PID 2232 wrote to memory of 2464 2232 Odbhofjh.exe 44 PID 2232 wrote to memory of 2464 2232 Odbhofjh.exe 44 PID 2232 wrote to memory of 2464 2232 Odbhofjh.exe 44
Processes
-
C:\Users\Admin\AppData\Local\Temp\93556edacf96cb5a277785d08f02280daf45624d6596a0ac88343b00d93444d5N.exe"C:\Users\Admin\AppData\Local\Temp\93556edacf96cb5a277785d08f02280daf45624d6596a0ac88343b00d93444d5N.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2532 -
C:\Windows\SysWOW64\Lmpdoffo.exeC:\Windows\system32\Lmpdoffo.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2328 -
C:\Windows\SysWOW64\Lheilofe.exeC:\Windows\system32\Lheilofe.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2692 -
C:\Windows\SysWOW64\Mdnffpif.exeC:\Windows\system32\Mdnffpif.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2740 -
C:\Windows\SysWOW64\Mkhocj32.exeC:\Windows\system32\Mkhocj32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2836 -
C:\Windows\SysWOW64\Mikooghn.exeC:\Windows\system32\Mikooghn.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2752 -
C:\Windows\SysWOW64\Mcfpmlll.exeC:\Windows\system32\Mcfpmlll.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2632 -
C:\Windows\SysWOW64\Mheekb32.exeC:\Windows\system32\Mheekb32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3064 -
C:\Windows\SysWOW64\Mkcagn32.exeC:\Windows\system32\Mkcagn32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2096 -
C:\Windows\SysWOW64\Mcjihk32.exeC:\Windows\system32\Mcjihk32.exe10⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2684 -
C:\Windows\SysWOW64\Napfihmn.exeC:\Windows\system32\Napfihmn.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1652 -
C:\Windows\SysWOW64\Nkhkbmco.exeC:\Windows\system32\Nkhkbmco.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2792 -
C:\Windows\SysWOW64\Npecjdaf.exeC:\Windows\system32\Npecjdaf.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2628 -
C:\Windows\SysWOW64\Nnidchqp.exeC:\Windows\system32\Nnidchqp.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1240 -
C:\Windows\SysWOW64\Njpdiifd.exeC:\Windows\system32\Njpdiifd.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2236 -
C:\Windows\SysWOW64\Odbhofjh.exeC:\Windows\system32\Odbhofjh.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2232 -
C:\Windows\SysWOW64\Ogadkajl.exeC:\Windows\system32\Ogadkajl.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2464 -
C:\Windows\SysWOW64\Oohmmojn.exeC:\Windows\system32\Oohmmojn.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2376 -
C:\Windows\SysWOW64\Obfiijia.exeC:\Windows\system32\Obfiijia.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1540 -
C:\Windows\SysWOW64\Oiqaed32.exeC:\Windows\system32\Oiqaed32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1816 -
C:\Windows\SysWOW64\Okomappb.exeC:\Windows\system32\Okomappb.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3000 -
C:\Windows\SysWOW64\Pjicnlqe.exeC:\Windows\system32\Pjicnlqe.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2364 -
C:\Windows\SysWOW64\Paclje32.exeC:\Windows\system32\Paclje32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:492 -
C:\Windows\SysWOW64\Pjkpckob.exeC:\Windows\system32\Pjkpckob.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1448 -
C:\Windows\SysWOW64\Pllmkcdp.exeC:\Windows\system32\Pllmkcdp.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:940 -
C:\Windows\SysWOW64\Pccelqeb.exeC:\Windows\system32\Pccelqeb.exe26⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2408 -
C:\Windows\SysWOW64\Qmlief32.exeC:\Windows\system32\Qmlief32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1624 -
C:\Windows\SysWOW64\Qhejed32.exeC:\Windows\system32\Qhejed32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2704 -
C:\Windows\SysWOW64\Qpmbgaid.exeC:\Windows\system32\Qpmbgaid.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2848 -
C:\Windows\SysWOW64\Aanonj32.exeC:\Windows\system32\Aanonj32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2620 -
C:\Windows\SysWOW64\Aelgdhei.exeC:\Windows\system32\Aelgdhei.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2592 -
C:\Windows\SysWOW64\Ajipmocp.exeC:\Windows\system32\Ajipmocp.exe32⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2000 -
C:\Windows\SysWOW64\Adadedjq.exeC:\Windows\system32\Adadedjq.exe33⤵
- Executes dropped EXE
PID:1316 -
C:\Windows\SysWOW64\Ajkmbo32.exeC:\Windows\system32\Ajkmbo32.exe34⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1072 -
C:\Windows\SysWOW64\Apheke32.exeC:\Windows\system32\Apheke32.exe35⤵
- Executes dropped EXE
PID:1064 -
C:\Windows\SysWOW64\Afamgpga.exeC:\Windows\system32\Afamgpga.exe36⤵
- Executes dropped EXE
PID:2072 -
C:\Windows\SysWOW64\Apjbpemb.exeC:\Windows\system32\Apjbpemb.exe37⤵
- Executes dropped EXE
PID:2572 -
C:\Windows\SysWOW64\Abhnlqlf.exeC:\Windows\system32\Abhnlqlf.exe38⤵
- Executes dropped EXE
PID:2372 -
C:\Windows\SysWOW64\Bmnbjill.exeC:\Windows\system32\Bmnbjill.exe39⤵
- Executes dropped EXE
PID:2648 -
C:\Windows\SysWOW64\Beignlig.exeC:\Windows\system32\Beignlig.exe40⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1088 -
C:\Windows\SysWOW64\Blcokf32.exeC:\Windows\system32\Blcokf32.exe41⤵
- Executes dropped EXE
PID:2392 -
C:\Windows\SysWOW64\Bgichoqj.exeC:\Windows\system32\Bgichoqj.exe42⤵
- Executes dropped EXE
PID:2876 -
C:\Windows\SysWOW64\Benpik32.exeC:\Windows\system32\Benpik32.exe43⤵
- Executes dropped EXE
PID:1200 -
C:\Windows\SysWOW64\Biiljjnk.exeC:\Windows\system32\Biiljjnk.exe44⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1844 -
C:\Windows\SysWOW64\Bkkiab32.exeC:\Windows\system32\Bkkiab32.exe45⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2252 -
C:\Windows\SysWOW64\Bepmokco.exeC:\Windows\system32\Bepmokco.exe46⤵
- Executes dropped EXE
PID:264 -
C:\Windows\SysWOW64\Bhoikfbb.exeC:\Windows\system32\Bhoikfbb.exe47⤵
- Executes dropped EXE
PID:1436 -
C:\Windows\SysWOW64\Bkmegaaf.exeC:\Windows\system32\Bkmegaaf.exe48⤵
- Executes dropped EXE
PID:2280 -
C:\Windows\SysWOW64\Boiagp32.exeC:\Windows\system32\Boiagp32.exe49⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2148 -
C:\Windows\SysWOW64\Bagncl32.exeC:\Windows\system32\Bagncl32.exe50⤵
- Executes dropped EXE
PID:2972 -
C:\Windows\SysWOW64\Cdejpg32.exeC:\Windows\system32\Cdejpg32.exe51⤵
- Executes dropped EXE
- Modifies registry class
PID:2596 -
C:\Windows\SysWOW64\Cgdflb32.exeC:\Windows\system32\Cgdflb32.exe52⤵
- Executes dropped EXE
PID:2868 -
C:\Windows\SysWOW64\Cnnohmog.exeC:\Windows\system32\Cnnohmog.exe53⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1792 -
C:\Windows\SysWOW64\Cplkehnk.exeC:\Windows\system32\Cplkehnk.exe54⤵
- Executes dropped EXE
PID:2556 -
C:\Windows\SysWOW64\Chccfe32.exeC:\Windows\system32\Chccfe32.exe55⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1632 -
C:\Windows\SysWOW64\Ckboba32.exeC:\Windows\system32\Ckboba32.exe56⤵
- Executes dropped EXE
PID:2120 -
C:\Windows\SysWOW64\Cjdonndl.exeC:\Windows\system32\Cjdonndl.exe57⤵
- Executes dropped EXE
PID:2976 -
C:\Windows\SysWOW64\Calgoken.exeC:\Windows\system32\Calgoken.exe58⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1028 -
C:\Windows\SysWOW64\Cdjckfda.exeC:\Windows\system32\Cdjckfda.exe59⤵
- Executes dropped EXE
PID:2228 -
C:\Windows\SysWOW64\Cjglcmbi.exeC:\Windows\system32\Cjglcmbi.exe60⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:3032 -
C:\Windows\SysWOW64\Clehoiam.exeC:\Windows\system32\Clehoiam.exe61⤵
- Executes dropped EXE
PID:2548 -
C:\Windows\SysWOW64\Cpadpg32.exeC:\Windows\system32\Cpadpg32.exe62⤵
- Executes dropped EXE
PID:2164 -
C:\Windows\SysWOW64\Ccoplcii.exeC:\Windows\system32\Ccoplcii.exe63⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2104 -
C:\Windows\SysWOW64\Cgklma32.exeC:\Windows\system32\Cgklma32.exe64⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:560 -
C:\Windows\SysWOW64\Cfnmhnhm.exeC:\Windows\system32\Cfnmhnhm.exe65⤵
- Executes dropped EXE
PID:2672 -
C:\Windows\SysWOW64\Clheeh32.exeC:\Windows\system32\Clheeh32.exe66⤵PID:1840
-
C:\Windows\SysWOW64\Cpcaeghc.exeC:\Windows\system32\Cpcaeghc.exe67⤵
- Modifies registry class
PID:376 -
C:\Windows\SysWOW64\Ccamabgg.exeC:\Windows\system32\Ccamabgg.exe68⤵
- Drops file in System32 directory
PID:3024 -
C:\Windows\SysWOW64\Cgmiba32.exeC:\Windows\system32\Cgmiba32.exe69⤵PID:2188
-
C:\Windows\SysWOW64\Cjlenm32.exeC:\Windows\system32\Cjlenm32.exe70⤵PID:2404
-
C:\Windows\SysWOW64\Cljajh32.exeC:\Windows\system32\Cljajh32.exe71⤵PID:2780
-
C:\Windows\SysWOW64\Dpenkgfq.exeC:\Windows\system32\Dpenkgfq.exe72⤵PID:2784
-
C:\Windows\SysWOW64\Dbgjbo32.exeC:\Windows\system32\Dbgjbo32.exe73⤵PID:2760
-
C:\Windows\SysWOW64\Djnbdlla.exeC:\Windows\system32\Djnbdlla.exe74⤵PID:1584
-
C:\Windows\SysWOW64\Dllnphkd.exeC:\Windows\system32\Dllnphkd.exe75⤵PID:2652
-
C:\Windows\SysWOW64\Dokjlcjh.exeC:\Windows\system32\Dokjlcjh.exe76⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:908 -
C:\Windows\SysWOW64\Dcffmb32.exeC:\Windows\system32\Dcffmb32.exe77⤵PID:2788
-
C:\Windows\SysWOW64\Dfecim32.exeC:\Windows\system32\Dfecim32.exe78⤵
- System Location Discovery: System Language Discovery
PID:2516 -
C:\Windows\SysWOW64\Ddgcdjip.exeC:\Windows\system32\Ddgcdjip.exe79⤵PID:2220
-
C:\Windows\SysWOW64\Dhcoei32.exeC:\Windows\system32\Dhcoei32.exe80⤵PID:1080
-
C:\Windows\SysWOW64\Dkakad32.exeC:\Windows\system32\Dkakad32.exe81⤵PID:2664
-
C:\Windows\SysWOW64\Dnpgmp32.exeC:\Windows\system32\Dnpgmp32.exe82⤵PID:1204
-
C:\Windows\SysWOW64\Dfgpnm32.exeC:\Windows\system32\Dfgpnm32.exe83⤵
- System Location Discovery: System Language Discovery
PID:1748 -
C:\Windows\SysWOW64\Ddjpjj32.exeC:\Windows\system32\Ddjpjj32.exe84⤵PID:1600
-
C:\Windows\SysWOW64\Dghlfe32.exeC:\Windows\system32\Dghlfe32.exe85⤵PID:2052
-
C:\Windows\SysWOW64\Dkdhfdnj.exeC:\Windows\system32\Dkdhfdnj.exe86⤵PID:1872
-
C:\Windows\SysWOW64\Dnbdbomn.exeC:\Windows\system32\Dnbdbomn.exe87⤵PID:680
-
C:\Windows\SysWOW64\Dqqqokla.exeC:\Windows\system32\Dqqqokla.exe88⤵
- System Location Discovery: System Language Discovery
PID:2600 -
C:\Windows\SysWOW64\Dhhhphmc.exeC:\Windows\system32\Dhhhphmc.exe89⤵PID:2796
-
C:\Windows\SysWOW64\Dkfdlclg.exeC:\Windows\system32\Dkfdlclg.exe90⤵
- System Location Discovery: System Language Discovery
PID:1780 -
C:\Windows\SysWOW64\Djiegp32.exeC:\Windows\system32\Djiegp32.exe91⤵PID:2224
-
C:\Windows\SysWOW64\Dndahokk.exeC:\Windows\system32\Dndahokk.exe92⤵PID:2960
-
C:\Windows\SysWOW64\Dqcmdjjo.exeC:\Windows\system32\Dqcmdjjo.exe93⤵PID:2864
-
C:\Windows\SysWOW64\Ddoiei32.exeC:\Windows\system32\Ddoiei32.exe94⤵PID:2400
-
C:\Windows\SysWOW64\Egmeadbk.exeC:\Windows\system32\Egmeadbk.exe95⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:1956 -
C:\Windows\SysWOW64\Ejkampao.exeC:\Windows\system32\Ejkampao.exe96⤵
- Drops file in System32 directory
PID:620 -
C:\Windows\SysWOW64\Emjnikpc.exeC:\Windows\system32\Emjnikpc.exe97⤵PID:1812
-
C:\Windows\SysWOW64\Eqejjj32.exeC:\Windows\system32\Eqejjj32.exe98⤵PID:2732
-
C:\Windows\SysWOW64\Egobfdpi.exeC:\Windows\system32\Egobfdpi.exe99⤵
- System Location Discovery: System Language Discovery
PID:2460 -
C:\Windows\SysWOW64\Efbbba32.exeC:\Windows\system32\Efbbba32.exe100⤵PID:2488
-
C:\Windows\SysWOW64\Ejnnbpol.exeC:\Windows\system32\Ejnnbpol.exe101⤵
- Modifies registry class
PID:936 -
C:\Windows\SysWOW64\Emlkoknp.exeC:\Windows\system32\Emlkoknp.exe102⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3036 -
C:\Windows\SysWOW64\Epkgkfmd.exeC:\Windows\system32\Epkgkfmd.exe103⤵PID:2680
-
C:\Windows\SysWOW64\Egaoldnf.exeC:\Windows\system32\Egaoldnf.exe104⤵
- Drops file in System32 directory
PID:2180 -
C:\Windows\SysWOW64\Efdohq32.exeC:\Windows\system32\Efdohq32.exe105⤵
- Drops file in System32 directory
PID:2964 -
C:\Windows\SysWOW64\Emogdk32.exeC:\Windows\system32\Emogdk32.exe106⤵
- System Location Discovery: System Language Discovery
PID:1656 -
C:\Windows\SysWOW64\Eqjceidf.exeC:\Windows\system32\Eqjceidf.exe107⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2764 -
C:\Windows\SysWOW64\Echpaecj.exeC:\Windows\system32\Echpaecj.exe108⤵PID:3040
-
C:\Windows\SysWOW64\Ebkpma32.exeC:\Windows\system32\Ebkpma32.exe109⤵PID:2608
-
C:\Windows\SysWOW64\Ejbhno32.exeC:\Windows\system32\Ejbhno32.exe110⤵PID:600
-
C:\Windows\SysWOW64\Eiehilaa.exeC:\Windows\system32\Eiehilaa.exe111⤵PID:2184
-
C:\Windows\SysWOW64\Ecklgdag.exeC:\Windows\system32\Ecklgdag.exe112⤵PID:2932
-
C:\Windows\SysWOW64\Ebnlba32.exeC:\Windows\system32\Ebnlba32.exe113⤵
- System Location Discovery: System Language Discovery
PID:1208 -
C:\Windows\SysWOW64\Emcqpjhh.exeC:\Windows\system32\Emcqpjhh.exe114⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:964 -
C:\Windows\SysWOW64\Elfakg32.exeC:\Windows\system32\Elfakg32.exe115⤵PID:2172
-
C:\Windows\SysWOW64\Fflehp32.exeC:\Windows\system32\Fflehp32.exe116⤵PID:2708
-
C:\Windows\SysWOW64\Fenedlec.exeC:\Windows\system32\Fenedlec.exe117⤵PID:1984
-
C:\Windows\SysWOW64\Fgmaphdg.exeC:\Windows\system32\Fgmaphdg.exe118⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:2036 -
C:\Windows\SysWOW64\Flhnqf32.exeC:\Windows\system32\Flhnqf32.exe119⤵PID:976
-
C:\Windows\SysWOW64\Fpdjaeei.exeC:\Windows\system32\Fpdjaeei.exe120⤵PID:1980
-
C:\Windows\SysWOW64\Fbbfmqdm.exeC:\Windows\system32\Fbbfmqdm.exe121⤵PID:1708
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-