Analysis
-
max time kernel
112s -
max time network
18s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
19-09-2024 06:28
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
2212cf8c0e9e584f3321483540b4f63eaf061b5501874b8bb985d9c45ea55549N.exe
Resource
win7-20240903-en
windows7-x64
8 signatures
120 seconds
Behavioral task
behavioral2
Sample
2212cf8c0e9e584f3321483540b4f63eaf061b5501874b8bb985d9c45ea55549N.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
7 signatures
120 seconds
General
-
Target
2212cf8c0e9e584f3321483540b4f63eaf061b5501874b8bb985d9c45ea55549N.exe
-
Size
352KB
-
MD5
811161482f88ee533fde79881ac4a7b0
-
SHA1
0cf741ec222c02c043dbdef5720ccb67ccbb4de7
-
SHA256
2212cf8c0e9e584f3321483540b4f63eaf061b5501874b8bb985d9c45ea55549
-
SHA512
9f51a4174e1a7eff090d1066af0eb38547214f0333dba7590ceaa46b48d4238d8d20fff8a944b84452f9600e2220cfa0830d6c15ae91a8a6076c4c9b3fe9e6c9
-
SSDEEP
6144:4RkoZZLR2WHozNz9iWis/j9SrJz9ieis/j9SrJz9is/j9SrJwWisp:1mHrsUasUqsU6sp
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pgipif32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ekkpbhjg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bjbgfkeo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hohmdo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Emlmedfq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bkdokjdd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Edcgcfhl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jlkbga32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pomejndk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qbenoccc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fcdahh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Deodnmdd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Feiflgfi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bfngqa32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Leoaod32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dpkmbmci.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cehgcg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ddfgjbcn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jefcffgm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fbddne32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kfenlqbd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kbnjhi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jehmgigk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oocpkg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iapica32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Heaodg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lhieldeg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mcnfhp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Abadeh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ljnpbd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mmjped32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lgpjaohd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bbjhkhqa.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Akkcjd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kadjkf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gnbijqoh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gnhnackf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bhpbke32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cppmgm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aemojf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eaplknaf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Adgkbp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dgfomejm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ejpkjlgk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eckbbf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mjmlagfg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Llflijci.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fgkffpoe.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jndnng32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hkebokco.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Akpafa32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pijnkoog.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eaempc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hmpcfb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dffhfc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jimdbm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mlokmh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ehmhgnjl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Encjpebq.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ckmhmkjg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cicelo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mnoqjjkd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ioljhg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Niappepp.exe -
Executes dropped EXE 64 IoCs
pid Process 2100 Qepdbpii.exe 2796 Qohilfpj.exe 2696 Aendldnh.exe 2716 Abadeh32.exe 2756 Bkdokjdd.exe 2648 Cchfek32.exe 3016 Dninfgol.exe 2196 Dnkjlg32.exe 2188 Eagfaf32.exe 1328 Ejpkjlgk.exe 3040 Fdoedp32.exe 524 Fdabip32.exe 1300 Fbfojl32.exe 2956 Hcihookb.exe 2244 Igacia32.exe 1880 Ikplopnp.exe 2496 Jqckhffo.exe 2944 Jehmgigk.exe 1508 Jifemgnb.exe 1488 Kjllpopk.exe 2320 Kjnhennh.exe 2212 Kjbaqn32.exe 2512 Lbemeo32.exe 2448 Llmandgf.exe 2216 Mlhdbhng.exe 1372 Mgnhpanm.exe 2144 Mlmmmh32.exe 2596 Naooqndd.exe 2368 Nobpjbcn.exe 2076 Ocgbiedj.exe 1800 Onlffncp.exe 2572 Ohfggl32.exe 2432 Pamkgl32.exe 2772 Pgipif32.exe 3008 Qmhegmel.exe 1216 Qbenoccc.exe 780 Aldhih32.exe 700 Aemmanjl.exe 1556 Amhafpgg.exe 2140 Bklbpd32.exe 972 Bmohgoao.exe 2260 Bejlkaoj.exe 2316 Bocadg32.exe 1448 Blgamkdd.exe 2440 Coenifch.exe 1536 Clinckba.exe 1836 Cddcgmom.exe 2456 Cknkdggi.exe 2564 Cdfpmm32.exe 876 Ckqhigeg.exe 2392 Cpmpbncn.exe 1616 Cjfekcio.exe 2736 Cppmgm32.exe 2860 Dfmepd32.exe 2620 Dcqfih32.exe 2412 Dhmnap32.exe 2304 Dfaokckn.exe 2780 Dkngckie.exe 2628 Dkpdhj32.exe 2184 Dffhfc32.exe 1320 Dkcqnj32.exe 2428 Ekemci32.exe 752 Encjpebq.exe 920 Ejjjef32.exe -
Loads dropped DLL 64 IoCs
pid Process 1140 2212cf8c0e9e584f3321483540b4f63eaf061b5501874b8bb985d9c45ea55549N.exe 1140 2212cf8c0e9e584f3321483540b4f63eaf061b5501874b8bb985d9c45ea55549N.exe 2100 Qepdbpii.exe 2100 Qepdbpii.exe 2796 Qohilfpj.exe 2796 Qohilfpj.exe 2696 Aendldnh.exe 2696 Aendldnh.exe 2716 Abadeh32.exe 2716 Abadeh32.exe 2756 Bkdokjdd.exe 2756 Bkdokjdd.exe 2648 Cchfek32.exe 2648 Cchfek32.exe 3016 Dninfgol.exe 3016 Dninfgol.exe 2196 Dnkjlg32.exe 2196 Dnkjlg32.exe 2188 Eagfaf32.exe 2188 Eagfaf32.exe 1328 Ejpkjlgk.exe 1328 Ejpkjlgk.exe 3040 Fdoedp32.exe 3040 Fdoedp32.exe 524 Fdabip32.exe 524 Fdabip32.exe 1300 Fbfojl32.exe 1300 Fbfojl32.exe 2956 Hcihookb.exe 2956 Hcihookb.exe 2244 Igacia32.exe 2244 Igacia32.exe 1880 Ikplopnp.exe 1880 Ikplopnp.exe 2496 Jqckhffo.exe 2496 Jqckhffo.exe 2944 Jehmgigk.exe 2944 Jehmgigk.exe 1508 Jifemgnb.exe 1508 Jifemgnb.exe 1488 Kjllpopk.exe 1488 Kjllpopk.exe 2320 Kjnhennh.exe 2320 Kjnhennh.exe 2212 Kjbaqn32.exe 2212 Kjbaqn32.exe 2512 Lbemeo32.exe 2512 Lbemeo32.exe 2448 Llmandgf.exe 2448 Llmandgf.exe 2216 Mlhdbhng.exe 2216 Mlhdbhng.exe 1372 Mgnhpanm.exe 1372 Mgnhpanm.exe 2144 Mlmmmh32.exe 2144 Mlmmmh32.exe 2596 Naooqndd.exe 2596 Naooqndd.exe 2368 Nobpjbcn.exe 2368 Nobpjbcn.exe 2076 Ocgbiedj.exe 2076 Ocgbiedj.exe 1800 Onlffncp.exe 1800 Onlffncp.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Dgbdhe32.exe Djndoaof.exe File created C:\Windows\SysWOW64\Ohcdpmhn.dll Migfopeo.exe File created C:\Windows\SysWOW64\Qinjhmil.dll Odbiij32.exe File opened for modification C:\Windows\SysWOW64\Hoplhmoe.exe Hifclc32.exe File created C:\Windows\SysWOW64\Nekmjeda.exe Nhfmqa32.exe File opened for modification C:\Windows\SysWOW64\Nffjlhji.exe Najadala.exe File opened for modification C:\Windows\SysWOW64\Jhbqci32.exe Jgqdlaka.exe File created C:\Windows\SysWOW64\Mhoghkof.dll Flqacb32.exe File created C:\Windows\SysWOW64\Mkfodlnp.dll Eagfaf32.exe File created C:\Windows\SysWOW64\Lalhebof.dll Llnjac32.exe File created C:\Windows\SysWOW64\Kdimaeid.dll Modlnn32.exe File created C:\Windows\SysWOW64\Ahhldc32.dll Nibgjkdk.exe File created C:\Windows\SysWOW64\Pcpjek32.dll Bhkipeda.exe File created C:\Windows\SysWOW64\Gpekmnmh.exe Geogpemb.exe File created C:\Windows\SysWOW64\Iaobkj32.dll Mndoggcf.exe File opened for modification C:\Windows\SysWOW64\Jofikn32.exe Jendbhbe.exe File created C:\Windows\SysWOW64\Pdedgf32.exe Pbdhonpi.exe File created C:\Windows\SysWOW64\Amjaoinj.exe Aacajhhf.exe File opened for modification C:\Windows\SysWOW64\Mmiipjpj.exe Modlnn32.exe File opened for modification C:\Windows\SysWOW64\Fcjggc32.exe Fbkkmp32.exe File created C:\Windows\SysWOW64\Ocdcefcb.dll Lcfdlj32.exe File created C:\Windows\SysWOW64\Apkhgk32.exe Anllkp32.exe File opened for modification C:\Windows\SysWOW64\Dafqap32.exe Dhnlhk32.exe File created C:\Windows\SysWOW64\Jfafdj32.exe Jlkbga32.exe File created C:\Windows\SysWOW64\Alpdnd32.dll Elagmg32.exe File created C:\Windows\SysWOW64\Jogelb32.dll Kpajam32.exe File opened for modification C:\Windows\SysWOW64\Fbddne32.exe Filpepno.exe File created C:\Windows\SysWOW64\Enmjdlql.dll Dkojlc32.exe File opened for modification C:\Windows\SysWOW64\Kgcdkj32.exe Kohofh32.exe File created C:\Windows\SysWOW64\Cabdmlka.dll Jdpkjf32.exe File opened for modification C:\Windows\SysWOW64\Ifaogdla.exe Ifobbd32.exe File created C:\Windows\SysWOW64\Delangck.exe Diepifmg.exe File opened for modification C:\Windows\SysWOW64\Kbgchn32.exe Kgaccm32.exe File created C:\Windows\SysWOW64\Lkjmijfd.dll Dpcqggee.exe File created C:\Windows\SysWOW64\Ebcgme32.dll Mqhjhgcm.exe File created C:\Windows\SysWOW64\Qdbhapeb.dll Bjkldo32.exe File created C:\Windows\SysWOW64\Hkhfbp32.dll Hglcclhb.exe File created C:\Windows\SysWOW64\Okocmapl.exe Nljflekd.exe File opened for modification C:\Windows\SysWOW64\Qkidkl32.exe Qdolobjd.exe File opened for modification C:\Windows\SysWOW64\Aohfejcg.exe Qeoald32.exe File created C:\Windows\SysWOW64\Gbqfbl32.exe Gbnjmmci.exe File opened for modification C:\Windows\SysWOW64\Onkcpa32.exe Oagcfn32.exe File created C:\Windows\SysWOW64\Kjllpopk.exe Jifemgnb.exe File created C:\Windows\SysWOW64\Lnpjhbaa.dll Mffkdlpi.exe File opened for modification C:\Windows\SysWOW64\Cdobag32.exe Bdmflh32.exe File opened for modification C:\Windows\SysWOW64\Anajhm32.exe Aamjoh32.exe File opened for modification C:\Windows\SysWOW64\Dkpdhj32.exe Dkngckie.exe File created C:\Windows\SysWOW64\Egoopl32.exe Epcjmbqm.exe File opened for modification C:\Windows\SysWOW64\Oigjkinn.exe Olcjbd32.exe File opened for modification C:\Windows\SysWOW64\Mopfhl32.exe Mciebk32.exe File created C:\Windows\SysWOW64\Djfhoqgn.exe Dgfomejm.exe File created C:\Windows\SysWOW64\Bmidoi32.exe Aemojf32.exe File created C:\Windows\SysWOW64\Okfkgiah.exe Odmcjo32.exe File created C:\Windows\SysWOW64\Fmnhnc32.dll Ciagnf32.exe File created C:\Windows\SysWOW64\Icgkmpmo.exe Ijofdj32.exe File created C:\Windows\SysWOW64\Pkhcio32.dll Hhjeqhil.exe File opened for modification C:\Windows\SysWOW64\Cffpjj32.exe Cmnladee.exe File created C:\Windows\SysWOW64\Khlqhh32.dll Ijkqkl32.exe File created C:\Windows\SysWOW64\Nkqqmanl.exe Nkndhbpn.exe File created C:\Windows\SysWOW64\Modlnn32.exe Mbmlimfn.exe File created C:\Windows\SysWOW64\Nikgnjlo.dll Pohngd32.exe File created C:\Windows\SysWOW64\Fafepa32.dll Ehoqklia.exe File opened for modification C:\Windows\SysWOW64\Hlahfgek.exe Hbhcmaoj.exe File created C:\Windows\SysWOW64\Dgbdhe32.exe Djndoaof.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 1980 3752 WerFault.exe 797 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oilnbkki.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bhikpe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fgdikkaa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ejodpedp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Boihof32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kfkabcop.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gmgcbdll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mhelbine.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jjdanb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gloflk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fbkkmp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fcjggc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Appdkc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lhccnf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mfqgnj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pdbehn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iamhld32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mcnfhp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qldllala.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pngdhd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pgcojing.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gdhlni32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aohfejcg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mlokmh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cebloo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Elnbei32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kgeogaeo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nmhodg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oillib32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nkndhbpn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cpmpbncn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hiqamepn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bllefjlq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dffhfc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lcfdlj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mciebk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Odmcjo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Blbcqn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bbehebak.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Abeinf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fmhnngnl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bmohgoao.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pojkmc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pbkdoogb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mlmmmh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Edjmcamk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dkcqnj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bnqbeb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jefcffgm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kadjkf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Odnngfpe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Akndabag.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pmkjac32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kenqakea.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Phfamj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lhfbln32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gmpiqd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hmamci32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nfleppnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pgipif32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hdigakji.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fajdbj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bhpbke32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cnhoqhpn.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmcdmaqg.dll" Ejqapebo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Iakkfd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bgaicblf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nikgnjlo.dll" Pohngd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbbnjh32.dll" Amqdkk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fqfgdedc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Andkonik.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cdpmqkaa.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aemmanjl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jqngac32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Khpnjfjg.dll" Mmcije32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lgfqal32.dll" Piljqo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Abadeh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pfbgpdqp.dll" Mpmeqkpa.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bjbgfkeo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cilmcgeb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bnlddg32.dll" Flcnia32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jgfgjobl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nkqqmanl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qmfkjfnb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Oillib32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mlolhc32.dll" Ojdajb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Piljqo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jihmpfga.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hohmdo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lcamic32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbpqlp32.dll" Epmjhl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fcplnjnp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Iecfpa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dajqphjn.dll" Oemigaln.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Khlqhh32.dll" Ijkqkl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gnlaklqe.dll" Jofikn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pfhjnqaf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fmcbjojn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Elnbei32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fajdbj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kpdlhj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jogkim32.dll" Gaahkeik.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aigdjjog.dll" Kpdggm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dgbdhe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Deiohe32.dll" Gnbkcedl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gnbkcedl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kfmopf32.dll" Nlhkpn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cfpnjaan.dll" Hjcagnii.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kefmkbgj.dll" Pacekdek.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cdobag32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fafepa32.dll" Ehoqklia.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Phkecmkb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nikmndlk.dll" Analaecj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cepjhb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hnjfefml.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jflmijfk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mmjped32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Obohhd32.dll" Iggomj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lgdhnhpa.dll" Kfnnhb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hjcagnii.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Oidkmqhm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ghojakgi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lbemeo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Efakjgni.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Idniba32.dll" Gffcmb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ifobbd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gckajf32.dll" Hnjfefml.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dcqfih32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1140 wrote to memory of 2100 1140 2212cf8c0e9e584f3321483540b4f63eaf061b5501874b8bb985d9c45ea55549N.exe 29 PID 1140 wrote to memory of 2100 1140 2212cf8c0e9e584f3321483540b4f63eaf061b5501874b8bb985d9c45ea55549N.exe 29 PID 1140 wrote to memory of 2100 1140 2212cf8c0e9e584f3321483540b4f63eaf061b5501874b8bb985d9c45ea55549N.exe 29 PID 1140 wrote to memory of 2100 1140 2212cf8c0e9e584f3321483540b4f63eaf061b5501874b8bb985d9c45ea55549N.exe 29 PID 2100 wrote to memory of 2796 2100 Qepdbpii.exe 30 PID 2100 wrote to memory of 2796 2100 Qepdbpii.exe 30 PID 2100 wrote to memory of 2796 2100 Qepdbpii.exe 30 PID 2100 wrote to memory of 2796 2100 Qepdbpii.exe 30 PID 2796 wrote to memory of 2696 2796 Qohilfpj.exe 31 PID 2796 wrote to memory of 2696 2796 Qohilfpj.exe 31 PID 2796 wrote to memory of 2696 2796 Qohilfpj.exe 31 PID 2796 wrote to memory of 2696 2796 Qohilfpj.exe 31 PID 2696 wrote to memory of 2716 2696 Aendldnh.exe 32 PID 2696 wrote to memory of 2716 2696 Aendldnh.exe 32 PID 2696 wrote to memory of 2716 2696 Aendldnh.exe 32 PID 2696 wrote to memory of 2716 2696 Aendldnh.exe 32 PID 2716 wrote to memory of 2756 2716 Abadeh32.exe 33 PID 2716 wrote to memory of 2756 2716 Abadeh32.exe 33 PID 2716 wrote to memory of 2756 2716 Abadeh32.exe 33 PID 2716 wrote to memory of 2756 2716 Abadeh32.exe 33 PID 2756 wrote to memory of 2648 2756 Bkdokjdd.exe 34 PID 2756 wrote to memory of 2648 2756 Bkdokjdd.exe 34 PID 2756 wrote to memory of 2648 2756 Bkdokjdd.exe 34 PID 2756 wrote to memory of 2648 2756 Bkdokjdd.exe 34 PID 2648 wrote to memory of 3016 2648 Cchfek32.exe 35 PID 2648 wrote to memory of 3016 2648 Cchfek32.exe 35 PID 2648 wrote to memory of 3016 2648 Cchfek32.exe 35 PID 2648 wrote to memory of 3016 2648 Cchfek32.exe 35 PID 3016 wrote to memory of 2196 3016 Dninfgol.exe 36 PID 3016 wrote to memory of 2196 3016 Dninfgol.exe 36 PID 3016 wrote to memory of 2196 3016 Dninfgol.exe 36 PID 3016 wrote to memory of 2196 3016 Dninfgol.exe 36 PID 2196 wrote to memory of 2188 2196 Dnkjlg32.exe 37 PID 2196 wrote to memory of 2188 2196 Dnkjlg32.exe 37 PID 2196 wrote to memory of 2188 2196 Dnkjlg32.exe 37 PID 2196 wrote to memory of 2188 2196 Dnkjlg32.exe 37 PID 2188 wrote to memory of 1328 2188 Eagfaf32.exe 38 PID 2188 wrote to memory of 1328 2188 Eagfaf32.exe 38 PID 2188 wrote to memory of 1328 2188 Eagfaf32.exe 38 PID 2188 wrote to memory of 1328 2188 Eagfaf32.exe 38 PID 1328 wrote to memory of 3040 1328 Ejpkjlgk.exe 39 PID 1328 wrote to memory of 3040 1328 Ejpkjlgk.exe 39 PID 1328 wrote to memory of 3040 1328 Ejpkjlgk.exe 39 PID 1328 wrote to memory of 3040 1328 Ejpkjlgk.exe 39 PID 3040 wrote to memory of 524 3040 Fdoedp32.exe 40 PID 3040 wrote to memory of 524 3040 Fdoedp32.exe 40 PID 3040 wrote to memory of 524 3040 Fdoedp32.exe 40 PID 3040 wrote to memory of 524 3040 Fdoedp32.exe 40 PID 524 wrote to memory of 1300 524 Fdabip32.exe 41 PID 524 wrote to memory of 1300 524 Fdabip32.exe 41 PID 524 wrote to memory of 1300 524 Fdabip32.exe 41 PID 524 wrote to memory of 1300 524 Fdabip32.exe 41 PID 1300 wrote to memory of 2956 1300 Fbfojl32.exe 42 PID 1300 wrote to memory of 2956 1300 Fbfojl32.exe 42 PID 1300 wrote to memory of 2956 1300 Fbfojl32.exe 42 PID 1300 wrote to memory of 2956 1300 Fbfojl32.exe 42 PID 2956 wrote to memory of 2244 2956 Hcihookb.exe 43 PID 2956 wrote to memory of 2244 2956 Hcihookb.exe 43 PID 2956 wrote to memory of 2244 2956 Hcihookb.exe 43 PID 2956 wrote to memory of 2244 2956 Hcihookb.exe 43 PID 2244 wrote to memory of 1880 2244 Igacia32.exe 44 PID 2244 wrote to memory of 1880 2244 Igacia32.exe 44 PID 2244 wrote to memory of 1880 2244 Igacia32.exe 44 PID 2244 wrote to memory of 1880 2244 Igacia32.exe 44
Processes
-
C:\Users\Admin\AppData\Local\Temp\2212cf8c0e9e584f3321483540b4f63eaf061b5501874b8bb985d9c45ea55549N.exe"C:\Users\Admin\AppData\Local\Temp\2212cf8c0e9e584f3321483540b4f63eaf061b5501874b8bb985d9c45ea55549N.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1140 -
C:\Windows\SysWOW64\Qepdbpii.exeC:\Windows\system32\Qepdbpii.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2100 -
C:\Windows\SysWOW64\Qohilfpj.exeC:\Windows\system32\Qohilfpj.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2796 -
C:\Windows\SysWOW64\Aendldnh.exeC:\Windows\system32\Aendldnh.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2696 -
C:\Windows\SysWOW64\Abadeh32.exeC:\Windows\system32\Abadeh32.exe5⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2716 -
C:\Windows\SysWOW64\Bkdokjdd.exeC:\Windows\system32\Bkdokjdd.exe6⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2756 -
C:\Windows\SysWOW64\Cchfek32.exeC:\Windows\system32\Cchfek32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2648 -
C:\Windows\SysWOW64\Dninfgol.exeC:\Windows\system32\Dninfgol.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3016 -
C:\Windows\SysWOW64\Dnkjlg32.exeC:\Windows\system32\Dnkjlg32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2196 -
C:\Windows\SysWOW64\Eagfaf32.exeC:\Windows\system32\Eagfaf32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2188 -
C:\Windows\SysWOW64\Ejpkjlgk.exeC:\Windows\system32\Ejpkjlgk.exe11⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1328 -
C:\Windows\SysWOW64\Fdoedp32.exeC:\Windows\system32\Fdoedp32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3040 -
C:\Windows\SysWOW64\Fdabip32.exeC:\Windows\system32\Fdabip32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:524 -
C:\Windows\SysWOW64\Fbfojl32.exeC:\Windows\system32\Fbfojl32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1300 -
C:\Windows\SysWOW64\Hcihookb.exeC:\Windows\system32\Hcihookb.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2956 -
C:\Windows\SysWOW64\Igacia32.exeC:\Windows\system32\Igacia32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2244 -
C:\Windows\SysWOW64\Ikplopnp.exeC:\Windows\system32\Ikplopnp.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1880 -
C:\Windows\SysWOW64\Jqckhffo.exeC:\Windows\system32\Jqckhffo.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2496 -
C:\Windows\SysWOW64\Jehmgigk.exeC:\Windows\system32\Jehmgigk.exe19⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2944 -
C:\Windows\SysWOW64\Jifemgnb.exeC:\Windows\system32\Jifemgnb.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1508 -
C:\Windows\SysWOW64\Kjllpopk.exeC:\Windows\system32\Kjllpopk.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1488 -
C:\Windows\SysWOW64\Kjnhennh.exeC:\Windows\system32\Kjnhennh.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2320 -
C:\Windows\SysWOW64\Kjbaqn32.exeC:\Windows\system32\Kjbaqn32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2212 -
C:\Windows\SysWOW64\Lbemeo32.exeC:\Windows\system32\Lbemeo32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2512 -
C:\Windows\SysWOW64\Llmandgf.exeC:\Windows\system32\Llmandgf.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2448 -
C:\Windows\SysWOW64\Mlhdbhng.exeC:\Windows\system32\Mlhdbhng.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2216 -
C:\Windows\SysWOW64\Mgnhpanm.exeC:\Windows\system32\Mgnhpanm.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1372 -
C:\Windows\SysWOW64\Mlmmmh32.exeC:\Windows\system32\Mlmmmh32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2144 -
C:\Windows\SysWOW64\Naooqndd.exeC:\Windows\system32\Naooqndd.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2596 -
C:\Windows\SysWOW64\Nobpjbcn.exeC:\Windows\system32\Nobpjbcn.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2368 -
C:\Windows\SysWOW64\Ocgbiedj.exeC:\Windows\system32\Ocgbiedj.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2076 -
C:\Windows\SysWOW64\Onlffncp.exeC:\Windows\system32\Onlffncp.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1800 -
C:\Windows\SysWOW64\Ohfggl32.exeC:\Windows\system32\Ohfggl32.exe33⤵
- Executes dropped EXE
PID:2572 -
C:\Windows\SysWOW64\Pamkgl32.exeC:\Windows\system32\Pamkgl32.exe34⤵
- Executes dropped EXE
PID:2432 -
C:\Windows\SysWOW64\Pgipif32.exeC:\Windows\system32\Pgipif32.exe35⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2772 -
C:\Windows\SysWOW64\Qmhegmel.exeC:\Windows\system32\Qmhegmel.exe36⤵
- Executes dropped EXE
PID:3008 -
C:\Windows\SysWOW64\Qbenoccc.exeC:\Windows\system32\Qbenoccc.exe37⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1216 -
C:\Windows\SysWOW64\Aldhih32.exeC:\Windows\system32\Aldhih32.exe38⤵
- Executes dropped EXE
PID:780 -
C:\Windows\SysWOW64\Aemmanjl.exeC:\Windows\system32\Aemmanjl.exe39⤵
- Executes dropped EXE
- Modifies registry class
PID:700 -
C:\Windows\SysWOW64\Amhafpgg.exeC:\Windows\system32\Amhafpgg.exe40⤵
- Executes dropped EXE
PID:1556 -
C:\Windows\SysWOW64\Bklbpd32.exeC:\Windows\system32\Bklbpd32.exe41⤵
- Executes dropped EXE
PID:2140 -
C:\Windows\SysWOW64\Bmohgoao.exeC:\Windows\system32\Bmohgoao.exe42⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:972 -
C:\Windows\SysWOW64\Bejlkaoj.exeC:\Windows\system32\Bejlkaoj.exe43⤵
- Executes dropped EXE
PID:2260 -
C:\Windows\SysWOW64\Bocadg32.exeC:\Windows\system32\Bocadg32.exe44⤵
- Executes dropped EXE
PID:2316 -
C:\Windows\SysWOW64\Blgamkdd.exeC:\Windows\system32\Blgamkdd.exe45⤵
- Executes dropped EXE
PID:1448 -
C:\Windows\SysWOW64\Coenifch.exeC:\Windows\system32\Coenifch.exe46⤵
- Executes dropped EXE
PID:2440 -
C:\Windows\SysWOW64\Clinckba.exeC:\Windows\system32\Clinckba.exe47⤵
- Executes dropped EXE
PID:1536 -
C:\Windows\SysWOW64\Cddcgmom.exeC:\Windows\system32\Cddcgmom.exe48⤵
- Executes dropped EXE
PID:1836 -
C:\Windows\SysWOW64\Cknkdggi.exeC:\Windows\system32\Cknkdggi.exe49⤵
- Executes dropped EXE
PID:2456 -
C:\Windows\SysWOW64\Cdfpmm32.exeC:\Windows\system32\Cdfpmm32.exe50⤵
- Executes dropped EXE
PID:2564 -
C:\Windows\SysWOW64\Ckqhigeg.exeC:\Windows\system32\Ckqhigeg.exe51⤵
- Executes dropped EXE
PID:876 -
C:\Windows\SysWOW64\Cpmpbncn.exeC:\Windows\system32\Cpmpbncn.exe52⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2392 -
C:\Windows\SysWOW64\Cjfekcio.exeC:\Windows\system32\Cjfekcio.exe53⤵
- Executes dropped EXE
PID:1616 -
C:\Windows\SysWOW64\Cppmgm32.exeC:\Windows\system32\Cppmgm32.exe54⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2736 -
C:\Windows\SysWOW64\Dfmepd32.exeC:\Windows\system32\Dfmepd32.exe55⤵
- Executes dropped EXE
PID:2860 -
C:\Windows\SysWOW64\Dcqfih32.exeC:\Windows\system32\Dcqfih32.exe56⤵
- Executes dropped EXE
- Modifies registry class
PID:2620 -
C:\Windows\SysWOW64\Dhmnap32.exeC:\Windows\system32\Dhmnap32.exe57⤵
- Executes dropped EXE
PID:2412 -
C:\Windows\SysWOW64\Dfaokckn.exeC:\Windows\system32\Dfaokckn.exe58⤵
- Executes dropped EXE
PID:2304 -
C:\Windows\SysWOW64\Dkngckie.exeC:\Windows\system32\Dkngckie.exe59⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2780 -
C:\Windows\SysWOW64\Dkpdhj32.exeC:\Windows\system32\Dkpdhj32.exe60⤵
- Executes dropped EXE
PID:2628 -
C:\Windows\SysWOW64\Dffhfc32.exeC:\Windows\system32\Dffhfc32.exe61⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2184 -
C:\Windows\SysWOW64\Dkcqnj32.exeC:\Windows\system32\Dkcqnj32.exe62⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1320 -
C:\Windows\SysWOW64\Ekemci32.exeC:\Windows\system32\Ekemci32.exe63⤵
- Executes dropped EXE
PID:2428 -
C:\Windows\SysWOW64\Encjpebq.exeC:\Windows\system32\Encjpebq.exe64⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:752 -
C:\Windows\SysWOW64\Ejjjef32.exeC:\Windows\system32\Ejjjef32.exe65⤵
- Executes dropped EXE
PID:920 -
C:\Windows\SysWOW64\Efakjgni.exeC:\Windows\system32\Efakjgni.exe66⤵
- Modifies registry class
PID:2492 -
C:\Windows\SysWOW64\Epipbmdj.exeC:\Windows\system32\Epipbmdj.exe67⤵PID:1772
-
C:\Windows\SysWOW64\Ejodpedp.exeC:\Windows\system32\Ejodpedp.exe68⤵
- System Location Discovery: System Language Discovery
PID:868 -
C:\Windows\SysWOW64\Ebjhdhak.exeC:\Windows\system32\Ebjhdhak.exe69⤵PID:3068
-
C:\Windows\SysWOW64\Flbmmm32.exeC:\Windows\system32\Flbmmm32.exe70⤵PID:1820
-
C:\Windows\SysWOW64\Flejbmfh.exeC:\Windows\system32\Flejbmfh.exe71⤵PID:1620
-
C:\Windows\SysWOW64\Fpcbik32.exeC:\Windows\system32\Fpcbik32.exe72⤵PID:2224
-
C:\Windows\SysWOW64\Fhngmnij.exeC:\Windows\system32\Fhngmnij.exe73⤵PID:2708
-
C:\Windows\SysWOW64\Fbckjfip.exeC:\Windows\system32\Fbckjfip.exe74⤵PID:2636
-
C:\Windows\SysWOW64\Fnjlog32.exeC:\Windows\system32\Fnjlog32.exe75⤵PID:2608
-
C:\Windows\SysWOW64\Gmpiqd32.exeC:\Windows\system32\Gmpiqd32.exe76⤵
- System Location Discovery: System Language Discovery
PID:2360 -
C:\Windows\SysWOW64\Gamafbjb.exeC:\Windows\system32\Gamafbjb.exe77⤵PID:2852
-
C:\Windows\SysWOW64\Gmdblcpg.exeC:\Windows\system32\Gmdblcpg.exe78⤵PID:1096
-
C:\Windows\SysWOW64\Geogpemb.exeC:\Windows\system32\Geogpemb.exe79⤵
- Drops file in System32 directory
PID:2020 -
C:\Windows\SysWOW64\Gpekmnmh.exeC:\Windows\system32\Gpekmnmh.exe80⤵PID:2292
-
C:\Windows\SysWOW64\Hpghcn32.exeC:\Windows\system32\Hpghcn32.exe81⤵PID:2388
-
C:\Windows\SysWOW64\Hlnihopi.exeC:\Windows\system32\Hlnihopi.exe82⤵PID:2408
-
C:\Windows\SysWOW64\Hefmqdgj.exeC:\Windows\system32\Hefmqdgj.exe83⤵PID:2968
-
C:\Windows\SysWOW64\Hkebokco.exeC:\Windows\system32\Hkebokco.exe84⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2028 -
C:\Windows\SysWOW64\Hglcclhb.exeC:\Windows\system32\Hglcclhb.exe85⤵
- Drops file in System32 directory
PID:1012 -
C:\Windows\SysWOW64\Hdpcmpgl.exeC:\Windows\system32\Hdpcmpgl.exe86⤵PID:1136
-
C:\Windows\SysWOW64\Iedmjhkh.exeC:\Windows\system32\Iedmjhkh.exe87⤵PID:2060
-
C:\Windows\SysWOW64\Ichmclja.exeC:\Windows\system32\Ichmclja.exe88⤵PID:1768
-
C:\Windows\SysWOW64\Jbdpeh32.exeC:\Windows\system32\Jbdpeh32.exe89⤵PID:2972
-
C:\Windows\SysWOW64\Jjoejj32.exeC:\Windows\system32\Jjoejj32.exe90⤵PID:2324
-
C:\Windows\SysWOW64\Jgcecn32.exeC:\Windows\system32\Jgcecn32.exe91⤵PID:952
-
C:\Windows\SysWOW64\Jfhbdk32.exeC:\Windows\system32\Jfhbdk32.exe92⤵PID:2928
-
C:\Windows\SysWOW64\Jqngac32.exeC:\Windows\system32\Jqngac32.exe93⤵
- Modifies registry class
PID:108 -
C:\Windows\SysWOW64\Kcopcofe.exeC:\Windows\system32\Kcopcofe.exe94⤵PID:2228
-
C:\Windows\SysWOW64\Kjihpi32.exeC:\Windows\system32\Kjihpi32.exe95⤵PID:2864
-
C:\Windows\SysWOW64\Kcalindb.exeC:\Windows\system32\Kcalindb.exe96⤵PID:2672
-
C:\Windows\SysWOW64\Kmiaad32.exeC:\Windows\system32\Kmiaad32.exe97⤵PID:2588
-
C:\Windows\SysWOW64\Kgcbbaga.exeC:\Windows\system32\Kgcbbaga.exe98⤵PID:1052
-
C:\Windows\SysWOW64\Kgeogaeo.exeC:\Windows\system32\Kgeogaeo.exe99⤵
- System Location Discovery: System Language Discovery
PID:1740 -
C:\Windows\SysWOW64\Llcgnple.exeC:\Windows\system32\Llcgnple.exe100⤵PID:2660
-
C:\Windows\SysWOW64\Lfmhnmhd.exeC:\Windows\system32\Lfmhnmhd.exe101⤵PID:2908
-
C:\Windows\SysWOW64\Ljkadlok.exeC:\Windows\system32\Ljkadlok.exe102⤵PID:1296
-
C:\Windows\SysWOW64\Llnjac32.exeC:\Windows\system32\Llnjac32.exe103⤵
- Drops file in System32 directory
PID:2484 -
C:\Windows\SysWOW64\Legoji32.exeC:\Windows\system32\Legoji32.exe104⤵PID:928
-
C:\Windows\SysWOW64\Mffkdlpi.exeC:\Windows\system32\Mffkdlpi.exe105⤵
- Drops file in System32 directory
PID:1316 -
C:\Windows\SysWOW64\Mbmlimfn.exeC:\Windows\system32\Mbmlimfn.exe106⤵
- Drops file in System32 directory
PID:1376 -
C:\Windows\SysWOW64\Modlnn32.exeC:\Windows\system32\Modlnn32.exe107⤵
- Drops file in System32 directory
PID:2356 -
C:\Windows\SysWOW64\Mmiipjpj.exeC:\Windows\system32\Mmiipjpj.exe108⤵PID:2052
-
C:\Windows\SysWOW64\Mhonmc32.exeC:\Windows\system32\Mhonmc32.exe109⤵PID:2064
-
C:\Windows\SysWOW64\Nibgjkdk.exeC:\Windows\system32\Nibgjkdk.exe110⤵
- Drops file in System32 directory
PID:1060 -
C:\Windows\SysWOW64\Ndhkgd32.exeC:\Windows\system32\Ndhkgd32.exe111⤵PID:2684
-
C:\Windows\SysWOW64\Nlcplf32.exeC:\Windows\system32\Nlcplf32.exe112⤵PID:2724
-
C:\Windows\SysWOW64\Nocima32.exeC:\Windows\system32\Nocima32.exe113⤵PID:2584
-
C:\Windows\SysWOW64\Npcegd32.exeC:\Windows\system32\Npcegd32.exe114⤵PID:2664
-
C:\Windows\SysWOW64\Nljflekd.exeC:\Windows\system32\Nljflekd.exe115⤵
- Drops file in System32 directory
PID:1092 -
C:\Windows\SysWOW64\Okocmapl.exeC:\Windows\system32\Okocmapl.exe116⤵PID:3052
-
C:\Windows\SysWOW64\Oedgkjob.exeC:\Windows\system32\Oedgkjob.exe117⤵PID:2180
-
C:\Windows\SysWOW64\Oheple32.exeC:\Windows\system32\Oheple32.exe118⤵PID:2080
-
C:\Windows\SysWOW64\Onbhdl32.exeC:\Windows\system32\Onbhdl32.exe119⤵PID:2548
-
C:\Windows\SysWOW64\Odnngfpe.exeC:\Windows\system32\Odnngfpe.exe120⤵
- System Location Discovery: System Language Discovery
PID:2424 -
C:\Windows\SysWOW64\Pohngd32.exeC:\Windows\system32\Pohngd32.exe121⤵
- Drops file in System32 directory
- Modifies registry class
PID:1444
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-