Analysis
-
max time kernel
15s -
max time network
16s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
13-10-2024 13:56
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
c722becf27e3bd133a7593d1bf87231195f6b021c28ab7b5a0fcaf0084801850N.exe
Resource
win7-20240903-en
windows7-x64
8 signatures
120 seconds
Behavioral task
behavioral2
Sample
c722becf27e3bd133a7593d1bf87231195f6b021c28ab7b5a0fcaf0084801850N.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
7 signatures
120 seconds
General
-
Target
c722becf27e3bd133a7593d1bf87231195f6b021c28ab7b5a0fcaf0084801850N.exe
-
Size
128KB
-
MD5
c24455d6fe54899b20b7637961945af0
-
SHA1
16ee7f1ed7ea994b890d9f146936362e08d5382e
-
SHA256
c722becf27e3bd133a7593d1bf87231195f6b021c28ab7b5a0fcaf0084801850
-
SHA512
439813e1d09c4997e167cea9d091f15bb1cecc9e9f07307a571a1c99fccf5400f409c3a77a26a71cba287d560e928b2090bab713c98ff14fbbfa57d2b3f2c4a1
-
SSDEEP
3072:PaH1eoc+beZWQVu0WpsrheAE7DxSvITW/cbFGS9n:SH1ewaWQEJpLAIhCw9n
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Lboiol32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Lldmleam.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mkndhabp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Aijbfo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ciaefa32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jpgjgboe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Cbblda32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Kdpfadlm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Nncbdomg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Obokcqhk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Piicpk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fqdiga32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Bffbdadk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Caaggpdh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Deollamj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Fdmhbplb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mbhlek32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Cjlheehe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Fcnkhmdp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ihpfgalh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lbfook32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Bhjlli32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ohncbdbd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Eknmhk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kffldlne.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pdjjag32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Clojhf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Akkoig32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Gifclb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lkjjma32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bbmcibjp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cpkmcldj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Dmmmfc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kncaojfb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Cfhkhd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Daacecfc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eogmcjef.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Abpcooea.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bbbpenco.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gfejjgli.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lclicpkm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Calcpm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Clmdmm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kjahej32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Bbmcibjp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ajeeeblb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bjebdfnn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kddomchg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jlphbbbg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jbjpom32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ofhjopbg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Cbppnbhm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Iliebpfc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mpgobc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bchfhfeh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Eoiiijcc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qdaglmcb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hihlqeib.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oadkej32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ijclol32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Omklkkpl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Djdgic32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Doecog32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Pleofj32.exe -
Executes dropped EXE 64 IoCs
pid Process 2688 Obdojcef.exe 2436 Oagoep32.exe 1620 Ohagbj32.exe 3004 Okpcoe32.exe 2312 Odhhgkib.exe 1804 Olophhjd.exe 1988 Omqlpp32.exe 2248 Okdmjdol.exe 1108 Oopijc32.exe 580 Ogknoe32.exe 1800 Oijjka32.exe 1124 Pgnjde32.exe 1132 Pilfpqaa.exe 2964 Pcdkif32.exe 2388 Pecgea32.exe 268 Pcghof32.exe 3008 Peedka32.exe 1996 Plolgk32.exe 704 Pomhcg32.exe 3024 Palepb32.exe 2480 Pckajebj.exe 2244 Phhjblpa.exe 2192 Qkffng32.exe 1680 Qfljkp32.exe 1724 Qdojgmfe.exe 1736 Qgmfchei.exe 2320 Qngopb32.exe 2332 Qdaglmcb.exe 2748 Akkoig32.exe 2732 Aknlofim.exe 2604 Anlhkbhq.exe 1968 Afgmodel.exe 2180 Anneqafn.exe 1920 Afjjed32.exe 2824 Ajeeeblb.exe 636 Aflfjc32.exe 1240 Aijbfo32.exe 2128 Bcpgdhpp.exe 2952 Bfncpcoc.exe 2108 Bkklhjnk.exe 2364 Bofgii32.exe 2708 Bbeded32.exe 2272 Bgblmk32.exe 1348 Bbgqjdce.exe 1144 Befmfpbi.exe 2172 Bjbeofpp.exe 2168 Bbjmpcab.exe 2120 Bammlq32.exe 1220 Bckjhl32.exe 2460 Bjebdfnn.exe 1708 Bmcnqama.exe 2740 Bejfao32.exe 2896 Bgibnj32.exe 2780 Cnckjddd.exe 3060 Caaggpdh.exe 1932 Cpdgbm32.exe 1636 Cfnoogbo.exe 1384 Cillkbac.exe 2132 Cacclpae.exe 2516 Ccbphk32.exe 376 Cbepdhgc.exe 1628 Cjlheehe.exe 1684 Cmjdaqgi.exe 560 Clmdmm32.exe -
Loads dropped DLL 64 IoCs
pid Process 1732 c722becf27e3bd133a7593d1bf87231195f6b021c28ab7b5a0fcaf0084801850N.exe 1732 c722becf27e3bd133a7593d1bf87231195f6b021c28ab7b5a0fcaf0084801850N.exe 2688 Obdojcef.exe 2688 Obdojcef.exe 2436 Oagoep32.exe 2436 Oagoep32.exe 1620 Ohagbj32.exe 1620 Ohagbj32.exe 3004 Okpcoe32.exe 3004 Okpcoe32.exe 2312 Odhhgkib.exe 2312 Odhhgkib.exe 1804 Olophhjd.exe 1804 Olophhjd.exe 1988 Omqlpp32.exe 1988 Omqlpp32.exe 2248 Okdmjdol.exe 2248 Okdmjdol.exe 1108 Oopijc32.exe 1108 Oopijc32.exe 580 Ogknoe32.exe 580 Ogknoe32.exe 1800 Oijjka32.exe 1800 Oijjka32.exe 1124 Pgnjde32.exe 1124 Pgnjde32.exe 1132 Pilfpqaa.exe 1132 Pilfpqaa.exe 2964 Pcdkif32.exe 2964 Pcdkif32.exe 2388 Pecgea32.exe 2388 Pecgea32.exe 268 Pcghof32.exe 268 Pcghof32.exe 3008 Peedka32.exe 3008 Peedka32.exe 1996 Plolgk32.exe 1996 Plolgk32.exe 704 Pomhcg32.exe 704 Pomhcg32.exe 3024 Palepb32.exe 3024 Palepb32.exe 2480 Pckajebj.exe 2480 Pckajebj.exe 2244 Phhjblpa.exe 2244 Phhjblpa.exe 2192 Qkffng32.exe 2192 Qkffng32.exe 1680 Qfljkp32.exe 1680 Qfljkp32.exe 1724 Qdojgmfe.exe 1724 Qdojgmfe.exe 1736 Qgmfchei.exe 1736 Qgmfchei.exe 2320 Qngopb32.exe 2320 Qngopb32.exe 2332 Qdaglmcb.exe 2332 Qdaglmcb.exe 2748 Akkoig32.exe 2748 Akkoig32.exe 2732 Aknlofim.exe 2732 Aknlofim.exe 2604 Anlhkbhq.exe 2604 Anlhkbhq.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Obdojcef.exe c722becf27e3bd133a7593d1bf87231195f6b021c28ab7b5a0fcaf0084801850N.exe File created C:\Windows\SysWOW64\Qcclhg32.dll Ogknoe32.exe File opened for modification C:\Windows\SysWOW64\Hblgnkdh.exe Hpnkbpdd.exe File created C:\Windows\SysWOW64\Dcqlnqml.dll Kklkcn32.exe File created C:\Windows\SysWOW64\Boadnkpf.dll Lhfefgkg.exe File opened for modification C:\Windows\SysWOW64\Bfdenafn.exe Bceibfgj.exe File created C:\Windows\SysWOW64\Mhmdim32.dll Pcghof32.exe File opened for modification C:\Windows\SysWOW64\Eejopecj.exe Eclbcj32.exe File opened for modification C:\Windows\SysWOW64\Gblkoham.exe Gmpcgace.exe File opened for modification C:\Windows\SysWOW64\Hboddk32.exe Hpphhp32.exe File created C:\Windows\SysWOW64\Jajcdjca.exe Jolghndm.exe File created C:\Windows\SysWOW64\Lhgccebd.dll Kocmim32.exe File opened for modification C:\Windows\SysWOW64\Bcpgdhpp.exe Aijbfo32.exe File opened for modification C:\Windows\SysWOW64\Cbepdhgc.exe Ccbphk32.exe File created C:\Windows\SysWOW64\Gcmbji32.dll Hfegij32.exe File created C:\Windows\SysWOW64\Phbeeddm.dll Hlgimqhf.exe File created C:\Windows\SysWOW64\Qnghel32.exe Qeppdo32.exe File opened for modification C:\Windows\SysWOW64\Fdmhbplb.exe Fncpef32.exe File created C:\Windows\SysWOW64\Nipdkieg.exe Nedhjj32.exe File created C:\Windows\SysWOW64\Aaddfb32.dll Cbppnbhm.exe File opened for modification C:\Windows\SysWOW64\Anneqafn.exe Afgmodel.exe File created C:\Windows\SysWOW64\Mdghaf32.exe Mbhlek32.exe File opened for modification C:\Windows\SysWOW64\Bmbgfkje.exe Bjdkjpkb.exe File created C:\Windows\SysWOW64\Gdhclbka.dll Jhdlad32.exe File created C:\Windows\SysWOW64\Loefnpnn.exe Lkjjma32.exe File created C:\Windows\SysWOW64\Hopbda32.dll Oemgplgo.exe File created C:\Windows\SysWOW64\Fikbiheg.dll Djdgic32.exe File opened for modification C:\Windows\SysWOW64\Omqlpp32.exe Olophhjd.exe File opened for modification C:\Windows\SysWOW64\Ioohokoo.exe Ijclol32.exe File created C:\Windows\SysWOW64\Kffldlne.exe Kcgphp32.exe File created C:\Windows\SysWOW64\Nidmfh32.exe Neiaeiii.exe File opened for modification C:\Windows\SysWOW64\Ojomdoof.exe Obhdcanc.exe File created C:\Windows\SysWOW64\Bbbpenco.exe Bnfddp32.exe File opened for modification C:\Windows\SysWOW64\Plolgk32.exe Peedka32.exe File created C:\Windows\SysWOW64\Qdojgmfe.exe Qfljkp32.exe File created C:\Windows\SysWOW64\Djgompkk.dll Eogmcjef.exe File opened for modification C:\Windows\SysWOW64\Fjegog32.exe Fpmbfbgo.exe File created C:\Windows\SysWOW64\Oibmpl32.exe Ojomdoof.exe File created C:\Windows\SysWOW64\Olpecfkn.dll Qcogbdkg.exe File created C:\Windows\SysWOW64\Eoepnk32.exe Elfcbo32.exe File created C:\Windows\SysWOW64\Fjjpjgjj.exe Fcphnm32.exe File created C:\Windows\SysWOW64\Hofpgamj.dll Iikifegp.exe File created C:\Windows\SysWOW64\Ieajkfmd.exe Iafnjg32.exe File created C:\Windows\SysWOW64\Ifjlcmmj.exe Ippdgc32.exe File created C:\Windows\SysWOW64\Gblkoham.exe Gmpcgace.exe File created C:\Windows\SysWOW64\Baepmlkg.dll Ojomdoof.exe File opened for modification C:\Windows\SysWOW64\Ceebklai.exe Cbffoabe.exe File opened for modification C:\Windows\SysWOW64\Qdojgmfe.exe Qfljkp32.exe File created C:\Windows\SysWOW64\Lcdgejhm.dll Anneqafn.exe File created C:\Windows\SysWOW64\Eknmhk32.exe Elkmmodo.exe File created C:\Windows\SysWOW64\Gifclb32.exe Gdkgkcpq.exe File created C:\Windows\SysWOW64\Hgpjhn32.exe Hebnlb32.exe File created C:\Windows\SysWOW64\Bajpcflf.dll Aflfjc32.exe File opened for modification C:\Windows\SysWOW64\Iliebpfc.exe Iikifegp.exe File created C:\Windows\SysWOW64\Pdjjag32.exe Ppnnai32.exe File created C:\Windows\SysWOW64\Bmmhbd32.dll Qkffng32.exe File created C:\Windows\SysWOW64\Fgnadkic.exe Fqdiga32.exe File created C:\Windows\SysWOW64\Nhiejpim.dll Pmpbdm32.exe File created C:\Windows\SysWOW64\Jaknfc32.dll Ohagbj32.exe File created C:\Windows\SysWOW64\Jngafd32.dll Ffaaoh32.exe File opened for modification C:\Windows\SysWOW64\Napbjjom.exe Nnafnopi.exe File created C:\Windows\SysWOW64\Bbeded32.exe Bofgii32.exe File created C:\Windows\SysWOW64\Hgdgodno.dll Ccdmnj32.exe File created C:\Windows\SysWOW64\Bleoal32.dll Hnjbeh32.exe -
Drops file in Windows directory 1 IoCs
description ioc Process File created C:\Windows\system32†Delgfamk.¾ll Dpapaj32.exe -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ffaaoh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jbcjnnpl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nhjjgd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qppkfhlc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aijbfo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dfphcj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bhjlli32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pcdkif32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gneijien.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kkgahoel.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oiffkkbk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hmmbqegc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Knkgpi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ppnnai32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bmpkqklh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fgdnnl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aebmjo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eecafd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gbjojh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hjlioj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lboiol32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Elfcbo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gkglnm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nlefhcnc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cagienkb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Obdojcef.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dklddhka.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nmfbpk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pkaehb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cfhkhd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nlqmmd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Peedka32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cillkbac.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hpkompgg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kjmnjkjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lklgbadb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cbepdhgc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fajbke32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hfcjdkpg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iamdkfnc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oadkej32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aficjnpm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hfegij32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jkhejkcq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jefpeh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kcecbq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pmpbdm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jfliim32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nnafnopi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cinafkkd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language c722becf27e3bd133a7593d1bf87231195f6b021c28ab7b5a0fcaf0084801850N.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Obokcqhk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ckmnbg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lbcbjlmb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bgibnj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lgqkbb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pmkhjncg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ehmdgp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ojomdoof.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Apedah32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Onfoin32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ceebklai.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cfnoogbo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oococb32.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Icblnd32.dll" Nidmfh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Odhhgkib.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Pgnjde32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Cpmjhk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Dklddhka.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Fajbke32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Knnpkl32.dll" Ihbcmaje.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Kncaojfb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Aaimopli.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Maanne32.dll" Ajpepm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Bmpkqklh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjmagfog.dll" Qfljkp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Iikifegp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Knhjjj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Nlqmmd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hpqnnmcd.dll" Aqbdkk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ckjamgmk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ohagbj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Bckjhl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Lonpma32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hcnfppba.dll" Ohncbdbd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Olbfagca.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Aojabdlf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fikbiheg.dll" Djdgic32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pglabp32.dll" Oopijc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Pecgea32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Eeaepd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Jliaac32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cgknkqan.dll" Ldpbpgoh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihaiqn32.dll" Obokcqhk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kncinl32.dll" Bjebdfnn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ifjlcmmj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Kpgffe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Nibqqh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Bhjlli32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Bgoime32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hafimk32.dll" Pilfpqaa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bflbhgjm.dll" Ceeieced.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Opnkglik.dll" Gmpcgace.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Lgehno32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hopbda32.dll" Oemgplgo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Bgoime32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Bcpgdhpp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Dklddhka.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nhiejpim.dll" Pmpbdm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Klngkfge.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Lbcbjlmb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ajpepm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Coacbfii.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qcclhg32.dll" Ogknoe32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Aknlofim.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Dkqnoh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Elfcbo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Kffldlne.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Odgamdef.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Pmmeon32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Nnafnopi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Pcdkif32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Bammlq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Cfcijf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gphfihaj.dll" Ijnbcmkk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ioohokoo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kjoahnho.dll" Jampjian.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Mdghaf32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1732 wrote to memory of 2688 1732 c722becf27e3bd133a7593d1bf87231195f6b021c28ab7b5a0fcaf0084801850N.exe 30 PID 1732 wrote to memory of 2688 1732 c722becf27e3bd133a7593d1bf87231195f6b021c28ab7b5a0fcaf0084801850N.exe 30 PID 1732 wrote to memory of 2688 1732 c722becf27e3bd133a7593d1bf87231195f6b021c28ab7b5a0fcaf0084801850N.exe 30 PID 1732 wrote to memory of 2688 1732 c722becf27e3bd133a7593d1bf87231195f6b021c28ab7b5a0fcaf0084801850N.exe 30 PID 2688 wrote to memory of 2436 2688 Obdojcef.exe 31 PID 2688 wrote to memory of 2436 2688 Obdojcef.exe 31 PID 2688 wrote to memory of 2436 2688 Obdojcef.exe 31 PID 2688 wrote to memory of 2436 2688 Obdojcef.exe 31 PID 2436 wrote to memory of 1620 2436 Oagoep32.exe 32 PID 2436 wrote to memory of 1620 2436 Oagoep32.exe 32 PID 2436 wrote to memory of 1620 2436 Oagoep32.exe 32 PID 2436 wrote to memory of 1620 2436 Oagoep32.exe 32 PID 1620 wrote to memory of 3004 1620 Ohagbj32.exe 33 PID 1620 wrote to memory of 3004 1620 Ohagbj32.exe 33 PID 1620 wrote to memory of 3004 1620 Ohagbj32.exe 33 PID 1620 wrote to memory of 3004 1620 Ohagbj32.exe 33 PID 3004 wrote to memory of 2312 3004 Okpcoe32.exe 34 PID 3004 wrote to memory of 2312 3004 Okpcoe32.exe 34 PID 3004 wrote to memory of 2312 3004 Okpcoe32.exe 34 PID 3004 wrote to memory of 2312 3004 Okpcoe32.exe 34 PID 2312 wrote to memory of 1804 2312 Odhhgkib.exe 35 PID 2312 wrote to memory of 1804 2312 Odhhgkib.exe 35 PID 2312 wrote to memory of 1804 2312 Odhhgkib.exe 35 PID 2312 wrote to memory of 1804 2312 Odhhgkib.exe 35 PID 1804 wrote to memory of 1988 1804 Olophhjd.exe 36 PID 1804 wrote to memory of 1988 1804 Olophhjd.exe 36 PID 1804 wrote to memory of 1988 1804 Olophhjd.exe 36 PID 1804 wrote to memory of 1988 1804 Olophhjd.exe 36 PID 1988 wrote to memory of 2248 1988 Omqlpp32.exe 37 PID 1988 wrote to memory of 2248 1988 Omqlpp32.exe 37 PID 1988 wrote to memory of 2248 1988 Omqlpp32.exe 37 PID 1988 wrote to memory of 2248 1988 Omqlpp32.exe 37 PID 2248 wrote to memory of 1108 2248 Okdmjdol.exe 38 PID 2248 wrote to memory of 1108 2248 Okdmjdol.exe 38 PID 2248 wrote to memory of 1108 2248 Okdmjdol.exe 38 PID 2248 wrote to memory of 1108 2248 Okdmjdol.exe 38 PID 1108 wrote to memory of 580 1108 Oopijc32.exe 39 PID 1108 wrote to memory of 580 1108 Oopijc32.exe 39 PID 1108 wrote to memory of 580 1108 Oopijc32.exe 39 PID 1108 wrote to memory of 580 1108 Oopijc32.exe 39 PID 580 wrote to memory of 1800 580 Ogknoe32.exe 40 PID 580 wrote to memory of 1800 580 Ogknoe32.exe 40 PID 580 wrote to memory of 1800 580 Ogknoe32.exe 40 PID 580 wrote to memory of 1800 580 Ogknoe32.exe 40 PID 1800 wrote to memory of 1124 1800 Oijjka32.exe 41 PID 1800 wrote to memory of 1124 1800 Oijjka32.exe 41 PID 1800 wrote to memory of 1124 1800 Oijjka32.exe 41 PID 1800 wrote to memory of 1124 1800 Oijjka32.exe 41 PID 1124 wrote to memory of 1132 1124 Pgnjde32.exe 42 PID 1124 wrote to memory of 1132 1124 Pgnjde32.exe 42 PID 1124 wrote to memory of 1132 1124 Pgnjde32.exe 42 PID 1124 wrote to memory of 1132 1124 Pgnjde32.exe 42 PID 1132 wrote to memory of 2964 1132 Pilfpqaa.exe 43 PID 1132 wrote to memory of 2964 1132 Pilfpqaa.exe 43 PID 1132 wrote to memory of 2964 1132 Pilfpqaa.exe 43 PID 1132 wrote to memory of 2964 1132 Pilfpqaa.exe 43 PID 2964 wrote to memory of 2388 2964 Pcdkif32.exe 44 PID 2964 wrote to memory of 2388 2964 Pcdkif32.exe 44 PID 2964 wrote to memory of 2388 2964 Pcdkif32.exe 44 PID 2964 wrote to memory of 2388 2964 Pcdkif32.exe 44 PID 2388 wrote to memory of 268 2388 Pecgea32.exe 45 PID 2388 wrote to memory of 268 2388 Pecgea32.exe 45 PID 2388 wrote to memory of 268 2388 Pecgea32.exe 45 PID 2388 wrote to memory of 268 2388 Pecgea32.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\c722becf27e3bd133a7593d1bf87231195f6b021c28ab7b5a0fcaf0084801850N.exe"C:\Users\Admin\AppData\Local\Temp\c722becf27e3bd133a7593d1bf87231195f6b021c28ab7b5a0fcaf0084801850N.exe"1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1732 -
C:\Windows\SysWOW64\Obdojcef.exeC:\Windows\system32\Obdojcef.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2688 -
C:\Windows\SysWOW64\Oagoep32.exeC:\Windows\system32\Oagoep32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2436 -
C:\Windows\SysWOW64\Ohagbj32.exeC:\Windows\system32\Ohagbj32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1620 -
C:\Windows\SysWOW64\Okpcoe32.exeC:\Windows\system32\Okpcoe32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3004 -
C:\Windows\SysWOW64\Odhhgkib.exeC:\Windows\system32\Odhhgkib.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2312 -
C:\Windows\SysWOW64\Olophhjd.exeC:\Windows\system32\Olophhjd.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1804 -
C:\Windows\SysWOW64\Omqlpp32.exeC:\Windows\system32\Omqlpp32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1988 -
C:\Windows\SysWOW64\Okdmjdol.exeC:\Windows\system32\Okdmjdol.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2248 -
C:\Windows\SysWOW64\Oopijc32.exeC:\Windows\system32\Oopijc32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1108 -
C:\Windows\SysWOW64\Ogknoe32.exeC:\Windows\system32\Ogknoe32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:580 -
C:\Windows\SysWOW64\Oijjka32.exeC:\Windows\system32\Oijjka32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1800 -
C:\Windows\SysWOW64\Pgnjde32.exeC:\Windows\system32\Pgnjde32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1124 -
C:\Windows\SysWOW64\Pilfpqaa.exeC:\Windows\system32\Pilfpqaa.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1132 -
C:\Windows\SysWOW64\Pcdkif32.exeC:\Windows\system32\Pcdkif32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2964 -
C:\Windows\SysWOW64\Pecgea32.exeC:\Windows\system32\Pecgea32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2388 -
C:\Windows\SysWOW64\Pcghof32.exeC:\Windows\system32\Pcghof32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:268 -
C:\Windows\SysWOW64\Peedka32.exeC:\Windows\system32\Peedka32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:3008 -
C:\Windows\SysWOW64\Plolgk32.exeC:\Windows\system32\Plolgk32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1996 -
C:\Windows\SysWOW64\Pomhcg32.exeC:\Windows\system32\Pomhcg32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:704 -
C:\Windows\SysWOW64\Palepb32.exeC:\Windows\system32\Palepb32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3024 -
C:\Windows\SysWOW64\Pckajebj.exeC:\Windows\system32\Pckajebj.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2480 -
C:\Windows\SysWOW64\Phhjblpa.exeC:\Windows\system32\Phhjblpa.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2244 -
C:\Windows\SysWOW64\Qkffng32.exeC:\Windows\system32\Qkffng32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2192 -
C:\Windows\SysWOW64\Qfljkp32.exeC:\Windows\system32\Qfljkp32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:1680 -
C:\Windows\SysWOW64\Qdojgmfe.exeC:\Windows\system32\Qdojgmfe.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1724 -
C:\Windows\SysWOW64\Qgmfchei.exeC:\Windows\system32\Qgmfchei.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1736 -
C:\Windows\SysWOW64\Qngopb32.exeC:\Windows\system32\Qngopb32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2320 -
C:\Windows\SysWOW64\Qdaglmcb.exeC:\Windows\system32\Qdaglmcb.exe29⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2332 -
C:\Windows\SysWOW64\Akkoig32.exeC:\Windows\system32\Akkoig32.exe30⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2748 -
C:\Windows\SysWOW64\Aknlofim.exeC:\Windows\system32\Aknlofim.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2732 -
C:\Windows\SysWOW64\Anlhkbhq.exeC:\Windows\system32\Anlhkbhq.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2604 -
C:\Windows\SysWOW64\Afgmodel.exeC:\Windows\system32\Afgmodel.exe33⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1968 -
C:\Windows\SysWOW64\Anneqafn.exeC:\Windows\system32\Anneqafn.exe34⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2180 -
C:\Windows\SysWOW64\Afjjed32.exeC:\Windows\system32\Afjjed32.exe35⤵
- Executes dropped EXE
PID:1920 -
C:\Windows\SysWOW64\Ajeeeblb.exeC:\Windows\system32\Ajeeeblb.exe36⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2824 -
C:\Windows\SysWOW64\Aflfjc32.exeC:\Windows\system32\Aflfjc32.exe37⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:636 -
C:\Windows\SysWOW64\Aijbfo32.exeC:\Windows\system32\Aijbfo32.exe38⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1240 -
C:\Windows\SysWOW64\Bcpgdhpp.exeC:\Windows\system32\Bcpgdhpp.exe39⤵
- Executes dropped EXE
- Modifies registry class
PID:2128 -
C:\Windows\SysWOW64\Bfncpcoc.exeC:\Windows\system32\Bfncpcoc.exe40⤵
- Executes dropped EXE
PID:2952 -
C:\Windows\SysWOW64\Bkklhjnk.exeC:\Windows\system32\Bkklhjnk.exe41⤵
- Executes dropped EXE
PID:2108 -
C:\Windows\SysWOW64\Bofgii32.exeC:\Windows\system32\Bofgii32.exe42⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2364 -
C:\Windows\SysWOW64\Bbeded32.exeC:\Windows\system32\Bbeded32.exe43⤵
- Executes dropped EXE
PID:2708 -
C:\Windows\SysWOW64\Bgblmk32.exeC:\Windows\system32\Bgblmk32.exe44⤵
- Executes dropped EXE
PID:2272 -
C:\Windows\SysWOW64\Bbgqjdce.exeC:\Windows\system32\Bbgqjdce.exe45⤵
- Executes dropped EXE
PID:1348 -
C:\Windows\SysWOW64\Befmfpbi.exeC:\Windows\system32\Befmfpbi.exe46⤵
- Executes dropped EXE
PID:1144 -
C:\Windows\SysWOW64\Bjbeofpp.exeC:\Windows\system32\Bjbeofpp.exe47⤵
- Executes dropped EXE
PID:2172 -
C:\Windows\SysWOW64\Bbjmpcab.exeC:\Windows\system32\Bbjmpcab.exe48⤵
- Executes dropped EXE
PID:2168 -
C:\Windows\SysWOW64\Bammlq32.exeC:\Windows\system32\Bammlq32.exe49⤵
- Executes dropped EXE
- Modifies registry class
PID:2120 -
C:\Windows\SysWOW64\Bckjhl32.exeC:\Windows\system32\Bckjhl32.exe50⤵
- Executes dropped EXE
- Modifies registry class
PID:1220 -
C:\Windows\SysWOW64\Bjebdfnn.exeC:\Windows\system32\Bjebdfnn.exe51⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:2460 -
C:\Windows\SysWOW64\Bmcnqama.exeC:\Windows\system32\Bmcnqama.exe52⤵
- Executes dropped EXE
PID:1708 -
C:\Windows\SysWOW64\Bejfao32.exeC:\Windows\system32\Bejfao32.exe53⤵
- Executes dropped EXE
PID:2740 -
C:\Windows\SysWOW64\Bgibnj32.exeC:\Windows\system32\Bgibnj32.exe54⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2896 -
C:\Windows\SysWOW64\Cnckjddd.exeC:\Windows\system32\Cnckjddd.exe55⤵
- Executes dropped EXE
PID:2780 -
C:\Windows\SysWOW64\Caaggpdh.exeC:\Windows\system32\Caaggpdh.exe56⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3060 -
C:\Windows\SysWOW64\Cpdgbm32.exeC:\Windows\system32\Cpdgbm32.exe57⤵
- Executes dropped EXE
PID:1932 -
C:\Windows\SysWOW64\Cfnoogbo.exeC:\Windows\system32\Cfnoogbo.exe58⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1636 -
C:\Windows\SysWOW64\Cillkbac.exeC:\Windows\system32\Cillkbac.exe59⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1384 -
C:\Windows\SysWOW64\Cacclpae.exeC:\Windows\system32\Cacclpae.exe60⤵
- Executes dropped EXE
PID:2132 -
C:\Windows\SysWOW64\Ccbphk32.exeC:\Windows\system32\Ccbphk32.exe61⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2516 -
C:\Windows\SysWOW64\Cbepdhgc.exeC:\Windows\system32\Cbepdhgc.exe62⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:376 -
C:\Windows\SysWOW64\Cjlheehe.exeC:\Windows\system32\Cjlheehe.exe63⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1628 -
C:\Windows\SysWOW64\Cmjdaqgi.exeC:\Windows\system32\Cmjdaqgi.exe64⤵
- Executes dropped EXE
PID:1684 -
C:\Windows\SysWOW64\Clmdmm32.exeC:\Windows\system32\Clmdmm32.exe65⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:560 -
C:\Windows\SysWOW64\Ccdmnj32.exeC:\Windows\system32\Ccdmnj32.exe66⤵
- Drops file in System32 directory
PID:3052 -
C:\Windows\SysWOW64\Cfcijf32.exeC:\Windows\system32\Cfcijf32.exe67⤵
- Modifies registry class
PID:2080 -
C:\Windows\SysWOW64\Ceeieced.exeC:\Windows\system32\Ceeieced.exe68⤵
- Modifies registry class
PID:2392 -
C:\Windows\SysWOW64\Ciaefa32.exeC:\Windows\system32\Ciaefa32.exe69⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2976 -
C:\Windows\SysWOW64\Cpkmcldj.exeC:\Windows\system32\Cpkmcldj.exe70⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1584 -
C:\Windows\SysWOW64\Cehfkb32.exeC:\Windows\system32\Cehfkb32.exe71⤵PID:2904
-
C:\Windows\SysWOW64\Cicalakk.exeC:\Windows\system32\Cicalakk.exe72⤵PID:2628
-
C:\Windows\SysWOW64\Cpmjhk32.exeC:\Windows\system32\Cpmjhk32.exe73⤵
- Modifies registry class
PID:2804 -
C:\Windows\SysWOW64\Cblfdg32.exeC:\Windows\system32\Cblfdg32.exe74⤵PID:1956
-
C:\Windows\SysWOW64\Dejbqb32.exeC:\Windows\system32\Dejbqb32.exe75⤵PID:828
-
C:\Windows\SysWOW64\Dhiomn32.exeC:\Windows\system32\Dhiomn32.exe76⤵PID:676
-
C:\Windows\SysWOW64\Djgkii32.exeC:\Windows\system32\Djgkii32.exe77⤵PID:2704
-
C:\Windows\SysWOW64\Dobgihgp.exeC:\Windows\system32\Dobgihgp.exe78⤵PID:628
-
C:\Windows\SysWOW64\Daacecfc.exeC:\Windows\system32\Daacecfc.exe79⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2136 -
C:\Windows\SysWOW64\Ddpobo32.exeC:\Windows\system32\Ddpobo32.exe80⤵PID:2960
-
C:\Windows\SysWOW64\Dkigoimd.exeC:\Windows\system32\Dkigoimd.exe81⤵PID:612
-
C:\Windows\SysWOW64\Doecog32.exeC:\Windows\system32\Doecog32.exe82⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:784 -
C:\Windows\SysWOW64\Deollamj.exeC:\Windows\system32\Deollamj.exe83⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2176 -
C:\Windows\SysWOW64\Ddblgn32.exeC:\Windows\system32\Ddblgn32.exe84⤵PID:2088
-
C:\Windows\SysWOW64\Dfphcj32.exeC:\Windows\system32\Dfphcj32.exe85⤵
- System Location Discovery: System Language Discovery
PID:2356 -
C:\Windows\SysWOW64\Dklddhka.exeC:\Windows\system32\Dklddhka.exe86⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2736 -
C:\Windows\SysWOW64\Dmjqpdje.exeC:\Windows\system32\Dmjqpdje.exe87⤵PID:2928
-
C:\Windows\SysWOW64\Dphmloih.exeC:\Windows\system32\Dphmloih.exe88⤵PID:2668
-
C:\Windows\SysWOW64\Dgbeiiqe.exeC:\Windows\system32\Dgbeiiqe.exe89⤵PID:2832
-
C:\Windows\SysWOW64\Dknajh32.exeC:\Windows\system32\Dknajh32.exe90⤵PID:596
-
C:\Windows\SysWOW64\Dmmmfc32.exeC:\Windows\system32\Dmmmfc32.exe91⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2352 -
C:\Windows\SysWOW64\Dahifbpk.exeC:\Windows\system32\Dahifbpk.exe92⤵PID:236
-
C:\Windows\SysWOW64\Ddfebnoo.exeC:\Windows\system32\Ddfebnoo.exe93⤵PID:2644
-
C:\Windows\SysWOW64\Dkqnoh32.exeC:\Windows\system32\Dkqnoh32.exe94⤵
- Modifies registry class
PID:880 -
C:\Windows\SysWOW64\Dicnkdnf.exeC:\Windows\system32\Dicnkdnf.exe95⤵PID:1600
-
C:\Windows\SysWOW64\Elajgpmj.exeC:\Windows\system32\Elajgpmj.exe96⤵PID:2240
-
C:\Windows\SysWOW64\Eclbcj32.exeC:\Windows\system32\Eclbcj32.exe97⤵
- Drops file in System32 directory
PID:876 -
C:\Windows\SysWOW64\Eejopecj.exeC:\Windows\system32\Eejopecj.exe98⤵PID:1496
-
C:\Windows\SysWOW64\Emagacdm.exeC:\Windows\system32\Emagacdm.exe99⤵PID:2852
-
C:\Windows\SysWOW64\Eldglp32.exeC:\Windows\system32\Eldglp32.exe100⤵PID:2856
-
C:\Windows\SysWOW64\Ecnoijbd.exeC:\Windows\system32\Ecnoijbd.exe101⤵PID:2296
-
C:\Windows\SysWOW64\Egikjh32.exeC:\Windows\system32\Egikjh32.exe102⤵PID:2624
-
C:\Windows\SysWOW64\Ehkhaqpk.exeC:\Windows\system32\Ehkhaqpk.exe103⤵PID:2772
-
C:\Windows\SysWOW64\Elfcbo32.exeC:\Windows\system32\Elfcbo32.exe104⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:348 -
C:\Windows\SysWOW64\Eoepnk32.exeC:\Windows\system32\Eoepnk32.exe105⤵PID:2808
-
C:\Windows\SysWOW64\Eacljf32.exeC:\Windows\system32\Eacljf32.exe106⤵PID:2784
-
C:\Windows\SysWOW64\Eeohkeoe.exeC:\Windows\system32\Eeohkeoe.exe107⤵PID:1808
-
C:\Windows\SysWOW64\Ehmdgp32.exeC:\Windows\system32\Ehmdgp32.exe108⤵
- System Location Discovery: System Language Discovery
PID:1076 -
C:\Windows\SysWOW64\Elipgofb.exeC:\Windows\system32\Elipgofb.exe109⤵PID:1524
-
C:\Windows\SysWOW64\Eogmcjef.exeC:\Windows\system32\Eogmcjef.exe110⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2024 -
C:\Windows\SysWOW64\Ecbhdi32.exeC:\Windows\system32\Ecbhdi32.exe111⤵PID:2440
-
C:\Windows\SysWOW64\Eaeipfei.exeC:\Windows\system32\Eaeipfei.exe112⤵PID:2844
-
C:\Windows\SysWOW64\Eeaepd32.exeC:\Windows\system32\Eeaepd32.exe113⤵
- Modifies registry class
PID:2872 -
C:\Windows\SysWOW64\Elkmmodo.exeC:\Windows\system32\Elkmmodo.exe114⤵
- Drops file in System32 directory
PID:2796 -
C:\Windows\SysWOW64\Eknmhk32.exeC:\Windows\system32\Eknmhk32.exe115⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1296 -
C:\Windows\SysWOW64\Eoiiijcc.exeC:\Windows\system32\Eoiiijcc.exe116⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2972 -
C:\Windows\SysWOW64\Eecafd32.exeC:\Windows\system32\Eecafd32.exe117⤵
- System Location Discovery: System Language Discovery
PID:1844 -
C:\Windows\SysWOW64\Edfbaabj.exeC:\Windows\system32\Edfbaabj.exe118⤵PID:1316
-
C:\Windows\SysWOW64\Fhbnbpjc.exeC:\Windows\system32\Fhbnbpjc.exe119⤵PID:584
-
C:\Windows\SysWOW64\Fgdnnl32.exeC:\Windows\system32\Fgdnnl32.exe120⤵
- System Location Discovery: System Language Discovery
PID:1972 -
C:\Windows\SysWOW64\Folfoj32.exeC:\Windows\system32\Folfoj32.exe121⤵PID:1136
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-