Analysis
-
max time kernel
72s -
max time network
19s -
platform
windows7_x64 -
resource
win7-20240704-en -
resource tags
arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system -
submitted
26-07-2024 05:45
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
858b3c5d021882b82e2a7e02d7f10a00N.exe
Resource
win7-20240704-en
windows7-x64
8 signatures
120 seconds
Behavioral task
behavioral2
Sample
858b3c5d021882b82e2a7e02d7f10a00N.exe
Resource
win10v2004-20240709-en
windows10-2004-x64
7 signatures
120 seconds
General
-
Target
858b3c5d021882b82e2a7e02d7f10a00N.exe
-
Size
390KB
-
MD5
858b3c5d021882b82e2a7e02d7f10a00
-
SHA1
8ef2caa9e7a1bc11416d1c7252d6b105b5706f8d
-
SHA256
06c53847e27901dbee60c52d0d53a74b47368461180e157abe4c12c8c30a9ffa
-
SHA512
dd8a592fb07a9d946da863b8ef9c6687158627ad296cb6ec64feb4b1d7d77ac1ac20578af1a503a99d1189d00edfa8cfaf7eb539ded43a81a34b2889d40b5f24
-
SSDEEP
6144:IoLZhP7TbT8RS66b+X0RjtdgOPAUvgkNRgdgOPAUvgkG:TZhP7TngUngEiM2gEif
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bphdpe32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hpdefh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ncfjajma.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cfcmlg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jqpebg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lmbabj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jhkclc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Moqgiopk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nhffikob.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dbmlal32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fappgflg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hghdjn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kaggbihl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ogbgbn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Papank32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Imkndofe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mmdkfmjc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Camqpnel.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Panehkaj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jifhdphd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nmpiicdm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mjofanld.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mflgkd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aokckm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kelmbifm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kggfnoch.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nepach32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nhngem32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dfdngl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Omgfdhbq.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Piemih32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pecelm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bkkioeig.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gpafgp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iphhgb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pjjmonac.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mmemoe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Didgig32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mdigakic.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ojeakfnd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bhndnpnp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dfbbpd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ipkema32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bpbabf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Geinjapb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nobndj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nchipb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gmamfddp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Igkjcm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nebnigmp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gkgbioee.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ljhngfkh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ccolja32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dgfmep32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aankkqfl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hengep32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nomphm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Enepnoji.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fhfgokap.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Qkbkfh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kbpefc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gjjafkpe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cllkkk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cjhdgk32.exe -
Executes dropped EXE 64 IoCs
pid Process 936 Kpgionie.exe 2620 Llbconkd.exe 2936 Lghgmg32.exe 2008 Mkofaj32.exe 2520 Mnpobefe.exe 3000 Mlgiiaij.exe 2752 Ncfjajma.exe 2332 Oepjoa32.exe 2576 Ojpomh32.exe 2092 Pnfnajed.exe 760 Pnhjgj32.exe 2952 Pfhhflmg.exe 2252 Aokckm32.exe 2856 Adleoc32.exe 1524 Bpebidam.exe 884 Blqmid32.exe 1312 Codbqonk.exe 1360 Dgfmep32.exe 2000 Dnpebj32.exe 2444 Dcokpa32.exe 2156 Dcageqgm.exe 1008 Enpban32.exe 2428 Ejfbfo32.exe 3040 Ejioln32.exe 1584 Fmlecinf.exe 2608 Fhjoof32.exe 2672 Fenphjei.exe 2144 Gdcmig32.exe 2788 Gdhfdffl.exe 2528 Genlgnhd.exe 2136 Hcblqb32.exe 2192 Hhcndhap.exe 1724 Hqochjnk.exe 568 Iqapnjli.exe 892 Icplje32.exe 1712 Iifghk32.exe 2360 Jnbpqb32.exe 2244 Jbphgpfg.exe 2096 Jjlmkb32.exe 1128 Jkkjeeke.exe 1356 Jahbmlil.exe 624 Jfekec32.exe 2348 Kgdgpfnf.exe 1684 Kiecgo32.exe 2480 Kppldhla.exe 2256 Kihpmnbb.exe 544 Kbpefc32.exe 1636 Kmficl32.exe 868 Kngekdnf.exe 1888 Khojcj32.exe 2160 Kecjmodq.exe 2132 Lbgkfbbj.exe 2076 Llpoohik.exe 920 Lgnjke32.exe 3004 Mlmoilni.exe 2500 Mhdpnm32.exe 2556 Mhflcm32.exe 1708 Mopdpg32.exe 2036 Mhhiiloh.exe 2084 Mobaef32.exe 2064 Mnhnfckm.exe 880 Nnjklb32.exe 672 Ngbpehpj.exe 1344 Nlohmonb.exe -
Loads dropped DLL 64 IoCs
pid Process 2424 858b3c5d021882b82e2a7e02d7f10a00N.exe 2424 858b3c5d021882b82e2a7e02d7f10a00N.exe 936 Kpgionie.exe 936 Kpgionie.exe 2620 Llbconkd.exe 2620 Llbconkd.exe 2936 Lghgmg32.exe 2936 Lghgmg32.exe 2008 Mkofaj32.exe 2008 Mkofaj32.exe 2520 Mnpobefe.exe 2520 Mnpobefe.exe 3000 Mlgiiaij.exe 3000 Mlgiiaij.exe 2752 Ncfjajma.exe 2752 Ncfjajma.exe 2332 Oepjoa32.exe 2332 Oepjoa32.exe 2576 Ojpomh32.exe 2576 Ojpomh32.exe 2092 Pnfnajed.exe 2092 Pnfnajed.exe 760 Pnhjgj32.exe 760 Pnhjgj32.exe 2952 Pfhhflmg.exe 2952 Pfhhflmg.exe 2252 Aokckm32.exe 2252 Aokckm32.exe 2856 Adleoc32.exe 2856 Adleoc32.exe 1524 Bpebidam.exe 1524 Bpebidam.exe 884 Blqmid32.exe 884 Blqmid32.exe 1312 Codbqonk.exe 1312 Codbqonk.exe 1360 Dgfmep32.exe 1360 Dgfmep32.exe 2000 Dnpebj32.exe 2000 Dnpebj32.exe 2444 Dcokpa32.exe 2444 Dcokpa32.exe 2156 Dcageqgm.exe 2156 Dcageqgm.exe 1008 Enpban32.exe 1008 Enpban32.exe 2428 Ejfbfo32.exe 2428 Ejfbfo32.exe 3040 Ejioln32.exe 3040 Ejioln32.exe 1584 Fmlecinf.exe 1584 Fmlecinf.exe 2608 Fhjoof32.exe 2608 Fhjoof32.exe 2672 Fenphjei.exe 2672 Fenphjei.exe 2144 Gdcmig32.exe 2144 Gdcmig32.exe 2788 Gdhfdffl.exe 2788 Gdhfdffl.exe 2528 Genlgnhd.exe 2528 Genlgnhd.exe 2136 Hcblqb32.exe 2136 Hcblqb32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Nchipb32.exe Nloachkf.exe File created C:\Windows\SysWOW64\Kecmfg32.exe Kkkhmadd.exe File opened for modification C:\Windows\SysWOW64\Lmcdkbao.exe Lbmpnjai.exe File created C:\Windows\SysWOW64\Oikcicfl.exe Oemjbe32.exe File created C:\Windows\SysWOW64\Kbkdpnil.exe Kmnlhg32.exe File created C:\Windows\SysWOW64\Qlemhi32.dll Jjlmkb32.exe File created C:\Windows\SysWOW64\Cbjhhiqm.dll Lmbabj32.exe File opened for modification C:\Windows\SysWOW64\Ebofcd32.exe Elbmkm32.exe File created C:\Windows\SysWOW64\Aeeafk32.dll Niqgof32.exe File created C:\Windows\SysWOW64\Bdinjj32.dll Akkokc32.exe File created C:\Windows\SysWOW64\Gnjehaio.exe Gqfeom32.exe File created C:\Windows\SysWOW64\Bgflnkja.dll Iagchmjn.exe File created C:\Windows\SysWOW64\Ogegmkqk.dll Llbconkd.exe File created C:\Windows\SysWOW64\Ilhnjfmi.exe Ifkfap32.exe File created C:\Windows\SysWOW64\Mcpgomne.dll Aknnil32.exe File created C:\Windows\SysWOW64\Bhbmip32.exe Bojipjcj.exe File created C:\Windows\SysWOW64\Imqfik32.dll Ijghmd32.exe File opened for modification C:\Windows\SysWOW64\Jmpqbnmp.exe Ilmgef32.exe File opened for modification C:\Windows\SysWOW64\Lbnbfb32.exe Lcieef32.exe File created C:\Windows\SysWOW64\Deajlf32.exe Dijjgegh.exe File created C:\Windows\SysWOW64\Lhapocoi.exe Kaggbihl.exe File created C:\Windows\SysWOW64\Ikicikap.exe Idokma32.exe File created C:\Windows\SysWOW64\Dpbenpqh.exe Dckdio32.exe File created C:\Windows\SysWOW64\Klalgq32.dll Lbgkfbbj.exe File created C:\Windows\SysWOW64\Lffohikd.exe Lfdbcing.exe File created C:\Windows\SysWOW64\Jlegic32.exe Jlbjcd32.exe File created C:\Windows\SysWOW64\Ejapnc32.dll Mobaef32.exe File created C:\Windows\SysWOW64\Gfbaeb32.dll Plfhdlfb.exe File opened for modification C:\Windows\SysWOW64\Lfdbcing.exe Lojjfo32.exe File opened for modification C:\Windows\SysWOW64\Blibghmm.exe Bpbabf32.exe File created C:\Windows\SysWOW64\Djmknb32.exe Dhlogjko.exe File opened for modification C:\Windows\SysWOW64\Kmjaddii.exe Kkhdml32.exe File created C:\Windows\SysWOW64\Dcbbjffh.dll Hjcoaeol.exe File created C:\Windows\SysWOW64\Bmbkid32.exe Acjfpokk.exe File created C:\Windows\SysWOW64\Kppjhkhn.dll Kjcedj32.exe File created C:\Windows\SysWOW64\Mgmmkohc.dll Imchcplm.exe File created C:\Windows\SysWOW64\Bmhmgbif.exe Bkgqpjch.exe File opened for modification C:\Windows\SysWOW64\Imfgahao.exe Ifloeo32.exe File created C:\Windows\SysWOW64\Lccmhojk.dll Lehfafgp.exe File created C:\Windows\SysWOW64\Gpafgp32.exe Gfiaojkq.exe File opened for modification C:\Windows\SysWOW64\Ahancp32.exe Aknnil32.exe File created C:\Windows\SysWOW64\Gpnchjga.dll Lghgmg32.exe File created C:\Windows\SysWOW64\Ifdeao32.dll Jfjjkhhg.exe File opened for modification C:\Windows\SysWOW64\Pjhpin32.exe Ojfcdo32.exe File created C:\Windows\SysWOW64\Gbdlnf32.exe Fmgcepio.exe File opened for modification C:\Windows\SysWOW64\Cjhdgk32.exe Ccolja32.exe File created C:\Windows\SysWOW64\Fenphjei.exe Fhjoof32.exe File created C:\Windows\SysWOW64\Jagmhnkn.dll Mokdja32.exe File created C:\Windows\SysWOW64\Geiabo32.dll Jkllnn32.exe File opened for modification C:\Windows\SysWOW64\Bpbabf32.exe Bemmenhb.exe File opened for modification C:\Windows\SysWOW64\Dhgelk32.exe Dhehfk32.exe File created C:\Windows\SysWOW64\Nebnigmp.exe Noifmmec.exe File created C:\Windows\SysWOW64\Ejlogbpb.dll Hpdefh32.exe File created C:\Windows\SysWOW64\Goeoie32.dll Eabeal32.exe File opened for modification C:\Windows\SysWOW64\Kecjmodq.exe Khojcj32.exe File created C:\Windows\SysWOW64\Acfdnmfb.dll Gmnlog32.exe File opened for modification C:\Windows\SysWOW64\Nanhihno.exe Noplmlok.exe File created C:\Windows\SysWOW64\Haenec32.dll Gmamfddp.exe File opened for modification C:\Windows\SysWOW64\Mmemoe32.exe Mfkebkjk.exe File opened for modification C:\Windows\SysWOW64\Kdooij32.exe Kdlbckee.exe File created C:\Windows\SysWOW64\Ifpbfc32.dll Gkgbioee.exe File opened for modification C:\Windows\SysWOW64\Ooidei32.exe Ogbldk32.exe File created C:\Windows\SysWOW64\Akpcdopi.dll Bhpqcpkm.exe File created C:\Windows\SysWOW64\Jkobgm32.exe Jfbinf32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 3876 4732 Process not Found 800 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kjhfjpdd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jbakpi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gkimff32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bmbkid32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mhflcm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Migbpocm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Idokma32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lojjfo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qfljmmjl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kdooij32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Blqmid32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kecmfg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bfppgohb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Keodflee.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aeokba32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kaggbihl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Popkeh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Himkgf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iadnon32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ghqchi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hqochjnk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jjlmkb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ddppmclb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Faijggao.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ciepkajj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gecklbih.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cihqbb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pngbcldl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ilmgef32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Deajlf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Joepjokm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ncfjajma.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dncdqcbl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eoalpaaa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mbkkepio.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mdigakic.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cjjpag32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mffkgl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bmhkojab.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qicoleno.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iamjghnm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Imdjlida.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hefginae.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Joenaf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dgfmep32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hcblqb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lpckce32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Alofnj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hengep32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Enepnoji.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ifkfap32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hiphmf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nladco32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aknnil32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nndhpqma.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iphhgb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Papank32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Abbjbnoq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gnjhaj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Maocekoo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fkldgi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iboghh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bcopkn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jkkjeeke.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Maocekoo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Nepach32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Abbjbnoq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dodahk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mphajbdq.dll" Fjfhkl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Lhapocoi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fohecb32.dll" Jkobgm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mbkkepio.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Okinik32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ninhamne.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kfjkof32.dll" Fbpfeh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Noplmlok.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mccaodgj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mnbdeb32.dll" Kgdgpfnf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipbolili.dll" Pimkbbpi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kbmamh32.dll" Bdfjnkne.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Fphgbn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ofgjhe32.dll" Gamkol32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jifhdphd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ojnmbglh.dll" Mmkcoq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eckqbibe.dll" Bgqeea32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fenphjei.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aopnanlf.dll" Hchoop32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jcandb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mmdkfmjc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Helmiiec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmocck32.dll" Mccaodgj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Cjjpag32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ocdnloph.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mdhnnl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbbmhm32.dll" Lnlaomae.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ponioeij.dll" Fkjbpkag.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lccmhojk.dll" Lehfafgp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pljhmo32.dll" Gplebjbk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ncance32.dll" Ifkfap32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Lkffohon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jlaeab32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Moqgiopk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Edljdb32.dll" Nomphm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jaffca32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Odimdqne.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Dfniee32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oenolc32.dll" Mfakbf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fdjlhdag.dll" Aqimoc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Cjhdgk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ecjkkp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ofefqf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ddnpnigl.dll" Mhhiiloh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhnlnf32.dll" Lefikg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Lcncbc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ffghjg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dfaakfpk.dll" Odacbpee.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mgfiocfl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Agfikc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ilmgef32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cnfnhaca.dll" Nckmpicl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fpmpnmck.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkqlnk32.dll" Epaodjlo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Gmgenh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Gnjhaj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ijimli32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pcenmcea.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eckomcec.dll" Fjfjcdln.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ilkpac32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2424 wrote to memory of 936 2424 858b3c5d021882b82e2a7e02d7f10a00N.exe 30 PID 2424 wrote to memory of 936 2424 858b3c5d021882b82e2a7e02d7f10a00N.exe 30 PID 2424 wrote to memory of 936 2424 858b3c5d021882b82e2a7e02d7f10a00N.exe 30 PID 2424 wrote to memory of 936 2424 858b3c5d021882b82e2a7e02d7f10a00N.exe 30 PID 936 wrote to memory of 2620 936 Kpgionie.exe 31 PID 936 wrote to memory of 2620 936 Kpgionie.exe 31 PID 936 wrote to memory of 2620 936 Kpgionie.exe 31 PID 936 wrote to memory of 2620 936 Kpgionie.exe 31 PID 2620 wrote to memory of 2936 2620 Llbconkd.exe 32 PID 2620 wrote to memory of 2936 2620 Llbconkd.exe 32 PID 2620 wrote to memory of 2936 2620 Llbconkd.exe 32 PID 2620 wrote to memory of 2936 2620 Llbconkd.exe 32 PID 2936 wrote to memory of 2008 2936 Lghgmg32.exe 33 PID 2936 wrote to memory of 2008 2936 Lghgmg32.exe 33 PID 2936 wrote to memory of 2008 2936 Lghgmg32.exe 33 PID 2936 wrote to memory of 2008 2936 Lghgmg32.exe 33 PID 2008 wrote to memory of 2520 2008 Mkofaj32.exe 34 PID 2008 wrote to memory of 2520 2008 Mkofaj32.exe 34 PID 2008 wrote to memory of 2520 2008 Mkofaj32.exe 34 PID 2008 wrote to memory of 2520 2008 Mkofaj32.exe 34 PID 2520 wrote to memory of 3000 2520 Mnpobefe.exe 35 PID 2520 wrote to memory of 3000 2520 Mnpobefe.exe 35 PID 2520 wrote to memory of 3000 2520 Mnpobefe.exe 35 PID 2520 wrote to memory of 3000 2520 Mnpobefe.exe 35 PID 3000 wrote to memory of 2752 3000 Mlgiiaij.exe 36 PID 3000 wrote to memory of 2752 3000 Mlgiiaij.exe 36 PID 3000 wrote to memory of 2752 3000 Mlgiiaij.exe 36 PID 3000 wrote to memory of 2752 3000 Mlgiiaij.exe 36 PID 2752 wrote to memory of 2332 2752 Ncfjajma.exe 37 PID 2752 wrote to memory of 2332 2752 Ncfjajma.exe 37 PID 2752 wrote to memory of 2332 2752 Ncfjajma.exe 37 PID 2752 wrote to memory of 2332 2752 Ncfjajma.exe 37 PID 2332 wrote to memory of 2576 2332 Oepjoa32.exe 38 PID 2332 wrote to memory of 2576 2332 Oepjoa32.exe 38 PID 2332 wrote to memory of 2576 2332 Oepjoa32.exe 38 PID 2332 wrote to memory of 2576 2332 Oepjoa32.exe 38 PID 2576 wrote to memory of 2092 2576 Ojpomh32.exe 39 PID 2576 wrote to memory of 2092 2576 Ojpomh32.exe 39 PID 2576 wrote to memory of 2092 2576 Ojpomh32.exe 39 PID 2576 wrote to memory of 2092 2576 Ojpomh32.exe 39 PID 2092 wrote to memory of 760 2092 Pnfnajed.exe 40 PID 2092 wrote to memory of 760 2092 Pnfnajed.exe 40 PID 2092 wrote to memory of 760 2092 Pnfnajed.exe 40 PID 2092 wrote to memory of 760 2092 Pnfnajed.exe 40 PID 760 wrote to memory of 2952 760 Pnhjgj32.exe 41 PID 760 wrote to memory of 2952 760 Pnhjgj32.exe 41 PID 760 wrote to memory of 2952 760 Pnhjgj32.exe 41 PID 760 wrote to memory of 2952 760 Pnhjgj32.exe 41 PID 2952 wrote to memory of 2252 2952 Pfhhflmg.exe 42 PID 2952 wrote to memory of 2252 2952 Pfhhflmg.exe 42 PID 2952 wrote to memory of 2252 2952 Pfhhflmg.exe 42 PID 2952 wrote to memory of 2252 2952 Pfhhflmg.exe 42 PID 2252 wrote to memory of 2856 2252 Aokckm32.exe 43 PID 2252 wrote to memory of 2856 2252 Aokckm32.exe 43 PID 2252 wrote to memory of 2856 2252 Aokckm32.exe 43 PID 2252 wrote to memory of 2856 2252 Aokckm32.exe 43 PID 2856 wrote to memory of 1524 2856 Adleoc32.exe 44 PID 2856 wrote to memory of 1524 2856 Adleoc32.exe 44 PID 2856 wrote to memory of 1524 2856 Adleoc32.exe 44 PID 2856 wrote to memory of 1524 2856 Adleoc32.exe 44 PID 1524 wrote to memory of 884 1524 Bpebidam.exe 45 PID 1524 wrote to memory of 884 1524 Bpebidam.exe 45 PID 1524 wrote to memory of 884 1524 Bpebidam.exe 45 PID 1524 wrote to memory of 884 1524 Bpebidam.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\858b3c5d021882b82e2a7e02d7f10a00N.exe"C:\Users\Admin\AppData\Local\Temp\858b3c5d021882b82e2a7e02d7f10a00N.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2424 -
C:\Windows\SysWOW64\Kpgionie.exeC:\Windows\system32\Kpgionie.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:936 -
C:\Windows\SysWOW64\Llbconkd.exeC:\Windows\system32\Llbconkd.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2620 -
C:\Windows\SysWOW64\Lghgmg32.exeC:\Windows\system32\Lghgmg32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2936 -
C:\Windows\SysWOW64\Mkofaj32.exeC:\Windows\system32\Mkofaj32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2008 -
C:\Windows\SysWOW64\Mnpobefe.exeC:\Windows\system32\Mnpobefe.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2520 -
C:\Windows\SysWOW64\Mlgiiaij.exeC:\Windows\system32\Mlgiiaij.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3000 -
C:\Windows\SysWOW64\Ncfjajma.exeC:\Windows\system32\Ncfjajma.exe8⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2752 -
C:\Windows\SysWOW64\Oepjoa32.exeC:\Windows\system32\Oepjoa32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2332 -
C:\Windows\SysWOW64\Ojpomh32.exeC:\Windows\system32\Ojpomh32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2576 -
C:\Windows\SysWOW64\Pnfnajed.exeC:\Windows\system32\Pnfnajed.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2092 -
C:\Windows\SysWOW64\Pnhjgj32.exeC:\Windows\system32\Pnhjgj32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:760 -
C:\Windows\SysWOW64\Pfhhflmg.exeC:\Windows\system32\Pfhhflmg.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2952 -
C:\Windows\SysWOW64\Aokckm32.exeC:\Windows\system32\Aokckm32.exe14⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2252 -
C:\Windows\SysWOW64\Adleoc32.exeC:\Windows\system32\Adleoc32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2856 -
C:\Windows\SysWOW64\Bpebidam.exeC:\Windows\system32\Bpebidam.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1524 -
C:\Windows\SysWOW64\Blqmid32.exeC:\Windows\system32\Blqmid32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:884 -
C:\Windows\SysWOW64\Codbqonk.exeC:\Windows\system32\Codbqonk.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1312 -
C:\Windows\SysWOW64\Dgfmep32.exeC:\Windows\system32\Dgfmep32.exe19⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1360 -
C:\Windows\SysWOW64\Dnpebj32.exeC:\Windows\system32\Dnpebj32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2000 -
C:\Windows\SysWOW64\Dcokpa32.exeC:\Windows\system32\Dcokpa32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2444 -
C:\Windows\SysWOW64\Dcageqgm.exeC:\Windows\system32\Dcageqgm.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2156 -
C:\Windows\SysWOW64\Enpban32.exeC:\Windows\system32\Enpban32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1008 -
C:\Windows\SysWOW64\Ejfbfo32.exeC:\Windows\system32\Ejfbfo32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2428 -
C:\Windows\SysWOW64\Ejioln32.exeC:\Windows\system32\Ejioln32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3040 -
C:\Windows\SysWOW64\Fmlecinf.exeC:\Windows\system32\Fmlecinf.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1584 -
C:\Windows\SysWOW64\Fhjoof32.exeC:\Windows\system32\Fhjoof32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2608 -
C:\Windows\SysWOW64\Fenphjei.exeC:\Windows\system32\Fenphjei.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2672 -
C:\Windows\SysWOW64\Gdcmig32.exeC:\Windows\system32\Gdcmig32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2144 -
C:\Windows\SysWOW64\Gdhfdffl.exeC:\Windows\system32\Gdhfdffl.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2788 -
C:\Windows\SysWOW64\Genlgnhd.exeC:\Windows\system32\Genlgnhd.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2528 -
C:\Windows\SysWOW64\Hcblqb32.exeC:\Windows\system32\Hcblqb32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2136 -
C:\Windows\SysWOW64\Hhcndhap.exeC:\Windows\system32\Hhcndhap.exe33⤵
- Executes dropped EXE
PID:2192 -
C:\Windows\SysWOW64\Hqochjnk.exeC:\Windows\system32\Hqochjnk.exe34⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1724 -
C:\Windows\SysWOW64\Iqapnjli.exeC:\Windows\system32\Iqapnjli.exe35⤵
- Executes dropped EXE
PID:568 -
C:\Windows\SysWOW64\Icplje32.exeC:\Windows\system32\Icplje32.exe36⤵
- Executes dropped EXE
PID:892 -
C:\Windows\SysWOW64\Iifghk32.exeC:\Windows\system32\Iifghk32.exe37⤵
- Executes dropped EXE
PID:1712 -
C:\Windows\SysWOW64\Jnbpqb32.exeC:\Windows\system32\Jnbpqb32.exe38⤵
- Executes dropped EXE
PID:2360 -
C:\Windows\SysWOW64\Jbphgpfg.exeC:\Windows\system32\Jbphgpfg.exe39⤵
- Executes dropped EXE
PID:2244 -
C:\Windows\SysWOW64\Jjlmkb32.exeC:\Windows\system32\Jjlmkb32.exe40⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2096 -
C:\Windows\SysWOW64\Jkkjeeke.exeC:\Windows\system32\Jkkjeeke.exe41⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1128 -
C:\Windows\SysWOW64\Jahbmlil.exeC:\Windows\system32\Jahbmlil.exe42⤵
- Executes dropped EXE
PID:1356 -
C:\Windows\SysWOW64\Jfekec32.exeC:\Windows\system32\Jfekec32.exe43⤵
- Executes dropped EXE
PID:624 -
C:\Windows\SysWOW64\Kgdgpfnf.exeC:\Windows\system32\Kgdgpfnf.exe44⤵
- Executes dropped EXE
- Modifies registry class
PID:2348 -
C:\Windows\SysWOW64\Kiecgo32.exeC:\Windows\system32\Kiecgo32.exe45⤵
- Executes dropped EXE
PID:1684 -
C:\Windows\SysWOW64\Kppldhla.exeC:\Windows\system32\Kppldhla.exe46⤵
- Executes dropped EXE
PID:2480 -
C:\Windows\SysWOW64\Kihpmnbb.exeC:\Windows\system32\Kihpmnbb.exe47⤵
- Executes dropped EXE
PID:2256 -
C:\Windows\SysWOW64\Kbpefc32.exeC:\Windows\system32\Kbpefc32.exe48⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:544 -
C:\Windows\SysWOW64\Kmficl32.exeC:\Windows\system32\Kmficl32.exe49⤵
- Executes dropped EXE
PID:1636 -
C:\Windows\SysWOW64\Kngekdnf.exeC:\Windows\system32\Kngekdnf.exe50⤵
- Executes dropped EXE
PID:868 -
C:\Windows\SysWOW64\Khojcj32.exeC:\Windows\system32\Khojcj32.exe51⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1888 -
C:\Windows\SysWOW64\Kecjmodq.exeC:\Windows\system32\Kecjmodq.exe52⤵
- Executes dropped EXE
PID:2160 -
C:\Windows\SysWOW64\Lbgkfbbj.exeC:\Windows\system32\Lbgkfbbj.exe53⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2132 -
C:\Windows\SysWOW64\Llpoohik.exeC:\Windows\system32\Llpoohik.exe54⤵
- Executes dropped EXE
PID:2076 -
C:\Windows\SysWOW64\Lgnjke32.exeC:\Windows\system32\Lgnjke32.exe55⤵
- Executes dropped EXE
PID:920 -
C:\Windows\SysWOW64\Mlmoilni.exeC:\Windows\system32\Mlmoilni.exe56⤵
- Executes dropped EXE
PID:3004 -
C:\Windows\SysWOW64\Mhdpnm32.exeC:\Windows\system32\Mhdpnm32.exe57⤵
- Executes dropped EXE
PID:2500 -
C:\Windows\SysWOW64\Mhflcm32.exeC:\Windows\system32\Mhflcm32.exe58⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2556 -
C:\Windows\SysWOW64\Mopdpg32.exeC:\Windows\system32\Mopdpg32.exe59⤵
- Executes dropped EXE
PID:1708 -
C:\Windows\SysWOW64\Mhhiiloh.exeC:\Windows\system32\Mhhiiloh.exe60⤵
- Executes dropped EXE
- Modifies registry class
PID:2036 -
C:\Windows\SysWOW64\Mobaef32.exeC:\Windows\system32\Mobaef32.exe61⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2084 -
C:\Windows\SysWOW64\Mnhnfckm.exeC:\Windows\system32\Mnhnfckm.exe62⤵
- Executes dropped EXE
PID:2064 -
C:\Windows\SysWOW64\Nnjklb32.exeC:\Windows\system32\Nnjklb32.exe63⤵
- Executes dropped EXE
PID:880 -
C:\Windows\SysWOW64\Ngbpehpj.exeC:\Windows\system32\Ngbpehpj.exe64⤵
- Executes dropped EXE
PID:672 -
C:\Windows\SysWOW64\Nlohmonb.exeC:\Windows\system32\Nlohmonb.exe65⤵
- Executes dropped EXE
PID:1344 -
C:\Windows\SysWOW64\Nfglfdeb.exeC:\Windows\system32\Nfglfdeb.exe66⤵PID:1704
-
C:\Windows\SysWOW64\Nladco32.exeC:\Windows\system32\Nladco32.exe67⤵
- System Location Discovery: System Language Discovery
PID:2916 -
C:\Windows\SysWOW64\Nckmpicl.exeC:\Windows\system32\Nckmpicl.exe68⤵
- Modifies registry class
PID:1004 -
C:\Windows\SysWOW64\Nobndj32.exeC:\Windows\system32\Nobndj32.exe69⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2436 -
C:\Windows\SysWOW64\Okinik32.exeC:\Windows\system32\Okinik32.exe70⤵
- Modifies registry class
PID:2320 -
C:\Windows\SysWOW64\Odacbpee.exeC:\Windows\system32\Odacbpee.exe71⤵
- Modifies registry class
PID:2040 -
C:\Windows\SysWOW64\Ogbldk32.exeC:\Windows\system32\Ogbldk32.exe72⤵
- Drops file in System32 directory
PID:2068 -
C:\Windows\SysWOW64\Ooidei32.exeC:\Windows\system32\Ooidei32.exe73⤵PID:2784
-
C:\Windows\SysWOW64\Ogdhik32.exeC:\Windows\system32\Ogdhik32.exe74⤵PID:1048
-
C:\Windows\SysWOW64\Objmgd32.exeC:\Windows\system32\Objmgd32.exe75⤵PID:1112
-
C:\Windows\SysWOW64\Ojeakfnd.exeC:\Windows\system32\Ojeakfnd.exe76⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2760 -
C:\Windows\SysWOW64\Pcnfdl32.exeC:\Windows\system32\Pcnfdl32.exe77⤵PID:556
-
C:\Windows\SysWOW64\Pncjad32.exeC:\Windows\system32\Pncjad32.exe78⤵PID:1832
-
C:\Windows\SysWOW64\Pimkbbpi.exeC:\Windows\system32\Pimkbbpi.exe79⤵
- Modifies registry class
PID:2356 -
C:\Windows\SysWOW64\Piohgbng.exeC:\Windows\system32\Piohgbng.exe80⤵PID:1500
-
C:\Windows\SysWOW64\Pmmqmpdm.exeC:\Windows\system32\Pmmqmpdm.exe81⤵PID:1772
-
C:\Windows\SysWOW64\Phgannal.exeC:\Windows\system32\Phgannal.exe82⤵PID:1568
-
C:\Windows\SysWOW64\Qhincn32.exeC:\Windows\system32\Qhincn32.exe83⤵PID:2852
-
C:\Windows\SysWOW64\Qbobaf32.exeC:\Windows\system32\Qbobaf32.exe84⤵PID:848
-
C:\Windows\SysWOW64\Aeokba32.exeC:\Windows\system32\Aeokba32.exe85⤵
- System Location Discovery: System Language Discovery
PID:852 -
C:\Windows\SysWOW64\Amjpgdik.exeC:\Windows\system32\Amjpgdik.exe86⤵PID:2200
-
C:\Windows\SysWOW64\Aiaqle32.exeC:\Windows\system32\Aiaqle32.exe87⤵PID:2044
-
C:\Windows\SysWOW64\Apkihofl.exeC:\Windows\system32\Apkihofl.exe88⤵PID:2072
-
C:\Windows\SysWOW64\Apnfno32.exeC:\Windows\system32\Apnfno32.exe89⤵PID:1948
-
C:\Windows\SysWOW64\Aejnfe32.exeC:\Windows\system32\Aejnfe32.exe90⤵PID:1844
-
C:\Windows\SysWOW64\Abnopj32.exeC:\Windows\system32\Abnopj32.exe91⤵PID:2452
-
C:\Windows\SysWOW64\Bhkghqpb.exeC:\Windows\system32\Bhkghqpb.exe92⤵PID:1680
-
C:\Windows\SysWOW64\Bbqkeioh.exeC:\Windows\system32\Bbqkeioh.exe93⤵PID:3068
-
C:\Windows\SysWOW64\Bhndnpnp.exeC:\Windows\system32\Bhndnpnp.exe94⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2628 -
C:\Windows\SysWOW64\Bafhff32.exeC:\Windows\system32\Bafhff32.exe95⤵PID:2864
-
C:\Windows\SysWOW64\Bhpqcpkm.exeC:\Windows\system32\Bhpqcpkm.exe96⤵
- Drops file in System32 directory
PID:988 -
C:\Windows\SysWOW64\Bojipjcj.exeC:\Windows\system32\Bojipjcj.exe97⤵
- Drops file in System32 directory
PID:2364 -
C:\Windows\SysWOW64\Bhbmip32.exeC:\Windows\system32\Bhbmip32.exe98⤵PID:1660
-
C:\Windows\SysWOW64\Bhdjno32.exeC:\Windows\system32\Bhdjno32.exe99⤵PID:2116
-
C:\Windows\SysWOW64\Camnge32.exeC:\Windows\system32\Camnge32.exe100⤵PID:2692
-
C:\Windows\SysWOW64\Cjhckg32.exeC:\Windows\system32\Cjhckg32.exe101⤵PID:2940
-
C:\Windows\SysWOW64\Cjjpag32.exeC:\Windows\system32\Cjjpag32.exe102⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2280 -
C:\Windows\SysWOW64\Cpdhna32.exeC:\Windows\system32\Cpdhna32.exe103⤵PID:1848
-
C:\Windows\SysWOW64\Cnhhge32.exeC:\Windows\system32\Cnhhge32.exe104⤵PID:1624
-
C:\Windows\SysWOW64\Cfcmlg32.exeC:\Windows\system32\Cfcmlg32.exe105⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1788 -
C:\Windows\SysWOW64\Coladm32.exeC:\Windows\system32\Coladm32.exe106⤵PID:1648
-
C:\Windows\SysWOW64\Donojm32.exeC:\Windows\system32\Donojm32.exe107⤵PID:2032
-
C:\Windows\SysWOW64\Doqkpl32.exeC:\Windows\system32\Doqkpl32.exe108⤵PID:1308
-
C:\Windows\SysWOW64\Dglpdomh.exeC:\Windows\system32\Dglpdomh.exe109⤵PID:1824
-
C:\Windows\SysWOW64\Ddppmclb.exeC:\Windows\system32\Ddppmclb.exe110⤵
- System Location Discovery: System Language Discovery
PID:1816 -
C:\Windows\SysWOW64\Dqfabdaf.exeC:\Windows\system32\Dqfabdaf.exe111⤵PID:2704
-
C:\Windows\SysWOW64\Eepmlf32.exeC:\Windows\system32\Eepmlf32.exe112⤵PID:2808
-
C:\Windows\SysWOW64\Faijggao.exeC:\Windows\system32\Faijggao.exe113⤵
- System Location Discovery: System Language Discovery
PID:2568 -
C:\Windows\SysWOW64\Fnogfk32.exeC:\Windows\system32\Fnogfk32.exe114⤵PID:2824
-
C:\Windows\SysWOW64\Fjfhkl32.exeC:\Windows\system32\Fjfhkl32.exe115⤵
- Modifies registry class
PID:836 -
C:\Windows\SysWOW64\Fappgflg.exeC:\Windows\system32\Fappgflg.exe116⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:332 -
C:\Windows\SysWOW64\Fmfalg32.exeC:\Windows\system32\Fmfalg32.exe117⤵PID:1084
-
C:\Windows\SysWOW64\Gjjafkpe.exeC:\Windows\system32\Gjjafkpe.exe118⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2168 -
C:\Windows\SysWOW64\Gedbfimc.exeC:\Windows\system32\Gedbfimc.exe119⤵PID:2860
-
C:\Windows\SysWOW64\Golgon32.exeC:\Windows\system32\Golgon32.exe120⤵PID:2224
-
C:\Windows\SysWOW64\Gplcia32.exeC:\Windows\system32\Gplcia32.exe121⤵PID:2956
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-