Analysis
-
max time kernel
104s -
max time network
18s -
platform
windows7_x64 -
resource
win7-20240704-en -
resource tags
arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system -
submitted
01-08-2024 21:19
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
22f8010d566846a70e6ad1a2c8fb7c1907a7a25bcddbdba52f37a5728d4ce45e.exe
Resource
win7-20240704-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
22f8010d566846a70e6ad1a2c8fb7c1907a7a25bcddbdba52f37a5728d4ce45e.exe
Resource
win10v2004-20240730-en
windows10-2004-x64
7 signatures
150 seconds
General
-
Target
22f8010d566846a70e6ad1a2c8fb7c1907a7a25bcddbdba52f37a5728d4ce45e.exe
-
Size
520KB
-
MD5
ec9980e4c9aa37cc4fa2e512b895733a
-
SHA1
77807b2cbd550ef22d09748dc85420a3e559005b
-
SHA256
22f8010d566846a70e6ad1a2c8fb7c1907a7a25bcddbdba52f37a5728d4ce45e
-
SHA512
3eb8ba3411ae408206a8aaa0ca7f460e3454048ce63bbf89dfaf5381308dd874e84fda344c2cc5138c373f1c2c4035b326b34b5f7db31b8e32033b4cbaab426a
-
SSDEEP
6144:hgABQh7FM6234lKm3mo8Yvi4KsLTFM6234lKm3r8SeNpgdyuH1lZfRo0V8JcgEH:hZQpFB24lwR45FB24lJ87g7/VycgEH
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jiiikq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Okjdfq32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jomadaga.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fekafc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Kogjib32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Eakkkdnm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Adaeai32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lnnidk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Cqeoegfb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Cojgdf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Anjqdd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Nnpdbg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Okkfoikl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jfoeqmfg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Gggihhkd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jaflocqd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eghflc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ihedan32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Mdpbnlbe.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cheoma32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Kldlmqml.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pikkfilp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Gkjahg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ejbhno32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dhhkiq32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pgdgngml.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jlqniihl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Oleinmgd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Naqkki32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Qfpggjdh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ggmnoo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Monjpp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ocglmcdp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gnlbpman.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nefncd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mphfji32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Goadik32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jajbfeop.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Khkmba32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hhaogp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jgjkhi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bqpejh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Enokidgl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ocoodjan.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bofebqlb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jijbnppi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pkeppngm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mikjmi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Cphncpld.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Bafjlnnn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iicoai32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Legcjjjm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ejldfh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Pdkejo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Aidfacjf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dcdlpklh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Gnkkeg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mnfhhicd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gclopbjo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Hqhiab32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Nihgndip.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ahbcda32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ocmdeg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Mbcaoh32.exe -
Executes dropped EXE 64 IoCs
pid Process 2712 Cmbiap32.exe 1856 Cghmni32.exe 2324 Cocbbk32.exe 2440 Dcaghm32.exe 2928 Epmahmcm.exe 2692 Eelfedpa.exe 2124 Faimkd32.exe 2336 Fhfbmn32.exe 2540 Gkfkoi32.exe 2932 Gngdadoj.exe 2868 Gokmnlcf.exe 800 Galfpgpg.exe 1484 Hkdkhl32.exe 2380 Happkf32.exe 2284 Hngppgae.exe 2468 Hqhiab32.exe 2524 Homfboco.exe 1908 Ibnodj32.exe 580 Ieohfemq.exe 1964 Ieaekdkn.exe 2116 Iaheqe32.exe 1668 Jajbfeop.exe 2952 Jalolemm.exe 544 Jmcpqfba.exe 3052 Jaahgd32.exe 2592 Kopldl32.exe 2148 Kldlmqml.exe 2240 Khkmba32.exe 2736 Lmjbphod.exe 2784 Llooad32.exe 2812 Legcjjjm.exe 2660 Lpmhgc32.exe 1368 Laqadknn.exe 836 Mcpmonea.exe 1784 Mhmfgdch.exe 2984 Mhobldaf.exe 1788 Mahgejhf.exe 924 Mpmdff32.exe 2432 Mnqdpj32.exe 2600 Njgeel32.exe 860 Ngkfnp32.exe 1712 Nqdjge32.exe 2944 Njlopkmg.exe 2088 Nmmgafjh.exe 1380 Ndhlfh32.exe 2312 Nonqca32.exe 1824 Ojgado32.exe 2316 Ocpfmd32.exe 1028 Ojjnioae.exe 1048 Oeobfgak.exe 2508 Ofqonp32.exe 2268 Ogpkhb32.exe 2472 Ocglmcdp.exe 1864 Plbaafak.exe 2704 Pldnge32.exe 2972 Pihnqj32.exe 1744 Pnefiq32.exe 2200 Pikkfilp.exe 532 Pngcnpkg.exe 1552 Phphgf32.exe 1820 Qhbdmeoe.exe 1292 Qhdabemb.exe 2140 Aamekk32.exe 1812 Afjncabj.exe -
Loads dropped DLL 64 IoCs
pid Process 2172 22f8010d566846a70e6ad1a2c8fb7c1907a7a25bcddbdba52f37a5728d4ce45e.exe 2172 22f8010d566846a70e6ad1a2c8fb7c1907a7a25bcddbdba52f37a5728d4ce45e.exe 2712 Cmbiap32.exe 2712 Cmbiap32.exe 1856 Cghmni32.exe 1856 Cghmni32.exe 2324 Cocbbk32.exe 2324 Cocbbk32.exe 2440 Dcaghm32.exe 2440 Dcaghm32.exe 2928 Epmahmcm.exe 2928 Epmahmcm.exe 2692 Eelfedpa.exe 2692 Eelfedpa.exe 2124 Faimkd32.exe 2124 Faimkd32.exe 2336 Fhfbmn32.exe 2336 Fhfbmn32.exe 2540 Gkfkoi32.exe 2540 Gkfkoi32.exe 2932 Gngdadoj.exe 2932 Gngdadoj.exe 2868 Gokmnlcf.exe 2868 Gokmnlcf.exe 800 Galfpgpg.exe 800 Galfpgpg.exe 1484 Hkdkhl32.exe 1484 Hkdkhl32.exe 2380 Happkf32.exe 2380 Happkf32.exe 2284 Hngppgae.exe 2284 Hngppgae.exe 2468 Hqhiab32.exe 2468 Hqhiab32.exe 2524 Homfboco.exe 2524 Homfboco.exe 1908 Ibnodj32.exe 1908 Ibnodj32.exe 580 Ieohfemq.exe 580 Ieohfemq.exe 1964 Ieaekdkn.exe 1964 Ieaekdkn.exe 2116 Iaheqe32.exe 2116 Iaheqe32.exe 1668 Jajbfeop.exe 1668 Jajbfeop.exe 2952 Jalolemm.exe 2952 Jalolemm.exe 544 Jmcpqfba.exe 544 Jmcpqfba.exe 3052 Jaahgd32.exe 3052 Jaahgd32.exe 2592 Kopldl32.exe 2592 Kopldl32.exe 2148 Kldlmqml.exe 2148 Kldlmqml.exe 2240 Khkmba32.exe 2240 Khkmba32.exe 2736 Lmjbphod.exe 2736 Lmjbphod.exe 2784 Llooad32.exe 2784 Llooad32.exe 2812 Legcjjjm.exe 2812 Legcjjjm.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Melmba32.dll Alkpgh32.exe File created C:\Windows\SysWOW64\Immcccdb.dll Lgcooh32.exe File created C:\Windows\SysWOW64\Bdpggf32.dll Ngajeg32.exe File opened for modification C:\Windows\SysWOW64\Ganfhpfj.exe Ghebpjpj.exe File created C:\Windows\SysWOW64\Fdjcjebn.dll Gfcqkafl.exe File created C:\Windows\SysWOW64\Gqbkknqb.dll Pdegnn32.exe File created C:\Windows\SysWOW64\Bbnlia32.exe Bciohe32.exe File opened for modification C:\Windows\SysWOW64\Cbncfgnm.exe Cheoma32.exe File created C:\Windows\SysWOW64\Nklmdcfo.exe Nachlm32.exe File created C:\Windows\SysWOW64\Bbakgjmj.exe Bjefcgpo.exe File created C:\Windows\SysWOW64\Apeoom32.dll Dcaghm32.exe File opened for modification C:\Windows\SysWOW64\Dmdkkm32.exe Dfjcncak.exe File created C:\Windows\SysWOW64\Ohgnoeii.exe Ocjfgo32.exe File created C:\Windows\SysWOW64\Jqfaka32.dll Koglbkdl.exe File created C:\Windows\SysWOW64\Ghebpjpj.exe Fchigcab.exe File created C:\Windows\SysWOW64\Mdmonf32.exe Mhfniekh.exe File created C:\Windows\SysWOW64\Papifjfj.dll Qpjeaa32.exe File opened for modification C:\Windows\SysWOW64\Cgnkkjgd.exe Clhgnagn.exe File created C:\Windows\SysWOW64\Pcmqnddq.dll Ddjbbbna.exe File created C:\Windows\SysWOW64\Gjmgno32.dll Mnhgga32.exe File created C:\Windows\SysWOW64\Leoofkdo.exe Lmckbigd.exe File opened for modification C:\Windows\SysWOW64\Lkkefi32.exe Lhjmdn32.exe File created C:\Windows\SysWOW64\Neoejnjj.dll Mcpmonea.exe File opened for modification C:\Windows\SysWOW64\Coknmp32.exe Bhoikfbb.exe File opened for modification C:\Windows\SysWOW64\Choejien.exe Cgklma32.exe File opened for modification C:\Windows\SysWOW64\Jhgonj32.exe Jlqniihl.exe File opened for modification C:\Windows\SysWOW64\Hjdkhpih.exe Hnnjco32.exe File opened for modification C:\Windows\SysWOW64\Difcpc32.exe Didgkc32.exe File created C:\Windows\SysWOW64\Bbggdf32.exe Bafjlnnn.exe File opened for modification C:\Windows\SysWOW64\Iejnna32.exe Hnllcoed.exe File created C:\Windows\SysWOW64\Gbejabln.dll Fipdci32.exe File created C:\Windows\SysWOW64\Inbobn32.exe Iomaaa32.exe File opened for modification C:\Windows\SysWOW64\Lnhmqc32.exe Lcolpe32.exe File opened for modification C:\Windows\SysWOW64\Dhhkiq32.exe Danblfmk.exe File opened for modification C:\Windows\SysWOW64\Knggqm32.exe Kelfbh32.exe File created C:\Windows\SysWOW64\Jokpoh32.dll Hahdjfqc.exe File opened for modification C:\Windows\SysWOW64\Qfbcae32.exe Pmhbbp32.exe File created C:\Windows\SysWOW64\Odhomb32.dll Fdadbd32.exe File opened for modification C:\Windows\SysWOW64\Hdpqhc32.exe Hjglpncm.exe File created C:\Windows\SysWOW64\Idligq32.exe Ifhinl32.exe File created C:\Windows\SysWOW64\Pjplnpco.dll Ecmlomgk.exe File opened for modification C:\Windows\SysWOW64\Pbokaelh.exe Pjhcphkf.exe File created C:\Windows\SysWOW64\Mhfniekh.exe Monjpp32.exe File created C:\Windows\SysWOW64\Nhjofbdk.exe Meiedg32.exe File created C:\Windows\SysWOW64\Dopdgoif.dll Okjdfq32.exe File created C:\Windows\SysWOW64\Lhcgnj32.dll Pockoeeg.exe File created C:\Windows\SysWOW64\Hllpfdfe.dll Kpjlldmg.exe File opened for modification C:\Windows\SysWOW64\Njdagbjd.exe Mkodfeem.exe File created C:\Windows\SysWOW64\Jiiikq32.exe Jboanfmm.exe File opened for modification C:\Windows\SysWOW64\Cpldjajo.exe Cefpmiji.exe File created C:\Windows\SysWOW64\Labbkkgl.dll Ndofjq32.exe File opened for modification C:\Windows\SysWOW64\Qmkigb32.exe Qfaqji32.exe File created C:\Windows\SysWOW64\Nalbkn32.exe Nhdnbipf.exe File opened for modification C:\Windows\SysWOW64\Fmmjbk32.exe Feaeni32.exe File created C:\Windows\SysWOW64\Ljeeom32.dll Choejien.exe File created C:\Windows\SysWOW64\Jjcigcmd.exe Jnlhbb32.exe File created C:\Windows\SysWOW64\Jcmjfiab.exe Jjcigcmd.exe File created C:\Windows\SysWOW64\Kdbgqm32.dll Bknani32.exe File opened for modification C:\Windows\SysWOW64\Jkcjchco.exe Jakejb32.exe File created C:\Windows\SysWOW64\Ekgineko.exe Dmcidqlf.exe File opened for modification C:\Windows\SysWOW64\Mkhnef32.exe Lchpeebo.exe File opened for modification C:\Windows\SysWOW64\Ibnodj32.exe Homfboco.exe File created C:\Windows\SysWOW64\Mchmblji.exe Lhgeao32.exe File created C:\Windows\SysWOW64\Ofdkpo32.dll Injnfl32.exe -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pegalaad.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jgmnhojl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kdfogiil.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ajkjij32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Echoca32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lmjbphod.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bpahad32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gjmbohhl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gfmgdi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ehbgbngm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hlijan32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bmpooiji.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Djiegp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hphljkfk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Idojon32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nefncd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Poegde32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qfaqji32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Edpobo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Okjdfq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lifoia32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jqeqhlii.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Obllai32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Phbhpo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jffddfjk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gjgmhaim.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Igmppcpm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cibnfpjg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Baampb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Likbpceb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hnnjco32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ldpfoipj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fnppfjlo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Apgnpo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kebggncm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cmclem32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kmaego32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Chcbhbio.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lmckbigd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ehphdf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gpfeoqmf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Idligq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Adaeai32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mcbjfjnp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nachlm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cfjgopop.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fbgaahgl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eohhmbjc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dkcqnj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eiclop32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Inciaamj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jeepaiin.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kldlmqml.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gnkkeg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gfaodclg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Boqdng32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Klkmkoce.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fmjfbe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jboanfmm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ldcjooac.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lajgnb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cocnanmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Boekqn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aadnfo32.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Oieencik.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Njbanida.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Dcdjgbed.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Enjcfm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Clhgnagn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Dhcanahm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hibkkjpb.dll" Cmbiap32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Gkfkoi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Bjjcdp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Mfdmdlaj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nphncc32.dll" Eafmng32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Hemeod32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Cqokoeig.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Kmaego32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ofqngejc.dll" Lbnfep32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hkhfbp32.dll" Hkhodk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Hdajgfkh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Gamafbjb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pcdggbbn.dll" Jiiikq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Jhgonj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Obllai32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Eafmng32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Fmjfbe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Andgadch.dll" Fpijgk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Caapeidl.dll" Difcpc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hgejjgag.dll" Diljpn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Flbmmm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ogpkhb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Naebmppm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Nlnlcg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Bmfdfpih.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Giemme32.dll" Gfobndnj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Lffjih32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dbpmba32.dll" Jbmdig32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Nnidchqp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Idnpdn32.dll" Enjcfm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Kogjib32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lifafj32.dll" Niopgljl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bpfggg32.dll" Pgdgngml.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mogckqib.dll" Fllpcl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Nbaqhk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Nnjnbl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jqogiafk.dll" Cffqhmqd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ckciqdol.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Facmhk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Dbjledoo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgopfi32.dll" Ddlloi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Jmigke32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Lffjih32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Opahef32.dll" Oappof32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Dknejb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Eqejjj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Opnboecn.dll" Hiohob32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibbooamb.dll" Oqmohi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mpileedj.dll" Pflpecpa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Gdnkhm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mfhbiqgd.dll" Dhagaj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cbclgajm.dll" Emmljodk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Fmggdm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hcckbeha.dll" Eelfedpa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Jfdgnf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Jollgl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Hjeojnep.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bedmcndm.dll" Qddmbkoi.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2172 wrote to memory of 2712 2172 22f8010d566846a70e6ad1a2c8fb7c1907a7a25bcddbdba52f37a5728d4ce45e.exe 29 PID 2172 wrote to memory of 2712 2172 22f8010d566846a70e6ad1a2c8fb7c1907a7a25bcddbdba52f37a5728d4ce45e.exe 29 PID 2172 wrote to memory of 2712 2172 22f8010d566846a70e6ad1a2c8fb7c1907a7a25bcddbdba52f37a5728d4ce45e.exe 29 PID 2172 wrote to memory of 2712 2172 22f8010d566846a70e6ad1a2c8fb7c1907a7a25bcddbdba52f37a5728d4ce45e.exe 29 PID 2712 wrote to memory of 1856 2712 Cmbiap32.exe 30 PID 2712 wrote to memory of 1856 2712 Cmbiap32.exe 30 PID 2712 wrote to memory of 1856 2712 Cmbiap32.exe 30 PID 2712 wrote to memory of 1856 2712 Cmbiap32.exe 30 PID 1856 wrote to memory of 2324 1856 Cghmni32.exe 31 PID 1856 wrote to memory of 2324 1856 Cghmni32.exe 31 PID 1856 wrote to memory of 2324 1856 Cghmni32.exe 31 PID 1856 wrote to memory of 2324 1856 Cghmni32.exe 31 PID 2324 wrote to memory of 2440 2324 Cocbbk32.exe 32 PID 2324 wrote to memory of 2440 2324 Cocbbk32.exe 32 PID 2324 wrote to memory of 2440 2324 Cocbbk32.exe 32 PID 2324 wrote to memory of 2440 2324 Cocbbk32.exe 32 PID 2440 wrote to memory of 2928 2440 Dcaghm32.exe 33 PID 2440 wrote to memory of 2928 2440 Dcaghm32.exe 33 PID 2440 wrote to memory of 2928 2440 Dcaghm32.exe 33 PID 2440 wrote to memory of 2928 2440 Dcaghm32.exe 33 PID 2928 wrote to memory of 2692 2928 Epmahmcm.exe 34 PID 2928 wrote to memory of 2692 2928 Epmahmcm.exe 34 PID 2928 wrote to memory of 2692 2928 Epmahmcm.exe 34 PID 2928 wrote to memory of 2692 2928 Epmahmcm.exe 34 PID 2692 wrote to memory of 2124 2692 Eelfedpa.exe 35 PID 2692 wrote to memory of 2124 2692 Eelfedpa.exe 35 PID 2692 wrote to memory of 2124 2692 Eelfedpa.exe 35 PID 2692 wrote to memory of 2124 2692 Eelfedpa.exe 35 PID 2124 wrote to memory of 2336 2124 Faimkd32.exe 36 PID 2124 wrote to memory of 2336 2124 Faimkd32.exe 36 PID 2124 wrote to memory of 2336 2124 Faimkd32.exe 36 PID 2124 wrote to memory of 2336 2124 Faimkd32.exe 36 PID 2336 wrote to memory of 2540 2336 Fhfbmn32.exe 37 PID 2336 wrote to memory of 2540 2336 Fhfbmn32.exe 37 PID 2336 wrote to memory of 2540 2336 Fhfbmn32.exe 37 PID 2336 wrote to memory of 2540 2336 Fhfbmn32.exe 37 PID 2540 wrote to memory of 2932 2540 Gkfkoi32.exe 38 PID 2540 wrote to memory of 2932 2540 Gkfkoi32.exe 38 PID 2540 wrote to memory of 2932 2540 Gkfkoi32.exe 38 PID 2540 wrote to memory of 2932 2540 Gkfkoi32.exe 38 PID 2932 wrote to memory of 2868 2932 Gngdadoj.exe 39 PID 2932 wrote to memory of 2868 2932 Gngdadoj.exe 39 PID 2932 wrote to memory of 2868 2932 Gngdadoj.exe 39 PID 2932 wrote to memory of 2868 2932 Gngdadoj.exe 39 PID 2868 wrote to memory of 800 2868 Gokmnlcf.exe 40 PID 2868 wrote to memory of 800 2868 Gokmnlcf.exe 40 PID 2868 wrote to memory of 800 2868 Gokmnlcf.exe 40 PID 2868 wrote to memory of 800 2868 Gokmnlcf.exe 40 PID 800 wrote to memory of 1484 800 Galfpgpg.exe 41 PID 800 wrote to memory of 1484 800 Galfpgpg.exe 41 PID 800 wrote to memory of 1484 800 Galfpgpg.exe 41 PID 800 wrote to memory of 1484 800 Galfpgpg.exe 41 PID 1484 wrote to memory of 2380 1484 Hkdkhl32.exe 42 PID 1484 wrote to memory of 2380 1484 Hkdkhl32.exe 42 PID 1484 wrote to memory of 2380 1484 Hkdkhl32.exe 42 PID 1484 wrote to memory of 2380 1484 Hkdkhl32.exe 42 PID 2380 wrote to memory of 2284 2380 Happkf32.exe 43 PID 2380 wrote to memory of 2284 2380 Happkf32.exe 43 PID 2380 wrote to memory of 2284 2380 Happkf32.exe 43 PID 2380 wrote to memory of 2284 2380 Happkf32.exe 43 PID 2284 wrote to memory of 2468 2284 Hngppgae.exe 44 PID 2284 wrote to memory of 2468 2284 Hngppgae.exe 44 PID 2284 wrote to memory of 2468 2284 Hngppgae.exe 44 PID 2284 wrote to memory of 2468 2284 Hngppgae.exe 44
Processes
-
C:\Users\Admin\AppData\Local\Temp\22f8010d566846a70e6ad1a2c8fb7c1907a7a25bcddbdba52f37a5728d4ce45e.exe"C:\Users\Admin\AppData\Local\Temp\22f8010d566846a70e6ad1a2c8fb7c1907a7a25bcddbdba52f37a5728d4ce45e.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2172 -
C:\Windows\SysWOW64\Cmbiap32.exeC:\Windows\system32\Cmbiap32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2712 -
C:\Windows\SysWOW64\Cghmni32.exeC:\Windows\system32\Cghmni32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1856 -
C:\Windows\SysWOW64\Cocbbk32.exeC:\Windows\system32\Cocbbk32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2324 -
C:\Windows\SysWOW64\Dcaghm32.exeC:\Windows\system32\Dcaghm32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2440 -
C:\Windows\SysWOW64\Epmahmcm.exeC:\Windows\system32\Epmahmcm.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2928 -
C:\Windows\SysWOW64\Eelfedpa.exeC:\Windows\system32\Eelfedpa.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2692 -
C:\Windows\SysWOW64\Faimkd32.exeC:\Windows\system32\Faimkd32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2124 -
C:\Windows\SysWOW64\Fhfbmn32.exeC:\Windows\system32\Fhfbmn32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2336 -
C:\Windows\SysWOW64\Gkfkoi32.exeC:\Windows\system32\Gkfkoi32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2540 -
C:\Windows\SysWOW64\Gngdadoj.exeC:\Windows\system32\Gngdadoj.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2932 -
C:\Windows\SysWOW64\Gokmnlcf.exeC:\Windows\system32\Gokmnlcf.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2868 -
C:\Windows\SysWOW64\Galfpgpg.exeC:\Windows\system32\Galfpgpg.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:800 -
C:\Windows\SysWOW64\Hkdkhl32.exeC:\Windows\system32\Hkdkhl32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1484 -
C:\Windows\SysWOW64\Happkf32.exeC:\Windows\system32\Happkf32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2380 -
C:\Windows\SysWOW64\Hngppgae.exeC:\Windows\system32\Hngppgae.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2284 -
C:\Windows\SysWOW64\Hqhiab32.exeC:\Windows\system32\Hqhiab32.exe17⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2468 -
C:\Windows\SysWOW64\Homfboco.exeC:\Windows\system32\Homfboco.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2524 -
C:\Windows\SysWOW64\Ibnodj32.exeC:\Windows\system32\Ibnodj32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1908 -
C:\Windows\SysWOW64\Ieohfemq.exeC:\Windows\system32\Ieohfemq.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:580 -
C:\Windows\SysWOW64\Ieaekdkn.exeC:\Windows\system32\Ieaekdkn.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1964 -
C:\Windows\SysWOW64\Iaheqe32.exeC:\Windows\system32\Iaheqe32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2116 -
C:\Windows\SysWOW64\Jajbfeop.exeC:\Windows\system32\Jajbfeop.exe23⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1668 -
C:\Windows\SysWOW64\Jalolemm.exeC:\Windows\system32\Jalolemm.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2952 -
C:\Windows\SysWOW64\Jmcpqfba.exeC:\Windows\system32\Jmcpqfba.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:544 -
C:\Windows\SysWOW64\Jaahgd32.exeC:\Windows\system32\Jaahgd32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3052 -
C:\Windows\SysWOW64\Kopldl32.exeC:\Windows\system32\Kopldl32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2592 -
C:\Windows\SysWOW64\Kldlmqml.exeC:\Windows\system32\Kldlmqml.exe28⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2148 -
C:\Windows\SysWOW64\Khkmba32.exeC:\Windows\system32\Khkmba32.exe29⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2240 -
C:\Windows\SysWOW64\Lmjbphod.exeC:\Windows\system32\Lmjbphod.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2736 -
C:\Windows\SysWOW64\Llooad32.exeC:\Windows\system32\Llooad32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2784 -
C:\Windows\SysWOW64\Legcjjjm.exeC:\Windows\system32\Legcjjjm.exe32⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2812 -
C:\Windows\SysWOW64\Lpmhgc32.exeC:\Windows\system32\Lpmhgc32.exe33⤵
- Executes dropped EXE
PID:2660 -
C:\Windows\SysWOW64\Laqadknn.exeC:\Windows\system32\Laqadknn.exe34⤵
- Executes dropped EXE
PID:1368 -
C:\Windows\SysWOW64\Mcpmonea.exeC:\Windows\system32\Mcpmonea.exe35⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:836 -
C:\Windows\SysWOW64\Mhmfgdch.exeC:\Windows\system32\Mhmfgdch.exe36⤵
- Executes dropped EXE
PID:1784 -
C:\Windows\SysWOW64\Mhobldaf.exeC:\Windows\system32\Mhobldaf.exe37⤵
- Executes dropped EXE
PID:2984 -
C:\Windows\SysWOW64\Mahgejhf.exeC:\Windows\system32\Mahgejhf.exe38⤵
- Executes dropped EXE
PID:1788 -
C:\Windows\SysWOW64\Mpmdff32.exeC:\Windows\system32\Mpmdff32.exe39⤵
- Executes dropped EXE
PID:924 -
C:\Windows\SysWOW64\Mnqdpj32.exeC:\Windows\system32\Mnqdpj32.exe40⤵
- Executes dropped EXE
PID:2432 -
C:\Windows\SysWOW64\Njgeel32.exeC:\Windows\system32\Njgeel32.exe41⤵
- Executes dropped EXE
PID:2600 -
C:\Windows\SysWOW64\Ngkfnp32.exeC:\Windows\system32\Ngkfnp32.exe42⤵
- Executes dropped EXE
PID:860 -
C:\Windows\SysWOW64\Nqdjge32.exeC:\Windows\system32\Nqdjge32.exe43⤵
- Executes dropped EXE
PID:1712 -
C:\Windows\SysWOW64\Njlopkmg.exeC:\Windows\system32\Njlopkmg.exe44⤵
- Executes dropped EXE
PID:2944 -
C:\Windows\SysWOW64\Nmmgafjh.exeC:\Windows\system32\Nmmgafjh.exe45⤵
- Executes dropped EXE
PID:2088 -
C:\Windows\SysWOW64\Ndhlfh32.exeC:\Windows\system32\Ndhlfh32.exe46⤵
- Executes dropped EXE
PID:1380 -
C:\Windows\SysWOW64\Nonqca32.exeC:\Windows\system32\Nonqca32.exe47⤵
- Executes dropped EXE
PID:2312 -
C:\Windows\SysWOW64\Ojgado32.exeC:\Windows\system32\Ojgado32.exe48⤵
- Executes dropped EXE
PID:1824 -
C:\Windows\SysWOW64\Ocpfmd32.exeC:\Windows\system32\Ocpfmd32.exe49⤵
- Executes dropped EXE
PID:2316 -
C:\Windows\SysWOW64\Ojjnioae.exeC:\Windows\system32\Ojjnioae.exe50⤵
- Executes dropped EXE
PID:1028 -
C:\Windows\SysWOW64\Oeobfgak.exeC:\Windows\system32\Oeobfgak.exe51⤵
- Executes dropped EXE
PID:1048 -
C:\Windows\SysWOW64\Ofqonp32.exeC:\Windows\system32\Ofqonp32.exe52⤵
- Executes dropped EXE
PID:2508 -
C:\Windows\SysWOW64\Ogpkhb32.exeC:\Windows\system32\Ogpkhb32.exe53⤵
- Executes dropped EXE
- Modifies registry class
PID:2268 -
C:\Windows\SysWOW64\Ocglmcdp.exeC:\Windows\system32\Ocglmcdp.exe54⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2472 -
C:\Windows\SysWOW64\Plbaafak.exeC:\Windows\system32\Plbaafak.exe55⤵
- Executes dropped EXE
PID:1864 -
C:\Windows\SysWOW64\Pldnge32.exeC:\Windows\system32\Pldnge32.exe56⤵
- Executes dropped EXE
PID:2704 -
C:\Windows\SysWOW64\Pihnqj32.exeC:\Windows\system32\Pihnqj32.exe57⤵
- Executes dropped EXE
PID:2972 -
C:\Windows\SysWOW64\Pnefiq32.exeC:\Windows\system32\Pnefiq32.exe58⤵
- Executes dropped EXE
PID:1744 -
C:\Windows\SysWOW64\Pikkfilp.exeC:\Windows\system32\Pikkfilp.exe59⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2200 -
C:\Windows\SysWOW64\Pngcnpkg.exeC:\Windows\system32\Pngcnpkg.exe60⤵
- Executes dropped EXE
PID:532 -
C:\Windows\SysWOW64\Phphgf32.exeC:\Windows\system32\Phphgf32.exe61⤵
- Executes dropped EXE
PID:1552 -
C:\Windows\SysWOW64\Qhbdmeoe.exeC:\Windows\system32\Qhbdmeoe.exe62⤵
- Executes dropped EXE
PID:1820 -
C:\Windows\SysWOW64\Qhdabemb.exeC:\Windows\system32\Qhdabemb.exe63⤵
- Executes dropped EXE
PID:1292 -
C:\Windows\SysWOW64\Aamekk32.exeC:\Windows\system32\Aamekk32.exe64⤵
- Executes dropped EXE
PID:2140 -
C:\Windows\SysWOW64\Afjncabj.exeC:\Windows\system32\Afjncabj.exe65⤵
- Executes dropped EXE
PID:1812 -
C:\Windows\SysWOW64\Aeokdn32.exeC:\Windows\system32\Aeokdn32.exe66⤵PID:3024
-
C:\Windows\SysWOW64\Abbknb32.exeC:\Windows\system32\Abbknb32.exe67⤵PID:3040
-
C:\Windows\SysWOW64\Aeahjn32.exeC:\Windows\system32\Aeahjn32.exe68⤵PID:2360
-
C:\Windows\SysWOW64\Alkpgh32.exeC:\Windows\system32\Alkpgh32.exe69⤵
- Drops file in System32 directory
PID:968 -
C:\Windows\SysWOW64\Aecdpmbm.exeC:\Windows\system32\Aecdpmbm.exe70⤵PID:2656
-
C:\Windows\SysWOW64\Almmlg32.exeC:\Windows\system32\Almmlg32.exe71⤵PID:2792
-
C:\Windows\SysWOW64\Bdiaqj32.exeC:\Windows\system32\Bdiaqj32.exe72⤵PID:2632
-
C:\Windows\SysWOW64\Bkbjmd32.exeC:\Windows\system32\Bkbjmd32.exe73⤵PID:2492
-
C:\Windows\SysWOW64\Bkefcc32.exeC:\Windows\system32\Bkefcc32.exe74⤵PID:2684
-
C:\Windows\SysWOW64\Bjjcdp32.exeC:\Windows\system32\Bjjcdp32.exe75⤵
- Modifies registry class
PID:1740 -
C:\Windows\SysWOW64\Baakem32.exeC:\Windows\system32\Baakem32.exe76⤵PID:2196
-
C:\Windows\SysWOW64\Bkjpncii.exeC:\Windows\system32\Bkjpncii.exe77⤵PID:2020
-
C:\Windows\SysWOW64\Blklfk32.exeC:\Windows\system32\Blklfk32.exe78⤵PID:1496
-
C:\Windows\SysWOW64\Bcedbefd.exeC:\Windows\system32\Bcedbefd.exe79⤵PID:2168
-
C:\Windows\SysWOW64\Bnjipn32.exeC:\Windows\system32\Bnjipn32.exe80⤵PID:1976
-
C:\Windows\SysWOW64\Cjaieoko.exeC:\Windows\system32\Cjaieoko.exe81⤵PID:2076
-
C:\Windows\SysWOW64\Conbmfif.exeC:\Windows\system32\Conbmfif.exe82⤵PID:1828
-
C:\Windows\SysWOW64\Chfffk32.exeC:\Windows\system32\Chfffk32.exe83⤵PID:1372
-
C:\Windows\SysWOW64\Ckebbgoj.exeC:\Windows\system32\Ckebbgoj.exe84⤵PID:2564
-
C:\Windows\SysWOW64\Cfjgopop.exeC:\Windows\system32\Cfjgopop.exe85⤵
- System Location Discovery: System Language Discovery
PID:680 -
C:\Windows\SysWOW64\Ckgogfmg.exeC:\Windows\system32\Ckgogfmg.exe86⤵PID:2220
-
C:\Windows\SysWOW64\Djcbib32.exeC:\Windows\system32\Djcbib32.exe87⤵PID:3004
-
C:\Windows\SysWOW64\Dfjcncak.exeC:\Windows\system32\Dfjcncak.exe88⤵
- Drops file in System32 directory
PID:2796 -
C:\Windows\SysWOW64\Dmdkkm32.exeC:\Windows\system32\Dmdkkm32.exe89⤵PID:2608
-
C:\Windows\SysWOW64\Dcnchg32.exeC:\Windows\system32\Dcnchg32.exe90⤵PID:2664
-
C:\Windows\SysWOW64\Dpedmhfi.exeC:\Windows\system32\Dpedmhfi.exe91⤵PID:2300
-
C:\Windows\SysWOW64\Emieflec.exeC:\Windows\system32\Emieflec.exe92⤵PID:1692
-
C:\Windows\SysWOW64\Eedijo32.exeC:\Windows\system32\Eedijo32.exe93⤵PID:2256
-
C:\Windows\SysWOW64\Eheblj32.exeC:\Windows\system32\Eheblj32.exe94⤵PID:692
-
C:\Windows\SysWOW64\Enokidgl.exeC:\Windows\system32\Enokidgl.exe95⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2392 -
C:\Windows\SysWOW64\Eeicenni.exeC:\Windows\system32\Eeicenni.exe96⤵PID:1848
-
C:\Windows\SysWOW64\Eapcjo32.exeC:\Windows\system32\Eapcjo32.exe97⤵PID:1756
-
C:\Windows\SysWOW64\Ehilgikj.exeC:\Windows\system32\Ehilgikj.exe98⤵PID:1860
-
C:\Windows\SysWOW64\Fabppo32.exeC:\Windows\system32\Fabppo32.exe99⤵PID:964
-
C:\Windows\SysWOW64\Ffoihepa.exeC:\Windows\system32\Ffoihepa.exe100⤵PID:2320
-
C:\Windows\SysWOW64\Fmhaep32.exeC:\Windows\system32\Fmhaep32.exe101⤵PID:1672
-
C:\Windows\SysWOW64\Fdbibjok.exeC:\Windows\system32\Fdbibjok.exe102⤵PID:2716
-
C:\Windows\SysWOW64\Fpijgk32.exeC:\Windows\system32\Fpijgk32.exe103⤵
- Modifies registry class
PID:2880 -
C:\Windows\SysWOW64\Fplgljbm.exeC:\Windows\system32\Fplgljbm.exe104⤵PID:2976
-
C:\Windows\SysWOW64\Flbgak32.exeC:\Windows\system32\Flbgak32.exe105⤵PID:1620
-
C:\Windows\SysWOW64\Gifhkpgk.exeC:\Windows\system32\Gifhkpgk.exe106⤵PID:392
-
C:\Windows\SysWOW64\Gkgdbh32.exeC:\Windows\system32\Gkgdbh32.exe107⤵PID:2964
-
C:\Windows\SysWOW64\Gkjahg32.exeC:\Windows\system32\Gkjahg32.exe108⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1968 -
C:\Windows\SysWOW64\Gdbeqmag.exeC:\Windows\system32\Gdbeqmag.exe109⤵PID:632
-
C:\Windows\SysWOW64\Gaffja32.exeC:\Windows\system32\Gaffja32.exe110⤵PID:2444
-
C:\Windows\SysWOW64\Giakoc32.exeC:\Windows\system32\Giakoc32.exe111⤵PID:560
-
C:\Windows\SysWOW64\Ggekhhle.exeC:\Windows\system32\Ggekhhle.exe112⤵PID:1972
-
C:\Windows\SysWOW64\Glbcpokl.exeC:\Windows\system32\Glbcpokl.exe113⤵PID:2612
-
C:\Windows\SysWOW64\Hekhid32.exeC:\Windows\system32\Hekhid32.exe114⤵PID:1584
-
C:\Windows\SysWOW64\Hemeod32.exeC:\Windows\system32\Hemeod32.exe115⤵
- Modifies registry class
PID:2816 -
C:\Windows\SysWOW64\Hlgmkn32.exeC:\Windows\system32\Hlgmkn32.exe116⤵PID:1680
-
C:\Windows\SysWOW64\Hlijan32.exeC:\Windows\system32\Hlijan32.exe117⤵
- System Location Discovery: System Language Discovery
PID:1792 -
C:\Windows\SysWOW64\Hohfmi32.exeC:\Windows\system32\Hohfmi32.exe118⤵PID:912
-
C:\Windows\SysWOW64\Hllffmbb.exeC:\Windows\system32\Hllffmbb.exe119⤵PID:2092
-
C:\Windows\SysWOW64\Hhbgkn32.exeC:\Windows\system32\Hhbgkn32.exe120⤵PID:2488
-
C:\Windows\SysWOW64\Ihedan32.exeC:\Windows\system32\Ihedan32.exe121⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2156
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-