Analysis
-
max time kernel
147s -
max time network
18s -
platform
windows7_x64 -
resource
win7-20240704-en -
resource tags
arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system -
submitted
08/08/2024, 01:48
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
a8d938a332853e6c0fcb77a2ac54f249034819a4de07c16d17d64b5e416e0f39.exe
Resource
win7-20240704-en
windows7-x64
8 signatures
150 seconds
Behavioral task
behavioral2
Sample
a8d938a332853e6c0fcb77a2ac54f249034819a4de07c16d17d64b5e416e0f39.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
7 signatures
150 seconds
General
-
Target
a8d938a332853e6c0fcb77a2ac54f249034819a4de07c16d17d64b5e416e0f39.exe
-
Size
55KB
-
MD5
51392541dec94df0552f267d2a7bb86d
-
SHA1
a17e20096d64539922feb5fa63ff97c954d42514
-
SHA256
a8d938a332853e6c0fcb77a2ac54f249034819a4de07c16d17d64b5e416e0f39
-
SHA512
a0523cd5d36ac24b539d9a84be1acb6ffc19cd9379afa290716d3f707254291ad1446d0ff2b719a5ac94afcc57ffeae0b56767e03d0eb5617783acd8068f9fd9
-
SSDEEP
768:kiOK5XRfbnt8cT4k9B+WetBtQ9ULzszjKmIr3zmZIXVVzNZA2/2p/1H5w8Xdnh:LOKLf5ik9BNEIKFmoBDU2/2LqW
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dpjhcj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hfbfpnel.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ooaflp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jekoljgo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nnhakp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mgbcha32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pikkfilp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Miphjf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Injnfl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Odgchjhl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Epmahmcm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kcgdgnmc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lmdnjf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qhbdmeoe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lgjfmlkm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gjpodhfi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jffhec32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gcfioj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jfpndkel.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Baakem32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ifecen32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ipcjje32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ickoimie.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Opicgenj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Giafmfad.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kncmknkg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ijenpn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gifhkpgk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nolffjap.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gmflmfpe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eakjophb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Llcfck32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nlmiojla.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qnagbc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mpjgag32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fnnobl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dcojbm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eqjceidf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad a8d938a332853e6c0fcb77a2ac54f249034819a4de07c16d17d64b5e416e0f39.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gdchifik.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pmeemp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ljjkgfig.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ogqpjd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ipbgci32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nihjfm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hljnbo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hmphfc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dhekodik.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kommediq.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nnhakp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fdadbd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pghklq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kgdijk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Clbdobpc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fdmjmenh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Opennf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lgjfmlkm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nocgbl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iopgjp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lgdafeln.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aglhph32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Biakbc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fpihnbmk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ajghgd32.exe -
Executes dropped EXE 64 IoCs
pid Process 1668 Dmljnfll.exe 2580 Dbhbfmkd.exe 2772 Dhekodik.exe 2740 Dbkolmia.exe 2900 Dekhnh32.exe 2804 Dabicikf.exe 3056 Dgoakpjn.exe 2236 Dmiihjak.exe 1300 Epjbienl.exe 1204 Elqcnfdp.exe 1108 Egfglocf.exe 1620 Eekdmk32.exe 1976 Ecodfogg.exe 1728 Fofekp32.exe 2440 Fdcncg32.exe 2332 Febjmj32.exe 2000 Fnnobl32.exe 2028 Fakhhk32.exe 1740 Fdjddf32.exe 1632 Fdlqjf32.exe 2044 Gfmmanif.exe 1816 Ggmjkapi.exe 908 Gmjbchnq.exe 2444 Gkoodd32.exe 2016 Gdgcnj32.exe 2352 Gfgpgmql.exe 2968 Hqpahkmj.exe 1568 Hjieapck.exe 2564 Hjkbfpah.exe 2852 Haggijgb.exe 2788 Hchpjddc.exe 2060 Hiehbl32.exe 2940 Ipoqofjh.exe 3068 Ienfml32.exe 588 Ipcjje32.exe 1912 Ihooog32.exe 2528 Ilmgef32.exe 1168 Jffhec32.exe 1100 Jpomnilc.exe 736 Jfiekc32.exe 2672 Jpajdi32.exe 2320 Jepoao32.exe 572 Joicje32.exe 536 Jlmddi32.exe 2540 Kommediq.exe 2208 Kegebn32.exe 1500 Kopikdgn.exe 1020 Lnipgp32.exe 3020 Lfedlb32.exe 3024 Lnlmmo32.exe 2972 Lomidgkl.exe 1676 Lgdafeln.exe 2124 Lhenmm32.exe 2224 Lpmeojbo.exe 2568 Lckbkfbb.exe 2860 Lfingaaf.exe 2768 Llcfck32.exe 1028 Lbpolb32.exe 648 Lflklaoc.exe 2692 Llfcik32.exe 2140 Lodoefed.exe 1148 Mfngbq32.exe 2964 Mkkpjg32.exe 1748 Mdcdcmai.exe -
Loads dropped DLL 64 IoCs
pid Process 2712 a8d938a332853e6c0fcb77a2ac54f249034819a4de07c16d17d64b5e416e0f39.exe 2712 a8d938a332853e6c0fcb77a2ac54f249034819a4de07c16d17d64b5e416e0f39.exe 1668 Dmljnfll.exe 1668 Dmljnfll.exe 2580 Dbhbfmkd.exe 2580 Dbhbfmkd.exe 2772 Dhekodik.exe 2772 Dhekodik.exe 2740 Dbkolmia.exe 2740 Dbkolmia.exe 2900 Dekhnh32.exe 2900 Dekhnh32.exe 2804 Dabicikf.exe 2804 Dabicikf.exe 3056 Dgoakpjn.exe 3056 Dgoakpjn.exe 2236 Dmiihjak.exe 2236 Dmiihjak.exe 1300 Epjbienl.exe 1300 Epjbienl.exe 1204 Elqcnfdp.exe 1204 Elqcnfdp.exe 1108 Egfglocf.exe 1108 Egfglocf.exe 1620 Eekdmk32.exe 1620 Eekdmk32.exe 1976 Ecodfogg.exe 1976 Ecodfogg.exe 1728 Fofekp32.exe 1728 Fofekp32.exe 2440 Fdcncg32.exe 2440 Fdcncg32.exe 2332 Febjmj32.exe 2332 Febjmj32.exe 2000 Fnnobl32.exe 2000 Fnnobl32.exe 2028 Fakhhk32.exe 2028 Fakhhk32.exe 1740 Fdjddf32.exe 1740 Fdjddf32.exe 1632 Fdlqjf32.exe 1632 Fdlqjf32.exe 2044 Gfmmanif.exe 2044 Gfmmanif.exe 1816 Ggmjkapi.exe 1816 Ggmjkapi.exe 908 Gmjbchnq.exe 908 Gmjbchnq.exe 2444 Gkoodd32.exe 2444 Gkoodd32.exe 2016 Gdgcnj32.exe 2016 Gdgcnj32.exe 2352 Gfgpgmql.exe 2352 Gfgpgmql.exe 2968 Hqpahkmj.exe 2968 Hqpahkmj.exe 1568 Hjieapck.exe 1568 Hjieapck.exe 2564 Hjkbfpah.exe 2564 Hjkbfpah.exe 2852 Haggijgb.exe 2852 Haggijgb.exe 2788 Hchpjddc.exe 2788 Hchpjddc.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Jhbfcj32.exe Ijmibn32.exe File opened for modification C:\Windows\SysWOW64\Ipoqofjh.exe Hiehbl32.exe File opened for modification C:\Windows\SysWOW64\Fefpfi32.exe Fpihnbmk.exe File created C:\Windows\SysWOW64\Jadlgjjq.exe Jlgcncli.exe File created C:\Windows\SysWOW64\Nnfpfbig.dll Iniidj32.exe File created C:\Windows\SysWOW64\Dhnlqcee.dll Lihifhoq.exe File created C:\Windows\SysWOW64\Cffebb32.dll Qmlief32.exe File created C:\Windows\SysWOW64\Cadfbi32.exe Ckjnfobi.exe File created C:\Windows\SysWOW64\Klmghfio.exe Koifob32.exe File opened for modification C:\Windows\SysWOW64\Omddmkhl.exe Ofklpa32.exe File opened for modification C:\Windows\SysWOW64\Jjdcdjcm.exe Jnncoini.exe File created C:\Windows\SysWOW64\Gjpgaohl.dll Onqaonnc.exe File opened for modification C:\Windows\SysWOW64\Jeidob32.exe Jibcja32.exe File created C:\Windows\SysWOW64\Pfmgmm32.exe Pghklq32.exe File created C:\Windows\SysWOW64\Ofpeil32.dll Dmkipb32.exe File created C:\Windows\SysWOW64\Eadejede.exe Epchbm32.exe File created C:\Windows\SysWOW64\Bbkmki32.exe Bichbckg.exe File opened for modification C:\Windows\SysWOW64\Gdpfbd32.exe Gocnjn32.exe File opened for modification C:\Windows\SysWOW64\Ojakdd32.exe Odgchjhl.exe File created C:\Windows\SysWOW64\Omincc32.dll Hqjfgb32.exe File opened for modification C:\Windows\SysWOW64\Jjimpj32.exe Jcodcp32.exe File created C:\Windows\SysWOW64\Oghfnq32.dll Ofmknifp.exe File opened for modification C:\Windows\SysWOW64\Mmjqhd32.exe Meolcb32.exe File opened for modification C:\Windows\SysWOW64\Glefpd32.exe Gekncjfe.exe File created C:\Windows\SysWOW64\Fgdhfbpi.dll Lfckko32.exe File opened for modification C:\Windows\SysWOW64\Bggohi32.exe Bnojpdfb.exe File opened for modification C:\Windows\SysWOW64\Pekffp32.exe Poqniegj.exe File created C:\Windows\SysWOW64\Pbenfb32.dll Ecodfogg.exe File opened for modification C:\Windows\SysWOW64\Lolbjahp.exe Ldgnmhhj.exe File created C:\Windows\SysWOW64\Fadmenpg.exe Fimedaoe.exe File opened for modification C:\Windows\SysWOW64\Eqjceidf.exe Ejpkho32.exe File created C:\Windows\SysWOW64\Qlqmjc32.dll Eiheok32.exe File created C:\Windows\SysWOW64\Gfnnmboa.exe Gmejdm32.exe File created C:\Windows\SysWOW64\Anmbpf32.dll Ghqqpd32.exe File created C:\Windows\SysWOW64\Hbmpoj32.exe Hmphfc32.exe File opened for modification C:\Windows\SysWOW64\Mcmkoi32.exe Mqoocmcg.exe File created C:\Windows\SysWOW64\Aidpiiop.dll Cbqekhmp.exe File created C:\Windows\SysWOW64\Dgemgm32.exe Dpjhcj32.exe File created C:\Windows\SysWOW64\Edlmlclc.dll Eiplecnc.exe File created C:\Windows\SysWOW64\Hhpjfoji.exe Hccbnhla.exe File created C:\Windows\SysWOW64\Fmmnecce.dll Fdadbd32.exe File opened for modification C:\Windows\SysWOW64\Dekhnh32.exe Dbkolmia.exe File created C:\Windows\SysWOW64\Kjonihkc.dll Copljmpo.exe File created C:\Windows\SysWOW64\Cfjijn32.dll Gmbagf32.exe File created C:\Windows\SysWOW64\Amfcfk32.exe Abpohb32.exe File created C:\Windows\SysWOW64\Fcnkemgi.exe Ehhghdgc.exe File created C:\Windows\SysWOW64\Nmnjfc32.dll Loicnemp.exe File opened for modification C:\Windows\SysWOW64\Poqniegj.exe Pjdeaohb.exe File created C:\Windows\SysWOW64\Ilnqhddd.exe Ifahpnfl.exe File opened for modification C:\Windows\SysWOW64\Gifhkpgk.exe Flbgak32.exe File created C:\Windows\SysWOW64\Igeljknl.dll Kaagnp32.exe File created C:\Windows\SysWOW64\Ofhmfe32.dll Bdpjjaiq.exe File opened for modification C:\Windows\SysWOW64\Fpecddpi.exe Fgjnpb32.exe File created C:\Windows\SysWOW64\Ohmljj32.exe Oacdmpan.exe File opened for modification C:\Windows\SysWOW64\Cmocha32.exe Cjqglf32.exe File created C:\Windows\SysWOW64\Fpihnbmk.exe Fiopah32.exe File opened for modification C:\Windows\SysWOW64\Pnefiq32.exe Pihnqj32.exe File created C:\Windows\SysWOW64\Baakem32.exe Bhiglh32.exe File opened for modification C:\Windows\SysWOW64\Kebgea32.exe Knhoig32.exe File created C:\Windows\SysWOW64\Mimilgnj.dll Ihclmp32.exe File created C:\Windows\SysWOW64\Nlngdfab.dll Ilihij32.exe File opened for modification C:\Windows\SysWOW64\Gacgli32.exe Gkiooocb.exe File created C:\Windows\SysWOW64\Feedfo32.dll Kfcadq32.exe File opened for modification C:\Windows\SysWOW64\Ggphji32.exe Gljdlq32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 3036 1696 WerFault.exe 982 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mnpbgbdd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gcgpiq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bnkpjd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Djhldahb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qohkdkdn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qfdpgd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lckbkfbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jadlgjjq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kiolio32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oceaql32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jndjoi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gcifdj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ohofimje.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Njipabhe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fdefgimi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Colgpo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pldknmhd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oaiglnih.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Legmpdga.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dgkkdnkb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hjeojnep.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eedjfchi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gbihmcqp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nmfblk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kppohf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Macnjk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pmmppm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kcgdgnmc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gmejdm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bbkmki32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Conbmfif.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Likbpceb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bebjdjal.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hnjonpgg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cfaedeme.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ecodfogg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kcjcefbd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gjpodhfi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bcobdgoj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Koeeoljm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Flhnqf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hfdbji32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iganmp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mjcljlea.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pifakj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ikhlaaif.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jkhjin32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Phabdmgq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aagfffbo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ocbbbd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gjjcqpbj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ehhghdgc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Liaggk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nqkgbkdj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qnoklc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aabhiikm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lnejqmie.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Epakcm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hioefjfb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dbhbfmkd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jnlfjjpl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ggicdo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hojeka32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fdjddf32.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Blllchcf.dll" Jbpcgo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Epflbbpp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Begegn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cbdfql32.dll" Mkkpjg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ijenpn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ifahpnfl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nfdmqoad.dll" Fkpeojha.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ikqcgj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jiphpf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Eiheok32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hpfamd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cfanhc32.dll" Fjkije32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Acfmjn32.dll" Kommediq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebjldp32.dll" Kdgane32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Keekeg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Eipekmjg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fadmenpg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pmhbbp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qohkdkdn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eebdhmbm.dll" Ehhghdgc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ipoqofjh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lihkjgpf.dll" Jennjblp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gfnnmboa.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lfbibfmi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nchkjhdh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fjkije32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Majfcb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jgllof32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qckcdj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hpmjno32.dll" Fldbnb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lcqdidim.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ogfagmck.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dnpgmp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aihenoef.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fclmem32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ilnqhddd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ahpdficc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jqakompl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mmijmn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjgodk32.dll" Andnff32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Angklf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lomidgkl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pjchjcmf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mhmcao32.dll" Kononm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nenaho32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ifhcad32.dll" Kogjib32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipollp32.dll" Dmiihjak.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Opkndldc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ifoljn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Abaaakob.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mpnhhh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Enckek32.dll" Faedpdcc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pgnpcg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cofohkgi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gdchifik.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dhggokji.dll" Nchkjhdh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fcnkemgi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ejkdfong.dll" Lklmoccl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hnbgdh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aamhdckg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gekncjfe.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hdjnje32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Epqfkj32.dll" Pbfehn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ijmibn32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2712 wrote to memory of 1668 2712 a8d938a332853e6c0fcb77a2ac54f249034819a4de07c16d17d64b5e416e0f39.exe 29 PID 2712 wrote to memory of 1668 2712 a8d938a332853e6c0fcb77a2ac54f249034819a4de07c16d17d64b5e416e0f39.exe 29 PID 2712 wrote to memory of 1668 2712 a8d938a332853e6c0fcb77a2ac54f249034819a4de07c16d17d64b5e416e0f39.exe 29 PID 2712 wrote to memory of 1668 2712 a8d938a332853e6c0fcb77a2ac54f249034819a4de07c16d17d64b5e416e0f39.exe 29 PID 1668 wrote to memory of 2580 1668 Dmljnfll.exe 30 PID 1668 wrote to memory of 2580 1668 Dmljnfll.exe 30 PID 1668 wrote to memory of 2580 1668 Dmljnfll.exe 30 PID 1668 wrote to memory of 2580 1668 Dmljnfll.exe 30 PID 2580 wrote to memory of 2772 2580 Dbhbfmkd.exe 31 PID 2580 wrote to memory of 2772 2580 Dbhbfmkd.exe 31 PID 2580 wrote to memory of 2772 2580 Dbhbfmkd.exe 31 PID 2580 wrote to memory of 2772 2580 Dbhbfmkd.exe 31 PID 2772 wrote to memory of 2740 2772 Dhekodik.exe 32 PID 2772 wrote to memory of 2740 2772 Dhekodik.exe 32 PID 2772 wrote to memory of 2740 2772 Dhekodik.exe 32 PID 2772 wrote to memory of 2740 2772 Dhekodik.exe 32 PID 2740 wrote to memory of 2900 2740 Dbkolmia.exe 33 PID 2740 wrote to memory of 2900 2740 Dbkolmia.exe 33 PID 2740 wrote to memory of 2900 2740 Dbkolmia.exe 33 PID 2740 wrote to memory of 2900 2740 Dbkolmia.exe 33 PID 2900 wrote to memory of 2804 2900 Dekhnh32.exe 34 PID 2900 wrote to memory of 2804 2900 Dekhnh32.exe 34 PID 2900 wrote to memory of 2804 2900 Dekhnh32.exe 34 PID 2900 wrote to memory of 2804 2900 Dekhnh32.exe 34 PID 2804 wrote to memory of 3056 2804 Dabicikf.exe 35 PID 2804 wrote to memory of 3056 2804 Dabicikf.exe 35 PID 2804 wrote to memory of 3056 2804 Dabicikf.exe 35 PID 2804 wrote to memory of 3056 2804 Dabicikf.exe 35 PID 3056 wrote to memory of 2236 3056 Dgoakpjn.exe 36 PID 3056 wrote to memory of 2236 3056 Dgoakpjn.exe 36 PID 3056 wrote to memory of 2236 3056 Dgoakpjn.exe 36 PID 3056 wrote to memory of 2236 3056 Dgoakpjn.exe 36 PID 2236 wrote to memory of 1300 2236 Dmiihjak.exe 37 PID 2236 wrote to memory of 1300 2236 Dmiihjak.exe 37 PID 2236 wrote to memory of 1300 2236 Dmiihjak.exe 37 PID 2236 wrote to memory of 1300 2236 Dmiihjak.exe 37 PID 1300 wrote to memory of 1204 1300 Epjbienl.exe 38 PID 1300 wrote to memory of 1204 1300 Epjbienl.exe 38 PID 1300 wrote to memory of 1204 1300 Epjbienl.exe 38 PID 1300 wrote to memory of 1204 1300 Epjbienl.exe 38 PID 1204 wrote to memory of 1108 1204 Elqcnfdp.exe 39 PID 1204 wrote to memory of 1108 1204 Elqcnfdp.exe 39 PID 1204 wrote to memory of 1108 1204 Elqcnfdp.exe 39 PID 1204 wrote to memory of 1108 1204 Elqcnfdp.exe 39 PID 1108 wrote to memory of 1620 1108 Egfglocf.exe 40 PID 1108 wrote to memory of 1620 1108 Egfglocf.exe 40 PID 1108 wrote to memory of 1620 1108 Egfglocf.exe 40 PID 1108 wrote to memory of 1620 1108 Egfglocf.exe 40 PID 1620 wrote to memory of 1976 1620 Eekdmk32.exe 41 PID 1620 wrote to memory of 1976 1620 Eekdmk32.exe 41 PID 1620 wrote to memory of 1976 1620 Eekdmk32.exe 41 PID 1620 wrote to memory of 1976 1620 Eekdmk32.exe 41 PID 1976 wrote to memory of 1728 1976 Ecodfogg.exe 42 PID 1976 wrote to memory of 1728 1976 Ecodfogg.exe 42 PID 1976 wrote to memory of 1728 1976 Ecodfogg.exe 42 PID 1976 wrote to memory of 1728 1976 Ecodfogg.exe 42 PID 1728 wrote to memory of 2440 1728 Fofekp32.exe 43 PID 1728 wrote to memory of 2440 1728 Fofekp32.exe 43 PID 1728 wrote to memory of 2440 1728 Fofekp32.exe 43 PID 1728 wrote to memory of 2440 1728 Fofekp32.exe 43 PID 2440 wrote to memory of 2332 2440 Fdcncg32.exe 44 PID 2440 wrote to memory of 2332 2440 Fdcncg32.exe 44 PID 2440 wrote to memory of 2332 2440 Fdcncg32.exe 44 PID 2440 wrote to memory of 2332 2440 Fdcncg32.exe 44
Processes
-
C:\Users\Admin\AppData\Local\Temp\a8d938a332853e6c0fcb77a2ac54f249034819a4de07c16d17d64b5e416e0f39.exe"C:\Users\Admin\AppData\Local\Temp\a8d938a332853e6c0fcb77a2ac54f249034819a4de07c16d17d64b5e416e0f39.exe"1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2712 -
C:\Windows\SysWOW64\Dmljnfll.exeC:\Windows\system32\Dmljnfll.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1668 -
C:\Windows\SysWOW64\Dbhbfmkd.exeC:\Windows\system32\Dbhbfmkd.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2580 -
C:\Windows\SysWOW64\Dhekodik.exeC:\Windows\system32\Dhekodik.exe4⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2772 -
C:\Windows\SysWOW64\Dbkolmia.exeC:\Windows\system32\Dbkolmia.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2740 -
C:\Windows\SysWOW64\Dekhnh32.exeC:\Windows\system32\Dekhnh32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2900 -
C:\Windows\SysWOW64\Dabicikf.exeC:\Windows\system32\Dabicikf.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2804 -
C:\Windows\SysWOW64\Dgoakpjn.exeC:\Windows\system32\Dgoakpjn.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3056 -
C:\Windows\SysWOW64\Dmiihjak.exeC:\Windows\system32\Dmiihjak.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2236 -
C:\Windows\SysWOW64\Epjbienl.exeC:\Windows\system32\Epjbienl.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1300 -
C:\Windows\SysWOW64\Elqcnfdp.exeC:\Windows\system32\Elqcnfdp.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1204 -
C:\Windows\SysWOW64\Egfglocf.exeC:\Windows\system32\Egfglocf.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1108 -
C:\Windows\SysWOW64\Eekdmk32.exeC:\Windows\system32\Eekdmk32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1620 -
C:\Windows\SysWOW64\Ecodfogg.exeC:\Windows\system32\Ecodfogg.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1976 -
C:\Windows\SysWOW64\Fofekp32.exeC:\Windows\system32\Fofekp32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1728 -
C:\Windows\SysWOW64\Fdcncg32.exeC:\Windows\system32\Fdcncg32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2440 -
C:\Windows\SysWOW64\Febjmj32.exeC:\Windows\system32\Febjmj32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2332 -
C:\Windows\SysWOW64\Fnnobl32.exeC:\Windows\system32\Fnnobl32.exe18⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2000 -
C:\Windows\SysWOW64\Fakhhk32.exeC:\Windows\system32\Fakhhk32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2028 -
C:\Windows\SysWOW64\Fdjddf32.exeC:\Windows\system32\Fdjddf32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1740 -
C:\Windows\SysWOW64\Fdlqjf32.exeC:\Windows\system32\Fdlqjf32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1632 -
C:\Windows\SysWOW64\Gfmmanif.exeC:\Windows\system32\Gfmmanif.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2044 -
C:\Windows\SysWOW64\Ggmjkapi.exeC:\Windows\system32\Ggmjkapi.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1816 -
C:\Windows\SysWOW64\Gmjbchnq.exeC:\Windows\system32\Gmjbchnq.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:908 -
C:\Windows\SysWOW64\Gkoodd32.exeC:\Windows\system32\Gkoodd32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2444 -
C:\Windows\SysWOW64\Gdgcnj32.exeC:\Windows\system32\Gdgcnj32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2016 -
C:\Windows\SysWOW64\Gfgpgmql.exeC:\Windows\system32\Gfgpgmql.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2352 -
C:\Windows\SysWOW64\Hqpahkmj.exeC:\Windows\system32\Hqpahkmj.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2968 -
C:\Windows\SysWOW64\Hjieapck.exeC:\Windows\system32\Hjieapck.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1568 -
C:\Windows\SysWOW64\Hjkbfpah.exeC:\Windows\system32\Hjkbfpah.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2564 -
C:\Windows\SysWOW64\Haggijgb.exeC:\Windows\system32\Haggijgb.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2852 -
C:\Windows\SysWOW64\Hchpjddc.exeC:\Windows\system32\Hchpjddc.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2788 -
C:\Windows\SysWOW64\Hiehbl32.exeC:\Windows\system32\Hiehbl32.exe33⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2060 -
C:\Windows\SysWOW64\Ipoqofjh.exeC:\Windows\system32\Ipoqofjh.exe34⤵
- Executes dropped EXE
- Modifies registry class
PID:2940 -
C:\Windows\SysWOW64\Ienfml32.exeC:\Windows\system32\Ienfml32.exe35⤵
- Executes dropped EXE
PID:3068 -
C:\Windows\SysWOW64\Ipcjje32.exeC:\Windows\system32\Ipcjje32.exe36⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:588 -
C:\Windows\SysWOW64\Ihooog32.exeC:\Windows\system32\Ihooog32.exe37⤵
- Executes dropped EXE
PID:1912 -
C:\Windows\SysWOW64\Ilmgef32.exeC:\Windows\system32\Ilmgef32.exe38⤵
- Executes dropped EXE
PID:2528 -
C:\Windows\SysWOW64\Jffhec32.exeC:\Windows\system32\Jffhec32.exe39⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1168 -
C:\Windows\SysWOW64\Jpomnilc.exeC:\Windows\system32\Jpomnilc.exe40⤵
- Executes dropped EXE
PID:1100 -
C:\Windows\SysWOW64\Jfiekc32.exeC:\Windows\system32\Jfiekc32.exe41⤵
- Executes dropped EXE
PID:736 -
C:\Windows\SysWOW64\Jpajdi32.exeC:\Windows\system32\Jpajdi32.exe42⤵
- Executes dropped EXE
PID:2672 -
C:\Windows\SysWOW64\Jepoao32.exeC:\Windows\system32\Jepoao32.exe43⤵
- Executes dropped EXE
PID:2320 -
C:\Windows\SysWOW64\Joicje32.exeC:\Windows\system32\Joicje32.exe44⤵
- Executes dropped EXE
PID:572 -
C:\Windows\SysWOW64\Jlmddi32.exeC:\Windows\system32\Jlmddi32.exe45⤵
- Executes dropped EXE
PID:536 -
C:\Windows\SysWOW64\Kommediq.exeC:\Windows\system32\Kommediq.exe46⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:2540 -
C:\Windows\SysWOW64\Kegebn32.exeC:\Windows\system32\Kegebn32.exe47⤵
- Executes dropped EXE
PID:2208 -
C:\Windows\SysWOW64\Kopikdgn.exeC:\Windows\system32\Kopikdgn.exe48⤵
- Executes dropped EXE
PID:1500 -
C:\Windows\SysWOW64\Lnipgp32.exeC:\Windows\system32\Lnipgp32.exe49⤵
- Executes dropped EXE
PID:1020 -
C:\Windows\SysWOW64\Lfedlb32.exeC:\Windows\system32\Lfedlb32.exe50⤵
- Executes dropped EXE
PID:3020 -
C:\Windows\SysWOW64\Lnlmmo32.exeC:\Windows\system32\Lnlmmo32.exe51⤵
- Executes dropped EXE
PID:3024 -
C:\Windows\SysWOW64\Lomidgkl.exeC:\Windows\system32\Lomidgkl.exe52⤵
- Executes dropped EXE
- Modifies registry class
PID:2972 -
C:\Windows\SysWOW64\Lgdafeln.exeC:\Windows\system32\Lgdafeln.exe53⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1676 -
C:\Windows\SysWOW64\Lhenmm32.exeC:\Windows\system32\Lhenmm32.exe54⤵
- Executes dropped EXE
PID:2124 -
C:\Windows\SysWOW64\Lpmeojbo.exeC:\Windows\system32\Lpmeojbo.exe55⤵
- Executes dropped EXE
PID:2224 -
C:\Windows\SysWOW64\Lckbkfbb.exeC:\Windows\system32\Lckbkfbb.exe56⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2568 -
C:\Windows\SysWOW64\Lfingaaf.exeC:\Windows\system32\Lfingaaf.exe57⤵
- Executes dropped EXE
PID:2860 -
C:\Windows\SysWOW64\Llcfck32.exeC:\Windows\system32\Llcfck32.exe58⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2768 -
C:\Windows\SysWOW64\Lbpolb32.exeC:\Windows\system32\Lbpolb32.exe59⤵
- Executes dropped EXE
PID:1028 -
C:\Windows\SysWOW64\Lflklaoc.exeC:\Windows\system32\Lflklaoc.exe60⤵
- Executes dropped EXE
PID:648 -
C:\Windows\SysWOW64\Llfcik32.exeC:\Windows\system32\Llfcik32.exe61⤵
- Executes dropped EXE
PID:2692 -
C:\Windows\SysWOW64\Lodoefed.exeC:\Windows\system32\Lodoefed.exe62⤵
- Executes dropped EXE
PID:2140 -
C:\Windows\SysWOW64\Mfngbq32.exeC:\Windows\system32\Mfngbq32.exe63⤵
- Executes dropped EXE
PID:1148 -
C:\Windows\SysWOW64\Mkkpjg32.exeC:\Windows\system32\Mkkpjg32.exe64⤵
- Executes dropped EXE
- Modifies registry class
PID:2964 -
C:\Windows\SysWOW64\Mdcdcmai.exeC:\Windows\system32\Mdcdcmai.exe65⤵
- Executes dropped EXE
PID:1748 -
C:\Windows\SysWOW64\Mnlilb32.exeC:\Windows\system32\Mnlilb32.exe66⤵PID:2156
-
C:\Windows\SysWOW64\Mchadifq.exeC:\Windows\system32\Mchadifq.exe67⤵PID:1640
-
C:\Windows\SysWOW64\Mjbiac32.exeC:\Windows\system32\Mjbiac32.exe68⤵PID:1928
-
C:\Windows\SysWOW64\Mqlbnnej.exeC:\Windows\system32\Mqlbnnej.exe69⤵PID:2432
-
C:\Windows\SysWOW64\Mfijfdca.exeC:\Windows\system32\Mfijfdca.exe70⤵PID:1712
-
C:\Windows\SysWOW64\Mnpbgbdd.exeC:\Windows\system32\Mnpbgbdd.exe71⤵
- System Location Discovery: System Language Discovery
PID:2176 -
C:\Windows\SysWOW64\Mqoocmcg.exeC:\Windows\system32\Mqoocmcg.exe72⤵
- Drops file in System32 directory
PID:2232 -
C:\Windows\SysWOW64\Mcmkoi32.exeC:\Windows\system32\Mcmkoi32.exe73⤵PID:2256
-
C:\Windows\SysWOW64\Mflgkd32.exeC:\Windows\system32\Mflgkd32.exe74⤵PID:2396
-
C:\Windows\SysWOW64\Nmeohnil.exeC:\Windows\system32\Nmeohnil.exe75⤵PID:2996
-
C:\Windows\SysWOW64\Njipabhe.exeC:\Windows\system32\Njipabhe.exe76⤵
- System Location Discovery: System Language Discovery
PID:2152 -
C:\Windows\SysWOW64\Nilpmo32.exeC:\Windows\system32\Nilpmo32.exe77⤵PID:2820
-
C:\Windows\SysWOW64\Ncbdjhnf.exeC:\Windows\system32\Ncbdjhnf.exe78⤵PID:1952
-
C:\Windows\SysWOW64\Niombolm.exeC:\Windows\system32\Niombolm.exe79⤵PID:1696
-
C:\Windows\SysWOW64\Nlmiojla.exeC:\Windows\system32\Nlmiojla.exe80⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2812 -
C:\Windows\SysWOW64\Nbgakd32.exeC:\Windows\system32\Nbgakd32.exe81⤵PID:1716
-
C:\Windows\SysWOW64\Nhdjdk32.exeC:\Windows\system32\Nhdjdk32.exe82⤵PID:2032
-
C:\Windows\SysWOW64\Nbinad32.exeC:\Windows\system32\Nbinad32.exe83⤵PID:2808
-
C:\Windows\SysWOW64\Nhffikob.exeC:\Windows\system32\Nhffikob.exe84⤵PID:2144
-
C:\Windows\SysWOW64\Naokbq32.exeC:\Windows\system32\Naokbq32.exe85⤵PID:2608
-
C:\Windows\SysWOW64\Ojgokflc.exeC:\Windows\system32\Ojgokflc.exe86⤵PID:1464
-
C:\Windows\SysWOW64\Oaaghp32.exeC:\Windows\system32\Oaaghp32.exe87⤵PID:1004
-
C:\Windows\SysWOW64\Ofnppgbh.exeC:\Windows\system32\Ofnppgbh.exe88⤵PID:568
-
C:\Windows\SysWOW64\Oacdmpan.exeC:\Windows\system32\Oacdmpan.exe89⤵
- Drops file in System32 directory
PID:2560 -
C:\Windows\SysWOW64\Ohmljj32.exeC:\Windows\system32\Ohmljj32.exe90⤵PID:524
-
C:\Windows\SysWOW64\Omjeba32.exeC:\Windows\system32\Omjeba32.exe91⤵PID:2724
-
C:\Windows\SysWOW64\Obgmjh32.exeC:\Windows\system32\Obgmjh32.exe92⤵PID:2892
-
C:\Windows\SysWOW64\Oiqegb32.exeC:\Windows\system32\Oiqegb32.exe93⤵PID:2132
-
C:\Windows\SysWOW64\Opkndldc.exeC:\Windows\system32\Opkndldc.exe94⤵
- Modifies registry class
PID:2748 -
C:\Windows\SysWOW64\Oegflcbj.exeC:\Windows\system32\Oegflcbj.exe95⤵PID:2264
-
C:\Windows\SysWOW64\Plaoim32.exeC:\Windows\system32\Plaoim32.exe96⤵PID:1648
-
C:\Windows\SysWOW64\Pejcab32.exeC:\Windows\system32\Pejcab32.exe97⤵PID:1492
-
C:\Windows\SysWOW64\Pldknmhd.exeC:\Windows\system32\Pldknmhd.exe98⤵
- System Location Discovery: System Language Discovery
PID:2932 -
C:\Windows\SysWOW64\Pelpgb32.exeC:\Windows\system32\Pelpgb32.exe99⤵PID:2172
-
C:\Windows\SysWOW64\Plfhdlfb.exeC:\Windows\system32\Plfhdlfb.exe100⤵PID:2068
-
C:\Windows\SysWOW64\Pdamhocm.exeC:\Windows\system32\Pdamhocm.exe101⤵PID:1036
-
C:\Windows\SysWOW64\Pogaeg32.exeC:\Windows\system32\Pogaeg32.exe102⤵PID:1552
-
C:\Windows\SysWOW64\Peaibajp.exeC:\Windows\system32\Peaibajp.exe103⤵PID:1088
-
C:\Windows\SysWOW64\Pahjgb32.exeC:\Windows\system32\Pahjgb32.exe104⤵PID:1664
-
C:\Windows\SysWOW64\Phabdmgq.exeC:\Windows\system32\Phabdmgq.exe105⤵
- System Location Discovery: System Language Discovery
PID:2364 -
C:\Windows\SysWOW64\Qnoklc32.exeC:\Windows\system32\Qnoklc32.exe106⤵
- System Location Discovery: System Language Discovery
PID:984 -
C:\Windows\SysWOW64\Qckcdj32.exeC:\Windows\system32\Qckcdj32.exe107⤵
- Modifies registry class
PID:2584 -
C:\Windows\SysWOW64\Qnagbc32.exeC:\Windows\system32\Qnagbc32.exe108⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2640 -
C:\Windows\SysWOW64\Acnpjj32.exeC:\Windows\system32\Acnpjj32.exe109⤵PID:2356
-
C:\Windows\SysWOW64\Ajghgd32.exeC:\Windows\system32\Ajghgd32.exe110⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3052 -
C:\Windows\SysWOW64\Aodqok32.exeC:\Windows\system32\Aodqok32.exe111⤵PID:1152
-
C:\Windows\SysWOW64\Aglhph32.exeC:\Windows\system32\Aglhph32.exe112⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2388 -
C:\Windows\SysWOW64\Alhaho32.exeC:\Windows\system32\Alhaho32.exe113⤵PID:2260
-
C:\Windows\SysWOW64\Ahoamplo.exeC:\Windows\system32\Ahoamplo.exe114⤵PID:852
-
C:\Windows\SysWOW64\Aagfffbo.exeC:\Windows\system32\Aagfffbo.exe115⤵
- System Location Discovery: System Language Discovery
PID:808 -
C:\Windows\SysWOW64\Almjcobe.exeC:\Windows\system32\Almjcobe.exe116⤵PID:1812
-
C:\Windows\SysWOW64\Abjcleqm.exeC:\Windows\system32\Abjcleqm.exe117⤵PID:868
-
C:\Windows\SysWOW64\Akbgdkgm.exeC:\Windows\system32\Akbgdkgm.exe118⤵PID:664
-
C:\Windows\SysWOW64\Bqopmbed.exeC:\Windows\system32\Bqopmbed.exe119⤵PID:2880
-
C:\Windows\SysWOW64\Bkddjkej.exeC:\Windows\system32\Bkddjkej.exe120⤵PID:2240
-
C:\Windows\SysWOW64\Bdmhcp32.exeC:\Windows\system32\Bdmhcp32.exe121⤵PID:2720
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-