Analysis
-
max time kernel
119s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20240708-en -
resource tags
arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system -
submitted
20-08-2024 05:16
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
76b58cdf15ffd1587239f3726ec4e6d0N.exe
Resource
win7-20240708-en
windows7-x64
7 signatures
120 seconds
Behavioral task
behavioral2
Sample
76b58cdf15ffd1587239f3726ec4e6d0N.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
7 signatures
120 seconds
General
-
Target
76b58cdf15ffd1587239f3726ec4e6d0N.exe
-
Size
256KB
-
MD5
76b58cdf15ffd1587239f3726ec4e6d0
-
SHA1
dcd6849591ce2f76a82acf966dd4240579f2a098
-
SHA256
a521c9c268e00c6288e61f05f4b28dc21502693b451d1ffe9e23cca54c987fc6
-
SHA512
8e4ab1df93e2fdc2edf26623e3eed0be5a393f9a9b591f388cec35780f3243aa864995ed66d503053b40ba1aaf38f878757342c0be3b05036ded2ca943886805
-
SSDEEP
6144:MP5c0mLeG49C81NByvZ6Mxv5Rar3O6B9fZSLhZmzbBy9:8m09C8HByvNv54B9f01ZmHBy9
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Abinjdad.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Onjgkf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Pcnfdl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Chggdoee.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gaplfinb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ldjmidcj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Acadchoo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Plbmom32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ekghcq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Pbblkaea.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iafofkkf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Llebnfpe.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gbffjmmp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lbojjq32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lilomj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jgjmoace.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mcofid32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pgaahh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aiqjao32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Efmlqigc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aicfgn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aankkqfl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ddppmclb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Kgocid32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qcjoci32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Abbhje32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pgodcich.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Aahimb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Lfdpjp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ngoleb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ojpaeq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Nhcebj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Cnflae32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Cojeomee.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ejfllhao.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qfkgdd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Abgaeddg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Aankkqfl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Plbmom32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Afcdpi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ccpqjfnh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Bdodmlcm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bbfnchfb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Bfjkphjd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cgqmpkfg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iaaekl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jfojpn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Aicfgn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Chjmmnnb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hdgkicek.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Manjaldo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jcfgoadd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dcjjkkji.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ilemce32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ioefdpne.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ioefdpne.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bkcfjk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Iklfia32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Lmbabj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Mkdbea32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ollqllod.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Gpjfcali.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jjfmem32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Momapqgn.exe -
Executes dropped EXE 64 IoCs
pid Process 2684 Nobndj32.exe 2664 Ncnjeh32.exe 2844 Nflfad32.exe 2724 Odacbpee.exe 2628 Onjgkf32.exe 1928 Oiokholk.exe 2256 Obhpad32.exe 2536 Oiahnnji.exe 1908 Oehicoom.exe 2864 Okbapi32.exe 1644 Pcnfdl32.exe 2388 Pflbpg32.exe 588 Ppdfimji.exe 2156 Pglojj32.exe 2432 Pbepkh32.exe 2428 Pfqlkfoc.exe 1820 Piohgbng.exe 1372 Pefhlcdk.exe 2468 Plpqim32.exe 2128 Ppkmjlca.exe 1008 Pfeeff32.exe 2452 Plbmom32.exe 2308 Qpniokan.exe 2932 Qifnhaho.exe 2780 Qncfphff.exe 2680 Qemomb32.exe 2800 Qhkkim32.exe 2584 Anecfgdc.exe 2552 Adblnnbk.exe 2964 Ajldkhjh.exe 2276 Amjpgdik.exe 1256 Ahpddmia.exe 2736 Afcdpi32.exe 1500 Aahimb32.exe 2320 Abjeejep.exe 780 Apnfno32.exe 1476 Aifjgdkj.exe 2000 Aocbokia.exe 2072 Bfjkphjd.exe 1708 Bhkghqpb.exe 2160 Boeoek32.exe 2380 Baclaf32.exe 1516 Bhndnpnp.exe 1532 Blipno32.exe 2028 Bbchkime.exe 2924 Beadgdli.exe 900 Bimphc32.exe 3052 Bknmok32.exe 1580 Bceeqi32.exe 2716 Bedamd32.exe 2812 Bhbmip32.exe 2676 Blniinac.exe 2268 Bnofaf32.exe 1208 Bakaaepk.exe 2364 Bdinnqon.exe 2384 Bkcfjk32.exe 2108 Cnabffeo.exe 1712 Cppobaeb.exe 2360 Chggdoee.exe 2456 Cjhckg32.exe 2116 Caokmd32.exe 1248 Cdngip32.exe 1856 Cglcek32.exe 1584 Cnflae32.exe -
Loads dropped DLL 64 IoCs
pid Process 2648 76b58cdf15ffd1587239f3726ec4e6d0N.exe 2648 76b58cdf15ffd1587239f3726ec4e6d0N.exe 2684 Nobndj32.exe 2684 Nobndj32.exe 2664 Ncnjeh32.exe 2664 Ncnjeh32.exe 2844 Nflfad32.exe 2844 Nflfad32.exe 2724 Odacbpee.exe 2724 Odacbpee.exe 2628 Onjgkf32.exe 2628 Onjgkf32.exe 1928 Oiokholk.exe 1928 Oiokholk.exe 2256 Obhpad32.exe 2256 Obhpad32.exe 2536 Oiahnnji.exe 2536 Oiahnnji.exe 1908 Oehicoom.exe 1908 Oehicoom.exe 2864 Okbapi32.exe 2864 Okbapi32.exe 1644 Pcnfdl32.exe 1644 Pcnfdl32.exe 2388 Pflbpg32.exe 2388 Pflbpg32.exe 588 Ppdfimji.exe 588 Ppdfimji.exe 2156 Pglojj32.exe 2156 Pglojj32.exe 2432 Pbepkh32.exe 2432 Pbepkh32.exe 2428 Pfqlkfoc.exe 2428 Pfqlkfoc.exe 1820 Piohgbng.exe 1820 Piohgbng.exe 1372 Pefhlcdk.exe 1372 Pefhlcdk.exe 2468 Plpqim32.exe 2468 Plpqim32.exe 2128 Ppkmjlca.exe 2128 Ppkmjlca.exe 1008 Pfeeff32.exe 1008 Pfeeff32.exe 2452 Plbmom32.exe 2452 Plbmom32.exe 2308 Qpniokan.exe 2308 Qpniokan.exe 2932 Qifnhaho.exe 2932 Qifnhaho.exe 2780 Qncfphff.exe 2780 Qncfphff.exe 2680 Qemomb32.exe 2680 Qemomb32.exe 2800 Qhkkim32.exe 2800 Qhkkim32.exe 2584 Anecfgdc.exe 2584 Anecfgdc.exe 2552 Adblnnbk.exe 2552 Adblnnbk.exe 2964 Ajldkhjh.exe 2964 Ajldkhjh.exe 2276 Amjpgdik.exe 2276 Amjpgdik.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Gmkjgfmf.exe Gedbfimc.exe File created C:\Windows\SysWOW64\Ghekhd32.exe Gefolhja.exe File created C:\Windows\SysWOW64\Hafbghhj.exe Hkmjjn32.exe File opened for modification C:\Windows\SysWOW64\Mdgmbhgh.exe Meemgk32.exe File created C:\Windows\SysWOW64\Lkkckf32.dll Nedifo32.exe File created C:\Windows\SysWOW64\Dgqion32.exe Ddbmcb32.exe File created C:\Windows\SysWOW64\Einebddd.exe Efoifiep.exe File created C:\Windows\SysWOW64\Ldjmidcj.exe Llcehg32.exe File created C:\Windows\SysWOW64\Mqpfnk32.dll Pjbjjc32.exe File opened for modification C:\Windows\SysWOW64\Bknmok32.exe Bimphc32.exe File created C:\Windows\SysWOW64\Ekghcq32.exe Ejfllhao.exe File created C:\Windows\SysWOW64\Ihnjmf32.exe Ifpnaj32.exe File created C:\Windows\SysWOW64\Aegkfpah.exe Abinjdad.exe File created C:\Windows\SysWOW64\Lpcafg32.dll Aocbokia.exe File created C:\Windows\SysWOW64\Pcppbl32.dll Hoalia32.exe File opened for modification C:\Windows\SysWOW64\Lbojjq32.exe Lodnjboi.exe File created C:\Windows\SysWOW64\Bacefpbg.exe Bodhjdcc.exe File opened for modification C:\Windows\SysWOW64\Gdnibdmf.exe Gaplfinb.exe File created C:\Windows\SysWOW64\Jjejnabb.dll Hganjo32.exe File created C:\Windows\SysWOW64\Djmiejji.exe Dgnminke.exe File opened for modification C:\Windows\SysWOW64\Hkmjjn32.exe Hganjo32.exe File created C:\Windows\SysWOW64\Nomklqkm.dll Jegdgj32.exe File opened for modification C:\Windows\SysWOW64\Kaekljjo.exe Knfopnkk.exe File created C:\Windows\SysWOW64\Ngonaccp.dll Nohddd32.exe File created C:\Windows\SysWOW64\Oellihpf.dll Qjdgpcmd.exe File created C:\Windows\SysWOW64\Okbapi32.exe Oehicoom.exe File created C:\Windows\SysWOW64\Boeoek32.exe Bhkghqpb.exe File created C:\Windows\SysWOW64\Hjnhlm32.dll Bmnofp32.exe File created C:\Windows\SysWOW64\Llaqkn32.dll Anpooe32.exe File created C:\Windows\SysWOW64\Flffpf32.dll Bphaglgo.exe File created C:\Windows\SysWOW64\Jmhdkakc.dll Chbihc32.exe File created C:\Windows\SysWOW64\Mqmojc32.dll Hdbbnd32.exe File created C:\Windows\SysWOW64\Jalolq32.dll Joebccpp.exe File opened for modification C:\Windows\SysWOW64\Llcehg32.exe Lidilk32.exe File created C:\Windows\SysWOW64\Pgodcich.exe Peqhgmdd.exe File opened for modification C:\Windows\SysWOW64\Pnnfkb32.exe Pjbjjc32.exe File opened for modification C:\Windows\SysWOW64\Pglojj32.exe Ppdfimji.exe File opened for modification C:\Windows\SysWOW64\Qpniokan.exe Plbmom32.exe File created C:\Windows\SysWOW64\Bpfebmia.exe Bacefpbg.exe File created C:\Windows\SysWOW64\Hjlkkhne.dll Chjmmnnb.exe File created C:\Windows\SysWOW64\Nhcebj32.exe Nedifo32.exe File created C:\Windows\SysWOW64\Bchmahjj.dll Palbgn32.exe File opened for modification C:\Windows\SysWOW64\Bkcfjk32.exe Bdinnqon.exe File created C:\Windows\SysWOW64\Efmlqigc.exe Ecnpdnho.exe File created C:\Windows\SysWOW64\Hmfmkjdf.exe Hocmpm32.exe File opened for modification C:\Windows\SysWOW64\Hlbpme32.exe Hjddaj32.exe File opened for modification C:\Windows\SysWOW64\Nloachkf.exe Nhcebj32.exe File opened for modification C:\Windows\SysWOW64\Anecfgdc.exe Qhkkim32.exe File created C:\Windows\SysWOW64\Ahpddmia.exe Amjpgdik.exe File created C:\Windows\SysWOW64\Kbpnkm32.exe Kndbko32.exe File created C:\Windows\SysWOW64\Lbjlop32.dll Magdam32.exe File opened for modification C:\Windows\SysWOW64\Ainmlomf.exe Acadchoo.exe File opened for modification C:\Windows\SysWOW64\Djoeki32.exe Dgqion32.exe File created C:\Windows\SysWOW64\Gbhcpmkm.exe Gpjfcali.exe File created C:\Windows\SysWOW64\Cppobaeb.exe Cnabffeo.exe File created C:\Windows\SysWOW64\Negeln32.exe Nommodjj.exe File opened for modification C:\Windows\SysWOW64\Negeln32.exe Nommodjj.exe File opened for modification C:\Windows\SysWOW64\Ncnjeh32.exe Nobndj32.exe File opened for modification C:\Windows\SysWOW64\Qhkkim32.exe Qemomb32.exe File created C:\Windows\SysWOW64\Bfqhifni.dll Mheeif32.exe File created C:\Windows\SysWOW64\Djqdbbek.dll Plpqim32.exe File created C:\Windows\SysWOW64\Lilomj32.exe Ladgkmlj.exe File created C:\Windows\SysWOW64\Aljmbknm.exe Ailqfooi.exe File created C:\Windows\SysWOW64\Comjjjlc.dll Alaccj32.exe -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Anecfgdc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fllaopcg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gkedjo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hadfah32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Peqhgmdd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ecnpdnho.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gfoeel32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hofjem32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nommodjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Plbmom32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fnadkjlc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nedifo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ddppmclb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gllnnc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ilemce32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Keiqlihp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ejabqi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hpicbe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jegdgj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Abbhje32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pbepkh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bakaaepk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dgnminke.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Egebjmdn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fefcmehe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hdbbnd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dcjjkkji.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dbadagln.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lhlbbg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bimphc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lfdpjp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nlanhh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Noagjc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fjaoplho.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ifpnaj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cdngip32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ihbdhepp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lmbabj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hekefkig.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jkopndcb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mmdkfmjc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aejglo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fhglop32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gbmlkl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kghmhegc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bpfebmia.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bpmkbl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ijimli32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kmnlhg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Llcehg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pcmoie32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Obhpad32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ccgnelll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oomjng32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bfbjdf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aocbokia.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Blniinac.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cccdjl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Klhbdclg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oqepgk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cobhdhha.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aegkfpah.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hgckoofa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mhalngad.exe -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Gdnibdmf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Mgfiocfl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Pgodcich.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ailqfooi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Mdoccg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Qifnhaho.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Clkicbfa.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Dkbbinig.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nqmice32.dll" Icabeo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Knikfnih.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbmdoe32.dll" Lilomj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghbakjma.dll" Bakaaepk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Meemgk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nkkndgbj.dll" Odcimipf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Pajeanhf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Hchoop32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Geiilj32.dll" Kelmbifm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Lbkaoalg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Mdgmbhgh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Qpniokan.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bgjond32.dll" Dbdagg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmkhejmb.dll" Glbdnbpk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Nnbjpqoa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdnnjcdh.dll" Epqgopbi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Gbmlkl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Idghhf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Beggec32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Jdlacfca.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Jbfkeo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hqmnfa32.dll" Kapaaj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Njldiiel.dll" Ljbipolj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ogmkne32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Clhecl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Aocbokia.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Pnnfkb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Bdodmlcm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aeelon32.dll" Bhndnpnp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ddmchcnd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Nndgeplo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Bmelpa32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Lofkoamf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Nhqhmj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Oiokholk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Abjeejep.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Fbfjkj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Fdlpnamm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nijjfj32.dll" Jqpebg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Kcajceke.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kkggemii.dll" Qmepanje.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qamnbhdj.dll" Bkkioeig.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Edalmn32.dll" Beggec32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Okbapi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpcafg32.dll" Aocbokia.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpfjap32.dll" Cglcek32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Jqeomfgc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Pbdipa32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Bkcfjk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Inhcgajk.dll" Dhdfmbjc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ipqicdim.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Magdam32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Bbikig32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ppdfimji.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Piohgbng.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Gbjpem32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2648 wrote to memory of 2684 2648 76b58cdf15ffd1587239f3726ec4e6d0N.exe 30 PID 2648 wrote to memory of 2684 2648 76b58cdf15ffd1587239f3726ec4e6d0N.exe 30 PID 2648 wrote to memory of 2684 2648 76b58cdf15ffd1587239f3726ec4e6d0N.exe 30 PID 2648 wrote to memory of 2684 2648 76b58cdf15ffd1587239f3726ec4e6d0N.exe 30 PID 2684 wrote to memory of 2664 2684 Nobndj32.exe 31 PID 2684 wrote to memory of 2664 2684 Nobndj32.exe 31 PID 2684 wrote to memory of 2664 2684 Nobndj32.exe 31 PID 2684 wrote to memory of 2664 2684 Nobndj32.exe 31 PID 2664 wrote to memory of 2844 2664 Ncnjeh32.exe 32 PID 2664 wrote to memory of 2844 2664 Ncnjeh32.exe 32 PID 2664 wrote to memory of 2844 2664 Ncnjeh32.exe 32 PID 2664 wrote to memory of 2844 2664 Ncnjeh32.exe 32 PID 2844 wrote to memory of 2724 2844 Nflfad32.exe 33 PID 2844 wrote to memory of 2724 2844 Nflfad32.exe 33 PID 2844 wrote to memory of 2724 2844 Nflfad32.exe 33 PID 2844 wrote to memory of 2724 2844 Nflfad32.exe 33 PID 2724 wrote to memory of 2628 2724 Odacbpee.exe 34 PID 2724 wrote to memory of 2628 2724 Odacbpee.exe 34 PID 2724 wrote to memory of 2628 2724 Odacbpee.exe 34 PID 2724 wrote to memory of 2628 2724 Odacbpee.exe 34 PID 2628 wrote to memory of 1928 2628 Onjgkf32.exe 35 PID 2628 wrote to memory of 1928 2628 Onjgkf32.exe 35 PID 2628 wrote to memory of 1928 2628 Onjgkf32.exe 35 PID 2628 wrote to memory of 1928 2628 Onjgkf32.exe 35 PID 1928 wrote to memory of 2256 1928 Oiokholk.exe 36 PID 1928 wrote to memory of 2256 1928 Oiokholk.exe 36 PID 1928 wrote to memory of 2256 1928 Oiokholk.exe 36 PID 1928 wrote to memory of 2256 1928 Oiokholk.exe 36 PID 2256 wrote to memory of 2536 2256 Obhpad32.exe 37 PID 2256 wrote to memory of 2536 2256 Obhpad32.exe 37 PID 2256 wrote to memory of 2536 2256 Obhpad32.exe 37 PID 2256 wrote to memory of 2536 2256 Obhpad32.exe 37 PID 2536 wrote to memory of 1908 2536 Oiahnnji.exe 38 PID 2536 wrote to memory of 1908 2536 Oiahnnji.exe 38 PID 2536 wrote to memory of 1908 2536 Oiahnnji.exe 38 PID 2536 wrote to memory of 1908 2536 Oiahnnji.exe 38 PID 1908 wrote to memory of 2864 1908 Oehicoom.exe 39 PID 1908 wrote to memory of 2864 1908 Oehicoom.exe 39 PID 1908 wrote to memory of 2864 1908 Oehicoom.exe 39 PID 1908 wrote to memory of 2864 1908 Oehicoom.exe 39 PID 2864 wrote to memory of 1644 2864 Okbapi32.exe 40 PID 2864 wrote to memory of 1644 2864 Okbapi32.exe 40 PID 2864 wrote to memory of 1644 2864 Okbapi32.exe 40 PID 2864 wrote to memory of 1644 2864 Okbapi32.exe 40 PID 1644 wrote to memory of 2388 1644 Pcnfdl32.exe 41 PID 1644 wrote to memory of 2388 1644 Pcnfdl32.exe 41 PID 1644 wrote to memory of 2388 1644 Pcnfdl32.exe 41 PID 1644 wrote to memory of 2388 1644 Pcnfdl32.exe 41 PID 2388 wrote to memory of 588 2388 Pflbpg32.exe 42 PID 2388 wrote to memory of 588 2388 Pflbpg32.exe 42 PID 2388 wrote to memory of 588 2388 Pflbpg32.exe 42 PID 2388 wrote to memory of 588 2388 Pflbpg32.exe 42 PID 588 wrote to memory of 2156 588 Ppdfimji.exe 43 PID 588 wrote to memory of 2156 588 Ppdfimji.exe 43 PID 588 wrote to memory of 2156 588 Ppdfimji.exe 43 PID 588 wrote to memory of 2156 588 Ppdfimji.exe 43 PID 2156 wrote to memory of 2432 2156 Pglojj32.exe 44 PID 2156 wrote to memory of 2432 2156 Pglojj32.exe 44 PID 2156 wrote to memory of 2432 2156 Pglojj32.exe 44 PID 2156 wrote to memory of 2432 2156 Pglojj32.exe 44 PID 2432 wrote to memory of 2428 2432 Pbepkh32.exe 45 PID 2432 wrote to memory of 2428 2432 Pbepkh32.exe 45 PID 2432 wrote to memory of 2428 2432 Pbepkh32.exe 45 PID 2432 wrote to memory of 2428 2432 Pbepkh32.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\76b58cdf15ffd1587239f3726ec4e6d0N.exe"C:\Users\Admin\AppData\Local\Temp\76b58cdf15ffd1587239f3726ec4e6d0N.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2648 -
C:\Windows\SysWOW64\Nobndj32.exeC:\Windows\system32\Nobndj32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2684 -
C:\Windows\SysWOW64\Ncnjeh32.exeC:\Windows\system32\Ncnjeh32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2664 -
C:\Windows\SysWOW64\Nflfad32.exeC:\Windows\system32\Nflfad32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2844 -
C:\Windows\SysWOW64\Odacbpee.exeC:\Windows\system32\Odacbpee.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2724 -
C:\Windows\SysWOW64\Onjgkf32.exeC:\Windows\system32\Onjgkf32.exe6⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2628 -
C:\Windows\SysWOW64\Oiokholk.exeC:\Windows\system32\Oiokholk.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1928 -
C:\Windows\SysWOW64\Obhpad32.exeC:\Windows\system32\Obhpad32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2256 -
C:\Windows\SysWOW64\Oiahnnji.exeC:\Windows\system32\Oiahnnji.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2536 -
C:\Windows\SysWOW64\Oehicoom.exeC:\Windows\system32\Oehicoom.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1908 -
C:\Windows\SysWOW64\Okbapi32.exeC:\Windows\system32\Okbapi32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2864 -
C:\Windows\SysWOW64\Pcnfdl32.exeC:\Windows\system32\Pcnfdl32.exe12⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1644 -
C:\Windows\SysWOW64\Pflbpg32.exeC:\Windows\system32\Pflbpg32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2388 -
C:\Windows\SysWOW64\Ppdfimji.exeC:\Windows\system32\Ppdfimji.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:588 -
C:\Windows\SysWOW64\Pglojj32.exeC:\Windows\system32\Pglojj32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2156 -
C:\Windows\SysWOW64\Pbepkh32.exeC:\Windows\system32\Pbepkh32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2432 -
C:\Windows\SysWOW64\Pfqlkfoc.exeC:\Windows\system32\Pfqlkfoc.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2428 -
C:\Windows\SysWOW64\Piohgbng.exeC:\Windows\system32\Piohgbng.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1820 -
C:\Windows\SysWOW64\Pefhlcdk.exeC:\Windows\system32\Pefhlcdk.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1372 -
C:\Windows\SysWOW64\Plpqim32.exeC:\Windows\system32\Plpqim32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2468 -
C:\Windows\SysWOW64\Ppkmjlca.exeC:\Windows\system32\Ppkmjlca.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2128 -
C:\Windows\SysWOW64\Pfeeff32.exeC:\Windows\system32\Pfeeff32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1008 -
C:\Windows\SysWOW64\Plbmom32.exeC:\Windows\system32\Plbmom32.exe23⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2452 -
C:\Windows\SysWOW64\Qpniokan.exeC:\Windows\system32\Qpniokan.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2308 -
C:\Windows\SysWOW64\Qifnhaho.exeC:\Windows\system32\Qifnhaho.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2932 -
C:\Windows\SysWOW64\Qncfphff.exeC:\Windows\system32\Qncfphff.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2780 -
C:\Windows\SysWOW64\Qemomb32.exeC:\Windows\system32\Qemomb32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2680 -
C:\Windows\SysWOW64\Qhkkim32.exeC:\Windows\system32\Qhkkim32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2800 -
C:\Windows\SysWOW64\Anecfgdc.exeC:\Windows\system32\Anecfgdc.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2584 -
C:\Windows\SysWOW64\Adblnnbk.exeC:\Windows\system32\Adblnnbk.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2552 -
C:\Windows\SysWOW64\Ajldkhjh.exeC:\Windows\system32\Ajldkhjh.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2964 -
C:\Windows\SysWOW64\Amjpgdik.exeC:\Windows\system32\Amjpgdik.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2276 -
C:\Windows\SysWOW64\Ahpddmia.exeC:\Windows\system32\Ahpddmia.exe33⤵
- Executes dropped EXE
PID:1256 -
C:\Windows\SysWOW64\Afcdpi32.exeC:\Windows\system32\Afcdpi32.exe34⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2736 -
C:\Windows\SysWOW64\Aahimb32.exeC:\Windows\system32\Aahimb32.exe35⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1500 -
C:\Windows\SysWOW64\Abjeejep.exeC:\Windows\system32\Abjeejep.exe36⤵
- Executes dropped EXE
- Modifies registry class
PID:2320 -
C:\Windows\SysWOW64\Apnfno32.exeC:\Windows\system32\Apnfno32.exe37⤵
- Executes dropped EXE
PID:780 -
C:\Windows\SysWOW64\Aifjgdkj.exeC:\Windows\system32\Aifjgdkj.exe38⤵
- Executes dropped EXE
PID:1476 -
C:\Windows\SysWOW64\Aocbokia.exeC:\Windows\system32\Aocbokia.exe39⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2000 -
C:\Windows\SysWOW64\Bfjkphjd.exeC:\Windows\system32\Bfjkphjd.exe40⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2072 -
C:\Windows\SysWOW64\Bhkghqpb.exeC:\Windows\system32\Bhkghqpb.exe41⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1708 -
C:\Windows\SysWOW64\Boeoek32.exeC:\Windows\system32\Boeoek32.exe42⤵
- Executes dropped EXE
PID:2160 -
C:\Windows\SysWOW64\Baclaf32.exeC:\Windows\system32\Baclaf32.exe43⤵
- Executes dropped EXE
PID:2380 -
C:\Windows\SysWOW64\Bhndnpnp.exeC:\Windows\system32\Bhndnpnp.exe44⤵
- Executes dropped EXE
- Modifies registry class
PID:1516 -
C:\Windows\SysWOW64\Blipno32.exeC:\Windows\system32\Blipno32.exe45⤵
- Executes dropped EXE
PID:1532 -
C:\Windows\SysWOW64\Bbchkime.exeC:\Windows\system32\Bbchkime.exe46⤵
- Executes dropped EXE
PID:2028 -
C:\Windows\SysWOW64\Beadgdli.exeC:\Windows\system32\Beadgdli.exe47⤵
- Executes dropped EXE
PID:2924 -
C:\Windows\SysWOW64\Bimphc32.exeC:\Windows\system32\Bimphc32.exe48⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:900 -
C:\Windows\SysWOW64\Bknmok32.exeC:\Windows\system32\Bknmok32.exe49⤵
- Executes dropped EXE
PID:3052 -
C:\Windows\SysWOW64\Bceeqi32.exeC:\Windows\system32\Bceeqi32.exe50⤵
- Executes dropped EXE
PID:1580 -
C:\Windows\SysWOW64\Bedamd32.exeC:\Windows\system32\Bedamd32.exe51⤵
- Executes dropped EXE
PID:2716 -
C:\Windows\SysWOW64\Bhbmip32.exeC:\Windows\system32\Bhbmip32.exe52⤵
- Executes dropped EXE
PID:2812 -
C:\Windows\SysWOW64\Blniinac.exeC:\Windows\system32\Blniinac.exe53⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2676 -
C:\Windows\SysWOW64\Bnofaf32.exeC:\Windows\system32\Bnofaf32.exe54⤵
- Executes dropped EXE
PID:2268 -
C:\Windows\SysWOW64\Bakaaepk.exeC:\Windows\system32\Bakaaepk.exe55⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1208 -
C:\Windows\SysWOW64\Bdinnqon.exeC:\Windows\system32\Bdinnqon.exe56⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2364 -
C:\Windows\SysWOW64\Bkcfjk32.exeC:\Windows\system32\Bkcfjk32.exe57⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:2384 -
C:\Windows\SysWOW64\Cnabffeo.exeC:\Windows\system32\Cnabffeo.exe58⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2108 -
C:\Windows\SysWOW64\Cppobaeb.exeC:\Windows\system32\Cppobaeb.exe59⤵
- Executes dropped EXE
PID:1712 -
C:\Windows\SysWOW64\Chggdoee.exeC:\Windows\system32\Chggdoee.exe60⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2360 -
C:\Windows\SysWOW64\Cjhckg32.exeC:\Windows\system32\Cjhckg32.exe61⤵
- Executes dropped EXE
PID:2456 -
C:\Windows\SysWOW64\Caokmd32.exeC:\Windows\system32\Caokmd32.exe62⤵
- Executes dropped EXE
PID:2116 -
C:\Windows\SysWOW64\Cdngip32.exeC:\Windows\system32\Cdngip32.exe63⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1248 -
C:\Windows\SysWOW64\Cglcek32.exeC:\Windows\system32\Cglcek32.exe64⤵
- Executes dropped EXE
- Modifies registry class
PID:1856 -
C:\Windows\SysWOW64\Cnflae32.exeC:\Windows\system32\Cnflae32.exe65⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1584 -
C:\Windows\SysWOW64\Cpdhna32.exeC:\Windows\system32\Cpdhna32.exe66⤵PID:1968
-
C:\Windows\SysWOW64\Cccdjl32.exeC:\Windows\system32\Cccdjl32.exe67⤵
- System Location Discovery: System Language Discovery
PID:764 -
C:\Windows\SysWOW64\Cjmmffgn.exeC:\Windows\system32\Cjmmffgn.exe68⤵PID:2900
-
C:\Windows\SysWOW64\Clkicbfa.exeC:\Windows\system32\Clkicbfa.exe69⤵
- Modifies registry class
PID:2788 -
C:\Windows\SysWOW64\Cojeomee.exeC:\Windows\system32\Cojeomee.exe70⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2672 -
C:\Windows\SysWOW64\Cgqmpkfg.exeC:\Windows\system32\Cgqmpkfg.exe71⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2572 -
C:\Windows\SysWOW64\Cfcmlg32.exeC:\Windows\system32\Cfcmlg32.exe72⤵PID:1848
-
C:\Windows\SysWOW64\Chbihc32.exeC:\Windows\system32\Chbihc32.exe73⤵
- Drops file in System32 directory
PID:2240 -
C:\Windows\SysWOW64\Coladm32.exeC:\Windows\system32\Coladm32.exe74⤵PID:2180
-
C:\Windows\SysWOW64\Ccgnelll.exeC:\Windows\system32\Ccgnelll.exe75⤵
- System Location Discovery: System Language Discovery
PID:1432 -
C:\Windows\SysWOW64\Djafaf32.exeC:\Windows\system32\Djafaf32.exe76⤵PID:2148
-
C:\Windows\SysWOW64\Dhdfmbjc.exeC:\Windows\system32\Dhdfmbjc.exe77⤵
- Modifies registry class
PID:1964 -
C:\Windows\SysWOW64\Dkbbinig.exeC:\Windows\system32\Dkbbinig.exe78⤵
- Modifies registry class
PID:2444 -
C:\Windows\SysWOW64\Dcjjkkji.exeC:\Windows\system32\Dcjjkkji.exe79⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:2236 -
C:\Windows\SysWOW64\Ddkgbc32.exeC:\Windows\system32\Ddkgbc32.exe80⤵PID:3040
-
C:\Windows\SysWOW64\Dlboca32.exeC:\Windows\system32\Dlboca32.exe81⤵PID:1640
-
C:\Windows\SysWOW64\Doqkpl32.exeC:\Windows\system32\Doqkpl32.exe82⤵PID:1700
-
C:\Windows\SysWOW64\Dboglhna.exeC:\Windows\system32\Dboglhna.exe83⤵PID:3008
-
C:\Windows\SysWOW64\Ddmchcnd.exeC:\Windows\system32\Ddmchcnd.exe84⤵
- Modifies registry class
PID:1920 -
C:\Windows\SysWOW64\Dglpdomh.exeC:\Windows\system32\Dglpdomh.exe85⤵PID:2748
-
C:\Windows\SysWOW64\Dochelmj.exeC:\Windows\system32\Dochelmj.exe86⤵PID:2824
-
C:\Windows\SysWOW64\Dbadagln.exeC:\Windows\system32\Dbadagln.exe87⤵
- System Location Discovery: System Language Discovery
PID:2032 -
C:\Windows\SysWOW64\Ddppmclb.exeC:\Windows\system32\Ddppmclb.exe88⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:1088 -
C:\Windows\SysWOW64\Dgnminke.exeC:\Windows\system32\Dgnminke.exe89⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2488 -
C:\Windows\SysWOW64\Djmiejji.exeC:\Windows\system32\Djmiejji.exe90⤵PID:568
-
C:\Windows\SysWOW64\Dbdagg32.exeC:\Windows\system32\Dbdagg32.exe91⤵
- Modifies registry class
PID:784 -
C:\Windows\SysWOW64\Ddbmcb32.exeC:\Windows\system32\Ddbmcb32.exe92⤵
- Drops file in System32 directory
PID:2348 -
C:\Windows\SysWOW64\Dgqion32.exeC:\Windows\system32\Dgqion32.exe93⤵
- Drops file in System32 directory
PID:2336 -
C:\Windows\SysWOW64\Djoeki32.exeC:\Windows\system32\Djoeki32.exe94⤵PID:1032
-
C:\Windows\SysWOW64\Dmmbge32.exeC:\Windows\system32\Dmmbge32.exe95⤵PID:2772
-
C:\Windows\SysWOW64\Eddjhb32.exeC:\Windows\system32\Eddjhb32.exe96⤵PID:2460
-
C:\Windows\SysWOW64\Egcfdn32.exeC:\Windows\system32\Egcfdn32.exe97⤵PID:3000
-
C:\Windows\SysWOW64\Ejabqi32.exeC:\Windows\system32\Ejabqi32.exe98⤵
- System Location Discovery: System Language Discovery
PID:316 -
C:\Windows\SysWOW64\Empomd32.exeC:\Windows\system32\Empomd32.exe99⤵PID:2836
-
C:\Windows\SysWOW64\Epnkip32.exeC:\Windows\system32\Epnkip32.exe100⤵PID:2644
-
C:\Windows\SysWOW64\Egebjmdn.exeC:\Windows\system32\Egebjmdn.exe101⤵
- System Location Discovery: System Language Discovery
PID:1064 -
C:\Windows\SysWOW64\Ejcofica.exeC:\Windows\system32\Ejcofica.exe102⤵PID:2832
-
C:\Windows\SysWOW64\Embkbdce.exeC:\Windows\system32\Embkbdce.exe103⤵PID:2540
-
C:\Windows\SysWOW64\Epqgopbi.exeC:\Windows\system32\Epqgopbi.exe104⤵
- Modifies registry class
PID:2944 -
C:\Windows\SysWOW64\Ebockkal.exeC:\Windows\system32\Ebockkal.exe105⤵PID:1980
-
C:\Windows\SysWOW64\Ejfllhao.exeC:\Windows\system32\Ejfllhao.exe106⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:1688 -
C:\Windows\SysWOW64\Ekghcq32.exeC:\Windows\system32\Ekghcq32.exe107⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2356 -
C:\Windows\SysWOW64\Ecnpdnho.exeC:\Windows\system32\Ecnpdnho.exe108⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1800 -
C:\Windows\SysWOW64\Efmlqigc.exeC:\Windows\system32\Efmlqigc.exe109⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1528 -
C:\Windows\SysWOW64\Emgdmc32.exeC:\Windows\system32\Emgdmc32.exe110⤵PID:1428
-
C:\Windows\SysWOW64\Epeajo32.exeC:\Windows\system32\Epeajo32.exe111⤵PID:2448
-
C:\Windows\SysWOW64\Enhaeldn.exeC:\Windows\system32\Enhaeldn.exe112⤵PID:2888
-
C:\Windows\SysWOW64\Efoifiep.exeC:\Windows\system32\Efoifiep.exe113⤵
- Drops file in System32 directory
PID:2604 -
C:\Windows\SysWOW64\Einebddd.exeC:\Windows\system32\Einebddd.exe114⤵PID:1656
-
C:\Windows\SysWOW64\Fllaopcg.exeC:\Windows\system32\Fllaopcg.exe115⤵
- System Location Discovery: System Language Discovery
PID:2852 -
C:\Windows\SysWOW64\Fnjnkkbk.exeC:\Windows\system32\Fnjnkkbk.exe116⤵PID:572
-
C:\Windows\SysWOW64\Fbfjkj32.exeC:\Windows\system32\Fbfjkj32.exe117⤵
- Modifies registry class
PID:1808 -
C:\Windows\SysWOW64\Fedfgejh.exeC:\Windows\system32\Fedfgejh.exe118⤵PID:2408
-
C:\Windows\SysWOW64\Fhbbcail.exeC:\Windows\system32\Fhbbcail.exe119⤵PID:1768
-
C:\Windows\SysWOW64\Fjaoplho.exeC:\Windows\system32\Fjaoplho.exe120⤵
- System Location Discovery: System Language Discovery
PID:1728 -
C:\Windows\SysWOW64\Fefcmehe.exeC:\Windows\system32\Fefcmehe.exe121⤵
- System Location Discovery: System Language Discovery
PID:3044
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-