Analysis
-
max time kernel
111s -
max time network
18s -
platform
windows7_x64 -
resource
win7-20240704-en -
resource tags
arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system -
submitted
21-08-2024 02:18
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
c59b2fe3166e3472a4f04a0bc7b03470N.exe
Resource
win7-20240704-en
windows7-x64
7 signatures
120 seconds
Behavioral task
behavioral2
Sample
c59b2fe3166e3472a4f04a0bc7b03470N.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
7 signatures
120 seconds
General
-
Target
c59b2fe3166e3472a4f04a0bc7b03470N.exe
-
Size
63KB
-
MD5
c59b2fe3166e3472a4f04a0bc7b03470
-
SHA1
cd56c28340dd0e383645f47b84a23dece9a20e88
-
SHA256
5b992c94f5810cb974f56cd008d95764525ca36a8daa35b941f7f4371848f154
-
SHA512
4c7297abddaed6a082f93847bb289c33d36970dfefd40918bfe5a6409c261966f03224fd59e04d7e489a34cd26d6d29c0fbf67e5de21832dddec51b0aa8f401d
-
SSDEEP
1536:XQ5speJSxOn9wlQaelnD7KdzVH1juIZo:XAspeJSxOnulQTlD7KdzVH1juIZo
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fclkldqe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Agakog32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dheljhof.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ghqqpd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bbimbpld.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iigehk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hjcajn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jojnglco.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ldkeoo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Deljfqmf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kgcbpemp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Elpqemll.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eoecbheg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dadcppbp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Epinhg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Appfggjm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Imchcplm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kfnmnojj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nnfbmgcj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bcdbjl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fcgdjmlo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bgagnjbi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eigbfb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hnimeg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ciebdj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cappnf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ldkeoo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jdhmel32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Koeeoljm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Epgabhdg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oqdioaqf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ehphdf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lighjd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cemebcnf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lhbjmg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ompgqonl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Emncci32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fdjddf32.exe -
Executes dropped EXE 64 IoCs
pid Process 1800 Agnjge32.exe 2780 Ajociq32.exe 2796 Ajapoqmf.exe 2756 Afhpca32.exe 2776 Bemmenhb.exe 2656 Bfmjoqoe.exe 1976 Bnhncclq.exe 2188 Baigen32.exe 2736 Bjalndpb.exe 608 Cmaeoo32.exe 2980 Ckfeic32.exe 3032 Cpbnaj32.exe 2220 Clnhajlc.exe 1984 Dibhjokm.exe 1940 Dekeeonn.exe 1720 Dgoobg32.exe 1272 Dadcppbp.exe 800 Echlmh32.exe 2524 Elpqemll.exe 1260 Ecjibgdh.exe 1744 Elbmkm32.exe 3060 Efkbdbai.exe 2460 Ebabicfn.exe 2996 Eoecbheg.exe 1916 Fqilppic.exe 1624 Fqkieogp.exe 2732 Fjdnne32.exe 2880 Fjfjcdln.exe 2104 Fcoolj32.exe 2740 Gbdlnf32.exe 2648 Gmipko32.exe 1960 Gbfhcf32.exe 2020 Gpjilj32.exe 2280 Gfdaid32.exe 2928 Ghenamai.exe 2696 Hjhchg32.exe 1608 Hdqhambg.exe 1748 Hpghfn32.exe 3036 Iboghh32.exe 2156 Ieppjclf.exe 1956 Imkeneja.exe 1304 Iokahhac.exe 2520 Ihcfan32.exe 1792 Jnbkodci.exe 1544 Jempcgad.exe 2408 Jlghpa32.exe 1764 Jpeafo32.exe 700 Jjneoeeh.exe 2572 Jojnglco.exe 1300 Kdgfpbaf.exe 2828 Komjmk32.exe 2836 Kdjceb32.exe 2824 Kghoan32.exe 2940 Knbgnhfd.exe 2700 Kgjlgm32.exe 1900 Kjihci32.exe 692 Kqcqpc32.exe 1724 Kjkehhjf.exe 1372 Kmjaddii.exe 1636 Kgoebmip.exe 2200 Lmlnjcgg.exe 1784 Lgabgl32.exe 2056 Ljpnch32.exe 2324 Lomglo32.exe -
Loads dropped DLL 64 IoCs
pid Process 1612 c59b2fe3166e3472a4f04a0bc7b03470N.exe 1612 c59b2fe3166e3472a4f04a0bc7b03470N.exe 1800 Agnjge32.exe 1800 Agnjge32.exe 2780 Ajociq32.exe 2780 Ajociq32.exe 2796 Ajapoqmf.exe 2796 Ajapoqmf.exe 2756 Afhpca32.exe 2756 Afhpca32.exe 2776 Bemmenhb.exe 2776 Bemmenhb.exe 2656 Bfmjoqoe.exe 2656 Bfmjoqoe.exe 1976 Bnhncclq.exe 1976 Bnhncclq.exe 2188 Baigen32.exe 2188 Baigen32.exe 2736 Bjalndpb.exe 2736 Bjalndpb.exe 608 Cmaeoo32.exe 608 Cmaeoo32.exe 2980 Ckfeic32.exe 2980 Ckfeic32.exe 3032 Cpbnaj32.exe 3032 Cpbnaj32.exe 2220 Clnhajlc.exe 2220 Clnhajlc.exe 1984 Dibhjokm.exe 1984 Dibhjokm.exe 1940 Dekeeonn.exe 1940 Dekeeonn.exe 1720 Dgoobg32.exe 1720 Dgoobg32.exe 1272 Dadcppbp.exe 1272 Dadcppbp.exe 800 Echlmh32.exe 800 Echlmh32.exe 2524 Elpqemll.exe 2524 Elpqemll.exe 1260 Ecjibgdh.exe 1260 Ecjibgdh.exe 1744 Elbmkm32.exe 1744 Elbmkm32.exe 3060 Efkbdbai.exe 3060 Efkbdbai.exe 2460 Ebabicfn.exe 2460 Ebabicfn.exe 2996 Eoecbheg.exe 2996 Eoecbheg.exe 1916 Fqilppic.exe 1916 Fqilppic.exe 1624 Fqkieogp.exe 1624 Fqkieogp.exe 2732 Fjdnne32.exe 2732 Fjdnne32.exe 2880 Fjfjcdln.exe 2880 Fjfjcdln.exe 2104 Fcoolj32.exe 2104 Fcoolj32.exe 2740 Gbdlnf32.exe 2740 Gbdlnf32.exe 2648 Gmipko32.exe 2648 Gmipko32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Apdobg32.exe Aeokdn32.exe File created C:\Windows\SysWOW64\Qnommd32.dll Process not Found File created C:\Windows\SysWOW64\Imokbhjf.exe Process not Found File created C:\Windows\SysWOW64\Ejqakjgg.dll Process not Found File created C:\Windows\SysWOW64\Gmjjblih.dll Process not Found File created C:\Windows\SysWOW64\Fdjddf32.exe Faikbkhj.exe File created C:\Windows\SysWOW64\Bfppgohb.exe Bacgohjk.exe File opened for modification C:\Windows\SysWOW64\Lbjlnd32.exe Lgehpk32.exe File opened for modification C:\Windows\SysWOW64\Faljqcmk.exe Fagqed32.exe File opened for modification C:\Windows\SysWOW64\Lobgah32.exe Lppgfkpd.exe File created C:\Windows\SysWOW64\Djokgk32.exe Dpggnfap.exe File created C:\Windows\SysWOW64\Gmfblfeb.dll Process not Found File opened for modification C:\Windows\SysWOW64\Madbll32.exe Process not Found File created C:\Windows\SysWOW64\Onehadbj.exe Odmgnl32.exe File created C:\Windows\SysWOW64\Dpnioi32.dll Iegaha32.exe File created C:\Windows\SysWOW64\Qfedhb32.exe Qahlpkhh.exe File created C:\Windows\SysWOW64\Egmqcllm.dll Aenileon.exe File opened for modification C:\Windows\SysWOW64\Iijdfc32.exe Icmlnmgb.exe File created C:\Windows\SysWOW64\Nibmdpam.dll Dbfaopqo.exe File created C:\Windows\SysWOW64\Jompim32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Akoghnnj.exe Process not Found File opened for modification C:\Windows\SysWOW64\Eocieq32.exe Eghdanac.exe File created C:\Windows\SysWOW64\Kifbahjj.dll Iaegbmlq.exe File opened for modification C:\Windows\SysWOW64\Cmmcae32.exe Clkfjman.exe File created C:\Windows\SysWOW64\Nlqgnc32.dll Dpmeij32.exe File opened for modification C:\Windows\SysWOW64\Dlpdifda.exe Dcgppana.exe File created C:\Windows\SysWOW64\Nphdaeol.exe Process not Found File created C:\Windows\SysWOW64\Dejqenmh.exe Process not Found File created C:\Windows\SysWOW64\Hchhlj32.dll Inffdd32.exe File opened for modification C:\Windows\SysWOW64\Lljolodf.exe Kemjieol.exe File created C:\Windows\SysWOW64\Ppelfbol.exe Pmgpjgph.exe File created C:\Windows\SysWOW64\Dldndf32.exe Dghekobe.exe File created C:\Windows\SysWOW64\Konpjafp.exe Process not Found File created C:\Windows\SysWOW64\Klaggn32.dll Gkimff32.exe File created C:\Windows\SysWOW64\Ekiaac32.exe Djiegp32.exe File opened for modification C:\Windows\SysWOW64\Nldgdpjf.exe Mpmfoodb.exe File created C:\Windows\SysWOW64\Oaqeogll.exe Ngkaaolf.exe File opened for modification C:\Windows\SysWOW64\Pdljjplb.exe Pkcfak32.exe File created C:\Windows\SysWOW64\Oncaei32.dll Pmgnan32.exe File opened for modification C:\Windows\SysWOW64\Gpihog32.exe Gjmpfp32.exe File created C:\Windows\SysWOW64\Iegaha32.exe Ilolol32.exe File created C:\Windows\SysWOW64\Gjhfkqdm.exe Fpnekc32.exe File opened for modification C:\Windows\SysWOW64\Iapghlbe.exe Idlgohcl.exe File created C:\Windows\SysWOW64\Gipahplk.dll Jbmgapgc.exe File created C:\Windows\SysWOW64\Pkopjh32.exe Phacnm32.exe File created C:\Windows\SysWOW64\Kkdnke32.exe Kaliaphd.exe File opened for modification C:\Windows\SysWOW64\Mgebfi32.exe Mafmhcam.exe File opened for modification C:\Windows\SysWOW64\Ehbdif32.exe Enmplm32.exe File created C:\Windows\SysWOW64\Biodkpfp.dll Pjdlkeln.exe File created C:\Windows\SysWOW64\Bchmolkm.exe Apjdin32.exe File created C:\Windows\SysWOW64\Injnfl32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Lqdfmihh.exe Process not Found File created C:\Windows\SysWOW64\Cojfkela.dll Process not Found File created C:\Windows\SysWOW64\Jqfaka32.dll Process not Found File created C:\Windows\SysWOW64\Gqhadmhc.exe Gjnigb32.exe File created C:\Windows\SysWOW64\Deljfqmf.exe Dieiap32.exe File opened for modification C:\Windows\SysWOW64\Oikcicfl.exe Ofmgmhgh.exe File created C:\Windows\SysWOW64\Mqhhbn32.exe Mgodjico.exe File created C:\Windows\SysWOW64\Mjeffc32.exe Mdhnnl32.exe File created C:\Windows\SysWOW64\Pdgnnfme.dll Pelpgb32.exe File opened for modification C:\Windows\SysWOW64\Ighfecdb.exe Iomaaa32.exe File opened for modification C:\Windows\SysWOW64\Nhmpmcaq.exe Process not Found File opened for modification C:\Windows\SysWOW64\Mapjjdjb.exe Lhgeao32.exe File created C:\Windows\SysWOW64\Hcghffen.exe Hkkcbdhc.exe -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dlcceboa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Acbieing.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eajhgg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ogiegc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mlidplcf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jgeobdkc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kmbclj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lhbjmg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Epmahmcm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jgdmkhnp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gjephakn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Akhkkmdh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ajoebigm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kekkkm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Doqmjaac.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Igioiacg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pihbbgjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pkcfak32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hcqcoo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cgpmbgai.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ghqqpd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hfiofefm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nfcoel32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Igeggkoq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qpnkjq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bchmolkm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Agfikc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eoimlc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hegdinpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ocdnloph.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Opkndldc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hkkcbdhc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Poplqm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Blfnin32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mqdbjp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jpnfdbig.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hnecjgch.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fmicnhob.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cqlhlo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eiehilaa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Geehcoaf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ooiepnen.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Edenjc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gdmcbojl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ingmoj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fecool32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ejpipf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fhonegbd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Epbamc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gjahfkfg.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fhbaqhmq.dll" Fimclh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dgbiggof.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ioonfaed.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lgcooh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iodhfp32.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Oiifcdhn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hlijpo32.dll" Ofmgmhgh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ppibcink.dll" Elcpdeam.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aeahjn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ebnlba32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkgmpgnq.dll" Kgjelg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjopen32.dll" Odmgnl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfpamd32.dll" Obfiijia.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aabhiikm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Njkjihdl.dll" Ndhooaog.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mdeifinb.dll" Hajdniep.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cpcaeghc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mhegckpd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Eoimlc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oeakle32.dll" Hfjglppd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dbcnpk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qjofljho.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ejqakjgg.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gpfggeai.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pmamliin.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ieplbk32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kjpccn32.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Blcdaojp.dll" Ekdglcmh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ibpjaagi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekoemjgn.dll" Foqadnpq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iiicjf32.dll" Iijdfc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qmomelml.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pedmbg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibbjgneh.dll" Pldknmhd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hpmjno32.dll" Fhifmcfa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gledgkfn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hljljflh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eecpggap.dll" Podbgo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Akafgm32.dll" Ffjghppi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Afbpph32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aoecelol.dll" Bfpkfb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lmjdia32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fdgaibdg.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gkimff32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mkmmpg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bklifdmh.dll" Ahbqliap.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hijeld32.dll" Iopeagip.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfngafnm.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dpofpg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pmbfoh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bboqgikn.dll" Fhfdffll.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gdfdjnfl.dll" Dgehfodh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qpojak32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fhpfpkog.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kcdeqiac.dll" Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1612 wrote to memory of 1800 1612 c59b2fe3166e3472a4f04a0bc7b03470N.exe 30 PID 1612 wrote to memory of 1800 1612 c59b2fe3166e3472a4f04a0bc7b03470N.exe 30 PID 1612 wrote to memory of 1800 1612 c59b2fe3166e3472a4f04a0bc7b03470N.exe 30 PID 1612 wrote to memory of 1800 1612 c59b2fe3166e3472a4f04a0bc7b03470N.exe 30 PID 1800 wrote to memory of 2780 1800 Agnjge32.exe 31 PID 1800 wrote to memory of 2780 1800 Agnjge32.exe 31 PID 1800 wrote to memory of 2780 1800 Agnjge32.exe 31 PID 1800 wrote to memory of 2780 1800 Agnjge32.exe 31 PID 2780 wrote to memory of 2796 2780 Ajociq32.exe 32 PID 2780 wrote to memory of 2796 2780 Ajociq32.exe 32 PID 2780 wrote to memory of 2796 2780 Ajociq32.exe 32 PID 2780 wrote to memory of 2796 2780 Ajociq32.exe 32 PID 2796 wrote to memory of 2756 2796 Ajapoqmf.exe 33 PID 2796 wrote to memory of 2756 2796 Ajapoqmf.exe 33 PID 2796 wrote to memory of 2756 2796 Ajapoqmf.exe 33 PID 2796 wrote to memory of 2756 2796 Ajapoqmf.exe 33 PID 2756 wrote to memory of 2776 2756 Afhpca32.exe 34 PID 2756 wrote to memory of 2776 2756 Afhpca32.exe 34 PID 2756 wrote to memory of 2776 2756 Afhpca32.exe 34 PID 2756 wrote to memory of 2776 2756 Afhpca32.exe 34 PID 2776 wrote to memory of 2656 2776 Bemmenhb.exe 35 PID 2776 wrote to memory of 2656 2776 Bemmenhb.exe 35 PID 2776 wrote to memory of 2656 2776 Bemmenhb.exe 35 PID 2776 wrote to memory of 2656 2776 Bemmenhb.exe 35 PID 2656 wrote to memory of 1976 2656 Bfmjoqoe.exe 36 PID 2656 wrote to memory of 1976 2656 Bfmjoqoe.exe 36 PID 2656 wrote to memory of 1976 2656 Bfmjoqoe.exe 36 PID 2656 wrote to memory of 1976 2656 Bfmjoqoe.exe 36 PID 1976 wrote to memory of 2188 1976 Bnhncclq.exe 37 PID 1976 wrote to memory of 2188 1976 Bnhncclq.exe 37 PID 1976 wrote to memory of 2188 1976 Bnhncclq.exe 37 PID 1976 wrote to memory of 2188 1976 Bnhncclq.exe 37 PID 2188 wrote to memory of 2736 2188 Baigen32.exe 38 PID 2188 wrote to memory of 2736 2188 Baigen32.exe 38 PID 2188 wrote to memory of 2736 2188 Baigen32.exe 38 PID 2188 wrote to memory of 2736 2188 Baigen32.exe 38 PID 2736 wrote to memory of 608 2736 Bjalndpb.exe 39 PID 2736 wrote to memory of 608 2736 Bjalndpb.exe 39 PID 2736 wrote to memory of 608 2736 Bjalndpb.exe 39 PID 2736 wrote to memory of 608 2736 Bjalndpb.exe 39 PID 608 wrote to memory of 2980 608 Cmaeoo32.exe 40 PID 608 wrote to memory of 2980 608 Cmaeoo32.exe 40 PID 608 wrote to memory of 2980 608 Cmaeoo32.exe 40 PID 608 wrote to memory of 2980 608 Cmaeoo32.exe 40 PID 2980 wrote to memory of 3032 2980 Ckfeic32.exe 41 PID 2980 wrote to memory of 3032 2980 Ckfeic32.exe 41 PID 2980 wrote to memory of 3032 2980 Ckfeic32.exe 41 PID 2980 wrote to memory of 3032 2980 Ckfeic32.exe 41 PID 3032 wrote to memory of 2220 3032 Cpbnaj32.exe 42 PID 3032 wrote to memory of 2220 3032 Cpbnaj32.exe 42 PID 3032 wrote to memory of 2220 3032 Cpbnaj32.exe 42 PID 3032 wrote to memory of 2220 3032 Cpbnaj32.exe 42 PID 2220 wrote to memory of 1984 2220 Clnhajlc.exe 43 PID 2220 wrote to memory of 1984 2220 Clnhajlc.exe 43 PID 2220 wrote to memory of 1984 2220 Clnhajlc.exe 43 PID 2220 wrote to memory of 1984 2220 Clnhajlc.exe 43 PID 1984 wrote to memory of 1940 1984 Dibhjokm.exe 44 PID 1984 wrote to memory of 1940 1984 Dibhjokm.exe 44 PID 1984 wrote to memory of 1940 1984 Dibhjokm.exe 44 PID 1984 wrote to memory of 1940 1984 Dibhjokm.exe 44 PID 1940 wrote to memory of 1720 1940 Dekeeonn.exe 45 PID 1940 wrote to memory of 1720 1940 Dekeeonn.exe 45 PID 1940 wrote to memory of 1720 1940 Dekeeonn.exe 45 PID 1940 wrote to memory of 1720 1940 Dekeeonn.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\c59b2fe3166e3472a4f04a0bc7b03470N.exe"C:\Users\Admin\AppData\Local\Temp\c59b2fe3166e3472a4f04a0bc7b03470N.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1612 -
C:\Windows\SysWOW64\Agnjge32.exeC:\Windows\system32\Agnjge32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1800 -
C:\Windows\SysWOW64\Ajociq32.exeC:\Windows\system32\Ajociq32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2780 -
C:\Windows\SysWOW64\Ajapoqmf.exeC:\Windows\system32\Ajapoqmf.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2796 -
C:\Windows\SysWOW64\Afhpca32.exeC:\Windows\system32\Afhpca32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2756 -
C:\Windows\SysWOW64\Bemmenhb.exeC:\Windows\system32\Bemmenhb.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2776 -
C:\Windows\SysWOW64\Bfmjoqoe.exeC:\Windows\system32\Bfmjoqoe.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2656 -
C:\Windows\SysWOW64\Bnhncclq.exeC:\Windows\system32\Bnhncclq.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1976 -
C:\Windows\SysWOW64\Baigen32.exeC:\Windows\system32\Baigen32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2188 -
C:\Windows\SysWOW64\Bjalndpb.exeC:\Windows\system32\Bjalndpb.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2736 -
C:\Windows\SysWOW64\Cmaeoo32.exeC:\Windows\system32\Cmaeoo32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:608 -
C:\Windows\SysWOW64\Ckfeic32.exeC:\Windows\system32\Ckfeic32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2980 -
C:\Windows\SysWOW64\Cpbnaj32.exeC:\Windows\system32\Cpbnaj32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3032 -
C:\Windows\SysWOW64\Clnhajlc.exeC:\Windows\system32\Clnhajlc.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2220 -
C:\Windows\SysWOW64\Dibhjokm.exeC:\Windows\system32\Dibhjokm.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1984 -
C:\Windows\SysWOW64\Dekeeonn.exeC:\Windows\system32\Dekeeonn.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1940 -
C:\Windows\SysWOW64\Dgoobg32.exeC:\Windows\system32\Dgoobg32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1720 -
C:\Windows\SysWOW64\Dadcppbp.exeC:\Windows\system32\Dadcppbp.exe18⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1272 -
C:\Windows\SysWOW64\Echlmh32.exeC:\Windows\system32\Echlmh32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:800 -
C:\Windows\SysWOW64\Elpqemll.exeC:\Windows\system32\Elpqemll.exe20⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2524 -
C:\Windows\SysWOW64\Ecjibgdh.exeC:\Windows\system32\Ecjibgdh.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1260 -
C:\Windows\SysWOW64\Elbmkm32.exeC:\Windows\system32\Elbmkm32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1744 -
C:\Windows\SysWOW64\Efkbdbai.exeC:\Windows\system32\Efkbdbai.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3060 -
C:\Windows\SysWOW64\Ebabicfn.exeC:\Windows\system32\Ebabicfn.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2460 -
C:\Windows\SysWOW64\Eoecbheg.exeC:\Windows\system32\Eoecbheg.exe25⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2996 -
C:\Windows\SysWOW64\Fqilppic.exeC:\Windows\system32\Fqilppic.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1916 -
C:\Windows\SysWOW64\Fqkieogp.exeC:\Windows\system32\Fqkieogp.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1624 -
C:\Windows\SysWOW64\Fjdnne32.exeC:\Windows\system32\Fjdnne32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2732 -
C:\Windows\SysWOW64\Fjfjcdln.exeC:\Windows\system32\Fjfjcdln.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2880 -
C:\Windows\SysWOW64\Fcoolj32.exeC:\Windows\system32\Fcoolj32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2104 -
C:\Windows\SysWOW64\Gbdlnf32.exeC:\Windows\system32\Gbdlnf32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2740 -
C:\Windows\SysWOW64\Gmipko32.exeC:\Windows\system32\Gmipko32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2648 -
C:\Windows\SysWOW64\Gbfhcf32.exeC:\Windows\system32\Gbfhcf32.exe33⤵
- Executes dropped EXE
PID:1960 -
C:\Windows\SysWOW64\Gpjilj32.exeC:\Windows\system32\Gpjilj32.exe34⤵
- Executes dropped EXE
PID:2020 -
C:\Windows\SysWOW64\Gfdaid32.exeC:\Windows\system32\Gfdaid32.exe35⤵
- Executes dropped EXE
PID:2280 -
C:\Windows\SysWOW64\Ghenamai.exeC:\Windows\system32\Ghenamai.exe36⤵
- Executes dropped EXE
PID:2928 -
C:\Windows\SysWOW64\Hjhchg32.exeC:\Windows\system32\Hjhchg32.exe37⤵
- Executes dropped EXE
PID:2696 -
C:\Windows\SysWOW64\Hdqhambg.exeC:\Windows\system32\Hdqhambg.exe38⤵
- Executes dropped EXE
PID:1608 -
C:\Windows\SysWOW64\Hpghfn32.exeC:\Windows\system32\Hpghfn32.exe39⤵
- Executes dropped EXE
PID:1748 -
C:\Windows\SysWOW64\Iboghh32.exeC:\Windows\system32\Iboghh32.exe40⤵
- Executes dropped EXE
PID:3036 -
C:\Windows\SysWOW64\Ieppjclf.exeC:\Windows\system32\Ieppjclf.exe41⤵
- Executes dropped EXE
PID:2156 -
C:\Windows\SysWOW64\Imkeneja.exeC:\Windows\system32\Imkeneja.exe42⤵
- Executes dropped EXE
PID:1956 -
C:\Windows\SysWOW64\Iokahhac.exeC:\Windows\system32\Iokahhac.exe43⤵
- Executes dropped EXE
PID:1304 -
C:\Windows\SysWOW64\Ihcfan32.exeC:\Windows\system32\Ihcfan32.exe44⤵
- Executes dropped EXE
PID:2520 -
C:\Windows\SysWOW64\Jnbkodci.exeC:\Windows\system32\Jnbkodci.exe45⤵
- Executes dropped EXE
PID:1792 -
C:\Windows\SysWOW64\Jempcgad.exeC:\Windows\system32\Jempcgad.exe46⤵
- Executes dropped EXE
PID:1544 -
C:\Windows\SysWOW64\Jlghpa32.exeC:\Windows\system32\Jlghpa32.exe47⤵
- Executes dropped EXE
PID:2408 -
C:\Windows\SysWOW64\Jpeafo32.exeC:\Windows\system32\Jpeafo32.exe48⤵
- Executes dropped EXE
PID:1764 -
C:\Windows\SysWOW64\Jjneoeeh.exeC:\Windows\system32\Jjneoeeh.exe49⤵
- Executes dropped EXE
PID:700 -
C:\Windows\SysWOW64\Jojnglco.exeC:\Windows\system32\Jojnglco.exe50⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2572 -
C:\Windows\SysWOW64\Kdgfpbaf.exeC:\Windows\system32\Kdgfpbaf.exe51⤵
- Executes dropped EXE
PID:1300 -
C:\Windows\SysWOW64\Komjmk32.exeC:\Windows\system32\Komjmk32.exe52⤵
- Executes dropped EXE
PID:2828 -
C:\Windows\SysWOW64\Kdjceb32.exeC:\Windows\system32\Kdjceb32.exe53⤵
- Executes dropped EXE
PID:2836 -
C:\Windows\SysWOW64\Kghoan32.exeC:\Windows\system32\Kghoan32.exe54⤵
- Executes dropped EXE
PID:2824 -
C:\Windows\SysWOW64\Knbgnhfd.exeC:\Windows\system32\Knbgnhfd.exe55⤵
- Executes dropped EXE
PID:2940 -
C:\Windows\SysWOW64\Kgjlgm32.exeC:\Windows\system32\Kgjlgm32.exe56⤵
- Executes dropped EXE
PID:2700 -
C:\Windows\SysWOW64\Kjihci32.exeC:\Windows\system32\Kjihci32.exe57⤵
- Executes dropped EXE
PID:1900 -
C:\Windows\SysWOW64\Kqcqpc32.exeC:\Windows\system32\Kqcqpc32.exe58⤵
- Executes dropped EXE
PID:692 -
C:\Windows\SysWOW64\Kjkehhjf.exeC:\Windows\system32\Kjkehhjf.exe59⤵
- Executes dropped EXE
PID:1724 -
C:\Windows\SysWOW64\Kmjaddii.exeC:\Windows\system32\Kmjaddii.exe60⤵
- Executes dropped EXE
PID:1372 -
C:\Windows\SysWOW64\Kgoebmip.exeC:\Windows\system32\Kgoebmip.exe61⤵
- Executes dropped EXE
PID:1636 -
C:\Windows\SysWOW64\Lmlnjcgg.exeC:\Windows\system32\Lmlnjcgg.exe62⤵
- Executes dropped EXE
PID:2200 -
C:\Windows\SysWOW64\Lgabgl32.exeC:\Windows\system32\Lgabgl32.exe63⤵
- Executes dropped EXE
PID:1784 -
C:\Windows\SysWOW64\Ljpnch32.exeC:\Windows\system32\Ljpnch32.exe64⤵
- Executes dropped EXE
PID:2056 -
C:\Windows\SysWOW64\Lomglo32.exeC:\Windows\system32\Lomglo32.exe65⤵
- Executes dropped EXE
PID:2324 -
C:\Windows\SysWOW64\Ljbkig32.exeC:\Windows\system32\Ljbkig32.exe66⤵PID:2012
-
C:\Windows\SysWOW64\Lmqgec32.exeC:\Windows\system32\Lmqgec32.exe67⤵PID:276
-
C:\Windows\SysWOW64\Lckpbm32.exeC:\Windows\system32\Lckpbm32.exe68⤵PID:2132
-
C:\Windows\SysWOW64\Lighjd32.exeC:\Windows\system32\Lighjd32.exe69⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2464 -
C:\Windows\SysWOW64\Lbplciof.exeC:\Windows\system32\Lbplciof.exe70⤵PID:2236
-
C:\Windows\SysWOW64\Lgmekpmn.exeC:\Windows\system32\Lgmekpmn.exe71⤵PID:2268
-
C:\Windows\SysWOW64\Lbbiii32.exeC:\Windows\system32\Lbbiii32.exe72⤵PID:2900
-
C:\Windows\SysWOW64\Mgoaap32.exeC:\Windows\system32\Mgoaap32.exe73⤵PID:2640
-
C:\Windows\SysWOW64\Mecbjd32.exeC:\Windows\system32\Mecbjd32.exe74⤵PID:2680
-
C:\Windows\SysWOW64\Mlmjgnaa.exeC:\Windows\system32\Mlmjgnaa.exe75⤵PID:2116
-
C:\Windows\SysWOW64\Majcoepi.exeC:\Windows\system32\Majcoepi.exe76⤵PID:1828
-
C:\Windows\SysWOW64\Mjbghkfi.exeC:\Windows\system32\Mjbghkfi.exe77⤵PID:576
-
C:\Windows\SysWOW64\Mcjlap32.exeC:\Windows\system32\Mcjlap32.exe78⤵PID:1088
-
C:\Windows\SysWOW64\Migdig32.exeC:\Windows\system32\Migdig32.exe79⤵PID:584
-
C:\Windows\SysWOW64\Mbpibm32.exeC:\Windows\system32\Mbpibm32.exe80⤵PID:2488
-
C:\Windows\SysWOW64\Mmemoe32.exeC:\Windows\system32\Mmemoe32.exe81⤵PID:2228
-
C:\Windows\SysWOW64\Nfmahkhh.exeC:\Windows\system32\Nfmahkhh.exe82⤵PID:1740
-
C:\Windows\SysWOW64\Nbdbml32.exeC:\Windows\system32\Nbdbml32.exe83⤵PID:2404
-
C:\Windows\SysWOW64\Nhakecld.exeC:\Windows\system32\Nhakecld.exe84⤵PID:2584
-
C:\Windows\SysWOW64\Nbfobllj.exeC:\Windows\system32\Nbfobllj.exe85⤵PID:2260
-
C:\Windows\SysWOW64\Nhcgkbja.exeC:\Windows\system32\Nhcgkbja.exe86⤵PID:1004
-
C:\Windows\SysWOW64\Nalldh32.exeC:\Windows\system32\Nalldh32.exe87⤵PID:2868
-
C:\Windows\SysWOW64\Nlapaapg.exeC:\Windows\system32\Nlapaapg.exe88⤵PID:2844
-
C:\Windows\SysWOW64\Nanhihno.exeC:\Windows\system32\Nanhihno.exe89⤵PID:2660
-
C:\Windows\SysWOW64\Ngkaaolf.exeC:\Windows\system32\Ngkaaolf.exe90⤵
- Drops file in System32 directory
PID:1192 -
C:\Windows\SysWOW64\Oaqeogll.exeC:\Windows\system32\Oaqeogll.exe91⤵PID:2400
-
C:\Windows\SysWOW64\Ogmngn32.exeC:\Windows\system32\Ogmngn32.exe92⤵PID:792
-
C:\Windows\SysWOW64\Opebpdad.exeC:\Windows\system32\Opebpdad.exe93⤵PID:2832
-
C:\Windows\SysWOW64\Ocdnloph.exeC:\Windows\system32\Ocdnloph.exe94⤵
- System Location Discovery: System Language Discovery
PID:1520 -
C:\Windows\SysWOW64\Omjbihpn.exeC:\Windows\system32\Omjbihpn.exe95⤵PID:1648
-
C:\Windows\SysWOW64\Odckfb32.exeC:\Windows\system32\Odckfb32.exe96⤵PID:756
-
C:\Windows\SysWOW64\Oeegnj32.exeC:\Windows\system32\Oeegnj32.exe97⤵PID:856
-
C:\Windows\SysWOW64\Opjlkc32.exeC:\Windows\system32\Opjlkc32.exe98⤵PID:1516
-
C:\Windows\SysWOW64\Oegdcj32.exeC:\Windows\system32\Oegdcj32.exe99⤵PID:3000
-
C:\Windows\SysWOW64\Opmhqc32.exeC:\Windows\system32\Opmhqc32.exe100⤵PID:1592
-
C:\Windows\SysWOW64\Peiaij32.exeC:\Windows\system32\Peiaij32.exe101⤵PID:2644
-
C:\Windows\SysWOW64\Plcied32.exeC:\Windows\system32\Plcied32.exe102⤵PID:2684
-
C:\Windows\SysWOW64\Papank32.exeC:\Windows\system32\Papank32.exe103⤵PID:2688
-
C:\Windows\SysWOW64\Pdonjf32.exeC:\Windows\system32\Pdonjf32.exe104⤵PID:972
-
C:\Windows\SysWOW64\Podbgo32.exeC:\Windows\system32\Podbgo32.exe105⤵
- Modifies registry class
PID:3024 -
C:\Windows\SysWOW64\Penjdien.exeC:\Windows\system32\Penjdien.exe106⤵PID:2052
-
C:\Windows\SysWOW64\Pofomolo.exeC:\Windows\system32\Pofomolo.exe107⤵PID:2360
-
C:\Windows\SysWOW64\Phocfd32.exeC:\Windows\system32\Phocfd32.exe108⤵PID:2216
-
C:\Windows\SysWOW64\Pnllnk32.exeC:\Windows\system32\Pnllnk32.exe109⤵PID:1492
-
C:\Windows\SysWOW64\Pgdpgqgg.exeC:\Windows\system32\Pgdpgqgg.exe110⤵PID:2580
-
C:\Windows\SysWOW64\Qjeihl32.exeC:\Windows\system32\Qjeihl32.exe111⤵PID:1536
-
C:\Windows\SysWOW64\Qoaaqb32.exeC:\Windows\system32\Qoaaqb32.exe112⤵PID:2768
-
C:\Windows\SysWOW64\Ajgfnk32.exeC:\Windows\system32\Ajgfnk32.exe113⤵PID:2892
-
C:\Windows\SysWOW64\Abbjbnoq.exeC:\Windows\system32\Abbjbnoq.exe114⤵PID:3008
-
C:\Windows\SysWOW64\Aalaoipc.exeC:\Windows\system32\Aalaoipc.exe115⤵PID:2392
-
C:\Windows\SysWOW64\Agfikc32.exeC:\Windows\system32\Agfikc32.exe116⤵
- System Location Discovery: System Language Discovery
PID:2208 -
C:\Windows\SysWOW64\Ablmilgf.exeC:\Windows\system32\Ablmilgf.exe117⤵PID:2984
-
C:\Windows\SysWOW64\Bfncbp32.exeC:\Windows\system32\Bfncbp32.exe118⤵PID:1564
-
C:\Windows\SysWOW64\Bacgohjk.exeC:\Windows\system32\Bacgohjk.exe119⤵
- Drops file in System32 directory
PID:744 -
C:\Windows\SysWOW64\Bfppgohb.exeC:\Windows\system32\Bfppgohb.exe120⤵PID:1572
-
C:\Windows\SysWOW64\Biolckgf.exeC:\Windows\system32\Biolckgf.exe121⤵PID:876
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-