Analysis
max time kernel: 105s
max time network: 16s
platform: windows7_x64
resource: win7-20240704-en
resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
submitted: 22/08/2024, 19:17
Static task: static1
Behavioral task: behavioral1
  Sample: e8a35013efe7968a2b46842a2860ef90N.exe
  Resource: win7-20240704-en
Behavioral task: behavioral2
  Sample: e8a35013efe7968a2b46842a2860ef90N.exe
  Resource: win10v2004-20240802-en
General
Target: e8a35013efe7968a2b46842a2860ef90N.exe
Size: 359KB
MD5: e8a35013efe7968a2b46842a2860ef90
SHA1: 5fe614bd308d48e2e78b19d159cf4f6eb9c8b12d
SHA256: d6fa3d61929706b021c0fa116165109d501101b409682cf0b77f34deedb79659
SHA512: 5f64e423dc3933b7c279058e65f632db350c4cc7711e73f11133248d0db75ab0b199fd32a9a2769b9470da9421943e6e1aa17b6bb7eaaebbba48b3fd8fe0a13e
SSDEEP: 3072:SQVaHM5fZ0kQI8Va3CkfUVuyelbvP5lkzmQ1o0Otw44KmfpKivFM6WpqXWweFqD0:awZprba4Yb31/do
Malware Config
Signatures
- Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
- Executes dropped EXE (64 IoCs)
- Loads dropped DLL (64 IoCs)
- Drops file in System32 directory (64 IoCs)
- System Location Discovery: System Language Discovery (1 TTP, 64 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
- Modifies registry class (64 IoCs)
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target
PID 2120 wrote to memory of 2900 2120 e8a35013efe7968a2b46842a2860ef90N.exe 29
PID 2120 wrote to memory of 2900 2120 e8a35013efe7968a2b46842a2860ef90N.exe 29
PID 2120 wrote to memory of 2900 2120 e8a35013efe7968a2b46842a2860ef90N.exe 29
PID 2120 wrote to memory of 2900 2120 e8a35013efe7968a2b46842a2860ef90N.exe 29
PID 2900 wrote to memory of 2784 2900 Ogldfl32.exe 30
PID 2900 wrote to memory of 2784 2900 Ogldfl32.exe 30
PID 2900 wrote to memory of 2784 2900 Ogldfl32.exe 30
PID 2900 wrote to memory of 2784 2900 Ogldfl32.exe 30
PID 2784 wrote to memory of 2756 2784 Olhmnb32.exe 31
PID 2784 wrote to memory of 2756 2784 Olhmnb32.exe 31
PID 2784 wrote to memory of 2756 2784 Olhmnb32.exe 31
PID 2784 wrote to memory of 2756 2784 Olhmnb32.exe 31
PID 2756 wrote to memory of 2952 2756 Omkidb32.exe 32
PID 2756 wrote to memory of 2952 2756 Omkidb32.exe 32
PID 2756 wrote to memory of 2952 2756 Omkidb32.exe 32
PID 2756 wrote to memory of 2952 2756 Omkidb32.exe 32
PID 2952 wrote to memory of 2884 2952 Pobhfl32.exe 33
PID 2952 wrote to memory of 2884 2952 Pobhfl32.exe 33
PID 2952 wrote to memory of 2884 2952 Pobhfl32.exe 33
PID 2952 wrote to memory of 2884 2952 Pobhfl32.exe 33
PID 2884 wrote to memory of 3052 2884 Qedjib32.exe 34
PID 2884 wrote to memory of 3052 2884 Qedjib32.exe 34
PID 2884 wrote to memory of 3052 2884 Qedjib32.exe 34
PID 2884 wrote to memory of 3052 2884 Qedjib32.exe 34
PID 3052 wrote to memory of 672 3052 Aihmhe32.exe 35
PID 3052 wrote to memory of 672 3052 Aihmhe32.exe 35
PID 3052 wrote to memory of 672 3052 Aihmhe32.exe 35
PID 3052 wrote to memory of 672 3052 Aihmhe32.exe 35
PID 672 wrote to memory of 1348 672 Ahpfoa32.exe 36
PID 672 wrote to memory of 1348 672 Ahpfoa32.exe 36
PID 672 wrote to memory of 1348 672 Ahpfoa32.exe 36
PID 672 wrote to memory of 1348 672 Ahpfoa32.exe 36
PID 1348 wrote to memory of 1700 1348 Bmahbhei.exe 37
PID 1348 wrote to memory of 1700 1348 Bmahbhei.exe 37
PID 1348 wrote to memory of 1700 1348 Bmahbhei.exe 37
PID 1348 wrote to memory of 1700 1348 Bmahbhei.exe 37
PID 1700 wrote to memory of 972 1700 Bfoffmhd.exe 38
PID 1700 wrote to memory of 972 1700 Bfoffmhd.exe 38
PID 1700 wrote to memory of 972 1700 Bfoffmhd.exe 38
PID 1700 wrote to memory of 972 1700 Bfoffmhd.exe 38
PID 972 wrote to memory of 1444 972 Cgcoal32.exe 39
PID 972 wrote to memory of 1444 972 Cgcoal32.exe 39
PID 972 wrote to memory of 1444 972 Cgcoal32.exe 39
PID 972 wrote to memory of 1444 972 Cgcoal32.exe 39
PID 1444 wrote to memory of 432 1444 Ckjnfobi.exe 40
PID 1444 wrote to memory of 432 1444 Ckjnfobi.exe 40
PID 1444 wrote to memory of 432 1444 Ckjnfobi.exe 40
PID 1444 wrote to memory of 432 1444 Ckjnfobi.exe 40
PID 432 wrote to memory of 1792 432 Dddodd32.exe 41
PID 432 wrote to memory of 1792 432 Dddodd32.exe 41
PID 432 wrote to memory of 1792 432 Dddodd32.exe 41
PID 432 wrote to memory of 1792 432 Dddodd32.exe 41
PID 1792 wrote to memory of 2428 1792 Docjpa32.exe 42
PID 1792 wrote to memory of 2428 1792 Docjpa32.exe 42
PID 1792 wrote to memory of 2428 1792 Docjpa32.exe 42
PID 1792 wrote to memory of 2428 1792 Docjpa32.exe 42
PID 2428 wrote to memory of 572 2428 Eogckqkk.exe 43
PID 2428 wrote to memory of 572 2428 Eogckqkk.exe 43
PID 2428 wrote to memory of 572 2428 Eogckqkk.exe 43
PID 2428 wrote to memory of 572 2428 Eogckqkk.exe 43
PID 572 wrote to memory of 1952 572 Eclejclg.exe 44
PID 572 wrote to memory of 1952 572 Eclejclg.exe 44
PID 572 wrote to memory of 1952 572 Eclejclg.exe 44
PID 572 wrote to memory of 1952 572 Eclejclg.exe 44
Processes
-
C:\Users\Admin\AppData\Local\Temp\e8a35013efe7968a2b46842a2860ef90N.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\e8a35013efe7968a2b46842a2860ef90N.exe"
Level: 1
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2120
-
C:\Windows\SysWOW64\Ogldfl32.exe
Command line: C:\Windows\system32\Ogldfl32.exe
Level: 2
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2900
-
C:\Windows\SysWOW64\Olhmnb32.exe
Command line: C:\Windows\system32\Olhmnb32.exe
Level: 3
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2784
-
C:\Windows\SysWOW64\Omkidb32.exe
Command line: C:\Windows\system32\Omkidb32.exe
Level: 4
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2756
-
C:\Windows\SysWOW64\Pobhfl32.exe
Command line: C:\Windows\system32\Pobhfl32.exe
Level: 5
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2952
-
C:\Windows\SysWOW64\Qedjib32.exe
Command line: C:\Windows\system32\Qedjib32.exe
Level: 6
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2884
-
C:\Windows\SysWOW64\Aihmhe32.exe
Command line: C:\Windows\system32\Aihmhe32.exe
Level: 7
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3052
-
C:\Windows\SysWOW64\Ahpfoa32.exe
Command line: C:\Windows\system32\Ahpfoa32.exe
Level: 8
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:672
-
C:\Windows\SysWOW64\Bmahbhei.exe
Command line: C:\Windows\system32\Bmahbhei.exe
Level: 9
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1348
-
C:\Windows\SysWOW64\Bfoffmhd.exe
Command line: C:\Windows\system32\Bfoffmhd.exe
Level: 10
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1700
-
C:\Windows\SysWOW64\Cgcoal32.exe
Command line: C:\Windows\system32\Cgcoal32.exe
Level: 11
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:972
-
C:\Windows\SysWOW64\Ckjnfobi.exe
Command line: C:\Windows\system32\Ckjnfobi.exe
Level: 12
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1444
-
C:\Windows\SysWOW64\Dddodd32.exe
Command line: C:\Windows\system32\Dddodd32.exe
Level: 13
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:432
-
C:\Windows\SysWOW64\Docjpa32.exe
Command line: C:\Windows\system32\Docjpa32.exe
Level: 14
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1792
-
C:\Windows\SysWOW64\Eogckqkk.exe
Command line: C:\Windows\system32\Eogckqkk.exe
Level: 15
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2428
-
C:\Windows\SysWOW64\Eclejclg.exe
Command line: C:\Windows\system32\Eclejclg.exe
Level: 16
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:572
-
C:\Windows\SysWOW64\Edkbdf32.exe
Command line: C:\Windows\system32\Edkbdf32.exe
Level: 17
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1952
-
C:\Windows\SysWOW64\Gdedoegh.exe
Command line: C:\Windows\system32\Gdedoegh.exe
Level: 18
- Executes dropped EXE
- Loads dropped DLL
PID:1308
-
C:\Windows\SysWOW64\Hdjnje32.exe
Command line: C:\Windows\system32\Hdjnje32.exe
Level: 19
- Executes dropped EXE
- Loads dropped DLL
PID:2488
-
C:\Windows\SysWOW64\Hebqbl32.exe
Command line: C:\Windows\system32\Hebqbl32.exe
Level: 20
- Executes dropped EXE
- Loads dropped DLL
PID:1436
-
C:\Windows\SysWOW64\Idgmch32.exe
Command line: C:\Windows\system32\Idgmch32.exe
Level: 21
- Executes dropped EXE
- Loads dropped DLL
PID:2284
-
C:\Windows\SysWOW64\Ikcbfb32.exe
Command line: C:\Windows\system32\Ikcbfb32.exe
Level: 22
- Executes dropped EXE
- Loads dropped DLL
PID:1316
-
C:\Windows\SysWOW64\Ippkni32.exe
Command line: C:\Windows\system32\Ippkni32.exe
Level: 23
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2492
-
C:\Windows\SysWOW64\Ikhlaaif.exe
Command line: C:\Windows\system32\Ikhlaaif.exe
Level: 24
- Executes dropped EXE
- Loads dropped DLL
PID:2056
-
C:\Windows\SysWOW64\Idqpjg32.exe
Command line: C:\Windows\system32\Idqpjg32.exe
Level: 25
- Executes dropped EXE
- Loads dropped DLL
PID:588
-
C:\Windows\SysWOW64\Jhbfcj32.exe
Command line: C:\Windows\system32\Jhbfcj32.exe
Level: 26
- Executes dropped EXE
- Loads dropped DLL
PID:2172
-
C:\Windows\SysWOW64\Jjbbmmih.exe
Command line: C:\Windows\system32\Jjbbmmih.exe
Level: 27
- Executes dropped EXE
- Loads dropped DLL
PID:3064
-
C:\Windows\SysWOW64\Jficbn32.exe
Command line: C:\Windows\system32\Jficbn32.exe
Level: 28
- Executes dropped EXE
- Loads dropped DLL
PID:2316
-
C:\Windows\SysWOW64\Jhjldiln.exe
Command line: C:\Windows\system32\Jhjldiln.exe
Level: 29
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2856
-
C:\Windows\SysWOW64\Jdpmij32.exe
Command line: C:\Windows\system32\Jdpmij32.exe
Level: 30
- Executes dropped EXE
- Loads dropped DLL
PID:2220
-
C:\Windows\SysWOW64\Knkngp32.exe
Command line: C:\Windows\system32\Knkngp32.exe
Level: 31
- Executes dropped EXE
- Loads dropped DLL
PID:2808
-
C:\Windows\SysWOW64\Kjbnlqld.exe
Command line: C:\Windows\system32\Kjbnlqld.exe
Level: 32
- Executes dropped EXE
- Loads dropped DLL
PID:2632
-
C:\Windows\SysWOW64\Koacjg32.exe
Command line: C:\Windows\system32\Koacjg32.exe
Level: 33
- Executes dropped EXE
- Drops file in System32 directory
PID:3060
-
C:\Windows\SysWOW64\Lnhmqc32.exe
Command line: C:\Windows\system32\Lnhmqc32.exe
Level: 34
- Executes dropped EXE
- Drops file in System32 directory
PID:1972
-
C:\Windows\SysWOW64\Lgaaiian.exe
Command line: C:\Windows\system32\Lgaaiian.exe
Level: 35
- Executes dropped EXE
- Drops file in System32 directory
PID:2372
-
C:\Windows\SysWOW64\Liqnclia.exe
Command line: C:\Windows\system32\Liqnclia.exe
Level: 36
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1060
-
C:\Windows\SysWOW64\Ljdgqc32.exe
Command line: C:\Windows\system32\Ljdgqc32.exe
Level: 37
- Executes dropped EXE
PID:1996
-
C:\Windows\SysWOW64\Mmepboin.exe
Command line: C:\Windows\system32\Mmepboin.exe
Level: 38
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1772
-
C:\Windows\SysWOW64\Mmgmhngk.exe
Command line: C:\Windows\system32\Mmgmhngk.exe
Level: 39
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1868
-
C:\Windows\SysWOW64\Mphfji32.exe
Command line: C:\Windows\system32\Mphfji32.exe
Level: 40
- Executes dropped EXE
PID:1752
-
C:\Windows\SysWOW64\Mipjbokm.exe
Command line: C:\Windows\system32\Mipjbokm.exe
Level: 41
- Executes dropped EXE
PID:2196
-
C:\Windows\SysWOW64\Mfdklc32.exe
Command line: C:\Windows\system32\Mfdklc32.exe
Level: 42
- Executes dropped EXE
PID:2148
-
C:\Windows\SysWOW64\Neihmpon.exe
Command line: C:\Windows\system32\Neihmpon.exe
Level: 43
- Executes dropped EXE
PID:2312
-
C:\Windows\SysWOW64\Nlcpjj32.exe
Command line: C:\Windows\system32\Nlcpjj32.exe
Level: 44
- Executes dropped EXE
PID:1376
-
C:\Windows\SysWOW64\Nhjaok32.exe
Command line: C:\Windows\system32\Nhjaok32.exe
Level: 45
- Executes dropped EXE
PID:960
-
C:\Windows\SysWOW64\Ndaaclac.exe
Command line: C:\Windows\system32\Ndaaclac.exe
Level: 46
- Executes dropped EXE
PID:768
-
C:\Windows\SysWOW64\Nmifla32.exe
Command line: C:\Windows\system32\Nmifla32.exe
Level: 47
- Executes dropped EXE
PID:876
-
C:\Windows\SysWOW64\Nhojjjhj.exe
Command line: C:\Windows\system32\Nhojjjhj.exe
Level: 48
- Executes dropped EXE
- Modifies registry class
PID:2088
-
C:\Windows\SysWOW64\Npjonlee.exe
Command line: C:\Windows\system32\Npjonlee.exe
Level: 49
- Executes dropped EXE
PID:3028
-
C:\Windows\SysWOW64\Nibcgb32.exe
Command line: C:\Windows\system32\Nibcgb32.exe
Level: 50
- Executes dropped EXE
PID:2084
-
C:\Windows\SysWOW64\Ockhpgbf.exe
Command line: C:\Windows\system32\Ockhpgbf.exe
Level: 51
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2780
-
C:\Windows\SysWOW64\Ocmdeg32.exe
Command line: C:\Windows\system32\Ocmdeg32.exe
Level: 52
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2788
-
C:\Windows\SysWOW64\Oleinmgd.exe
Command line: C:\Windows\system32\Oleinmgd.exe
Level: 53
- Executes dropped EXE
PID:2892
-
C:\Windows\SysWOW64\Ojijha32.exe
Command line: C:\Windows\system32\Ojijha32.exe
Level: 54
- Executes dropped EXE
PID:2840
-
C:\Windows\SysWOW64\Oofbph32.exe
Command line: C:\Windows\system32\Oofbph32.exe
Level: 55
- Executes dropped EXE
PID:2704
-
C:\Windows\SysWOW64\Ohofimje.exe
Command line: C:\Windows\system32\Ohofimje.exe
Level: 56
- Executes dropped EXE
PID:584
-
C:\Windows\SysWOW64\Ofbgbaio.exe
Command line: C:\Windows\system32\Ofbgbaio.exe
Level: 57
- Executes dropped EXE
PID:2276
-
C:\Windows\SysWOW64\Phcpdm32.exe
Command line: C:\Windows\system32\Phcpdm32.exe
Level: 58
- Executes dropped EXE
PID:2828
-
C:\Windows\SysWOW64\Pqodho32.exe
Command line: C:\Windows\system32\Pqodho32.exe
Level: 59
- Executes dropped EXE
PID:2692
-
C:\Windows\SysWOW64\Pnbeacbd.exe
Command line: C:\Windows\system32\Pnbeacbd.exe
Level: 60
- Executes dropped EXE
PID:1956
-
C:\Windows\SysWOW64\Pdlmnm32.exe
Command line: C:\Windows\system32\Pdlmnm32.exe
Level: 61
- Executes dropped EXE
PID:2992
-
C:\Windows\SysWOW64\Pgmfph32.exe
Command line: C:\Windows\system32\Pgmfph32.exe
Level: 62
- Executes dropped EXE
PID:2104
-
C:\Windows\SysWOW64\Pqekin32.exe
Command line: C:\Windows\system32\Pqekin32.exe
Level: 63
- Executes dropped EXE
- Modifies registry class
PID:2320
-
C:\Windows\SysWOW64\Agkfil32.exe
Command line: C:\Windows\system32\Agkfil32.exe
Level: 64
- Executes dropped EXE
PID:1668
-
C:\Windows\SysWOW64\Acafnm32.exe
Command line: C:\Windows\system32\Acafnm32.exe
Level: 65
- Executes dropped EXE
PID:1508
-
C:\Windows\SysWOW64\Amjkgbhe.exe
Command line: C:\Windows\system32\Amjkgbhe.exe
Level: 66
PID:928
-
C:\Windows\SysWOW64\Ajnlqgfo.exe
Command line: C:\Windows\system32\Ajnlqgfo.exe
Level: 67
PID:1628
-
C:\Windows\SysWOW64\Bichbckg.exe
Command line: C:\Windows\system32\Bichbckg.exe
Level: 68
PID:2076
-
C:\Windows\SysWOW64\Bpmqom32.exe
Command line: C:\Windows\system32\Bpmqom32.exe
Level: 69
- Adds autorun key to be loaded by Explorer.exe on startup
PID:956
-
C:\Windows\SysWOW64\Bckidl32.exe
Command line: C:\Windows\system32\Bckidl32.exe
Level: 70
PID:2760
-
C:\Windows\SysWOW64\Blfnin32.exe
Command line: C:\Windows\system32\Blfnin32.exe
Level: 71
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2888
-
C:\Windows\SysWOW64\Benbbcmf.exe
Command line: C:\Windows\system32\Benbbcmf.exe
Level: 72
PID:2852
-
C:\Windows\SysWOW64\Boggkicf.exe
Command line: C:\Windows\system32\Boggkicf.exe
Level: 73
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2820
-
C:\Windows\SysWOW64\Cdhino32.exe
Command line: C:\Windows\system32\Cdhino32.exe
Level: 74
- Modifies registry class
PID:2680
-
C:\Windows\SysWOW64\Cdkfco32.exe
Command line: C:\Windows\system32\Cdkfco32.exe
Level: 75
PID:2264
-
C:\Windows\SysWOW64\Caofmc32.exe
Command line: C:\Windows\system32\Caofmc32.exe
Level: 76
PID:1728
-
C:\Windows\SysWOW64\Cijkaehj.exe
Command line: C:\Windows\system32\Cijkaehj.exe
Level: 77
PID:524
-
C:\Windows\SysWOW64\Cgnkkjgd.exe
Command line: C:\Windows\system32\Cgnkkjgd.exe
Level: 78
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1944
-
C:\Windows\SysWOW64\Dljdcqek.exe
Command line: C:\Windows\system32\Dljdcqek.exe
Level: 79
PID:2036
-
C:\Windows\SysWOW64\Dindme32.exe
Command line: C:\Windows\system32\Dindme32.exe
Level: 80
PID:1588
-
C:\Windows\SysWOW64\Dcgiejje.exe
Command line: C:\Windows\system32\Dcgiejje.exe
Level: 81
- System Location Discovery: System Language Discovery
PID:2300
-
C:\Windows\SysWOW64\Dlomnp32.exe
Command line: C:\Windows\system32\Dlomnp32.exe
Level: 82
PID:1396
-
C:\Windows\SysWOW64\Ddjbbbna.exe
Command line: C:\Windows\system32\Ddjbbbna.exe
Level: 83
- System Location Discovery: System Language Discovery
PID:1500
-
C:\Windows\SysWOW64\Dnbfkh32.exe
Command line: C:\Windows\system32\Dnbfkh32.exe
Level: 84
PID:2308
-
C:\Windows\SysWOW64\Dobcekld.exe
Command line: C:\Windows\system32\Dobcekld.exe
Level: 85
PID:1100
-
C:\Windows\SysWOW64\Ejldfh32.exe
Command line: C:\Windows\system32\Ejldfh32.exe
Level: 86
PID:592
-
C:\Windows\SysWOW64\Edahca32.exe
Command line: C:\Windows\system32\Edahca32.exe
Level: 87
PID:2020
-
C:\Windows\SysWOW64\Ecfednma.exe
Command line: C:\Windows\system32\Ecfednma.exe
Level: 88
PID:2976
-
C:\Windows\SysWOW64\Eloimcca.exe
Command line: C:\Windows\system32\Eloimcca.exe
Level: 89
- Adds autorun key to be loaded by Explorer.exe on startup
PID:456
-
C:\Windows\SysWOW64\Ehfjbd32.exe
Command line: C:\Windows\system32\Ehfjbd32.exe
Level: 90
PID:2608
-
C:\Windows\SysWOW64\Ebnokjpf.exe
Command line: C:\Windows\system32\Ebnokjpf.exe
Level: 91
PID:1720
-
C:\Windows\SysWOW64\Fbqkqj32.exe
Command line: C:\Windows\system32\Fbqkqj32.exe
Level: 92
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2520
-
C:\Windows\SysWOW64\Fodljn32.exe
Command line: C:\Windows\system32\Fodljn32.exe
Level: 93
PID:2340
-
C:\Windows\SysWOW64\Fogipnjj.exe
Command line: C:\Windows\system32\Fogipnjj.exe
Level: 94
PID:2924
-
C:\Windows\SysWOW64\Fdcahdib.exe
Command line: C:\Windows\system32\Fdcahdib.exe
Level: 95
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2452
-
C:\Windows\SysWOW64\Fqjbme32.exe
Command line: C:\Windows\system32\Fqjbme32.exe
Level: 96
PID:2448
-
C:\Windows\SysWOW64\Fgdjipfc.exe
Command line: C:\Windows\system32\Fgdjipfc.exe
Level: 97
- Drops file in System32 directory
PID:1800
-
C:\Windows\SysWOW64\Fqmobelc.exe
Command line: C:\Windows\system32\Fqmobelc.exe
Level: 98
PID:1320
-
C:\Windows\SysWOW64\Gjeckk32.exe
Command line: C:\Windows\system32\Gjeckk32.exe
Level: 99
PID:1264
-
C:\Windows\SysWOW64\Ggicdo32.exe
Command line: C:\Windows\system32\Ggicdo32.exe
Level: 100
PID:2580
-
C:\Windows\SysWOW64\Gpdhiaoi.exe
Command line: C:\Windows\system32\Gpdhiaoi.exe
Level: 101
PID:2724
-
C:\Windows\SysWOW64\Gcbaop32.exe
Command line: C:\Windows\system32\Gcbaop32.exe
Level: 102
- System Location Discovery: System Language Discovery
PID:1600
-
C:\Windows\SysWOW64\Gioigf32.exe
Command line: C:\Windows\system32\Gioigf32.exe
Level: 103
PID:2844
-
C:\Windows\SysWOW64\Ghdfhc32.exe
Command line: C:\Windows\system32\Ghdfhc32.exe
Level: 104
PID:3056
-
C:\Windows\SysWOW64\Halkahoo.exe
Command line: C:\Windows\system32\Halkahoo.exe
Level: 105
PID:2388
-
C:\Windows\SysWOW64\Hejcggee.exe
Command line: C:\Windows\system32\Hejcggee.exe
Level: 106
- System Location Discovery: System Language Discovery
PID:664
-
C:\Windows\SysWOW64\Hnbhpl32.exe
Command line: C:\Windows\system32\Hnbhpl32.exe
Level: 107
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2600
-
C:\Windows\SysWOW64\Hhklibbf.exe
Command line: C:\Windows\system32\Hhklibbf.exe
Level: 108
PID:1400
-
C:\Windows\SysWOW64\Hpfamd32.exe
Command line: C:\Windows\system32\Hpfamd32.exe
Level: 109
PID:2720
-
C:\Windows\SysWOW64\Hafngggd.exe
Command line: C:\Windows\system32\Hafngggd.exe
Level: 110
PID:1812
-
C:\Windows\SysWOW64\Ijnbpm32.exe
Command line: C:\Windows\system32\Ijnbpm32.exe
Level: 111
PID:1404
-
C:\Windows\SysWOW64\Iehcajjc.exe
Command line: C:\Windows\system32\Iehcajjc.exe
Level: 112
PID:2768
-
C:\Windows\SysWOW64\Iblcjohm.exe
Command line: C:\Windows\system32\Iblcjohm.exe
Level: 113
- System Location Discovery: System Language Discovery
PID:2476
-
C:\Windows\SysWOW64\Ildhcd32.exe
Command line: C:\Windows\system32\Ildhcd32.exe
Level: 114
PID:2904
-
C:\Windows\SysWOW64\Iihhmhng.exe
Command line: C:\Windows\system32\Iihhmhng.exe
Level: 115
PID:2740
-
C:\Windows\SysWOW64\Ieoiai32.exe
Command line: C:\Windows\system32\Ieoiai32.exe
Level: 116
PID:2212
-
C:\Windows\SysWOW64\Kknkncbl.exe
Command line: C:\Windows\system32\Kknkncbl.exe
Level: 117
PID:1048
-
C:\Windows\SysWOW64\Knocpn32.exe
Command line: C:\Windows\system32\Knocpn32.exe
Level: 118
PID:2700
-
C:\Windows\SysWOW64\Kgghidfm.exe
Command line: C:\Windows\system32\Kgghidfm.exe
Level: 119
PID:844
-
C:\Windows\SysWOW64\Khfdcgmp.exe
Command line: C:\Windows\system32\Khfdcgmp.exe
Level: 120
- Modifies registry class
PID:2436
-
C:\Windows\SysWOW64\Ljjnpo32.exe
Command line: C:\Windows\system32\Ljjnpo32.exe
Level: 121
PID:548
-
C:\Windows\SysWOW64\Lgnnicpe.exe
Command line: C:\Windows\system32\Lgnnicpe.exe
Level: 122
PID:1324
-