Analysis
-
max time kernel
119s -
max time network
121s -
platform
windows7_x64 -
resource
win7-20240708-en -
resource tags
arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system -
submitted
24/08/2024, 05:09
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
ec53577052a0385d7c164df4f8f41e00N.exe
Resource
win7-20240708-en
windows7-x64
8 signatures
120 seconds
Behavioral task
behavioral2
Sample
ec53577052a0385d7c164df4f8f41e00N.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
7 signatures
120 seconds
General
-
Target
ec53577052a0385d7c164df4f8f41e00N.exe
-
Size
128KB
-
MD5
ec53577052a0385d7c164df4f8f41e00
-
SHA1
560ea6d8db9592a9c0f3656bd779851c99fbfea3
-
SHA256
3719b753971a8ccba6f4f0fa2927008f11455f0386745931cf514b3cf8d8e481
-
SHA512
e734da09155af38acfa75151d28a63317fe83d7b7ee84da9752d5d8582390128cd4e58b25e96518b7a4bf08a5710371c36c98eb5b002e6eef85d04a61aaa3754
-
SSDEEP
3072:enkacoK7a8xjzuqm4rU/sEkk8QYxQdLrCimBaH8UH30ZIvM6qMH5X3O/:STrYm4rU/sEkFtCApaH8m3QIvMWH5H
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Blgcio32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cjjpag32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dbdham32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jkkjeeke.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dfkjgm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Meljbqna.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bfgdmjlp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ggdekbgb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jfjhbo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Adjhicpo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Andjgidl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bahelebm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bhdjno32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bdckobhd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hoimecmb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jmlfmn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ckhfpp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Flfkoeoh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bckefnki.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Apnfno32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pdhpdq32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bcflko32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aifjgdkj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aaklmhak.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Afeaei32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aompambg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dfbqgldn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gkbnap32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Idohdhbo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jcdadhjb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Piadma32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dhgccbhp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ofafgipc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ealahi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dfinam32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Epqgopbi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bakaaepk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ifpelq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bhbmip32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jcdadhjb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Alodeacc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eiciig32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Afeaei32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ahhaobfe.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ehmpeb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Elieipej.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Enpban32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dfkclf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kjpceebh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lpdankjg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pimkbbpi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pbjifgcd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qekbgbpf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Booiep32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eejjnhgc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ngeljh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aldfcpjn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jihdnk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kijmbnpo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ecjgio32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jfekec32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Obcffefa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jpmooind.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Afqhjj32.exe -
Executes dropped EXE 64 IoCs
pid Process 2752 Nqbaic32.exe 2684 Ndnmialh.exe 3068 Okhefl32.exe 2608 Onfabgch.exe 2672 Oqennbbl.exe 1480 Ogofkm32.exe 2532 Ofafgipc.exe 2008 Omlncc32.exe 1028 Opjkpo32.exe 568 Ocefpnom.exe 2884 Ofdclinq.exe 2392 Omnkicen.exe 536 Oaigib32.exe 2172 Obkcajde.exe 2368 Offpbi32.exe 2184 Opodknco.exe 1860 Obmpgjbb.exe 2868 Ofilgh32.exe 1816 Oekmceaf.exe 1796 Ombddbah.exe 1544 Oleepo32.exe 3012 Pndalkgf.exe 2280 Pbomli32.exe 2460 Piieicgl.exe 2420 Phledp32.exe 1636 Ppcmfn32.exe 2628 Padjmfdg.exe 2076 Phobjp32.exe 396 Pnhjgj32.exe 3052 Pbdfgilj.exe 2792 Pdecoa32.exe 2552 Pllkpn32.exe 540 Pnkglj32.exe 2004 Pmnghfhi.exe 1244 Peeoidik.exe 1496 Pdhpdq32.exe 332 Pfflql32.exe 2864 Pnmdbi32.exe 2212 Pmpdmfff.exe 2156 Pfhhflmg.exe 2340 Qigebglj.exe 1656 Qmbqcf32.exe 2520 Qfkelkkd.exe 1240 Qiiahgjh.exe 1680 Qmenhe32.exe 2916 Qlgndbil.exe 1316 Qdofep32.exe 2276 Qbafalph.exe 580 Aepbmhpl.exe 2580 Aiknnf32.exe 2152 Amgjnepn.exe 2564 Apefjqob.exe 2176 Aohgfm32.exe 1972 Abdbflnf.exe 2060 Aebobgmi.exe 1668 Ainkcf32.exe 2548 Allgoa32.exe 2432 Aphcppmo.exe 2320 Abfoll32.exe 2984 Aaipghcn.exe 2796 Aedlhg32.exe 408 Alodeacc.exe 1736 Aompambg.exe 2888 Abhlak32.exe -
Loads dropped DLL 64 IoCs
pid Process 916 ec53577052a0385d7c164df4f8f41e00N.exe 916 ec53577052a0385d7c164df4f8f41e00N.exe 2752 Nqbaic32.exe 2752 Nqbaic32.exe 2684 Ndnmialh.exe 2684 Ndnmialh.exe 3068 Okhefl32.exe 3068 Okhefl32.exe 2608 Onfabgch.exe 2608 Onfabgch.exe 2672 Oqennbbl.exe 2672 Oqennbbl.exe 1480 Ogofkm32.exe 1480 Ogofkm32.exe 2532 Ofafgipc.exe 2532 Ofafgipc.exe 2008 Omlncc32.exe 2008 Omlncc32.exe 1028 Opjkpo32.exe 1028 Opjkpo32.exe 568 Ocefpnom.exe 568 Ocefpnom.exe 2884 Ofdclinq.exe 2884 Ofdclinq.exe 2392 Omnkicen.exe 2392 Omnkicen.exe 536 Oaigib32.exe 536 Oaigib32.exe 2172 Obkcajde.exe 2172 Obkcajde.exe 2368 Offpbi32.exe 2368 Offpbi32.exe 2184 Opodknco.exe 2184 Opodknco.exe 1860 Obmpgjbb.exe 1860 Obmpgjbb.exe 2868 Ofilgh32.exe 2868 Ofilgh32.exe 1816 Oekmceaf.exe 1816 Oekmceaf.exe 1796 Ombddbah.exe 1796 Ombddbah.exe 1544 Oleepo32.exe 1544 Oleepo32.exe 3012 Pndalkgf.exe 3012 Pndalkgf.exe 2280 Pbomli32.exe 2280 Pbomli32.exe 2460 Piieicgl.exe 2460 Piieicgl.exe 2420 Phledp32.exe 2420 Phledp32.exe 1636 Ppcmfn32.exe 1636 Ppcmfn32.exe 2628 Padjmfdg.exe 2628 Padjmfdg.exe 2076 Phobjp32.exe 2076 Phobjp32.exe 396 Pnhjgj32.exe 396 Pnhjgj32.exe 3052 Pbdfgilj.exe 3052 Pbdfgilj.exe 2792 Pdecoa32.exe 2792 Pdecoa32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Ehmpeb32.exe Epfhde32.exe File opened for modification C:\Windows\SysWOW64\Hkmaed32.exe Hjlemlnk.exe File created C:\Windows\SysWOW64\Mmgofm32.dll Honfqb32.exe File created C:\Windows\SysWOW64\Bopffl32.dll Bhbmip32.exe File created C:\Windows\SysWOW64\Jmhdkakc.dll Clnehado.exe File opened for modification C:\Windows\SysWOW64\Pndalkgf.exe Oleepo32.exe File created C:\Windows\SysWOW64\Plkkkh32.dll Cjppfl32.exe File created C:\Windows\SysWOW64\Dcageqgm.exe Dpfkeb32.exe File created C:\Windows\SysWOW64\Dnknlm32.dll Cgjgol32.exe File opened for modification C:\Windows\SysWOW64\Hijhhl32.exe Gcppkbia.exe File created C:\Windows\SysWOW64\Imhqbkbm.exe Ijidfpci.exe File created C:\Windows\SysWOW64\Agflga32.dll Piohgbng.exe File created C:\Windows\SysWOW64\Mlmoilni.exe Miocmq32.exe File opened for modification C:\Windows\SysWOW64\Piohgbng.exe Pjlgle32.exe File created C:\Windows\SysWOW64\Eiciig32.exe Eegmhhie.exe File created C:\Windows\SysWOW64\Emeobj32.exe Enbogmnc.exe File created C:\Windows\SysWOW64\Ijlaloaf.exe Ifpelq32.exe File opened for modification C:\Windows\SysWOW64\Eclcon32.exe Epqgopbi.exe File created C:\Windows\SysWOW64\Bhjneadb.exe Bdobdc32.exe File created C:\Windows\SysWOW64\Lgkqjo32.dll Hijhhl32.exe File opened for modification C:\Windows\SysWOW64\Kfnnlboi.exe Kngekdnf.exe File opened for modification C:\Windows\SysWOW64\Blqmid32.exe Bjbqmi32.exe File opened for modification C:\Windows\SysWOW64\Enbogmnc.exe Eldbkbop.exe File created C:\Windows\SysWOW64\Bfjpjn32.dll Gieommdc.exe File opened for modification C:\Windows\SysWOW64\Hjlemlnk.exe Hcblqb32.exe File created C:\Windows\SysWOW64\Hecebm32.exe Hoimecmb.exe File created C:\Windows\SysWOW64\Kmjgaeke.dll Ombddbah.exe File created C:\Windows\SysWOW64\Ainkcf32.exe Aebobgmi.exe File opened for modification C:\Windows\SysWOW64\Bnicbh32.exe Bkkgfm32.exe File created C:\Windows\SysWOW64\Jnbpqb32.exe Imacijjb.exe File created C:\Windows\SysWOW64\Monhjgkj.exe Mpkhoj32.exe File created C:\Windows\SysWOW64\Kokahpfn.dll Pbjifgcd.exe File created C:\Windows\SysWOW64\Clnehado.exe Cfcmlg32.exe File created C:\Windows\SysWOW64\Aanibhoh.exe Anbmbi32.exe File created C:\Windows\SysWOW64\Geloanjg.exe Gcmcebkc.exe File created C:\Windows\SysWOW64\Hdjoii32.exe Honfqb32.exe File created C:\Windows\SysWOW64\Glgkjp32.dll Efffpjmk.exe File created C:\Windows\SysWOW64\Jjonoenh.dll Pndalkgf.exe File opened for modification C:\Windows\SysWOW64\Eldbkbop.exe Ehhfjcff.exe File created C:\Windows\SysWOW64\Fmnahilc.exe Ficehj32.exe File opened for modification C:\Windows\SysWOW64\Bafhff32.exe Bklpjlmc.exe File opened for modification C:\Windows\SysWOW64\Djgfgkbo.exe Dfkjgm32.exe File created C:\Windows\SysWOW64\Elaeeb32.exe Egfjdchi.exe File created C:\Windows\SysWOW64\Gkmefaan.exe Ggbieb32.exe File created C:\Windows\SysWOW64\Goddjc32.exe Gncgbkki.exe File created C:\Windows\SysWOW64\Eqnpepil.dll Nladco32.exe File opened for modification C:\Windows\SysWOW64\Offpbi32.exe Obkcajde.exe File opened for modification C:\Windows\SysWOW64\Dbgdgm32.exe Dnkhfnck.exe File opened for modification C:\Windows\SysWOW64\Fmnahilc.exe Ficehj32.exe File opened for modification C:\Windows\SysWOW64\Ggdekbgb.exe Gdfiofhn.exe File opened for modification C:\Windows\SysWOW64\Doqkpl32.exe Dhgccbhp.exe File created C:\Windows\SysWOW64\Pllkpn32.exe Pdecoa32.exe File created C:\Windows\SysWOW64\Lmjqcd32.dll Dkmljcdh.exe File created C:\Windows\SysWOW64\Ggbieb32.exe Geqlnjcf.exe File created C:\Windows\SysWOW64\Fdbhpk32.dll Lkgifd32.exe File created C:\Windows\SysWOW64\Qpniokan.exe Plbmom32.exe File created C:\Windows\SysWOW64\Fopknnaa.dll Befnbd32.exe File created C:\Windows\SysWOW64\Opnphfdp.dll Faijggao.exe File created C:\Windows\SysWOW64\Heldbm32.dll Pmnghfhi.exe File opened for modification C:\Windows\SysWOW64\Ehhfjcff.exe Ecmjid32.exe File created C:\Windows\SysWOW64\Peecqfmk.dll Kecjmodq.exe File opened for modification C:\Windows\SysWOW64\Hoimecmb.exe Hkmaed32.exe File created C:\Windows\SysWOW64\Deeqch32.exe Dfbqgldn.exe File created C:\Windows\SysWOW64\Komlabbb.dll Epkepakn.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 5532 5500 WerFault.exe 536 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ppkmjlca.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cgqmpkfg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hajfgnjc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Afqhjj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jkfpjf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Geqlnjcf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hdefnjkj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hhcndhap.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nnlhab32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Efffpjmk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Deeqch32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ahhaobfe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cdnncfoe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fhbbcail.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Khagijcd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aicmadmm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dbdham32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Anhpkg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ofafgipc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bikjmj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Leegbnan.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Miclhpjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bhjneadb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iblola32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Figocipe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iianmlfn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Macjgadf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Afcdpi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aompambg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ahedjb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ooggpiek.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qekbgbpf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oleepo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eegmhhie.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oiahnnji.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pbjifgcd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ogofkm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ofilgh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Obhpad32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Appbcn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ealahi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gdhfdffl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hkmaed32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bemkle32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aaklmhak.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Enbogmnc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lilfgq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bbqkeioh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cfcmlg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qbafalph.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aanibhoh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cpdhna32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eepmlf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dqobnf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Okhefl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Abdbflnf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hoimecmb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Epkepakn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Honfqb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ecjgio32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pndalkgf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aaipghcn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bklpjlmc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fpgnoo32.exe -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ebialmjb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fihbcdgp.dll" Gpogiglp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lilfgq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mokkegmm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Oekehomj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amogaa32.dll" Qmbqcf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fgjdgifj.dll" Blqmid32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hjlemlnk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cceapl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Loglaegj.dll" Obmpgjbb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bniipnpc.dll" Padjmfdg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bkhjamcf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ecmjid32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hjlemlnk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aopbmapo.dll" Lilfgq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Alakfjbc.dll" Bggjjlnb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Apafhqnp.dll" Dhgccbhp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jmlfmn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Meecaa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Oqennbbl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Eejjnhgc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lgkqjo32.dll" Hijhhl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hgiked32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Odacbpee.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cncolfcl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pdecoa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fbngfo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdjkbh32.dll" Jecnnk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fllaopcg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pmnghfhi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oadilg32.dll" Qdofep32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Imacijjb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kgagag32.dll" Aiaqle32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Oleepo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eloipb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eomgdlji.dll" Enbogmnc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ifpelq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oengjm32.dll" Jmlfmn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kngekdnf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qblfkgqb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ebappk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dcmnja32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ffbmfo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fbkjap32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ckhpejbf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fbfjkj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pfflql32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aiknnf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gagmbkik.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hkmaed32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mkibjgli.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nkadbc32.dll" Qekbgbpf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aejnfe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kjkoop32.dll" Cdkkcp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mfpqebhl.dll" Bomlppdb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Enneln32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ecogodlk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jkimpfmg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Copjlmfa.dll" Okinik32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Boeoek32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bdfahaaa.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cpgecq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Enmaap32.dll" Ogofkm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Adjhicpo.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 916 wrote to memory of 2752 916 ec53577052a0385d7c164df4f8f41e00N.exe 30 PID 916 wrote to memory of 2752 916 ec53577052a0385d7c164df4f8f41e00N.exe 30 PID 916 wrote to memory of 2752 916 ec53577052a0385d7c164df4f8f41e00N.exe 30 PID 916 wrote to memory of 2752 916 ec53577052a0385d7c164df4f8f41e00N.exe 30 PID 2752 wrote to memory of 2684 2752 Nqbaic32.exe 31 PID 2752 wrote to memory of 2684 2752 Nqbaic32.exe 31 PID 2752 wrote to memory of 2684 2752 Nqbaic32.exe 31 PID 2752 wrote to memory of 2684 2752 Nqbaic32.exe 31 PID 2684 wrote to memory of 3068 2684 Ndnmialh.exe 32 PID 2684 wrote to memory of 3068 2684 Ndnmialh.exe 32 PID 2684 wrote to memory of 3068 2684 Ndnmialh.exe 32 PID 2684 wrote to memory of 3068 2684 Ndnmialh.exe 32 PID 3068 wrote to memory of 2608 3068 Okhefl32.exe 33 PID 3068 wrote to memory of 2608 3068 Okhefl32.exe 33 PID 3068 wrote to memory of 2608 3068 Okhefl32.exe 33 PID 3068 wrote to memory of 2608 3068 Okhefl32.exe 33 PID 2608 wrote to memory of 2672 2608 Onfabgch.exe 34 PID 2608 wrote to memory of 2672 2608 Onfabgch.exe 34 PID 2608 wrote to memory of 2672 2608 Onfabgch.exe 34 PID 2608 wrote to memory of 2672 2608 Onfabgch.exe 34 PID 2672 wrote to memory of 1480 2672 Oqennbbl.exe 35 PID 2672 wrote to memory of 1480 2672 Oqennbbl.exe 35 PID 2672 wrote to memory of 1480 2672 Oqennbbl.exe 35 PID 2672 wrote to memory of 1480 2672 Oqennbbl.exe 35 PID 1480 wrote to memory of 2532 1480 Ogofkm32.exe 36 PID 1480 wrote to memory of 2532 1480 Ogofkm32.exe 36 PID 1480 wrote to memory of 2532 1480 Ogofkm32.exe 36 PID 1480 wrote to memory of 2532 1480 Ogofkm32.exe 36 PID 2532 wrote to memory of 2008 2532 Ofafgipc.exe 37 PID 2532 wrote to memory of 2008 2532 Ofafgipc.exe 37 PID 2532 wrote to memory of 2008 2532 Ofafgipc.exe 37 PID 2532 wrote to memory of 2008 2532 Ofafgipc.exe 37 PID 2008 wrote to memory of 1028 2008 Omlncc32.exe 38 PID 2008 wrote to memory of 1028 2008 Omlncc32.exe 38 PID 2008 wrote to memory of 1028 2008 Omlncc32.exe 38 PID 2008 wrote to memory of 1028 2008 Omlncc32.exe 38 PID 1028 wrote to memory of 568 1028 Opjkpo32.exe 39 PID 1028 wrote to memory of 568 1028 Opjkpo32.exe 39 PID 1028 wrote to memory of 568 1028 Opjkpo32.exe 39 PID 1028 wrote to memory of 568 1028 Opjkpo32.exe 39 PID 568 wrote to memory of 2884 568 Ocefpnom.exe 40 PID 568 wrote to memory of 2884 568 Ocefpnom.exe 40 PID 568 wrote to memory of 2884 568 Ocefpnom.exe 40 PID 568 wrote to memory of 2884 568 Ocefpnom.exe 40 PID 2884 wrote to memory of 2392 2884 Ofdclinq.exe 41 PID 2884 wrote to memory of 2392 2884 Ofdclinq.exe 41 PID 2884 wrote to memory of 2392 2884 Ofdclinq.exe 41 PID 2884 wrote to memory of 2392 2884 Ofdclinq.exe 41 PID 2392 wrote to memory of 536 2392 Omnkicen.exe 42 PID 2392 wrote to memory of 536 2392 Omnkicen.exe 42 PID 2392 wrote to memory of 536 2392 Omnkicen.exe 42 PID 2392 wrote to memory of 536 2392 Omnkicen.exe 42 PID 536 wrote to memory of 2172 536 Oaigib32.exe 43 PID 536 wrote to memory of 2172 536 Oaigib32.exe 43 PID 536 wrote to memory of 2172 536 Oaigib32.exe 43 PID 536 wrote to memory of 2172 536 Oaigib32.exe 43 PID 2172 wrote to memory of 2368 2172 Obkcajde.exe 44 PID 2172 wrote to memory of 2368 2172 Obkcajde.exe 44 PID 2172 wrote to memory of 2368 2172 Obkcajde.exe 44 PID 2172 wrote to memory of 2368 2172 Obkcajde.exe 44 PID 2368 wrote to memory of 2184 2368 Offpbi32.exe 45 PID 2368 wrote to memory of 2184 2368 Offpbi32.exe 45 PID 2368 wrote to memory of 2184 2368 Offpbi32.exe 45 PID 2368 wrote to memory of 2184 2368 Offpbi32.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\ec53577052a0385d7c164df4f8f41e00N.exe"C:\Users\Admin\AppData\Local\Temp\ec53577052a0385d7c164df4f8f41e00N.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:916 -
C:\Windows\SysWOW64\Nqbaic32.exeC:\Windows\system32\Nqbaic32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2752 -
C:\Windows\SysWOW64\Ndnmialh.exeC:\Windows\system32\Ndnmialh.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2684 -
C:\Windows\SysWOW64\Okhefl32.exeC:\Windows\system32\Okhefl32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3068 -
C:\Windows\SysWOW64\Onfabgch.exeC:\Windows\system32\Onfabgch.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2608 -
C:\Windows\SysWOW64\Oqennbbl.exeC:\Windows\system32\Oqennbbl.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2672 -
C:\Windows\SysWOW64\Ogofkm32.exeC:\Windows\system32\Ogofkm32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1480 -
C:\Windows\SysWOW64\Ofafgipc.exeC:\Windows\system32\Ofafgipc.exe8⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2532 -
C:\Windows\SysWOW64\Omlncc32.exeC:\Windows\system32\Omlncc32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2008 -
C:\Windows\SysWOW64\Opjkpo32.exeC:\Windows\system32\Opjkpo32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1028 -
C:\Windows\SysWOW64\Ocefpnom.exeC:\Windows\system32\Ocefpnom.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:568 -
C:\Windows\SysWOW64\Ofdclinq.exeC:\Windows\system32\Ofdclinq.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2884 -
C:\Windows\SysWOW64\Omnkicen.exeC:\Windows\system32\Omnkicen.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2392 -
C:\Windows\SysWOW64\Oaigib32.exeC:\Windows\system32\Oaigib32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:536 -
C:\Windows\SysWOW64\Obkcajde.exeC:\Windows\system32\Obkcajde.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2172 -
C:\Windows\SysWOW64\Offpbi32.exeC:\Windows\system32\Offpbi32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2368 -
C:\Windows\SysWOW64\Opodknco.exeC:\Windows\system32\Opodknco.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2184 -
C:\Windows\SysWOW64\Obmpgjbb.exeC:\Windows\system32\Obmpgjbb.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1860 -
C:\Windows\SysWOW64\Ofilgh32.exeC:\Windows\system32\Ofilgh32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2868 -
C:\Windows\SysWOW64\Oekmceaf.exeC:\Windows\system32\Oekmceaf.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1816 -
C:\Windows\SysWOW64\Ombddbah.exeC:\Windows\system32\Ombddbah.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1796 -
C:\Windows\SysWOW64\Oleepo32.exeC:\Windows\system32\Oleepo32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1544 -
C:\Windows\SysWOW64\Pndalkgf.exeC:\Windows\system32\Pndalkgf.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:3012 -
C:\Windows\SysWOW64\Pbomli32.exeC:\Windows\system32\Pbomli32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2280 -
C:\Windows\SysWOW64\Piieicgl.exeC:\Windows\system32\Piieicgl.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2460 -
C:\Windows\SysWOW64\Phledp32.exeC:\Windows\system32\Phledp32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2420 -
C:\Windows\SysWOW64\Ppcmfn32.exeC:\Windows\system32\Ppcmfn32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1636 -
C:\Windows\SysWOW64\Padjmfdg.exeC:\Windows\system32\Padjmfdg.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2628 -
C:\Windows\SysWOW64\Phobjp32.exeC:\Windows\system32\Phobjp32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2076 -
C:\Windows\SysWOW64\Pnhjgj32.exeC:\Windows\system32\Pnhjgj32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:396 -
C:\Windows\SysWOW64\Pbdfgilj.exeC:\Windows\system32\Pbdfgilj.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3052 -
C:\Windows\SysWOW64\Pdecoa32.exeC:\Windows\system32\Pdecoa32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:2792 -
C:\Windows\SysWOW64\Pllkpn32.exeC:\Windows\system32\Pllkpn32.exe33⤵
- Executes dropped EXE
PID:2552 -
C:\Windows\SysWOW64\Pnkglj32.exeC:\Windows\system32\Pnkglj32.exe34⤵
- Executes dropped EXE
PID:540 -
C:\Windows\SysWOW64\Pmnghfhi.exeC:\Windows\system32\Pmnghfhi.exe35⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2004 -
C:\Windows\SysWOW64\Peeoidik.exeC:\Windows\system32\Peeoidik.exe36⤵
- Executes dropped EXE
PID:1244 -
C:\Windows\SysWOW64\Pdhpdq32.exeC:\Windows\system32\Pdhpdq32.exe37⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1496 -
C:\Windows\SysWOW64\Pfflql32.exeC:\Windows\system32\Pfflql32.exe38⤵
- Executes dropped EXE
- Modifies registry class
PID:332 -
C:\Windows\SysWOW64\Pnmdbi32.exeC:\Windows\system32\Pnmdbi32.exe39⤵
- Executes dropped EXE
PID:2864 -
C:\Windows\SysWOW64\Pmpdmfff.exeC:\Windows\system32\Pmpdmfff.exe40⤵
- Executes dropped EXE
PID:2212 -
C:\Windows\SysWOW64\Pfhhflmg.exeC:\Windows\system32\Pfhhflmg.exe41⤵
- Executes dropped EXE
PID:2156 -
C:\Windows\SysWOW64\Qigebglj.exeC:\Windows\system32\Qigebglj.exe42⤵
- Executes dropped EXE
PID:2340 -
C:\Windows\SysWOW64\Qmbqcf32.exeC:\Windows\system32\Qmbqcf32.exe43⤵
- Executes dropped EXE
- Modifies registry class
PID:1656 -
C:\Windows\SysWOW64\Qfkelkkd.exeC:\Windows\system32\Qfkelkkd.exe44⤵
- Executes dropped EXE
PID:2520 -
C:\Windows\SysWOW64\Qiiahgjh.exeC:\Windows\system32\Qiiahgjh.exe45⤵
- Executes dropped EXE
PID:1240 -
C:\Windows\SysWOW64\Qmenhe32.exeC:\Windows\system32\Qmenhe32.exe46⤵
- Executes dropped EXE
PID:1680 -
C:\Windows\SysWOW64\Qlgndbil.exeC:\Windows\system32\Qlgndbil.exe47⤵
- Executes dropped EXE
PID:2916 -
C:\Windows\SysWOW64\Qdofep32.exeC:\Windows\system32\Qdofep32.exe48⤵
- Executes dropped EXE
- Modifies registry class
PID:1316 -
C:\Windows\SysWOW64\Qbafalph.exeC:\Windows\system32\Qbafalph.exe49⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2276 -
C:\Windows\SysWOW64\Aepbmhpl.exeC:\Windows\system32\Aepbmhpl.exe50⤵
- Executes dropped EXE
PID:580 -
C:\Windows\SysWOW64\Aiknnf32.exeC:\Windows\system32\Aiknnf32.exe51⤵
- Executes dropped EXE
- Modifies registry class
PID:2580 -
C:\Windows\SysWOW64\Amgjnepn.exeC:\Windows\system32\Amgjnepn.exe52⤵
- Executes dropped EXE
PID:2152 -
C:\Windows\SysWOW64\Apefjqob.exeC:\Windows\system32\Apefjqob.exe53⤵
- Executes dropped EXE
PID:2564 -
C:\Windows\SysWOW64\Aohgfm32.exeC:\Windows\system32\Aohgfm32.exe54⤵
- Executes dropped EXE
PID:2176 -
C:\Windows\SysWOW64\Abdbflnf.exeC:\Windows\system32\Abdbflnf.exe55⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1972 -
C:\Windows\SysWOW64\Aebobgmi.exeC:\Windows\system32\Aebobgmi.exe56⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2060 -
C:\Windows\SysWOW64\Ainkcf32.exeC:\Windows\system32\Ainkcf32.exe57⤵
- Executes dropped EXE
PID:1668 -
C:\Windows\SysWOW64\Allgoa32.exeC:\Windows\system32\Allgoa32.exe58⤵
- Executes dropped EXE
PID:2548 -
C:\Windows\SysWOW64\Aphcppmo.exeC:\Windows\system32\Aphcppmo.exe59⤵
- Executes dropped EXE
PID:2432 -
C:\Windows\SysWOW64\Abfoll32.exeC:\Windows\system32\Abfoll32.exe60⤵
- Executes dropped EXE
PID:2320 -
C:\Windows\SysWOW64\Aaipghcn.exeC:\Windows\system32\Aaipghcn.exe61⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2984 -
C:\Windows\SysWOW64\Aedlhg32.exeC:\Windows\system32\Aedlhg32.exe62⤵
- Executes dropped EXE
PID:2796 -
C:\Windows\SysWOW64\Alodeacc.exeC:\Windows\system32\Alodeacc.exe63⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:408 -
C:\Windows\SysWOW64\Aompambg.exeC:\Windows\system32\Aompambg.exe64⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1736 -
C:\Windows\SysWOW64\Abhlak32.exeC:\Windows\system32\Abhlak32.exe65⤵
- Executes dropped EXE
PID:2888 -
C:\Windows\SysWOW64\Aaklmhak.exeC:\Windows\system32\Aaklmhak.exe66⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:2604 -
C:\Windows\SysWOW64\Adjhicpo.exeC:\Windows\system32\Adjhicpo.exe67⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2820 -
C:\Windows\SysWOW64\Ahedjb32.exeC:\Windows\system32\Ahedjb32.exe68⤵
- System Location Discovery: System Language Discovery
PID:3004 -
C:\Windows\SysWOW64\Akdafn32.exeC:\Windows\system32\Akdafn32.exe69⤵PID:1112
-
C:\Windows\SysWOW64\Anbmbi32.exeC:\Windows\system32\Anbmbi32.exe70⤵
- Drops file in System32 directory
PID:1208 -
C:\Windows\SysWOW64\Aanibhoh.exeC:\Windows\system32\Aanibhoh.exe71⤵
- System Location Discovery: System Language Discovery
PID:1592 -
C:\Windows\SysWOW64\Adleoc32.exeC:\Windows\system32\Adleoc32.exe72⤵PID:1712
-
C:\Windows\SysWOW64\Ahhaobfe.exeC:\Windows\system32\Ahhaobfe.exe73⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:1700 -
C:\Windows\SysWOW64\Agkako32.exeC:\Windows\system32\Agkako32.exe74⤵PID:2240
-
C:\Windows\SysWOW64\Akfnkmei.exeC:\Windows\system32\Akfnkmei.exe75⤵PID:2500
-
C:\Windows\SysWOW64\Andjgidl.exeC:\Windows\system32\Andjgidl.exe76⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2188 -
C:\Windows\SysWOW64\Bdobdc32.exeC:\Windows\system32\Bdobdc32.exe77⤵
- Drops file in System32 directory
PID:1532 -
C:\Windows\SysWOW64\Bhjneadb.exeC:\Windows\system32\Bhjneadb.exe78⤵
- System Location Discovery: System Language Discovery
PID:2980 -
C:\Windows\SysWOW64\Bkhjamcf.exeC:\Windows\system32\Bkhjamcf.exe79⤵
- Modifies registry class
PID:768 -
C:\Windows\SysWOW64\Bikjmj32.exeC:\Windows\system32\Bikjmj32.exe80⤵
- System Location Discovery: System Language Discovery
PID:1936 -
C:\Windows\SysWOW64\Bngfmhbj.exeC:\Windows\system32\Bngfmhbj.exe81⤵PID:1772
-
C:\Windows\SysWOW64\Bpebidam.exeC:\Windows\system32\Bpebidam.exe82⤵PID:2016
-
C:\Windows\SysWOW64\Bccoeo32.exeC:\Windows\system32\Bccoeo32.exe83⤵PID:2692
-
C:\Windows\SysWOW64\Bgokfnij.exeC:\Windows\system32\Bgokfnij.exe84⤵PID:1308
-
C:\Windows\SysWOW64\Bkkgfm32.exeC:\Windows\system32\Bkkgfm32.exe85⤵
- Drops file in System32 directory
PID:1756 -
C:\Windows\SysWOW64\Bnicbh32.exeC:\Windows\system32\Bnicbh32.exe86⤵PID:620
-
C:\Windows\SysWOW64\Bllcnega.exeC:\Windows\system32\Bllcnega.exe87⤵PID:1704
-
C:\Windows\SysWOW64\Bdckobhd.exeC:\Windows\system32\Bdckobhd.exe88⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2100 -
C:\Windows\SysWOW64\Bcflko32.exeC:\Windows\system32\Bcflko32.exe89⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1944 -
C:\Windows\SysWOW64\Bgahkngh.exeC:\Windows\system32\Bgahkngh.exe90⤵PID:2096
-
C:\Windows\SysWOW64\Bedhgj32.exeC:\Windows\system32\Bedhgj32.exe91⤵PID:1992
-
C:\Windows\SysWOW64\Blnpddeo.exeC:\Windows\system32\Blnpddeo.exe92⤵PID:852
-
C:\Windows\SysWOW64\Bpjldc32.exeC:\Windows\system32\Bpjldc32.exe93⤵PID:2204
-
C:\Windows\SysWOW64\Bomlppdb.exeC:\Windows\system32\Bomlppdb.exe94⤵
- Modifies registry class
PID:1288 -
C:\Windows\SysWOW64\Bgddam32.exeC:\Windows\system32\Bgddam32.exe95⤵PID:1524
-
C:\Windows\SysWOW64\Bfgdmjlp.exeC:\Windows\system32\Bfgdmjlp.exe96⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:904 -
C:\Windows\SysWOW64\Bjbqmi32.exeC:\Windows\system32\Bjbqmi32.exe97⤵
- Drops file in System32 directory
PID:1596 -
C:\Windows\SysWOW64\Blqmid32.exeC:\Windows\system32\Blqmid32.exe98⤵
- Modifies registry class
PID:2468 -
C:\Windows\SysWOW64\Booiep32.exeC:\Windows\system32\Booiep32.exe99⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2592 -
C:\Windows\SysWOW64\Bckefnki.exeC:\Windows\system32\Bckefnki.exe100⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:380 -
C:\Windows\SysWOW64\Baneak32.exeC:\Windows\system32\Baneak32.exe101⤵PID:836
-
C:\Windows\SysWOW64\Bfiabjjm.exeC:\Windows\system32\Bfiabjjm.exe102⤵PID:1864
-
C:\Windows\SysWOW64\Chgnneiq.exeC:\Windows\system32\Chgnneiq.exe103⤵PID:640
-
C:\Windows\SysWOW64\Clciod32.exeC:\Windows\system32\Clciod32.exe104⤵PID:596
-
C:\Windows\SysWOW64\Ckfjjqhd.exeC:\Windows\system32\Ckfjjqhd.exe105⤵PID:2856
-
C:\Windows\SysWOW64\Coafko32.exeC:\Windows\system32\Coafko32.exe106⤵PID:1676
-
C:\Windows\SysWOW64\Cbpbgk32.exeC:\Windows\system32\Cbpbgk32.exe107⤵PID:2936
-
C:\Windows\SysWOW64\Cfknhi32.exeC:\Windows\system32\Cfknhi32.exe108⤵PID:668
-
C:\Windows\SysWOW64\Cdnncfoe.exeC:\Windows\system32\Cdnncfoe.exe109⤵
- System Location Discovery: System Language Discovery
PID:356 -
C:\Windows\SysWOW64\Clefdcog.exeC:\Windows\system32\Clefdcog.exe110⤵PID:2576
-
C:\Windows\SysWOW64\Ckhfpp32.exeC:\Windows\system32\Ckhfpp32.exe111⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2828 -
C:\Windows\SysWOW64\Cngcll32.exeC:\Windows\system32\Cngcll32.exe112⤵PID:1708
-
C:\Windows\SysWOW64\Cbbomjnn.exeC:\Windows\system32\Cbbomjnn.exe113⤵PID:1780
-
C:\Windows\SysWOW64\Cfnkmi32.exeC:\Windows\system32\Cfnkmi32.exe114⤵PID:2848
-
C:\Windows\SysWOW64\Chlgid32.exeC:\Windows\system32\Chlgid32.exe115⤵PID:2168
-
C:\Windows\SysWOW64\Cgogealf.exeC:\Windows\system32\Cgogealf.exe116⤵PID:3008
-
C:\Windows\SysWOW64\Cnipak32.exeC:\Windows\system32\Cnipak32.exe117⤵PID:2348
-
C:\Windows\SysWOW64\Cbdkbjkl.exeC:\Windows\system32\Cbdkbjkl.exe118⤵PID:1908
-
C:\Windows\SysWOW64\Cdchneko.exeC:\Windows\system32\Cdchneko.exe119⤵PID:2724
-
C:\Windows\SysWOW64\Chocodch.exeC:\Windows\system32\Chocodch.exe120⤵PID:2668
-
C:\Windows\SysWOW64\Cgadja32.exeC:\Windows\system32\Cgadja32.exe121⤵PID:2192
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-