Analysis
max time kernel: 48s
max time network: 18s
platform: windows7_x64
resource: win7-20240705-en
resource tags: arch:x64 arch:x86 image:win7-20240705-en locale:en-us os:windows7-x64 system
submitted: 29-08-2024 05:07

Static task: static1
Behavioral task: behavioral1
  Sample: 56280de0332c1b5580fff604affdc160N.exe
  Resource: win7-20240705-en
Behavioral task: behavioral2
  Sample: 56280de0332c1b5580fff604affdc160N.exe
  Resource: win10v2004-20240802-en

General
Target: 56280de0332c1b5580fff604affdc160N.exe
Size: 76KB
MD5: 56280de0332c1b5580fff604affdc160
SHA1: 9fab8c3c9531f375a2be7280410ad21eb90b1448
SHA256: 24355d2cd3bcce05c800146e96ef4d7a0b70a74651e73e62c37b47e1f6e363d6
SHA512: 2eb590993beea5841dbaf5ddaf828d9891ec2d2cc328d5b6db857f0b226027c91cdc44da9a16a350c58a49b2193f898b0c4192c6f774a978d23490196666cab5
SSDEEP: 1536:KB3y7Z4muf/YoJBBuzxTSduHioQV+/eCeyvCQ:Wp/FJC1SduHrk+
Malware Config

Signatures
Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Djhnmj32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Gapbbk32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Gpbkca32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Hehgbg32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Fmffhi32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Jhjldiln.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Kigkmmql.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Kemcookp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Nceeaikk.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Apgnpo32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ehnknfdn.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Eqninhmc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Pmjohoej.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ephihbnm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Fqjbme32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Kdcinjpo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Mhjdpgic.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Napibq32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Nceeaikk.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bfliqmjg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ghlgdecf.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Gjomlp32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Hiffbl32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Pinchq32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Qmohco32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Abpjgekf.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Gffmqq32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Hafdbmjp.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Jlleni32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Kgdijk32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Laacmc32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Onelbfab.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Cocnanmd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Fimgmj32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Mabihm32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Nmlcbafa.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ojijha32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ejcjfgbk.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Bpgjob32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Igomfb32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Nodikecl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Nipgab32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Dljdcqek.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Lnkjfcik.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Pofnok32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ohdkop32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Pafacd32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Acldpojj.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Gdchifik.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Lmgaikep.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Dhiacg32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Donijk32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Dejnme32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ikafpbon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Iiiogoac.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Dilggefh.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Dcdlpklh.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Fkpfjnnl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Clbdobpc.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Kqgmnk32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Dalffg32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Aliejq32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Lmgaikep.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ceclmc32.exe
Executes dropped EXE (64 IoCs)
pid | Process
1968 | Knldaf32.exe
2056 | Kfcmcckn.exe
1544 | Kgdijk32.exe
2732 | Knnagehi.exe
2692 | Kbjmhd32.exe
2688 | Kjeblf32.exe
2652 | Kbljmd32.exe
2748 | Kcmfeldm.exe
1288 | Kldofi32.exe
2000 | Kmeknakn.exe
2892 | Kemcookp.exe
2752 | Kcpcjl32.exe
1464 | Lneghd32.exe
1588 | Laccdp32.exe
2084 | Lcbppk32.exe
2096 | Liohhbno.exe
752 | Lmjdia32.exe
2388 | Lcdmekne.exe
2212 | Lbgmah32.exe
2328 | Lmmaoq32.exe
1884 | Llpajmkq.exe
924 | Lbijgg32.exe
2360 | Licbca32.exe
584 | Lpmjplag.exe
1616 | Lopjlh32.exe
2276 | Lblflgqk.exe
2704 | Lhiodnob.exe
2768 | Lbncbgoh.exe
2520 | Laacmc32.exe
2632 | Mihkoa32.exe
2592 | Mkihfi32.exe
2620 | Mhmhpm32.exe
2024 | Mkldli32.exe
2424 | Meaiia32.exe
2956 | Mhpeem32.exe
2908 | Mojmbg32.exe
2248 | Mpkjjofe.exe
1520 | Mgebfi32.exe
1244 | Micnbe32.exe
1552 | Majfcb32.exe
2376 | Mdibpn32.exe
2368 | Mkcjlhdh.exe
1048 | Mmaghc32.exe
1472 | Ndkoemji.exe
2124 | Ngikaijm.exe
880 | Nelkme32.exe
2656 | Nihgndip.exe
1596 | Nlfdjphd.exe
2404 | Noepfkgh.exe
2852 | Ncplfj32.exe
2604 | Neohbe32.exe
2872 | Nhmdoq32.exe
944 | Npdlpnnj.exe
540 | Npdlpnnj.exe
2784 | Naeigf32.exe
2312 | Neaehelb.exe
2820 | Nhpadpke.exe
2268 | Nlkmeo32.exe
2672 | Nceeaikk.exe
2952 | Nceeaikk.exe
2164 | Nahemf32.exe
2560 | Necandjo.exe
572 | Nlmjjo32.exe
920 | Nolffjap.exe
Loads dropped DLL (64 IoCs)
pid | Process
2508 | 56280de0332c1b5580fff604affdc160N.exe
2508 | 56280de0332c1b5580fff604affdc160N.exe
1968 | Knldaf32.exe
1968 | Knldaf32.exe
2056 | Kfcmcckn.exe
2056 | Kfcmcckn.exe
1544 | Kgdijk32.exe
1544 | Kgdijk32.exe
2732 | Knnagehi.exe
2732 | Knnagehi.exe
2692 | Kbjmhd32.exe
2692 | Kbjmhd32.exe
2688 | Kjeblf32.exe
2688 | Kjeblf32.exe
2652 | Kbljmd32.exe
2652 | Kbljmd32.exe
2748 | Kcmfeldm.exe
2748 | Kcmfeldm.exe
1288 | Kldofi32.exe
1288 | Kldofi32.exe
2000 | Kmeknakn.exe
2000 | Kmeknakn.exe
2892 | Kemcookp.exe
2892 | Kemcookp.exe
2752 | Kcpcjl32.exe
2752 | Kcpcjl32.exe
1464 | Lneghd32.exe
1464 | Lneghd32.exe
1588 | Laccdp32.exe
1588 | Laccdp32.exe
2084 | Lcbppk32.exe
2084 | Lcbppk32.exe
2096 | Liohhbno.exe
2096 | Liohhbno.exe
752 | Lmjdia32.exe
752 | Lmjdia32.exe
2388 | Lcdmekne.exe
2388 | Lcdmekne.exe
2212 | Lbgmah32.exe
2212 | Lbgmah32.exe
2328 | Lmmaoq32.exe
2328 | Lmmaoq32.exe
1884 | Llpajmkq.exe
1884 | Llpajmkq.exe
924 | Lbijgg32.exe
924 | Lbijgg32.exe
2360 | Licbca32.exe
2360 | Licbca32.exe
584 | Lpmjplag.exe
584 | Lpmjplag.exe
1616 | Lopjlh32.exe
1616 | Lopjlh32.exe
2276 | Lblflgqk.exe
2276 | Lblflgqk.exe
2704 | Lhiodnob.exe
2704 | Lhiodnob.exe
2768 | Lbncbgoh.exe
2768 | Lbncbgoh.exe
2520 | Laacmc32.exe
2520 | Laacmc32.exe
2632 | Mihkoa32.exe
2632 | Mihkoa32.exe
2592 | Mkihfi32.exe
2592 | Mkihfi32.exe
Drops file in System32 directory (64 IoCs)
description | ioc | Process
File created | C:\Windows\SysWOW64\Mdoafi32.dll | Qiclcp32.exe
File created | C:\Windows\SysWOW64\Aakepd32.dll | Cijkaehj.exe
File created | C:\Windows\SysWOW64\Eckopm32.exe | Eqmbca32.exe
File created | C:\Windows\SysWOW64\Emidimje.dll | Fflgahfm.exe
File opened for modification | C:\Windows\SysWOW64\Kkmakd32.exe | Kgaejeoc.exe
File created | C:\Windows\SysWOW64\Gealfddm.dll | Pconjjql.exe
File opened for modification | C:\Windows\SysWOW64\Mpeidjfo.exe | Mabihm32.exe
File created | C:\Windows\SysWOW64\Pghmeikh.exe | Pdjqinld.exe
File created | C:\Windows\SysWOW64\Cpldjajo.exe | Clphjc32.exe
File created | C:\Windows\SysWOW64\Kdcinjpo.exe | Kqgmnk32.exe
File created | C:\Windows\SysWOW64\Cehlbihg.exe | Ccjpfmic.exe
File created | C:\Windows\SysWOW64\Iamnpbpo.dll | Bmcnmapk.exe
File created | C:\Windows\SysWOW64\Gmmihk32.exe | Gjomlp32.exe
File created | C:\Windows\SysWOW64\Mpjboi32.exe | Mlogojjp.exe
File created | C:\Windows\SysWOW64\Bbamec32.dll | Cemfnh32.exe
File created | C:\Windows\SysWOW64\Mfdedcim.dll | Ckjnfobi.exe
File opened for modification | C:\Windows\SysWOW64\Laifbnho.exe | Lnkjfcik.exe
File created | C:\Windows\SysWOW64\Oabafcek.exe | Ocpakg32.exe
File opened for modification | C:\Windows\SysWOW64\Fjmdgmnl.exe | Fpgpjdnf.exe
File created | C:\Windows\SysWOW64\Gbejabln.dll | Fcehpbdm.exe
File created | C:\Windows\SysWOW64\Mpcmojia.exe | Maplcm32.exe
File opened for modification | C:\Windows\SysWOW64\Dhcanahm.exe | Diqabd32.exe
File created | C:\Windows\SysWOW64\Ekhnip32.dll | Nlkmeo32.exe
File created | C:\Windows\SysWOW64\Lidafjlk.dll | Djhnmj32.exe
File created | C:\Windows\SysWOW64\Onhokqml.dll | Cdmbiojc.exe
File created | C:\Windows\SysWOW64\Ehfjbd32.exe | Ejcjfgbk.exe
File opened for modification | C:\Windows\SysWOW64\Jficbn32.exe | Jbmgapgc.exe
File created | C:\Windows\SysWOW64\Aooaej32.exe | Akdedkfl.exe
File created | C:\Windows\SysWOW64\Ahomebko.dll | Ohofimje.exe
File created | C:\Windows\SysWOW64\Afgmldhe.exe | Abkqle32.exe
File created | C:\Windows\SysWOW64\Dmkdanef.dll | Dhknigfq.exe
File created | C:\Windows\SysWOW64\Ffmnloih.exe | Ecnbpcje.exe
File created | C:\Windows\SysWOW64\Ejbmpe32.dll | Ipedihgm.exe
File created | C:\Windows\SysWOW64\Leiabnbn.dll | Lnmglbgh.exe
File opened for modification | C:\Windows\SysWOW64\Chdlidjm.exe | Cialng32.exe
File created | C:\Windows\SysWOW64\Ioonfaed.exe | Ikcbfb32.exe
File created | C:\Windows\SysWOW64\Beccgi32.exe | Bgablmfa.exe
File opened for modification | C:\Windows\SysWOW64\Ogiqffhl.exe | Ocmdeg32.exe
File opened for modification | C:\Windows\SysWOW64\Gpdhiaoi.exe | Gaahmd32.exe
File created | C:\Windows\SysWOW64\Bphgedjk.dll | Okgpfjbo.exe
File created | C:\Windows\SysWOW64\Aihmhe32.exe | Afjplj32.exe
File opened for modification | C:\Windows\SysWOW64\Hdlkpd32.exe | Hlebog32.exe
File created | C:\Windows\SysWOW64\Phgcib32.dll | Jkfkjemd.exe
File created | C:\Windows\SysWOW64\Kgoief32.exe | Jdpmij32.exe
File created | C:\Windows\SysWOW64\Qaeeli32.dll | Oodejhfg.exe
File created | C:\Windows\SysWOW64\Ajibeg32.exe | Akfbjkdj.exe
File created | C:\Windows\SysWOW64\Bmaaha32.exe | Bieegcid.exe
File created | C:\Windows\SysWOW64\Ommfibdg.exe | Ohajic32.exe
File created | C:\Windows\SysWOW64\Bpdnjb32.exe | Baannfim.exe
File created | C:\Windows\SysWOW64\Gphkoi32.dll | Donijk32.exe
File created | C:\Windows\SysWOW64\Ilgcjijc.dll | Glpbiaqg.exe
File opened for modification | C:\Windows\SysWOW64\Ckdnpicb.exe | Chfadndo.exe
File created | C:\Windows\SysWOW64\Dalffg32.exe | Dciekjhc.exe
File opened for modification | C:\Windows\SysWOW64\Ohajic32.exe | Ofcnmh32.exe
File created | C:\Windows\SysWOW64\Fmcnbemk.dll | Lalchnfl.exe
File created | C:\Windows\SysWOW64\Gjomlp32.exe | Gfcqkafl.exe
File opened for modification | C:\Windows\SysWOW64\Blkgdmbp.exe | Bilkhbcl.exe
File created | C:\Windows\SysWOW64\Onhihepp.exe | Ofaaghom.exe
File created | C:\Windows\SysWOW64\Dklkkoqf.exe | Dhnoocab.exe
File created | C:\Windows\SysWOW64\Ndaaclac.exe | Nenaho32.exe
File created | C:\Windows\SysWOW64\Jmhdamkj.dll | Pmpcoabe.exe
File created | C:\Windows\SysWOW64\Cdfnea32.dll | Piipibff.exe
File created | C:\Windows\SysWOW64\Ohljcnlh.exe | Ojijha32.exe
File opened for modification | C:\Windows\SysWOW64\Amalcd32.exe | Ajcpgi32.exe
Program crash (1 IoC)
pid | pid_target | Process | procid_target
7676 | 7644 | WerFault.exe | 779
System Location Discovery: System Language Discovery (1 TTP, 64 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Hhfcnb32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ncplfj32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Enajgllm.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Angklf32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Dkggel32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Gfadeaho.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Kkmakd32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ndekok32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Gmcogf32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ooiepnen.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Dghekobe.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ikhlaaif.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Kmbgnl32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Gmjehe32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ndkoemji.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ohfgeo32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Fimgmj32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Fefnmdfo.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Acfpilmp.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Eligoe32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Lcjodiep.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Pkdiehca.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Akdedkfl.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Gaokhdja.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ogldfl32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Aipbidbj.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Icadpd32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Oleinmgd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Mhegckpd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Pgkjji32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Cokqfhpa.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Dbaflm32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Gpihog32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Lgaaiian.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Llojpghe.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Djddbkck.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Hiffbl32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Nchkjhdh.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Oiepmajb.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Lbgmah32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Cialng32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Caomgjnk.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Cnhjbjam.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ocbnqfln.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Hmpemkkf.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Nkfpefme.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Chdeonfa.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Gpfeoqmf.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Mjialchg.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Dnbfkh32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Eqjenb32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Pbaebh32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Acldpojj.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Fbhhlo32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Hikpnkme.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Paldmbmq.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Cgnkkjgd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Dhadhakp.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Eqmbca32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Knldaf32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Cpldjajo.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Cocnanmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Fbjeao32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ioonfaed.exe
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qakkncmi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Alfbmoql.dll" Iaknmm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mlljiklc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lnmglbgh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ohfgeo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Plfmlj32.dll" Bmfamg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kkmnmd32.dll" Hepdml32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mhnipieq.dll" Kdefdjnl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kcjcefbd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fgpqnpjh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qjacai32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fcehpbdm.exe Key created 
\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pdhdcnng.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aahdmanl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bichbckg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ddjjlj32.dll" Mojmbg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Odhhdk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oplmpa32.dll" Bpmqom32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fmcchb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gmjehe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cpldjajo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mjfdfcjj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cbpbek32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lbgmah32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hljljflh.exe Key created 
\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Iankbldh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hgjjbc32.dll" Dhcanahm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ngikaijm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nelkme32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Enomam32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Akfbjkdj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Edahca32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnbahpke.dll" Hmpemkkf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kjfhgp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lgcdkk32.dll" Cbpbek32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imcafcpf.dll" Enajgllm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hbmnfajm.exe Set value (str) 
\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Liqnclia.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cajmbd32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gggknmnm.dll" Eddeia32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cpflcp32.dll" Egbaelej.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imoqbo32.dll" Afojgiei.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ppepdplg.dll" Gepgni32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jcfmkcdn.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jkhhpeka.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pbhnonjm.dll" Bjbelf32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ihgcof32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oifjjk32.dll" Oleinmgd.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Blkgdmbp.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lmjdia32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bhglpqeo.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cleaebna.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ebhlmlhl.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fpjlpclc.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ejeglg32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fhjcmcep.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Allbpqcp.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gadkmj32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hojeka32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lgekdh32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qmohco32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lkphql32.dll" Lfmhla32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bgaljk32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fkpfjnnl.exe
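Added example, not part of the sandbox report: a parser for the InProcServer32 event lines above. It pulls the CLSID, the DLL registered as the in-process server, the ThreadingModel and the process that wrote each value, then resolves a ShellServiceObjectDelayLoad map (entry name to CLSID) to the DLLs Explorer would load at logon through that CLSID. The event lines are the report's own (rebuilt from a `KEY` constant to keep them short); the `SSODL` map and the `BenignEntry` CLSID are constructed for this example.

```python
import re
from collections import defaultdict

# Registry key written by the sample, as shown in the "Modifies registry class"
# events above (the CLSID is the one from the report).
KEY = r'\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32'


def dll_event(dll, proc):
    """Build a 'Set value (str)' line for the InProcServer32 default value in the
    report's own format (the REG_SZ value is shown with doubled backslashes)."""
    return rf'Set value (str) {KEY}\ = "C:\\Windows\\SysWow64\\{dll}" {proc}'


# Sample events taken from the report above: two ThreadingModel writes, two key
# creations and the seven DLL registrations.
EVENTS = [
    rf'Set value (str) {KEY}\ThreadingModel = "Apartment" Jkhhpeka.exe',
    rf'Key created {KEY} Cajmbd32.exe',
    dll_event('Gggknmnm.dll', 'Eddeia32.exe'),
    dll_event('Cpflcp32.dll', 'Egbaelej.exe'),
    dll_event('Imoqbo32.dll', 'Afojgiei.exe'),
    dll_event('Ppepdplg.dll', 'Gepgni32.exe'),
    dll_event('Pbhnonjm.dll', 'Bjbelf32.exe'),
    dll_event('Oifjjk32.dll', 'Oleinmgd.exe'),
    dll_event('Lkphql32.dll', 'Lfmhla32.exe'),
    rf'Set value (str) {KEY}\ThreadingModel = "Apartment" Lmjdia32.exe',
    rf'Key created {KEY} Fkpfjnnl.exe',
]

# "<op> <key>[ = "<value>"] <process>"; keys never contain spaces, so a greedy
# \S+ stops exactly before the optional value or the process name.
EVENT_RE = re.compile(
    r'^(?P<op>Set value \(str\)|Key created) '
    r'(?P<key>\\REGISTRY\\\S+)'
    r'(?: = "(?P<value>[^"]*)")?'
    r' (?P<proc>\S+)$'
)
CLSID_RE = re.compile(r'\{[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12}\}', re.I)


def parse_event(line):
    """Split one report line into op / key / value name / value / writing process."""
    m = EVENT_RE.match(line)
    if not m:
        return None
    op, key, value, proc = m.group('op', 'key', 'value', 'proc')
    name = None
    if op.startswith('Set value'):
        key, _, name = key.rpartition('\\')
        name = name or '(Default)'           # a trailing '\' means the default value
        value = value.replace('\\\\', '\\')  # undo the report's backslash escaping
    clsid = CLSID_RE.search(key)
    return {'op': op, 'key': key, 'name': name, 'value': value,
            'process': proc, 'clsid': clsid.group(0).upper() if clsid else None}


def inproc_servers(lines):
    """CLSID -> {'dlls', 'threading', 'writers'} from the InProcServer32 events,
    i.e. every DLL that has been registered as that COM object's server."""
    out = defaultdict(lambda: {'dlls': set(), 'threading': set(), 'writers': set()})
    for line in lines:
        ev = parse_event(line)
        if not ev or not ev['clsid'] or not ev['key'].upper().endswith('INPROCSERVER32'):
            continue
        entry = out[ev['clsid']]
        entry['writers'].add(ev['process'])
        if ev['name'] == '(Default)':
            entry['dlls'].add(ev['value'])
        elif ev['name'] and ev['name'].lower() == 'threadingmodel':
            entry['threading'].add(ev['value'])
    return dict(out)


def resolve_ssodl(ssodl, servers):
    """Resolve ShellServiceObjectDelayLoad entries (name -> CLSID) to the DLLs
    Explorer would load. A CLSID with no InProcServer32 event yields []."""
    return {name: sorted(servers.get(clsid.upper(), {}).get('dlls', []))
            for name, clsid in ssodl.items()}


# Constructed SSODL map: BenignEntry and its CLSID are hypothetical; SampleEntry
# points at the CLSID the sample registers above.
SSODL = {
    'BenignEntry': '{00000000-0000-0000-0000-000000000000}',
    'SampleEntry': '{79FEACFF-FFCE-815E-A900-316290B5B738}',
}

if __name__ == '__main__':
    servers = inproc_servers(EVENTS)
    for clsid, info in servers.items():
        print(clsid, sorted(info['dlls']), sorted(info['threading']),
              len(info['writers']), 'distinct writers')
    for name, dlls in resolve_ssodl(SSODL, servers).items():
        print(f'{name}: {dlls or "no InProcServer32 registration seen"}')
```

The point of keying on the CLSID rather than on the DLL name is that the sample rewrites the same InProcServer32 default value with a different randomly named DLL from each stage, so a single CLSID ends up with seven candidate payloads; a hunt that only looks for one DLL path misses the rest.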
Suspicious use of WriteProcessMemory 64 IoCs
Each parent/child pair below is logged four times in the report (16 pairs, 64 entries).

description | pid | Process | procid_target | entries
PID 2508 wrote to memory of 1968 | 2508 | 56280de0332c1b5580fff604affdc160N.exe | 29 | 4
PID 1968 wrote to memory of 2056 | 1968 | Knldaf32.exe | 30 | 4
PID 2056 wrote to memory of 1544 | 2056 | Kfcmcckn.exe | 31 | 4
PID 1544 wrote to memory of 2732 | 1544 | Kgdijk32.exe | 32 | 4
PID 2732 wrote to memory of 2692 | 2732 | Knnagehi.exe | 33 | 4
PID 2692 wrote to memory of 2688 | 2692 | Kbjmhd32.exe | 34 | 4
PID 2688 wrote to memory of 2652 | 2688 | Kjeblf32.exe | 35 | 4
PID 2652 wrote to memory of 2748 | 2652 | Kbljmd32.exe | 36 | 4
PID 2748 wrote to memory of 1288 | 2748 | Kcmfeldm.exe | 37 | 4
PID 1288 wrote to memory of 2000 | 1288 | Kldofi32.exe | 38 | 4
PID 2000 wrote to memory of 2892 | 2000 | Kmeknakn.exe | 39 | 4
PID 2892 wrote to memory of 2752 | 2892 | Kemcookp.exe | 40 | 4
PID 2752 wrote to memory of 1464 | 2752 | Kcpcjl32.exe | 41 | 4
PID 1464 wrote to memory of 1588 | 1464 | Lneghd32.exe | 42 | 4
PID 1588 wrote to memory of 2084 | 1588 | Laccdp32.exe | 43 | 4
PID 2084 wrote to memory of 2096 | 2084 | Lcbppk32.exe | 44 | 4
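Added example, not from the report: reconstructing the process lineage from the WriteProcessMemory rows. It parses the flattened `PID X wrote to memory of Y X image N` layout the report uses, collapses the four repeated entries per pair, and walks writer to target starting from the root, which is the only PID that never appears as a target. Only the first five pairs from the table above are embedded; the four-fold repetition is reproduced in code rather than pasted.

```python
import re
from collections import Counter, defaultdict

# Five parent/child pairs copied from the WriteProcessMemory rows above. The
# sandbox records each pair four times; the join below reproduces that so the
# parser sees the report's flattened layout, header included.
ROWS = [
    'PID 2508 wrote to memory of 1968 2508 56280de0332c1b5580fff604affdc160N.exe 29',
    'PID 1968 wrote to memory of 2056 1968 Knldaf32.exe 30',
    'PID 2056 wrote to memory of 1544 2056 Kfcmcckn.exe 31',
    'PID 1544 wrote to memory of 2732 1544 Kgdijk32.exe 32',
    'PID 2732 wrote to memory of 2692 2732 Knnagehi.exe 33',
]
RAW = 'description pid Process procid_target ' + ' '.join(r for r in ROWS for _ in range(4))

# description (writer, target) | pid | Process image | procid_target
ROW_RE = re.compile(r'PID (\d+) wrote to memory of (\d+) (\d+) (\S+) (\d+)')


def parse_wpm(text):
    """One record per logged WriteProcessMemory event, in report order."""
    records = []
    for src, dst, pid, proc, target in ROW_RE.findall(text):
        if src != pid:  # the description and the pid column must name the same writer
            raise ValueError(f'malformed row for PID {src}')
        records.append({'src': int(src), 'dst': int(dst),
                        'process': proc, 'target_index': int(target)})
    return records


def edge_counts(records):
    """Collapse the repeated rows: (writer PID, writer image, target PID) -> count."""
    return Counter((r['src'], r['process'], r['dst']) for r in records)


def images(records):
    """PID -> image name for every PID that appears as a writer."""
    return {r['src']: r['process'] for r in records}


def lineage(records):
    """Order the PIDs into chains. A root is a writer that is never a target;
    each chain follows writer -> target until a PID writes into nothing. A PID
    that writes into several targets yields one chain per branch."""
    children = defaultdict(set)
    for r in records:
        children[r['src']].add(r['dst'])
    targets = {d for ds in children.values() for d in ds}
    roots = sorted(set(children) - targets)
    chains = []

    def walk(path):
        nxt = sorted(children.get(path[-1], ()))
        if not nxt:
            chains.append(path)
        for d in nxt:
            if d not in path:  # guard against cycles in malformed data
                walk(path + [d])

    for root in roots:
        walk([root])
    return chains


if __name__ == '__main__':
    recs = parse_wpm(RAW)
    names = images(recs)
    for (src, proc, dst), n in edge_counts(recs).items():
        print(f'{proc} ({src}) -> {names.get(dst, "?")} ({dst}) x{n}')
    for chain in lineage(recs):
        print(' -> '.join(f'{names.get(p, "?")}[{p}]' for p in chain), f'({len(chain)} deep)')
```

Run on these rows the single chain is 2508 -> 1968 -> 2056 -> 1544 -> 2732 -> 2692, which matches the first six entries of the process tree below: every process that writes into a child is also the parent that launched it, so the WriteProcessMemory rows and the tree describe the same hand-off from one dropped executable to the next.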
Processes

Each process is the child of the one above it; depth is its nesting level in the process tree, and the signatures column lists the behaviours the sandbox attributed to that process.

depth | Image | Command line | PID | Signatures
1 | C:\Users\Admin\AppData\Local\Temp\56280de0332c1b5580fff604affdc160N.exe | "C:\Users\Admin\AppData\Local\Temp\56280de0332c1b5580fff604affdc160N.exe" | 2508 | Loads dropped DLL; Suspicious use of WriteProcessMemory
2 | C:\Windows\SysWOW64\Knldaf32.exe | C:\Windows\system32\Knldaf32.exe | 1968 | Executes dropped EXE; Loads dropped DLL; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
3 | C:\Windows\SysWOW64\Kfcmcckn.exe | C:\Windows\system32\Kfcmcckn.exe | 2056 | Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
4 | C:\Windows\SysWOW64\Kgdijk32.exe | C:\Windows\system32\Kgdijk32.exe | 1544 | Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
5 | C:\Windows\SysWOW64\Knnagehi.exe | C:\Windows\system32\Knnagehi.exe | 2732 | Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
6 | C:\Windows\SysWOW64\Kbjmhd32.exe | C:\Windows\system32\Kbjmhd32.exe | 2692 | Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
7 | C:\Windows\SysWOW64\Kjeblf32.exe | C:\Windows\system32\Kjeblf32.exe | 2688 | Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
8 | C:\Windows\SysWOW64\Kbljmd32.exe | C:\Windows\system32\Kbljmd32.exe | 2652 | Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
9 | C:\Windows\SysWOW64\Kcmfeldm.exe | C:\Windows\system32\Kcmfeldm.exe | 2748 | Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
10 | C:\Windows\SysWOW64\Kldofi32.exe | C:\Windows\system32\Kldofi32.exe | 1288 | Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
11 | C:\Windows\SysWOW64\Kmeknakn.exe | C:\Windows\system32\Kmeknakn.exe | 2000 | Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
12 | C:\Windows\SysWOW64\Kemcookp.exe | C:\Windows\system32\Kemcookp.exe | 2892 | Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
13 | C:\Windows\SysWOW64\Kcpcjl32.exe | C:\Windows\system32\Kcpcjl32.exe | 2752 | Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
14 | C:\Windows\SysWOW64\Lneghd32.exe | C:\Windows\system32\Lneghd32.exe | 1464 | Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
15 | C:\Windows\SysWOW64\Laccdp32.exe | C:\Windows\system32\Laccdp32.exe | 1588 | Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
16 | C:\Windows\SysWOW64\Lcbppk32.exe | C:\Windows\system32\Lcbppk32.exe | 2084 | Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
17 | C:\Windows\SysWOW64\Liohhbno.exe | C:\Windows\system32\Liohhbno.exe | 2096 | Executes dropped EXE; Loads dropped DLL
18 | C:\Windows\SysWOW64\Lmjdia32.exe | C:\Windows\system32\Lmjdia32.exe | 752 | Executes dropped EXE; Loads dropped DLL; Modifies registry class
19 | C:\Windows\SysWOW64\Lcdmekne.exe | C:\Windows\system32\Lcdmekne.exe | 2388 | Executes dropped EXE; Loads dropped DLL
20 | C:\Windows\SysWOW64\Lbgmah32.exe | C:\Windows\system32\Lbgmah32.exe | 2212 | Executes dropped EXE; Loads dropped DLL; System Location Discovery: System Language Discovery; Modifies registry class
21 | C:\Windows\SysWOW64\Lmmaoq32.exe | C:\Windows\system32\Lmmaoq32.exe | 2328 | Executes dropped EXE; Loads dropped DLL
22 | C:\Windows\SysWOW64\Llpajmkq.exe | C:\Windows\system32\Llpajmkq.exe | 1884 | Executes dropped EXE; Loads dropped DLL
23 | C:\Windows\SysWOW64\Lbijgg32.exe | C:\Windows\system32\Lbijgg32.exe | 924 | Executes dropped EXE; Loads dropped DLL
24 | C:\Windows\SysWOW64\Licbca32.exe | C:\Windows\system32\Licbca32.exe | 2360 | Executes dropped EXE; Loads dropped DLL
25 | C:\Windows\SysWOW64\Lpmjplag.exe | C:\Windows\system32\Lpmjplag.exe | 584 | Executes dropped EXE; Loads dropped DLL
26 | C:\Windows\SysWOW64\Lopjlh32.exe | C:\Windows\system32\Lopjlh32.exe | 1616 | Executes dropped EXE; Loads dropped DLL
27 | C:\Windows\SysWOW64\Lblflgqk.exe | C:\Windows\system32\Lblflgqk.exe | 2276 | Executes dropped EXE; Loads dropped DLL
28 | C:\Windows\SysWOW64\Lhiodnob.exe | C:\Windows\system32\Lhiodnob.exe | 2704 | Executes dropped EXE; Loads dropped DLL
29 | C:\Windows\SysWOW64\Lbncbgoh.exe | C:\Windows\system32\Lbncbgoh.exe | 2768 | Executes dropped EXE; Loads dropped DLL
30 | C:\Windows\SysWOW64\Laacmc32.exe | C:\Windows\system32\Laacmc32.exe | 2520 | Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Loads dropped DLL
31 | C:\Windows\SysWOW64\Mihkoa32.exe | C:\Windows\system32\Mihkoa32.exe | 2632 | Executes dropped EXE; Loads dropped DLL
32 | C:\Windows\SysWOW64\Mkihfi32.exe | C:\Windows\system32\Mkihfi32.exe | 2592 | Executes dropped EXE; Loads dropped DLL
33 | C:\Windows\SysWOW64\Mhmhpm32.exe | C:\Windows\system32\Mhmhpm32.exe | 2620 | Executes dropped EXE
34 | C:\Windows\SysWOW64\Mkldli32.exe | C:\Windows\system32\Mkldli32.exe | 2024 | Executes dropped EXE
35 | C:\Windows\SysWOW64\Meaiia32.exe | C:\Windows\system32\Meaiia32.exe | 2424 | Executes dropped EXE
36 | C:\Windows\SysWOW64\Mhpeem32.exe | C:\Windows\system32\Mhpeem32.exe | 2956 | Executes dropped EXE
37 | C:\Windows\SysWOW64\Mojmbg32.exe | C:\Windows\system32\Mojmbg32.exe | 2908 | Executes dropped EXE; Modifies registry class
38 | C:\Windows\SysWOW64\Mpkjjofe.exe | C:\Windows\system32\Mpkjjofe.exe | 2248 | Executes dropped EXE
39 | C:\Windows\SysWOW64\Mgebfi32.exe | C:\Windows\system32\Mgebfi32.exe | 1520 | Executes dropped EXE
40 | C:\Windows\SysWOW64\Micnbe32.exe | C:\Windows\system32\Micnbe32.exe | 1244 | Executes dropped EXE
41 | C:\Windows\SysWOW64\Majfcb32.exe | C:\Windows\system32\Majfcb32.exe | 1552 | Executes dropped EXE
42 | C:\Windows\SysWOW64\Mdibpn32.exe | C:\Windows\system32\Mdibpn32.exe | 2376 | Executes dropped EXE
43 | C:\Windows\SysWOW64\Mkcjlhdh.exe | C:\Windows\system32\Mkcjlhdh.exe | 2368 | Executes dropped EXE
44 | C:\Windows\SysWOW64\Mmaghc32.exe | C:\Windows\system32\Mmaghc32.exe | 1048 | Executes dropped EXE
45 | C:\Windows\SysWOW64\Ndkoemji.exe | C:\Windows\system32\Ndkoemji.exe | 1472 | Executes dropped EXE; System Location Discovery: System Language Discovery
46 | C:\Windows\SysWOW64\Ngikaijm.exe | C:\Windows\system32\Ngikaijm.exe | 2124 | Executes dropped EXE; Modifies registry class
47 | C:\Windows\SysWOW64\Nelkme32.exe | C:\Windows\system32\Nelkme32.exe | 880 | Executes dropped EXE; Modifies registry class
48 | C:\Windows\SysWOW64\Nihgndip.exe | C:\Windows\system32\Nihgndip.exe | 2656 | Executes dropped EXE
49 | C:\Windows\SysWOW64\Nlfdjphd.exe | C:\Windows\system32\Nlfdjphd.exe | 1596 | Executes dropped EXE
50 | C:\Windows\SysWOW64\Noepfkgh.exe | C:\Windows\system32\Noepfkgh.exe | 2404 | Executes dropped EXE
51 | C:\Windows\SysWOW64\Ncplfj32.exe | C:\Windows\system32\Ncplfj32.exe | 2852 | Executes dropped EXE; System Location Discovery: System Language Discovery
52 | C:\Windows\SysWOW64\Neohbe32.exe | C:\Windows\system32\Neohbe32.exe | 2604 | Executes dropped EXE
53 | C:\Windows\SysWOW64\Nhmdoq32.exe | C:\Windows\system32\Nhmdoq32.exe | 2872 | Executes dropped EXE
54 | C:\Windows\SysWOW64\Npdlpnnj.exe | C:\Windows\system32\Npdlpnnj.exe | 944 | Executes dropped EXE
55 | C:\Windows\SysWOW64\Npdlpnnj.exe | C:\Windows\system32\Npdlpnnj.exe | 540 | Executes dropped EXE
56 | C:\Windows\SysWOW64\Naeigf32.exe | C:\Windows\system32\Naeigf32.exe | 2784 | Executes dropped EXE
57 | C:\Windows\SysWOW64\Neaehelb.exe | C:\Windows\system32\Neaehelb.exe | 2312 | Executes dropped EXE
58 | C:\Windows\SysWOW64\Nhpadpke.exe | C:\Windows\system32\Nhpadpke.exe | 2820 | Executes dropped EXE
59 | C:\Windows\SysWOW64\Nlkmeo32.exe | C:\Windows\system32\Nlkmeo32.exe | 2268 | Executes dropped EXE; Drops file in System32 directory
60 | C:\Windows\SysWOW64\Nceeaikk.exe | C:\Windows\system32\Nceeaikk.exe | 2672 | Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE
61 | C:\Windows\SysWOW64\Nceeaikk.exe | C:\Windows\system32\Nceeaikk.exe | 2952 | Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE
62 | C:\Windows\SysWOW64\Nahemf32.exe | C:\Windows\system32\Nahemf32.exe | 2164 | Executes dropped EXE
63 | C:\Windows\SysWOW64\Necandjo.exe | C:\Windows\system32\Necandjo.exe | 2560 | Executes dropped EXE
64 | C:\Windows\SysWOW64\Nlmjjo32.exe | C:\Windows\system32\Nlmjjo32.exe | 572 | Executes dropped EXE
65 | C:\Windows\SysWOW64\Nolffjap.exe | C:\Windows\system32\Nolffjap.exe | 920 | Executes dropped EXE
66 | C:\Windows\SysWOW64\Ohdkop32.exe | C:\Windows\system32\Ohdkop32.exe | 340 | Adds autorun key to be loaded by Explorer.exe on startup
67 | C:\Windows\SysWOW64\Okbgkk32.exe | C:\Windows\system32\Okbgkk32.exe | 1736 |
68 | C:\Windows\SysWOW64\Onacgf32.exe | C:\Windows\system32\Onacgf32.exe | 1928 |
69 | C:\Windows\SysWOW64\Onacgf32.exe | C:\Windows\system32\Onacgf32.exe | 2828 |
70 | C:\Windows\SysWOW64\Oamohenq.exe | C:\Windows\system32\Oamohenq.exe | 2584 |
71 | C:\Windows\SysWOW64\Opoocb32.exe | C:\Windows\system32\Opoocb32.exe | 2600 |
72 | C:\Windows\SysWOW64\Ohfgeo32.exe | C:\Windows\system32\Ohfgeo32.exe | 560 | System Location Discovery: System Language Discovery; Modifies registry class
73 | C:\Windows\SysWOW64\Ogigpllh.exe | C:\Windows\system32\Ogigpllh.exe | 2068 |
74 | C:\Windows\SysWOW64\Okecak32.exe | C:\Windows\system32\Okecak32.exe | 3036 |
75 | C:\Windows\SysWOW64\Ojhdmgkl.exe | C:\Windows\system32\Ojhdmgkl.exe | 2964 |
76 | C:\Windows\SysWOW64\Oncpmf32.exe | C:\Windows\system32\Oncpmf32.exe | 2796 |
77 | C:\Windows\SysWOW64\Oaolne32.exe | C:\Windows\system32\Oaolne32.exe | 2912 |
78 | C:\Windows\SysWOW64\Oqaliabh.exe | C:\Windows\system32\Oqaliabh.exe | 1312 |
79 | C:\Windows\SysWOW64\Ocphembl.exe | C:\Windows\system32\Ocphembl.exe | 1632 |
80 | C:\Windows\SysWOW64\Ogldfl32.exe | C:\Windows\system32\Ogldfl32.exe | 2396 | System Location Discovery: System Language Discovery
81 | C:\Windows\SysWOW64\Okgpfjbo.exe | C:\Windows\system32\Okgpfjbo.exe | 1460 | Drops file in System32 directory
82 | C:\Windows\SysWOW64\Onelbfab.exe | C:\Windows\system32\Onelbfab.exe | 912 | Adds autorun key to be loaded by Explorer.exe on startup
83 | C:\Windows\SysWOW64\Olhmnb32.exe | C:\Windows\system32\Olhmnb32.exe | 2168 |
84 | C:\Windows\SysWOW64\Oqdioaqf.exe | C:\Windows\system32\Oqdioaqf.exe | 3052 |
85 | C:\Windows\SysWOW64\Odpeop32.exe | C:\Windows\system32\Odpeop32.exe | 1604 |
86 | C:\Windows\SysWOW64\Ognakk32.exe | C:\Windows\system32\Ognakk32.exe | 2844 |
87 | C:\Windows\SysWOW64\Ofaaghom.exe | C:\Windows\system32\Ofaaghom.exe | 2876 | Drops file in System32 directory
88 | C:\Windows\SysWOW64\Onhihepp.exe | C:\Windows\system32\Onhihepp.exe | 1532 |
89 | C:\Windows\SysWOW64\Oqfeda32.exe | C:\Windows\system32\Oqfeda32.exe | 1636 |
90 | C:\Windows\SysWOW64\Ooiepnen.exe | C:\Windows\system32\Ooiepnen.exe | 2996 | System Location Discovery: System Language Discovery
91 | C:\Windows\SysWOW64\Ogpnakfp.exe | C:\Windows\system32\Ogpnakfp.exe | 1748 |
92 | C:\Windows\SysWOW64\Ofcnmh32.exe | C:\Windows\system32\Ofcnmh32.exe | 2228 | Drops file in System32 directory
93 | C:\Windows\SysWOW64\Ohajic32.exe | C:\Windows\system32\Ohajic32.exe | 1648 | Drops file in System32 directory
94 | C:\Windows\SysWOW64\Ommfibdg.exe | C:\Windows\system32\Ommfibdg.exe | 996 |
95 | C:\Windows\SysWOW64\Polbemck.exe | C:\Windows\system32\Polbemck.exe | 1788 |
96 | C:\Windows\SysWOW64\Pbjoaibo.exe | C:\Windows\system32\Pbjoaibo.exe | 2088 |
97 | C:\Windows\SysWOW64\Pidgnc32.exe | C:\Windows\system32\Pidgnc32.exe | 2712 |
98 | C:\Windows\SysWOW64\Pmpcoabe.exe | C:\Windows\system32\Pmpcoabe.exe | 2880 | Drops file in System32 directory
99 | C:\Windows\SysWOW64\Pkbcjn32.exe | C:\Windows\system32\Pkbcjn32.exe | 1696 |
100 | C:\Windows\SysWOW64\Pcikllja.exe | C:\Windows\system32\Pcikllja.exe | 304 |
101 | C:\Windows\SysWOW64\Pfhghgie.exe | C:\Windows\system32\Pfhghgie.exe | 3016 |
102 | C:\Windows\SysWOW64\Pdkgcd32.exe | C:\Windows\system32\Pdkgcd32.exe | 1016 |
103 | C:\Windows\SysWOW64\Pmbpda32.exe | C:\Windows\system32\Pmbpda32.exe | 900 |
104 | C:\Windows\SysWOW64\Poplqm32.exe | C:\Windows\system32\Poplqm32.exe | 1516 |
105 | C:\Windows\SysWOW64\Pncllifp.exe | C:\Windows\system32\Pncllifp.exe | 1584 |
106 | C:\Windows\SysWOW64\Pbohmh32.exe | C:\Windows\system32\Pbohmh32.exe | 1980 |
107 | C:\Windows\SysWOW64\Piipibff.exe | C:\Windows\system32\Piipibff.exe | 1080 | Drops file in System32 directory
108 | C:\Windows\SysWOW64\Pgkqeo32.exe | C:\Windows\system32\Pgkqeo32.exe | 2052 |
109 | C:\Windows\SysWOW64\Pobhfl32.exe | C:\Windows\system32\Pobhfl32.exe | 2616 |
110 | C:\Windows\SysWOW64\Pbaebh32.exe | C:\Windows\system32\Pbaebh32.exe | 2636 | System Location Discovery: System Language Discovery
111 | C:\Windows\SysWOW64\Peoanckj.exe | C:\Windows\system32\Peoanckj.exe | 2984 |
112 | C:\Windows\SysWOW64\Pgnmjokn.exe | C:\Windows\system32\Pgnmjokn.exe | 2800 |
113 | C:\Windows\SysWOW64\Pnhegi32.exe | C:\Windows\system32\Pnhegi32.exe | 784 |
114 | C:\Windows\SysWOW64\Pafacd32.exe | C:\Windows\system32\Pafacd32.exe | 2196 | Adds autorun key to be loaded by Explorer.exe on startup
115 | C:\Windows\SysWOW64\Peandcih.exe | C:\Windows\system32\Peandcih.exe | 2524 |
116 | C:\Windows\SysWOW64\Pgpjpnhk.exe | C:\Windows\system32\Pgpjpnhk.exe | 2380 |
117 | C:\Windows\SysWOW64\Qjofljho.exe | C:\Windows\system32\Qjofljho.exe | 1684 |
118 | C:\Windows\SysWOW64\Qmmbhegc.exe | C:\Windows\system32\Qmmbhegc.exe | 2684 |
119 | C:\Windows\SysWOW64\Qahnid32.exe | C:\Windows\system32\Qahnid32.exe | 2728 |
120 | C:\Windows\SysWOW64\Qcgkeonp.exe | C:\Windows\system32\Qcgkeonp.exe | 444 |
121 | C:\Windows\SysWOW64\Qgbfen32.exe | C:\Windows\system32\Qgbfen32.exe | 2960 |
122 | C:\Windows\SysWOW64\Qjacai32.exe | C:\Windows\system32\Qjacai32.exe | 3020 | Modifies registry class