Analysis
-
max time kernel
144s -
max time network
128s -
platform
windows7_x64 -
resource
win7-20240704-en -
resource tags
arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system -
submitted
29-08-2024 19:05
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
11085af67f096c112f1986ce3f6a5b90f8d206a016750fe6e4e17570ec3e224e.exe
Resource
win7-20240704-en
windows7-x64
8 signatures
150 seconds
Behavioral task
behavioral2
Sample
11085af67f096c112f1986ce3f6a5b90f8d206a016750fe6e4e17570ec3e224e.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
7 signatures
150 seconds
General
-
Target
11085af67f096c112f1986ce3f6a5b90f8d206a016750fe6e4e17570ec3e224e.exe
-
Size
55KB
-
MD5
59d27a1ced442264655a240cb1561d62
-
SHA1
0074728b95329f068c277c286cc2b787e71dc6fc
-
SHA256
11085af67f096c112f1986ce3f6a5b90f8d206a016750fe6e4e17570ec3e224e
-
SHA512
30114be5a5d89e8dded27deee713ff83deae48395f4799b2254a0ca9c2b1d30202640c5455eb3b05577c43da40e03aaf50287a2c8b0228a783a667af0674f89c
-
SSDEEP
768:mL5Q/wt+h8wjSG/k3jkX430URAL5WQRbzBoDlrcV2p/1H5g0Xdnh:myl7IkURA1jVxV2LR
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Alofnj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pcmoie32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Blnkbg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Adqbml32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nldcagaq.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Biccfalm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jfjjkhhg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fcaaloed.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jfojpn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fhkagonc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Edmilpld.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kodghqop.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gkimff32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jiclnpjg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ojdjqp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Odgchjhl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lcppgbjd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hqjfgb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Emhnqbjo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ffiepg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pahjgb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cccdjl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bmoaoikj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Knmghb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Phgfko32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dlqgob32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Didgig32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fqqdigko.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cdqfgh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fmgcepio.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mjmiknng.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ebhani32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lbojjq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Baajji32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mkaeob32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lefikg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fopole32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ihnjmf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iboghh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Joenaf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Adeiobgc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dhlapc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gdjpcj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lfhiepbn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Opccallb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ofgbkacb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hhogaamj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kngaig32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lgbdpena.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qmepanje.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gpfggeai.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Klbfbg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hdcebagp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cancif32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dijjgegh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kpblne32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dgalhgpg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lkcqfifp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Himionmc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gomhkb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lodoefed.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dlifcqfl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Emdhhdqb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Paghojip.exe -
Executes dropped EXE 64 IoCs
pid Process 2884 Cjjpag32.exe 2796 Cccdjl32.exe 2720 Cfcmlg32.exe 2616 Chbihc32.exe 1976 Dfhgggim.exe 2000 Dfkclf32.exe 1996 Dqddmd32.exe 1444 Dbdagg32.exe 2420 Dmmbge32.exe 616 Ecgjdong.exe 2116 Ejabqi32.exe 520 Ecjgio32.exe 2236 Emdhhdqb.exe 2340 Eikimeff.exe 964 Ebcmfj32.exe 2088 Fipbhd32.exe 1716 Fnmjpk32.exe 2448 Fnogfk32.exe 868 Fhglop32.exe 2948 Fnadkjlc.exe 1816 Fjhdpk32.exe 2452 Gfoeel32.exe 1584 Gllnnc32.exe 1144 Gmkjgfmf.exe 2460 Golgon32.exe 2708 Geilah32.exe 2868 Glbdnbpk.exe 2672 Gkhaooec.exe 2840 Hdpehd32.exe 3028 Hganjo32.exe 2568 Hdeoccgn.exe 916 Hnmcli32.exe 1096 Hdgkicek.exe 1448 Ilgjhena.exe 2924 Icabeo32.exe 2204 Ihnjmf32.exe 668 Iafofkkf.exe 684 Ikapdqoc.exe 2248 Ibkhak32.exe 2532 Jghqia32.exe 2100 Jfmnkn32.exe 2208 Jfojpn32.exe 1432 Jqeomfgc.exe 1668 Jipcbidn.exe 2004 Jfddkmch.exe 2280 Kolhdbjh.exe 1380 Kenjgi32.exe 676 Kmiolk32.exe 1664 Kccgheib.exe 2736 Kfacdqhf.exe 2592 Lcedne32.exe 2744 Lfdpjp32.exe 1072 Lchqcd32.exe 3032 Lffmpp32.exe 2684 Llcehg32.exe 652 Lfhiepbn.exe 2192 Llebnfpe.exe 2920 Lbojjq32.exe 2404 Llhocfnb.exe 2016 Ladgkmlj.exe 1464 Mohhea32.exe 2104 Mdepmh32.exe 884 Mokdja32.exe 1288 Meemgk32.exe -
Loads dropped DLL 64 IoCs
pid Process 2712 11085af67f096c112f1986ce3f6a5b90f8d206a016750fe6e4e17570ec3e224e.exe 2712 11085af67f096c112f1986ce3f6a5b90f8d206a016750fe6e4e17570ec3e224e.exe 2884 Cjjpag32.exe 2884 Cjjpag32.exe 2796 Cccdjl32.exe 2796 Cccdjl32.exe 2720 Cfcmlg32.exe 2720 Cfcmlg32.exe 2616 Chbihc32.exe 2616 Chbihc32.exe 1976 Dfhgggim.exe 1976 Dfhgggim.exe 2000 Dfkclf32.exe 2000 Dfkclf32.exe 1996 Dqddmd32.exe 1996 Dqddmd32.exe 1444 Dbdagg32.exe 1444 Dbdagg32.exe 2420 Dmmbge32.exe 2420 Dmmbge32.exe 616 Ecgjdong.exe 616 Ecgjdong.exe 2116 Ejabqi32.exe 2116 Ejabqi32.exe 520 Ecjgio32.exe 520 Ecjgio32.exe 2236 Emdhhdqb.exe 2236 Emdhhdqb.exe 2340 Eikimeff.exe 2340 Eikimeff.exe 964 Ebcmfj32.exe 964 Ebcmfj32.exe 2088 Fipbhd32.exe 2088 Fipbhd32.exe 1716 Fnmjpk32.exe 1716 Fnmjpk32.exe 2448 Fnogfk32.exe 2448 Fnogfk32.exe 868 Fhglop32.exe 868 Fhglop32.exe 2948 Fnadkjlc.exe 2948 Fnadkjlc.exe 1816 Fjhdpk32.exe 1816 Fjhdpk32.exe 2452 Gfoeel32.exe 2452 Gfoeel32.exe 1584 Gllnnc32.exe 1584 Gllnnc32.exe 1144 Gmkjgfmf.exe 1144 Gmkjgfmf.exe 2460 Golgon32.exe 2460 Golgon32.exe 2708 Geilah32.exe 2708 Geilah32.exe 2868 Glbdnbpk.exe 2868 Glbdnbpk.exe 2672 Gkhaooec.exe 2672 Gkhaooec.exe 2840 Hdpehd32.exe 2840 Hdpehd32.exe 3028 Hganjo32.exe 3028 Hganjo32.exe 2568 Hdeoccgn.exe 2568 Hdeoccgn.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Qeglqpaj.exe Pinnfonh.exe File created C:\Windows\SysWOW64\Bjhjon32.dll Milaecdp.exe File opened for modification C:\Windows\SysWOW64\Abeghmmn.exe Amhopfof.exe File opened for modification C:\Windows\SysWOW64\Afbpnlcd.exe Akmlacdn.exe File opened for modification C:\Windows\SysWOW64\Cjkamk32.exe Cbcikn32.exe File opened for modification C:\Windows\SysWOW64\Hfbckagm.exe Hjkbfpah.exe File created C:\Windows\SysWOW64\Ncpgeh32.exe Mgigpgkd.exe File created C:\Windows\SysWOW64\Nkaane32.exe Naimepkp.exe File created C:\Windows\SysWOW64\Bbfgiabg.exe Bhpclica.exe File opened for modification C:\Windows\SysWOW64\Gekkpqnp.exe Ghgjflof.exe File created C:\Windows\SysWOW64\Eniack32.dll Mogcelgm.exe File created C:\Windows\SysWOW64\Hjkbfpah.exe Helmiiec.exe File created C:\Windows\SysWOW64\Odgchjhl.exe Ojoood32.exe File opened for modification C:\Windows\SysWOW64\Cogdhpkp.exe Ceoooj32.exe File created C:\Windows\SysWOW64\Cqcomn32.exe Cocbbk32.exe File created C:\Windows\SysWOW64\Fhaibnim.exe Foidii32.exe File opened for modification C:\Windows\SysWOW64\Dlqgob32.exe Dpjfjalp.exe File created C:\Windows\SysWOW64\Hknbcg32.dll Ophanl32.exe File created C:\Windows\SysWOW64\Pcqebd32.exe Pmfmej32.exe File opened for modification C:\Windows\SysWOW64\Cooddbfh.exe Bmohjooe.exe File created C:\Windows\SysWOW64\Cfjihdcc.exe Cooddbfh.exe File created C:\Windows\SysWOW64\Iekpdn32.exe Ijelgemi.exe File created C:\Windows\SysWOW64\Iemdfn32.dll Qkcbpn32.exe File created C:\Windows\SysWOW64\Cjkamk32.exe Cbcikn32.exe File opened for modification C:\Windows\SysWOW64\Ppogok32.exe Phhonn32.exe File created C:\Windows\SysWOW64\Epljpl32.dll Iamjghnm.exe File opened for modification C:\Windows\SysWOW64\Onipqp32.exe Oqepgk32.exe File created C:\Windows\SysWOW64\Cpidai32.exe Ccecheeb.exe File opened for modification C:\Windows\SysWOW64\Elpqemll.exe Egchmfnd.exe File opened for modification C:\Windows\SysWOW64\Cobjmq32.exe Cejfckie.exe File created C:\Windows\SysWOW64\Pdhbhf32.dll Qiekadkl.exe File created C:\Windows\SysWOW64\Dcihdo32.exe Dpmlcpdm.exe File opened for modification C:\Windows\SysWOW64\Hajhpgag.exe Hkppcmjk.exe File created C:\Windows\SysWOW64\Ojqeofnd.dll Nhnemdbf.exe File created C:\Windows\SysWOW64\Hidfjckg.exe Hbknmicj.exe File created C:\Windows\SysWOW64\Giedhjnn.dll Opebpdad.exe File created C:\Windows\SysWOW64\Jcfnnang.dll Pniohk32.exe File created C:\Windows\SysWOW64\Mbmffd32.dll Fdhigo32.exe File created C:\Windows\SysWOW64\Qebepc32.dll Aijfihip.exe File opened for modification C:\Windows\SysWOW64\Aaondi32.exe Akbelbpi.exe File created C:\Windows\SysWOW64\Oamcoejo.dll Dqddmd32.exe File opened for modification C:\Windows\SysWOW64\Kbeqjl32.exe Kmhhae32.exe File created C:\Windows\SysWOW64\Lnnndl32.exe Lefikg32.exe File created C:\Windows\SysWOW64\Nhcedjfb.dll Nldcagaq.exe File created C:\Windows\SysWOW64\Oolbcaij.exe Onmfin32.exe File created C:\Windows\SysWOW64\Blibghmm.exe Bepjjn32.exe File created C:\Windows\SysWOW64\Oedqakci.dll Akbelbpi.exe File opened for modification C:\Windows\SysWOW64\Lcnhcdkp.exe Lnaokn32.exe File created C:\Windows\SysWOW64\Dffbcq32.dll Eagdgaoe.exe File opened for modification C:\Windows\SysWOW64\Hbboiknb.exe Hijjpeha.exe File opened for modification C:\Windows\SysWOW64\Gcakbjpl.exe Fmgcepio.exe File created C:\Windows\SysWOW64\Kfdfdf32.exe Jfbinf32.exe File created C:\Windows\SysWOW64\Jhldob32.dll Joicje32.exe File created C:\Windows\SysWOW64\Hhjfod32.dll Ncbdjhnf.exe File created C:\Windows\SysWOW64\Alqplmlb.exe Agchdfmk.exe File created C:\Windows\SysWOW64\Gahpkd32.exe Gjngoj32.exe File created C:\Windows\SysWOW64\Hdcdfmqe.exe Hmgodc32.exe File opened for modification C:\Windows\SysWOW64\Knmghb32.exe Jhpopk32.exe File created C:\Windows\SysWOW64\Jqngde32.dll Mgigpgkd.exe File opened for modification C:\Windows\SysWOW64\Bmlbaqfh.exe Bbfnchfb.exe File created C:\Windows\SysWOW64\Fichqckn.exe Fiakkcma.exe File created C:\Windows\SysWOW64\Oheppe32.exe Olopjddf.exe File created C:\Windows\SysWOW64\Cegbce32.exe Bgcbja32.exe File opened for modification C:\Windows\SysWOW64\Ldokhn32.exe Lbpolb32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 5076 5056 WerFault.exe 863 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lnfmhj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Njopgh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Baealp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qgiplffm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gilhpe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fnadkjlc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hkppcmjk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dhlapc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ajmhljip.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mkkpjg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Klbfbg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Biccfalm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oolbcaij.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nljcflbd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fnhlcn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ibpjaagi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Edidcb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Afbnec32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dcbjni32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Knpkhhhg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cegbce32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ojlife32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Abjcleqm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gngfjicn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pmfmej32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bikhce32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kggfnoch.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lklmoccl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Omdbdb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fdhigo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Djghpd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fhkagonc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dmajdl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gomhkb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kfenjq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gfoeel32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cggcofkf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Akmlacdn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ogaeieoj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iigcobid.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jipcbidn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ojdjqp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pbdipa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bfieec32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ekfaij32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hpjgdf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nnpofe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dkfcqo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ienfml32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Idepdhia.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ooofcg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ejgeogmn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Elndpnnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ofmiea32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dkblohek.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hjkbfpah.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mfoqephq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Damhmc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mcacochk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fgcdlj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mchokq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ollcee32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hcndag32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dgemgm32.exe -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ggppdpif.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Llhocfnb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Oklmhcdf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Onmfin32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nqbdik32.dll" Fcgaae32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dgjfbllj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhldob32.dll" Joicje32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Conpdm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cohlnkeg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Djqdgfho.dll" Hgpeimhf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fhkagonc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bneancnc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ggphji32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jfddkmch.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jfjjkhhg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aalaoipc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ehhgfgla.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jpllfe32.dll" Opccallb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hajhpgag.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bfncbp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qckcdj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lmiggh32.dll" Bqciha32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Emokgnoa.dll" Llhocfnb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfkfhl32.dll" Ladgkmlj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Migbpocm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kakjdp32.dll" Ffghjg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ambhpljg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bhpclica.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Glgpghnp.dll" Dhgelk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jbjcaf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bikhce32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Epljpl32.dll" Iamjghnm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dgbddi32.dll" Npkfff32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pgnnhbpm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qhngohip.dll" Fkgpaf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mnpkkdjl.dll" Bjlnaghp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bgpnjkgi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kdnlpaln.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aalaoipc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mqhhbn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fnmjpk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Logcad32.dll" Mbjhlg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bkghjq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bhfhnofg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fejjah32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ggphji32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ecgjdong.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jkbhmg32.dll" Ghddnnfi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dndndbnl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Agfbfl32.dll" Aaondi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gcgnphgf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aoggkdlk.dll" Fdekigip.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ijphqbpo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fmdkki32.dll" Abbhje32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cancif32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pkojoghl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cikbjpqd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gkchpcoc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hibebeqb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Olgehh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cdjabn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nlcjoc32.dll" Cfjihdcc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pinnfonh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hdcdfmqe.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2712 wrote to memory of 2884 2712 11085af67f096c112f1986ce3f6a5b90f8d206a016750fe6e4e17570ec3e224e.exe 30 PID 2712 wrote to memory of 2884 2712 11085af67f096c112f1986ce3f6a5b90f8d206a016750fe6e4e17570ec3e224e.exe 30 PID 2712 wrote to memory of 2884 2712 11085af67f096c112f1986ce3f6a5b90f8d206a016750fe6e4e17570ec3e224e.exe 30 PID 2712 wrote to memory of 2884 2712 11085af67f096c112f1986ce3f6a5b90f8d206a016750fe6e4e17570ec3e224e.exe 30 PID 2884 wrote to memory of 2796 2884 Cjjpag32.exe 31 PID 2884 wrote to memory of 2796 2884 Cjjpag32.exe 31 PID 2884 wrote to memory of 2796 2884 Cjjpag32.exe 31 PID 2884 wrote to memory of 2796 2884 Cjjpag32.exe 31 PID 2796 wrote to memory of 2720 2796 Cccdjl32.exe 32 PID 2796 wrote to memory of 2720 2796 Cccdjl32.exe 32 PID 2796 wrote to memory of 2720 2796 Cccdjl32.exe 32 PID 2796 wrote to memory of 2720 2796 Cccdjl32.exe 32 PID 2720 wrote to memory of 2616 2720 Cfcmlg32.exe 33 PID 2720 wrote to memory of 2616 2720 Cfcmlg32.exe 33 PID 2720 wrote to memory of 2616 2720 Cfcmlg32.exe 33 PID 2720 wrote to memory of 2616 2720 Cfcmlg32.exe 33 PID 2616 wrote to memory of 1976 2616 Chbihc32.exe 34 PID 2616 wrote to memory of 1976 2616 Chbihc32.exe 34 PID 2616 wrote to memory of 1976 2616 Chbihc32.exe 34 PID 2616 wrote to memory of 1976 2616 Chbihc32.exe 34 PID 1976 wrote to memory of 2000 1976 Dfhgggim.exe 35 PID 1976 wrote to memory of 2000 1976 Dfhgggim.exe 35 PID 1976 wrote to memory of 2000 1976 Dfhgggim.exe 35 PID 1976 wrote to memory of 2000 1976 Dfhgggim.exe 35 PID 2000 wrote to memory of 1996 2000 Dfkclf32.exe 36 PID 2000 wrote to memory of 1996 2000 Dfkclf32.exe 36 PID 2000 wrote to memory of 1996 2000 Dfkclf32.exe 36 PID 2000 wrote to memory of 1996 2000 Dfkclf32.exe 36 PID 1996 wrote to memory of 1444 1996 Dqddmd32.exe 37 PID 1996 wrote to memory of 1444 1996 Dqddmd32.exe 37 PID 1996 wrote to memory of 1444 1996 Dqddmd32.exe 37 PID 1996 wrote to memory of 1444 1996 Dqddmd32.exe 37 PID 1444 wrote to memory of 2420 1444 Dbdagg32.exe 38 PID 1444 wrote to memory of 2420 1444 Dbdagg32.exe 38 PID 1444 wrote to memory of 2420 1444 Dbdagg32.exe 38 PID 1444 wrote to memory of 2420 1444 Dbdagg32.exe 38 PID 2420 wrote to memory of 616 2420 Dmmbge32.exe 39 PID 2420 wrote to memory of 616 2420 Dmmbge32.exe 39 PID 2420 wrote to memory of 616 2420 Dmmbge32.exe 39 PID 2420 wrote to memory of 616 2420 Dmmbge32.exe 39 PID 616 wrote to memory of 2116 616 Ecgjdong.exe 40 PID 616 wrote to memory of 2116 616 Ecgjdong.exe 40 PID 616 wrote to memory of 2116 616 Ecgjdong.exe 40 PID 616 wrote to memory of 2116 616 Ecgjdong.exe 40 PID 2116 wrote to memory of 520 2116 Ejabqi32.exe 41 PID 2116 wrote to memory of 520 2116 Ejabqi32.exe 41 PID 2116 wrote to memory of 520 2116 Ejabqi32.exe 41 PID 2116 wrote to memory of 520 2116 Ejabqi32.exe 41 PID 520 wrote to memory of 2236 520 Ecjgio32.exe 42 PID 520 wrote to memory of 2236 520 Ecjgio32.exe 42 PID 520 wrote to memory of 2236 520 Ecjgio32.exe 42 PID 520 wrote to memory of 2236 520 Ecjgio32.exe 42 PID 2236 wrote to memory of 2340 2236 Emdhhdqb.exe 43 PID 2236 wrote to memory of 2340 2236 Emdhhdqb.exe 43 PID 2236 wrote to memory of 2340 2236 Emdhhdqb.exe 43 PID 2236 wrote to memory of 2340 2236 Emdhhdqb.exe 43 PID 2340 wrote to memory of 964 2340 Eikimeff.exe 44 PID 2340 wrote to memory of 964 2340 Eikimeff.exe 44 PID 2340 wrote to memory of 964 2340 Eikimeff.exe 44 PID 2340 wrote to memory of 964 2340 Eikimeff.exe 44 PID 964 wrote to memory of 2088 964 Ebcmfj32.exe 45 PID 964 wrote to memory of 2088 964 Ebcmfj32.exe 45 PID 964 wrote to memory of 2088 964 Ebcmfj32.exe 45 PID 964 wrote to memory of 2088 964 Ebcmfj32.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\11085af67f096c112f1986ce3f6a5b90f8d206a016750fe6e4e17570ec3e224e.exe"C:\Users\Admin\AppData\Local\Temp\11085af67f096c112f1986ce3f6a5b90f8d206a016750fe6e4e17570ec3e224e.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2712 -
C:\Windows\SysWOW64\Cjjpag32.exeC:\Windows\system32\Cjjpag32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2884 -
C:\Windows\SysWOW64\Cccdjl32.exeC:\Windows\system32\Cccdjl32.exe3⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2796 -
C:\Windows\SysWOW64\Cfcmlg32.exeC:\Windows\system32\Cfcmlg32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2720 -
C:\Windows\SysWOW64\Chbihc32.exeC:\Windows\system32\Chbihc32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2616 -
C:\Windows\SysWOW64\Dfhgggim.exeC:\Windows\system32\Dfhgggim.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1976 -
C:\Windows\SysWOW64\Dfkclf32.exeC:\Windows\system32\Dfkclf32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2000 -
C:\Windows\SysWOW64\Dqddmd32.exeC:\Windows\system32\Dqddmd32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1996 -
C:\Windows\SysWOW64\Dbdagg32.exeC:\Windows\system32\Dbdagg32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1444 -
C:\Windows\SysWOW64\Dmmbge32.exeC:\Windows\system32\Dmmbge32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2420 -
C:\Windows\SysWOW64\Ecgjdong.exeC:\Windows\system32\Ecgjdong.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:616 -
C:\Windows\SysWOW64\Ejabqi32.exeC:\Windows\system32\Ejabqi32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2116 -
C:\Windows\SysWOW64\Ecjgio32.exeC:\Windows\system32\Ecjgio32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:520 -
C:\Windows\SysWOW64\Emdhhdqb.exeC:\Windows\system32\Emdhhdqb.exe14⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2236 -
C:\Windows\SysWOW64\Eikimeff.exeC:\Windows\system32\Eikimeff.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2340 -
C:\Windows\SysWOW64\Ebcmfj32.exeC:\Windows\system32\Ebcmfj32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:964 -
C:\Windows\SysWOW64\Fipbhd32.exeC:\Windows\system32\Fipbhd32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2088 -
C:\Windows\SysWOW64\Fnmjpk32.exeC:\Windows\system32\Fnmjpk32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1716 -
C:\Windows\SysWOW64\Fnogfk32.exeC:\Windows\system32\Fnogfk32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2448 -
C:\Windows\SysWOW64\Fhglop32.exeC:\Windows\system32\Fhglop32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:868 -
C:\Windows\SysWOW64\Fnadkjlc.exeC:\Windows\system32\Fnadkjlc.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2948 -
C:\Windows\SysWOW64\Fjhdpk32.exeC:\Windows\system32\Fjhdpk32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1816 -
C:\Windows\SysWOW64\Gfoeel32.exeC:\Windows\system32\Gfoeel32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2452 -
C:\Windows\SysWOW64\Gllnnc32.exeC:\Windows\system32\Gllnnc32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1584 -
C:\Windows\SysWOW64\Gmkjgfmf.exeC:\Windows\system32\Gmkjgfmf.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1144 -
C:\Windows\SysWOW64\Golgon32.exeC:\Windows\system32\Golgon32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2460 -
C:\Windows\SysWOW64\Geilah32.exeC:\Windows\system32\Geilah32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2708 -
C:\Windows\SysWOW64\Glbdnbpk.exeC:\Windows\system32\Glbdnbpk.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2868 -
C:\Windows\SysWOW64\Gkhaooec.exeC:\Windows\system32\Gkhaooec.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2672 -
C:\Windows\SysWOW64\Hdpehd32.exeC:\Windows\system32\Hdpehd32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2840 -
C:\Windows\SysWOW64\Hganjo32.exeC:\Windows\system32\Hganjo32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3028 -
C:\Windows\SysWOW64\Hdeoccgn.exeC:\Windows\system32\Hdeoccgn.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2568 -
C:\Windows\SysWOW64\Hnmcli32.exeC:\Windows\system32\Hnmcli32.exe33⤵
- Executes dropped EXE
PID:916 -
C:\Windows\SysWOW64\Hdgkicek.exeC:\Windows\system32\Hdgkicek.exe34⤵
- Executes dropped EXE
PID:1096 -
C:\Windows\SysWOW64\Ilgjhena.exeC:\Windows\system32\Ilgjhena.exe35⤵
- Executes dropped EXE
PID:1448 -
C:\Windows\SysWOW64\Icabeo32.exeC:\Windows\system32\Icabeo32.exe36⤵
- Executes dropped EXE
PID:2924 -
C:\Windows\SysWOW64\Ihnjmf32.exeC:\Windows\system32\Ihnjmf32.exe37⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2204 -
C:\Windows\SysWOW64\Iafofkkf.exeC:\Windows\system32\Iafofkkf.exe38⤵
- Executes dropped EXE
PID:668 -
C:\Windows\SysWOW64\Ikapdqoc.exeC:\Windows\system32\Ikapdqoc.exe39⤵
- Executes dropped EXE
PID:684 -
C:\Windows\SysWOW64\Ibkhak32.exeC:\Windows\system32\Ibkhak32.exe40⤵
- Executes dropped EXE
PID:2248 -
C:\Windows\SysWOW64\Jghqia32.exeC:\Windows\system32\Jghqia32.exe41⤵
- Executes dropped EXE
PID:2532 -
C:\Windows\SysWOW64\Jfmnkn32.exeC:\Windows\system32\Jfmnkn32.exe42⤵
- Executes dropped EXE
PID:2100 -
C:\Windows\SysWOW64\Jfojpn32.exeC:\Windows\system32\Jfojpn32.exe43⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2208 -
C:\Windows\SysWOW64\Jqeomfgc.exeC:\Windows\system32\Jqeomfgc.exe44⤵
- Executes dropped EXE
PID:1432 -
C:\Windows\SysWOW64\Jipcbidn.exeC:\Windows\system32\Jipcbidn.exe45⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1668 -
C:\Windows\SysWOW64\Jfddkmch.exeC:\Windows\system32\Jfddkmch.exe46⤵
- Executes dropped EXE
- Modifies registry class
PID:2004 -
C:\Windows\SysWOW64\Kolhdbjh.exeC:\Windows\system32\Kolhdbjh.exe47⤵
- Executes dropped EXE
PID:2280 -
C:\Windows\SysWOW64\Kenjgi32.exeC:\Windows\system32\Kenjgi32.exe48⤵
- Executes dropped EXE
PID:1380 -
C:\Windows\SysWOW64\Kmiolk32.exeC:\Windows\system32\Kmiolk32.exe49⤵
- Executes dropped EXE
PID:676 -
C:\Windows\SysWOW64\Kccgheib.exeC:\Windows\system32\Kccgheib.exe50⤵
- Executes dropped EXE
PID:1664 -
C:\Windows\SysWOW64\Kfacdqhf.exeC:\Windows\system32\Kfacdqhf.exe51⤵
- Executes dropped EXE
PID:2736 -
C:\Windows\SysWOW64\Lcedne32.exeC:\Windows\system32\Lcedne32.exe52⤵
- Executes dropped EXE
PID:2592 -
C:\Windows\SysWOW64\Lfdpjp32.exeC:\Windows\system32\Lfdpjp32.exe53⤵
- Executes dropped EXE
PID:2744 -
C:\Windows\SysWOW64\Lchqcd32.exeC:\Windows\system32\Lchqcd32.exe54⤵
- Executes dropped EXE
PID:1072 -
C:\Windows\SysWOW64\Lffmpp32.exeC:\Windows\system32\Lffmpp32.exe55⤵
- Executes dropped EXE
PID:3032 -
C:\Windows\SysWOW64\Llcehg32.exeC:\Windows\system32\Llcehg32.exe56⤵
- Executes dropped EXE
PID:2684 -
C:\Windows\SysWOW64\Lfhiepbn.exeC:\Windows\system32\Lfhiepbn.exe57⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:652 -
C:\Windows\SysWOW64\Llebnfpe.exeC:\Windows\system32\Llebnfpe.exe58⤵
- Executes dropped EXE
PID:2192 -
C:\Windows\SysWOW64\Lbojjq32.exeC:\Windows\system32\Lbojjq32.exe59⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2920 -
C:\Windows\SysWOW64\Llhocfnb.exeC:\Windows\system32\Llhocfnb.exe60⤵
- Executes dropped EXE
- Modifies registry class
PID:2404 -
C:\Windows\SysWOW64\Ladgkmlj.exeC:\Windows\system32\Ladgkmlj.exe61⤵
- Executes dropped EXE
- Modifies registry class
PID:2016 -
C:\Windows\SysWOW64\Mohhea32.exeC:\Windows\system32\Mohhea32.exe62⤵
- Executes dropped EXE
PID:1464 -
C:\Windows\SysWOW64\Mdepmh32.exeC:\Windows\system32\Mdepmh32.exe63⤵
- Executes dropped EXE
PID:2104 -
C:\Windows\SysWOW64\Mokdja32.exeC:\Windows\system32\Mokdja32.exe64⤵
- Executes dropped EXE
PID:884 -
C:\Windows\SysWOW64\Meemgk32.exeC:\Windows\system32\Meemgk32.exe65⤵
- Executes dropped EXE
PID:1288 -
C:\Windows\SysWOW64\Mkaeob32.exeC:\Windows\system32\Mkaeob32.exe66⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1960 -
C:\Windows\SysWOW64\Malmllfb.exeC:\Windows\system32\Malmllfb.exe67⤵PID:2324
-
C:\Windows\SysWOW64\Mghfdcdi.exeC:\Windows\system32\Mghfdcdi.exe68⤵PID:1128
-
C:\Windows\SysWOW64\Migbpocm.exeC:\Windows\system32\Migbpocm.exe69⤵
- Modifies registry class
PID:1912 -
C:\Windows\SysWOW64\Mdlfngcc.exeC:\Windows\system32\Mdlfngcc.exe70⤵PID:1552
-
C:\Windows\SysWOW64\Miiofn32.exeC:\Windows\system32\Miiofn32.exe71⤵PID:2792
-
C:\Windows\SysWOW64\Mpcgbhig.exeC:\Windows\system32\Mpcgbhig.exe72⤵PID:2608
-
C:\Windows\SysWOW64\Mcacochk.exeC:\Windows\system32\Mcacochk.exe73⤵
- System Location Discovery: System Language Discovery
PID:2656 -
C:\Windows\SysWOW64\Nmggllha.exeC:\Windows\system32\Nmggllha.exe74⤵PID:2596
-
C:\Windows\SysWOW64\Ncdpdcfh.exeC:\Windows\system32\Ncdpdcfh.exe75⤵PID:1048
-
C:\Windows\SysWOW64\Nhqhmj32.exeC:\Windows\system32\Nhqhmj32.exe76⤵PID:1612
-
C:\Windows\SysWOW64\Naimepkp.exeC:\Windows\system32\Naimepkp.exe77⤵
- Drops file in System32 directory
PID:2652 -
C:\Windows\SysWOW64\Nkaane32.exeC:\Windows\system32\Nkaane32.exe78⤵PID:2488
-
C:\Windows\SysWOW64\Negeln32.exeC:\Windows\system32\Negeln32.exe79⤵PID:2396
-
C:\Windows\SysWOW64\Noojdc32.exeC:\Windows\system32\Noojdc32.exe80⤵PID:2256
-
C:\Windows\SysWOW64\Nanfqo32.exeC:\Windows\system32\Nanfqo32.exe81⤵PID:1972
-
C:\Windows\SysWOW64\Nhhominh.exeC:\Windows\system32\Nhhominh.exe82⤵PID:2328
-
C:\Windows\SysWOW64\Nkfkidmk.exeC:\Windows\system32\Nkfkidmk.exe83⤵PID:328
-
C:\Windows\SysWOW64\Opccallb.exeC:\Windows\system32\Opccallb.exe84⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:1640 -
C:\Windows\SysWOW64\Ojkhjabc.exeC:\Windows\system32\Ojkhjabc.exe85⤵PID:2996
-
C:\Windows\SysWOW64\Oqepgk32.exeC:\Windows\system32\Oqepgk32.exe86⤵
- Drops file in System32 directory
PID:1152 -
C:\Windows\SysWOW64\Onipqp32.exeC:\Windows\system32\Onipqp32.exe87⤵PID:1016
-
C:\Windows\SysWOW64\Ogaeieoj.exeC:\Windows\system32\Ogaeieoj.exe88⤵
- System Location Discovery: System Language Discovery
PID:2788 -
C:\Windows\SysWOW64\Omnmal32.exeC:\Windows\system32\Omnmal32.exe89⤵PID:2640
-
C:\Windows\SysWOW64\Ofgbkacb.exeC:\Windows\system32\Ofgbkacb.exe90⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2564 -
C:\Windows\SysWOW64\Omqjgl32.exeC:\Windows\system32\Omqjgl32.exe91⤵PID:432
-
C:\Windows\SysWOW64\Ooofcg32.exeC:\Windows\system32\Ooofcg32.exe92⤵
- System Location Discovery: System Language Discovery
PID:2384 -
C:\Windows\SysWOW64\Ojdjqp32.exeC:\Windows\system32\Ojdjqp32.exe93⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:2220 -
C:\Windows\SysWOW64\Pcmoie32.exeC:\Windows\system32\Pcmoie32.exe94⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:760 -
C:\Windows\SysWOW64\Pdnkanfg.exeC:\Windows\system32\Pdnkanfg.exe95⤵PID:2240
-
C:\Windows\SysWOW64\Pkhdnh32.exeC:\Windows\system32\Pkhdnh32.exe96⤵PID:2288
-
C:\Windows\SysWOW64\Pbblkaea.exeC:\Windows\system32\Pbblkaea.exe97⤵PID:1856
-
C:\Windows\SysWOW64\Pildgl32.exeC:\Windows\system32\Pildgl32.exe98⤵PID:1108
-
C:\Windows\SysWOW64\Pofldf32.exeC:\Windows\system32\Pofldf32.exe99⤵PID:1536
-
C:\Windows\SysWOW64\Pbdipa32.exeC:\Windows\system32\Pbdipa32.exe100⤵
- System Location Discovery: System Language Discovery
PID:872 -
C:\Windows\SysWOW64\Pioamlkk.exeC:\Windows\system32\Pioamlkk.exe101⤵PID:2860
-
C:\Windows\SysWOW64\Pnkiebib.exeC:\Windows\system32\Pnkiebib.exe102⤵PID:2848
-
C:\Windows\SysWOW64\Pchbmigj.exeC:\Windows\system32\Pchbmigj.exe103⤵PID:2892
-
C:\Windows\SysWOW64\Pkojoghl.exeC:\Windows\system32\Pkojoghl.exe104⤵
- Modifies registry class
PID:1440 -
C:\Windows\SysWOW64\Pegnglnm.exeC:\Windows\system32\Pegnglnm.exe105⤵PID:2160
-
C:\Windows\SysWOW64\Qfikod32.exeC:\Windows\system32\Qfikod32.exe106⤵PID:1340
-
C:\Windows\SysWOW64\Qpaohjkk.exeC:\Windows\system32\Qpaohjkk.exe107⤵PID:2056
-
C:\Windows\SysWOW64\Qmepanje.exeC:\Windows\system32\Qmepanje.exe108⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1628 -
C:\Windows\SysWOW64\Abbhje32.exeC:\Windows\system32\Abbhje32.exe109⤵
- Modifies registry class
PID:960 -
C:\Windows\SysWOW64\Aljmbknm.exeC:\Windows\system32\Aljmbknm.exe110⤵PID:1616
-
C:\Windows\SysWOW64\Aebakp32.exeC:\Windows\system32\Aebakp32.exe111⤵PID:2224
-
C:\Windows\SysWOW64\Aphehidc.exeC:\Windows\system32\Aphehidc.exe112⤵PID:2072
-
C:\Windows\SysWOW64\Afbnec32.exeC:\Windows\system32\Afbnec32.exe113⤵
- System Location Discovery: System Language Discovery
PID:2880 -
C:\Windows\SysWOW64\Alofnj32.exeC:\Windows\system32\Alofnj32.exe114⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2612 -
C:\Windows\SysWOW64\Aalofa32.exeC:\Windows\system32\Aalofa32.exe115⤵PID:1572
-
C:\Windows\SysWOW64\Alaccj32.exeC:\Windows\system32\Alaccj32.exe116⤵PID:3044
-
C:\Windows\SysWOW64\Abkkpd32.exeC:\Windows\system32\Abkkpd32.exe117⤵PID:2304
-
C:\Windows\SysWOW64\Aejglo32.exeC:\Windows\system32\Aejglo32.exe118⤵PID:2984
-
C:\Windows\SysWOW64\Baqhapdj.exeC:\Windows\system32\Baqhapdj.exe119⤵PID:2284
-
C:\Windows\SysWOW64\Bfmqigba.exeC:\Windows\system32\Bfmqigba.exe120⤵PID:1792
-
C:\Windows\SysWOW64\Bacefpbg.exeC:\Windows\system32\Bacefpbg.exe121⤵PID:1292
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-