Analysis
-
max time kernel
85s -
max time network
19s -
platform
windows7_x64 -
resource
win7-20240704-en -
resource tags
arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system -
submitted
03-09-2024 02:32
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
ad2908b298784f81291c070729574420N.exe
Resource
win7-20240704-en
windows7-x64
8 signatures
120 seconds
Behavioral task
behavioral2
Sample
ad2908b298784f81291c070729574420N.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
7 signatures
120 seconds
General
-
Target
ad2908b298784f81291c070729574420N.exe
-
Size
92KB
-
MD5
ad2908b298784f81291c070729574420
-
SHA1
4e8317a673b408046181c9859f19def7360c21ab
-
SHA256
25193c6302b3d530ede961da01090e7787b39d6844694ce8ef24ca172ec153b5
-
SHA512
815edf1baf2a5c2c92690000bc7f55b4d42c62a13ccd8b2dcb1ff94b193ba441008db2e6adf733074fb7a9a62bac7394a23f8cc30ddb89efaedc247310b1f9dc
-
SSDEEP
1536:ovDLvs9SjOdOOZ42cL9SZZzjPIhEkaHxjXq+66DFUABABOVLefE3:Mvs9E2OOZ42KszTRj6+JB8M3
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gpknjp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hgbdge32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cdpfiekl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gnfajgbg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qhdabemb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lanmde32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mamjchoa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mjfdfcjj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ihkihe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lojhmjag.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ilcfjkgj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jpgaohej.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Olhmnb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kcjcefbd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ndnncf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ikinjj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nbgcdmjb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cdjckfda.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fcfojhhh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ogjjie32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Depelp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Apglgfde.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pqaanoah.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Caligc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Alnoepam.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ljdgqc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Enmbeehg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kmeiei32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Amcfpl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ocoobngl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fijolbfh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Olhmnb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nhpadpke.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jahflj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mbabpodi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Okciddnh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ognobcqo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ihedan32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dlokegib.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bkefcc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gloppi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lopjlh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dcofqphi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eddlcgjb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gjomlp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bmaaha32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pihnqj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iackhb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kejfio32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Odiagj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nogjbbma.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kjgoaflj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hdpqhc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Agmbolin.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gfnpek32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mmolll32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nlkonhkb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pnhhpaio.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Elcbmn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Almmlg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pbdhbnnp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ajhkka32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kgfannba.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Laenqg32.exe -
Executes dropped EXE 64 IoCs
pid Process 1276 Djkodg32.exe 2360 Efbpihoo.exe 2292 Emlhfb32.exe 2748 Ejpipf32.exe 2776 Edhmhl32.exe 2804 Elcbmn32.exe 2580 Eigbfb32.exe 2996 Eodknifb.exe 1788 Fijolbfh.exe 2808 Fillabde.exe 1652 Foidii32.exe 2232 Febmfcjj.exe 1496 Fkpeojha.exe 1244 Fgffck32.exe 1832 Fdjfmolo.exe 2924 Fmbkfd32.exe 632 Giikkehc.exe 2392 Ggmldj32.exe 2332 Gljdlq32.exe 1176 Gebiefle.exe 2496 Gphmbolk.exe 108 Gaiijgbi.exe 2440 Gkancm32.exe 2040 Gdjblboj.exe 524 Hopgikop.exe 1948 Hhhkbqea.exe 1588 Hdolga32.exe 2324 Hngppgae.exe 2740 Hcdihn32.exe 2484 Hdcebagp.exe 2548 Hmojfcdk.exe 2640 Igdndl32.exe 2892 Ioochn32.exe 1616 Ijegeg32.exe 1892 Ibplji32.exe 2812 Iofiimkd.exe 1072 Iganmp32.exe 2852 Jbgbjh32.exe 1488 Jchobqnc.exe 1460 Jnncoini.exe 2228 Jnppei32.exe 2620 Jgidnobg.exe 2084 Jaahgd32.exe 1332 Jmhile32.exe 1828 Jfpndkel.exe 276 Knkbimbg.exe 816 Khdgabih.exe 768 Kehgkgha.exe 2280 Kopldl32.exe 2608 Kejdqffo.exe 2896 Kmeiei32.exe 592 Khkmba32.exe 2376 Kacakgip.exe 2704 Lhmjha32.exe 2504 Laenqg32.exe 2560 Lcnqin32.exe 2076 Mlfebcnd.exe 2588 Modano32.exe 844 Mdajff32.exe 2860 Mkkbcpbl.exe 1436 Meafpibb.exe 1960 Mgbcha32.exe 1804 Mahgejhf.exe 1716 Mhaobd32.exe -
Loads dropped DLL 64 IoCs
pid Process 2444 ad2908b298784f81291c070729574420N.exe 2444 ad2908b298784f81291c070729574420N.exe 1276 Djkodg32.exe 1276 Djkodg32.exe 2360 Efbpihoo.exe 2360 Efbpihoo.exe 2292 Emlhfb32.exe 2292 Emlhfb32.exe 2748 Ejpipf32.exe 2748 Ejpipf32.exe 2776 Edhmhl32.exe 2776 Edhmhl32.exe 2804 Elcbmn32.exe 2804 Elcbmn32.exe 2580 Eigbfb32.exe 2580 Eigbfb32.exe 2996 Eodknifb.exe 2996 Eodknifb.exe 1788 Fijolbfh.exe 1788 Fijolbfh.exe 2808 Fillabde.exe 2808 Fillabde.exe 1652 Foidii32.exe 1652 Foidii32.exe 2232 Febmfcjj.exe 2232 Febmfcjj.exe 1496 Fkpeojha.exe 1496 Fkpeojha.exe 1244 Fgffck32.exe 1244 Fgffck32.exe 1832 Fdjfmolo.exe 1832 Fdjfmolo.exe 2924 Fmbkfd32.exe 2924 Fmbkfd32.exe 632 Giikkehc.exe 632 Giikkehc.exe 2392 Ggmldj32.exe 2392 Ggmldj32.exe 2332 Gljdlq32.exe 2332 Gljdlq32.exe 1176 Gebiefle.exe 1176 Gebiefle.exe 2496 Gphmbolk.exe 2496 Gphmbolk.exe 108 Gaiijgbi.exe 108 Gaiijgbi.exe 2440 Gkancm32.exe 2440 Gkancm32.exe 2040 Gdjblboj.exe 2040 Gdjblboj.exe 524 Hopgikop.exe 524 Hopgikop.exe 1948 Hhhkbqea.exe 1948 Hhhkbqea.exe 1588 Hdolga32.exe 1588 Hdolga32.exe 2324 Hngppgae.exe 2324 Hngppgae.exe 2740 Hcdihn32.exe 2740 Hcdihn32.exe 2484 Hdcebagp.exe 2484 Hdcebagp.exe 2548 Hmojfcdk.exe 2548 Hmojfcdk.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Badlln32.exe Bcqlcj32.exe File created C:\Windows\SysWOW64\Obfoioei.dll Hdolga32.exe File opened for modification C:\Windows\SysWOW64\Fplgljbm.exe Fmknko32.exe File opened for modification C:\Windows\SysWOW64\Dpicceon.exe Dgqokp32.exe File created C:\Windows\SysWOW64\Ppdpkopc.dll Fbjeao32.exe File created C:\Windows\SysWOW64\Ohljcnlh.exe Oenngb32.exe File created C:\Windows\SysWOW64\Djlecd32.dll Ohljcnlh.exe File opened for modification C:\Windows\SysWOW64\Hcdihn32.exe Hngppgae.exe File created C:\Windows\SysWOW64\Cjmfag32.dll Eakjophb.exe File opened for modification C:\Windows\SysWOW64\Mahgejhf.exe Mgbcha32.exe File created C:\Windows\SysWOW64\Eampgb32.dll Onggom32.exe File created C:\Windows\SysWOW64\Mpbgqo32.dll Mlidplcf.exe File created C:\Windows\SysWOW64\Jgkmalkj.dll Gigllafc.exe File opened for modification C:\Windows\SysWOW64\Hdgkkppm.exe Hllffmbb.exe File created C:\Windows\SysWOW64\Laacmc32.exe Lifoia32.exe File opened for modification C:\Windows\SysWOW64\Pqekin32.exe Pgmfph32.exe File created C:\Windows\SysWOW64\Qcield32.dll Gflcplhh.exe File opened for modification C:\Windows\SysWOW64\Bibagmhk.exe Bbhikcpn.exe File created C:\Windows\SysWOW64\Ffoehg32.dll Iopqoi32.exe File opened for modification C:\Windows\SysWOW64\Ggmldj32.exe Giikkehc.exe File created C:\Windows\SysWOW64\Hlijan32.exe Hpbilmop.exe File created C:\Windows\SysWOW64\Adadedjq.exe Andlmnki.exe File created C:\Windows\SysWOW64\Fifogcdl.dll Ihedan32.exe File created C:\Windows\SysWOW64\Ipmeej32.exe Icidlf32.exe File created C:\Windows\SysWOW64\Ipjlgf32.dll Mkcjlhdh.exe File opened for modification C:\Windows\SysWOW64\Lcllii32.exe Ljdgqc32.exe File created C:\Windows\SysWOW64\Hlhleh32.dll Hllffmbb.exe File opened for modification C:\Windows\SysWOW64\Pcdnpp32.exe Pgnmjokn.exe File created C:\Windows\SysWOW64\Mfjdgjhi.dll Qklfqm32.exe File opened for modification C:\Windows\SysWOW64\Nibcgb32.exe Npjonlee.exe File opened for modification C:\Windows\SysWOW64\Pgmfph32.exe Pfnjfepp.exe File created C:\Windows\SysWOW64\Mboacdjn.dll Kgoknohj.exe File opened for modification C:\Windows\SysWOW64\Qibjjgag.exe Qnmfmoaa.exe File opened for modification C:\Windows\SysWOW64\Pmbpda32.exe Pidgnc32.exe File created C:\Windows\SysWOW64\Mmolll32.exe Mcghcgfb.exe File created C:\Windows\SysWOW64\Nabhaq32.dll Aahdmanl.exe File opened for modification C:\Windows\SysWOW64\Hpincd32.exe Hhmioa32.exe File created C:\Windows\SysWOW64\Kjeemh32.dll Mbabpodi.exe File opened for modification C:\Windows\SysWOW64\Ndnncf32.exe Nmdfglhm.exe File opened for modification C:\Windows\SysWOW64\Gkancm32.exe Gaiijgbi.exe File created C:\Windows\SysWOW64\Nibmdpam.dll Dklibf32.exe File created C:\Windows\SysWOW64\Nkhkbmco.exe Ndnbeclb.exe File created C:\Windows\SysWOW64\Blplkp32.exe Bbhgbj32.exe File created C:\Windows\SysWOW64\Cjliihgg.dll Lfckko32.exe File created C:\Windows\SysWOW64\Ihpfhhme.dll Khkmba32.exe File created C:\Windows\SysWOW64\Cgqjfn32.dll Joaebkni.exe File created C:\Windows\SysWOW64\Gifpkoho.dll Cekihh32.exe File created C:\Windows\SysWOW64\Fqcocg32.dll Kniaap32.exe File created C:\Windows\SysWOW64\Gmnmce32.dll Oqnfqcjk.exe File created C:\Windows\SysWOW64\Fihmiqhb.dll Knnagehi.exe File opened for modification C:\Windows\SysWOW64\Hpcnmnnh.exe Henipenb.exe File created C:\Windows\SysWOW64\Kejdqffo.exe Kopldl32.exe File created C:\Windows\SysWOW64\Niqebpek.dll Fdnabo32.exe File created C:\Windows\SysWOW64\Epnfkjll.dll Fmbkfd32.exe File created C:\Windows\SysWOW64\Hhhkbqea.exe Hopgikop.exe File created C:\Windows\SysWOW64\Jfpndkel.exe Jmhile32.exe File created C:\Windows\SysWOW64\Nmnjfc32.dll Ljljenoi.exe File opened for modification C:\Windows\SysWOW64\Cpkaai32.exe Cjaieoko.exe File created C:\Windows\SysWOW64\Gaibpa32.exe Ghpngkhm.exe File created C:\Windows\SysWOW64\Oqnfqcjk.exe Ndqokc32.exe File opened for modification C:\Windows\SysWOW64\Amfeodoh.exe Apbeeppo.exe File created C:\Windows\SysWOW64\Hlleon32.dll Dqmkflcd.exe File opened for modification C:\Windows\SysWOW64\Kfnpgg32.exe Kjgoaflj.exe File created C:\Windows\SysWOW64\Ekhnip32.dll Nhpadpke.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 3692 3876 WerFault.exe 721 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jcknqicd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lpfmefdc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hmojfcdk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pjlgna32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aijgemok.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ehgoaiml.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hccbnhla.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ebkpma32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Chdeonfa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dcgiejje.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bbhikcpn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Enmplm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ecnbpcje.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aoedch32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dgcnihnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jllggbde.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jlaqba32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mheekb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nhmdoq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jkbhjo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pbdhbnnp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hbokkagk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nhlndj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oenngb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nlkonhkb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Obhdpaqm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pgfpoimj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pgmfph32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hngppgae.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mqoqlfkl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hllffmbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pfmgmm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Elfakg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pemdic32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hfbfpnel.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ihmene32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mpmdff32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dklibf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mgoohk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ipmeej32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jkcoee32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pfnjfepp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jgmnhojl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kgahcn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ncnoaj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fbjeao32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pqekin32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Amdkam32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kgddin32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nhalag32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fhonegbd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fcfojhhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ldpbmg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fbkgjgqi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kgoknohj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ghpngkhm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Icnngeof.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Amfeodoh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aomdpj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Didgkc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ecaeoh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jnaihhgf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kbonmjph.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lmondpbc.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Andaoqjp.dll" Ndnncf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Daopajpf.dll" Jnncoini.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lpfdpmho.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cocnanmd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Iccqedfa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Albhablg.dll" Coidpiac.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Albgko32.dll" Kmbgnl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ecaeoh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Epblob32.dll" Hpplfm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Efdohq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hobfgcdb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jcpidagc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ehnmgo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cjaieoko.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Faopib32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dgmfbf32.dll" Abmkhmfe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkcfojmh.dll" Dgclpp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aoedch32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipkncf32.dll" Qnmfmoaa.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mlidplcf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebnbaljb.dll" Pgnmjokn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Blkoocfl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mppiod32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lcnojqdi.dll" Kgahcn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kbonmjph.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffobpfeo.dll" Blelpeoa.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lopjlh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kniaap32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkcnkj32.dll" Aefaemqj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dqcmdjjo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dhadhakp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kfflal32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fbkgjgqi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Iopqoi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fijolbfh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nbbjbd32.dll" Fijolbfh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Khdgabih.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Amfeodoh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hhqmogam.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmklad32.dll" Bambjnfn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jcknqicd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Laacmc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ncgdpknp.dll" Naeigf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fmnmih32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Igdndl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kacakgip.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ikembicd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jiiikq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mcjohgkb.dll" Okomappb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lpfmefdc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fdnabo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hpcnmnnh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pnkhfnea.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Oilgje32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hejaon32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lmondpbc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ionbanpb.dll" Pconjjql.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Iobdopna.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lcllii32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bbhikcpn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Glkinb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Liddljan.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ajmdmpmb.dll" Blpibghg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Coknmp32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2444 wrote to memory of 1276 2444 ad2908b298784f81291c070729574420N.exe 28 PID 2444 wrote to memory of 1276 2444 ad2908b298784f81291c070729574420N.exe 28 PID 2444 wrote to memory of 1276 2444 ad2908b298784f81291c070729574420N.exe 28 PID 2444 wrote to memory of 1276 2444 ad2908b298784f81291c070729574420N.exe 28 PID 1276 wrote to memory of 2360 1276 Djkodg32.exe 29 PID 1276 wrote to memory of 2360 1276 Djkodg32.exe 29 PID 1276 wrote to memory of 2360 1276 Djkodg32.exe 29 PID 1276 wrote to memory of 2360 1276 Djkodg32.exe 29 PID 2360 wrote to memory of 2292 2360 Efbpihoo.exe 30 PID 2360 wrote to memory of 2292 2360 Efbpihoo.exe 30 PID 2360 wrote to memory of 2292 2360 Efbpihoo.exe 30 PID 2360 wrote to memory of 2292 2360 Efbpihoo.exe 30 PID 2292 wrote to memory of 2748 2292 Emlhfb32.exe 31 PID 2292 wrote to memory of 2748 2292 Emlhfb32.exe 31 PID 2292 wrote to memory of 2748 2292 Emlhfb32.exe 31 PID 2292 wrote to memory of 2748 2292 Emlhfb32.exe 31 PID 2748 wrote to memory of 2776 2748 Ejpipf32.exe 32 PID 2748 wrote to memory of 2776 2748 Ejpipf32.exe 32 PID 2748 wrote to memory of 2776 2748 Ejpipf32.exe 32 PID 2748 wrote to memory of 2776 2748 Ejpipf32.exe 32 PID 2776 wrote to memory of 2804 2776 Edhmhl32.exe 33 PID 2776 wrote to memory of 2804 2776 Edhmhl32.exe 33 PID 2776 wrote to memory of 2804 2776 Edhmhl32.exe 33 PID 2776 wrote to memory of 2804 2776 Edhmhl32.exe 33 PID 2804 wrote to memory of 2580 2804 Elcbmn32.exe 34 PID 2804 wrote to memory of 2580 2804 Elcbmn32.exe 34 PID 2804 wrote to memory of 2580 2804 Elcbmn32.exe 34 PID 2804 wrote to memory of 2580 2804 Elcbmn32.exe 34 PID 2580 wrote to memory of 2996 2580 Eigbfb32.exe 35 PID 2580 wrote to memory of 2996 2580 Eigbfb32.exe 35 PID 2580 wrote to memory of 2996 2580 Eigbfb32.exe 35 PID 2580 wrote to memory of 2996 2580 Eigbfb32.exe 35 PID 2996 wrote to memory of 1788 2996 Eodknifb.exe 36 PID 2996 wrote to memory of 1788 2996 Eodknifb.exe 36 PID 2996 wrote to memory of 1788 2996 Eodknifb.exe 36 PID 2996 wrote to memory of 1788 2996 Eodknifb.exe 36 PID 1788 wrote to memory of 2808 1788 Fijolbfh.exe 37 PID 1788 wrote to memory of 2808 1788 Fijolbfh.exe 37 PID 1788 wrote to memory of 2808 1788 Fijolbfh.exe 37 PID 1788 wrote to memory of 2808 1788 Fijolbfh.exe 37 PID 2808 wrote to memory of 1652 2808 Fillabde.exe 38 PID 2808 wrote to memory of 1652 2808 Fillabde.exe 38 PID 2808 wrote to memory of 1652 2808 Fillabde.exe 38 PID 2808 wrote to memory of 1652 2808 Fillabde.exe 38 PID 1652 wrote to memory of 2232 1652 Foidii32.exe 39 PID 1652 wrote to memory of 2232 1652 Foidii32.exe 39 PID 1652 wrote to memory of 2232 1652 Foidii32.exe 39 PID 1652 wrote to memory of 2232 1652 Foidii32.exe 39 PID 2232 wrote to memory of 1496 2232 Febmfcjj.exe 40 PID 2232 wrote to memory of 1496 2232 Febmfcjj.exe 40 PID 2232 wrote to memory of 1496 2232 Febmfcjj.exe 40 PID 2232 wrote to memory of 1496 2232 Febmfcjj.exe 40 PID 1496 wrote to memory of 1244 1496 Fkpeojha.exe 41 PID 1496 wrote to memory of 1244 1496 Fkpeojha.exe 41 PID 1496 wrote to memory of 1244 1496 Fkpeojha.exe 41 PID 1496 wrote to memory of 1244 1496 Fkpeojha.exe 41 PID 1244 wrote to memory of 1832 1244 Fgffck32.exe 42 PID 1244 wrote to memory of 1832 1244 Fgffck32.exe 42 PID 1244 wrote to memory of 1832 1244 Fgffck32.exe 42 PID 1244 wrote to memory of 1832 1244 Fgffck32.exe 42 PID 1832 wrote to memory of 2924 1832 Fdjfmolo.exe 43 PID 1832 wrote to memory of 2924 1832 Fdjfmolo.exe 43 PID 1832 wrote to memory of 2924 1832 Fdjfmolo.exe 43 PID 1832 wrote to memory of 2924 1832 Fdjfmolo.exe 43
Processes
-
C:\Users\Admin\AppData\Local\Temp\ad2908b298784f81291c070729574420N.exe"C:\Users\Admin\AppData\Local\Temp\ad2908b298784f81291c070729574420N.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2444 -
C:\Windows\SysWOW64\Djkodg32.exeC:\Windows\system32\Djkodg32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1276 -
C:\Windows\SysWOW64\Efbpihoo.exeC:\Windows\system32\Efbpihoo.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2360 -
C:\Windows\SysWOW64\Emlhfb32.exeC:\Windows\system32\Emlhfb32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2292 -
C:\Windows\SysWOW64\Ejpipf32.exeC:\Windows\system32\Ejpipf32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2748 -
C:\Windows\SysWOW64\Edhmhl32.exeC:\Windows\system32\Edhmhl32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2776 -
C:\Windows\SysWOW64\Elcbmn32.exeC:\Windows\system32\Elcbmn32.exe7⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2804 -
C:\Windows\SysWOW64\Eigbfb32.exeC:\Windows\system32\Eigbfb32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2580 -
C:\Windows\SysWOW64\Eodknifb.exeC:\Windows\system32\Eodknifb.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2996 -
C:\Windows\SysWOW64\Fijolbfh.exeC:\Windows\system32\Fijolbfh.exe10⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1788 -
C:\Windows\SysWOW64\Fillabde.exeC:\Windows\system32\Fillabde.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2808 -
C:\Windows\SysWOW64\Foidii32.exeC:\Windows\system32\Foidii32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1652 -
C:\Windows\SysWOW64\Febmfcjj.exeC:\Windows\system32\Febmfcjj.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2232 -
C:\Windows\SysWOW64\Fkpeojha.exeC:\Windows\system32\Fkpeojha.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1496 -
C:\Windows\SysWOW64\Fgffck32.exeC:\Windows\system32\Fgffck32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1244 -
C:\Windows\SysWOW64\Fdjfmolo.exeC:\Windows\system32\Fdjfmolo.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1832 -
C:\Windows\SysWOW64\Fmbkfd32.exeC:\Windows\system32\Fmbkfd32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2924 -
C:\Windows\SysWOW64\Giikkehc.exeC:\Windows\system32\Giikkehc.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:632 -
C:\Windows\SysWOW64\Ggmldj32.exeC:\Windows\system32\Ggmldj32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2392 -
C:\Windows\SysWOW64\Gljdlq32.exeC:\Windows\system32\Gljdlq32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2332 -
C:\Windows\SysWOW64\Gebiefle.exeC:\Windows\system32\Gebiefle.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1176 -
C:\Windows\SysWOW64\Gphmbolk.exeC:\Windows\system32\Gphmbolk.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2496 -
C:\Windows\SysWOW64\Gaiijgbi.exeC:\Windows\system32\Gaiijgbi.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:108 -
C:\Windows\SysWOW64\Gkancm32.exeC:\Windows\system32\Gkancm32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2440 -
C:\Windows\SysWOW64\Gdjblboj.exeC:\Windows\system32\Gdjblboj.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2040 -
C:\Windows\SysWOW64\Hopgikop.exeC:\Windows\system32\Hopgikop.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:524 -
C:\Windows\SysWOW64\Hhhkbqea.exeC:\Windows\system32\Hhhkbqea.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1948 -
C:\Windows\SysWOW64\Hdolga32.exeC:\Windows\system32\Hdolga32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1588 -
C:\Windows\SysWOW64\Hngppgae.exeC:\Windows\system32\Hngppgae.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2324 -
C:\Windows\SysWOW64\Hcdihn32.exeC:\Windows\system32\Hcdihn32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2740 -
C:\Windows\SysWOW64\Hdcebagp.exeC:\Windows\system32\Hdcebagp.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2484 -
C:\Windows\SysWOW64\Hmojfcdk.exeC:\Windows\system32\Hmojfcdk.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2548 -
C:\Windows\SysWOW64\Igdndl32.exeC:\Windows\system32\Igdndl32.exe33⤵
- Executes dropped EXE
- Modifies registry class
PID:2640 -
C:\Windows\SysWOW64\Ioochn32.exeC:\Windows\system32\Ioochn32.exe34⤵
- Executes dropped EXE
PID:2892 -
C:\Windows\SysWOW64\Ijegeg32.exeC:\Windows\system32\Ijegeg32.exe35⤵
- Executes dropped EXE
PID:1616 -
C:\Windows\SysWOW64\Ibplji32.exeC:\Windows\system32\Ibplji32.exe36⤵
- Executes dropped EXE
PID:1892 -
C:\Windows\SysWOW64\Iofiimkd.exeC:\Windows\system32\Iofiimkd.exe37⤵
- Executes dropped EXE
PID:2812 -
C:\Windows\SysWOW64\Iganmp32.exeC:\Windows\system32\Iganmp32.exe38⤵
- Executes dropped EXE
PID:1072 -
C:\Windows\SysWOW64\Jbgbjh32.exeC:\Windows\system32\Jbgbjh32.exe39⤵
- Executes dropped EXE
PID:2852 -
C:\Windows\SysWOW64\Jchobqnc.exeC:\Windows\system32\Jchobqnc.exe40⤵
- Executes dropped EXE
PID:1488 -
C:\Windows\SysWOW64\Jnncoini.exeC:\Windows\system32\Jnncoini.exe41⤵
- Executes dropped EXE
- Modifies registry class
PID:1460 -
C:\Windows\SysWOW64\Jnppei32.exeC:\Windows\system32\Jnppei32.exe42⤵
- Executes dropped EXE
PID:2228 -
C:\Windows\SysWOW64\Jgidnobg.exeC:\Windows\system32\Jgidnobg.exe43⤵
- Executes dropped EXE
PID:2620 -
C:\Windows\SysWOW64\Jaahgd32.exeC:\Windows\system32\Jaahgd32.exe44⤵
- Executes dropped EXE
PID:2084 -
C:\Windows\SysWOW64\Jmhile32.exeC:\Windows\system32\Jmhile32.exe45⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1332 -
C:\Windows\SysWOW64\Jfpndkel.exeC:\Windows\system32\Jfpndkel.exe46⤵
- Executes dropped EXE
PID:1828 -
C:\Windows\SysWOW64\Knkbimbg.exeC:\Windows\system32\Knkbimbg.exe47⤵
- Executes dropped EXE
PID:276 -
C:\Windows\SysWOW64\Khdgabih.exeC:\Windows\system32\Khdgabih.exe48⤵
- Executes dropped EXE
- Modifies registry class
PID:816 -
C:\Windows\SysWOW64\Kehgkgha.exeC:\Windows\system32\Kehgkgha.exe49⤵
- Executes dropped EXE
PID:768 -
C:\Windows\SysWOW64\Kopldl32.exeC:\Windows\system32\Kopldl32.exe50⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2280 -
C:\Windows\SysWOW64\Kejdqffo.exeC:\Windows\system32\Kejdqffo.exe51⤵
- Executes dropped EXE
PID:2608 -
C:\Windows\SysWOW64\Kmeiei32.exeC:\Windows\system32\Kmeiei32.exe52⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2896 -
C:\Windows\SysWOW64\Khkmba32.exeC:\Windows\system32\Khkmba32.exe53⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:592 -
C:\Windows\SysWOW64\Kacakgip.exeC:\Windows\system32\Kacakgip.exe54⤵
- Executes dropped EXE
- Modifies registry class
PID:2376 -
C:\Windows\SysWOW64\Lhmjha32.exeC:\Windows\system32\Lhmjha32.exe55⤵
- Executes dropped EXE
PID:2704 -
C:\Windows\SysWOW64\Laenqg32.exeC:\Windows\system32\Laenqg32.exe56⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2504 -
C:\Windows\SysWOW64\Lcnqin32.exeC:\Windows\system32\Lcnqin32.exe57⤵
- Executes dropped EXE
PID:2560 -
C:\Windows\SysWOW64\Mlfebcnd.exeC:\Windows\system32\Mlfebcnd.exe58⤵
- Executes dropped EXE
PID:2076 -
C:\Windows\SysWOW64\Modano32.exeC:\Windows\system32\Modano32.exe59⤵
- Executes dropped EXE
PID:2588 -
C:\Windows\SysWOW64\Mdajff32.exeC:\Windows\system32\Mdajff32.exe60⤵
- Executes dropped EXE
PID:844 -
C:\Windows\SysWOW64\Mkkbcpbl.exeC:\Windows\system32\Mkkbcpbl.exe61⤵
- Executes dropped EXE
PID:2860 -
C:\Windows\SysWOW64\Meafpibb.exeC:\Windows\system32\Meafpibb.exe62⤵
- Executes dropped EXE
PID:1436 -
C:\Windows\SysWOW64\Mgbcha32.exeC:\Windows\system32\Mgbcha32.exe63⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1960 -
C:\Windows\SysWOW64\Mahgejhf.exeC:\Windows\system32\Mahgejhf.exe64⤵
- Executes dropped EXE
PID:1804 -
C:\Windows\SysWOW64\Mhaobd32.exeC:\Windows\system32\Mhaobd32.exe65⤵
- Executes dropped EXE
PID:1716 -
C:\Windows\SysWOW64\Mjcljlea.exeC:\Windows\system32\Mjcljlea.exe66⤵PID:1664
-
C:\Windows\SysWOW64\Mpmdff32.exeC:\Windows\system32\Mpmdff32.exe67⤵
- System Location Discovery: System Language Discovery
PID:2500 -
C:\Windows\SysWOW64\Mkbhco32.exeC:\Windows\system32\Mkbhco32.exe68⤵PID:2708
-
C:\Windows\SysWOW64\Mqoqlfkl.exeC:\Windows\system32\Mqoqlfkl.exe69⤵
- System Location Discovery: System Language Discovery
PID:2176 -
C:\Windows\SysWOW64\Ngiiip32.exeC:\Windows\system32\Ngiiip32.exe70⤵PID:2144
-
C:\Windows\SysWOW64\Nncaejie.exeC:\Windows\system32\Nncaejie.exe71⤵PID:2792
-
C:\Windows\SysWOW64\Ncpjnahm.exeC:\Windows\system32\Ncpjnahm.exe72⤵PID:2564
-
C:\Windows\SysWOW64\Nfnfjmgp.exeC:\Windows\system32\Nfnfjmgp.exe73⤵PID:2568
-
C:\Windows\SysWOW64\Nlhnfg32.exeC:\Windows\system32\Nlhnfg32.exe74⤵PID:2508
-
C:\Windows\SysWOW64\Nogjbbma.exeC:\Windows\system32\Nogjbbma.exe75⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2716 -
C:\Windows\SysWOW64\Nfqbol32.exeC:\Windows\system32\Nfqbol32.exe76⤵PID:2856
-
C:\Windows\SysWOW64\Nkmkgc32.exeC:\Windows\system32\Nkmkgc32.exe77⤵PID:1340
-
C:\Windows\SysWOW64\Nbgcdmjb.exeC:\Windows\system32\Nbgcdmjb.exe78⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2436 -
C:\Windows\SysWOW64\Nhalag32.exeC:\Windows\system32\Nhalag32.exe79⤵
- System Location Discovery: System Language Discovery
PID:1612 -
C:\Windows\SysWOW64\Nbjpjm32.exeC:\Windows\system32\Nbjpjm32.exe80⤵PID:2200
-
C:\Windows\SysWOW64\Ndhlfh32.exeC:\Windows\system32\Ndhlfh32.exe81⤵PID:980
-
C:\Windows\SysWOW64\Ngfhbd32.exeC:\Windows\system32\Ngfhbd32.exe82⤵PID:2216
-
C:\Windows\SysWOW64\Onqaonnc.exeC:\Windows\system32\Onqaonnc.exe83⤵PID:2424
-
C:\Windows\SysWOW64\Odjikh32.exeC:\Windows\system32\Odjikh32.exe84⤵PID:1812
-
C:\Windows\SysWOW64\Okdahbmm.exeC:\Windows\system32\Okdahbmm.exe85⤵PID:2296
-
C:\Windows\SysWOW64\Ocpfmd32.exeC:\Windows\system32\Ocpfmd32.exe86⤵PID:2796
-
C:\Windows\SysWOW64\Ojjnioae.exeC:\Windows\system32\Ojjnioae.exe87⤵PID:2316
-
C:\Windows\SysWOW64\Ognobcqo.exeC:\Windows\system32\Ognobcqo.exe88⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:960 -
C:\Windows\SysWOW64\Onggom32.exeC:\Windows\system32\Onggom32.exe89⤵
- Drops file in System32 directory
PID:2644 -
C:\Windows\SysWOW64\Ofcldoef.exeC:\Windows\system32\Ofcldoef.exe90⤵PID:1584
-
C:\Windows\SysWOW64\Oiahpkdj.exeC:\Windows\system32\Oiahpkdj.exe91⤵PID:2664
-
C:\Windows\SysWOW64\Pjqdjn32.exeC:\Windows\system32\Pjqdjn32.exe92⤵PID:2480
-
C:\Windows\SysWOW64\Plbaafak.exeC:\Windows\system32\Plbaafak.exe93⤵PID:2692
-
C:\Windows\SysWOW64\Pifakj32.exeC:\Windows\system32\Pifakj32.exe94⤵PID:1116
-
C:\Windows\SysWOW64\Pppihdha.exeC:\Windows\system32\Pppihdha.exe95⤵PID:1684
-
C:\Windows\SysWOW64\Pihnqj32.exeC:\Windows\system32\Pihnqj32.exe96⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2824 -
C:\Windows\SysWOW64\Pnefiq32.exeC:\Windows\system32\Pnefiq32.exe97⤵PID:1528
-
C:\Windows\SysWOW64\Peooek32.exeC:\Windows\system32\Peooek32.exe98⤵PID:928
-
C:\Windows\SysWOW64\Pjlgna32.exeC:\Windows\system32\Pjlgna32.exe99⤵
- System Location Discovery: System Language Discovery
PID:2976 -
C:\Windows\SysWOW64\Plkchdiq.exeC:\Windows\system32\Plkchdiq.exe100⤵PID:972
-
C:\Windows\SysWOW64\Pnjpdphd.exeC:\Windows\system32\Pnjpdphd.exe101⤵PID:1532
-
C:\Windows\SysWOW64\Qfedhb32.exeC:\Windows\system32\Qfedhb32.exe102⤵PID:2468
-
C:\Windows\SysWOW64\Qajiek32.exeC:\Windows\system32\Qajiek32.exe103⤵PID:2988
-
C:\Windows\SysWOW64\Qhdabemb.exeC:\Windows\system32\Qhdabemb.exe104⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2788 -
C:\Windows\SysWOW64\Qifnjm32.exeC:\Windows\system32\Qifnjm32.exe105⤵PID:2720
-
C:\Windows\SysWOW64\Afjncabj.exeC:\Windows\system32\Afjncabj.exe106⤵PID:2672
-
C:\Windows\SysWOW64\Amcfpl32.exeC:\Windows\system32\Amcfpl32.exe107⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:432 -
C:\Windows\SysWOW64\Abpohb32.exeC:\Windows\system32\Abpohb32.exe108⤵PID:676
-
C:\Windows\SysWOW64\Aijgemok.exeC:\Windows\system32\Aijgemok.exe109⤵
- System Location Discovery: System Language Discovery
PID:576 -
C:\Windows\SysWOW64\Afngoand.exeC:\Windows\system32\Afngoand.exe110⤵PID:2304
-
C:\Windows\SysWOW64\Apglgfde.exeC:\Windows\system32\Apglgfde.exe111⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2476 -
C:\Windows\SysWOW64\Aecdpmbm.exeC:\Windows\system32\Aecdpmbm.exe112⤵PID:1660
-
C:\Windows\SysWOW64\Almmlg32.exeC:\Windows\system32\Almmlg32.exe113⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1824 -
C:\Windows\SysWOW64\Aefaemqj.exeC:\Windows\system32\Aefaemqj.exe114⤵
- Modifies registry class
PID:1364 -
C:\Windows\SysWOW64\Blpibghg.exeC:\Windows\system32\Blpibghg.exe115⤵
- Modifies registry class
PID:3032 -
C:\Windows\SysWOW64\Bonenbgj.exeC:\Windows\system32\Bonenbgj.exe116⤵PID:396
-
C:\Windows\SysWOW64\Bambjnfn.exeC:\Windows\system32\Bambjnfn.exe117⤵
- Modifies registry class
PID:2556 -
C:\Windows\SysWOW64\Bkefcc32.exeC:\Windows\system32\Bkefcc32.exe118⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1336 -
C:\Windows\SysWOW64\Bpbokj32.exeC:\Windows\system32\Bpbokj32.exe119⤵PID:2492
-
C:\Windows\SysWOW64\Bkgchckl.exeC:\Windows\system32\Bkgchckl.exe120⤵PID:1692
-
C:\Windows\SysWOW64\Baakem32.exeC:\Windows\system32\Baakem32.exe121⤵PID:2592
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-