Analysis
-
max time kernel
118s -
max time network
19s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
05-09-2024 12:27
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
39595e4214b49f08f2298443d109cdd0N.exe
Resource
win7-20240903-en
windows7-x64
8 signatures
120 seconds
Behavioral task
behavioral2
Sample
39595e4214b49f08f2298443d109cdd0N.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
7 signatures
120 seconds
General
-
Target
39595e4214b49f08f2298443d109cdd0N.exe
-
Size
896KB
-
MD5
39595e4214b49f08f2298443d109cdd0
-
SHA1
52c174f5c352713949084b799882125114b4c276
-
SHA256
f2c2a8466c0a5d272236d4102b4574f0e59aafa59bb2a729cbdfd910525098af
-
SHA512
d31517233496dd3edc28ce4030d176d5db20ce6ae582f4d4df03ecbe71ed3e0c98fc0484b0efbe52a051f08c29a20d65738085411d0a23250659533226de3f3c
-
SSDEEP
6144:iWgh6BMU5CPXbo92ynnZMqKLDK2Q9zsyVH3imoQiRLsmAKWEnaW377a85n0R0tH7:FfFMusMH0QiRLsR4P377a20R01F50+5
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qldjdlgb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gbffjmmp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eqcjaa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mqehjecl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fppaej32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fmnahilc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Boeoek32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jjfmem32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ockbdebl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aakhkj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cgdqpq32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kimjhnnl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ncgcdi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Idgjqook.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jcfoihhp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Llpoohik.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mnhnfckm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hgoadp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pmjaohol.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dhklna32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Enmnahnm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Obbdml32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ijdppm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Djlbkcfn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hocmpm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Biccfalm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Icdcllpc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jnbpqb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qldjdlgb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hoalia32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Moccnoni.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ljpnch32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eakhdj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Elgfkhpi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fhjhdp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lfippfej.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cjmmffgn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ffkncf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gfadcemm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oflpgnld.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Palpneop.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Babbng32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aacmij32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qijdqp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jnpoie32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ojbnkp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Phklaacg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jipaip32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mhdpnm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pcbookpp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Llhocfnb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Amjpgdik.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iilceh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pgnnhbpm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pkpcbecl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ikgkei32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qmenhe32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bhbmip32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ccbbachm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ogohdeam.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hokjkbkp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ncipjieo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Plpqim32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Llkbcl32.exe -
Executes dropped EXE 64 IoCs
pid Process 1532 Eegkpo32.exe 1040 Elacliin.exe 2748 Eopphehb.exe 2544 Eipgjaoi.exe 2560 Fpohakbp.exe 2532 Felajbpg.exe 2540 Flhflleb.exe 1508 Gkoobhhg.exe 2012 Gfnjne32.exe 2440 Gmhbkohm.exe 1964 Homdhjai.exe 2780 Ijibng32.exe 2984 Icdcllpc.exe 1052 Imlhebfc.exe 1152 Jigbebhb.exe 948 Jbpfnh32.exe 2844 Jmnqje32.exe 2836 Jfgebjnm.exe 1332 Kalipcmb.exe 1776 Kdkelolf.exe 2368 Klfjpa32.exe 3032 Kenoifpb.exe 2436 Klhgfq32.exe 2456 Kgnkci32.exe 2008 Kcdlhj32.exe 2188 Kindeddf.exe 1796 Keeeje32.exe 2900 Lhcafa32.exe 2736 Lkdjglfo.exe 2388 Lncfcgeb.exe 2672 Lnecigcp.exe 3028 Ldokfakl.exe 1716 Ldahkaij.exe 2512 Lnjldf32.exe 1968 Mfeaiime.exe 2332 Mhcmedli.exe 1336 Mqjefamk.exe 1548 Mjcjog32.exe 896 Mkfclo32.exe 2856 Mbqkiind.exe 2936 Mqehjecl.exe 1864 Ngpqfp32.exe 376 Ngbmlo32.exe 1728 Njpihk32.exe 1688 Ngdjaofc.exe 1304 Njbfnjeg.exe 2056 Nckkgp32.exe 2980 Nmcopebh.exe 888 Npbklabl.exe 2908 Nlilqbgp.exe 2064 Obbdml32.exe 3056 Olkifaen.exe 2572 Opfegp32.exe 2756 Oecmogln.exe 2568 Ohbikbkb.exe 616 Obgnhkkh.exe 1252 Onnnml32.exe 1932 Oehgjfhi.exe 1696 Odkgec32.exe 1248 Omckoi32.exe 2632 Oflpgnld.exe 2716 Pnchhllf.exe 1620 Phklaacg.exe 1616 Piliii32.exe -
Loads dropped DLL 64 IoCs
pid Process 1928 39595e4214b49f08f2298443d109cdd0N.exe 1928 39595e4214b49f08f2298443d109cdd0N.exe 1532 Eegkpo32.exe 1532 Eegkpo32.exe 1040 Elacliin.exe 1040 Elacliin.exe 2748 Eopphehb.exe 2748 Eopphehb.exe 2544 Eipgjaoi.exe 2544 Eipgjaoi.exe 2560 Fpohakbp.exe 2560 Fpohakbp.exe 2532 Felajbpg.exe 2532 Felajbpg.exe 2540 Flhflleb.exe 2540 Flhflleb.exe 1508 Gkoobhhg.exe 1508 Gkoobhhg.exe 2012 Gfnjne32.exe 2012 Gfnjne32.exe 2440 Gmhbkohm.exe 2440 Gmhbkohm.exe 1964 Homdhjai.exe 1964 Homdhjai.exe 2780 Ijibng32.exe 2780 Ijibng32.exe 2984 Icdcllpc.exe 2984 Icdcllpc.exe 1052 Imlhebfc.exe 1052 Imlhebfc.exe 1152 Jigbebhb.exe 1152 Jigbebhb.exe 948 Jbpfnh32.exe 948 Jbpfnh32.exe 2844 Jmnqje32.exe 2844 Jmnqje32.exe 2836 Jfgebjnm.exe 2836 Jfgebjnm.exe 1332 Kalipcmb.exe 1332 Kalipcmb.exe 1776 Kdkelolf.exe 1776 Kdkelolf.exe 2368 Klfjpa32.exe 2368 Klfjpa32.exe 3032 Kenoifpb.exe 3032 Kenoifpb.exe 2436 Klhgfq32.exe 2436 Klhgfq32.exe 2456 Kgnkci32.exe 2456 Kgnkci32.exe 2008 Kcdlhj32.exe 2008 Kcdlhj32.exe 2188 Kindeddf.exe 2188 Kindeddf.exe 1796 Keeeje32.exe 1796 Keeeje32.exe 2900 Lhcafa32.exe 2900 Lhcafa32.exe 2736 Lkdjglfo.exe 2736 Lkdjglfo.exe 2388 Lncfcgeb.exe 2388 Lncfcgeb.exe 2672 Lnecigcp.exe 2672 Lnecigcp.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Hqebodfa.dll Lfilnh32.exe File created C:\Windows\SysWOW64\Bapfhg32.exe Agkako32.exe File created C:\Windows\SysWOW64\Ckmagikg.dll Fjckelfm.exe File created C:\Windows\SysWOW64\Hijjpeha.exe Hflndjin.exe File created C:\Windows\SysWOW64\Mlpngd32.exe Mddibb32.exe File opened for modification C:\Windows\SysWOW64\Cdmepgce.exe Cgidfcdk.exe File created C:\Windows\SysWOW64\Phledp32.exe Oleepo32.exe File opened for modification C:\Windows\SysWOW64\Ailqfooi.exe Afndjdpe.exe File created C:\Windows\SysWOW64\Nhpabdqd.exe Nklaipbj.exe File opened for modification C:\Windows\SysWOW64\Bjngbihn.exe Bgokfnij.exe File created C:\Windows\SysWOW64\Ccgfbken.dll Ejdfqogm.exe File created C:\Windows\SysWOW64\Fnmjpk32.exe Fjaoplho.exe File opened for modification C:\Windows\SysWOW64\Mebpakbq.exe Lhoohgdg.exe File opened for modification C:\Windows\SysWOW64\Bnhncclq.exe Bepjjn32.exe File opened for modification C:\Windows\SysWOW64\Hhfkihon.exe Hqochjnk.exe File created C:\Windows\SysWOW64\Gbffjmmp.exe Gminbfoh.exe File created C:\Windows\SysWOW64\Fqhclqnc.exe Ffboohnm.exe File created C:\Windows\SysWOW64\Gddobpbe.exe Geaofc32.exe File opened for modification C:\Windows\SysWOW64\Floeof32.exe Fmlecinf.exe File created C:\Windows\SysWOW64\Klhbdclg.exe Kcajceke.exe File created C:\Windows\SysWOW64\Anfdhfiq.dll Admgglep.exe File opened for modification C:\Windows\SysWOW64\Gaagcpdl.exe Gkgoff32.exe File created C:\Windows\SysWOW64\Cnmbihjf.dll Ikjjda32.exe File created C:\Windows\SysWOW64\Gecklbih.exe Gmlckehe.exe File created C:\Windows\SysWOW64\Ddnfql32.exe Ddliklgk.exe File opened for modification C:\Windows\SysWOW64\Onnnml32.exe Obgnhkkh.exe File created C:\Windows\SysWOW64\Qkgjae32.dll Hidfjckg.exe File created C:\Windows\SysWOW64\Ghibjjnk.exe Goqnae32.exe File created C:\Windows\SysWOW64\Hkabghgm.dll Mndhnd32.exe File created C:\Windows\SysWOW64\Imbige32.dll Eifobe32.exe File created C:\Windows\SysWOW64\Ffmipmjn.exe Fhjhdp32.exe File created C:\Windows\SysWOW64\Cebedebg.dll Gmipko32.exe File created C:\Windows\SysWOW64\Fmaeho32.exe Fhdmph32.exe File opened for modification C:\Windows\SysWOW64\Agkako32.exe Alaqjaaa.exe File opened for modification C:\Windows\SysWOW64\Nljhhi32.exe Nmggllha.exe File created C:\Windows\SysWOW64\Dpdfemkm.exe Dkhnmfle.exe File created C:\Windows\SysWOW64\Mkaeob32.exe Mdgmbhgh.exe File created C:\Windows\SysWOW64\Jqfhqe32.exe Jflgph32.exe File created C:\Windows\SysWOW64\Koogbk32.exe Knpkhhhg.exe File opened for modification C:\Windows\SysWOW64\Dcageqgm.exe Dilchhgg.exe File created C:\Windows\SysWOW64\Jjlmkb32.exe Jgmaog32.exe File created C:\Windows\SysWOW64\Lgpfpe32.exe Ldbjdj32.exe File created C:\Windows\SysWOW64\Amafgc32.exe Afgnkilf.exe File created C:\Windows\SysWOW64\Lnjflmmn.dll Ddnfql32.exe File created C:\Windows\SysWOW64\Goqnae32.exe Glbaei32.exe File opened for modification C:\Windows\SysWOW64\Gmidlmcd.exe Fdapcg32.exe File created C:\Windows\SysWOW64\Mlanmb32.dll Clnehado.exe File created C:\Windows\SysWOW64\Hgoadp32.exe Habili32.exe File opened for modification C:\Windows\SysWOW64\Ngbmlo32.exe Ngpqfp32.exe File opened for modification C:\Windows\SysWOW64\Ponklpcg.exe Pbgjgomc.exe File created C:\Windows\SysWOW64\Gkbnap32.exe Gmnngl32.exe File opened for modification C:\Windows\SysWOW64\Mjmnmk32.exe Laeidfdn.exe File opened for modification C:\Windows\SysWOW64\Gamifcmi.exe Gmamfddp.exe File opened for modification C:\Windows\SysWOW64\Bqmpdioa.exe Bhbkpgbf.exe File opened for modification C:\Windows\SysWOW64\Gcgqgd32.exe Ghbljk32.exe File created C:\Windows\SysWOW64\Mebpakbq.exe Lhoohgdg.exe File created C:\Windows\SysWOW64\Gaklhb32.dll Qghgigkn.exe File created C:\Windows\SysWOW64\Kindeddf.exe Kcdlhj32.exe File created C:\Windows\SysWOW64\Nohefjhb.dll Pqgilnji.exe File created C:\Windows\SysWOW64\Jkbhmg32.dll Gpmllpef.exe File created C:\Windows\SysWOW64\Noockemb.dll Lkdjglfo.exe File created C:\Windows\SysWOW64\Mfjgiobf.dll Ldahkaij.exe File opened for modification C:\Windows\SysWOW64\Ebckmaec.exe Epeoaffo.exe File created C:\Windows\SysWOW64\Bklpjlmc.exe Bhndnpnp.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 3316 3504 WerFault.exe 970 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dajgfboj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eomdoj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fkldgi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hoalia32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Joblkegc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lmeebpkd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pjhnqfla.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pncljmko.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ijaaae32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Biccfalm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kqmnadlk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mpnngi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Goiafp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nfglfdeb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fjaoplho.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fnadkjlc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Moccnoni.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gagmbkik.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jjnjqb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qhkkim32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Biqfpb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hidfjckg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cdmepgce.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cfckcoen.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cjppfl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Neghdg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pbigmn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dnhbmpkn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Efoifiep.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Geaofc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ndoelpid.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ipqicdim.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Klhbdclg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Egeecf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dcageqgm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ehmpeb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mlmoilni.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lpldcfmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bemmenhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Feipbefb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Npnclf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hmneebeb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iiipeb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nlilqbgp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ncipjieo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kgocid32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dammoahg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ebqngb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Inojhc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kfaalh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cpdhna32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kkalcdao.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ifengpdh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ddkgbc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Odnobj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Klhgfq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dcdkef32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ebfqfpop.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pgnnhbpm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qifpqi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gcmcebkc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Onamle32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fcichb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qemomb32.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dmlqdp32.dll" Mqehjecl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ngbmlo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jpbcek32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lofifi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bapfhg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnnnlokd.dll" Bfgdmjlp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fiebnjbg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cnlnpd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gfiaojkq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ffkncf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pjleclph.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hklhae32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Inojhc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Boobki32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckmagikg.dll" Fjckelfm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cnkbeloa.dll" Miiofn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aligmfnp.dll" Adipfd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Liipnb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nbhkmg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aeghng32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Apilcoho.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kjebjjck.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kanafj32.dll" Nkjdcp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kqcqpc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nlaaie32.dll" Emdhhdqb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Omnmal32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ngencpel.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hgfooe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kbenacdm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cffjagko.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hgfheodo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Iocioq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdglfeli.dll" Iilceh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ponklpcg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aeokba32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fnadkjlc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eiibij32.dll" Ailqfooi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hkmjjn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ihnjmf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gegknghg.dll" Ckchcc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cpbnaj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kbbinm32.dll" Ppgcol32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fbfjkj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jjfmem32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aonkpi32.dll" Mhikae32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iioloaac.dll" Hhlcal32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lmjqcd32.dll" Dkmljcdh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aadobccg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dljfocan.dll" Boeoek32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fjckelfm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nciija32.dll" Habkeacd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kdqifajl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Oaigib32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qdofep32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Chgnneiq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmcefh32.dll" Cdedde32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Npgihifq.dll" Qldjdlgb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dkmncl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Naflocji.dll" Mlpngd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Opjkpo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Knoegqbp.dll" Bknfeege.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bbannb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bqmpdioa.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Koflgf32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1928 wrote to memory of 1532 1928 39595e4214b49f08f2298443d109cdd0N.exe 31 PID 1928 wrote to memory of 1532 1928 39595e4214b49f08f2298443d109cdd0N.exe 31 PID 1928 wrote to memory of 1532 1928 39595e4214b49f08f2298443d109cdd0N.exe 31 PID 1928 wrote to memory of 1532 1928 39595e4214b49f08f2298443d109cdd0N.exe 31 PID 1532 wrote to memory of 1040 1532 Eegkpo32.exe 32 PID 1532 wrote to memory of 1040 1532 Eegkpo32.exe 32 PID 1532 wrote to memory of 1040 1532 Eegkpo32.exe 32 PID 1532 wrote to memory of 1040 1532 Eegkpo32.exe 32 PID 1040 wrote to memory of 2748 1040 Elacliin.exe 33 PID 1040 wrote to memory of 2748 1040 Elacliin.exe 33 PID 1040 wrote to memory of 2748 1040 Elacliin.exe 33 PID 1040 wrote to memory of 2748 1040 Elacliin.exe 33 PID 2748 wrote to memory of 2544 2748 Eopphehb.exe 34 PID 2748 wrote to memory of 2544 2748 Eopphehb.exe 34 PID 2748 wrote to memory of 2544 2748 Eopphehb.exe 34 PID 2748 wrote to memory of 2544 2748 Eopphehb.exe 34 PID 2544 wrote to memory of 2560 2544 Eipgjaoi.exe 35 PID 2544 wrote to memory of 2560 2544 Eipgjaoi.exe 35 PID 2544 wrote to memory of 2560 2544 Eipgjaoi.exe 35 PID 2544 wrote to memory of 2560 2544 Eipgjaoi.exe 35 PID 2560 wrote to memory of 2532 2560 Fpohakbp.exe 36 PID 2560 wrote to memory of 2532 2560 Fpohakbp.exe 36 PID 2560 wrote to memory of 2532 2560 Fpohakbp.exe 36 PID 2560 wrote to memory of 2532 2560 Fpohakbp.exe 36 PID 2532 wrote to memory of 2540 2532 Felajbpg.exe 37 PID 2532 wrote to memory of 2540 2532 Felajbpg.exe 37 PID 2532 wrote to memory of 2540 2532 Felajbpg.exe 37 PID 2532 wrote to memory of 2540 2532 Felajbpg.exe 37 PID 2540 wrote to memory of 1508 2540 Flhflleb.exe 38 PID 2540 wrote to memory of 1508 2540 Flhflleb.exe 38 PID 2540 wrote to memory of 1508 2540 Flhflleb.exe 38 PID 2540 wrote to memory of 1508 2540 Flhflleb.exe 38 PID 1508 wrote to memory of 2012 1508 Gkoobhhg.exe 39 PID 1508 wrote to memory of 2012 1508 Gkoobhhg.exe 39 PID 1508 wrote to memory of 2012 1508 Gkoobhhg.exe 39 PID 1508 wrote to memory of 2012 1508 Gkoobhhg.exe 39 PID 2012 wrote to memory of 2440 2012 Gfnjne32.exe 40 PID 2012 wrote to memory of 2440 2012 Gfnjne32.exe 40 PID 2012 wrote to memory of 2440 2012 Gfnjne32.exe 40 PID 2012 wrote to memory of 2440 2012 Gfnjne32.exe 40 PID 2440 wrote to memory of 1964 2440 Gmhbkohm.exe 41 PID 2440 wrote to memory of 1964 2440 Gmhbkohm.exe 41 PID 2440 wrote to memory of 1964 2440 Gmhbkohm.exe 41 PID 2440 wrote to memory of 1964 2440 Gmhbkohm.exe 41 PID 1964 wrote to memory of 2780 1964 Homdhjai.exe 42 PID 1964 wrote to memory of 2780 1964 Homdhjai.exe 42 PID 1964 wrote to memory of 2780 1964 Homdhjai.exe 42 PID 1964 wrote to memory of 2780 1964 Homdhjai.exe 42 PID 2780 wrote to memory of 2984 2780 Ijibng32.exe 43 PID 2780 wrote to memory of 2984 2780 Ijibng32.exe 43 PID 2780 wrote to memory of 2984 2780 Ijibng32.exe 43 PID 2780 wrote to memory of 2984 2780 Ijibng32.exe 43 PID 2984 wrote to memory of 1052 2984 Icdcllpc.exe 44 PID 2984 wrote to memory of 1052 2984 Icdcllpc.exe 44 PID 2984 wrote to memory of 1052 2984 Icdcllpc.exe 44 PID 2984 wrote to memory of 1052 2984 Icdcllpc.exe 44 PID 1052 wrote to memory of 1152 1052 Imlhebfc.exe 45 PID 1052 wrote to memory of 1152 1052 Imlhebfc.exe 45 PID 1052 wrote to memory of 1152 1052 Imlhebfc.exe 45 PID 1052 wrote to memory of 1152 1052 Imlhebfc.exe 45 PID 1152 wrote to memory of 948 1152 Jigbebhb.exe 46 PID 1152 wrote to memory of 948 1152 Jigbebhb.exe 46 PID 1152 wrote to memory of 948 1152 Jigbebhb.exe 46 PID 1152 wrote to memory of 948 1152 Jigbebhb.exe 46
Processes
-
C:\Users\Admin\AppData\Local\Temp\39595e4214b49f08f2298443d109cdd0N.exe"C:\Users\Admin\AppData\Local\Temp\39595e4214b49f08f2298443d109cdd0N.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1928 -
C:\Windows\SysWOW64\Eegkpo32.exeC:\Windows\system32\Eegkpo32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1532 -
C:\Windows\SysWOW64\Elacliin.exeC:\Windows\system32\Elacliin.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1040 -
C:\Windows\SysWOW64\Eopphehb.exeC:\Windows\system32\Eopphehb.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2748 -
C:\Windows\SysWOW64\Eipgjaoi.exeC:\Windows\system32\Eipgjaoi.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2544 -
C:\Windows\SysWOW64\Fpohakbp.exeC:\Windows\system32\Fpohakbp.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2560 -
C:\Windows\SysWOW64\Felajbpg.exeC:\Windows\system32\Felajbpg.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2532 -
C:\Windows\SysWOW64\Flhflleb.exeC:\Windows\system32\Flhflleb.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2540 -
C:\Windows\SysWOW64\Gkoobhhg.exeC:\Windows\system32\Gkoobhhg.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1508 -
C:\Windows\SysWOW64\Gfnjne32.exeC:\Windows\system32\Gfnjne32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2012 -
C:\Windows\SysWOW64\Gmhbkohm.exeC:\Windows\system32\Gmhbkohm.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2440 -
C:\Windows\SysWOW64\Homdhjai.exeC:\Windows\system32\Homdhjai.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1964 -
C:\Windows\SysWOW64\Ijibng32.exeC:\Windows\system32\Ijibng32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2780 -
C:\Windows\SysWOW64\Icdcllpc.exeC:\Windows\system32\Icdcllpc.exe14⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2984 -
C:\Windows\SysWOW64\Imlhebfc.exeC:\Windows\system32\Imlhebfc.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1052 -
C:\Windows\SysWOW64\Jigbebhb.exeC:\Windows\system32\Jigbebhb.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1152 -
C:\Windows\SysWOW64\Jbpfnh32.exeC:\Windows\system32\Jbpfnh32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:948 -
C:\Windows\SysWOW64\Jmnqje32.exeC:\Windows\system32\Jmnqje32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2844 -
C:\Windows\SysWOW64\Jfgebjnm.exeC:\Windows\system32\Jfgebjnm.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2836 -
C:\Windows\SysWOW64\Kalipcmb.exeC:\Windows\system32\Kalipcmb.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1332 -
C:\Windows\SysWOW64\Kdkelolf.exeC:\Windows\system32\Kdkelolf.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1776 -
C:\Windows\SysWOW64\Klfjpa32.exeC:\Windows\system32\Klfjpa32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2368 -
C:\Windows\SysWOW64\Kenoifpb.exeC:\Windows\system32\Kenoifpb.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3032 -
C:\Windows\SysWOW64\Klhgfq32.exeC:\Windows\system32\Klhgfq32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2436 -
C:\Windows\SysWOW64\Kgnkci32.exeC:\Windows\system32\Kgnkci32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2456 -
C:\Windows\SysWOW64\Kcdlhj32.exeC:\Windows\system32\Kcdlhj32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2008 -
C:\Windows\SysWOW64\Kindeddf.exeC:\Windows\system32\Kindeddf.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2188 -
C:\Windows\SysWOW64\Keeeje32.exeC:\Windows\system32\Keeeje32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1796 -
C:\Windows\SysWOW64\Lhcafa32.exeC:\Windows\system32\Lhcafa32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2900 -
C:\Windows\SysWOW64\Lkdjglfo.exeC:\Windows\system32\Lkdjglfo.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2736 -
C:\Windows\SysWOW64\Lncfcgeb.exeC:\Windows\system32\Lncfcgeb.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2388 -
C:\Windows\SysWOW64\Lnecigcp.exeC:\Windows\system32\Lnecigcp.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2672 -
C:\Windows\SysWOW64\Ldokfakl.exeC:\Windows\system32\Ldokfakl.exe33⤵
- Executes dropped EXE
PID:3028 -
C:\Windows\SysWOW64\Ldahkaij.exeC:\Windows\system32\Ldahkaij.exe34⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1716 -
C:\Windows\SysWOW64\Lnjldf32.exeC:\Windows\system32\Lnjldf32.exe35⤵
- Executes dropped EXE
PID:2512 -
C:\Windows\SysWOW64\Mfeaiime.exeC:\Windows\system32\Mfeaiime.exe36⤵
- Executes dropped EXE
PID:1968 -
C:\Windows\SysWOW64\Mhcmedli.exeC:\Windows\system32\Mhcmedli.exe37⤵
- Executes dropped EXE
PID:2332 -
C:\Windows\SysWOW64\Mqjefamk.exeC:\Windows\system32\Mqjefamk.exe38⤵
- Executes dropped EXE
PID:1336 -
C:\Windows\SysWOW64\Mjcjog32.exeC:\Windows\system32\Mjcjog32.exe39⤵
- Executes dropped EXE
PID:1548 -
C:\Windows\SysWOW64\Mkfclo32.exeC:\Windows\system32\Mkfclo32.exe40⤵
- Executes dropped EXE
PID:896 -
C:\Windows\SysWOW64\Mbqkiind.exeC:\Windows\system32\Mbqkiind.exe41⤵
- Executes dropped EXE
PID:2856 -
C:\Windows\SysWOW64\Mqehjecl.exeC:\Windows\system32\Mqehjecl.exe42⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:2936 -
C:\Windows\SysWOW64\Ngpqfp32.exeC:\Windows\system32\Ngpqfp32.exe43⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1864 -
C:\Windows\SysWOW64\Ngbmlo32.exeC:\Windows\system32\Ngbmlo32.exe44⤵
- Executes dropped EXE
- Modifies registry class
PID:376 -
C:\Windows\SysWOW64\Njpihk32.exeC:\Windows\system32\Njpihk32.exe45⤵
- Executes dropped EXE
PID:1728 -
C:\Windows\SysWOW64\Ngdjaofc.exeC:\Windows\system32\Ngdjaofc.exe46⤵
- Executes dropped EXE
PID:1688 -
C:\Windows\SysWOW64\Njbfnjeg.exeC:\Windows\system32\Njbfnjeg.exe47⤵
- Executes dropped EXE
PID:1304 -
C:\Windows\SysWOW64\Nckkgp32.exeC:\Windows\system32\Nckkgp32.exe48⤵
- Executes dropped EXE
PID:2056 -
C:\Windows\SysWOW64\Nmcopebh.exeC:\Windows\system32\Nmcopebh.exe49⤵
- Executes dropped EXE
PID:2980 -
C:\Windows\SysWOW64\Npbklabl.exeC:\Windows\system32\Npbklabl.exe50⤵
- Executes dropped EXE
PID:888 -
C:\Windows\SysWOW64\Nlilqbgp.exeC:\Windows\system32\Nlilqbgp.exe51⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2908 -
C:\Windows\SysWOW64\Obbdml32.exeC:\Windows\system32\Obbdml32.exe52⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2064 -
C:\Windows\SysWOW64\Olkifaen.exeC:\Windows\system32\Olkifaen.exe53⤵
- Executes dropped EXE
PID:3056 -
C:\Windows\SysWOW64\Opfegp32.exeC:\Windows\system32\Opfegp32.exe54⤵
- Executes dropped EXE
PID:2572 -
C:\Windows\SysWOW64\Oecmogln.exeC:\Windows\system32\Oecmogln.exe55⤵
- Executes dropped EXE
PID:2756 -
C:\Windows\SysWOW64\Ohbikbkb.exeC:\Windows\system32\Ohbikbkb.exe56⤵
- Executes dropped EXE
PID:2568 -
C:\Windows\SysWOW64\Obgnhkkh.exeC:\Windows\system32\Obgnhkkh.exe57⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:616 -
C:\Windows\SysWOW64\Onnnml32.exeC:\Windows\system32\Onnnml32.exe58⤵
- Executes dropped EXE
PID:1252 -
C:\Windows\SysWOW64\Oehgjfhi.exeC:\Windows\system32\Oehgjfhi.exe59⤵
- Executes dropped EXE
PID:1932 -
C:\Windows\SysWOW64\Odkgec32.exeC:\Windows\system32\Odkgec32.exe60⤵
- Executes dropped EXE
PID:1696 -
C:\Windows\SysWOW64\Omckoi32.exeC:\Windows\system32\Omckoi32.exe61⤵
- Executes dropped EXE
PID:1248 -
C:\Windows\SysWOW64\Oflpgnld.exeC:\Windows\system32\Oflpgnld.exe62⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2632 -
C:\Windows\SysWOW64\Pnchhllf.exeC:\Windows\system32\Pnchhllf.exe63⤵
- Executes dropped EXE
PID:2716 -
C:\Windows\SysWOW64\Phklaacg.exeC:\Windows\system32\Phklaacg.exe64⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1620 -
C:\Windows\SysWOW64\Piliii32.exeC:\Windows\system32\Piliii32.exe65⤵
- Executes dropped EXE
PID:1616 -
C:\Windows\SysWOW64\Pmhejhao.exeC:\Windows\system32\Pmhejhao.exe66⤵PID:2944
-
C:\Windows\SysWOW64\Pjleclph.exeC:\Windows\system32\Pjleclph.exe67⤵
- Modifies registry class
PID:1344 -
C:\Windows\SysWOW64\Pmjaohol.exeC:\Windows\system32\Pmjaohol.exe68⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3020 -
C:\Windows\SysWOW64\Pbgjgomc.exeC:\Windows\system32\Pbgjgomc.exe69⤵
- Drops file in System32 directory
PID:3044 -
C:\Windows\SysWOW64\Ponklpcg.exeC:\Windows\system32\Ponklpcg.exe70⤵
- Modifies registry class
PID:304 -
C:\Windows\SysWOW64\Pbigmn32.exeC:\Windows\system32\Pbigmn32.exe71⤵
- System Location Discovery: System Language Discovery
PID:2192 -
C:\Windows\SysWOW64\Popgboae.exeC:\Windows\system32\Popgboae.exe72⤵PID:2472
-
C:\Windows\SysWOW64\Paocnkph.exeC:\Windows\system32\Paocnkph.exe73⤵PID:2108
-
C:\Windows\SysWOW64\Qobdgo32.exeC:\Windows\system32\Qobdgo32.exe74⤵PID:2692
-
C:\Windows\SysWOW64\Qaapcj32.exeC:\Windows\system32\Qaapcj32.exe75⤵PID:2648
-
C:\Windows\SysWOW64\Qkielpdf.exeC:\Windows\system32\Qkielpdf.exe76⤵PID:2776
-
C:\Windows\SysWOW64\Aacmij32.exeC:\Windows\system32\Aacmij32.exe77⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1720 -
C:\Windows\SysWOW64\Aklabp32.exeC:\Windows\system32\Aklabp32.exe78⤵PID:1488
-
C:\Windows\SysWOW64\Aaejojjq.exeC:\Windows\system32\Aaejojjq.exe79⤵PID:2464
-
C:\Windows\SysWOW64\Aknngo32.exeC:\Windows\system32\Aknngo32.exe80⤵PID:1812
-
C:\Windows\SysWOW64\Anljck32.exeC:\Windows\system32\Anljck32.exe81⤵PID:268
-
C:\Windows\SysWOW64\Akpkmo32.exeC:\Windows\system32\Akpkmo32.exe82⤵PID:636
-
C:\Windows\SysWOW64\Anogijnb.exeC:\Windows\system32\Anogijnb.exe83⤵PID:2404
-
C:\Windows\SysWOW64\Adipfd32.exeC:\Windows\system32\Adipfd32.exe84⤵
- Modifies registry class
PID:1340 -
C:\Windows\SysWOW64\Ajehnk32.exeC:\Windows\system32\Ajehnk32.exe85⤵PID:2328
-
C:\Windows\SysWOW64\Acnlgajg.exeC:\Windows\system32\Acnlgajg.exe86⤵PID:2468
-
C:\Windows\SysWOW64\Ajhddk32.exeC:\Windows\system32\Ajhddk32.exe87⤵PID:2216
-
C:\Windows\SysWOW64\Bacihmoo.exeC:\Windows\system32\Bacihmoo.exe88⤵PID:1608
-
C:\Windows\SysWOW64\Bjjaikoa.exeC:\Windows\system32\Bjjaikoa.exe89⤵PID:1920
-
C:\Windows\SysWOW64\Baefnmml.exeC:\Windows\system32\Baefnmml.exe90⤵PID:2684
-
C:\Windows\SysWOW64\Bddbjhlp.exeC:\Windows\system32\Bddbjhlp.exe91⤵PID:2592
-
C:\Windows\SysWOW64\Bfcodkcb.exeC:\Windows\system32\Bfcodkcb.exe92⤵PID:2708
-
C:\Windows\SysWOW64\Bhbkpgbf.exeC:\Windows\system32\Bhbkpgbf.exe93⤵
- Drops file in System32 directory
PID:1092 -
C:\Windows\SysWOW64\Bqmpdioa.exeC:\Windows\system32\Bqmpdioa.exe94⤵
- Modifies registry class
PID:1292 -
C:\Windows\SysWOW64\Bhdhefpc.exeC:\Windows\system32\Bhdhefpc.exe95⤵PID:1320
-
C:\Windows\SysWOW64\Bqolji32.exeC:\Windows\system32\Bqolji32.exe96⤵PID:1660
-
C:\Windows\SysWOW64\Cgidfcdk.exeC:\Windows\system32\Cgidfcdk.exe97⤵
- Drops file in System32 directory
PID:2400 -
C:\Windows\SysWOW64\Cdmepgce.exeC:\Windows\system32\Cdmepgce.exe98⤵
- System Location Discovery: System Language Discovery
PID:1956 -
C:\Windows\SysWOW64\Cglalbbi.exeC:\Windows\system32\Cglalbbi.exe99⤵PID:932
-
C:\Windows\SysWOW64\Ccbbachm.exeC:\Windows\system32\Ccbbachm.exe100⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2316 -
C:\Windows\SysWOW64\Cfanmogq.exeC:\Windows\system32\Cfanmogq.exe101⤵PID:1512
-
C:\Windows\SysWOW64\Ciokijfd.exeC:\Windows\system32\Ciokijfd.exe102⤵PID:2136
-
C:\Windows\SysWOW64\Cfckcoen.exeC:\Windows\system32\Cfckcoen.exe103⤵
- System Location Discovery: System Language Discovery
PID:2680 -
C:\Windows\SysWOW64\Cbjlhpkb.exeC:\Windows\system32\Cbjlhpkb.exe104⤵PID:2912
-
C:\Windows\SysWOW64\Cehhdkjf.exeC:\Windows\system32\Cehhdkjf.exe105⤵PID:1792
-
C:\Windows\SysWOW64\Cmppehkh.exeC:\Windows\system32\Cmppehkh.exe106⤵PID:1564
-
C:\Windows\SysWOW64\Dekdikhc.exeC:\Windows\system32\Dekdikhc.exe107⤵PID:2288
-
C:\Windows\SysWOW64\Dkdmfe32.exeC:\Windows\system32\Dkdmfe32.exe108⤵PID:1244
-
C:\Windows\SysWOW64\Daaenlng.exeC:\Windows\system32\Daaenlng.exe109⤵PID:2124
-
C:\Windows\SysWOW64\Dgknkf32.exeC:\Windows\system32\Dgknkf32.exe110⤵PID:3000
-
C:\Windows\SysWOW64\Dadbdkld.exeC:\Windows\system32\Dadbdkld.exe111⤵PID:916
-
C:\Windows\SysWOW64\Dnhbmpkn.exeC:\Windows\system32\Dnhbmpkn.exe112⤵
- System Location Discovery: System Language Discovery
PID:1724 -
C:\Windows\SysWOW64\Dcdkef32.exeC:\Windows\system32\Dcdkef32.exe113⤵
- System Location Discovery: System Language Discovery
PID:992 -
C:\Windows\SysWOW64\Djocbqpb.exeC:\Windows\system32\Djocbqpb.exe114⤵PID:2212
-
C:\Windows\SysWOW64\Dpklkgoj.exeC:\Windows\system32\Dpklkgoj.exe115⤵PID:2652
-
C:\Windows\SysWOW64\Eakhdj32.exeC:\Windows\system32\Eakhdj32.exe116⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2536 -
C:\Windows\SysWOW64\Efhqmadd.exeC:\Windows\system32\Efhqmadd.exe117⤵PID:1984
-
C:\Windows\SysWOW64\Eppefg32.exeC:\Windows\system32\Eppefg32.exe118⤵PID:772
-
C:\Windows\SysWOW64\Efjmbaba.exeC:\Windows\system32\Efjmbaba.exe119⤵PID:2596
-
C:\Windows\SysWOW64\Elgfkhpi.exeC:\Windows\system32\Elgfkhpi.exe120⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2884 -
C:\Windows\SysWOW64\Ebqngb32.exeC:\Windows\system32\Ebqngb32.exe121⤵
- System Location Discovery: System Language Discovery
PID:1088
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-