Analysis

Max time kernel: 116s
Max time network: 18s
Platform: windows7_x64
Resource: win7-20240903-en
Resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
Submitted: 05-09-2024 12:44

Static task: static1
Behavioral task: behavioral1
    Sample: cd19f7c8f4e4faab32ab07ab646edb20N.exe
    Resource: win7-20240903-en
Behavioral task: behavioral2
    Sample: cd19f7c8f4e4faab32ab07ab646edb20N.exe
    Resource: win10v2004-20240802-en

General

Target: cd19f7c8f4e4faab32ab07ab646edb20N.exe
Size: 45KB
MD5: cd19f7c8f4e4faab32ab07ab646edb20
SHA1: e468c22d64104597791c84ac7e08db88145e643a
SHA256: d36324f9e0390d669c6b7e23289abdcb6318e1450ae80f5df0c23e4dd17ad004
SHA512: 2860950d154145f5f5bd00e75ee18b08ca8d63c0b621b2e7fccfa0e3326874b6c55603e77fc694a9fc7ca1bd1d7c50f6d5d07e3c6e13c8976a91761cfe7c85a1
SSDEEP: 768:DqcLbisi8Pl+dekQmEUV8QrYNntVALbhpfyrgOMp8Bacs8ArA/1H5k:DbLzQdfDy9ntChcrlucs8ArGK
Malware Config
Signatures
Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)

Explorer instantiates every CLSID listed under ShellServiceObjectDelayLoad when the shell starts, so the in-process server DLL registered for {79FEACFF-FFCE-815E-A900-316290B5B738} (see "Modifies registry class" below) gets loaded into explorer.exe without any Run key. Because the sample is 32-bit, its writes land in the Wow6432Node view; when hunting on 64-bit hosts check both the native key and the Wow6432Node key, and likewise both CLSID views under Classes. The table has two distinct IoCs, each written by many of the dropped processes:

description: Set value (str)
ioc: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"
Process (28): Edmblo32.exe, Pbkdoogb.exe, Lkgmfneb.exe, Ebojbaga.exe, Oqkimp32.exe, Qmkigb32.exe, Fgolmbnq.exe, Khpccibp.exe,
    Bndhle32.exe, Olnnlpqd.exe, Cchdlb32.exe, Bqhffj32.exe, Papmnj32.exe, Odqiaa32.exe, Ffhoam32.exe, Djhapcgl.exe,
    Hheimpfm.exe, Aalcdngp.exe, Cflcglho.exe, Elmoqlmh.exe, Nhombc32.exe, Mhobnqlg.exe, Jnpjeh32.exe, Pmnnomnn.exe,
    Iekbob32.exe, Kedaddif.exe, Noajoihl.exe, Boppmf32.exe

description: Key created
ioc: \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
Process (36): Oeobidll.exe, Pncgjl32.exe, Daghjj32.exe, Mcmiqdnj.exe, Kjllpopk.exe, Inecnh32.exe, Cfbifgln.exe, Lgmnko32.exe,
    Pfpjonfc.exe, Egoaiqjj.exe, Pibkdhbi.exe, Fgolmbnq.exe, Pengmqkl.exe, Jnpjeh32.exe, Gfobndnj.exe, Pnjepahn.exe,
    Jdbmac32.exe, Mnbbpkjg.exe, Cabnokkq.exe, Flmifk32.exe, Iecfpa32.exe, Mpdblpnd.exe, Dgbdhe32.exe, Mkeogn32.exe,
    Kmjeca32.exe, Llpbeaak.exe, Fojjfogp.exe, Bpfgheco.exe, Mloigc32.exe, Kheloh32.exe, Onaflccf.exe, Mpiinfbk.exe,
    Jlogao32.exe, Dfambk32.exe, Epimjd32.exe, Hglakcao.exe
Executes dropped EXE (64 IoCs)

pid   Process
2272  Gqenfc32.exe
2096  Gninpg32.exe
2060  Gjpodhfi.exe
2736  Gaigab32.exe
2656  Hpodbo32.exe
2676  Higikdhn.exe
2572  Hfmfjh32.exe
3048  Haggkf32.exe
2884  Iaicpepa.exe
1740  Ieglfd32.exe
1788  Iopqoi32.exe
1504  Iiiapg32.exe
2628  Iikneggd.exe
1624  Jfoookfn.exe
2980  Jllggbde.exe
2352  Jiphpf32.exe
1360  Jkdanngk.exe
2424  Jeiekgfq.exe
2492  Japfphle.exe
1164  Jkhjin32.exe
2148  Kabbehjb.exe
1988  Kjngjj32.exe
1520  Kkmddmop.exe
2716  Kpjlldmg.exe
2516  Kjdmjiae.exe
2008  Klcjfdqi.exe
2016  Ldqkqf32.exe
1208  Lbdljk32.exe
2948  Lkmpcpak.exe
2384  Lgcqhagp.exe
2788  Lcjamb32.exe
2564  Mghjcq32.exe
2588  Mnbbpkjg.exe
2180  Mcagma32.exe
2932  Mcddca32.exe
2636  Mloigc32.exe
2020  Nlafmcpa.exe
2888  Nldbbbno.exe
2928  Nhjcgccc.exe
2848  Nhmpmcaq.exe
2976  Nhombc32.exe
2164  Nmlekj32.exe
2240  Oenppk32.exe
2864  Oaeqeljm.exe
2012  Olkebejb.exe
1400  Ooianpif.exe
1984  Pdfifg32.exe
1732  Pmnnomnn.exe
676   Phcbmend.exe
2472  Pmqkellk.exe
1600  Pdjcaf32.exe
2108  Pncgjl32.exe
1588  Pcppbc32.exe
2720  Plhdkhoq.exe
2576  Pcbmhb32.exe
2916  Qljaah32.exe
2660  Qcdinbdk.exe
2028  Qjnajl32.exe
1992  Qlmnfh32.exe
2356  Adhbkj32.exe
2328  Aalcdngp.exe
1736  Agikmeeg.exe
1628  Abnpjnem.exe
2188  Agkhbece.exe
Loads dropped DLL (64 IoCs)

Every process below appears twice in the source table (two load events each), so the 64 rows cover 32 processes:

pid   Process                                 events
1756  cd19f7c8f4e4faab32ab07ab646edb20N.exe   2
2272  Gqenfc32.exe                            2
2096  Gninpg32.exe                            2
2060  Gjpodhfi.exe                            2
2736  Gaigab32.exe                            2
2656  Hpodbo32.exe                            2
2676  Higikdhn.exe                            2
2572  Hfmfjh32.exe                            2
3048  Haggkf32.exe                            2
2884  Iaicpepa.exe                            2
1740  Ieglfd32.exe                            2
1788  Iopqoi32.exe                            2
1504  Iiiapg32.exe                            2
2628  Iikneggd.exe                            2
1624  Jfoookfn.exe                            2
2980  Jllggbde.exe                            2
2352  Jiphpf32.exe                            2
1360  Jkdanngk.exe                            2
2424  Jeiekgfq.exe                            2
2492  Japfphle.exe                            2
1164  Jkhjin32.exe                            2
2148  Kabbehjb.exe                            2
1988  Kjngjj32.exe                            2
1520  Kkmddmop.exe                            2
2716  Kpjlldmg.exe                            2
2516  Kjdmjiae.exe                            2
2008  Klcjfdqi.exe                            2
2016  Ldqkqf32.exe                            2
1208  Lbdljk32.exe                            2
2948  Lkmpcpak.exe                            2
2384  Lgcqhagp.exe                            2
2788  Lcjamb32.exe                            2
Drops file in System32 directory (64 IoCs)

description                   ioc                                    Process
File created                  C:\Windows\SysWOW64\Ajppjg32.dll       Nfafci32.exe
File created                  C:\Windows\SysWOW64\Iaakko32.dll       Olmilk32.exe
File created                  C:\Windows\SysWOW64\Kjngjj32.exe       Kabbehjb.exe
File opened for modification  C:\Windows\SysWOW64\Kajbie32.exe       Kolemj32.exe
File created                  C:\Windows\SysWOW64\Jghfid32.exe       Jblmpmfe.exe
File created                  C:\Windows\SysWOW64\Fgjnphed.dll       Ijdbffpl.exe
File created                  C:\Windows\SysWOW64\Jigfna32.dll       Ffndidol.exe
File created                  C:\Windows\SysWOW64\Onejljep.exe       Oppmkm32.exe
File created                  C:\Windows\SysWOW64\Koboce32.dll       Llkdieii.exe
File opened for modification  C:\Windows\SysWOW64\Oqmohi32.exe       Ociooe32.exe
File opened for modification  C:\Windows\SysWOW64\Jklenmob.exe       Jdbmac32.exe
File opened for modification  C:\Windows\SysWOW64\Ldebcach.exe       Lfaaim32.exe
File opened for modification  C:\Windows\SysWOW64\Oedgkjob.exe       Okocmapl.exe
File opened for modification  C:\Windows\SysWOW64\Djkcgpaa.exe       Cabnokkq.exe
File opened for modification  C:\Windows\SysWOW64\Naalfnba.exe       Ndmkmich.exe
File opened for modification  C:\Windows\SysWOW64\Peaagl32.exe       Okimnfkm.exe
File opened for modification  C:\Windows\SysWOW64\Ljfgil32.exe       Lancqglp.exe
File created                  C:\Windows\SysWOW64\Bhallgpj.exe       Bpfgheco.exe
File created                  C:\Windows\SysWOW64\Dnipid32.dll       Dffmgqcp.exe
File created                  C:\Windows\SysWOW64\Ojhaie32.dll       Ghjkki32.exe
File created                  C:\Windows\SysWOW64\Kbcjof32.dll       Hhgdig32.exe
File created                  C:\Windows\SysWOW64\Jepndigo.dll       Fmpmaqaq.exe
File created                  C:\Windows\SysWOW64\Fpfijhdg.dll       Commmdhp.exe
File created                  C:\Windows\SysWOW64\Ifddon32.dll       Mnbbpkjg.exe
File created                  C:\Windows\SysWOW64\Fedqdl32.dll       Ooianpif.exe
File created                  C:\Windows\SysWOW64\Qliepk32.dll       Eilfoapg.exe
File opened for modification  C:\Windows\SysWOW64\Emmljodk.exe       Eiapjq32.exe
File created                  C:\Windows\SysWOW64\Cchdlb32.exe       Cjppclkp.exe
File opened for modification  C:\Windows\SysWOW64\Ijgcmc32.exe       Imccco32.exe
File created                  C:\Windows\SysWOW64\Cogpgn32.dll       Kfeijocl.exe
File opened for modification  C:\Windows\SysWOW64\Bjcgdojn.exe       Bciohe32.exe
File created                  C:\Windows\SysWOW64\Okhiel32.dll       Gmdapoil.exe
File created                  C:\Windows\SysWOW64\Ddjmaebi.exe       Dffmgqcp.exe
File created                  C:\Windows\SysWOW64\Cgacalph.dll       Eidohiac.exe
File created                  C:\Windows\SysWOW64\Mhddjigo.dll       Kfmjfa32.exe
File opened for modification  C:\Windows\SysWOW64\Iemoebmb.exe       Incfhh32.exe
File created                  C:\Windows\SysWOW64\Phfaknce.exe       Palincli.exe
File created                  C:\Windows\SysWOW64\Pffnfdhg.exe       Pfdaae32.exe
File created                  C:\Windows\SysWOW64\Kncfap32.dll       Comkdl32.exe
File created                  C:\Windows\SysWOW64\Jlajbl32.dll       Ckfhom32.exe
File opened for modification  C:\Windows\SysWOW64\Jbegpn32.exe       Jilcghfm.exe
File created                  C:\Windows\SysWOW64\Kjdmjiae.exe       Kpjlldmg.exe
File created                  C:\Windows\SysWOW64\Cihqdoaa.exe       Cgfdmf32.exe
File created                  C:\Windows\SysWOW64\Dlkchjnb.dll       Fpqjeiji.exe
File opened for modification  C:\Windows\SysWOW64\Eidohiac.exe       Emmnch32.exe
File created                  C:\Windows\SysWOW64\Ebjhdhak.exe       Eqilmp32.exe
File created                  C:\Windows\SysWOW64\Pfpjonfc.exe       Ondejl32.exe
File created                  C:\Windows\SysWOW64\Jfoookfn.exe       Iikneggd.exe
File created                  C:\Windows\SysWOW64\Lcjamb32.exe       Lgcqhagp.exe
File created                  C:\Windows\SysWOW64\Bkkfff32.dll       Jmafocbb.exe
File opened for modification  C:\Windows\SysWOW64\Fcfmacce.exe       Fgolmbnq.exe
File created                  C:\Windows\SysWOW64\Gbdkihnf.dll       Jnfhoi32.exe
File opened for modification  C:\Windows\SysWOW64\Lancqglp.exe       Kibnld32.exe
File created                  C:\Windows\SysWOW64\Oaeqeljm.exe       Oenppk32.exe
File opened for modification  C:\Windows\SysWOW64\Mhippbem.exe       Mkeogn32.exe
File created                  C:\Windows\SysWOW64\Jqogiafk.dll       Cchdlb32.exe
File opened for modification  C:\Windows\SysWOW64\Ehnieaoj.exe       Epgqddoh.exe
File created                  C:\Windows\SysWOW64\Biddhbhe.dll       Bbdakh32.exe
File opened for modification  C:\Windows\SysWOW64\Ggmnoo32.exe       Gmeificb.exe
File created                  C:\Windows\SysWOW64\Pdbfehfe.dll       Dceodhjg.exe
File created                  C:\Windows\SysWOW64\Dqbgonjc.dll       Idmllnho.exe
File created                  C:\Windows\SysWOW64\Kkechk32.exe       Kehjpd32.exe
File created                  C:\Windows\SysWOW64\Peclcc32.exe       Plkgkn32.exe
File opened for modification  C:\Windows\SysWOW64\Aiaqie32.exe       Qlmpoqbo.exe
Program crash (1 IoC)

pid   pid_target   Process       procid_target
2464  4904         WerFault.exe  788
System Location Discovery: System Language Discovery (1 TTP, 64 IoCs)

Attempts to gather information about the system language of the victim in order to infer the geographical location of that host. On its own this is a low-confidence signature: the NLS\Language key is read by the standard locale APIs, so a great many benign programs trigger it as well.

description: Key opened
ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Process (64): Pkfemdlp.exe, Cihqdoaa.exe, Cohoqd32.exe, Pjccjblp.exe, Ngcknpeh.exe, Jjapfamf.exe, Lpidii32.exe, Kjllpopk.exe,
    Blpkmljl.exe, Fpjmkhbo.exe, Hkhdfhmc.exe, Pbpbklpd.exe, Glfqngom.exe, Mpofhhjf.exe, Eopehg32.exe, Ilggal32.exe,
    Geoegm32.exe, Eenige32.exe, Olmilk32.exe, Pmnlfhik.exe, Flmifk32.exe, Mloigc32.exe, Fpqjeiji.exe, Kfmjfa32.exe,
    Abjnei32.exe, Qpdenh32.exe, Hhbmgp32.exe, Kpjjcohd.exe, Hfipcf32.exe, Bkcmba32.exe, Palincli.exe, Mcmiqdnj.exe,
    Pnalqqbf.exe, Igkfop32.exe, Dkbpbe32.exe, Ijgcmc32.exe, Bndhle32.exe, Imcelhbk.exe, Mdpbnlbe.exe, Bdgjhp32.exe,
    Bqhffj32.exe, Elmoqlmh.exe, Igfkkh32.exe, Cckjeq32.exe, Aocdec32.exe, Fiijladb.exe, Jllggbde.exe, Ancfbhdh.exe,
    Cbcgmi32.exe, Fbfojl32.exe, Aiaqie32.exe, Adkaib32.exe, Efnlko32.exe, Hlcimd32.exe, Njhhiiok.exe, Fiiono32.exe,
    Iohiafag.exe, Mjnohc32.exe, Dpldkf32.exe, Lgdcqj32.exe, Oipdhm32.exe, Ihapcdol.exe, Bgmagh32.exe, Ojckmm32.exe
Modifies registry class (64 IoCs)

These writes complete the persistence set up under ShellServiceObjectDelayLoad above: the (default) value of the CLSID's InProcServer32 key names the COM server DLL that Explorer loads for {79FEACFF-FFCE-815E-A900-316290B5B738}. The DLL name differs from process to process while the CLSID and the "Web Event Logger" value name stay fixed, so those two are the stable indicators; the DLLs all sit in SysWow64, so a path allow-list on the system directory does not separate them from legitimate components.

description: Key created
ioc: \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32
Process (26): Idmllnho.exe, Ikmpipqb.exe, Bklbpd32.exe, Cnjhbjql.exe, Bdbjcj32.exe, Mpdblpnd.exe, Adkaib32.exe, Gfmgdi32.exe,
    Bokapipc.exe, Jfgnbi32.exe, Ljqcbjee.exe, Kabbehjb.exe, Cohoqd32.exe, Njadab32.exe, Qccggfgh.exe, Chpmocpa.exe,
    Mhddln32.exe, Nhmpmcaq.exe, Jhhcpkmh.exe, Konplnaa.exe, Bmgfoi32.exe, Jkjfpe32.exe, Kmhkfj32.exe, Gehjepon.exe,
    Aleoco32.exe, Pocmhnlk.exe

description: Set value (str)
ioc: \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"
Process (24): Mkeogn32.exe, Cnoamj32.exe, Bkapla32.exe, Eobenc32.exe, Ilpblb32.exe, Iiiapg32.exe, Oihclk32.exe, Jfgnbi32.exe,
    Ckciqdol.exe, Mpiinfbk.exe, Jpfjfn32.exe, Lhmlbfcb.exe, Pdjcaf32.exe, Kipfhbmo.exe, Mqinpd32.exe, Galllipa.exe,
    Kibnld32.exe, Bdjighdl.exe, Fmpmaqaq.exe, Elmoqlmh.exe, Pbefbn32.exe, Plkgkn32.exe, Floccbai.exe, Nmfbohal.exe

description: Set value (str)
ioc: \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = <DLL path> (the default value), 14 distinct DLLs:
    "C:\\Windows\\SysWow64\\Jkmllp32.dll"   Qnkgnj32.exe
    "C:\\Windows\\SysWow64\\Khonac32.dll"   Hkqgkcpp.exe
    "C:\\Windows\\SysWow64\\Cankgh32.dll"   Fqakqmpd.exe
    "C:\\Windows\\SysWow64\\Nejdgdpl.dll"   Llmandgf.exe
    "C:\\Windows\\SysWow64\\Lggnjkbl.dll"   Cajokmfi.exe
    "C:\\Windows\\SysWow64\\Jeingodf.dll"   Nmfbohal.exe
    "C:\\Windows\\SysWow64\\Mpgmeb32.dll"   Qccggfgh.exe
    "C:\\Windows\\SysWow64\\Pdgbkhca.dll"   Bgbncdmm.exe
    "C:\\Windows\\SysWow64\\Caeaoj32.dll"   Edbjljpm.exe
    "C:\\Windows\\SysWow64\\Eipojekb.dll"   Cfjfal32.exe
    "C:\\Windows\\SysWow64\\Kgmkgkon.dll"   Qmkigb32.exe
    "C:\\Windows\\SysWow64\\Mhddjigo.dll"   Kfmjfa32.exe
    "C:\\Windows\\SysWow64\\Kipqeq32.dll"   Lgmnko32.exe
    "C:\\Windows\\SysWow64\\Anjenh32.dll"   Lfaaim32.exe
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target
PID 1756 wrote to memory of 2272 1756 cd19f7c8f4e4faab32ab07ab646edb20N.exe 29
PID 1756 wrote to memory of 2272 1756 cd19f7c8f4e4faab32ab07ab646edb20N.exe 29
PID 1756 wrote to memory of 2272 1756 cd19f7c8f4e4faab32ab07ab646edb20N.exe 29
PID 1756 wrote to memory of 2272 1756 cd19f7c8f4e4faab32ab07ab646edb20N.exe 29
PID 2272 wrote to memory of 2096 2272 Gqenfc32.exe 30
PID 2272 wrote to memory of 2096 2272 Gqenfc32.exe 30
PID 2272 wrote to memory of 2096 2272 Gqenfc32.exe 30
PID 2272 wrote to memory of 2096 2272 Gqenfc32.exe 30
PID 2096 wrote to memory of 2060 2096 Gninpg32.exe 31
PID 2096 wrote to memory of 2060 2096 Gninpg32.exe 31
PID 2096 wrote to memory of 2060 2096 Gninpg32.exe 31
PID 2096 wrote to memory of 2060 2096 Gninpg32.exe 31
PID 2060 wrote to memory of 2736 2060 Gjpodhfi.exe 32
PID 2060 wrote to memory of 2736 2060 Gjpodhfi.exe 32
PID 2060 wrote to memory of 2736 2060 Gjpodhfi.exe 32
PID 2060 wrote to memory of 2736 2060 Gjpodhfi.exe 32
PID 2736 wrote to memory of 2656 2736 Gaigab32.exe 33
PID 2736 wrote to memory of 2656 2736 Gaigab32.exe 33
PID 2736 wrote to memory of 2656 2736 Gaigab32.exe 33
PID 2736 wrote to memory of 2656 2736 Gaigab32.exe 33
PID 2656 wrote to memory of 2676 2656 Hpodbo32.exe 34
PID 2656 wrote to memory of 2676 2656 Hpodbo32.exe 34
PID 2656 wrote to memory of 2676 2656 Hpodbo32.exe 34
PID 2656 wrote to memory of 2676 2656 Hpodbo32.exe 34
PID 2676 wrote to memory of 2572 2676 Higikdhn.exe 35
PID 2676 wrote to memory of 2572 2676 Higikdhn.exe 35
PID 2676 wrote to memory of 2572 2676 Higikdhn.exe 35
PID 2676 wrote to memory of 2572 2676 Higikdhn.exe 35
PID 2572 wrote to memory of 3048 2572 Hfmfjh32.exe 36
PID 2572 wrote to memory of 3048 2572 Hfmfjh32.exe 36
PID 2572 wrote to memory of 3048 2572 Hfmfjh32.exe 36
PID 2572 wrote to memory of 3048 2572 Hfmfjh32.exe 36
PID 3048 wrote to memory of 2884 3048 Haggkf32.exe 37
PID 3048 wrote to memory of 2884 3048 Haggkf32.exe 37
PID 3048 wrote to memory of 2884 3048 Haggkf32.exe 37
PID 3048 wrote to memory of 2884 3048 Haggkf32.exe 37
PID 2884 wrote to memory of 1740 2884 Iaicpepa.exe 38
PID 2884 wrote to memory of 1740 2884 Iaicpepa.exe 38
PID 2884 wrote to memory of 1740 2884 Iaicpepa.exe 38
PID 2884 wrote to memory of 1740 2884 Iaicpepa.exe 38
PID 1740 wrote to memory of 1788 1740 Ieglfd32.exe 39
PID 1740 wrote to memory of 1788 1740 Ieglfd32.exe 39
PID 1740 wrote to memory of 1788 1740 Ieglfd32.exe 39
PID 1740 wrote to memory of 1788 1740 Ieglfd32.exe 39
PID 1788 wrote to memory of 1504 1788 Iopqoi32.exe 40
PID 1788 wrote to memory of 1504 1788 Iopqoi32.exe 40
PID 1788 wrote to memory of 1504 1788 Iopqoi32.exe 40
PID 1788 wrote to memory of 1504 1788 Iopqoi32.exe 40
PID 1504 wrote to memory of 2628 1504 Iiiapg32.exe 41
PID 1504 wrote to memory of 2628 1504 Iiiapg32.exe 41
PID 1504 wrote to memory of 2628 1504 Iiiapg32.exe 41
PID 1504 wrote to memory of 2628 1504 Iiiapg32.exe 41
PID 2628 wrote to memory of 1624 2628 Iikneggd.exe 42
PID 2628 wrote to memory of 1624 2628 Iikneggd.exe 42
PID 2628 wrote to memory of 1624 2628 Iikneggd.exe 42
PID 2628 wrote to memory of 1624 2628 Iikneggd.exe 42
PID 1624 wrote to memory of 2980 1624 Jfoookfn.exe 43
PID 1624 wrote to memory of 2980 1624 Jfoookfn.exe 43
PID 1624 wrote to memory of 2980 1624 Jfoookfn.exe 43
PID 1624 wrote to memory of 2980 1624 Jfoookfn.exe 43
PID 2980 wrote to memory of 2352 2980 Jllggbde.exe 44
PID 2980 wrote to memory of 2352 2980 Jllggbde.exe 44
PID 2980 wrote to memory of 2352 2980 Jllggbde.exe 44
PID 2980 wrote to memory of 2352 2980 Jllggbde.exe 44
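The two record types above (registry writes under "Modifies registry class" / "Adds autorun key", and the WriteProcessMemory records) are what an analyst turns into IoCs. The following is an added example, not part of the sandbox report or the sample's own code: a Python parser that joins the ShellServiceObjectDelayLoad entry to the CLSID InProcServer32 registration it names (the DLL Explorer will load at logon, and which dropped executables wrote each piece), and collapses the repeated WriteProcessMemory records into a de-duplicated parent-to-child chain. The sample input is a handful of records copied from this report, one per line; the field layout is read off the page as shown, and the unescaping of doubled backslashes inside quoted values is an assumption about how the report renders paths.

```python
import json
import re
from collections import Counter

# Constructed sample: records copied from this report, one record per line.
# Registry records: type, key path[\name] = "value", writing process.
# WriteProcessMemory records: PID <src> wrote to memory of <dst> <src> <image> <procid>.
SAMPLE_RECORDS = r"""
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Edmblo32.exe
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oeobidll.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kibnld32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Anjenh32.dll" Lfaaim32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gehjepon.exe
PID 1756 wrote to memory of 2272 1756 cd19f7c8f4e4faab32ab07ab646edb20N.exe 29
PID 1756 wrote to memory of 2272 1756 cd19f7c8f4e4faab32ab07ab646edb20N.exe 29
PID 1756 wrote to memory of 2272 1756 cd19f7c8f4e4faab32ab07ab646edb20N.exe 29
PID 1756 wrote to memory of 2272 1756 cd19f7c8f4e4faab32ab07ab646edb20N.exe 29
PID 2272 wrote to memory of 2096 2272 Gqenfc32.exe 30
PID 2272 wrote to memory of 2096 2272 Gqenfc32.exe 30
PID 2096 wrote to memory of 2060 2096 Gninpg32.exe 31
"""

SET_VALUE_RE = re.compile(r'^Set value \((\w+)\) (.+?) = "(.*)" (\S+)$')
KEY_CREATED_RE = re.compile(r'^Key created (.+) (\S+)$')
WPM_RE = re.compile(r'^PID (\d+) wrote to memory of (\d+) \1 (\S+) (\d+)$')
INPROC_RE = re.compile(r'\\CLSID\\(\{[0-9A-F-]+\})\\InProcServer32$', re.I)


def parse_records(text):
    """Split report records into registry tuples and WriteProcessMemory tuples.
    Lines matching neither layout are ignored."""
    regs, wpm = [], []
    for line in text.strip().splitlines():
        line = line.strip()
        if m := SET_VALUE_RE.match(line):
            kind, path, value, proc = m.groups()
            key, _, name = path.rpartition("\\")   # name == "" is the (Default) value
            # assumption: the report doubles backslashes inside quoted values
            regs.append(("set", key, name, value.replace("\\\\", "\\"), proc))
        elif m := KEY_CREATED_RE.match(line):
            key, proc = m.groups()
            regs.append(("create", key, None, None, proc))
        elif m := WPM_RE.match(line):
            src, dst, image, target = m.groups()
            wpm.append((int(src), int(dst), image, int(target)))
    return regs, wpm


def ssodl_persistence(regs):
    """Map each ShellServiceObjectDelayLoad entry to the CLSID it names and to
    that CLSID's InProcServer32 registration (DLL path, threading model) plus
    the set of processes that wrote any part of it."""
    entries, servers = {}, {}
    for kind, key, name, value, proc in regs:
        if kind == "set" and key.lower().endswith("\\shellserviceobjectdelayload"):
            entries[name] = value.upper()
            continue
        m = INPROC_RE.search(key)
        if not m:
            continue
        srv = servers.setdefault(m.group(1).upper(), {"writers": set()})
        srv["writers"].add(proc)
        if kind == "set" and name == "":
            srv["inproc_server"] = value
        elif kind == "set" and name.lower() == "threadingmodel":
            srv["threading_model"] = value
    return {n: {"clsid": c, **servers.get(c, {})} for n, c in entries.items()}


def process_chain(wpm):
    """Collapse repeated WriteProcessMemory records (one per API call) into a
    parent -> child chain in first-seen order, keeping the call count."""
    return [{"parent_pid": src, "parent_image": image, "child_pid": dst, "calls": n}
            for (src, dst, image, _target), n in Counter(wpm).items()]


def summarize(text):
    regs, wpm = parse_records(text)
    return {"persistence": ssodl_persistence(regs), "chain": process_chain(wpm)}


if __name__ == "__main__":
    print(json.dumps(summarize(SAMPLE_RECORDS), indent=2, default=sorted))
```

On the sample above the summary resolves "Web Event Logger" to CLSID {79FEACFF-FFCE-815E-A900-316290B5B738} whose default InProcServer32 value is C:\Windows\SysWow64\Anjenh32.dll, written by three different dropped executables, and reduces the twelve WriteProcessMemory records to three parent-to-child edges. On a host, the check that follows from this is whether the InProcServer32 DLL behind each ShellServiceObjectDelayLoad CLSID (under both the native and the Wow6432Node Classes hive) is a Windows-shipped file; a freshly written DLL under SysWow64 with a random eight-letter name, as here, is the indicator.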
Processes
-
Nesting depth, PID, image path and command line as recorded by the sandbox; each process is nested under the one above it, so the tree is a single chain. The command lines name C:\Windows\system32\ while the images run from C:\Windows\SysWOW64\: the dropped executables are 32-bit (resource tag arch:x86), so WoW64 file-system redirection maps the system32 path to SysWOW64.
1. PID 1756: C:\Users\Admin\AppData\Local\Temp\cd19f7c8f4e4faab32ab07ab646edb20N.exe (command line: "C:\Users\Admin\AppData\Local\Temp\cd19f7c8f4e4faab32ab07ab646edb20N.exe")
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
2. PID 2272: C:\Windows\SysWOW64\Gqenfc32.exe (command line: C:\Windows\system32\Gqenfc32.exe)
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
3. PID 2096: C:\Windows\SysWOW64\Gninpg32.exe (command line: C:\Windows\system32\Gninpg32.exe)
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
4. PID 2060: C:\Windows\SysWOW64\Gjpodhfi.exe (command line: C:\Windows\system32\Gjpodhfi.exe)
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
5. PID 2736: C:\Windows\SysWOW64\Gaigab32.exe (command line: C:\Windows\system32\Gaigab32.exe)
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
6. PID 2656: C:\Windows\SysWOW64\Hpodbo32.exe (command line: C:\Windows\system32\Hpodbo32.exe)
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
7. PID 2676: C:\Windows\SysWOW64\Higikdhn.exe (command line: C:\Windows\system32\Higikdhn.exe)
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
8. PID 2572: C:\Windows\SysWOW64\Hfmfjh32.exe (command line: C:\Windows\system32\Hfmfjh32.exe)
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
9. PID 3048: C:\Windows\SysWOW64\Haggkf32.exe (command line: C:\Windows\system32\Haggkf32.exe)
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
10. PID 2884: C:\Windows\SysWOW64\Iaicpepa.exe (command line: C:\Windows\system32\Iaicpepa.exe)
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
11. PID 1740: C:\Windows\SysWOW64\Ieglfd32.exe (command line: C:\Windows\system32\Ieglfd32.exe)
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
12. PID 1788: C:\Windows\SysWOW64\Iopqoi32.exe (command line: C:\Windows\system32\Iopqoi32.exe)
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
13. PID 1504: C:\Windows\SysWOW64\Iiiapg32.exe (command line: C:\Windows\system32\Iiiapg32.exe)
   - Executes dropped EXE
   - Loads dropped DLL
   - Modifies registry class
   - Suspicious use of WriteProcessMemory
14. PID 2628: C:\Windows\SysWOW64\Iikneggd.exe (command line: C:\Windows\system32\Iikneggd.exe)
   - Executes dropped EXE
   - Loads dropped DLL
   - Drops file in System32 directory
   - Suspicious use of WriteProcessMemory
15. PID 1624: C:\Windows\SysWOW64\Jfoookfn.exe (command line: C:\Windows\system32\Jfoookfn.exe)
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
16. PID 2980: C:\Windows\SysWOW64\Jllggbde.exe (command line: C:\Windows\system32\Jllggbde.exe)
   - Executes dropped EXE
   - Loads dropped DLL
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory
17. PID 2352: C:\Windows\SysWOW64\Jiphpf32.exe (command line: C:\Windows\system32\Jiphpf32.exe)
   - Executes dropped EXE
   - Loads dropped DLL
18. PID 1360: C:\Windows\SysWOW64\Jkdanngk.exe (command line: C:\Windows\system32\Jkdanngk.exe)
   - Executes dropped EXE
   - Loads dropped DLL
19. PID 2424: C:\Windows\SysWOW64\Jeiekgfq.exe (command line: C:\Windows\system32\Jeiekgfq.exe)
   - Executes dropped EXE
   - Loads dropped DLL
20. PID 2492: C:\Windows\SysWOW64\Japfphle.exe (command line: C:\Windows\system32\Japfphle.exe)
   - Executes dropped EXE
   - Loads dropped DLL
21. PID 1164: C:\Windows\SysWOW64\Jkhjin32.exe (command line: C:\Windows\system32\Jkhjin32.exe)
   - Executes dropped EXE
   - Loads dropped DLL
22. PID 2148: C:\Windows\SysWOW64\Kabbehjb.exe (command line: C:\Windows\system32\Kabbehjb.exe)
   - Executes dropped EXE
   - Loads dropped DLL
   - Drops file in System32 directory
   - Modifies registry class
23. PID 1988: C:\Windows\SysWOW64\Kjngjj32.exe (command line: C:\Windows\system32\Kjngjj32.exe)
   - Executes dropped EXE
   - Loads dropped DLL
24. PID 1520: C:\Windows\SysWOW64\Kkmddmop.exe (command line: C:\Windows\system32\Kkmddmop.exe)
   - Executes dropped EXE
   - Loads dropped DLL
25. PID 2716: C:\Windows\SysWOW64\Kpjlldmg.exe (command line: C:\Windows\system32\Kpjlldmg.exe)
   - Executes dropped EXE
   - Loads dropped DLL
   - Drops file in System32 directory
26. PID 2516: C:\Windows\SysWOW64\Kjdmjiae.exe (command line: C:\Windows\system32\Kjdmjiae.exe)
   - Executes dropped EXE
   - Loads dropped DLL
27. PID 2008: C:\Windows\SysWOW64\Klcjfdqi.exe (command line: C:\Windows\system32\Klcjfdqi.exe)
   - Executes dropped EXE
   - Loads dropped DLL
28. PID 2016: C:\Windows\SysWOW64\Ldqkqf32.exe (command line: C:\Windows\system32\Ldqkqf32.exe)
   - Executes dropped EXE
   - Loads dropped DLL
29. PID 1208: C:\Windows\SysWOW64\Lbdljk32.exe (command line: C:\Windows\system32\Lbdljk32.exe)
   - Executes dropped EXE
   - Loads dropped DLL
30. PID 2948: C:\Windows\SysWOW64\Lkmpcpak.exe (command line: C:\Windows\system32\Lkmpcpak.exe)
   - Executes dropped EXE
   - Loads dropped DLL
31. PID 2384: C:\Windows\SysWOW64\Lgcqhagp.exe (command line: C:\Windows\system32\Lgcqhagp.exe)
   - Executes dropped EXE
   - Loads dropped DLL
   - Drops file in System32 directory
32. PID 2788: C:\Windows\SysWOW64\Lcjamb32.exe (command line: C:\Windows\system32\Lcjamb32.exe)
   - Executes dropped EXE
   - Loads dropped DLL
33. PID 2564: C:\Windows\SysWOW64\Mghjcq32.exe (command line: C:\Windows\system32\Mghjcq32.exe)
   - Executes dropped EXE
34. PID 2588: C:\Windows\SysWOW64\Mnbbpkjg.exe (command line: C:\Windows\system32\Mnbbpkjg.exe)
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
   - Drops file in System32 directory
35. PID 2180: C:\Windows\SysWOW64\Mcagma32.exe (command line: C:\Windows\system32\Mcagma32.exe)
   - Executes dropped EXE
36. PID 2932: C:\Windows\SysWOW64\Mcddca32.exe (command line: C:\Windows\system32\Mcddca32.exe)
   - Executes dropped EXE
37. PID 2636: C:\Windows\SysWOW64\Mloigc32.exe (command line: C:\Windows\system32\Mloigc32.exe)
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
   - System Location Discovery: System Language Discovery
38. PID 2020: C:\Windows\SysWOW64\Nlafmcpa.exe (command line: C:\Windows\system32\Nlafmcpa.exe)
   - Executes dropped EXE
39. PID 2888: C:\Windows\SysWOW64\Nldbbbno.exe (command line: C:\Windows\system32\Nldbbbno.exe)
   - Executes dropped EXE
40. PID 2928: C:\Windows\SysWOW64\Nhjcgccc.exe (command line: C:\Windows\system32\Nhjcgccc.exe)
   - Executes dropped EXE
41. PID 2848: C:\Windows\SysWOW64\Nhmpmcaq.exe (command line: C:\Windows\system32\Nhmpmcaq.exe)
   - Executes dropped EXE
   - Modifies registry class
42. PID 2976: C:\Windows\SysWOW64\Nhombc32.exe (command line: C:\Windows\system32\Nhombc32.exe)
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
43. PID 2164: C:\Windows\SysWOW64\Nmlekj32.exe (command line: C:\Windows\system32\Nmlekj32.exe)
   - Executes dropped EXE
44. PID 2240: C:\Windows\SysWOW64\Oenppk32.exe (command line: C:\Windows\system32\Oenppk32.exe)
   - Executes dropped EXE
   - Drops file in System32 directory
45. PID 2864: C:\Windows\SysWOW64\Oaeqeljm.exe (command line: C:\Windows\system32\Oaeqeljm.exe)
   - Executes dropped EXE
46. PID 2012: C:\Windows\SysWOW64\Olkebejb.exe (command line: C:\Windows\system32\Olkebejb.exe)
   - Executes dropped EXE
47. PID 1400: C:\Windows\SysWOW64\Ooianpif.exe (command line: C:\Windows\system32\Ooianpif.exe)
   - Executes dropped EXE
   - Drops file in System32 directory
48. PID 1984: C:\Windows\SysWOW64\Pdfifg32.exe (command line: C:\Windows\system32\Pdfifg32.exe)
   - Executes dropped EXE
49. PID 1732: C:\Windows\SysWOW64\Pmnnomnn.exe (command line: C:\Windows\system32\Pmnnomnn.exe)
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
50. PID 676: C:\Windows\SysWOW64\Phcbmend.exe (command line: C:\Windows\system32\Phcbmend.exe)
   - Executes dropped EXE
51. PID 2472: C:\Windows\SysWOW64\Pmqkellk.exe (command line: C:\Windows\system32\Pmqkellk.exe)
   - Executes dropped EXE
52. PID 1600: C:\Windows\SysWOW64\Pdjcaf32.exe (command line: C:\Windows\system32\Pdjcaf32.exe)
   - Executes dropped EXE
   - Modifies registry class
53. PID 2108: C:\Windows\SysWOW64\Pncgjl32.exe (command line: C:\Windows\system32\Pncgjl32.exe)
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
54. PID 1588: C:\Windows\SysWOW64\Pcppbc32.exe (command line: C:\Windows\system32\Pcppbc32.exe)
   - Executes dropped EXE
55. PID 2720: C:\Windows\SysWOW64\Plhdkhoq.exe (command line: C:\Windows\system32\Plhdkhoq.exe)
   - Executes dropped EXE
56. PID 2576: C:\Windows\SysWOW64\Pcbmhb32.exe (command line: C:\Windows\system32\Pcbmhb32.exe)
   - Executes dropped EXE
57. PID 2916: C:\Windows\SysWOW64\Qljaah32.exe (command line: C:\Windows\system32\Qljaah32.exe)
   - Executes dropped EXE
58. PID 2660: C:\Windows\SysWOW64\Qcdinbdk.exe (command line: C:\Windows\system32\Qcdinbdk.exe)
   - Executes dropped EXE
59. PID 2028: C:\Windows\SysWOW64\Qjnajl32.exe (command line: C:\Windows\system32\Qjnajl32.exe)
   - Executes dropped EXE
60. PID 1992: C:\Windows\SysWOW64\Qlmnfh32.exe (command line: C:\Windows\system32\Qlmnfh32.exe)
   - Executes dropped EXE
61. PID 2356: C:\Windows\SysWOW64\Adhbkj32.exe (command line: C:\Windows\system32\Adhbkj32.exe)
   - Executes dropped EXE
62. PID 2328: C:\Windows\SysWOW64\Aalcdngp.exe (command line: C:\Windows\system32\Aalcdngp.exe)
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
63. PID 1736: C:\Windows\SysWOW64\Agikmeeg.exe (command line: C:\Windows\system32\Agikmeeg.exe)
   - Executes dropped EXE
64. PID 1628: C:\Windows\SysWOW64\Abnpjnem.exe (command line: C:\Windows\system32\Abnpjnem.exe)
   - Executes dropped EXE
65. PID 2188: C:\Windows\SysWOW64\Agkhbece.exe (command line: C:\Windows\system32\Agkhbece.exe)
   - Executes dropped EXE
66. PID 2024: C:\Windows\SysWOW64\Ajidnp32.exe (command line: C:\Windows\system32\Ajidnp32.exe)
67. PID 2348: C:\Windows\SysWOW64\Abqlpn32.exe (command line: C:\Windows\system32\Abqlpn32.exe)
68. PID 928: C:\Windows\SysWOW64\Adoili32.exe (command line: C:\Windows\system32\Adoili32.exe)
69. PID 1076: C:\Windows\SysWOW64\Aqfiqjgb.exe (command line: C:\Windows\system32\Aqfiqjgb.exe)
70. PID 876: C:\Windows\SysWOW64\Acdemegf.exe (command line: C:\Windows\system32\Acdemegf.exe)
71. PID 2304: C:\Windows\SysWOW64\Anjjjn32.exe (command line: C:\Windows\system32\Anjjjn32.exe)
72. PID 236: C:\Windows\SysWOW64\Bqhffj32.exe (command line: C:\Windows\system32\Bqhffj32.exe)
   - Adds autorun key to be loaded by Explorer.exe on startup
   - System Location Discovery: System Language Discovery
73. PID 1608: C:\Windows\SysWOW64\Bgbncdmm.exe (command line: C:\Windows\system32\Bgbncdmm.exe)
   - Modifies registry class
74. PID 2672: C:\Windows\SysWOW64\Bjqjoolp.exe (command line: C:\Windows\system32\Bjqjoolp.exe)
75. PID 2808: C:\Windows\SysWOW64\Bciohe32.exe (command line: C:\Windows\system32\Bciohe32.exe)
   - Drops file in System32 directory
76. PID 2040: C:\Windows\SysWOW64\Bjcgdojn.exe (command line: C:\Windows\system32\Bjcgdojn.exe)
77. PID 3068: C:\Windows\SysWOW64\Bmacqj32.exe (command line: C:\Windows\system32\Bmacqj32.exe)
78. PID 1288: C:\Windows\SysWOW64\Boppmf32.exe (command line: C:\Windows\system32\Boppmf32.exe)
   - Adds autorun key to be loaded by Explorer.exe on startup
79. PID 584: C:\Windows\SysWOW64\Bfjhippb.exe (command line: C:\Windows\system32\Bfjhippb.exe)
80. PID 1484: C:\Windows\SysWOW64\Bihdfkoe.exe (command line: C:\Windows\system32\Bihdfkoe.exe)
81. PID 1108: C:\Windows\SysWOW64\Boblbe32.exe (command line: C:\Windows\system32\Boblbe32.exe)
82. PID 940: C:\Windows\SysWOW64\Bfldopno.exe (command line: C:\Windows\system32\Bfldopno.exe)
83. PID 2360: C:\Windows\SysWOW64\Bgmagh32.exe (command line: C:\Windows\system32\Bgmagh32.exe)
   - System Location Discovery: System Language Discovery
84. PID 1060: C:\Windows\SysWOW64\Bpdihedp.exe (command line: C:\Windows\system32\Bpdihedp.exe)
85. PID 1604: C:\Windows\SysWOW64\Beaaplbg.exe (command line: C:\Windows\system32\Beaaplbg.exe)
86. PID 592: C:\Windows\SysWOW64\Cgpnlgak.exe (command line: C:\Windows\system32\Cgpnlgak.exe)
87. PID 856: C:\Windows\SysWOW64\Cahbem32.exe (command line: C:\Windows\system32\Cahbem32.exe)
88. PID 2620: C:\Windows\SysWOW64\Ccfoah32.exe (command line: C:\Windows\system32\Ccfoah32.exe)
89. PID 1720: C:\Windows\SysWOW64\Cajokmfi.exe (command line: C:\Windows\system32\Cajokmfi.exe)
   - Modifies registry class
90. PID 2688: C:\Windows\SysWOW64\Cgdggg32.exe (command line: C:\Windows\system32\Cgdggg32.exe)
91. PID 536: C:\Windows\SysWOW64\Cgfdmf32.exe (command line: C:\Windows\system32\Cgfdmf32.exe)
   - Drops file in System32 directory
92. PID 2800: C:\Windows\SysWOW64\Cihqdoaa.exe (command line: C:\Windows\system32\Cihqdoaa.exe)
   - System Location Discovery: System Language Discovery
93. PID 2524: C:\Windows\SysWOW64\Cbpendha.exe (command line: C:\Windows\system32\Cbpendha.exe)
94. PID 2528: C:\Windows\SysWOW64\Cpdeghgk.exe (command line: C:\Windows\system32\Cpdeghgk.exe)
95. PID 2856: C:\Windows\SysWOW64\Dmhfpmee.exe (command line: C:\Windows\system32\Dmhfpmee.exe)
96. PID 852: C:\Windows\SysWOW64\Dpfblh32.exe (command line: C:\Windows\system32\Dpfblh32.exe)
97. PID 2764: C:\Windows\SysWOW64\Deckeo32.exe (command line: C:\Windows\system32\Deckeo32.exe)
98. PID 276: C:\Windows\SysWOW64\Dpiobh32.exe (command line: C:\Windows\system32\Dpiobh32.exe)
99. PID 952: C:\Windows\SysWOW64\Diackmif.exe (command line: C:\Windows\system32\Diackmif.exe)
100. PID 396: C:\Windows\SysWOW64\Dkbpbe32.exe (command line: C:\Windows\system32\Dkbpbe32.exe)
   - System Location Discovery: System Language Discovery
101. PID 2236: C:\Windows\SysWOW64\Dhfpljnn.exe (command line: C:\Windows\system32\Dhfpljnn.exe)
102. PID 1508: C:\Windows\SysWOW64\Dophid32.exe (command line: C:\Windows\system32\Dophid32.exe)
103. PID 696: C:\Windows\SysWOW64\Dejqenmh.exe (command line: C:\Windows\system32\Dejqenmh.exe)
104. PID 2756: C:\Windows\SysWOW64\Eobenc32.exe (command line: C:\Windows\system32\Eobenc32.exe)
   - Modifies registry class
105. PID 2544: C:\Windows\SysWOW64\Edpnfjap.exe (command line: C:\Windows\system32\Edpnfjap.exe)
106. PID 544: C:\Windows\SysWOW64\Eilfoapg.exe (command line: C:\Windows\system32\Eilfoapg.exe)
   - Drops file in System32 directory
107. PID 2560: C:\Windows\SysWOW64\Edbjljpm.exe (command line: C:\Windows\system32\Edbjljpm.exe)
   - Modifies registry class
108. PID 1420: C:\Windows\SysWOW64\Egpfheoa.exe (command line: C:\Windows\system32\Egpfheoa.exe)
109. PID 1172: C:\Windows\SysWOW64\Elmoqlmh.exe (command line: C:\Windows\system32\Elmoqlmh.exe)
   - Adds autorun key to be loaded by Explorer.exe on startup
   - System Location Discovery: System Language Discovery
   - Modifies registry class
110. PID 2228: C:\Windows\SysWOW64\Eddgaj32.exe (command line: C:\Windows\system32\Eddgaj32.exe)
111. PID 1572: C:\Windows\SysWOW64\Eiapjq32.exe (command line: C:\Windows\system32\Eiapjq32.exe)
   - Drops file in System32 directory
112. PID 2284: C:\Windows\SysWOW64\Emmljodk.exe (command line: C:\Windows\system32\Emmljodk.exe)
113. PID 1692: C:\Windows\SysWOW64\Egepce32.exe (command line: C:\Windows\system32\Egepce32.exe)
114. PID 2208: C:\Windows\SysWOW64\Eiclop32.exe (command line: C:\Windows\system32\Eiclop32.exe)
115. PID 2804: C:\Windows\SysWOW64\Eopehg32.exe (command line: C:\Windows\system32\Eopehg32.exe)
   - System Location Discovery: System Language Discovery
116. PID 2552: C:\Windows\SysWOW64\Fcnmne32.exe (command line: C:\Windows\system32\Fcnmne32.exe)
117. PID 2580: C:\Windows\SysWOW64\Fhkffl32.exe (command line: C:\Windows\system32\Fhkffl32.exe)
118. PID 2540: C:\Windows\SysWOW64\Foencfda.exe (command line: C:\Windows\system32\Foencfda.exe)
119. PID 1860: C:\Windows\SysWOW64\Facjobce.exe (command line: C:\Windows\system32\Facjobce.exe)
120. PID 2144: C:\Windows\SysWOW64\Fhmblljb.exe (command line: C:\Windows\system32\Fhmblljb.exe)
121. PID 2056: C:\Windows\SysWOW64\Faegda32.exe (command line: C:\Windows\system32\Faegda32.exe)
122. PID 2000: C:\Windows\SysWOW64\Fddcqm32.exe (command line: C:\Windows\system32\Fddcqm32.exe)