Analysis

max time kernel: 111s
max time network: 16s
platform: windows7_x64
resource: win7-20240729-en
resource tags: arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system
submitted: 08/09/2024, 16:25
Static task: static1

Behavioral task: behavioral1
  Sample: 0e43aec7667bd8957a7a373a28ea2eb0N.exe
  Resource: win7-20240729-en

Behavioral task: behavioral2
  Sample: 0e43aec7667bd8957a7a373a28ea2eb0N.exe
  Resource: win10v2004-20240802-en
General

Target: 0e43aec7667bd8957a7a373a28ea2eb0N.exe
Size: 363KB
MD5: 0e43aec7667bd8957a7a373a28ea2eb0
SHA1: d6d3e803207e3f6e1de6aa0bbe5c9d09c08a6e3b
SHA256: 0994bd312af7624cf5fcb282b4279418e5612725f429ac6f3d1f64313b918ef5
SHA512: d5833be043bacf2756fefc35d021f0260873f95c82d7441dd1d1291541d5085cbfd4e081596b559e70517064e1ff99032b0d838be6c9f8176d31b16739386079
SSDEEP: 6144:iROdjbFQ43VU5tTbVXksax8n5tTDUZNSN58VU5tT:iRiHFQcG5tP6sus5t6NSN6G5t
Malware Config

Signatures
Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
Executes dropped EXE (64 IoCs)
Loads dropped DLL (64 IoCs)
Drops file in System32 directory (64 IoCs)
Program crash (1 IoC)
pid: 7740, pid_target: 9040, Process: WerFault.exe
System Location Discovery: System Language Discovery (1 TTP, 64 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Modifies registry class (64 IoCs)
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pmlngdhk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dgbgon32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bpfioeef.dll" Eolljk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gnmdfi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Himkgf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbffjdpp.dll" Faikbkhj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lnbmgkoo.dll" Ohhcokmp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bkddjkej.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fcgdjmlo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bojcalcl.dll" Ccolja32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ijmkkc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Odaqikaa.exe Key created 
\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jaaoakmc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lkccob32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pceqfl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mbmjdo32.dll" Fqqdigko.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pogaeg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fimamm32.dll" Aaeiqf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjincg32.dll" Jocceo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Agloko32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffinab32.dll" Ojlife32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ppicdhan.dll" Bnemlf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gdpfbd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ckajqo32.exe Set value (str) 
\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Glqang32.dll" Mgaqohql.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hpehnofm.dll" Lpnobi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mmpobi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oefcdgnb.dll" Nmkbfmpf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bbjoki32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hfalaj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aodqok32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dpmlcpdm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gbfklolh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Obgmjh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibnoen32.dll" Bqciha32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hnlqemal.exe Key created 
\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mjmiknng.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nidoamch.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cpgieb32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Khcdijac.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jkdalb32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffecai32.dll" Lpmeojbo.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lcmopepp.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nlabjj32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Omekgakg.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fompem32.dll" Eaangfjf.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Moljfnpo.dll" Ppiapp32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jhchjgoh.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bklicbjm.dll" Imkqmh32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Doapanne.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mcpgomne.dll" Adfbbabc.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eaoaafli.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ponioeij.dll" Fimclh32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pedmbg32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dbhbfmkd.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Niadmlcg.dll" Nbddfe32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Momdeobl.dll" Aonjpp32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mcegqmpg.dll" Mmafmo32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gnenfjdh.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjdbckib.dll" Jiinmnaa.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbainp32.dll" Afqeaemk.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Phoeomjc.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipgnbg32.dll" Ccdnipal.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Agaifnhi.exe
-
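Added example, not part of the sandbox report: the InProcServer32 entries above are only half of the persistence mechanism. The other half is the ShellServiceObjectDelayLoad (SSODL) write behind the "Adds autorun key to be loaded by Explorer.exe on startup" signature in the process tree. Explorer enumerates the SSODL values at logon, treats each value's data as a CLSID and loads that CLSID's InProcServer32 DLL into its own process. The sample keeps rewriting the InProcServer32 default of {79FEACFF-FFCE-815E-A900-316290B5B738} so that it points at whichever randomly named DLL the current generation of the chain dropped into SysWow64, so the DLL Explorer will actually load is the one written last. The script below correlates both kinds of line from the report's flattened format and resolves that final DLL. The CLSID lines in the sample are copied from the entries above; the SSODL line, its value name and its writing process are constructed for illustration. The live-host function uses only the standard winreg module and is not exercised here.

```python
"""Correlate sandbox registry events into an SSODL-to-InProcServer32 persistence chain."""
import re
from collections import defaultdict

# Constructed sample in the report's flattened line format:
#   <op> <key>[\<value>] [= "<data>"] <writing process>
# The CLSID lines are copied from the report; the SSODL line is constructed
# (value name "Web Event Logger" and writer Naihdb32.exe are assumptions).
SAMPLE_EVENTS = [
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Naihdb32.exe',
    r'Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cpgieb32.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nidoamch.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffecai32.dll" Lpmeojbo.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Moljfnpo.dll" Ppiapp32.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipgnbg32.dll" Ccdnipal.exe',
]

EVENT_RE = re.compile(r'^(?P<op>Key created|Set value \(\w+\)) (?P<body>.+) (?P<proc>\S+\.exe)$')
SSODL_RE = re.compile(r'\\ShellServiceObjectDelayLoad\\(?P<name>[^=]+?) = "(?P<clsid>\{[0-9A-Fa-f-]{36}\})"')
SERVER_RE = re.compile(r'\\CLSID\\(?P<clsid>\{[0-9A-Fa-f-]{36}\})\\InProcServer32\\ = "(?P<dll>[^"]+)"')


def parse_event(line):
    """Split one report line into (operation, registry body, writing process), or None."""
    m = EVENT_RE.match(line.strip())
    return m.groups() if m else None


def resolve_ssodl(lines):
    """Map each CLSID registered in SSODL to the in-process servers written for it.

    Returns {clsid: {"name": SSODL value name, "registered_by": [procs],
                     "servers": [(dll, proc), ...] in write order}}.
    The last "servers" entry is the DLL Explorer will load; earlier ones were overwritten.
    """
    entries = {}
    servers = defaultdict(list)
    for line in lines:
        ev = parse_event(line)
        if not ev or not ev[0].startswith("Set value"):
            continue
        _, body, proc = ev
        m = SSODL_RE.search(body)
        if m:
            e = entries.setdefault(m["clsid"].upper(), {"name": m["name"], "registered_by": []})
            e["registered_by"].append(proc)
            continue
        m = SERVER_RE.search(body)
        if m:
            # the report escapes backslashes inside quoted data; undo that
            servers[m["clsid"].upper()].append((m["dll"].replace("\\\\", "\\"), proc))
    for clsid, e in entries.items():
        e["servers"] = servers.get(clsid, [])
    return entries


def hijacked(entries):
    """CLSIDs that Explorer loads via SSODL *and* whose server was (re)pointed during the run.

    Yields (clsid, SSODL name, final DLL, number of rewrites): the DLLs worth pulling.
    """
    return [(clsid, e["name"], e["servers"][-1][0], len(e["servers"]))
            for clsid, e in entries.items() if e["servers"]]


def live_ssodl():
    """Windows-only check: list (view, value name, CLSID, InProcServer32 DLL) on this host.

    Both the native and the Wow6432Node SSODL keys are walked, because a 32-bit
    sample's HKLM\\SOFTWARE writes are redirected to Wow6432Node.
    """
    import winreg  # standard library, only importable on Windows
    hklm = winreg.HKEY_LOCAL_MACHINE
    found = []
    for view in (r"SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad",
                 r"SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad"):
        try:
            key = winreg.OpenKey(hklm, view)
        except OSError:
            continue
        with key:
            for i in range(winreg.QueryInfoKey(key)[1]):
                name, clsid, _ = winreg.EnumValue(key, i)
                dll = None
                for classes in (r"SOFTWARE\Classes\CLSID", r"SOFTWARE\Classes\Wow6432Node\CLSID"):
                    try:
                        with winreg.OpenKey(hklm, r"%s\%s\InProcServer32" % (classes, clsid)) as sk:
                            dll = winreg.QueryValueEx(sk, "")[0]
                        break
                    except OSError:
                        pass
                found.append((view, name, clsid, dll))
    return found


if __name__ == "__main__":
    for clsid, name, dll, n in hijacked(resolve_ssodl(SAMPLE_EVENTS)):
        print(f"{name} {clsid} -> {dll}  ({n} rewrites)")
```

Two caveats when reading the resolved path. Every key above sits under Wow6432Node because the sample is 32-bit and its HKLM\SOFTWARE writes are redirected there; on this x64 image the 64-bit explorer.exe reads the native SSODL key, so the hijack takes effect for a 32-bit shell host or on 32-bit Windows, where the same writes land in the real key. And a DLL living in SysWow64 is no evidence of legitimacy: compare the resolved server against the DLL that CLSID normally registers, or check its Authenticode signature, rather than trusting the directory.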
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target
PID 1744 wrote to memory of 1084 1744 0e43aec7667bd8957a7a373a28ea2eb0N.exe 29
PID 1744 wrote to memory of 1084 1744 0e43aec7667bd8957a7a373a28ea2eb0N.exe 29
PID 1744 wrote to memory of 1084 1744 0e43aec7667bd8957a7a373a28ea2eb0N.exe 29
PID 1744 wrote to memory of 1084 1744 0e43aec7667bd8957a7a373a28ea2eb0N.exe 29
PID 1084 wrote to memory of 1796 1084 Nmmlccfp.exe 30
PID 1084 wrote to memory of 1796 1084 Nmmlccfp.exe 30
PID 1084 wrote to memory of 1796 1084 Nmmlccfp.exe 30
PID 1084 wrote to memory of 1796 1084 Nmmlccfp.exe 30
PID 1796 wrote to memory of 2904 1796 Naihdb32.exe 31
PID 1796 wrote to memory of 2904 1796 Naihdb32.exe 31
PID 1796 wrote to memory of 2904 1796 Naihdb32.exe 31
PID 1796 wrote to memory of 2904 1796 Naihdb32.exe 31
PID 2904 wrote to memory of 3020 2904 Nhbqqlfe.exe 32
PID 2904 wrote to memory of 3020 2904 Nhbqqlfe.exe 32
PID 2904 wrote to memory of 3020 2904 Nhbqqlfe.exe 32
PID 2904 wrote to memory of 3020 2904 Nhbqqlfe.exe 32
PID 3020 wrote to memory of 2664 3020 Njammhei.exe 33
PID 3020 wrote to memory of 2664 3020 Njammhei.exe 33
PID 3020 wrote to memory of 2664 3020 Njammhei.exe 33
PID 3020 wrote to memory of 2664 3020 Njammhei.exe 33
PID 2664 wrote to memory of 2640 2664 Odlnkmjg.exe 34
PID 2664 wrote to memory of 2640 2664 Odlnkmjg.exe 34
PID 2664 wrote to memory of 2640 2664 Odlnkmjg.exe 34
PID 2664 wrote to memory of 2640 2664 Odlnkmjg.exe 34
PID 2640 wrote to memory of 784 2640 Obonfj32.exe 35
PID 2640 wrote to memory of 784 2640 Obonfj32.exe 35
PID 2640 wrote to memory of 784 2640 Obonfj32.exe 35
PID 2640 wrote to memory of 784 2640 Obonfj32.exe 35
PID 784 wrote to memory of 2864 784 Oiifcdhn.exe 36
PID 784 wrote to memory of 2864 784 Oiifcdhn.exe 36
PID 784 wrote to memory of 2864 784 Oiifcdhn.exe 36
PID 784 wrote to memory of 2864 784 Oiifcdhn.exe 36
PID 2864 wrote to memory of 1076 2864 Ooeolkff.exe 37
PID 2864 wrote to memory of 1076 2864 Ooeolkff.exe 37
PID 2864 wrote to memory of 1076 2864 Ooeolkff.exe 37
PID 2864 wrote to memory of 1076 2864 Ooeolkff.exe 37
PID 1076 wrote to memory of 1544 1076 Obakli32.exe 38
PID 1076 wrote to memory of 1544 1076 Obakli32.exe 38
PID 1076 wrote to memory of 1544 1076 Obakli32.exe 38
PID 1076 wrote to memory of 1544 1076 Obakli32.exe 38
PID 1544 wrote to memory of 2532 1544 Obfdgiji.exe 39
PID 1544 wrote to memory of 2532 1544 Obfdgiji.exe 39
PID 1544 wrote to memory of 2532 1544 Obfdgiji.exe 39
PID 1544 wrote to memory of 2532 1544 Obfdgiji.exe 39
PID 2532 wrote to memory of 2740 2532 Oedqcdim.exe 40
PID 2532 wrote to memory of 2740 2532 Oedqcdim.exe 40
PID 2532 wrote to memory of 2740 2532 Oedqcdim.exe 40
PID 2532 wrote to memory of 2740 2532 Oedqcdim.exe 40
PID 2740 wrote to memory of 2988 2740 Odimdqne.exe 41
PID 2740 wrote to memory of 2988 2740 Odimdqne.exe 41
PID 2740 wrote to memory of 2988 2740 Odimdqne.exe 41
PID 2740 wrote to memory of 2988 2740 Odimdqne.exe 41
PID 2988 wrote to memory of 1996 2988 Pkcfak32.exe 42
PID 2988 wrote to memory of 1996 2988 Pkcfak32.exe 42
PID 2988 wrote to memory of 1996 2988 Pkcfak32.exe 42
PID 2988 wrote to memory of 1996 2988 Pkcfak32.exe 42
PID 1996 wrote to memory of 3040 1996 Phgfko32.exe 43
PID 1996 wrote to memory of 3040 1996 Phgfko32.exe 43
PID 1996 wrote to memory of 3040 1996 Phgfko32.exe 43
PID 1996 wrote to memory of 3040 1996 Phgfko32.exe 43
PID 3040 wrote to memory of 2028 3040 Pkebgj32.exe 44
PID 3040 wrote to memory of 2028 3040 Pkebgj32.exe 44
PID 3040 wrote to memory of 2028 3040 Pkebgj32.exe 44
PID 3040 wrote to memory of 2028 3040 Pkebgj32.exe 44
Processes
-
1. C:\Users\Admin\AppData\Local\Temp\0e43aec7667bd8957a7a373a28ea2eb0N.exe  [command line: "C:\Users\Admin\AppData\Local\Temp\0e43aec7667bd8957a7a373a28ea2eb0N.exe"]  PID:1744
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
2. C:\Windows\SysWOW64\Nmmlccfp.exe  [command line: C:\Windows\system32\Nmmlccfp.exe]  PID:1084
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
3. C:\Windows\SysWOW64\Naihdb32.exe  [command line: C:\Windows\system32\Naihdb32.exe]  PID:1796
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
4. C:\Windows\SysWOW64\Nhbqqlfe.exe  [command line: C:\Windows\system32\Nhbqqlfe.exe]  PID:2904
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
5. C:\Windows\SysWOW64\Njammhei.exe  [command line: C:\Windows\system32\Njammhei.exe]  PID:3020
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
6. C:\Windows\SysWOW64\Odlnkmjg.exe  [command line: C:\Windows\system32\Odlnkmjg.exe]  PID:2664
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
7. C:\Windows\SysWOW64\Obonfj32.exe  [command line: C:\Windows\system32\Obonfj32.exe]  PID:2640
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
8. C:\Windows\SysWOW64\Oiifcdhn.exe  [command line: C:\Windows\system32\Oiifcdhn.exe]  PID:784
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
9. C:\Windows\SysWOW64\Ooeolkff.exe  [command line: C:\Windows\system32\Ooeolkff.exe]  PID:2864
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
10. C:\Windows\SysWOW64\Obakli32.exe  [command line: C:\Windows\system32\Obakli32.exe]  PID:1076
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
11. C:\Windows\SysWOW64\Obfdgiji.exe  [command line: C:\Windows\system32\Obfdgiji.exe]  PID:1544
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
12. C:\Windows\SysWOW64\Oedqcdim.exe  [command line: C:\Windows\system32\Oedqcdim.exe]  PID:2532
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
13. C:\Windows\SysWOW64\Odimdqne.exe  [command line: C:\Windows\system32\Odimdqne.exe]  PID:2740
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
14. C:\Windows\SysWOW64\Pkcfak32.exe  [command line: C:\Windows\system32\Pkcfak32.exe]  PID:2988
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
15. C:\Windows\SysWOW64\Phgfko32.exe  [command line: C:\Windows\system32\Phgfko32.exe]  PID:1996
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
16. C:\Windows\SysWOW64\Pkebgj32.exe  [command line: C:\Windows\system32\Pkebgj32.exe]  PID:3040
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
17. C:\Windows\SysWOW64\Papkcd32.exe  [command line: C:\Windows\system32\Papkcd32.exe]  PID:2028
- Executes dropped EXE
- Loads dropped DLL
18. C:\Windows\SysWOW64\Pccdqloh.exe  [command line: C:\Windows\system32\Pccdqloh.exe]  PID:1368
- Executes dropped EXE
- Loads dropped DLL
19. C:\Windows\SysWOW64\Pimlmf32.exe  [command line: C:\Windows\system32\Pimlmf32.exe]  PID:1576
- Executes dropped EXE
- Loads dropped DLL
20. C:\Windows\SysWOW64\Pllhib32.exe  [command line: C:\Windows\system32\Pllhib32.exe]  PID:1816
- Executes dropped EXE
- Loads dropped DLL
21. C:\Windows\SysWOW64\Pceqfl32.exe  [command line: C:\Windows\system32\Pceqfl32.exe]  PID:2456
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
22. C:\Windows\SysWOW64\Pedmbg32.exe  [command line: C:\Windows\system32\Pedmbg32.exe]  PID:1752
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
23. C:\Windows\SysWOW64\Ppiapp32.exe  [command line: C:\Windows\system32\Ppiapp32.exe]  PID:1952
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
24. C:\Windows\SysWOW64\Qakmghbm.exe  [command line: C:\Windows\system32\Qakmghbm.exe]  PID:2572
- Executes dropped EXE
- Loads dropped DLL
25. C:\Windows\SysWOW64\Qjbehfbo.exe  [command line: C:\Windows\system32\Qjbehfbo.exe]  PID:884
- Executes dropped EXE
- Loads dropped DLL
26. C:\Windows\SysWOW64\Qlpadaac.exe  [command line: C:\Windows\system32\Qlpadaac.exe]  PID:1740
- Executes dropped EXE
- Loads dropped DLL
27. C:\Windows\SysWOW64\Qcjjakip.exe  [command line: C:\Windows\system32\Qcjjakip.exe]  PID:1620
- Executes dropped EXE
- Loads dropped DLL
28. C:\Windows\SysWOW64\Qfifmghc.exe  [command line: C:\Windows\system32\Qfifmghc.exe]  PID:2840
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
29. C:\Windows\SysWOW64\Qhgbibgg.exe  [command line: C:\Windows\system32\Qhgbibgg.exe]  PID:2160
- Executes dropped EXE
- Loads dropped DLL
30. C:\Windows\SysWOW64\Qlbnja32.exe  [command line: C:\Windows\system32\Qlbnja32.exe]  PID:2516
- Executes dropped EXE
- Loads dropped DLL
31. C:\Windows\SysWOW64\Andkbien.exe  [command line: C:\Windows\system32\Andkbien.exe]  PID:2688
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
32. C:\Windows\SysWOW64\Agloko32.exe  [command line: C:\Windows\system32\Agloko32.exe]  PID:2828
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
33. C:\Windows\SysWOW64\Anfggicl.exe  [command line: C:\Windows\system32\Anfggicl.exe]  PID:2628
- Executes dropped EXE
34. C:\Windows\SysWOW64\Aqddcdbo.exe  [command line: C:\Windows\system32\Aqddcdbo.exe]  PID:2684
- Executes dropped EXE
35. C:\Windows\SysWOW64\Akjham32.exe  [command line: C:\Windows\system32\Akjham32.exe]  PID:2500
- Executes dropped EXE
36. C:\Windows\SysWOW64\Anhdmh32.exe  [command line: C:\Windows\system32\Anhdmh32.exe]  PID:1112
- Executes dropped EXE
37. C:\Windows\SysWOW64\Adbmjbif.exe  [command line: C:\Windows\system32\Adbmjbif.exe]  PID:2876
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
38. C:\Windows\SysWOW64\Agaifnhi.exe  [command line: C:\Windows\system32\Agaifnhi.exe]  PID:2076
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
39. C:\Windows\SysWOW64\Ajoebigm.exe  [command line: C:\Windows\system32\Ajoebigm.exe]  PID:2004
- Executes dropped EXE
40. C:\Windows\SysWOW64\Amnanefa.exe  [command line: C:\Windows\system32\Amnanefa.exe]  PID:2440
- Executes dropped EXE
41. C:\Windows\SysWOW64\Agcekn32.exe  [command line: C:\Windows\system32\Agcekn32.exe]  PID:2008
- Executes dropped EXE
42. C:\Windows\SysWOW64\Ajaagi32.exe  [command line: C:\Windows\system32\Ajaagi32.exe]  PID:1540
- Executes dropped EXE
- System Location Discovery: System Language Discovery
43. C:\Windows\SysWOW64\Ampncd32.exe  [command line: C:\Windows\system32\Ampncd32.exe]  PID:2236
- Executes dropped EXE
- System Location Discovery: System Language Discovery
44. C:\Windows\SysWOW64\Aonjpp32.exe  [command line: C:\Windows\system32\Aonjpp32.exe]  PID:1584
- Executes dropped EXE
- Modifies registry class
45. C:\Windows\SysWOW64\Agebam32.exe  [command line: C:\Windows\system32\Agebam32.exe]  PID:2520
- Executes dropped EXE
46. C:\Windows\SysWOW64\Bjdnmi32.exe  [command line: C:\Windows\system32\Bjdnmi32.exe]  PID:2724
- Executes dropped EXE
47. C:\Windows\SysWOW64\Bmbkid32.exe  [command line: C:\Windows\system32\Bmbkid32.exe]  PID:3016
- Executes dropped EXE
48. C:\Windows\SysWOW64\Boqgep32.exe  [command line: C:\Windows\system32\Boqgep32.exe]  PID:1716
- Executes dropped EXE
49. C:\Windows\SysWOW64\Bfkobj32.exe  [command line: C:\Windows\system32\Bfkobj32.exe]  PID:2852
- Executes dropped EXE
50. C:\Windows\SysWOW64\Bjfkbhae.exe  [command line: C:\Windows\system32\Bjfkbhae.exe]  PID:2844
- Executes dropped EXE
51. C:\Windows\SysWOW64\Biikne32.exe  [command line: C:\Windows\system32\Biikne32.exe]  PID:2908
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
52. C:\Windows\SysWOW64\Bkghjq32.exe  [command line: C:\Windows\system32\Bkghjq32.exe]  PID:1612
- Executes dropped EXE
- System Location Discovery: System Language Discovery
53. C:\Windows\SysWOW64\Bcopkn32.exe  [command line: C:\Windows\system32\Bcopkn32.exe]  PID:2196
- Executes dropped EXE
54. C:\Windows\SysWOW64\Bfmlgi32.exe  [command line: C:\Windows\system32\Bfmlgi32.exe]  PID:2144
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
55. C:\Windows\SysWOW64\Bikhce32.exe  [command line: C:\Windows\system32\Bikhce32.exe]  PID:2832
- Executes dropped EXE
56. C:\Windows\SysWOW64\Bmgddcnf.exe  [command line: C:\Windows\system32\Bmgddcnf.exe]  PID:2972
- Executes dropped EXE
57. C:\Windows\SysWOW64\Boeppomj.exe  [command line: C:\Windows\system32\Boeppomj.exe]  PID:960
- Executes dropped EXE
58. C:\Windows\SysWOW64\Bnhqll32.exe  [command line: C:\Windows\system32\Bnhqll32.exe]  PID:940
- Executes dropped EXE
59. C:\Windows\SysWOW64\Bineidcj.exe  [command line: C:\Windows\system32\Bineidcj.exe]  PID:1640
- Executes dropped EXE
60. C:\Windows\SysWOW64\Bgqeea32.exe  [command line: C:\Windows\system32\Bgqeea32.exe]  PID:1052
- Executes dropped EXE
61. C:\Windows\SysWOW64\Bklaepbn.exe  [command line: C:\Windows\system32\Bklaepbn.exe]  PID:2056
- Executes dropped EXE
62. C:\Windows\SysWOW64\Bnkmakbb.exe  [command line: C:\Windows\system32\Bnkmakbb.exe]  PID:836
- Executes dropped EXE
63. C:\Windows\SysWOW64\Bbfibj32.exe  [command line: C:\Windows\system32\Bbfibj32.exe]  PID:1568
- Executes dropped EXE
64. C:\Windows\SysWOW64\Baiingae.exe  [command line: C:\Windows\system32\Baiingae.exe]  PID:2916
- Executes dropped EXE
65. C:\Windows\SysWOW64\Bipaodah.exe  [command line: C:\Windows\system32\Bipaodah.exe]  PID:1936
- Executes dropped EXE
66. C:\Windows\SysWOW64\Bkonkpqk.exe  [command line: C:\Windows\system32\Bkonkpqk.exe]  PID:2968
67. C:\Windows\SysWOW64\Bjanfl32.exe  [command line: C:\Windows\system32\Bjanfl32.exe]  PID:1676
68. C:\Windows\SysWOW64\Bnmjgkpo.exe  [command line: C:\Windows\system32\Bnmjgkpo.exe]  PID:2392
69. C:\Windows\SysWOW64\Cegbce32.exe  [command line: C:\Windows\system32\Cegbce32.exe]  PID:2180
70. C:\Windows\SysWOW64\Ccjbobnf.exe  [command line: C:\Windows\system32\Ccjbobnf.exe]  PID:2420
- Drops file in System32 directory
71. C:\Windows\SysWOW64\Ckajqo32.exe  [command line: C:\Windows\system32\Ckajqo32.exe]  PID:2964
- Modifies registry class
72. C:\Windows\SysWOW64\Cnogmk32.exe  [command line: C:\Windows\system32\Cnogmk32.exe]  PID:1348
- Drops file in System32 directory
73. C:\Windows\SysWOW64\Ceioieei.exe  [command line: C:\Windows\system32\Ceioieei.exe]  PID:1964
- Adds autorun key to be loaded by Explorer.exe on startup
74. C:\Windows\SysWOW64\Ccloea32.exe  [command line: C:\Windows\system32\Ccloea32.exe]  PID:2868
75. C:\Windows\SysWOW64\Cjfgalcq.exe  [command line: C:\Windows\system32\Cjfgalcq.exe]  PID:2104
76. C:\Windows\SysWOW64\Cnacbj32.exe  [command line: C:\Windows\system32\Cnacbj32.exe]  PID:1008
- Adds autorun key to be loaded by Explorer.exe on startup
77. C:\Windows\SysWOW64\Cappnf32.exe  [command line: C:\Windows\system32\Cappnf32.exe]  PID:2720
78. C:\Windows\SysWOW64\Ccolja32.exe  [command line: C:\Windows\system32\Ccolja32.exe]  PID:2360
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
79. C:\Windows\SysWOW64\Cgjhkpbj.exe  [command line: C:\Windows\system32\Cgjhkpbj.exe]  PID:908
80. C:\Windows\SysWOW64\Cfmhfm32.exe  [command line: C:\Windows\system32\Cfmhfm32.exe]  PID:2732
81. C:\Windows\SysWOW64\Cikdbhhi.exe  [command line: C:\Windows\system32\Cikdbhhi.exe]  PID:2772
82. C:\Windows\SysWOW64\Cmgpcg32.exe  [command line: C:\Windows\system32\Cmgpcg32.exe]  PID:2880
- Drops file in System32 directory
83. C:\Windows\SysWOW64\Cabldeik.exe  [command line: C:\Windows\system32\Cabldeik.exe]  PID:2860
84. C:\Windows\SysWOW64\Cfoellgb.exe  [command line: C:\Windows\system32\Cfoellgb.exe]  PID:2636
85. C:\Windows\SysWOW64\Cjkamk32.exe  [command line: C:\Windows\system32\Cjkamk32.exe]  PID:2268
86. C:\Windows\SysWOW64\Cinahhff.exe  [command line: C:\Windows\system32\Cinahhff.exe]  PID:1480
- System Location Discovery: System Language Discovery
87. C:\Windows\SysWOW64\Cllmdcej.exe  [command line: C:\Windows\system32\Cllmdcej.exe]  PID:1944
88. C:\Windows\SysWOW64\Cpgieb32.exe  [command line: C:\Windows\system32\Cpgieb32.exe]  PID:1732
- Drops file in System32 directory
- Modifies registry class
89. C:\Windows\SysWOW64\Ccceeqfl.exe  [command line: C:\Windows\system32\Ccceeqfl.exe]  PID:1756
90. C:\Windows\SysWOW64\Cbfeam32.exe  [command line: C:\Windows\system32\Cbfeam32.exe]  PID:1924
91. C:\Windows\SysWOW64\Cfaaalep.exe  [command line: C:\Windows\system32\Cfaaalep.exe]  PID:640
92. C:\Windows\SysWOW64\Cedbmi32.exe  [command line: C:\Windows\system32\Cedbmi32.exe]  PID:2000
93. C:\Windows\SysWOW64\Dmljnfll.exe  [command line: C:\Windows\system32\Dmljnfll.exe]  PID:2796
94. C:\Windows\SysWOW64\Dpjfjalp.exe  [command line: C:\Windows\system32\Dpjfjalp.exe]  PID:2496
- Drops file in System32 directory
95. C:\Windows\SysWOW64\Domffn32.exe  [command line: C:\Windows\system32\Domffn32.exe]  PID:1308
96. C:\Windows\SysWOW64\Dbhbfmkd.exe  [command line: C:\Windows\system32\Dbhbfmkd.exe]  PID:1552
- Modifies registry class
97. C:\Windows\SysWOW64\Degobhjg.exe  [command line: C:\Windows\system32\Degobhjg.exe]  PID:2656
- System Location Discovery: System Language Discovery
98. C:\Windows\SysWOW64\Dhekodik.exe  [command line: C:\Windows\system32\Dhekodik.exe]  PID:1948
- System Location Discovery: System Language Discovery
99. C:\Windows\SysWOW64\Dplbpaim.exe  [command line: C:\Windows\system32\Dplbpaim.exe]  PID:964
100. C:\Windows\SysWOW64\Dbkolmia.exe  [command line: C:\Windows\system32\Dbkolmia.exe]  PID:2320
101. C:\Windows\SysWOW64\Danohi32.exe  [command line: C:\Windows\system32\Danohi32.exe]  PID:1152
102. C:\Windows\SysWOW64\Deikhhhe.exe  [command line: C:\Windows\system32\Deikhhhe.exe]  PID:2900
103. C:\Windows\SysWOW64\Didgig32.exe  [command line: C:\Windows\system32\Didgig32.exe]  PID:1512
104. C:\Windows\SysWOW64\Dhggdcgh.exe  [command line: C:\Windows\system32\Dhggdcgh.exe]  PID:1992
105. C:\Windows\SysWOW64\Dkfcqo32.exe  [command line: C:\Windows\system32\Dkfcqo32.exe]  PID:2568
106. C:\Windows\SysWOW64\Doapanne.exe  [command line: C:\Windows\system32\Doapanne.exe]  PID:1448
- System Location Discovery: System Language Discovery
- Modifies registry class
107. C:\Windows\SysWOW64\Dekhnh32.exe  [command line: C:\Windows\system32\Dekhnh32.exe]  PID:2308
- System Location Discovery: System Language Discovery
108. C:\Windows\SysWOW64\Dhjdjc32.exe  [command line: C:\Windows\system32\Dhjdjc32.exe]  PID:2132
109. C:\Windows\SysWOW64\Dlepjbmo.exe  [command line: C:\Windows\system32\Dlepjbmo.exe]  PID:2368
110. C:\Windows\SysWOW64\Dkhpfo32.exe  [command line: C:\Windows\system32\Dkhpfo32.exe]  PID:380
111. C:\Windows\SysWOW64\Dmgmbj32.exe  [command line: C:\Windows\system32\Dmgmbj32.exe]  PID:2804
112. C:\Windows\SysWOW64\Dabicikf.exe  [command line: C:\Windows\system32\Dabicikf.exe]  PID:1764
- System Location Discovery: System Language Discovery
113. C:\Windows\SysWOW64\Dhlapc32.exe  [command line: C:\Windows\system32\Dhlapc32.exe]  PID:1768
- System Location Discovery: System Language Discovery
114. C:\Windows\SysWOW64\Dgoakpjn.exe  [command line: C:\Windows\system32\Dgoakpjn.exe]  PID:2676
115. C:\Windows\SysWOW64\Dofilm32.exe  [command line: C:\Windows\system32\Dofilm32.exe]  PID:2944
- System Location Discovery: System Language Discovery
116. C:\Windows\SysWOW64\Dadehh32.exe  [command line: C:\Windows\system32\Dadehh32.exe]  PID:2400
117. C:\Windows\SysWOW64\Dpgedepn.exe  [command line: C:\Windows\system32\Dpgedepn.exe]  PID:2340
118. C:\Windows\SysWOW64\Ehonebqq.exe  [command line: C:\Windows\system32\Ehonebqq.exe]  PID:1784
119. C:\Windows\SysWOW64\Eganqo32.exe  [command line: C:\Windows\system32\Eganqo32.exe]  PID:2704
120. C:\Windows\SysWOW64\Eipjmk32.exe  [command line: C:\Windows\system32\Eipjmk32.exe]  PID:992
121. C:\Windows\SysWOW64\Emkfmioh.exe  [command line: C:\Windows\system32\Emkfmioh.exe]  PID:3064
122. C:\Windows\SysWOW64\Eagbnh32.exe  [command line: C:\Windows\system32\Eagbnh32.exe]  PID:1840