Analysis
-
max time kernel
112s -
max time network
16s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
14/09/2024, 16:23
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
8cdd4b82c35f40ffbbc9474c01aaaa20N.exe
Resource
win7-20240903-en
windows7-x64
8 signatures
120 seconds
Behavioral task
behavioral2
Sample
8cdd4b82c35f40ffbbc9474c01aaaa20N.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
7 signatures
120 seconds
General
-
Target
8cdd4b82c35f40ffbbc9474c01aaaa20N.exe
-
Size
165KB
-
MD5
8cdd4b82c35f40ffbbc9474c01aaaa20
-
SHA1
937314aeed179e91905d9f057c2efb5469861591
-
SHA256
afbc445504924bd1be729277103a95ab8bb906c03bb0c971c74face6a671ad1f
-
SHA512
ea8b8df1560e7249861e9282e0745efcc4343bdb38e172737356b053e9eb77ba00e1e2651790714db9ac3681b77b91f213e648d3baa148554e37b09d638c5871
-
SSDEEP
3072:cw0wB3rCJUvqT3vQfEdArGzHq+egM5bylnO/hZP:Uo3rKiqbQMdArGzHregqgnO
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iaddid32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jinghn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aqddcdbo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fpfkhbon.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iclfccmq.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bqambacb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gocnjn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pjjmonac.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mjpkbk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mcjlap32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Migdig32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ldfldpqf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lnambeed.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ndjhpcoe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oheppe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Plffkc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ocqhcqgk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mmngof32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ndbile32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Peapmhnk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eamdlf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fmjkbfnh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dijgnm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Necqbp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gabofn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gbmoceol.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hbpmbndm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cgjjdijo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Biolckgf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jdhlih32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nmeohnil.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hancef32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kngaig32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Amebjgai.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jaamhb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fondonbc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Docjne32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hdkaabnh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dcjmcd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lafekm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iocdmccp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nnjlhg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Edelakoq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Higiih32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aoijjjcl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ebpgoh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jojnglco.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oafhmf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qlqdmj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mlgdhcmb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kghoan32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Olioeoeo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qcjjakip.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Domffn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dapnfb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cimooo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oiifcdhn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Acjdgf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mbmebgpi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bebiifka.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ifoljn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jiaaaicm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jfpmifoa.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qggoeilh.exe -
Executes dropped EXE 64 IoCs
pid Process 2072 Hhogaamj.exe 2900 Hiockd32.exe 2312 Hdkaabnh.exe 2792 Inhoegqc.exe 2560 Iphhgb32.exe 2752 Ihdmld32.exe 2436 Iciaim32.exe 2336 Jopbnn32.exe 2968 Jkllnn32.exe 548 Jcgqbq32.exe 1932 Kdfmlc32.exe 1368 Kjebjjck.exe 1100 Kcpcho32.exe 2056 Kmhhae32.exe 2092 Kfaljjdj.exe 1540 Lggbmbfc.exe 1060 Lhklha32.exe 2304 Ladpagin.exe 996 Mmmnkglp.exe 1480 Mehbpjjk.exe 1708 Mlgdhcmb.exe 2388 Ndbile32.exe 692 Npiiafpa.exe 2252 Ndiomdde.exe 1960 Ohkdfhge.exe 2740 Ocqhcqgk.exe 2700 Olkjaflh.exe 1576 Ogekbchg.exe 2884 Pqplqile.exe 2584 Pjjmonac.exe 1284 Pfando32.exe 2984 Pcgkcccn.exe 2904 Qonlhd32.exe 1504 Qbodjofc.exe 3056 Aglmbfdk.exe 2308 Akjfhdka.exe 1300 Agqfme32.exe 1672 Agccbenc.exe 460 Acjdgf32.exe 1996 Biiiempl.exe 1216 Blgeahoo.exe 1800 Blibghmm.exe 2920 Bimbql32.exe 336 Bbfgiabg.exe 1776 Bakdjn32.exe 3044 Ckfeic32.exe 1952 Cdqfgh32.exe 600 Cimooo32.exe 1596 Chblqlcj.exe 324 Dakpiajj.exe 1724 Dibhjokm.exe 2696 Dcjmcd32.exe 1572 Dkeahf32.exe 2244 Ddnfql32.exe 2596 Docjne32.exe 2956 Dgoobg32.exe 2844 Dpgckm32.exe 2200 Dgalhgpg.exe 1376 Edelakoq.exe 264 Enmqjq32.exe 572 Egeecf32.exe 3024 Eoajgh32.exe 2084 Efkbdbai.exe 1096 Eocfmh32.exe -
Loads dropped DLL 64 IoCs
pid Process 2088 8cdd4b82c35f40ffbbc9474c01aaaa20N.exe 2088 8cdd4b82c35f40ffbbc9474c01aaaa20N.exe 2072 Hhogaamj.exe 2072 Hhogaamj.exe 2900 Hiockd32.exe 2900 Hiockd32.exe 2312 Hdkaabnh.exe 2312 Hdkaabnh.exe 2792 Inhoegqc.exe 2792 Inhoegqc.exe 2560 Iphhgb32.exe 2560 Iphhgb32.exe 2752 Ihdmld32.exe 2752 Ihdmld32.exe 2436 Iciaim32.exe 2436 Iciaim32.exe 2336 Jopbnn32.exe 2336 Jopbnn32.exe 2968 Jkllnn32.exe 2968 Jkllnn32.exe 548 Jcgqbq32.exe 548 Jcgqbq32.exe 1932 Kdfmlc32.exe 1932 Kdfmlc32.exe 1368 Kjebjjck.exe 1368 Kjebjjck.exe 1100 Kcpcho32.exe 1100 Kcpcho32.exe 2056 Kmhhae32.exe 2056 Kmhhae32.exe 2092 Kfaljjdj.exe 2092 Kfaljjdj.exe 1540 Lggbmbfc.exe 1540 Lggbmbfc.exe 1060 Lhklha32.exe 1060 Lhklha32.exe 2304 Ladpagin.exe 2304 Ladpagin.exe 996 Mmmnkglp.exe 996 Mmmnkglp.exe 1480 Mehbpjjk.exe 1480 Mehbpjjk.exe 1708 Mlgdhcmb.exe 1708 Mlgdhcmb.exe 2388 Ndbile32.exe 2388 Ndbile32.exe 692 Npiiafpa.exe 692 Npiiafpa.exe 2252 Ndiomdde.exe 2252 Ndiomdde.exe 1960 Ohkdfhge.exe 1960 Ohkdfhge.exe 2740 Ocqhcqgk.exe 2740 Ocqhcqgk.exe 2700 Olkjaflh.exe 2700 Olkjaflh.exe 1576 Ogekbchg.exe 1576 Ogekbchg.exe 2884 Pqplqile.exe 2884 Pqplqile.exe 2584 Pjjmonac.exe 2584 Pjjmonac.exe 1284 Pfando32.exe 1284 Pfando32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Klijjnen.exe Kcqfahom.exe File opened for modification C:\Windows\SysWOW64\Eamdlf32.exe Eajhgg32.exe File opened for modification C:\Windows\SysWOW64\Ficilgai.exe Fondonbc.exe File created C:\Windows\SysWOW64\Llcppm32.dll Hancef32.exe File opened for modification C:\Windows\SysWOW64\Odoakckp.exe Nejdjf32.exe File created C:\Windows\SysWOW64\Fapapi32.dll Olopjddf.exe File created C:\Windows\SysWOW64\Qcpnob32.dll Phhmeehg.exe File created C:\Windows\SysWOW64\Kimjjh32.dll Ggnqfgce.exe File opened for modification C:\Windows\SysWOW64\Dedkbb32.exe Cnjbfhqa.exe File opened for modification C:\Windows\SysWOW64\Lafekm32.exe Kadhen32.exe File opened for modification C:\Windows\SysWOW64\Bcmeogam.exe Bfieec32.exe File opened for modification C:\Windows\SysWOW64\Danaqbgp.exe Dgemgm32.exe File opened for modification C:\Windows\SysWOW64\Blgeahoo.exe Biiiempl.exe File created C:\Windows\SysWOW64\Gdbcbcgp.dll Niqgof32.exe File created C:\Windows\SysWOW64\Gkchpcoc.exe Gicpnhbb.exe File created C:\Windows\SysWOW64\Ddaman32.dll Peolmb32.exe File opened for modification C:\Windows\SysWOW64\Qggoeilh.exe Qdhcinme.exe File created C:\Windows\SysWOW64\Appcjgmk.dll Hijmin32.exe File created C:\Windows\SysWOW64\Hefginae.exe Hpinagbm.exe File opened for modification C:\Windows\SysWOW64\Nnhobgag.exe Nbaomf32.exe File created C:\Windows\SysWOW64\Chagol32.dll Cbcikn32.exe File created C:\Windows\SysWOW64\Nehjmppo.exe Nhdjdk32.exe File created C:\Windows\SysWOW64\Afqeaemk.exe Ahmehqna.exe File created C:\Windows\SysWOW64\Ipgpcc32.exe Imidgh32.exe File created C:\Windows\SysWOW64\Dlicoiod.dll Qlqdmj32.exe File created C:\Windows\SysWOW64\Lokfgk32.dll Ffpkob32.exe File created C:\Windows\SysWOW64\Dblangpk.dll Jakjjcnd.exe File opened for modification C:\Windows\SysWOW64\Ekdglcmh.exe Ehdnkh32.exe File opened for modification C:\Windows\SysWOW64\Jmbnhm32.exe Jkdalb32.exe File created C:\Windows\SysWOW64\Emqaaabg.exe Edhmhl32.exe File opened for modification C:\Windows\SysWOW64\Cpbiolnl.exe Cemebcnf.exe File opened for modification C:\Windows\SysWOW64\Adekhkng.exe Agakog32.exe File opened for modification C:\Windows\SysWOW64\Gnofng32.exe Ghenamai.exe File opened for modification C:\Windows\SysWOW64\Gmaoomld.exe Gnlbnagl.exe File created C:\Windows\SysWOW64\Qggoeilh.exe Qdhcinme.exe File created C:\Windows\SysWOW64\Bnemlf32.exe Bqambacb.exe File created C:\Windows\SysWOW64\Iohcpqfg.dll Jbooen32.exe File created C:\Windows\SysWOW64\Dfbdje32.exe Cincaq32.exe File created C:\Windows\SysWOW64\Njhgfljc.dll Bfnnpbnn.exe File created C:\Windows\SysWOW64\Dgemgm32.exe Degqka32.exe File opened for modification C:\Windows\SysWOW64\Paghojip.exe Phocfd32.exe File opened for modification C:\Windows\SysWOW64\Nmpiicdm.exe Nhbqqlfe.exe File created C:\Windows\SysWOW64\Gjiibm32.exe Fqqdigko.exe File created C:\Windows\SysWOW64\Jhldob32.dll Jljgni32.exe File created C:\Windows\SysWOW64\Eajhgg32.exe Elnonp32.exe File created C:\Windows\SysWOW64\Lafekm32.exe Kadhen32.exe File created C:\Windows\SysWOW64\Abbjbnoq.exe Amebjgai.exe File opened for modification C:\Windows\SysWOW64\Hefginae.exe Hpinagbm.exe File created C:\Windows\SysWOW64\Jgnbfdao.dll Mpllpl32.exe File opened for modification C:\Windows\SysWOW64\Bgpnjkgi.exe Bmjjmbgc.exe File opened for modification C:\Windows\SysWOW64\Inhoegqc.exe Hdkaabnh.exe File created C:\Windows\SysWOW64\Hnfgbfba.dll Nilndfgl.exe File created C:\Windows\SysWOW64\Ollljo32.exe Oafhmf32.exe File created C:\Windows\SysWOW64\Chndfp32.dll Hibebeqb.exe File created C:\Windows\SysWOW64\Hmglpc32.dll Bebiifka.exe File opened for modification C:\Windows\SysWOW64\Mcknjidn.exe Mchadifq.exe File created C:\Windows\SysWOW64\Alfdcp32.exe Qlcgmpkp.exe File created C:\Windows\SysWOW64\Jafilj32.exe Joepjokm.exe File created C:\Windows\SysWOW64\Nekofg32.dll Kcahjqfa.exe File created C:\Windows\SysWOW64\Mpeebhhf.exe Mglpjc32.exe File created C:\Windows\SysWOW64\Eeiggk32.exe Ekofgnna.exe File opened for modification C:\Windows\SysWOW64\Jljgni32.exe Jdobjgqg.exe File created C:\Windows\SysWOW64\Qmabnhbo.dll Mchadifq.exe File opened for modification C:\Windows\SysWOW64\Ahancp32.exe Aoijjjcl.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 2932 1396 WerFault.exe 536 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ododdlcd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cicggcke.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Acjdgf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Chblqlcj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jblpge32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cngfqi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cilfka32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ggnqfgce.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Anhdmh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fqqdigko.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Emfbgg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gkancm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kngaig32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Leqeed32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eeiggk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Glcfgk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bkjdpp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dghjmlnm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lafekm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iigcobid.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jkdoci32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kbokda32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cjdkllec.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fqnhcgma.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ileoknhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Olopjddf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nhbqqlfe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ldnbeokn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dendcg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gjiibm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bkddjkej.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mlhmkbhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jaffca32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Knodnb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qlqdmj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iciaim32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kbppdfmk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nlklik32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qdhcinme.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aenileon.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jekoljgo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jbooen32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kdgane32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Npiiafpa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eocfmh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eekdmk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bcmeogam.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fdmjmenh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dakpiajj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kknklg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aoijjjcl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jhgnbehe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oljanhmc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gnlbnagl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ppmkilbp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fondonbc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Abbjbnoq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hefginae.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pjhaec32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Agccbenc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mbehgabe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bnemlf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nnjlhg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Afffgjma.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fondonbc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Afbpnlcd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pqbobm32.dll" Gjnigb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Liobklpa.dll" Nhbqqlfe.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fcgdjmlo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qgfmlp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jmfgkqba.dll" Peapmhnk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jljgni32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kknklg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nnnlmn32.dll" Hnikmnho.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hmnhnk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ododdlcd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jgeobdkc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bkghjq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gojcia32.dll" Dlfbck32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Npgpnq32.dll" Cgjjdijo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ifadmn32.dll" Kdlpkb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Phhmeehg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qogkcdjb.dll" Jgeobdkc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlpneplg.dll" Fqnhcgma.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmmgdk32.dll" Ododdlcd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ligdgc32.dll" Phhonn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hoegoqng.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckifmh32.dll" Ifoljn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gijcmo32.dll" Ileoknhh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mjmgbe32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bipaodah.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gkchpcoc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jhgnbehe.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hmojfcdk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lgfamj32.dll" Nejdjf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Odoakckp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ibmmkaik.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jekoljgo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Oljanhmc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gijfeqbn.dll" Pdllci32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Flhkhnel.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgnbfdao.dll" Mpllpl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Efnnjm32.dll" Cfaaalep.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Higiih32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lchqamfp.dll" Ilnqhddd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pgbejj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bfnnpbnn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gabofn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hgabfa32.dll" Mcfbfaao.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cojllidi.dll" Klijjnen.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Poddphee.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qaaghk32.dll" Enepnoji.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ollljo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Plneoace.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Feedfo32.dll" Jafilj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ghenamai.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ndjhpcoe.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cdfief32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cdfief32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mffgfo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gjiibm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Akfalc32.dll" Cincaq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gkancm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fhpqof32.dll" Gnofng32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kdgfpbaf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qchmll32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bebiifka.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjmhgp32.dll" Kopikdgn.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2088 wrote to memory of 2072 2088 8cdd4b82c35f40ffbbc9474c01aaaa20N.exe 30 PID 2088 wrote to memory of 2072 2088 8cdd4b82c35f40ffbbc9474c01aaaa20N.exe 30 PID 2088 wrote to memory of 2072 2088 8cdd4b82c35f40ffbbc9474c01aaaa20N.exe 30 PID 2088 wrote to memory of 2072 2088 8cdd4b82c35f40ffbbc9474c01aaaa20N.exe 30 PID 2072 wrote to memory of 2900 2072 Hhogaamj.exe 31 PID 2072 wrote to memory of 2900 2072 Hhogaamj.exe 31 PID 2072 wrote to memory of 2900 2072 Hhogaamj.exe 31 PID 2072 wrote to memory of 2900 2072 Hhogaamj.exe 31 PID 2900 wrote to memory of 2312 2900 Hiockd32.exe 32 PID 2900 wrote to memory of 2312 2900 Hiockd32.exe 32 PID 2900 wrote to memory of 2312 2900 Hiockd32.exe 32 PID 2900 wrote to memory of 2312 2900 Hiockd32.exe 32 PID 2312 wrote to memory of 2792 2312 Hdkaabnh.exe 33 PID 2312 wrote to memory of 2792 2312 Hdkaabnh.exe 33 PID 2312 wrote to memory of 2792 2312 Hdkaabnh.exe 33 PID 2312 wrote to memory of 2792 2312 Hdkaabnh.exe 33 PID 2792 wrote to memory of 2560 2792 Inhoegqc.exe 34 PID 2792 wrote to memory of 2560 2792 Inhoegqc.exe 34 PID 2792 wrote to memory of 2560 2792 Inhoegqc.exe 34 PID 2792 wrote to memory of 2560 2792 Inhoegqc.exe 34 PID 2560 wrote to memory of 2752 2560 Iphhgb32.exe 35 PID 2560 wrote to memory of 2752 2560 Iphhgb32.exe 35 PID 2560 wrote to memory of 2752 2560 Iphhgb32.exe 35 PID 2560 wrote to memory of 2752 2560 Iphhgb32.exe 35 PID 2752 wrote to memory of 2436 2752 Ihdmld32.exe 36 PID 2752 wrote to memory of 2436 2752 Ihdmld32.exe 36 PID 2752 wrote to memory of 2436 2752 Ihdmld32.exe 36 PID 2752 wrote to memory of 2436 2752 Ihdmld32.exe 36 PID 2436 wrote to memory of 2336 2436 Iciaim32.exe 37 PID 2436 wrote to memory of 2336 2436 Iciaim32.exe 37 PID 2436 wrote to memory of 2336 2436 Iciaim32.exe 37 PID 2436 wrote to memory of 2336 2436 Iciaim32.exe 37 PID 2336 wrote to memory of 2968 2336 Jopbnn32.exe 38 PID 2336 wrote to memory of 2968 2336 Jopbnn32.exe 38 PID 2336 wrote to memory of 2968 2336 Jopbnn32.exe 38 PID 2336 wrote to memory of 2968 2336 Jopbnn32.exe 38 PID 2968 wrote to memory of 548 2968 Jkllnn32.exe 39 PID 2968 wrote to memory of 548 2968 Jkllnn32.exe 39 PID 2968 wrote to memory of 548 2968 Jkllnn32.exe 39 PID 2968 wrote to memory of 548 2968 Jkllnn32.exe 39 PID 548 wrote to memory of 1932 548 Jcgqbq32.exe 40 PID 548 wrote to memory of 1932 548 Jcgqbq32.exe 40 PID 548 wrote to memory of 1932 548 Jcgqbq32.exe 40 PID 548 wrote to memory of 1932 548 Jcgqbq32.exe 40 PID 1932 wrote to memory of 1368 1932 Kdfmlc32.exe 41 PID 1932 wrote to memory of 1368 1932 Kdfmlc32.exe 41 PID 1932 wrote to memory of 1368 1932 Kdfmlc32.exe 41 PID 1932 wrote to memory of 1368 1932 Kdfmlc32.exe 41 PID 1368 wrote to memory of 1100 1368 Kjebjjck.exe 42 PID 1368 wrote to memory of 1100 1368 Kjebjjck.exe 42 PID 1368 wrote to memory of 1100 1368 Kjebjjck.exe 42 PID 1368 wrote to memory of 1100 1368 Kjebjjck.exe 42 PID 1100 wrote to memory of 2056 1100 Kcpcho32.exe 43 PID 1100 wrote to memory of 2056 1100 Kcpcho32.exe 43 PID 1100 wrote to memory of 2056 1100 Kcpcho32.exe 43 PID 1100 wrote to memory of 2056 1100 Kcpcho32.exe 43 PID 2056 wrote to memory of 2092 2056 Kmhhae32.exe 44 PID 2056 wrote to memory of 2092 2056 Kmhhae32.exe 44 PID 2056 wrote to memory of 2092 2056 Kmhhae32.exe 44 PID 2056 wrote to memory of 2092 2056 Kmhhae32.exe 44 PID 2092 wrote to memory of 1540 2092 Kfaljjdj.exe 45 PID 2092 wrote to memory of 1540 2092 Kfaljjdj.exe 45 PID 2092 wrote to memory of 1540 2092 Kfaljjdj.exe 45 PID 2092 wrote to memory of 1540 2092 Kfaljjdj.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\8cdd4b82c35f40ffbbc9474c01aaaa20N.exe"C:\Users\Admin\AppData\Local\Temp\8cdd4b82c35f40ffbbc9474c01aaaa20N.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2088 -
C:\Windows\SysWOW64\Hhogaamj.exeC:\Windows\system32\Hhogaamj.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2072 -
C:\Windows\SysWOW64\Hiockd32.exeC:\Windows\system32\Hiockd32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2900 -
C:\Windows\SysWOW64\Hdkaabnh.exeC:\Windows\system32\Hdkaabnh.exe4⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2312 -
C:\Windows\SysWOW64\Inhoegqc.exeC:\Windows\system32\Inhoegqc.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2792 -
C:\Windows\SysWOW64\Iphhgb32.exeC:\Windows\system32\Iphhgb32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2560 -
C:\Windows\SysWOW64\Ihdmld32.exeC:\Windows\system32\Ihdmld32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2752 -
C:\Windows\SysWOW64\Iciaim32.exeC:\Windows\system32\Iciaim32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2436 -
C:\Windows\SysWOW64\Jopbnn32.exeC:\Windows\system32\Jopbnn32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2336 -
C:\Windows\SysWOW64\Jkllnn32.exeC:\Windows\system32\Jkllnn32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2968 -
C:\Windows\SysWOW64\Jcgqbq32.exeC:\Windows\system32\Jcgqbq32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:548 -
C:\Windows\SysWOW64\Kdfmlc32.exeC:\Windows\system32\Kdfmlc32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1932 -
C:\Windows\SysWOW64\Kjebjjck.exeC:\Windows\system32\Kjebjjck.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1368 -
C:\Windows\SysWOW64\Kcpcho32.exeC:\Windows\system32\Kcpcho32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1100 -
C:\Windows\SysWOW64\Kmhhae32.exeC:\Windows\system32\Kmhhae32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2056 -
C:\Windows\SysWOW64\Kfaljjdj.exeC:\Windows\system32\Kfaljjdj.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2092 -
C:\Windows\SysWOW64\Lggbmbfc.exeC:\Windows\system32\Lggbmbfc.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1540 -
C:\Windows\SysWOW64\Lhklha32.exeC:\Windows\system32\Lhklha32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1060 -
C:\Windows\SysWOW64\Ladpagin.exeC:\Windows\system32\Ladpagin.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2304 -
C:\Windows\SysWOW64\Mmmnkglp.exeC:\Windows\system32\Mmmnkglp.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:996 -
C:\Windows\SysWOW64\Mehbpjjk.exeC:\Windows\system32\Mehbpjjk.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1480 -
C:\Windows\SysWOW64\Mlgdhcmb.exeC:\Windows\system32\Mlgdhcmb.exe22⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1708 -
C:\Windows\SysWOW64\Ndbile32.exeC:\Windows\system32\Ndbile32.exe23⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2388 -
C:\Windows\SysWOW64\Npiiafpa.exeC:\Windows\system32\Npiiafpa.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:692 -
C:\Windows\SysWOW64\Ndiomdde.exeC:\Windows\system32\Ndiomdde.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2252 -
C:\Windows\SysWOW64\Ohkdfhge.exeC:\Windows\system32\Ohkdfhge.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1960 -
C:\Windows\SysWOW64\Ocqhcqgk.exeC:\Windows\system32\Ocqhcqgk.exe27⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2740 -
C:\Windows\SysWOW64\Olkjaflh.exeC:\Windows\system32\Olkjaflh.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2700 -
C:\Windows\SysWOW64\Ogekbchg.exeC:\Windows\system32\Ogekbchg.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1576 -
C:\Windows\SysWOW64\Pqplqile.exeC:\Windows\system32\Pqplqile.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2884 -
C:\Windows\SysWOW64\Pjjmonac.exeC:\Windows\system32\Pjjmonac.exe31⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2584 -
C:\Windows\SysWOW64\Pfando32.exeC:\Windows\system32\Pfando32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1284 -
C:\Windows\SysWOW64\Pcgkcccn.exeC:\Windows\system32\Pcgkcccn.exe33⤵
- Executes dropped EXE
PID:2984 -
C:\Windows\SysWOW64\Qonlhd32.exeC:\Windows\system32\Qonlhd32.exe34⤵
- Executes dropped EXE
PID:2904 -
C:\Windows\SysWOW64\Qbodjofc.exeC:\Windows\system32\Qbodjofc.exe35⤵
- Executes dropped EXE
PID:1504 -
C:\Windows\SysWOW64\Aglmbfdk.exeC:\Windows\system32\Aglmbfdk.exe36⤵
- Executes dropped EXE
PID:3056 -
C:\Windows\SysWOW64\Akjfhdka.exeC:\Windows\system32\Akjfhdka.exe37⤵
- Executes dropped EXE
PID:2308 -
C:\Windows\SysWOW64\Agqfme32.exeC:\Windows\system32\Agqfme32.exe38⤵
- Executes dropped EXE
PID:1300 -
C:\Windows\SysWOW64\Agccbenc.exeC:\Windows\system32\Agccbenc.exe39⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1672 -
C:\Windows\SysWOW64\Acjdgf32.exeC:\Windows\system32\Acjdgf32.exe40⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:460 -
C:\Windows\SysWOW64\Biiiempl.exeC:\Windows\system32\Biiiempl.exe41⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1996 -
C:\Windows\SysWOW64\Blgeahoo.exeC:\Windows\system32\Blgeahoo.exe42⤵
- Executes dropped EXE
PID:1216 -
C:\Windows\SysWOW64\Blibghmm.exeC:\Windows\system32\Blibghmm.exe43⤵
- Executes dropped EXE
PID:1800 -
C:\Windows\SysWOW64\Bimbql32.exeC:\Windows\system32\Bimbql32.exe44⤵
- Executes dropped EXE
PID:2920 -
C:\Windows\SysWOW64\Bbfgiabg.exeC:\Windows\system32\Bbfgiabg.exe45⤵
- Executes dropped EXE
PID:336 -
C:\Windows\SysWOW64\Bakdjn32.exeC:\Windows\system32\Bakdjn32.exe46⤵
- Executes dropped EXE
PID:1776 -
C:\Windows\SysWOW64\Ckfeic32.exeC:\Windows\system32\Ckfeic32.exe47⤵
- Executes dropped EXE
PID:3044 -
C:\Windows\SysWOW64\Cdqfgh32.exeC:\Windows\system32\Cdqfgh32.exe48⤵
- Executes dropped EXE
PID:1952 -
C:\Windows\SysWOW64\Cimooo32.exeC:\Windows\system32\Cimooo32.exe49⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:600 -
C:\Windows\SysWOW64\Chblqlcj.exeC:\Windows\system32\Chblqlcj.exe50⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1596 -
C:\Windows\SysWOW64\Dakpiajj.exeC:\Windows\system32\Dakpiajj.exe51⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:324 -
C:\Windows\SysWOW64\Dibhjokm.exeC:\Windows\system32\Dibhjokm.exe52⤵
- Executes dropped EXE
PID:1724 -
C:\Windows\SysWOW64\Dcjmcd32.exeC:\Windows\system32\Dcjmcd32.exe53⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2696 -
C:\Windows\SysWOW64\Dkeahf32.exeC:\Windows\system32\Dkeahf32.exe54⤵
- Executes dropped EXE
PID:1572 -
C:\Windows\SysWOW64\Ddnfql32.exeC:\Windows\system32\Ddnfql32.exe55⤵
- Executes dropped EXE
PID:2244 -
C:\Windows\SysWOW64\Docjne32.exeC:\Windows\system32\Docjne32.exe56⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2596 -
C:\Windows\SysWOW64\Dgoobg32.exeC:\Windows\system32\Dgoobg32.exe57⤵
- Executes dropped EXE
PID:2956 -
C:\Windows\SysWOW64\Dpgckm32.exeC:\Windows\system32\Dpgckm32.exe58⤵
- Executes dropped EXE
PID:2844 -
C:\Windows\SysWOW64\Dgalhgpg.exeC:\Windows\system32\Dgalhgpg.exe59⤵
- Executes dropped EXE
PID:2200 -
C:\Windows\SysWOW64\Edelakoq.exeC:\Windows\system32\Edelakoq.exe60⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1376 -
C:\Windows\SysWOW64\Enmqjq32.exeC:\Windows\system32\Enmqjq32.exe61⤵
- Executes dropped EXE
PID:264 -
C:\Windows\SysWOW64\Egeecf32.exeC:\Windows\system32\Egeecf32.exe62⤵
- Executes dropped EXE
PID:572 -
C:\Windows\SysWOW64\Eoajgh32.exeC:\Windows\system32\Eoajgh32.exe63⤵
- Executes dropped EXE
PID:3024 -
C:\Windows\SysWOW64\Efkbdbai.exeC:\Windows\system32\Efkbdbai.exe64⤵
- Executes dropped EXE
PID:2084 -
C:\Windows\SysWOW64\Eocfmh32.exeC:\Windows\system32\Eocfmh32.exe65⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1096 -
C:\Windows\SysWOW64\Edpoeoea.exeC:\Windows\system32\Edpoeoea.exe66⤵PID:2052
-
C:\Windows\SysWOW64\Ffpkob32.exeC:\Windows\system32\Ffpkob32.exe67⤵
- Drops file in System32 directory
PID:1460 -
C:\Windows\SysWOW64\Fnkpcd32.exeC:\Windows\system32\Fnkpcd32.exe68⤵PID:2228
-
C:\Windows\SysWOW64\Fgcdlj32.exeC:\Windows\system32\Fgcdlj32.exe69⤵PID:2384
-
C:\Windows\SysWOW64\Fqkieogp.exeC:\Windows\system32\Fqkieogp.exe70⤵PID:1012
-
C:\Windows\SysWOW64\Fkambhgf.exeC:\Windows\system32\Fkambhgf.exe71⤵PID:1716
-
C:\Windows\SysWOW64\Feiaknmg.exeC:\Windows\system32\Feiaknmg.exe72⤵PID:1620
-
C:\Windows\SysWOW64\Fnafdc32.exeC:\Windows\system32\Fnafdc32.exe73⤵PID:2288
-
C:\Windows\SysWOW64\Ffmkhe32.exeC:\Windows\system32\Ffmkhe32.exe74⤵PID:3028
-
C:\Windows\SysWOW64\Gabofn32.exeC:\Windows\system32\Gabofn32.exe75⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:1580 -
C:\Windows\SysWOW64\Gjkcod32.exeC:\Windows\system32\Gjkcod32.exe76⤵PID:2716
-
C:\Windows\SysWOW64\Gbfhcf32.exeC:\Windows\system32\Gbfhcf32.exe77⤵PID:2788
-
C:\Windows\SysWOW64\Gipqpplq.exeC:\Windows\system32\Gipqpplq.exe78⤵PID:2120
-
C:\Windows\SysWOW64\Ghenamai.exeC:\Windows\system32\Ghenamai.exe79⤵
- Drops file in System32 directory
- Modifies registry class
PID:2112 -
C:\Windows\SysWOW64\Gnofng32.exeC:\Windows\system32\Gnofng32.exe80⤵
- Modifies registry class
PID:2420 -
C:\Windows\SysWOW64\Glcfgk32.exeC:\Windows\system32\Glcfgk32.exe81⤵
- System Location Discovery: System Language Discovery
PID:1488 -
C:\Windows\SysWOW64\Gbmoceol.exeC:\Windows\system32\Gbmoceol.exe82⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:568 -
C:\Windows\SysWOW64\Hhjgll32.exeC:\Windows\system32\Hhjgll32.exe83⤵PID:1756
-
C:\Windows\SysWOW64\Hndoifdp.exeC:\Windows\system32\Hndoifdp.exe84⤵PID:1964
-
C:\Windows\SysWOW64\Iigcobid.exeC:\Windows\system32\Iigcobid.exe85⤵
- System Location Discovery: System Language Discovery
PID:1924 -
C:\Windows\SysWOW64\Ileoknhh.exeC:\Windows\system32\Ileoknhh.exe86⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1008 -
C:\Windows\SysWOW64\Iaddid32.exeC:\Windows\system32\Iaddid32.exe87⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:760 -
C:\Windows\SysWOW64\Igffmkno.exeC:\Windows\system32\Igffmkno.exe88⤵PID:3004
-
C:\Windows\SysWOW64\Jakjjcnd.exeC:\Windows\system32\Jakjjcnd.exe89⤵
- Drops file in System32 directory
PID:2932 -
C:\Windows\SysWOW64\Jkdoci32.exeC:\Windows\system32\Jkdoci32.exe90⤵
- System Location Discovery: System Language Discovery
PID:2684 -
C:\Windows\SysWOW64\Jdlclo32.exeC:\Windows\system32\Jdlclo32.exe91⤵PID:2828
-
C:\Windows\SysWOW64\Jempcgad.exeC:\Windows\system32\Jempcgad.exe92⤵PID:2868
-
C:\Windows\SysWOW64\Jndhddaf.exeC:\Windows\system32\Jndhddaf.exe93⤵PID:752
-
C:\Windows\SysWOW64\Jfpmifoa.exeC:\Windows\system32\Jfpmifoa.exe94⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2544 -
C:\Windows\SysWOW64\Johaalea.exeC:\Windows\system32\Johaalea.exe95⤵PID:1236
-
C:\Windows\SysWOW64\Jfbinf32.exeC:\Windows\system32\Jfbinf32.exe96⤵PID:2068
-
C:\Windows\SysWOW64\Jojnglco.exeC:\Windows\system32\Jojnglco.exe97⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:280 -
C:\Windows\SysWOW64\Kdgfpbaf.exeC:\Windows\system32\Kdgfpbaf.exe98⤵
- Modifies registry class
PID:1628 -
C:\Windows\SysWOW64\Kbkgig32.exeC:\Windows\system32\Kbkgig32.exe99⤵PID:1968
-
C:\Windows\SysWOW64\Kghoan32.exeC:\Windows\system32\Kghoan32.exe100⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2224 -
C:\Windows\SysWOW64\Kdlpkb32.exeC:\Windows\system32\Kdlpkb32.exe101⤵
- Modifies registry class
PID:2268 -
C:\Windows\SysWOW64\Kbppdfmk.exeC:\Windows\system32\Kbppdfmk.exe102⤵
- System Location Discovery: System Language Discovery
PID:2160 -
C:\Windows\SysWOW64\Kngaig32.exeC:\Windows\system32\Kngaig32.exe103⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:2812 -
C:\Windows\SysWOW64\Kdqifajl.exeC:\Windows\system32\Kdqifajl.exe104⤵PID:2564
-
C:\Windows\SysWOW64\Kninog32.exeC:\Windows\system32\Kninog32.exe105⤵PID:2620
-
C:\Windows\SysWOW64\Lojjfo32.exeC:\Windows\system32\Lojjfo32.exe106⤵PID:2744
-
C:\Windows\SysWOW64\Lmnkpc32.exeC:\Windows\system32\Lmnkpc32.exe107⤵PID:2896
-
C:\Windows\SysWOW64\Lmqgec32.exeC:\Windows\system32\Lmqgec32.exe108⤵PID:1396
-
C:\Windows\SysWOW64\Lelljepm.exeC:\Windows\system32\Lelljepm.exe109⤵PID:2104
-
C:\Windows\SysWOW64\Lpapgnpb.exeC:\Windows\system32\Lpapgnpb.exe110⤵PID:1152
-
C:\Windows\SysWOW64\Lenioenj.exeC:\Windows\system32\Lenioenj.exe111⤵PID:2124
-
C:\Windows\SysWOW64\Lnfmhj32.exeC:\Windows\system32\Lnfmhj32.exe112⤵PID:3012
-
C:\Windows\SysWOW64\Leqeed32.exeC:\Windows\system32\Leqeed32.exe113⤵
- System Location Discovery: System Language Discovery
PID:2184 -
C:\Windows\SysWOW64\Mcfbfaao.exeC:\Windows\system32\Mcfbfaao.exe114⤵
- Modifies registry class
PID:964 -
C:\Windows\SysWOW64\Mjpkbk32.exeC:\Windows\system32\Mjpkbk32.exe115⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1732 -
C:\Windows\SysWOW64\Mmngof32.exeC:\Windows\system32\Mmngof32.exe116⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1020 -
C:\Windows\SysWOW64\Mhckloge.exeC:\Windows\system32\Mhckloge.exe117⤵PID:2988
-
C:\Windows\SysWOW64\Mcjlap32.exeC:\Windows\system32\Mcjlap32.exe118⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2480 -
C:\Windows\SysWOW64\Migdig32.exeC:\Windows\system32\Migdig32.exe119⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2976 -
C:\Windows\SysWOW64\Mbpibm32.exeC:\Windows\system32\Mbpibm32.exe120⤵PID:1624
-
C:\Windows\SysWOW64\Mlhmkbhb.exeC:\Windows\system32\Mlhmkbhb.exe121⤵
- System Location Discovery: System Language Discovery
PID:2536
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-