Analysis
-
max time kernel
120s -
max time network
124s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
19-09-2024 06:50
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
ad491ca60a1ea8b3330a50026c7076ae7eba19762040caab98218a3d94d6575fN.exe
Resource
win7-20240903-en
windows7-x64
8 signatures
120 seconds
Behavioral task
behavioral2
Sample
ad491ca60a1ea8b3330a50026c7076ae7eba19762040caab98218a3d94d6575fN.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
7 signatures
120 seconds
General
-
Target
ad491ca60a1ea8b3330a50026c7076ae7eba19762040caab98218a3d94d6575fN.exe
-
Size
318KB
-
MD5
e80b5e573370201648d42e4369d41050
-
SHA1
e5a12ed4a7edaffdf2e183df96f6aad10840760a
-
SHA256
ad491ca60a1ea8b3330a50026c7076ae7eba19762040caab98218a3d94d6575f
-
SHA512
d7df8999a4db3f6e1aeccd67f9bc1d1a5bd5d14bb82946c3e363c13f841d1e931150c2f68bfe35762a0031f9aa0fef7b9307b2c928ac98570344ab77c959ba79
-
SSDEEP
6144:RGpsplRVEQHdMcm4FmowdHoS7c5cm4FmowdHoSrNF9xRVEQHd4:RGAO4wFHoS04wFHoSrZx8
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mqfooonp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ieligmho.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ncbdjhnf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dgbgon32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ehpgha32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Phocfd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hmnhnk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nbaafocg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ckgmon32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nndhpqma.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Phhmeehg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hiofdmkq.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Opbopn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ibbffq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jffhec32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aokfpjai.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dbqajk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lndlamke.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lpiacp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lnopmegg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pikohg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aellfe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Acplpjpj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bhfhnofg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ihijhpdo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Himionmc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ejiadgkl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bphdpe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eibgbj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ojlife32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kqcqpc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Liekddkh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fcgaae32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ipameehe.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pknakhig.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hhadgakg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gjephakn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nmkpnd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kdooij32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ffeldglk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Igffmkno.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Klamohhj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hjfbaj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mcendc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fgjmfa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ilhnjfmi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Npieoi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Olkjaflh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Egflml32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Phhmeehg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Papank32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hjhlnahk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Janihlcf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hbkpfa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ckkenikc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kjkehhjf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Obonfj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gbkdgn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hngngo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hmnhnk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gjahfkfg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hobjia32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Akgibd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dammoahg.exe -
Executes dropped EXE 64 IoCs
pid Process 2760 Abgaeddg.exe 2764 Aiqjao32.exe 2912 Bfpmog32.exe 2788 Bmlbaqfh.exe 2100 Chjmmnnb.exe 2800 Ckkenikc.exe 2540 Cdfgmnpa.exe 2960 Dajgfboj.exe 2348 Djjeedhp.exe 2984 Dfpfke32.exe 2436 Egflml32.exe 1068 Ejiadgkl.exe 2164 Ffeldglk.exe 3056 Fcilnl32.exe 3068 Gjljij32.exe 2460 Gbnenk32.exe 2244 Hpfoboml.exe 2868 Hhadgakg.exe 1528 Ihijhpdo.exe 1932 Igngim32.exe 2456 Igpdnlgd.exe 2444 Ialadj32.exe 1656 Jnlepioj.exe 864 Kmabqf32.exe 2176 Kflcok32.exe 2772 Kpgdnp32.exe 2128 Lpiacp32.exe 2952 Llbnnq32.exe 2964 Lpgqlc32.exe 2656 Mpimbcnf.exe 1848 Mpkjgckc.exe 784 Mkggnp32.exe 3044 Noepdo32.exe 1952 Ngqeha32.exe 2936 Npiiafpa.exe 1856 Nknnnoph.exe 904 Nmogpj32.exe 520 Oihdjk32.exe 2336 Oeoeplfn.exe 2208 Olkjaflh.exe 2192 Oecnkk32.exe 1808 Oajopl32.exe 272 Pdkhag32.exe 1372 Pmfmej32.exe 3064 Pffgonbb.exe 580 Qonlhd32.exe 1316 Qbmhdp32.exe 1668 Qoqhncgp.exe 2480 Qqbeel32.exe 2880 Akgibd32.exe 2312 Amplklmj.exe 2748 Ajcldpkd.exe 2652 Bppdlgjk.exe 1132 Bbannb32.exe 2044 Bpengf32.exe 3036 Bimbql32.exe 2060 Baigen32.exe 2704 Bjalndpb.exe 1628 Bdipfi32.exe 2008 Cdlmlidp.exe 2232 Ckfeic32.exe 1648 Cbajme32.exe 1216 Clinfk32.exe 1292 Cimooo32.exe -
Loads dropped DLL 64 IoCs
pid Process 2132 ad491ca60a1ea8b3330a50026c7076ae7eba19762040caab98218a3d94d6575fN.exe 2132 ad491ca60a1ea8b3330a50026c7076ae7eba19762040caab98218a3d94d6575fN.exe 2760 Abgaeddg.exe 2760 Abgaeddg.exe 2764 Aiqjao32.exe 2764 Aiqjao32.exe 2912 Bfpmog32.exe 2912 Bfpmog32.exe 2788 Bmlbaqfh.exe 2788 Bmlbaqfh.exe 2100 Chjmmnnb.exe 2100 Chjmmnnb.exe 2800 Ckkenikc.exe 2800 Ckkenikc.exe 2540 Cdfgmnpa.exe 2540 Cdfgmnpa.exe 2960 Dajgfboj.exe 2960 Dajgfboj.exe 2348 Djjeedhp.exe 2348 Djjeedhp.exe 2984 Dfpfke32.exe 2984 Dfpfke32.exe 2436 Egflml32.exe 2436 Egflml32.exe 1068 Ejiadgkl.exe 1068 Ejiadgkl.exe 2164 Ffeldglk.exe 2164 Ffeldglk.exe 3056 Fcilnl32.exe 3056 Fcilnl32.exe 3068 Gjljij32.exe 3068 Gjljij32.exe 2460 Gbnenk32.exe 2460 Gbnenk32.exe 2244 Hpfoboml.exe 2244 Hpfoboml.exe 2868 Hhadgakg.exe 2868 Hhadgakg.exe 1528 Ihijhpdo.exe 1528 Ihijhpdo.exe 1932 Igngim32.exe 1932 Igngim32.exe 2456 Igpdnlgd.exe 2456 Igpdnlgd.exe 2444 Ialadj32.exe 2444 Ialadj32.exe 1656 Jnlepioj.exe 1656 Jnlepioj.exe 864 Kmabqf32.exe 864 Kmabqf32.exe 2176 Kflcok32.exe 2176 Kflcok32.exe 2772 Kpgdnp32.exe 2772 Kpgdnp32.exe 2128 Lpiacp32.exe 2128 Lpiacp32.exe 2952 Llbnnq32.exe 2952 Llbnnq32.exe 2964 Lpgqlc32.exe 2964 Lpgqlc32.exe 2656 Mpimbcnf.exe 2656 Mpimbcnf.exe 1848 Mpkjgckc.exe 1848 Mpkjgckc.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Ifqfge32.exe Idpmejag.exe File created C:\Windows\SysWOW64\Npkaei32.exe Niaihojk.exe File created C:\Windows\SysWOW64\Jmemme32.dll Lpgqlc32.exe File created C:\Windows\SysWOW64\Pgffqlfd.dll Lgiakjld.exe File created C:\Windows\SysWOW64\Hnkjej32.dll Lfgaaa32.exe File created C:\Windows\SysWOW64\Moanhnka.dll Nmogpj32.exe File created C:\Windows\SysWOW64\Gndebkii.exe Fgjmfa32.exe File created C:\Windows\SysWOW64\Jdcihfiq.dll Kaillp32.exe File created C:\Windows\SysWOW64\Bfpmog32.exe Aiqjao32.exe File created C:\Windows\SysWOW64\Jdmfdgbj.exe Janihlcf.exe File created C:\Windows\SysWOW64\Lgiakjld.exe Lkcqfifp.exe File opened for modification C:\Windows\SysWOW64\Qgfmlp32.exe Qdhqpe32.exe File opened for modification C:\Windows\SysWOW64\Fqkbkicd.exe Fcgaae32.exe File opened for modification C:\Windows\SysWOW64\Oefmid32.exe Okailkhd.exe File opened for modification C:\Windows\SysWOW64\Bimbql32.exe Bpengf32.exe File opened for modification C:\Windows\SysWOW64\Baigen32.exe Bimbql32.exe File created C:\Windows\SysWOW64\Llkido32.dll Mbobgfnf.exe File created C:\Windows\SysWOW64\Dlpaod32.dll Opfdim32.exe File created C:\Windows\SysWOW64\Mplmipff.dll Edkahbmo.exe File created C:\Windows\SysWOW64\Bbdjgbdg.dll Oihdjk32.exe File created C:\Windows\SysWOW64\Bbannb32.exe Bppdlgjk.exe File created C:\Windows\SysWOW64\Kphpdhdh.exe Jhahcjcf.exe File created C:\Windows\SysWOW64\Obgmjh32.exe Ophanl32.exe File created C:\Windows\SysWOW64\Dmbjhfda.dll Cbajme32.exe File created C:\Windows\SysWOW64\Kbppkb32.dll Gikpjk32.exe File opened for modification C:\Windows\SysWOW64\Lamkllea.exe Lkccob32.exe File created C:\Windows\SysWOW64\Cffdnama.dll Dpgedepn.exe File opened for modification C:\Windows\SysWOW64\Ilhnjfmi.exe Ienfml32.exe File created C:\Windows\SysWOW64\Fchpmeni.dll Ndjhpcoe.exe File created C:\Windows\SysWOW64\Kgpdcm32.dll Enqfco32.exe File created C:\Windows\SysWOW64\Jcgdnd32.dll Jalmcl32.exe File created C:\Windows\SysWOW64\Ccekdaeg.dll Dajgfboj.exe File created C:\Windows\SysWOW64\Jpdkel32.dll Iljkofkg.exe File opened for modification C:\Windows\SysWOW64\Kdeehe32.exe Jmkmlk32.exe File created C:\Windows\SysWOW64\Ickcnjfh.dll Fopole32.exe File created C:\Windows\SysWOW64\Ooneiddj.dll Jplinckj.exe File opened for modification C:\Windows\SysWOW64\Caccnllf.exe Celbik32.exe File opened for modification C:\Windows\SysWOW64\Cgaoic32.exe Cojghf32.exe File created C:\Windows\SysWOW64\Gjjhgphb.dll Ailboh32.exe File opened for modification C:\Windows\SysWOW64\Aonjpp32.exe Afffgjma.exe File created C:\Windows\SysWOW64\Mckmpf32.dll Ipoqofjh.exe File created C:\Windows\SysWOW64\Lejadg32.dll Epjbienl.exe File created C:\Windows\SysWOW64\Niilmi32.exe Nndhpqma.exe File created C:\Windows\SysWOW64\Ilblkh32.exe Hiabjm32.exe File created C:\Windows\SysWOW64\Jkbkei32.dll Nbgakd32.exe File created C:\Windows\SysWOW64\Dekmid32.dll Icponb32.exe File opened for modification C:\Windows\SysWOW64\Akgibd32.exe Qqbeel32.exe File opened for modification C:\Windows\SysWOW64\Omdbdb32.exe Obonfj32.exe File opened for modification C:\Windows\SysWOW64\Aellfe32.exe Qpocno32.exe File created C:\Windows\SysWOW64\Cgjbbnaj.dll Dbcnpk32.exe File created C:\Windows\SysWOW64\Mdkcgk32.exe Mmpobi32.exe File created C:\Windows\SysWOW64\Ccolja32.exe Cjfgalcq.exe File created C:\Windows\SysWOW64\Kfpamb32.dll Ibgglfdl.exe File created C:\Windows\SysWOW64\Oicbma32.exe Ofefqf32.exe File created C:\Windows\SysWOW64\Kdokmeph.dll Bppdlgjk.exe File opened for modification C:\Windows\SysWOW64\Claake32.exe Bfeibo32.exe File opened for modification C:\Windows\SysWOW64\Hnjagdlj.exe Himionmc.exe File created C:\Windows\SysWOW64\Ckjfchcp.dll Eleliepj.exe File created C:\Windows\SysWOW64\Pngjlfla.dll Imndmnob.exe File opened for modification C:\Windows\SysWOW64\Aiqjao32.exe Abgaeddg.exe File created C:\Windows\SysWOW64\Oajopl32.exe Oecnkk32.exe File created C:\Windows\SysWOW64\Lgddiilp.dll Bcackdio.exe File created C:\Windows\SysWOW64\Dnimkebm.dll Nlefjpid.exe File created C:\Windows\SysWOW64\Qchmll32.exe Phbinc32.exe -
Program crash 1 IoCs
pid pid_target Process 6076 6092 WerFault.exe -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nplhooec.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kkaaee32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bncpffdn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mmpobi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gimmpj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Niaihojk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mpkjgckc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ikoehj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bphdpe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gjolpkhj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Incgfl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jadlgjjq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gbnenk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Clinfk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Magfjebk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Edkopifk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mogcelgm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pmfmej32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cjfgalcq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Imndmnob.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mpqekkob.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aocgll32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Haggijgb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cdlmlidp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ffkncf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ndmeecmb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ffcahq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Idpmejag.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nalnmahf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ofefqf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hbafel32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ckbccnji.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kdeehe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nkhhie32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Egflml32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ilhlan32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Coiqmp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Loofjg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pbppqf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ialadj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lffohikd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ddkbqfcp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ojdlkp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cdfgmnpa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Defljp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Enkdda32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ipameehe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kninog32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mfchgflg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Enqfco32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Klamohhj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Obgmjh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ekppjmia.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gnoaliln.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gcchgini.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gjephakn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Papank32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jffhec32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mhpigk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Phklcn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ajjeld32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Copljmpo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bmlbaqfh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ebabicfn.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bgbcfflb.dll" Edhkpcdb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hgobpd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dammoahg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dapjdq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kaillp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kipdnine.dll" Pacqlcdi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Iceiibef.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mhbflj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pkplgoop.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Alfdcp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Knmghb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ipoqofjh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cimooo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fqkbkicd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdkgph32.dll" Ohkpdj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kooklaek.dll" Dijjgegh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lkccob32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ngedmgdf.dll" Dapjdq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kcipdg32.dll" Odanqb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dpgedepn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cffdnama.dll" Dpgedepn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ncance32.dll" Ienfml32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gefjjk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cadqllao.dll" Pimlmf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aonjpp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nbbhpegc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Banndk32.dll" Bqffna32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ikoehj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dgiomabc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cillcclg.dll" Omdbdb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kkaaee32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Oclpdf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ehaaei32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aknnil32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bgkeol32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kkigfdjo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Noepdo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nkdegmha.dll" Enkdda32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lgnefm32.dll" Paqdgcfl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Alahklnm.dll" Pddinn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bmhkojab.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ipoqofjh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Khggofme.dll" Nnknqpgi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jmejmm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mpimbcnf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lmnkpc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lgfamj32.dll" Ndmeecmb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eleliepj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jdhlih32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bimbql32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ekipgb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bfeibo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cmbghgdg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdfflmoe.dll" Jpcfih32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gknnkain.dll" Aellfe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ecodfogg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Llfcik32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hbafel32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nndhpqma.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ngqeha32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gjnigb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bikdki32.dll" Himionmc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ekmjanpd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mbobgfnf.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2132 wrote to memory of 2760 2132 ad491ca60a1ea8b3330a50026c7076ae7eba19762040caab98218a3d94d6575fN.exe 30 PID 2132 wrote to memory of 2760 2132 ad491ca60a1ea8b3330a50026c7076ae7eba19762040caab98218a3d94d6575fN.exe 30 PID 2132 wrote to memory of 2760 2132 ad491ca60a1ea8b3330a50026c7076ae7eba19762040caab98218a3d94d6575fN.exe 30 PID 2132 wrote to memory of 2760 2132 ad491ca60a1ea8b3330a50026c7076ae7eba19762040caab98218a3d94d6575fN.exe 30 PID 2760 wrote to memory of 2764 2760 Abgaeddg.exe 31 PID 2760 wrote to memory of 2764 2760 Abgaeddg.exe 31 PID 2760 wrote to memory of 2764 2760 Abgaeddg.exe 31 PID 2760 wrote to memory of 2764 2760 Abgaeddg.exe 31 PID 2764 wrote to memory of 2912 2764 Aiqjao32.exe 32 PID 2764 wrote to memory of 2912 2764 Aiqjao32.exe 32 PID 2764 wrote to memory of 2912 2764 Aiqjao32.exe 32 PID 2764 wrote to memory of 2912 2764 Aiqjao32.exe 32 PID 2912 wrote to memory of 2788 2912 Bfpmog32.exe 33 PID 2912 wrote to memory of 2788 2912 Bfpmog32.exe 33 PID 2912 wrote to memory of 2788 2912 Bfpmog32.exe 33 PID 2912 wrote to memory of 2788 2912 Bfpmog32.exe 33 PID 2788 wrote to memory of 2100 2788 Bmlbaqfh.exe 34 PID 2788 wrote to memory of 2100 2788 Bmlbaqfh.exe 34 PID 2788 wrote to memory of 2100 2788 Bmlbaqfh.exe 34 PID 2788 wrote to memory of 2100 2788 Bmlbaqfh.exe 34 PID 2100 wrote to memory of 2800 2100 Chjmmnnb.exe 35 PID 2100 wrote to memory of 2800 2100 Chjmmnnb.exe 35 PID 2100 wrote to memory of 2800 2100 Chjmmnnb.exe 35 PID 2100 wrote to memory of 2800 2100 Chjmmnnb.exe 35 PID 2800 wrote to memory of 2540 2800 Ckkenikc.exe 36 PID 2800 wrote to memory of 2540 2800 Ckkenikc.exe 36 PID 2800 wrote to memory of 2540 2800 Ckkenikc.exe 36 PID 2800 wrote to memory of 2540 2800 Ckkenikc.exe 36 PID 2540 wrote to memory of 2960 2540 Cdfgmnpa.exe 37 PID 2540 wrote to memory of 2960 2540 Cdfgmnpa.exe 37 PID 2540 wrote to memory of 2960 2540 Cdfgmnpa.exe 37 PID 2540 wrote to memory of 2960 2540 Cdfgmnpa.exe 37 PID 2960 wrote to memory of 2348 2960 Dajgfboj.exe 38 PID 2960 wrote to memory of 2348 2960 Dajgfboj.exe 38 PID 2960 wrote to memory of 2348 2960 Dajgfboj.exe 38 PID 2960 wrote to memory of 2348 2960 Dajgfboj.exe 38 PID 2348 wrote to memory of 2984 2348 Djjeedhp.exe 39 PID 2348 wrote to memory of 2984 2348 Djjeedhp.exe 39 PID 2348 wrote to memory of 2984 2348 Djjeedhp.exe 39 PID 2348 wrote to memory of 2984 2348 Djjeedhp.exe 39 PID 2984 wrote to memory of 2436 2984 Dfpfke32.exe 40 PID 2984 wrote to memory of 2436 2984 Dfpfke32.exe 40 PID 2984 wrote to memory of 2436 2984 Dfpfke32.exe 40 PID 2984 wrote to memory of 2436 2984 Dfpfke32.exe 40 PID 2436 wrote to memory of 1068 2436 Egflml32.exe 41 PID 2436 wrote to memory of 1068 2436 Egflml32.exe 41 PID 2436 wrote to memory of 1068 2436 Egflml32.exe 41 PID 2436 wrote to memory of 1068 2436 Egflml32.exe 41 PID 1068 wrote to memory of 2164 1068 Ejiadgkl.exe 42 PID 1068 wrote to memory of 2164 1068 Ejiadgkl.exe 42 PID 1068 wrote to memory of 2164 1068 Ejiadgkl.exe 42 PID 1068 wrote to memory of 2164 1068 Ejiadgkl.exe 42 PID 2164 wrote to memory of 3056 2164 Ffeldglk.exe 43 PID 2164 wrote to memory of 3056 2164 Ffeldglk.exe 43 PID 2164 wrote to memory of 3056 2164 Ffeldglk.exe 43 PID 2164 wrote to memory of 3056 2164 Ffeldglk.exe 43 PID 3056 wrote to memory of 3068 3056 Fcilnl32.exe 44 PID 3056 wrote to memory of 3068 3056 Fcilnl32.exe 44 PID 3056 wrote to memory of 3068 3056 Fcilnl32.exe 44 PID 3056 wrote to memory of 3068 3056 Fcilnl32.exe 44 PID 3068 wrote to memory of 2460 3068 Gjljij32.exe 45 PID 3068 wrote to memory of 2460 3068 Gjljij32.exe 45 PID 3068 wrote to memory of 2460 3068 Gjljij32.exe 45 PID 3068 wrote to memory of 2460 3068 Gjljij32.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\ad491ca60a1ea8b3330a50026c7076ae7eba19762040caab98218a3d94d6575fN.exe"C:\Users\Admin\AppData\Local\Temp\ad491ca60a1ea8b3330a50026c7076ae7eba19762040caab98218a3d94d6575fN.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2132 -
C:\Windows\SysWOW64\Abgaeddg.exeC:\Windows\system32\Abgaeddg.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2760 -
C:\Windows\SysWOW64\Aiqjao32.exeC:\Windows\system32\Aiqjao32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2764 -
C:\Windows\SysWOW64\Bfpmog32.exeC:\Windows\system32\Bfpmog32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2912 -
C:\Windows\SysWOW64\Bmlbaqfh.exeC:\Windows\system32\Bmlbaqfh.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2788 -
C:\Windows\SysWOW64\Chjmmnnb.exeC:\Windows\system32\Chjmmnnb.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2100 -
C:\Windows\SysWOW64\Ckkenikc.exeC:\Windows\system32\Ckkenikc.exe7⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2800 -
C:\Windows\SysWOW64\Cdfgmnpa.exeC:\Windows\system32\Cdfgmnpa.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2540 -
C:\Windows\SysWOW64\Dajgfboj.exeC:\Windows\system32\Dajgfboj.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2960 -
C:\Windows\SysWOW64\Djjeedhp.exeC:\Windows\system32\Djjeedhp.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2348 -
C:\Windows\SysWOW64\Dfpfke32.exeC:\Windows\system32\Dfpfke32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2984 -
C:\Windows\SysWOW64\Egflml32.exeC:\Windows\system32\Egflml32.exe12⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2436 -
C:\Windows\SysWOW64\Ejiadgkl.exeC:\Windows\system32\Ejiadgkl.exe13⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1068 -
C:\Windows\SysWOW64\Ffeldglk.exeC:\Windows\system32\Ffeldglk.exe14⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2164 -
C:\Windows\SysWOW64\Fcilnl32.exeC:\Windows\system32\Fcilnl32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3056 -
C:\Windows\SysWOW64\Gjljij32.exeC:\Windows\system32\Gjljij32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3068 -
C:\Windows\SysWOW64\Gbnenk32.exeC:\Windows\system32\Gbnenk32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2460 -
C:\Windows\SysWOW64\Hpfoboml.exeC:\Windows\system32\Hpfoboml.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2244 -
C:\Windows\SysWOW64\Hhadgakg.exeC:\Windows\system32\Hhadgakg.exe19⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2868 -
C:\Windows\SysWOW64\Ihijhpdo.exeC:\Windows\system32\Ihijhpdo.exe20⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1528 -
C:\Windows\SysWOW64\Igngim32.exeC:\Windows\system32\Igngim32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1932 -
C:\Windows\SysWOW64\Igpdnlgd.exeC:\Windows\system32\Igpdnlgd.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2456 -
C:\Windows\SysWOW64\Ialadj32.exeC:\Windows\system32\Ialadj32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2444 -
C:\Windows\SysWOW64\Jnlepioj.exeC:\Windows\system32\Jnlepioj.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1656 -
C:\Windows\SysWOW64\Kmabqf32.exeC:\Windows\system32\Kmabqf32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:864 -
C:\Windows\SysWOW64\Kflcok32.exeC:\Windows\system32\Kflcok32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2176 -
C:\Windows\SysWOW64\Kpgdnp32.exeC:\Windows\system32\Kpgdnp32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2772 -
C:\Windows\SysWOW64\Lpiacp32.exeC:\Windows\system32\Lpiacp32.exe28⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2128 -
C:\Windows\SysWOW64\Llbnnq32.exeC:\Windows\system32\Llbnnq32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2952 -
C:\Windows\SysWOW64\Lpgqlc32.exeC:\Windows\system32\Lpgqlc32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2964 -
C:\Windows\SysWOW64\Mpimbcnf.exeC:\Windows\system32\Mpimbcnf.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2656 -
C:\Windows\SysWOW64\Mpkjgckc.exeC:\Windows\system32\Mpkjgckc.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1848 -
C:\Windows\SysWOW64\Mkggnp32.exeC:\Windows\system32\Mkggnp32.exe33⤵
- Executes dropped EXE
PID:784 -
C:\Windows\SysWOW64\Noepdo32.exeC:\Windows\system32\Noepdo32.exe34⤵
- Executes dropped EXE
- Modifies registry class
PID:3044 -
C:\Windows\SysWOW64\Ngqeha32.exeC:\Windows\system32\Ngqeha32.exe35⤵
- Executes dropped EXE
- Modifies registry class
PID:1952 -
C:\Windows\SysWOW64\Npiiafpa.exeC:\Windows\system32\Npiiafpa.exe36⤵
- Executes dropped EXE
PID:2936 -
C:\Windows\SysWOW64\Nknnnoph.exeC:\Windows\system32\Nknnnoph.exe37⤵
- Executes dropped EXE
PID:1856 -
C:\Windows\SysWOW64\Nmogpj32.exeC:\Windows\system32\Nmogpj32.exe38⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:904 -
C:\Windows\SysWOW64\Oihdjk32.exeC:\Windows\system32\Oihdjk32.exe39⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:520 -
C:\Windows\SysWOW64\Oeoeplfn.exeC:\Windows\system32\Oeoeplfn.exe40⤵
- Executes dropped EXE
PID:2336 -
C:\Windows\SysWOW64\Olkjaflh.exeC:\Windows\system32\Olkjaflh.exe41⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2208 -
C:\Windows\SysWOW64\Oecnkk32.exeC:\Windows\system32\Oecnkk32.exe42⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2192 -
C:\Windows\SysWOW64\Oajopl32.exeC:\Windows\system32\Oajopl32.exe43⤵
- Executes dropped EXE
PID:1808 -
C:\Windows\SysWOW64\Pdkhag32.exeC:\Windows\system32\Pdkhag32.exe44⤵
- Executes dropped EXE
PID:272 -
C:\Windows\SysWOW64\Pmfmej32.exeC:\Windows\system32\Pmfmej32.exe45⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1372 -
C:\Windows\SysWOW64\Pffgonbb.exeC:\Windows\system32\Pffgonbb.exe46⤵
- Executes dropped EXE
PID:3064 -
C:\Windows\SysWOW64\Qonlhd32.exeC:\Windows\system32\Qonlhd32.exe47⤵
- Executes dropped EXE
PID:580 -
C:\Windows\SysWOW64\Qbmhdp32.exeC:\Windows\system32\Qbmhdp32.exe48⤵
- Executes dropped EXE
PID:1316 -
C:\Windows\SysWOW64\Qoqhncgp.exeC:\Windows\system32\Qoqhncgp.exe49⤵
- Executes dropped EXE
PID:1668 -
C:\Windows\SysWOW64\Qqbeel32.exeC:\Windows\system32\Qqbeel32.exe50⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2480 -
C:\Windows\SysWOW64\Akgibd32.exeC:\Windows\system32\Akgibd32.exe51⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2880 -
C:\Windows\SysWOW64\Amplklmj.exeC:\Windows\system32\Amplklmj.exe52⤵
- Executes dropped EXE
PID:2312 -
C:\Windows\SysWOW64\Ajcldpkd.exeC:\Windows\system32\Ajcldpkd.exe53⤵
- Executes dropped EXE
PID:2748 -
C:\Windows\SysWOW64\Bppdlgjk.exeC:\Windows\system32\Bppdlgjk.exe54⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2652 -
C:\Windows\SysWOW64\Bbannb32.exeC:\Windows\system32\Bbannb32.exe55⤵
- Executes dropped EXE
PID:1132 -
C:\Windows\SysWOW64\Bpengf32.exeC:\Windows\system32\Bpengf32.exe56⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2044 -
C:\Windows\SysWOW64\Bimbql32.exeC:\Windows\system32\Bimbql32.exe57⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:3036 -
C:\Windows\SysWOW64\Baigen32.exeC:\Windows\system32\Baigen32.exe58⤵
- Executes dropped EXE
PID:2060 -
C:\Windows\SysWOW64\Bjalndpb.exeC:\Windows\system32\Bjalndpb.exe59⤵
- Executes dropped EXE
PID:2704 -
C:\Windows\SysWOW64\Bdipfi32.exeC:\Windows\system32\Bdipfi32.exe60⤵
- Executes dropped EXE
PID:1628 -
C:\Windows\SysWOW64\Cdlmlidp.exeC:\Windows\system32\Cdlmlidp.exe61⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2008 -
C:\Windows\SysWOW64\Ckfeic32.exeC:\Windows\system32\Ckfeic32.exe62⤵
- Executes dropped EXE
PID:2232 -
C:\Windows\SysWOW64\Cbajme32.exeC:\Windows\system32\Cbajme32.exe63⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1648 -
C:\Windows\SysWOW64\Clinfk32.exeC:\Windows\system32\Clinfk32.exe64⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1216 -
C:\Windows\SysWOW64\Cimooo32.exeC:\Windows\system32\Cimooo32.exe65⤵
- Executes dropped EXE
- Modifies registry class
PID:1292 -
C:\Windows\SysWOW64\Cojghf32.exeC:\Windows\system32\Cojghf32.exe66⤵
- Drops file in System32 directory
PID:1540 -
C:\Windows\SysWOW64\Cgaoic32.exeC:\Windows\system32\Cgaoic32.exe67⤵PID:600
-
C:\Windows\SysWOW64\Coldmfkf.exeC:\Windows\system32\Coldmfkf.exe68⤵PID:2492
-
C:\Windows\SysWOW64\Defljp32.exeC:\Windows\system32\Defljp32.exe69⤵
- System Location Discovery: System Language Discovery
PID:2476 -
C:\Windows\SysWOW64\Dlpdfjjp.exeC:\Windows\system32\Dlpdfjjp.exe70⤵PID:2272
-
C:\Windows\SysWOW64\Dammoahg.exeC:\Windows\system32\Dammoahg.exe71⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2720 -
C:\Windows\SysWOW64\Dkeahf32.exeC:\Windows\system32\Dkeahf32.exe72⤵PID:2752
-
C:\Windows\SysWOW64\Dapjdq32.exeC:\Windows\system32\Dapjdq32.exe73⤵
- Modifies registry class
PID:2152 -
C:\Windows\SysWOW64\Ddpbfl32.exeC:\Windows\system32\Ddpbfl32.exe74⤵PID:2532
-
C:\Windows\SysWOW64\Dpgckm32.exeC:\Windows\system32\Dpgckm32.exe75⤵PID:2528
-
C:\Windows\SysWOW64\Enkdda32.exeC:\Windows\system32\Enkdda32.exe76⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2084 -
C:\Windows\SysWOW64\Echlmh32.exeC:\Windows\system32\Echlmh32.exe77⤵PID:2992
-
C:\Windows\SysWOW64\Efhenccl.exeC:\Windows\system32\Efhenccl.exe78⤵PID:3048
-
C:\Windows\SysWOW64\Ebofcd32.exeC:\Windows\system32\Ebofcd32.exe79⤵PID:2872
-
C:\Windows\SysWOW64\Ebabicfn.exeC:\Windows\system32\Ebabicfn.exe80⤵
- System Location Discovery: System Language Discovery
PID:2168 -
C:\Windows\SysWOW64\Ebdoocdk.exeC:\Windows\system32\Ebdoocdk.exe81⤵PID:2160
-
C:\Windows\SysWOW64\Fhngkm32.exeC:\Windows\system32\Fhngkm32.exe82⤵PID:2332
-
C:\Windows\SysWOW64\Fipdqmje.exeC:\Windows\system32\Fipdqmje.exe83⤵PID:1032
-
C:\Windows\SysWOW64\Fbiijb32.exeC:\Windows\system32\Fbiijb32.exe84⤵PID:1612
-
C:\Windows\SysWOW64\Ffkncf32.exeC:\Windows\system32\Ffkncf32.exe85⤵
- System Location Discovery: System Language Discovery
PID:1488 -
C:\Windows\SysWOW64\Ffmkhe32.exeC:\Windows\system32\Ffmkhe32.exe86⤵PID:2404
-
C:\Windows\SysWOW64\Gabofn32.exeC:\Windows\system32\Gabofn32.exe87⤵PID:832
-
C:\Windows\SysWOW64\Gindjqnc.exeC:\Windows\system32\Gindjqnc.exe88⤵PID:1048
-
C:\Windows\SysWOW64\Gcchgini.exeC:\Windows\system32\Gcchgini.exe89⤵
- System Location Discovery: System Language Discovery
PID:2408 -
C:\Windows\SysWOW64\Gnmihgkh.exeC:\Windows\system32\Gnmihgkh.exe90⤵PID:1552
-
C:\Windows\SysWOW64\Gnofng32.exeC:\Windows\system32\Gnofng32.exe91⤵PID:1908
-
C:\Windows\SysWOW64\Glcfgk32.exeC:\Windows\system32\Glcfgk32.exe92⤵PID:2824
-
C:\Windows\SysWOW64\Gekkpqnp.exeC:\Windows\system32\Gekkpqnp.exe93⤵PID:2732
-
C:\Windows\SysWOW64\Hndoifdp.exeC:\Windows\system32\Hndoifdp.exe94⤵PID:2852
-
C:\Windows\SysWOW64\Hengep32.exeC:\Windows\system32\Hengep32.exe95⤵PID:2184
-
C:\Windows\SysWOW64\Hipmoc32.exeC:\Windows\system32\Hipmoc32.exe96⤵PID:2608
-
C:\Windows\SysWOW64\Hidfjckg.exeC:\Windows\system32\Hidfjckg.exe97⤵PID:3052
-
C:\Windows\SysWOW64\Iigcobid.exeC:\Windows\system32\Iigcobid.exe98⤵PID:1696
-
C:\Windows\SysWOW64\Iboghh32.exeC:\Windows\system32\Iboghh32.exe99⤵PID:568
-
C:\Windows\SysWOW64\Ilhlan32.exeC:\Windows\system32\Ilhlan32.exe100⤵
- System Location Discovery: System Language Discovery
PID:576 -
C:\Windows\SysWOW64\Ibadnhmb.exeC:\Windows\system32\Ibadnhmb.exe101⤵PID:2180
-
C:\Windows\SysWOW64\Imkeneja.exeC:\Windows\system32\Imkeneja.exe102⤵PID:1364
-
C:\Windows\SysWOW64\Ikoehj32.exeC:\Windows\system32\Ikoehj32.exe103⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1468 -
C:\Windows\SysWOW64\Iplnpq32.exeC:\Windows\system32\Iplnpq32.exe104⤵PID:1012
-
C:\Windows\SysWOW64\Igffmkno.exeC:\Windows\system32\Igffmkno.exe105⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1580 -
C:\Windows\SysWOW64\Jnbkodci.exeC:\Windows\system32\Jnbkodci.exe106⤵PID:2916
-
C:\Windows\SysWOW64\Koogbk32.exeC:\Windows\system32\Koogbk32.exe107⤵PID:1476
-
C:\Windows\SysWOW64\Kqcqpc32.exeC:\Windows\system32\Kqcqpc32.exe108⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2228 -
C:\Windows\SysWOW64\Kjkehhjf.exeC:\Windows\system32\Kjkehhjf.exe109⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:628 -
C:\Windows\SysWOW64\Kninog32.exeC:\Windows\system32\Kninog32.exe110⤵
- System Location Discovery: System Language Discovery
PID:2920 -
C:\Windows\SysWOW64\Lmnkpc32.exeC:\Windows\system32\Lmnkpc32.exe111⤵
- Modifies registry class
PID:2856 -
C:\Windows\SysWOW64\Lffohikd.exeC:\Windows\system32\Lffohikd.exe112⤵
- System Location Discovery: System Language Discovery
PID:1876 -
C:\Windows\SysWOW64\Liekddkh.exeC:\Windows\system32\Liekddkh.exe113⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2300 -
C:\Windows\SysWOW64\Lckpbm32.exeC:\Windows\system32\Lckpbm32.exe114⤵PID:2428
-
C:\Windows\SysWOW64\Lighjd32.exeC:\Windows\system32\Lighjd32.exe115⤵PID:2032
-
C:\Windows\SysWOW64\Leqeed32.exeC:\Windows\system32\Leqeed32.exe116⤵PID:2504
-
C:\Windows\SysWOW64\Magfjebk.exeC:\Windows\system32\Magfjebk.exe117⤵
- System Location Discovery: System Language Discovery
PID:2108 -
C:\Windows\SysWOW64\Mlmjgnaa.exeC:\Windows\system32\Mlmjgnaa.exe118⤵PID:2136
-
C:\Windows\SysWOW64\Mffkgl32.exeC:\Windows\system32\Mffkgl32.exe119⤵PID:2204
-
C:\Windows\SysWOW64\Mpoppadq.exeC:\Windows\system32\Mpoppadq.exe120⤵PID:1524
-
C:\Windows\SysWOW64\Mmemoe32.exeC:\Windows\system32\Mmemoe32.exe121⤵PID:1320
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-