Analysis
-
max time kernel
69s -
max time network
17s -
platform
windows7_x64 -
resource
win7-20240729-en -
resource tags
arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system -
submitted
20-09-2024 23:46
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
f8a82b23b5b666c84102b1f7205305782cdb174edbc64bca5eecc592a775e9fc.exe
Resource
win7-20240729-en
windows7-x64
8 signatures
150 seconds
Behavioral task
behavioral2
Sample
f8a82b23b5b666c84102b1f7205305782cdb174edbc64bca5eecc592a775e9fc.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
7 signatures
150 seconds
General
-
Target
f8a82b23b5b666c84102b1f7205305782cdb174edbc64bca5eecc592a775e9fc.exe
-
Size
128KB
-
MD5
c6e73860dd00d8fe35d7604cfd91657f
-
SHA1
575b5694ad3ca26a193297ed50228af7d8ba715f
-
SHA256
f8a82b23b5b666c84102b1f7205305782cdb174edbc64bca5eecc592a775e9fc
-
SHA512
962e17f342f66591694a506ee9ff32887a6be4af4a328fa47bb5948d6ee81e87b759ebfa2f28f4b5412b77e524996ccd5d1ecc39840df5638010afd3d4ef609d
-
SSDEEP
3072:6wCQBT8UGL14c6ffCDLFFTHiy9uHFcxJDSPxMeEvPOdgujv6NLPfFFrKP9:6w5BT8Uy14c6aLFFTHiy9uGxdSJML3OF
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hkhbkc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hjplao32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kbflqccl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mchjjc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Adekhkng.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gfpjgn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ppmkilbp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bqambacb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Eehqme32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nccmng32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ljhngfkh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hfalaj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dlnjjc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lhjghlng.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mqoocmcg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cfghagio.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Blgfml32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kmeiei32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pnfkheap.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fhqfie32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lflklaoc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jjhgdqef.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Moahdd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eoqeekme.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hkkaik32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oedclm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lfaocc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ehlmnfeo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qajfmbna.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cafbmdbh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Onkjocjd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lgbfin32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gghloe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ieligmho.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kpcbhlki.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ahmehqna.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jhlgnd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fdhigo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nplkhh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Aapikqel.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kmgekh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dmiihjak.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ibeeeijg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cappnf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fjfllm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ebghkjjc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kiamql32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nffcebdd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dicmlpje.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mqoocmcg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Aknnil32.exe -
Executes dropped EXE 64 IoCs
pid Process 2892 Jcnmme32.exe 2100 Jdpidm32.exe 2948 Jnhnmckc.exe 2844 Jgpbfh32.exe 1616 Jhpopk32.exe 1092 Kpkcdn32.exe 1976 Kjchmclb.exe 2452 Klbdiokf.exe 3040 Kldaon32.exe 2924 Kgjelg32.exe 1516 Koejqi32.exe 1272 Khmnio32.exe 1768 Lfaocc32.exe 2440 Llkgpmck.exe 1164 Lhbhdnio.exe 620 Lnopmegg.exe 1200 Lggdfk32.exe 2420 Ljeabf32.exe 1548 Lgiakjld.exe 3036 Ljhngfkh.exe 1788 Lcpbpk32.exe 2076 Mnffnd32.exe 2712 Mogcelgm.exe 2828 Mipgnbnn.exe 2444 Mjodhe32.exe 2912 Mibdcakk.exe 2604 Meidib32.exe 2656 Mlbmem32.exe 3044 Mbmebgpi.exe 2456 Mifmoa32.exe 2268 Mginjnnp.exe 2908 Memncbmj.exe 316 Nlgfqldf.exe 2904 Nnfbmgcj.exe 2256 Nadoiccn.exe 2172 Ncbkenba.exe 2780 Nhngem32.exe 1932 Nnhobgag.exe 764 Nafknbqk.exe 2564 Ndehjnpo.exe 1436 Nfcdfiob.exe 2084 Nnjlhg32.exe 236 Naihdb32.exe 1540 Ndgdpn32.exe 3020 Nfeqli32.exe 2244 Nidmhd32.exe 2816 Nakeib32.exe 1928 Nblaajbd.exe 2628 Njcibgcf.exe 2088 Nifjnd32.exe 2012 Oppbjn32.exe 2212 Odlnkmjg.exe 2272 Ofjjghik.exe 2900 Oiifcdhn.exe 2700 Olgboogb.exe 2052 Ooeolkff.exe 580 Ofmgmhgh.exe 544 Oikcicfl.exe 2384 Olioeoeo.exe 992 Oohlaj32.exe 2152 Oafhmf32.exe 2408 Oebdndlp.exe 1868 Ollljo32.exe 1004 Oojhfj32.exe -
Loads dropped DLL 64 IoCs
pid Process 2544 f8a82b23b5b666c84102b1f7205305782cdb174edbc64bca5eecc592a775e9fc.exe 2544 f8a82b23b5b666c84102b1f7205305782cdb174edbc64bca5eecc592a775e9fc.exe 2892 Jcnmme32.exe 2892 Jcnmme32.exe 2100 Jdpidm32.exe 2100 Jdpidm32.exe 2948 Jnhnmckc.exe 2948 Jnhnmckc.exe 2844 Jgpbfh32.exe 2844 Jgpbfh32.exe 1616 Jhpopk32.exe 1616 Jhpopk32.exe 1092 Kpkcdn32.exe 1092 Kpkcdn32.exe 1976 Kjchmclb.exe 1976 Kjchmclb.exe 2452 Klbdiokf.exe 2452 Klbdiokf.exe 3040 Kldaon32.exe 3040 Kldaon32.exe 2924 Kgjelg32.exe 2924 Kgjelg32.exe 1516 Koejqi32.exe 1516 Koejqi32.exe 1272 Khmnio32.exe 1272 Khmnio32.exe 1768 Lfaocc32.exe 1768 Lfaocc32.exe 2440 Llkgpmck.exe 2440 Llkgpmck.exe 1164 Lhbhdnio.exe 1164 Lhbhdnio.exe 620 Lnopmegg.exe 620 Lnopmegg.exe 1200 Lggdfk32.exe 1200 Lggdfk32.exe 2420 Ljeabf32.exe 2420 Ljeabf32.exe 1548 Lgiakjld.exe 1548 Lgiakjld.exe 3036 Ljhngfkh.exe 3036 Ljhngfkh.exe 1788 Lcpbpk32.exe 1788 Lcpbpk32.exe 2076 Mnffnd32.exe 2076 Mnffnd32.exe 2712 Mogcelgm.exe 2712 Mogcelgm.exe 2828 Mipgnbnn.exe 2828 Mipgnbnn.exe 2444 Mjodhe32.exe 2444 Mjodhe32.exe 2912 Mibdcakk.exe 2912 Mibdcakk.exe 2604 Meidib32.exe 2604 Meidib32.exe 2656 Mlbmem32.exe 2656 Mlbmem32.exe 3044 Mbmebgpi.exe 3044 Mbmebgpi.exe 2456 Mifmoa32.exe 2456 Mifmoa32.exe 2268 Mginjnnp.exe 2268 Mginjnnp.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Mahgejhf.exe Process not Found File created C:\Windows\SysWOW64\Bmhmgbif.exe Bnemlf32.exe File created C:\Windows\SysWOW64\Blfmgmin.dll Cifdmbib.exe File created C:\Windows\SysWOW64\Oafjfokk.exe Obdjjb32.exe File created C:\Windows\SysWOW64\Gdfpegkn.dll Nccmng32.exe File opened for modification C:\Windows\SysWOW64\Dbfaopqo.exe Process not Found File created C:\Windows\SysWOW64\Hilakcna.dll Egdjfo32.exe File opened for modification C:\Windows\SysWOW64\Hibebeqb.exe Hqkmahpp.exe File created C:\Windows\SysWOW64\Koedfbnf.dll Kcahjqfa.exe File created C:\Windows\SysWOW64\Fkmhij32.exe Fholmo32.exe File created C:\Windows\SysWOW64\Cadqllao.dll Pceqfl32.exe File created C:\Windows\SysWOW64\Eecgafkj.exe Eahkag32.exe File created C:\Windows\SysWOW64\Mmdigbbj.dll Flhkhnel.exe File created C:\Windows\SysWOW64\Mclmgema.dll Gnenfjdh.exe File opened for modification C:\Windows\SysWOW64\Mjodhe32.exe Mipgnbnn.exe File created C:\Windows\SysWOW64\Gimmcm32.dll Gjiibm32.exe File created C:\Windows\SysWOW64\Fofhdidp.exe Flhkhnel.exe File opened for modification C:\Windows\SysWOW64\Hggeeo32.exe Gopnca32.exe File created C:\Windows\SysWOW64\Hqhiab32.exe Hnimeg32.exe File opened for modification C:\Windows\SysWOW64\Bnhjae32.exe Bgnaekil.exe File opened for modification C:\Windows\SysWOW64\Khpaidpk.exe Kpiihgoh.exe File created C:\Windows\SysWOW64\Adekhkng.exe Ankckagj.exe File opened for modification C:\Windows\SysWOW64\Oqomkimg.exe Process not Found File opened for modification C:\Windows\SysWOW64\Doocln32.exe Dplbpaim.exe File created C:\Windows\SysWOW64\Jdcihfiq.dll Keehmobp.exe File created C:\Windows\SysWOW64\Kghonhno.dll Happkf32.exe File created C:\Windows\SysWOW64\Lpjiik32.exe Lnlmmo32.exe File created C:\Windows\SysWOW64\Nlhnfg32.exe Process not Found File created C:\Windows\SysWOW64\Fmholgpj.exe Fkjbpkag.exe File created C:\Windows\SysWOW64\Gdkejjnc.dll Ojakdd32.exe File created C:\Windows\SysWOW64\Ehjbaooe.exe Eigbfb32.exe File opened for modification C:\Windows\SysWOW64\Pamnnemo.exe Pooaaink.exe File created C:\Windows\SysWOW64\Mdkcgk32.exe Mnakjaoc.exe File opened for modification C:\Windows\SysWOW64\Gdmcbojl.exe Fangfcki.exe File opened for modification C:\Windows\SysWOW64\Fmjkbfnh.exe Fiopah32.exe File created C:\Windows\SysWOW64\Gfmdfe32.dll Joepjokm.exe File created C:\Windows\SysWOW64\Pddlggin.exe Process not Found File created C:\Windows\SysWOW64\Dbhnfkfh.dll Oohlaj32.exe File opened for modification C:\Windows\SysWOW64\Doapanne.exe Dkfcqo32.exe File opened for modification C:\Windows\SysWOW64\Kgjgepqm.exe Kppohf32.exe File opened for modification C:\Windows\SysWOW64\Cakfcfoc.exe Bnmjgkpo.exe File created C:\Windows\SysWOW64\Dccbefif.dll Gnbelong.exe File created C:\Windows\SysWOW64\Didlinpd.dll Aniffaim.exe File created C:\Windows\SysWOW64\Flhkhnel.exe Fhlogo32.exe File created C:\Windows\SysWOW64\Kpkcdn32.exe Jhpopk32.exe File created C:\Windows\SysWOW64\Hbfein32.dll Mdhnnl32.exe File opened for modification C:\Windows\SysWOW64\Lkkfdmpq.exe Lgpjcnhh.exe File created C:\Windows\SysWOW64\Mgodjico.exe Mhlcnl32.exe File opened for modification C:\Windows\SysWOW64\Gnenfjdh.exe Fldbnb32.exe File created C:\Windows\SysWOW64\Bbflkcao.exe Bkmcni32.exe File created C:\Windows\SysWOW64\Gobopn32.dll Cabldeik.exe File created C:\Windows\SysWOW64\Pblinp32.exe Process not Found File created C:\Windows\SysWOW64\Dqknqleg.exe Process not Found File created C:\Windows\SysWOW64\Aidpiiop.dll Cacegd32.exe File created C:\Windows\SysWOW64\Oafhmf32.exe Oohlaj32.exe File created C:\Windows\SysWOW64\Khdfigma.dll Mnpbgbdd.exe File created C:\Windows\SysWOW64\Bjnjfffm.exe Bgpnjkgi.exe File opened for modification C:\Windows\SysWOW64\Cbagdq32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Oakaheoa.exe Oolelj32.exe File created C:\Windows\SysWOW64\Hignfnfk.dll Process not Found File created C:\Windows\SysWOW64\Ajmdmpmb.dll Process not Found File created C:\Windows\SysWOW64\Hcckbeha.dll Fokaoh32.exe File created C:\Windows\SysWOW64\Qfkbfpca.dll Process not Found File created C:\Windows\SysWOW64\Bkbjmd32.exe Process not Found -
Program crash 1 IoCs
pid pid_target Process procid_target 1332 3648 Process not Found 1286 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oiifcdhn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Achikonn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kpeonkig.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ekblplgo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cilfka32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mbmebgpi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fepnhjdh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ijjgkmqh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fofhdidp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lgdcom32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ojnelefl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Phhonn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ccdnipal.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gdfmccfm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qpjchicb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mibdcakk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pamnnemo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kgknpfdi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cngfqi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hdloab32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ppgdjqna.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ccceeqfl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mhgpgjoj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bnhjae32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Djibogkn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Olioeoeo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ofnppgbh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dcfknooi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jifkmh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aniffaim.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eipjmk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Happkf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ldfgbb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Indnqb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jbjejojn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kihcakpa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eocieq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fokofpif.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Epdncb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ofklpa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lnopmegg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kldaon32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nbinad32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Paemac32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hggeeo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gcapckod.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Obdjjb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jajbfeop.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Khkmba32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hminbkql.exe -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Cegbce32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mckmpf32.dll" Ibmmkaik.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Alfdcp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kaieai32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cnkifmfo.dll" Peapmhnk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Npngng32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfbljdjk.dll" Akhndf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Edfqclni.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Imkqmh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Egfglocf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Nhffikob.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hedllgjk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Olgboogb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mliibj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mnpbgbdd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Oakcan32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fokofpif.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Dhmchljg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgqmmiph.dll" Hqhiab32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gacdmc32.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hmfkbeoc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fgdfgd32.dll" Gghloe32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Lomidgkl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Omonmpcm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jilmkffb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Plneoace.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ccaipaho.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kneflplf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bcbedm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ahmcbk32.dll" Qamjmh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jmlank32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Joepjokm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gdkejjnc.dll" Ojakdd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Janjga32.dll" Pmgnan32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bfkakbpp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iioinckp.dll" Geplpfnh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Gcfioj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Plnbai32.dll" Jmqckf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Lhbjmg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Okdqnp32.dll" Fofhdidp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Lcqdidim.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hfohfk32.dll" Fagnmkjm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mbflok32.dll" Blcmbmip.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Agffkn32.dll" Eodknifb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ahllda32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibhkmf32.dll" Eganqo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kpnnbm32.dll" Phmiimlf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Eabgjeef.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Acemeo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aoecelol.dll" Bdbkaoce.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcdmpg32.dll" Cqlhlo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dbcnpk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Gllabp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Opfdim32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jhlgnd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eedmheda.dll" Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2544 wrote to memory of 2892 2544 f8a82b23b5b666c84102b1f7205305782cdb174edbc64bca5eecc592a775e9fc.exe 29 PID 2544 wrote to memory of 2892 2544 f8a82b23b5b666c84102b1f7205305782cdb174edbc64bca5eecc592a775e9fc.exe 29 PID 2544 wrote to memory of 2892 2544 f8a82b23b5b666c84102b1f7205305782cdb174edbc64bca5eecc592a775e9fc.exe 29 PID 2544 wrote to memory of 2892 2544 f8a82b23b5b666c84102b1f7205305782cdb174edbc64bca5eecc592a775e9fc.exe 29 PID 2892 wrote to memory of 2100 2892 Jcnmme32.exe 30 PID 2892 wrote to memory of 2100 2892 Jcnmme32.exe 30 PID 2892 wrote to memory of 2100 2892 Jcnmme32.exe 30 PID 2892 wrote to memory of 2100 2892 Jcnmme32.exe 30 PID 2100 wrote to memory of 2948 2100 Jdpidm32.exe 31 PID 2100 wrote to memory of 2948 2100 Jdpidm32.exe 31 PID 2100 wrote to memory of 2948 2100 Jdpidm32.exe 31 PID 2100 wrote to memory of 2948 2100 Jdpidm32.exe 31 PID 2948 wrote to memory of 2844 2948 Jnhnmckc.exe 32 PID 2948 wrote to memory of 2844 2948 Jnhnmckc.exe 32 PID 2948 wrote to memory of 2844 2948 Jnhnmckc.exe 32 PID 2948 wrote to memory of 2844 2948 Jnhnmckc.exe 32 PID 2844 wrote to memory of 1616 2844 Jgpbfh32.exe 33 PID 2844 wrote to memory of 1616 2844 Jgpbfh32.exe 33 PID 2844 wrote to memory of 1616 2844 Jgpbfh32.exe 33 PID 2844 wrote to memory of 1616 2844 Jgpbfh32.exe 33 PID 1616 wrote to memory of 1092 1616 Jhpopk32.exe 34 PID 1616 wrote to memory of 1092 1616 Jhpopk32.exe 34 PID 1616 wrote to memory of 1092 1616 Jhpopk32.exe 34 PID 1616 wrote to memory of 1092 1616 Jhpopk32.exe 34 PID 1092 wrote to memory of 1976 1092 Kpkcdn32.exe 35 PID 1092 wrote to memory of 1976 1092 Kpkcdn32.exe 35 PID 1092 wrote to memory of 1976 1092 Kpkcdn32.exe 35 PID 1092 wrote to memory of 1976 1092 Kpkcdn32.exe 35 PID 1976 wrote to memory of 2452 1976 Kjchmclb.exe 36 PID 1976 wrote to memory of 2452 1976 Kjchmclb.exe 36 PID 1976 wrote to memory of 2452 1976 Kjchmclb.exe 36 PID 1976 wrote to memory of 2452 1976 Kjchmclb.exe 36 PID 2452 wrote to memory of 3040 2452 Klbdiokf.exe 37 PID 2452 wrote to memory of 3040 2452 Klbdiokf.exe 37 PID 2452 wrote to memory of 3040 2452 Klbdiokf.exe 37 PID 2452 wrote to memory of 3040 2452 Klbdiokf.exe 37 PID 3040 wrote to memory of 2924 3040 Kldaon32.exe 38 PID 3040 wrote to memory of 2924 3040 Kldaon32.exe 38 PID 3040 wrote to memory of 2924 3040 Kldaon32.exe 38 PID 3040 wrote to memory of 2924 3040 Kldaon32.exe 38 PID 2924 wrote to memory of 1516 2924 Kgjelg32.exe 39 PID 2924 wrote to memory of 1516 2924 Kgjelg32.exe 39 PID 2924 wrote to memory of 1516 2924 Kgjelg32.exe 39 PID 2924 wrote to memory of 1516 2924 Kgjelg32.exe 39 PID 1516 wrote to memory of 1272 1516 Koejqi32.exe 40 PID 1516 wrote to memory of 1272 1516 Koejqi32.exe 40 PID 1516 wrote to memory of 1272 1516 Koejqi32.exe 40 PID 1516 wrote to memory of 1272 1516 Koejqi32.exe 40 PID 1272 wrote to memory of 1768 1272 Khmnio32.exe 41 PID 1272 wrote to memory of 1768 1272 Khmnio32.exe 41 PID 1272 wrote to memory of 1768 1272 Khmnio32.exe 41 PID 1272 wrote to memory of 1768 1272 Khmnio32.exe 41 PID 1768 wrote to memory of 2440 1768 Lfaocc32.exe 42 PID 1768 wrote to memory of 2440 1768 Lfaocc32.exe 42 PID 1768 wrote to memory of 2440 1768 Lfaocc32.exe 42 PID 1768 wrote to memory of 2440 1768 Lfaocc32.exe 42 PID 2440 wrote to memory of 1164 2440 Llkgpmck.exe 43 PID 2440 wrote to memory of 1164 2440 Llkgpmck.exe 43 PID 2440 wrote to memory of 1164 2440 Llkgpmck.exe 43 PID 2440 wrote to memory of 1164 2440 Llkgpmck.exe 43 PID 1164 wrote to memory of 620 1164 Lhbhdnio.exe 44 PID 1164 wrote to memory of 620 1164 Lhbhdnio.exe 44 PID 1164 wrote to memory of 620 1164 Lhbhdnio.exe 44 PID 1164 wrote to memory of 620 1164 Lhbhdnio.exe 44
Processes
-
C:\Users\Admin\AppData\Local\Temp\f8a82b23b5b666c84102b1f7205305782cdb174edbc64bca5eecc592a775e9fc.exe"C:\Users\Admin\AppData\Local\Temp\f8a82b23b5b666c84102b1f7205305782cdb174edbc64bca5eecc592a775e9fc.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2544 -
C:\Windows\SysWOW64\Jcnmme32.exeC:\Windows\system32\Jcnmme32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2892 -
C:\Windows\SysWOW64\Jdpidm32.exeC:\Windows\system32\Jdpidm32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2100 -
C:\Windows\SysWOW64\Jnhnmckc.exeC:\Windows\system32\Jnhnmckc.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2948 -
C:\Windows\SysWOW64\Jgpbfh32.exeC:\Windows\system32\Jgpbfh32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2844 -
C:\Windows\SysWOW64\Jhpopk32.exeC:\Windows\system32\Jhpopk32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1616 -
C:\Windows\SysWOW64\Kpkcdn32.exeC:\Windows\system32\Kpkcdn32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1092 -
C:\Windows\SysWOW64\Kjchmclb.exeC:\Windows\system32\Kjchmclb.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1976 -
C:\Windows\SysWOW64\Klbdiokf.exeC:\Windows\system32\Klbdiokf.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2452 -
C:\Windows\SysWOW64\Kldaon32.exeC:\Windows\system32\Kldaon32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3040 -
C:\Windows\SysWOW64\Kgjelg32.exeC:\Windows\system32\Kgjelg32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2924 -
C:\Windows\SysWOW64\Koejqi32.exeC:\Windows\system32\Koejqi32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1516 -
C:\Windows\SysWOW64\Khmnio32.exeC:\Windows\system32\Khmnio32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1272 -
C:\Windows\SysWOW64\Lfaocc32.exeC:\Windows\system32\Lfaocc32.exe14⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1768 -
C:\Windows\SysWOW64\Llkgpmck.exeC:\Windows\system32\Llkgpmck.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2440 -
C:\Windows\SysWOW64\Lhbhdnio.exeC:\Windows\system32\Lhbhdnio.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1164 -
C:\Windows\SysWOW64\Lnopmegg.exeC:\Windows\system32\Lnopmegg.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:620 -
C:\Windows\SysWOW64\Lggdfk32.exeC:\Windows\system32\Lggdfk32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1200 -
C:\Windows\SysWOW64\Ljeabf32.exeC:\Windows\system32\Ljeabf32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2420 -
C:\Windows\SysWOW64\Lgiakjld.exeC:\Windows\system32\Lgiakjld.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1548 -
C:\Windows\SysWOW64\Ljhngfkh.exeC:\Windows\system32\Ljhngfkh.exe21⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:3036 -
C:\Windows\SysWOW64\Lcpbpk32.exeC:\Windows\system32\Lcpbpk32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1788 -
C:\Windows\SysWOW64\Mnffnd32.exeC:\Windows\system32\Mnffnd32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2076 -
C:\Windows\SysWOW64\Mogcelgm.exeC:\Windows\system32\Mogcelgm.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2712 -
C:\Windows\SysWOW64\Mipgnbnn.exeC:\Windows\system32\Mipgnbnn.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2828 -
C:\Windows\SysWOW64\Mjodhe32.exeC:\Windows\system32\Mjodhe32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2444 -
C:\Windows\SysWOW64\Mibdcakk.exeC:\Windows\system32\Mibdcakk.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2912 -
C:\Windows\SysWOW64\Meidib32.exeC:\Windows\system32\Meidib32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2604 -
C:\Windows\SysWOW64\Mlbmem32.exeC:\Windows\system32\Mlbmem32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2656 -
C:\Windows\SysWOW64\Mbmebgpi.exeC:\Windows\system32\Mbmebgpi.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:3044 -
C:\Windows\SysWOW64\Mifmoa32.exeC:\Windows\system32\Mifmoa32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2456 -
C:\Windows\SysWOW64\Mginjnnp.exeC:\Windows\system32\Mginjnnp.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2268 -
C:\Windows\SysWOW64\Memncbmj.exeC:\Windows\system32\Memncbmj.exe33⤵
- Executes dropped EXE
PID:2908 -
C:\Windows\SysWOW64\Nlgfqldf.exeC:\Windows\system32\Nlgfqldf.exe34⤵
- Executes dropped EXE
PID:316 -
C:\Windows\SysWOW64\Nnfbmgcj.exeC:\Windows\system32\Nnfbmgcj.exe35⤵
- Executes dropped EXE
PID:2904 -
C:\Windows\SysWOW64\Nadoiccn.exeC:\Windows\system32\Nadoiccn.exe36⤵
- Executes dropped EXE
PID:2256 -
C:\Windows\SysWOW64\Ncbkenba.exeC:\Windows\system32\Ncbkenba.exe37⤵
- Executes dropped EXE
PID:2172 -
C:\Windows\SysWOW64\Nhngem32.exeC:\Windows\system32\Nhngem32.exe38⤵
- Executes dropped EXE
PID:2780 -
C:\Windows\SysWOW64\Nnhobgag.exeC:\Windows\system32\Nnhobgag.exe39⤵
- Executes dropped EXE
PID:1932 -
C:\Windows\SysWOW64\Nafknbqk.exeC:\Windows\system32\Nafknbqk.exe40⤵
- Executes dropped EXE
PID:764 -
C:\Windows\SysWOW64\Ndehjnpo.exeC:\Windows\system32\Ndehjnpo.exe41⤵
- Executes dropped EXE
PID:2564 -
C:\Windows\SysWOW64\Nfcdfiob.exeC:\Windows\system32\Nfcdfiob.exe42⤵
- Executes dropped EXE
PID:1436 -
C:\Windows\SysWOW64\Nnjlhg32.exeC:\Windows\system32\Nnjlhg32.exe43⤵
- Executes dropped EXE
PID:2084 -
C:\Windows\SysWOW64\Naihdb32.exeC:\Windows\system32\Naihdb32.exe44⤵
- Executes dropped EXE
PID:236 -
C:\Windows\SysWOW64\Ndgdpn32.exeC:\Windows\system32\Ndgdpn32.exe45⤵
- Executes dropped EXE
PID:1540 -
C:\Windows\SysWOW64\Nfeqli32.exeC:\Windows\system32\Nfeqli32.exe46⤵
- Executes dropped EXE
PID:3020 -
C:\Windows\SysWOW64\Nidmhd32.exeC:\Windows\system32\Nidmhd32.exe47⤵
- Executes dropped EXE
PID:2244 -
C:\Windows\SysWOW64\Nakeib32.exeC:\Windows\system32\Nakeib32.exe48⤵
- Executes dropped EXE
PID:2816 -
C:\Windows\SysWOW64\Nblaajbd.exeC:\Windows\system32\Nblaajbd.exe49⤵
- Executes dropped EXE
PID:1928 -
C:\Windows\SysWOW64\Njcibgcf.exeC:\Windows\system32\Njcibgcf.exe50⤵
- Executes dropped EXE
PID:2628 -
C:\Windows\SysWOW64\Nifjnd32.exeC:\Windows\system32\Nifjnd32.exe51⤵
- Executes dropped EXE
PID:2088 -
C:\Windows\SysWOW64\Oppbjn32.exeC:\Windows\system32\Oppbjn32.exe52⤵
- Executes dropped EXE
PID:2012 -
C:\Windows\SysWOW64\Odlnkmjg.exeC:\Windows\system32\Odlnkmjg.exe53⤵
- Executes dropped EXE
PID:2212 -
C:\Windows\SysWOW64\Ofjjghik.exeC:\Windows\system32\Ofjjghik.exe54⤵
- Executes dropped EXE
PID:2272 -
C:\Windows\SysWOW64\Oiifcdhn.exeC:\Windows\system32\Oiifcdhn.exe55⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2900 -
C:\Windows\SysWOW64\Olgboogb.exeC:\Windows\system32\Olgboogb.exe56⤵
- Executes dropped EXE
- Modifies registry class
PID:2700 -
C:\Windows\SysWOW64\Ooeolkff.exeC:\Windows\system32\Ooeolkff.exe57⤵
- Executes dropped EXE
PID:2052 -
C:\Windows\SysWOW64\Ofmgmhgh.exeC:\Windows\system32\Ofmgmhgh.exe58⤵
- Executes dropped EXE
PID:580 -
C:\Windows\SysWOW64\Oikcicfl.exeC:\Windows\system32\Oikcicfl.exe59⤵
- Executes dropped EXE
PID:544 -
C:\Windows\SysWOW64\Olioeoeo.exeC:\Windows\system32\Olioeoeo.exe60⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2384 -
C:\Windows\SysWOW64\Oohlaj32.exeC:\Windows\system32\Oohlaj32.exe61⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:992 -
C:\Windows\SysWOW64\Oafhmf32.exeC:\Windows\system32\Oafhmf32.exe62⤵
- Executes dropped EXE
PID:2152 -
C:\Windows\SysWOW64\Oebdndlp.exeC:\Windows\system32\Oebdndlp.exe63⤵
- Executes dropped EXE
PID:2408 -
C:\Windows\SysWOW64\Ollljo32.exeC:\Windows\system32\Ollljo32.exe64⤵
- Executes dropped EXE
PID:1868 -
C:\Windows\SysWOW64\Oojhfj32.exeC:\Windows\system32\Oojhfj32.exe65⤵
- Executes dropped EXE
PID:1004 -
C:\Windows\SysWOW64\Oahdce32.exeC:\Windows\system32\Oahdce32.exe66⤵PID:2508
-
C:\Windows\SysWOW64\Odgqoa32.exeC:\Windows\system32\Odgqoa32.exe67⤵PID:3012
-
C:\Windows\SysWOW64\Olnipn32.exeC:\Windows\system32\Olnipn32.exe68⤵PID:2848
-
C:\Windows\SysWOW64\Oolelj32.exeC:\Windows\system32\Oolelj32.exe69⤵
- Drops file in System32 directory
PID:2736 -
C:\Windows\SysWOW64\Oakaheoa.exeC:\Windows\system32\Oakaheoa.exe70⤵PID:1680
-
C:\Windows\SysWOW64\Pghjqlmi.exeC:\Windows\system32\Pghjqlmi.exe71⤵PID:3032
-
C:\Windows\SysWOW64\Pooaaink.exeC:\Windows\system32\Pooaaink.exe72⤵
- Drops file in System32 directory
PID:2576 -
C:\Windows\SysWOW64\Pamnnemo.exeC:\Windows\system32\Pamnnemo.exe73⤵
- System Location Discovery: System Language Discovery
PID:1504 -
C:\Windows\SysWOW64\Pdljjplb.exeC:\Windows\system32\Pdljjplb.exe74⤵PID:2388
-
C:\Windows\SysWOW64\Pgjfflkf.exeC:\Windows\system32\Pgjfflkf.exe75⤵PID:2928
-
C:\Windows\SysWOW64\Pihbbgjj.exeC:\Windows\system32\Pihbbgjj.exe76⤵PID:1068
-
C:\Windows\SysWOW64\Papkcd32.exeC:\Windows\system32\Papkcd32.exe77⤵PID:2168
-
C:\Windows\SysWOW64\Pcagkmaj.exeC:\Windows\system32\Pcagkmaj.exe78⤵PID:2228
-
C:\Windows\SysWOW64\Pkholjam.exeC:\Windows\system32\Pkholjam.exe79⤵PID:1096
-
C:\Windows\SysWOW64\Pnfkheap.exeC:\Windows\system32\Pnfkheap.exe80⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2056 -
C:\Windows\SysWOW64\Plildb32.exeC:\Windows\system32\Plildb32.exe81⤵PID:1808
-
C:\Windows\SysWOW64\Pccdqloh.exeC:\Windows\system32\Pccdqloh.exe82⤵PID:1784
-
C:\Windows\SysWOW64\Peapmhnk.exeC:\Windows\system32\Peapmhnk.exe83⤵
- Modifies registry class
PID:1736 -
C:\Windows\SysWOW64\Pimlmf32.exeC:\Windows\system32\Pimlmf32.exe84⤵PID:2732
-
C:\Windows\SysWOW64\Ppgdjqna.exeC:\Windows\system32\Ppgdjqna.exe85⤵
- System Location Discovery: System Language Discovery
PID:2612 -
C:\Windows\SysWOW64\Pceqfl32.exeC:\Windows\system32\Pceqfl32.exe86⤵
- Drops file in System32 directory
PID:2884 -
C:\Windows\SysWOW64\Pgamgken.exeC:\Windows\system32\Pgamgken.exe87⤵PID:2660
-
C:\Windows\SysWOW64\Phbinc32.exeC:\Windows\system32\Phbinc32.exe88⤵PID:3028
-
C:\Windows\SysWOW64\Plneoace.exeC:\Windows\system32\Plneoace.exe89⤵
- Modifies registry class
PID:1992 -
C:\Windows\SysWOW64\Ppiapp32.exeC:\Windows\system32\Ppiapp32.exe90⤵PID:2312
-
C:\Windows\SysWOW64\Qakmghbm.exeC:\Windows\system32\Qakmghbm.exe91⤵PID:2236
-
C:\Windows\SysWOW64\Qhdfdb32.exeC:\Windows\system32\Qhdfdb32.exe92⤵PID:272
-
C:\Windows\SysWOW64\Qlpadaac.exeC:\Windows\system32\Qlpadaac.exe93⤵PID:2396
-
C:\Windows\SysWOW64\Qoonqmqf.exeC:\Windows\system32\Qoonqmqf.exe94⤵PID:948
-
C:\Windows\SysWOW64\Qamjmh32.exeC:\Windows\system32\Qamjmh32.exe95⤵
- Modifies registry class
PID:936 -
C:\Windows\SysWOW64\Qdkfic32.exeC:\Windows\system32\Qdkfic32.exe96⤵PID:1800
-
C:\Windows\SysWOW64\Qlbnja32.exeC:\Windows\system32\Qlbnja32.exe97⤵PID:3052
-
C:\Windows\SysWOW64\Aoakfl32.exeC:\Windows\system32\Aoakfl32.exe98⤵PID:2756
-
C:\Windows\SysWOW64\Aaogbh32.exeC:\Windows\system32\Aaogbh32.exe99⤵PID:2824
-
C:\Windows\SysWOW64\Adncoc32.exeC:\Windows\system32\Adncoc32.exe100⤵PID:2724
-
C:\Windows\SysWOW64\Agloko32.exeC:\Windows\system32\Agloko32.exe101⤵PID:1608
-
C:\Windows\SysWOW64\Aocgll32.exeC:\Windows\system32\Aocgll32.exe102⤵PID:1776
-
C:\Windows\SysWOW64\Aqddcdbo.exeC:\Windows\system32\Aqddcdbo.exe103⤵PID:1484
-
C:\Windows\SysWOW64\Ahllda32.exeC:\Windows\system32\Ahllda32.exe104⤵
- Modifies registry class
PID:2024 -
C:\Windows\SysWOW64\Akjham32.exeC:\Windows\system32\Akjham32.exe105⤵PID:2176
-
C:\Windows\SysWOW64\Anhdmh32.exeC:\Windows\system32\Anhdmh32.exe106⤵PID:2296
-
C:\Windows\SysWOW64\Aqgqid32.exeC:\Windows\system32\Aqgqid32.exe107⤵PID:2560
-
C:\Windows\SysWOW64\Acemeo32.exeC:\Windows\system32\Acemeo32.exe108⤵
- Modifies registry class
PID:2472 -
C:\Windows\SysWOW64\Aklefm32.exeC:\Windows\system32\Aklefm32.exe109⤵PID:2156
-
C:\Windows\SysWOW64\Ajoebigm.exeC:\Windows\system32\Ajoebigm.exe110⤵PID:572
-
C:\Windows\SysWOW64\Aqimoc32.exeC:\Windows\system32\Aqimoc32.exe111⤵PID:2856
-
C:\Windows\SysWOW64\Achikonn.exeC:\Windows\system32\Achikonn.exe112⤵
- System Location Discovery: System Language Discovery
PID:2768 -
C:\Windows\SysWOW64\Afffgjma.exeC:\Windows\system32\Afffgjma.exe113⤵PID:2060
-
C:\Windows\SysWOW64\Anmnhhmd.exeC:\Windows\system32\Anmnhhmd.exe114⤵PID:2372
-
C:\Windows\SysWOW64\Aqljdclg.exeC:\Windows\system32\Aqljdclg.exe115⤵PID:1108
-
C:\Windows\SysWOW64\Acjfpokk.exeC:\Windows\system32\Acjfpokk.exe116⤵PID:2040
-
C:\Windows\SysWOW64\Afhbljko.exeC:\Windows\system32\Afhbljko.exe117⤵PID:780
-
C:\Windows\SysWOW64\Bmbkid32.exeC:\Windows\system32\Bmbkid32.exe118⤵PID:2432
-
C:\Windows\SysWOW64\Bqngjcje.exeC:\Windows\system32\Bqngjcje.exe119⤵PID:944
-
C:\Windows\SysWOW64\Boqgep32.exeC:\Windows\system32\Boqgep32.exe120⤵PID:2852
-
C:\Windows\SysWOW64\Bfkobj32.exeC:\Windows\system32\Bfkobj32.exe121⤵PID:1628
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-