Analysis
-
max time kernel
100s -
max time network
19s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
20-09-2024 18:37
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
1a0db5a185e7d23b175d01510addfcb924e549d4c7bd9290deb365e32f077aef.exe
Resource
win7-20240903-en
windows7-x64
8 signatures
150 seconds
Behavioral task
behavioral2
Sample
1a0db5a185e7d23b175d01510addfcb924e549d4c7bd9290deb365e32f077aef.exe
Resource
win10v2004-20240910-en
windows10-2004-x64
7 signatures
150 seconds
General
-
Target
1a0db5a185e7d23b175d01510addfcb924e549d4c7bd9290deb365e32f077aef.exe
-
Size
108KB
-
MD5
f86dd7bb47763d071980b59bb62327dd
-
SHA1
906dd7c488da8d224a2efa4c98e4f79cec4145b5
-
SHA256
1a0db5a185e7d23b175d01510addfcb924e549d4c7bd9290deb365e32f077aef
-
SHA512
bd4ee9adb149d8bb129692b650d86062fb0fdb2636f77a4851a0ece697ab5608ec39908a94e0180f687fcb5a69c0cf9779bd36b4659287b0efb2ecf3d78ba8a1
-
SSDEEP
1536:J5YkuzZa8oyJ1n1WoPsmAMwB+rjm8NiIqhn3HQ8BawTj2wQ3K:J5Ykutn1nuxUjmOiBn3w8BdTj2h3K
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fcckjb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hdeekjmc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hfgbbb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iankbldh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jgllof32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Plgmabke.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jnmlgpeo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Likbap32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fgjnpb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Khgnff32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jbnhmdmn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oldajoho.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cgcoal32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ikfffh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hdmdcc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bdogceln.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gpdfph32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Djaiho32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nblpbeob.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pfadke32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Inmdjjok.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kacenp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iniebmfg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kjfhgp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Elmoqlmh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gdflepqo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fnoiqpqk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hojeka32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Linanl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mooppe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mjicdl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aklgabbh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dpanffhn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oqdioaqf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Icadpd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mphhbblp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qlkcjadb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hqdeciho.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gonlld32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cgcoal32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hojeka32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Djaiho32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gcnleahm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Joajdmma.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Adjkol32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hdeekjmc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ggldlpoc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pbaebh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Djokgk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nbknjm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aiaqie32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ifecen32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mfmekd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nlnlcg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qokjcc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Omddohbm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dpldkf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bnpoaeek.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Blplkp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bbegkn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dlblmh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fdfpfm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mlbokapi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jobnej32.exe -
Executes dropped EXE 64 IoCs
pid Process 1160 Cdjckfda.exe 2200 Ckdlgq32.exe 2828 Cpadpg32.exe 2580 Cgklma32.exe 2600 Ccamabgg.exe 2572 Dpenkgfq.exe 3056 Dllnphkd.exe 1640 Dbighojl.exe 2396 Dkakad32.exe 2876 Dfgpnm32.exe 1816 Dopdgb32.exe 684 Dbpmin32.exe 1752 Ecdffe32.exe 2392 Enijcn32.exe 2164 Efdohq32.exe 1960 Epmcqf32.exe 696 Eiehilaa.exe 1052 Epopff32.exe 2348 Emcqpjhh.exe 832 Fenedlec.exe 1800 Fbbfmqdm.exe 2288 Fagcnmie.exe 2360 Fjpggb32.exe 2292 Ffghlcei.exe 296 Fpoleilj.exe 1464 Gaoiol32.exe 2804 Gpdfph32.exe 2364 Geqnho32.exe 2784 Gbdobc32.exe 764 Geehcoaf.exe 2608 Gonlld32.exe 2748 Hlamfh32.exe 2648 Hgknffcp.exe 2640 Hmefcp32.exe 3048 Hgnjlfam.exe 3044 Hgpgae32.exe 592 Hddgkj32.exe 2908 Ijcmipjh.exe 2184 Iopeagip.exe 2676 Ikfffh32.exe 2340 Idojon32.exe 276 Ifngiqlg.exe 1856 Injlmcib.exe 2224 Ihopjl32.exe 2548 Jjqlbdog.exe 2036 Jqjdon32.exe 1388 Jkpilg32.exe 628 Jqmadn32.exe 2216 Jggiah32.exe 1300 Jnqanbcj.exe 2160 Jobnej32.exe 2800 Jijbnppi.exe 2620 Jcpglhpo.exe 2976 Kmeknakn.exe 2588 Lafpipoa.exe 940 Licbca32.exe 2956 Lejbhbpn.exe 2632 Lobgah32.exe 1632 Mihkoa32.exe 1516 Mbqpgf32.exe 2076 Mogqlgbi.exe 3040 Meaiia32.exe 108 Mojmbg32.exe 1684 Mdfejn32.exe -
Loads dropped DLL 64 IoCs
pid Process 2960 1a0db5a185e7d23b175d01510addfcb924e549d4c7bd9290deb365e32f077aef.exe 2960 1a0db5a185e7d23b175d01510addfcb924e549d4c7bd9290deb365e32f077aef.exe 1160 Cdjckfda.exe 1160 Cdjckfda.exe 2200 Ckdlgq32.exe 2200 Ckdlgq32.exe 2828 Cpadpg32.exe 2828 Cpadpg32.exe 2580 Cgklma32.exe 2580 Cgklma32.exe 2600 Ccamabgg.exe 2600 Ccamabgg.exe 2572 Dpenkgfq.exe 2572 Dpenkgfq.exe 3056 Dllnphkd.exe 3056 Dllnphkd.exe 1640 Dbighojl.exe 1640 Dbighojl.exe 2396 Dkakad32.exe 2396 Dkakad32.exe 2876 Dfgpnm32.exe 2876 Dfgpnm32.exe 1816 Dopdgb32.exe 1816 Dopdgb32.exe 684 Dbpmin32.exe 684 Dbpmin32.exe 1752 Ecdffe32.exe 1752 Ecdffe32.exe 2392 Enijcn32.exe 2392 Enijcn32.exe 2164 Efdohq32.exe 2164 Efdohq32.exe 1960 Epmcqf32.exe 1960 Epmcqf32.exe 696 Eiehilaa.exe 696 Eiehilaa.exe 1052 Epopff32.exe 1052 Epopff32.exe 2348 Emcqpjhh.exe 2348 Emcqpjhh.exe 832 Fenedlec.exe 832 Fenedlec.exe 1800 Fbbfmqdm.exe 1800 Fbbfmqdm.exe 2288 Fagcnmie.exe 2288 Fagcnmie.exe 2360 Fjpggb32.exe 2360 Fjpggb32.exe 2292 Ffghlcei.exe 2292 Ffghlcei.exe 296 Fpoleilj.exe 296 Fpoleilj.exe 1464 Gaoiol32.exe 1464 Gaoiol32.exe 2804 Gpdfph32.exe 2804 Gpdfph32.exe 2364 Geqnho32.exe 2364 Geqnho32.exe 2784 Gbdobc32.exe 2784 Gbdobc32.exe 764 Geehcoaf.exe 764 Geehcoaf.exe 2608 Gonlld32.exe 2608 Gonlld32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Npdohg32.exe Nikflm32.exe File created C:\Windows\SysWOW64\Ffmoim32.dll Eklicjkf.exe File created C:\Windows\SysWOW64\Lnjnocob.dll Mjicdl32.exe File opened for modification C:\Windows\SysWOW64\Lcmdlgoj.exe Kmqldpab.exe File created C:\Windows\SysWOW64\Gogipbln.exe Ggldlpoc.exe File opened for modification C:\Windows\SysWOW64\Jobnej32.exe Jnqanbcj.exe File created C:\Windows\SysWOW64\Eeekfj32.dll Mihkoa32.exe File created C:\Windows\SysWOW64\Eenbnl32.dll Jfffmo32.exe File opened for modification C:\Windows\SysWOW64\Odpghiqc.exe Oijbkpqm.exe File created C:\Windows\SysWOW64\Cfgeap32.dll Ieokjbkp.exe File created C:\Windows\SysWOW64\Mokgqjaa.exe Mhaodqje.exe File opened for modification C:\Windows\SysWOW64\Gadkmj32.exe Ghlgdecf.exe File created C:\Windows\SysWOW64\Ofdqpj32.dll Lpadek32.exe File opened for modification C:\Windows\SysWOW64\Ndofjq32.exe Nnenmfbd.exe File created C:\Windows\SysWOW64\Ohmneokp.exe Oeobidll.exe File opened for modification C:\Windows\SysWOW64\Akbmqmgg.exe Aiaqie32.exe File created C:\Windows\SysWOW64\Ebgifo32.exe Eioemj32.exe File opened for modification C:\Windows\SysWOW64\Bbdakh32.exe Aljinncb.exe File opened for modification C:\Windows\SysWOW64\Aaqnmbdd.exe Aghidl32.exe File opened for modification C:\Windows\SysWOW64\Knapen32.exe Kfflal32.exe File created C:\Windows\SysWOW64\Kcmbco32.exe Khgnff32.exe File opened for modification C:\Windows\SysWOW64\Ogbkakeo.exe Oqhcda32.exe File created C:\Windows\SysWOW64\Jfdgpj32.dll Hgnjlfam.exe File created C:\Windows\SysWOW64\Mmolll32.exe Mfedobef.exe File created C:\Windows\SysWOW64\Gmlokdgp.exe Gqenfc32.exe File created C:\Windows\SysWOW64\Bnqnai32.dll Kfknpj32.exe File created C:\Windows\SysWOW64\Hkpgjl32.dll Ljafifbh.exe File created C:\Windows\SysWOW64\Bfdhdj32.exe Bnmpcmpi.exe File created C:\Windows\SysWOW64\Qbboakna.exe Pmefidoj.exe File opened for modification C:\Windows\SysWOW64\Lmkgajnm.exe Ldpbmg32.exe File created C:\Windows\SysWOW64\Nfebbh32.dll Plnhbk32.exe File created C:\Windows\SysWOW64\Omnapi32.exe Npjage32.exe File created C:\Windows\SysWOW64\Oimaih32.exe Oabmef32.exe File created C:\Windows\SysWOW64\Dapafl32.dll Dopdgb32.exe File created C:\Windows\SysWOW64\Ghlgdecf.exe Gabohk32.exe File created C:\Windows\SysWOW64\Mfbnfcli.exe Mjknab32.exe File created C:\Windows\SysWOW64\Ijekcf32.dll Ldpbmg32.exe File created C:\Windows\SysWOW64\Elgmbnfn.exe Dcohih32.exe File opened for modification C:\Windows\SysWOW64\Giiibqdp.exe Gndedhdj.exe File opened for modification C:\Windows\SysWOW64\Fnodob32.exe Fdfpfm32.exe File opened for modification C:\Windows\SysWOW64\Ilbnfmhd.exe Icgibkki.exe File opened for modification C:\Windows\SysWOW64\Ahnjefcd.exe Acabmpem.exe File created C:\Windows\SysWOW64\Nbhjnbgh.dll Fpjmkhbo.exe File opened for modification C:\Windows\SysWOW64\Ahijpa32.exe Aaobcg32.exe File created C:\Windows\SysWOW64\Npgngokp.exe Nfoinj32.exe File created C:\Windows\SysWOW64\Djaiho32.exe Dpldkf32.exe File opened for modification C:\Windows\SysWOW64\Efkfbp32.exe Dpanffhn.exe File created C:\Windows\SysWOW64\Pfdaae32.exe Pmlmhodi.exe File opened for modification C:\Windows\SysWOW64\Phgjnm32.exe Pbkbff32.exe File created C:\Windows\SysWOW64\Bhcfiogc.exe Bllednao.exe File created C:\Windows\SysWOW64\Jlbgkjec.dll Mpflmbnc.exe File opened for modification C:\Windows\SysWOW64\Djokgk32.exe Cnhjbjam.exe File created C:\Windows\SysWOW64\Ibfkoi32.dll Fdldmokn.exe File created C:\Windows\SysWOW64\Hgagdp32.dll Kpmkjlbi.exe File created C:\Windows\SysWOW64\Mqfjpnmj.exe Mfpfbemc.exe File created C:\Windows\SysWOW64\Jlodfmqd.dll Gjmnmk32.exe File opened for modification C:\Windows\SysWOW64\Eiehilaa.exe Epmcqf32.exe File created C:\Windows\SysWOW64\Oboldi32.dll Laokdekd.exe File opened for modification C:\Windows\SysWOW64\Hmqjoljn.exe Hfgbbb32.exe File created C:\Windows\SysWOW64\Nnephdoi.dll Jbnhmdmn.exe File created C:\Windows\SysWOW64\Kogjib32.exe Jjjaak32.exe File created C:\Windows\SysWOW64\Lhlgaedj.exe Lcooinfc.exe File created C:\Windows\SysWOW64\Pekffp32.exe Ppkahi32.exe File created C:\Windows\SysWOW64\Pmngef32.exe Pdebladb.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 2240 2748 WerFault.exe 879 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qjaejbmq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bggohi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Efkfbp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Akbmqmgg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Efdohq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lnhmqc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Alojlgii.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dpfblh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kmqldpab.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kigkmmql.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hnimgcjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Adkaib32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qiclcp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ppafopqq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Idaimfjf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jedeea32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cocnanmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cgppep32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hecedmaa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iaaqkkme.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pncgjl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fpjmkhbo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hnocgnoc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mdfejn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fkfcdpfg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dpldkf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Koogdg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ejnqkh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aaiamamk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ihgcof32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cgkoejig.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kjfhgp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pnebgcqb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jhjnmb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pjpdlj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eiehilaa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fhpajd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bgkppkih.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Knlpphnd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mpeidjfo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ikafpbon.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qbboakna.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kjngjj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Flfbfken.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qpnkjq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aalcdngp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iekbob32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hfbfpnel.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lalchnfl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kodhbe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lcmdlgoj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hgnjlfam.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gqenfc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Donijk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cleaebna.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cmkkhfmn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hdbmnchk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cmabhfca.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ejjhlmqa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hgnnpc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jepnck32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Odkkdqmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pnphlc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Belfldoh.exe -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Phfaknce.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ijacgnjj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kfflal32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fljhojnk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ahefmala.dll" Gegecopf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fhopbf32.dll" Qiclcp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ilfeidmk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fdldmokn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ahnjefcd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ggfdldll.dll" Ajelmiag.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Khgenplk.dll" Mpeidjfo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kfknpj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mochmm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cdfmddff.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hpnbjfjj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cmcjldbf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Npekpg32.dll" Ieglfd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cjliihgg.dll" Lmkgajnm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Madiaabn.dll" Fndfmljk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ikafpbon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Laifbnho.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fbbfmqdm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Legnoo32.dll" Hjiiemaj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jfbnmckp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bclbnhmo.dll" Conmkh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kdpeplpn.dll" Hnbhpl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jnieah32.dll" Pdebladb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Poglgb32.dll" Omnapi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Olkebejb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ccehgb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mcjmkdpl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jiojjk32.dll" Giiibqdp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jibdff32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kpgpfdoj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mfmekd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Anqeihcn.dll" Qjaejbmq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nbnkomel.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fgpcgi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Akoghnnj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cflffnhn.dll" Efdohq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bamdcf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bbegkn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jnmlgpeo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fhlpnbfi.dll" Eeemol32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hoopdo32.dll" Heqhon32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nnenmfbd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nclfpg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bllednao.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ecdnkl32.dll" Ppafopqq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcpbpgch.dll" Qfpggjdh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fldgjd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jiecdn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Befkimha.dll" Kpenogee.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fagbad32.dll" Mogqlgbi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ceqlff32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Apbkag32.dll" Gmkgqncd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Idofmp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ecdkgg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Agjahooi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bjlnnp32.dll" Bdidegec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Efkfbp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kpipkb32.dll" Gdlbdken.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hgnjlfam.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pgfpoimj.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2960 wrote to memory of 1160 2960 1a0db5a185e7d23b175d01510addfcb924e549d4c7bd9290deb365e32f077aef.exe 29 PID 2960 wrote to memory of 1160 2960 1a0db5a185e7d23b175d01510addfcb924e549d4c7bd9290deb365e32f077aef.exe 29 PID 2960 wrote to memory of 1160 2960 1a0db5a185e7d23b175d01510addfcb924e549d4c7bd9290deb365e32f077aef.exe 29 PID 2960 wrote to memory of 1160 2960 1a0db5a185e7d23b175d01510addfcb924e549d4c7bd9290deb365e32f077aef.exe 29 PID 1160 wrote to memory of 2200 1160 Cdjckfda.exe 30 PID 1160 wrote to memory of 2200 1160 Cdjckfda.exe 30 PID 1160 wrote to memory of 2200 1160 Cdjckfda.exe 30 PID 1160 wrote to memory of 2200 1160 Cdjckfda.exe 30 PID 2200 wrote to memory of 2828 2200 Ckdlgq32.exe 31 PID 2200 wrote to memory of 2828 2200 Ckdlgq32.exe 31 PID 2200 wrote to memory of 2828 2200 Ckdlgq32.exe 31 PID 2200 wrote to memory of 2828 2200 Ckdlgq32.exe 31 PID 2828 wrote to memory of 2580 2828 Cpadpg32.exe 32 PID 2828 wrote to memory of 2580 2828 Cpadpg32.exe 32 PID 2828 wrote to memory of 2580 2828 Cpadpg32.exe 32 PID 2828 wrote to memory of 2580 2828 Cpadpg32.exe 32 PID 2580 wrote to memory of 2600 2580 Cgklma32.exe 33 PID 2580 wrote to memory of 2600 2580 Cgklma32.exe 33 PID 2580 wrote to memory of 2600 2580 Cgklma32.exe 33 PID 2580 wrote to memory of 2600 2580 Cgklma32.exe 33 PID 2600 wrote to memory of 2572 2600 Ccamabgg.exe 34 PID 2600 wrote to memory of 2572 2600 Ccamabgg.exe 34 PID 2600 wrote to memory of 2572 2600 Ccamabgg.exe 34 PID 2600 wrote to memory of 2572 2600 Ccamabgg.exe 34 PID 2572 wrote to memory of 3056 2572 Dpenkgfq.exe 35 PID 2572 wrote to memory of 3056 2572 Dpenkgfq.exe 35 PID 2572 wrote to memory of 3056 2572 Dpenkgfq.exe 35 PID 2572 wrote to memory of 3056 2572 Dpenkgfq.exe 35 PID 3056 wrote to memory of 1640 3056 Dllnphkd.exe 36 PID 3056 wrote to memory of 1640 3056 Dllnphkd.exe 36 PID 3056 wrote to memory of 1640 3056 Dllnphkd.exe 36 PID 3056 wrote to memory of 1640 3056 Dllnphkd.exe 36 PID 1640 wrote to memory of 2396 1640 Dbighojl.exe 37 PID 1640 wrote to memory of 2396 1640 Dbighojl.exe 37 PID 1640 wrote to memory of 2396 1640 Dbighojl.exe 37 PID 1640 wrote to memory of 2396 1640 Dbighojl.exe 37 PID 2396 wrote to memory of 2876 2396 Dkakad32.exe 38 PID 2396 wrote to memory of 2876 2396 Dkakad32.exe 38 PID 2396 wrote to memory of 2876 2396 Dkakad32.exe 38 PID 2396 wrote to memory of 2876 2396 Dkakad32.exe 38 PID 2876 wrote to memory of 1816 2876 Dfgpnm32.exe 39 PID 2876 wrote to memory of 1816 2876 Dfgpnm32.exe 39 PID 2876 wrote to memory of 1816 2876 Dfgpnm32.exe 39 PID 2876 wrote to memory of 1816 2876 Dfgpnm32.exe 39 PID 1816 wrote to memory of 684 1816 Dopdgb32.exe 40 PID 1816 wrote to memory of 684 1816 Dopdgb32.exe 40 PID 1816 wrote to memory of 684 1816 Dopdgb32.exe 40 PID 1816 wrote to memory of 684 1816 Dopdgb32.exe 40 PID 684 wrote to memory of 1752 684 Dbpmin32.exe 41 PID 684 wrote to memory of 1752 684 Dbpmin32.exe 41 PID 684 wrote to memory of 1752 684 Dbpmin32.exe 41 PID 684 wrote to memory of 1752 684 Dbpmin32.exe 41 PID 1752 wrote to memory of 2392 1752 Ecdffe32.exe 42 PID 1752 wrote to memory of 2392 1752 Ecdffe32.exe 42 PID 1752 wrote to memory of 2392 1752 Ecdffe32.exe 42 PID 1752 wrote to memory of 2392 1752 Ecdffe32.exe 42 PID 2392 wrote to memory of 2164 2392 Enijcn32.exe 43 PID 2392 wrote to memory of 2164 2392 Enijcn32.exe 43 PID 2392 wrote to memory of 2164 2392 Enijcn32.exe 43 PID 2392 wrote to memory of 2164 2392 Enijcn32.exe 43 PID 2164 wrote to memory of 1960 2164 Efdohq32.exe 44 PID 2164 wrote to memory of 1960 2164 Efdohq32.exe 44 PID 2164 wrote to memory of 1960 2164 Efdohq32.exe 44 PID 2164 wrote to memory of 1960 2164 Efdohq32.exe 44
Processes
-
C:\Users\Admin\AppData\Local\Temp\1a0db5a185e7d23b175d01510addfcb924e549d4c7bd9290deb365e32f077aef.exe"C:\Users\Admin\AppData\Local\Temp\1a0db5a185e7d23b175d01510addfcb924e549d4c7bd9290deb365e32f077aef.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2960 -
C:\Windows\SysWOW64\Cdjckfda.exeC:\Windows\system32\Cdjckfda.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1160 -
C:\Windows\SysWOW64\Ckdlgq32.exeC:\Windows\system32\Ckdlgq32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2200 -
C:\Windows\SysWOW64\Cpadpg32.exeC:\Windows\system32\Cpadpg32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2828 -
C:\Windows\SysWOW64\Cgklma32.exeC:\Windows\system32\Cgklma32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2580 -
C:\Windows\SysWOW64\Ccamabgg.exeC:\Windows\system32\Ccamabgg.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2600 -
C:\Windows\SysWOW64\Dpenkgfq.exeC:\Windows\system32\Dpenkgfq.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2572 -
C:\Windows\SysWOW64\Dllnphkd.exeC:\Windows\system32\Dllnphkd.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3056 -
C:\Windows\SysWOW64\Dbighojl.exeC:\Windows\system32\Dbighojl.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1640 -
C:\Windows\SysWOW64\Dkakad32.exeC:\Windows\system32\Dkakad32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2396 -
C:\Windows\SysWOW64\Dfgpnm32.exeC:\Windows\system32\Dfgpnm32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2876 -
C:\Windows\SysWOW64\Dopdgb32.exeC:\Windows\system32\Dopdgb32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1816 -
C:\Windows\SysWOW64\Dbpmin32.exeC:\Windows\system32\Dbpmin32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:684 -
C:\Windows\SysWOW64\Ecdffe32.exeC:\Windows\system32\Ecdffe32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1752 -
C:\Windows\SysWOW64\Enijcn32.exeC:\Windows\system32\Enijcn32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2392 -
C:\Windows\SysWOW64\Efdohq32.exeC:\Windows\system32\Efdohq32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2164 -
C:\Windows\SysWOW64\Epmcqf32.exeC:\Windows\system32\Epmcqf32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1960 -
C:\Windows\SysWOW64\Eiehilaa.exeC:\Windows\system32\Eiehilaa.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:696 -
C:\Windows\SysWOW64\Epopff32.exeC:\Windows\system32\Epopff32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1052 -
C:\Windows\SysWOW64\Emcqpjhh.exeC:\Windows\system32\Emcqpjhh.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2348 -
C:\Windows\SysWOW64\Fenedlec.exeC:\Windows\system32\Fenedlec.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:832 -
C:\Windows\SysWOW64\Fbbfmqdm.exeC:\Windows\system32\Fbbfmqdm.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1800 -
C:\Windows\SysWOW64\Fagcnmie.exeC:\Windows\system32\Fagcnmie.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2288 -
C:\Windows\SysWOW64\Fjpggb32.exeC:\Windows\system32\Fjpggb32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2360 -
C:\Windows\SysWOW64\Ffghlcei.exeC:\Windows\system32\Ffghlcei.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2292 -
C:\Windows\SysWOW64\Fpoleilj.exeC:\Windows\system32\Fpoleilj.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:296 -
C:\Windows\SysWOW64\Gaoiol32.exeC:\Windows\system32\Gaoiol32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1464 -
C:\Windows\SysWOW64\Gpdfph32.exeC:\Windows\system32\Gpdfph32.exe28⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2804 -
C:\Windows\SysWOW64\Geqnho32.exeC:\Windows\system32\Geqnho32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2364 -
C:\Windows\SysWOW64\Gbdobc32.exeC:\Windows\system32\Gbdobc32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2784 -
C:\Windows\SysWOW64\Geehcoaf.exeC:\Windows\system32\Geehcoaf.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:764 -
C:\Windows\SysWOW64\Gonlld32.exeC:\Windows\system32\Gonlld32.exe32⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2608 -
C:\Windows\SysWOW64\Hlamfh32.exeC:\Windows\system32\Hlamfh32.exe33⤵
- Executes dropped EXE
PID:2748 -
C:\Windows\SysWOW64\Hgknffcp.exeC:\Windows\system32\Hgknffcp.exe34⤵
- Executes dropped EXE
PID:2648 -
C:\Windows\SysWOW64\Hmefcp32.exeC:\Windows\system32\Hmefcp32.exe35⤵
- Executes dropped EXE
PID:2640 -
C:\Windows\SysWOW64\Hgnjlfam.exeC:\Windows\system32\Hgnjlfam.exe36⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:3048 -
C:\Windows\SysWOW64\Hgpgae32.exeC:\Windows\system32\Hgpgae32.exe37⤵
- Executes dropped EXE
PID:3044 -
C:\Windows\SysWOW64\Hddgkj32.exeC:\Windows\system32\Hddgkj32.exe38⤵
- Executes dropped EXE
PID:592 -
C:\Windows\SysWOW64\Ijcmipjh.exeC:\Windows\system32\Ijcmipjh.exe39⤵
- Executes dropped EXE
PID:2908 -
C:\Windows\SysWOW64\Iopeagip.exeC:\Windows\system32\Iopeagip.exe40⤵
- Executes dropped EXE
PID:2184 -
C:\Windows\SysWOW64\Ikfffh32.exeC:\Windows\system32\Ikfffh32.exe41⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2676 -
C:\Windows\SysWOW64\Idojon32.exeC:\Windows\system32\Idojon32.exe42⤵
- Executes dropped EXE
PID:2340 -
C:\Windows\SysWOW64\Ifngiqlg.exeC:\Windows\system32\Ifngiqlg.exe43⤵
- Executes dropped EXE
PID:276 -
C:\Windows\SysWOW64\Injlmcib.exeC:\Windows\system32\Injlmcib.exe44⤵
- Executes dropped EXE
PID:1856 -
C:\Windows\SysWOW64\Ihopjl32.exeC:\Windows\system32\Ihopjl32.exe45⤵
- Executes dropped EXE
PID:2224 -
C:\Windows\SysWOW64\Jjqlbdog.exeC:\Windows\system32\Jjqlbdog.exe46⤵
- Executes dropped EXE
PID:2548 -
C:\Windows\SysWOW64\Jqjdon32.exeC:\Windows\system32\Jqjdon32.exe47⤵
- Executes dropped EXE
PID:2036 -
C:\Windows\SysWOW64\Jkpilg32.exeC:\Windows\system32\Jkpilg32.exe48⤵
- Executes dropped EXE
PID:1388 -
C:\Windows\SysWOW64\Jqmadn32.exeC:\Windows\system32\Jqmadn32.exe49⤵
- Executes dropped EXE
PID:628 -
C:\Windows\SysWOW64\Jggiah32.exeC:\Windows\system32\Jggiah32.exe50⤵
- Executes dropped EXE
PID:2216 -
C:\Windows\SysWOW64\Jnqanbcj.exeC:\Windows\system32\Jnqanbcj.exe51⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1300 -
C:\Windows\SysWOW64\Jobnej32.exeC:\Windows\system32\Jobnej32.exe52⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2160 -
C:\Windows\SysWOW64\Jijbnppi.exeC:\Windows\system32\Jijbnppi.exe53⤵
- Executes dropped EXE
PID:2800 -
C:\Windows\SysWOW64\Jcpglhpo.exeC:\Windows\system32\Jcpglhpo.exe54⤵
- Executes dropped EXE
PID:2620 -
C:\Windows\SysWOW64\Kmeknakn.exeC:\Windows\system32\Kmeknakn.exe55⤵
- Executes dropped EXE
PID:2976 -
C:\Windows\SysWOW64\Lafpipoa.exeC:\Windows\system32\Lafpipoa.exe56⤵
- Executes dropped EXE
PID:2588 -
C:\Windows\SysWOW64\Licbca32.exeC:\Windows\system32\Licbca32.exe57⤵
- Executes dropped EXE
PID:940 -
C:\Windows\SysWOW64\Lejbhbpn.exeC:\Windows\system32\Lejbhbpn.exe58⤵
- Executes dropped EXE
PID:2956 -
C:\Windows\SysWOW64\Lobgah32.exeC:\Windows\system32\Lobgah32.exe59⤵
- Executes dropped EXE
PID:2632 -
C:\Windows\SysWOW64\Mihkoa32.exeC:\Windows\system32\Mihkoa32.exe60⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1632 -
C:\Windows\SysWOW64\Mbqpgf32.exeC:\Windows\system32\Mbqpgf32.exe61⤵
- Executes dropped EXE
PID:1516 -
C:\Windows\SysWOW64\Mogqlgbi.exeC:\Windows\system32\Mogqlgbi.exe62⤵
- Executes dropped EXE
- Modifies registry class
PID:2076 -
C:\Windows\SysWOW64\Meaiia32.exeC:\Windows\system32\Meaiia32.exe63⤵
- Executes dropped EXE
PID:3040 -
C:\Windows\SysWOW64\Mojmbg32.exeC:\Windows\system32\Mojmbg32.exe64⤵
- Executes dropped EXE
PID:108 -
C:\Windows\SysWOW64\Mdfejn32.exeC:\Windows\system32\Mdfejn32.exe65⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1684 -
C:\Windows\SysWOW64\Micnbe32.exeC:\Windows\system32\Micnbe32.exe66⤵PID:2400
-
C:\Windows\SysWOW64\Miekhd32.exeC:\Windows\system32\Miekhd32.exe67⤵PID:2496
-
C:\Windows\SysWOW64\Ndkoemji.exeC:\Windows\system32\Ndkoemji.exe68⤵PID:1644
-
C:\Windows\SysWOW64\Nmccnc32.exeC:\Windows\system32\Nmccnc32.exe69⤵PID:2152
-
C:\Windows\SysWOW64\Ncplfj32.exeC:\Windows\system32\Ncplfj32.exe70⤵PID:904
-
C:\Windows\SysWOW64\Nijdcdgn.exeC:\Windows\system32\Nijdcdgn.exe71⤵PID:2696
-
C:\Windows\SysWOW64\Neaehelb.exeC:\Windows\system32\Neaehelb.exe72⤵PID:2780
-
C:\Windows\SysWOW64\Nceeaikk.exeC:\Windows\system32\Nceeaikk.exe73⤵PID:1400
-
C:\Windows\SysWOW64\Nhbnjpic.exeC:\Windows\system32\Nhbnjpic.exe74⤵PID:2244
-
C:\Windows\SysWOW64\Najbbepc.exeC:\Windows\system32\Najbbepc.exe75⤵PID:2592
-
C:\Windows\SysWOW64\Oggkklnk.exeC:\Windows\system32\Oggkklnk.exe76⤵PID:1140
-
C:\Windows\SysWOW64\Odkkdqmd.exeC:\Windows\system32\Odkkdqmd.exe77⤵
- System Location Discovery: System Language Discovery
PID:1680 -
C:\Windows\SysWOW64\Okecak32.exeC:\Windows\system32\Okecak32.exe78⤵PID:2820
-
C:\Windows\SysWOW64\Oqaliabh.exeC:\Windows\system32\Oqaliabh.exe79⤵PID:2060
-
C:\Windows\SysWOW64\Okgpfjbo.exeC:\Windows\system32\Okgpfjbo.exe80⤵PID:2112
-
C:\Windows\SysWOW64\Oqdioaqf.exeC:\Windows\system32\Oqdioaqf.exe81⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:844 -
C:\Windows\SysWOW64\Ofaaghom.exeC:\Windows\system32\Ofaaghom.exe82⤵PID:2860
-
C:\Windows\SysWOW64\Oqfeda32.exeC:\Windows\system32\Oqfeda32.exe83⤵PID:2468
-
C:\Windows\SysWOW64\Ojojmfed.exeC:\Windows\system32\Ojojmfed.exe84⤵PID:2012
-
C:\Windows\SysWOW64\Pbjoaibo.exeC:\Windows\system32\Pbjoaibo.exe85⤵PID:1476
-
C:\Windows\SysWOW64\Pmpcoabe.exeC:\Windows\system32\Pmpcoabe.exe86⤵PID:3064
-
C:\Windows\SysWOW64\Pdkgcd32.exeC:\Windows\system32\Pdkgcd32.exe87⤵PID:2712
-
C:\Windows\SysWOW64\Pkeppngm.exeC:\Windows\system32\Pkeppngm.exe88⤵PID:2604
-
C:\Windows\SysWOW64\Pbohmh32.exeC:\Windows\system32\Pbohmh32.exe89⤵PID:2836
-
C:\Windows\SysWOW64\Pkglenej.exeC:\Windows\system32\Pkglenej.exe90⤵PID:3068
-
C:\Windows\SysWOW64\Pbaebh32.exeC:\Windows\system32\Pbaebh32.exe91⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2444 -
C:\Windows\SysWOW64\Pkiikm32.exeC:\Windows\system32\Pkiikm32.exe92⤵PID:2128
-
C:\Windows\SysWOW64\Pafacd32.exeC:\Windows\system32\Pafacd32.exe93⤵PID:2172
-
C:\Windows\SysWOW64\Pcdnpp32.exeC:\Windows\system32\Pcdnpp32.exe94⤵PID:1944
-
C:\Windows\SysWOW64\Qmmbhegc.exeC:\Windows\system32\Qmmbhegc.exe95⤵PID:2968
-
C:\Windows\SysWOW64\Qgbfen32.exeC:\Windows\system32\Qgbfen32.exe96⤵PID:928
-
C:\Windows\SysWOW64\Qpnkjq32.exeC:\Windows\system32\Qpnkjq32.exe97⤵
- System Location Discovery: System Language Discovery
PID:1260 -
C:\Windows\SysWOW64\Ajcpgi32.exeC:\Windows\system32\Ajcpgi32.exe98⤵PID:1724
-
C:\Windows\SysWOW64\Apphpp32.exeC:\Windows\system32\Apphpp32.exe99⤵PID:1776
-
C:\Windows\SysWOW64\Ajelmiag.exeC:\Windows\system32\Ajelmiag.exe100⤵
- Modifies registry class
PID:2264 -
C:\Windows\SysWOW64\Aflmbj32.exeC:\Windows\system32\Aflmbj32.exe101⤵PID:2832
-
C:\Windows\SysWOW64\Apeakonl.exeC:\Windows\system32\Apeakonl.exe102⤵PID:2552
-
C:\Windows\SysWOW64\Afojgiei.exeC:\Windows\system32\Afojgiei.exe103⤵PID:2108
-
C:\Windows\SysWOW64\Anjnllbd.exeC:\Windows\system32\Anjnllbd.exe104⤵PID:3060
-
C:\Windows\SysWOW64\Ahbcda32.exeC:\Windows\system32\Ahbcda32.exe105⤵PID:2924
-
C:\Windows\SysWOW64\Bbhgbj32.exeC:\Windows\system32\Bbhgbj32.exe106⤵PID:1744
-
C:\Windows\SysWOW64\Blplkp32.exeC:\Windows\system32\Blplkp32.exe107⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1100 -
C:\Windows\SysWOW64\Bamdcf32.exeC:\Windows\system32\Bamdcf32.exe108⤵
- Modifies registry class
PID:1664 -
C:\Windows\SysWOW64\Bjehlldb.exeC:\Windows\system32\Bjehlldb.exe109⤵PID:1292
-
C:\Windows\SysWOW64\Bpbadcbj.exeC:\Windows\system32\Bpbadcbj.exe110⤵PID:2020
-
C:\Windows\SysWOW64\Baannfim.exeC:\Windows\system32\Baannfim.exe111⤵PID:2248
-
C:\Windows\SysWOW64\Bbcjfn32.exeC:\Windows\system32\Bbcjfn32.exe112⤵PID:808
-
C:\Windows\SysWOW64\Bkjbgk32.exeC:\Windows\system32\Bkjbgk32.exe113⤵PID:2212
-
C:\Windows\SysWOW64\Blkoocfl.exeC:\Windows\system32\Blkoocfl.exe114⤵PID:2824
-
C:\Windows\SysWOW64\Bbegkn32.exeC:\Windows\system32\Bbegkn32.exe115⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:952 -
C:\Windows\SysWOW64\Cmkkhfmn.exeC:\Windows\system32\Cmkkhfmn.exe116⤵
- System Location Discovery: System Language Discovery
PID:1688 -
C:\Windows\SysWOW64\Colgpo32.exeC:\Windows\system32\Colgpo32.exe117⤵PID:2144
-
C:\Windows\SysWOW64\Cgcoal32.exeC:\Windows\system32\Cgcoal32.exe118⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1716 -
C:\Windows\SysWOW64\Chdlidjm.exeC:\Windows\system32\Chdlidjm.exe119⤵PID:1768
-
C:\Windows\SysWOW64\Cpldjajo.exeC:\Windows\system32\Cpldjajo.exe120⤵PID:2316
-
C:\Windows\SysWOW64\Cehlbihg.exeC:\Windows\system32\Cehlbihg.exe121⤵PID:972
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-