Analysis
-
max time kernel
119s -
max time network
16s -
platform
windows7_x64 -
resource
win7-20240704-en -
resource tags
arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system -
submitted
29/09/2024, 20:35
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
22a7461812ad7661a851dca79bd1ce6fda2261d58ebc1adf582ea3578b27de6aN.exe
Resource
win7-20240704-en
windows7-x64
7 signatures
120 seconds
Behavioral task
behavioral2
Sample
22a7461812ad7661a851dca79bd1ce6fda2261d58ebc1adf582ea3578b27de6aN.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
7 signatures
120 seconds
General
-
Target
22a7461812ad7661a851dca79bd1ce6fda2261d58ebc1adf582ea3578b27de6aN.exe
-
Size
377KB
-
MD5
c65d8d36c13d504340c013116b0ef160
-
SHA1
33246e700340965890d8f5e401763e737c677afa
-
SHA256
22a7461812ad7661a851dca79bd1ce6fda2261d58ebc1adf582ea3578b27de6a
-
SHA512
ff1f1a95f5ea0dac533432137eeec083273e98f2765864a8e698014592095d1caa32a10e62905a9c53afe85a4241886ad77b9da0b83986e73dedf5b628d906ff
-
SSDEEP
6144:FXZUh8fY/Np5O4KxVdGGSgnohijgAUv5fKx/SgnohignC5V:FpnoO5HdjdMTv5i1dayV
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ejioln32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jmlfmn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nklopg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nknkeg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Amjiln32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lljpjchg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ggdcbi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ppfafcpb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Boifga32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cnipak32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lddlkg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kbmfgk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hmalldcn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dbfbnddq.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad 22a7461812ad7661a851dca79bd1ce6fda2261d58ebc1adf582ea3578b27de6aN.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hbggif32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Omklkkpl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bgddam32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bheaiekc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cggcofkf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kekkiq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Epfhde32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eepmlf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Doabjbci.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gkgoff32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nenkqi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bpboinpd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cbppnbhm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kadfkhkf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kpgionie.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ihlnhffh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qiioon32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dnqlmq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ikqnlh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kpieengb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qlfdac32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mndhnd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pilbocej.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Egfjdchi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iflmjihl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Phgannal.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Enbogmnc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nncbdomg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ccgklc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Keango32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Noojdc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Khielcfh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nnafnopi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Klfjpa32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jcckibfg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pioamlkk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Abkkpd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mgjnhaco.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jibnop32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jaeehmko.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pchbmigj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iknafhjb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iemalkgd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pmcgmkil.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bhdjno32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oqgjdbpi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bphooc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dkjhjm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Inhdgdmk.exe -
Executes dropped EXE 64 IoCs
pid Process 2204 Fgldnkkf.exe 1704 Fqfemqod.exe 2540 Gbjojh32.exe 2732 Gdkgkcpq.exe 2752 Gkephn32.exe 2892 Ggnmbn32.exe 2768 Hnjbeh32.exe 2052 Hpnkbpdd.exe 1876 Hmalldcn.exe 2964 Hneeilgj.exe 828 Iflmjihl.exe 2032 Inhanl32.exe 2308 Iafnjg32.exe 1548 Ihpfgalh.exe 1780 Injndk32.exe 1644 Iahkpg32.exe 888 Ihbcmaje.exe 2060 Ijqoilii.exe 1452 Iakgefqe.exe 1108 Ihdpbq32.exe 304 Ioohokoo.exe 2412 Iamdkfnc.exe 2212 Ihglhp32.exe 1656 Iihiphln.exe 2548 Jaoqqflp.exe 2196 Jbqmhnbo.exe 1940 Jikeeh32.exe 2244 Jpdnbbah.exe 2792 Jbcjnnpl.exe 1092 Jimbkh32.exe 2972 Jpgjgboe.exe 2604 Jgabdlfb.exe 2256 Jpigma32.exe 3004 Jhdlad32.exe 1976 Jbjpom32.exe 2864 Kdklfe32.exe 696 Kkeecogo.exe 2944 Kncaojfb.exe 356 Khielcfh.exe 2040 Kocmim32.exe 540 Kpdjaecc.exe 2688 Kgnbnpkp.exe 1616 Kadfkhkf.exe 2008 Kcecbq32.exe 2744 Knkgpi32.exe 2452 Kcgphp32.exe 2640 Kjahej32.exe 2000 Klpdaf32.exe 2956 Lgehno32.exe 2216 Lhfefgkg.exe 2108 Loqmba32.exe 2016 Lfkeokjp.exe 932 Lldmleam.exe 2092 Lcofio32.exe 3020 Lhknaf32.exe 1676 Lnhgim32.exe 2568 Ldbofgme.exe 2472 Lohccp32.exe 2164 Lddlkg32.exe 2680 Mkndhabp.exe 1988 Mdghaf32.exe 2004 Mgedmb32.exe 276 Mmbmeifk.exe 2504 Mclebc32.exe -
Loads dropped DLL 64 IoCs
pid Process 2304 22a7461812ad7661a851dca79bd1ce6fda2261d58ebc1adf582ea3578b27de6aN.exe 2304 22a7461812ad7661a851dca79bd1ce6fda2261d58ebc1adf582ea3578b27de6aN.exe 2204 Fgldnkkf.exe 2204 Fgldnkkf.exe 1704 Fqfemqod.exe 1704 Fqfemqod.exe 2540 Gbjojh32.exe 2540 Gbjojh32.exe 2732 Gdkgkcpq.exe 2732 Gdkgkcpq.exe 2752 Gkephn32.exe 2752 Gkephn32.exe 2892 Ggnmbn32.exe 2892 Ggnmbn32.exe 2768 Hnjbeh32.exe 2768 Hnjbeh32.exe 2052 Hpnkbpdd.exe 2052 Hpnkbpdd.exe 1876 Hmalldcn.exe 1876 Hmalldcn.exe 2964 Hneeilgj.exe 2964 Hneeilgj.exe 828 Iflmjihl.exe 828 Iflmjihl.exe 2032 Inhanl32.exe 2032 Inhanl32.exe 2308 Iafnjg32.exe 2308 Iafnjg32.exe 1548 Ihpfgalh.exe 1548 Ihpfgalh.exe 1780 Injndk32.exe 1780 Injndk32.exe 1644 Iahkpg32.exe 1644 Iahkpg32.exe 888 Ihbcmaje.exe 888 Ihbcmaje.exe 2060 Ijqoilii.exe 2060 Ijqoilii.exe 1452 Iakgefqe.exe 1452 Iakgefqe.exe 1108 Ihdpbq32.exe 1108 Ihdpbq32.exe 304 Ioohokoo.exe 304 Ioohokoo.exe 2412 Iamdkfnc.exe 2412 Iamdkfnc.exe 2212 Ihglhp32.exe 2212 Ihglhp32.exe 1656 Iihiphln.exe 1656 Iihiphln.exe 2548 Jaoqqflp.exe 2548 Jaoqqflp.exe 2196 Jbqmhnbo.exe 2196 Jbqmhnbo.exe 1940 Jikeeh32.exe 1940 Jikeeh32.exe 2244 Jpdnbbah.exe 2244 Jpdnbbah.exe 2792 Jbcjnnpl.exe 2792 Jbcjnnpl.exe 1092 Jimbkh32.exe 1092 Jimbkh32.exe 2972 Jpgjgboe.exe 2972 Jpgjgboe.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Bbmcibjp.exe Boogmgkl.exe File created C:\Windows\SysWOW64\Ednoihel.dll Ckhdggom.exe File created C:\Windows\SysWOW64\Fbnbckhg.dll Cileqlmg.exe File opened for modification C:\Windows\SysWOW64\Ldgnklmi.exe Lmmfnb32.exe File created C:\Windows\SysWOW64\Pmmqmpdm.exe Pefhlcdk.exe File opened for modification C:\Windows\SysWOW64\Fqfemqod.exe Fgldnkkf.exe File created C:\Windows\SysWOW64\Epnhpglg.exe Eicpcm32.exe File created C:\Windows\SysWOW64\Ioiidfon.exe Ijlaloaf.exe File created C:\Windows\SysWOW64\Djpjjl32.dll Fipbhd32.exe File opened for modification C:\Windows\SysWOW64\Gefolhja.exe Golgon32.exe File created C:\Windows\SysWOW64\Ibkhgp32.dll Mghfdcdi.exe File created C:\Windows\SysWOW64\Nokalbod.dll Mdlfngcc.exe File created C:\Windows\SysWOW64\Ohmoco32.exe Odacbpee.exe File created C:\Windows\SysWOW64\Hoelacdp.dll Ogohdeam.exe File created C:\Windows\SysWOW64\Ffpfeq32.dll Gjifodii.exe File opened for modification C:\Windows\SysWOW64\Dcghkf32.exe Dahkok32.exe File created C:\Windows\SysWOW64\Ejcmmp32.exe Epnhpglg.exe File created C:\Windows\SysWOW64\Moibemdg.dll Ggapbcne.exe File created C:\Windows\SysWOW64\Odlkfk32.dll Einebddd.exe File created C:\Windows\SysWOW64\Bmbccp32.dll Hmfmkjdf.exe File created C:\Windows\SysWOW64\Jcoanb32.exe Jqpebg32.exe File created C:\Windows\SysWOW64\Oeficpoq.dll Afpapcnc.exe File created C:\Windows\SysWOW64\Kkeecogo.exe Kdklfe32.exe File created C:\Windows\SysWOW64\Mhjcec32.exe Mneohj32.exe File opened for modification C:\Windows\SysWOW64\Dppigchi.exe Dekdikhc.exe File created C:\Windows\SysWOW64\Imbige32.dll Ejcofica.exe File created C:\Windows\SysWOW64\Enjoliob.dll Fjaoplho.exe File created C:\Windows\SysWOW64\Nchipb32.exe Nloachkf.exe File created C:\Windows\SysWOW64\Oellihpf.dll Qjdgpcmd.exe File created C:\Windows\SysWOW64\Gkbokl32.dll Eqkjmcmq.exe File created C:\Windows\SysWOW64\Mhiaka32.dll Gkephn32.exe File created C:\Windows\SysWOW64\Hfiocpon.dll Onfoin32.exe File created C:\Windows\SysWOW64\Epeekmjk.exe Ekhmcelc.exe File created C:\Windows\SysWOW64\Hkdemk32.exe Hqnapb32.exe File created C:\Windows\SysWOW64\Oejcpf32.exe Onqkclni.exe File created C:\Windows\SysWOW64\Hbofmcij.exe Hoqjqhjf.exe File opened for modification C:\Windows\SysWOW64\Dfkclf32.exe Dnckki32.exe File created C:\Windows\SysWOW64\Mghfdcdi.exe Mpnngi32.exe File created C:\Windows\SysWOW64\Cnmfdb32.exe Cjakccop.exe File created C:\Windows\SysWOW64\Nqmqcmdh.exe Njchfc32.exe File created C:\Windows\SysWOW64\Ccnddg32.exe Chhpgn32.exe File created C:\Windows\SysWOW64\Lhknaf32.exe Lcofio32.exe File created C:\Windows\SysWOW64\Aoojnc32.exe Alqnah32.exe File created C:\Windows\SysWOW64\Pbemboof.exe Ppfafcpb.exe File created C:\Windows\SysWOW64\Pjihmmbk.exe Ppddpd32.exe File opened for modification C:\Windows\SysWOW64\Iknafhjb.exe Iaimipjl.exe File opened for modification C:\Windows\SysWOW64\Cccdjl32.exe Cjjpag32.exe File created C:\Windows\SysWOW64\Hadfah32.exe Hhlaiccm.exe File created C:\Windows\SysWOW64\Eiefbk32.dll Okhgod32.exe File created C:\Windows\SysWOW64\Jdpkmjnb.dll Bqijljfd.exe File created C:\Windows\SysWOW64\Ckmnbg32.exe Cagienkb.exe File created C:\Windows\SysWOW64\Dnlcjk32.dll Ingkdeak.exe File opened for modification C:\Windows\SysWOW64\Nnahgh32.exe Nhepoaif.exe File created C:\Windows\SysWOW64\Ahedjb32.exe Abhlak32.exe File created C:\Windows\SysWOW64\Pfebnmcj.exe Ponklpcg.exe File created C:\Windows\SysWOW64\Cbamip32.dll Lmmfnb32.exe File created C:\Windows\SysWOW64\Gncgbkki.exe Gdjcjf32.exe File created C:\Windows\SysWOW64\Pncjad32.exe Pgibdjln.exe File opened for modification C:\Windows\SysWOW64\Famcbf32.exe Fheoiqgi.exe File created C:\Windows\SysWOW64\Hnfncjmm.dll Lfkfkopk.exe File created C:\Windows\SysWOW64\Nhnmcb32.dll Iihiphln.exe File created C:\Windows\SysWOW64\Dfefmpeo.dll Boljgg32.exe File created C:\Windows\SysWOW64\Gacdld32.dll Fpbnjjkm.exe File created C:\Windows\SysWOW64\Hpdjnn32.dll Jfjolf32.exe -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nbeedh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bnochnpm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dochelmj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bqolji32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mehpga32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Geilah32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mohhea32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jpgjgboe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mnaiol32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fdqnkoep.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ehpcehcj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jigbebhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Afpapcnc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lmcilp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hofngkga.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mciabmlo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hhlaiccm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Edlhqlfi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gibbgmfe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lgpfpe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gefolhja.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lhlbbg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Peqhgmdd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ciihklpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kgkonj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lmmfnb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nmflee32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gaojnq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Joppeeif.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mokdja32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nncbdomg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jaeehmko.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pncjad32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Blipno32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iafnjg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fcmdnfad.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ldgnklmi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Phgannal.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Naimepkp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Odgamdef.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nnahgh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Enpban32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hoalia32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ebcmfj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Abbhje32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kadfkhkf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bjdkjpkb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nmofdf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hijhhl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jedehaea.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cnipak32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Injndk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Obgnhkkh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pebpkk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mokilo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jcckibfg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mgfiocfl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cmkfji32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hgckoofa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ioohokoo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oejcpf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pmkdhq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gkmbmh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lkjmfjmi.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmapmi32.dll" Adnpkjde.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ldjbkb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Inajahoe.dll" Adfbpega.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Phcleoho.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Iqcmcj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Naimepkp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gkeeihpg.dll" Llbconkd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ejcmmp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pilbocej.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nlnlqk32.dll" Gaplfinb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fqfemqod.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mclebc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Egajnfoe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ifemminl.dll" Feddombd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lifcib32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fmlbjq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odiaql32.dll" Hmmdin32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nfjildbp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pdecoa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eepmlf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kadfkhkf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lldmleam.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bngpjpqe.dll" Bjmeiq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dofohkkf.dll" Kckhdg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bieopm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hgkfal32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hfhfhbce.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndjhjkfi.dll" Admgglep.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mpioba32.dll" Pbagipfi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ielqinkm.dll" Ehpcehcj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Anafme32.dll" Iaimipjl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fbaghgop.dll" Bgmnpn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kigpbioo.dll" Pgibdjln.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cjjnhnbl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nckpfbjj.dll" Blqmid32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pchbmigj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Oimmjffj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kekkiq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nqpmimbe.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jinfli32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nnahgh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Loqmba32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mcckcbgp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Omklkkpl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Indnnfdn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Imbjcpnn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jllqplnp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lioglifg.dll" Loclai32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bjembh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfgjgn32.dll" Cnipak32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Anhpkg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Oqjibkek.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bhhjdb32.dll" Bjfpdf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dahkok32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbcqjf32.dll" Doabjbci.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Keiqlihp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ahfgbkpl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Joggci32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mjkibehc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dpfkeb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fmlecinf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Apenjhfe.dll" Mehpga32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fhecgqad.dll" Ohmoco32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pehebbbh.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2304 wrote to memory of 2204 2304 22a7461812ad7661a851dca79bd1ce6fda2261d58ebc1adf582ea3578b27de6aN.exe 30 PID 2304 wrote to memory of 2204 2304 22a7461812ad7661a851dca79bd1ce6fda2261d58ebc1adf582ea3578b27de6aN.exe 30 PID 2304 wrote to memory of 2204 2304 22a7461812ad7661a851dca79bd1ce6fda2261d58ebc1adf582ea3578b27de6aN.exe 30 PID 2304 wrote to memory of 2204 2304 22a7461812ad7661a851dca79bd1ce6fda2261d58ebc1adf582ea3578b27de6aN.exe 30 PID 2204 wrote to memory of 1704 2204 Fgldnkkf.exe 31 PID 2204 wrote to memory of 1704 2204 Fgldnkkf.exe 31 PID 2204 wrote to memory of 1704 2204 Fgldnkkf.exe 31 PID 2204 wrote to memory of 1704 2204 Fgldnkkf.exe 31 PID 1704 wrote to memory of 2540 1704 Fqfemqod.exe 32 PID 1704 wrote to memory of 2540 1704 Fqfemqod.exe 32 PID 1704 wrote to memory of 2540 1704 Fqfemqod.exe 32 PID 1704 wrote to memory of 2540 1704 Fqfemqod.exe 32 PID 2540 wrote to memory of 2732 2540 Gbjojh32.exe 33 PID 2540 wrote to memory of 2732 2540 Gbjojh32.exe 33 PID 2540 wrote to memory of 2732 2540 Gbjojh32.exe 33 PID 2540 wrote to memory of 2732 2540 Gbjojh32.exe 33 PID 2732 wrote to memory of 2752 2732 Gdkgkcpq.exe 34 PID 2732 wrote to memory of 2752 2732 Gdkgkcpq.exe 34 PID 2732 wrote to memory of 2752 2732 Gdkgkcpq.exe 34 PID 2732 wrote to memory of 2752 2732 Gdkgkcpq.exe 34 PID 2752 wrote to memory of 2892 2752 Gkephn32.exe 35 PID 2752 wrote to memory of 2892 2752 Gkephn32.exe 35 PID 2752 wrote to memory of 2892 2752 Gkephn32.exe 35 PID 2752 wrote to memory of 2892 2752 Gkephn32.exe 35 PID 2892 wrote to memory of 2768 2892 Ggnmbn32.exe 36 PID 2892 wrote to memory of 2768 2892 Ggnmbn32.exe 36 PID 2892 wrote to memory of 2768 2892 Ggnmbn32.exe 36 PID 2892 wrote to memory of 2768 2892 Ggnmbn32.exe 36 PID 2768 wrote to memory of 2052 2768 Hnjbeh32.exe 37 PID 2768 wrote to memory of 2052 2768 Hnjbeh32.exe 37 PID 2768 wrote to memory of 2052 2768 Hnjbeh32.exe 37 PID 2768 wrote to memory of 2052 2768 Hnjbeh32.exe 37 PID 2052 wrote to memory of 1876 2052 Hpnkbpdd.exe 38 PID 2052 wrote to memory of 1876 2052 Hpnkbpdd.exe 38 PID 2052 wrote to memory of 1876 2052 Hpnkbpdd.exe 38 PID 2052 wrote to memory of 1876 2052 Hpnkbpdd.exe 38 PID 1876 wrote to memory of 2964 1876 Hmalldcn.exe 39 PID 1876 wrote to memory of 2964 1876 Hmalldcn.exe 39 PID 1876 wrote to memory of 2964 1876 Hmalldcn.exe 39 PID 1876 wrote to memory of 2964 1876 Hmalldcn.exe 39 PID 2964 wrote to memory of 828 2964 Hneeilgj.exe 40 PID 2964 wrote to memory of 828 2964 Hneeilgj.exe 40 PID 2964 wrote to memory of 828 2964 Hneeilgj.exe 40 PID 2964 wrote to memory of 828 2964 Hneeilgj.exe 40 PID 828 wrote to memory of 2032 828 Iflmjihl.exe 41 PID 828 wrote to memory of 2032 828 Iflmjihl.exe 41 PID 828 wrote to memory of 2032 828 Iflmjihl.exe 41 PID 828 wrote to memory of 2032 828 Iflmjihl.exe 41 PID 2032 wrote to memory of 2308 2032 Inhanl32.exe 42 PID 2032 wrote to memory of 2308 2032 Inhanl32.exe 42 PID 2032 wrote to memory of 2308 2032 Inhanl32.exe 42 PID 2032 wrote to memory of 2308 2032 Inhanl32.exe 42 PID 2308 wrote to memory of 1548 2308 Iafnjg32.exe 43 PID 2308 wrote to memory of 1548 2308 Iafnjg32.exe 43 PID 2308 wrote to memory of 1548 2308 Iafnjg32.exe 43 PID 2308 wrote to memory of 1548 2308 Iafnjg32.exe 43 PID 1548 wrote to memory of 1780 1548 Ihpfgalh.exe 44 PID 1548 wrote to memory of 1780 1548 Ihpfgalh.exe 44 PID 1548 wrote to memory of 1780 1548 Ihpfgalh.exe 44 PID 1548 wrote to memory of 1780 1548 Ihpfgalh.exe 44 PID 1780 wrote to memory of 1644 1780 Injndk32.exe 45 PID 1780 wrote to memory of 1644 1780 Injndk32.exe 45 PID 1780 wrote to memory of 1644 1780 Injndk32.exe 45 PID 1780 wrote to memory of 1644 1780 Injndk32.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\22a7461812ad7661a851dca79bd1ce6fda2261d58ebc1adf582ea3578b27de6aN.exe"C:\Users\Admin\AppData\Local\Temp\22a7461812ad7661a851dca79bd1ce6fda2261d58ebc1adf582ea3578b27de6aN.exe"1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2304 -
C:\Windows\SysWOW64\Fgldnkkf.exeC:\Windows\system32\Fgldnkkf.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2204 -
C:\Windows\SysWOW64\Fqfemqod.exeC:\Windows\system32\Fqfemqod.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1704 -
C:\Windows\SysWOW64\Gbjojh32.exeC:\Windows\system32\Gbjojh32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2540 -
C:\Windows\SysWOW64\Gdkgkcpq.exeC:\Windows\system32\Gdkgkcpq.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2732 -
C:\Windows\SysWOW64\Gkephn32.exeC:\Windows\system32\Gkephn32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2752 -
C:\Windows\SysWOW64\Ggnmbn32.exeC:\Windows\system32\Ggnmbn32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2892 -
C:\Windows\SysWOW64\Hnjbeh32.exeC:\Windows\system32\Hnjbeh32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2768 -
C:\Windows\SysWOW64\Hpnkbpdd.exeC:\Windows\system32\Hpnkbpdd.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2052 -
C:\Windows\SysWOW64\Hmalldcn.exeC:\Windows\system32\Hmalldcn.exe10⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1876 -
C:\Windows\SysWOW64\Hneeilgj.exeC:\Windows\system32\Hneeilgj.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2964 -
C:\Windows\SysWOW64\Iflmjihl.exeC:\Windows\system32\Iflmjihl.exe12⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:828 -
C:\Windows\SysWOW64\Inhanl32.exeC:\Windows\system32\Inhanl32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2032 -
C:\Windows\SysWOW64\Iafnjg32.exeC:\Windows\system32\Iafnjg32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2308 -
C:\Windows\SysWOW64\Ihpfgalh.exeC:\Windows\system32\Ihpfgalh.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1548 -
C:\Windows\SysWOW64\Injndk32.exeC:\Windows\system32\Injndk32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1780 -
C:\Windows\SysWOW64\Iahkpg32.exeC:\Windows\system32\Iahkpg32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1644 -
C:\Windows\SysWOW64\Ihbcmaje.exeC:\Windows\system32\Ihbcmaje.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:888 -
C:\Windows\SysWOW64\Ijqoilii.exeC:\Windows\system32\Ijqoilii.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2060 -
C:\Windows\SysWOW64\Iakgefqe.exeC:\Windows\system32\Iakgefqe.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1452 -
C:\Windows\SysWOW64\Ihdpbq32.exeC:\Windows\system32\Ihdpbq32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1108 -
C:\Windows\SysWOW64\Ioohokoo.exeC:\Windows\system32\Ioohokoo.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:304 -
C:\Windows\SysWOW64\Iamdkfnc.exeC:\Windows\system32\Iamdkfnc.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2412 -
C:\Windows\SysWOW64\Ihglhp32.exeC:\Windows\system32\Ihglhp32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2212 -
C:\Windows\SysWOW64\Iihiphln.exeC:\Windows\system32\Iihiphln.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1656 -
C:\Windows\SysWOW64\Jaoqqflp.exeC:\Windows\system32\Jaoqqflp.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2548 -
C:\Windows\SysWOW64\Jbqmhnbo.exeC:\Windows\system32\Jbqmhnbo.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2196 -
C:\Windows\SysWOW64\Jikeeh32.exeC:\Windows\system32\Jikeeh32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1940 -
C:\Windows\SysWOW64\Jpdnbbah.exeC:\Windows\system32\Jpdnbbah.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2244 -
C:\Windows\SysWOW64\Jbcjnnpl.exeC:\Windows\system32\Jbcjnnpl.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2792 -
C:\Windows\SysWOW64\Jimbkh32.exeC:\Windows\system32\Jimbkh32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1092 -
C:\Windows\SysWOW64\Jpgjgboe.exeC:\Windows\system32\Jpgjgboe.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2972 -
C:\Windows\SysWOW64\Jgabdlfb.exeC:\Windows\system32\Jgabdlfb.exe33⤵
- Executes dropped EXE
PID:2604 -
C:\Windows\SysWOW64\Jpigma32.exeC:\Windows\system32\Jpigma32.exe34⤵
- Executes dropped EXE
PID:2256 -
C:\Windows\SysWOW64\Jhdlad32.exeC:\Windows\system32\Jhdlad32.exe35⤵
- Executes dropped EXE
PID:3004 -
C:\Windows\SysWOW64\Jbjpom32.exeC:\Windows\system32\Jbjpom32.exe36⤵
- Executes dropped EXE
PID:1976 -
C:\Windows\SysWOW64\Kdklfe32.exeC:\Windows\system32\Kdklfe32.exe37⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2864 -
C:\Windows\SysWOW64\Kkeecogo.exeC:\Windows\system32\Kkeecogo.exe38⤵
- Executes dropped EXE
PID:696 -
C:\Windows\SysWOW64\Kncaojfb.exeC:\Windows\system32\Kncaojfb.exe39⤵
- Executes dropped EXE
PID:2944 -
C:\Windows\SysWOW64\Khielcfh.exeC:\Windows\system32\Khielcfh.exe40⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:356 -
C:\Windows\SysWOW64\Kocmim32.exeC:\Windows\system32\Kocmim32.exe41⤵
- Executes dropped EXE
PID:2040 -
C:\Windows\SysWOW64\Kpdjaecc.exeC:\Windows\system32\Kpdjaecc.exe42⤵
- Executes dropped EXE
PID:540 -
C:\Windows\SysWOW64\Kgnbnpkp.exeC:\Windows\system32\Kgnbnpkp.exe43⤵
- Executes dropped EXE
PID:2688 -
C:\Windows\SysWOW64\Kadfkhkf.exeC:\Windows\system32\Kadfkhkf.exe44⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1616 -
C:\Windows\SysWOW64\Kcecbq32.exeC:\Windows\system32\Kcecbq32.exe45⤵
- Executes dropped EXE
PID:2008 -
C:\Windows\SysWOW64\Knkgpi32.exeC:\Windows\system32\Knkgpi32.exe46⤵
- Executes dropped EXE
PID:2744 -
C:\Windows\SysWOW64\Kcgphp32.exeC:\Windows\system32\Kcgphp32.exe47⤵
- Executes dropped EXE
PID:2452 -
C:\Windows\SysWOW64\Kjahej32.exeC:\Windows\system32\Kjahej32.exe48⤵
- Executes dropped EXE
PID:2640 -
C:\Windows\SysWOW64\Klpdaf32.exeC:\Windows\system32\Klpdaf32.exe49⤵
- Executes dropped EXE
PID:2000 -
C:\Windows\SysWOW64\Lgehno32.exeC:\Windows\system32\Lgehno32.exe50⤵
- Executes dropped EXE
PID:2956 -
C:\Windows\SysWOW64\Lhfefgkg.exeC:\Windows\system32\Lhfefgkg.exe51⤵
- Executes dropped EXE
PID:2216 -
C:\Windows\SysWOW64\Loqmba32.exeC:\Windows\system32\Loqmba32.exe52⤵
- Executes dropped EXE
- Modifies registry class
PID:2108 -
C:\Windows\SysWOW64\Lfkeokjp.exeC:\Windows\system32\Lfkeokjp.exe53⤵
- Executes dropped EXE
PID:2016 -
C:\Windows\SysWOW64\Lldmleam.exeC:\Windows\system32\Lldmleam.exe54⤵
- Executes dropped EXE
- Modifies registry class
PID:932 -
C:\Windows\SysWOW64\Lcofio32.exeC:\Windows\system32\Lcofio32.exe55⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2092 -
C:\Windows\SysWOW64\Lhknaf32.exeC:\Windows\system32\Lhknaf32.exe56⤵
- Executes dropped EXE
PID:3020 -
C:\Windows\SysWOW64\Lnhgim32.exeC:\Windows\system32\Lnhgim32.exe57⤵
- Executes dropped EXE
PID:1676 -
C:\Windows\SysWOW64\Ldbofgme.exeC:\Windows\system32\Ldbofgme.exe58⤵
- Executes dropped EXE
PID:2568 -
C:\Windows\SysWOW64\Lohccp32.exeC:\Windows\system32\Lohccp32.exe59⤵
- Executes dropped EXE
PID:2472 -
C:\Windows\SysWOW64\Lddlkg32.exeC:\Windows\system32\Lddlkg32.exe60⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2164 -
C:\Windows\SysWOW64\Mkndhabp.exeC:\Windows\system32\Mkndhabp.exe61⤵
- Executes dropped EXE
PID:2680 -
C:\Windows\SysWOW64\Mdghaf32.exeC:\Windows\system32\Mdghaf32.exe62⤵
- Executes dropped EXE
PID:1988 -
C:\Windows\SysWOW64\Mgedmb32.exeC:\Windows\system32\Mgedmb32.exe63⤵
- Executes dropped EXE
PID:2004 -
C:\Windows\SysWOW64\Mmbmeifk.exeC:\Windows\system32\Mmbmeifk.exe64⤵
- Executes dropped EXE
PID:276 -
C:\Windows\SysWOW64\Mclebc32.exeC:\Windows\system32\Mclebc32.exe65⤵
- Executes dropped EXE
- Modifies registry class
PID:2504 -
C:\Windows\SysWOW64\Mfjann32.exeC:\Windows\system32\Mfjann32.exe66⤵PID:1264
-
C:\Windows\SysWOW64\Mnaiol32.exeC:\Windows\system32\Mnaiol32.exe67⤵
- System Location Discovery: System Language Discovery
PID:1908 -
C:\Windows\SysWOW64\Mqpflg32.exeC:\Windows\system32\Mqpflg32.exe68⤵PID:1104
-
C:\Windows\SysWOW64\Mgjnhaco.exeC:\Windows\system32\Mgjnhaco.exe69⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1972 -
C:\Windows\SysWOW64\Mjhjdm32.exeC:\Windows\system32\Mjhjdm32.exe70⤵PID:1532
-
C:\Windows\SysWOW64\Mmgfqh32.exeC:\Windows\system32\Mmgfqh32.exe71⤵PID:1176
-
C:\Windows\SysWOW64\Mcqombic.exeC:\Windows\system32\Mcqombic.exe72⤵PID:3108
-
C:\Windows\SysWOW64\Mfokinhf.exeC:\Windows\system32\Mfokinhf.exe73⤵PID:3148
-
C:\Windows\SysWOW64\Mimgeigj.exeC:\Windows\system32\Mimgeigj.exe74⤵PID:3188
-
C:\Windows\SysWOW64\Mklcadfn.exeC:\Windows\system32\Mklcadfn.exe75⤵PID:3228
-
C:\Windows\SysWOW64\Mcckcbgp.exeC:\Windows\system32\Mcckcbgp.exe76⤵
- Modifies registry class
PID:3268 -
C:\Windows\SysWOW64\Nfahomfd.exeC:\Windows\system32\Nfahomfd.exe77⤵PID:3308
-
C:\Windows\SysWOW64\Nmkplgnq.exeC:\Windows\system32\Nmkplgnq.exe78⤵PID:3348
-
C:\Windows\SysWOW64\Nnmlcp32.exeC:\Windows\system32\Nnmlcp32.exe79⤵PID:3388
-
C:\Windows\SysWOW64\Nfdddm32.exeC:\Windows\system32\Nfdddm32.exe80⤵PID:3428
-
C:\Windows\SysWOW64\Nibqqh32.exeC:\Windows\system32\Nibqqh32.exe81⤵PID:3468
-
C:\Windows\SysWOW64\Nplimbka.exeC:\Windows\system32\Nplimbka.exe82⤵PID:3508
-
C:\Windows\SysWOW64\Nidmfh32.exeC:\Windows\system32\Nidmfh32.exe83⤵PID:3548
-
C:\Windows\SysWOW64\Nlcibc32.exeC:\Windows\system32\Nlcibc32.exe84⤵PID:3588
-
C:\Windows\SysWOW64\Nnafnopi.exeC:\Windows\system32\Nnafnopi.exe85⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3628 -
C:\Windows\SysWOW64\Neknki32.exeC:\Windows\system32\Neknki32.exe86⤵PID:3668
-
C:\Windows\SysWOW64\Nhjjgd32.exeC:\Windows\system32\Nhjjgd32.exe87⤵PID:3708
-
C:\Windows\SysWOW64\Nncbdomg.exeC:\Windows\system32\Nncbdomg.exe88⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:3748 -
C:\Windows\SysWOW64\Nenkqi32.exeC:\Windows\system32\Nenkqi32.exe89⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3788 -
C:\Windows\SysWOW64\Nhlgmd32.exeC:\Windows\system32\Nhlgmd32.exe90⤵PID:3832
-
C:\Windows\SysWOW64\Onfoin32.exeC:\Windows\system32\Onfoin32.exe91⤵
- Drops file in System32 directory
PID:3872 -
C:\Windows\SysWOW64\Opglafab.exeC:\Windows\system32\Opglafab.exe92⤵PID:3912
-
C:\Windows\SysWOW64\Ohncbdbd.exeC:\Windows\system32\Ohncbdbd.exe93⤵PID:3952
-
C:\Windows\SysWOW64\Ojmpooah.exeC:\Windows\system32\Ojmpooah.exe94⤵PID:3992
-
C:\Windows\SysWOW64\Omklkkpl.exeC:\Windows\system32\Omklkkpl.exe95⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:4032 -
C:\Windows\SysWOW64\Odedge32.exeC:\Windows\system32\Odedge32.exe96⤵PID:4072
-
C:\Windows\SysWOW64\Ojomdoof.exeC:\Windows\system32\Ojomdoof.exe97⤵PID:2852
-
C:\Windows\SysWOW64\Olpilg32.exeC:\Windows\system32\Olpilg32.exe98⤵PID:2728
-
C:\Windows\SysWOW64\Odgamdef.exeC:\Windows\system32\Odgamdef.exe99⤵
- System Location Discovery: System Language Discovery
PID:2740 -
C:\Windows\SysWOW64\Offmipej.exeC:\Windows\system32\Offmipej.exe100⤵PID:2856
-
C:\Windows\SysWOW64\Ompefj32.exeC:\Windows\system32\Ompefj32.exe101⤵PID:2352
-
C:\Windows\SysWOW64\Opnbbe32.exeC:\Windows\system32\Opnbbe32.exe102⤵PID:1776
-
C:\Windows\SysWOW64\Ofhjopbg.exeC:\Windows\system32\Ofhjopbg.exe103⤵PID:1696
-
C:\Windows\SysWOW64\Ohiffh32.exeC:\Windows\system32\Ohiffh32.exe104⤵PID:904
-
C:\Windows\SysWOW64\Opqoge32.exeC:\Windows\system32\Opqoge32.exe105⤵PID:296
-
C:\Windows\SysWOW64\Oabkom32.exeC:\Windows\system32\Oabkom32.exe106⤵PID:3064
-
C:\Windows\SysWOW64\Piicpk32.exeC:\Windows\system32\Piicpk32.exe107⤵PID:1236
-
C:\Windows\SysWOW64\Plgolf32.exeC:\Windows\system32\Plgolf32.exe108⤵PID:2316
-
C:\Windows\SysWOW64\Pbagipfi.exeC:\Windows\system32\Pbagipfi.exe109⤵
- Modifies registry class
PID:3100 -
C:\Windows\SysWOW64\Pepcelel.exeC:\Windows\system32\Pepcelel.exe110⤵PID:3176
-
C:\Windows\SysWOW64\Phnpagdp.exeC:\Windows\system32\Phnpagdp.exe111⤵PID:3212
-
C:\Windows\SysWOW64\Pohhna32.exeC:\Windows\system32\Pohhna32.exe112⤵PID:3288
-
C:\Windows\SysWOW64\Pebpkk32.exeC:\Windows\system32\Pebpkk32.exe113⤵
- System Location Discovery: System Language Discovery
PID:3340 -
C:\Windows\SysWOW64\Phqmgg32.exeC:\Windows\system32\Phqmgg32.exe114⤵PID:3396
-
C:\Windows\SysWOW64\Pojecajj.exeC:\Windows\system32\Pojecajj.exe115⤵PID:3460
-
C:\Windows\SysWOW64\Paiaplin.exeC:\Windows\system32\Paiaplin.exe116⤵PID:3524
-
C:\Windows\SysWOW64\Pkaehb32.exeC:\Windows\system32\Pkaehb32.exe117⤵PID:3564
-
C:\Windows\SysWOW64\Ppnnai32.exeC:\Windows\system32\Ppnnai32.exe118⤵PID:3620
-
C:\Windows\SysWOW64\Pcljmdmj.exeC:\Windows\system32\Pcljmdmj.exe119⤵PID:1424
-
C:\Windows\SysWOW64\Pnbojmmp.exeC:\Windows\system32\Pnbojmmp.exe120⤵PID:3692
-
C:\Windows\SysWOW64\Qdlggg32.exeC:\Windows\system32\Qdlggg32.exe121⤵PID:3736
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-