Analysis
max time kernel: 119s
max time network: 119s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 02-10-2024 01:16

Static task: static1
Behavioral task: behavioral1
Sample: 8dc641ee66257505f0494e1dfc04989bb9733ac08f043a666676ac1db392df58N.exe
Resource: win7-20240903-en
Behavioral task: behavioral2
Sample: 8dc641ee66257505f0494e1dfc04989bb9733ac08f043a666676ac1db392df58N.exe
Resource: win10v2004-20240802-en
General
Target: 8dc641ee66257505f0494e1dfc04989bb9733ac08f043a666676ac1db392df58N.exe
Size: 93KB
MD5: f89f3d6f63681780db5cbffd4af10400
SHA1: 03c887065cab9586851c8462210c8908eed8325f
SHA256: 8dc641ee66257505f0494e1dfc04989bb9733ac08f043a666676ac1db392df58
SHA512: f0ef968432aede815453d3f2d683ff4374bea06a4d112aff6439fd6df322ebcf5964a31554208a8bcda57617817765112192f47b4a1e1d28f1d823b7730b71e8
SSDEEP: 1536:srJRoQsrOFINZ0Dxjq7g5VpgfTzx5wbOz5BE7zRPd2Tkjiwg58:sr7oQ5UZ0heg5Tqh9E7zRPd2IY58
Malware Config (extracted): berbew
http://f/wcmd.htm
http://f/ppslog.php
http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d
Signatures
Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
Executes dropped EXE (64 IoCs)
Loads dropped DLL (64 IoCs)
Drops file in System32 directory (64 IoCs)
Program crash (1 IoC)
pid: 8604, pid_target: 9136, Process: WerFault.exe, procid_target: 964
System Location Discovery: System Language Discovery (1 TTP, 64 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Modifies registry class (64 IoCs)
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
1. C:\Users\Admin\AppData\Local\Temp\8dc641ee66257505f0494e1dfc04989bb9733ac08f043a666676ac1db392df58N.exe (command line: "C:\Users\Admin\AppData\Local\Temp\8dc641ee66257505f0494e1dfc04989bb9733ac08f043a666676ac1db392df58N.exe"), PID 2564
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
2. C:\Windows\SysWOW64\Kdmgclfk.exe (command line: C:\Windows\system32\Kdmgclfk.exe), PID 1784
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
3. C:\Windows\SysWOW64\Khiccj32.exe (command line: C:\Windows\system32\Khiccj32.exe), PID 1460
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
   - Loads dropped DLL
   - Drops file in System32 directory
   - Suspicious use of WriteProcessMemory
4. C:\Windows\SysWOW64\Kobkpdfa.exe (command line: C:\Windows\system32\Kobkpdfa.exe), PID 2484
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
5. C:\Windows\SysWOW64\Kbaglpee.exe (command line: C:\Windows\system32\Kbaglpee.exe), PID 2828
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
6. C:\Windows\SysWOW64\Kgnpeg32.exe (command line: C:\Windows\system32\Kgnpeg32.exe), PID 2644
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
7. C:\Windows\SysWOW64\Kbcdbp32.exe (command line: C:\Windows\system32\Kbcdbp32.exe), PID 3056
   - Executes dropped EXE
   - Loads dropped DLL
   - Drops file in System32 directory
   - Suspicious use of WriteProcessMemory
8. C:\Windows\SysWOW64\Kqfdnljm.exe (command line: C:\Windows\system32\Kqfdnljm.exe), PID 2636
   - Executes dropped EXE
   - Loads dropped DLL
   - Modifies registry class
   - Suspicious use of WriteProcessMemory
9. C:\Windows\SysWOW64\Kjoifb32.exe (command line: C:\Windows\system32\Kjoifb32.exe), PID 1928
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
10. C:\Windows\SysWOW64\Kqiaclhj.exe (command line: C:\Windows\system32\Kqiaclhj.exe), PID 668
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
11. C:\Windows\SysWOW64\Kgbipf32.exe (command line: C:\Windows\system32\Kgbipf32.exe), PID 2500
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
12. C:\Windows\SysWOW64\Kmobhmnn.exe (command line: C:\Windows\system32\Kmobhmnn.exe), PID 1920
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
13. C:\Windows\SysWOW64\Kgefefnd.exe (command line: C:\Windows\system32\Kgefefnd.exe), PID 3036
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
14. C:\Windows\SysWOW64\Ljcbaamh.exe (command line: C:\Windows\system32\Ljcbaamh.exe), PID 2028
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
15. C:\Windows\SysWOW64\Lqmjnk32.exe (command line: C:\Windows\system32\Lqmjnk32.exe), PID 1368
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
16. C:\Windows\SysWOW64\Lbogfcjc.exe (command line: C:\Windows\system32\Lbogfcjc.exe), PID 696
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
17. C:\Windows\SysWOW64\Lihobnap.exe (command line: C:\Windows\system32\Lihobnap.exe), PID 264
   - Executes dropped EXE
   - Loads dropped DLL
18. C:\Windows\SysWOW64\Lkgkoiqc.exe (command line: C:\Windows\system32\Lkgkoiqc.exe), PID 1576
   - Executes dropped EXE
   - Loads dropped DLL
19. C:\Windows\SysWOW64\Leopgo32.exe (command line: C:\Windows\system32\Leopgo32.exe), PID 2268
   - Executes dropped EXE
   - Loads dropped DLL
20. C:\Windows\SysWOW64\Liklhmom.exe (command line: C:\Windows\system32\Liklhmom.exe), PID 348
   - Executes dropped EXE
   - Loads dropped DLL
21. C:\Windows\SysWOW64\Lkihdioa.exe (command line: C:\Windows\system32\Lkihdioa.exe), PID 680
   - Executes dropped EXE
   - Loads dropped DLL
22. C:\Windows\SysWOW64\Lnhdqdnd.exe (command line: C:\Windows\system32\Lnhdqdnd.exe), PID 340
   - Executes dropped EXE
   - Loads dropped DLL
23. C:\Windows\SysWOW64\Leammn32.exe (command line: C:\Windows\system32\Leammn32.exe), PID 908
   - Executes dropped EXE
   - Loads dropped DLL
24. C:\Windows\SysWOW64\Lgpiij32.exe (command line: C:\Windows\system32\Lgpiij32.exe), PID 1644
   - Executes dropped EXE
   - Loads dropped DLL
25. C:\Windows\SysWOW64\Lpgajgeg.exe (command line: C:\Windows\system32\Lpgajgeg.exe), PID 780
   - Executes dropped EXE
   - Loads dropped DLL
26. C:\Windows\SysWOW64\Ledibnco.exe (command line: C:\Windows\system32\Ledibnco.exe), PID 1424
   - Executes dropped EXE
   - Loads dropped DLL
27. C:\Windows\SysWOW64\Lipecm32.exe (command line: C:\Windows\system32\Lipecm32.exe), PID 1532
   - Executes dropped EXE
   - Loads dropped DLL
28. C:\Windows\SysWOW64\Lgbeoibb.exe (command line: C:\Windows\system32\Lgbeoibb.exe), PID 352
   - Executes dropped EXE
   - Loads dropped DLL
29. C:\Windows\SysWOW64\Mcifdj32.exe (command line: C:\Windows\system32\Mcifdj32.exe), PID 2924
   - Executes dropped EXE
   - Loads dropped DLL
30. C:\Windows\SysWOW64\Mjcoqdoc.exe (command line: C:\Windows\system32\Mjcoqdoc.exe), PID 2740
   - Executes dropped EXE
   - Loads dropped DLL
31. C:\Windows\SysWOW64\Mnojacgm.exe (command line: C:\Windows\system32\Mnojacgm.exe), PID 2916
   - Executes dropped EXE
   - Loads dropped DLL
32. C:\Windows\SysWOW64\Mclcijfd.exe (command line: C:\Windows\system32\Mclcijfd.exe), PID 2996
   - Executes dropped EXE
   - Loads dropped DLL
33. C:\Windows\SysWOW64\Mjekfd32.exe (command line: C:\Windows\system32\Mjekfd32.exe), PID 2648
   - Executes dropped EXE
34. C:\Windows\SysWOW64\Mmdgbp32.exe (command line: C:\Windows\system32\Mmdgbp32.exe), PID 2652
   - Executes dropped EXE
   - System Location Discovery: System Language Discovery
35. C:\Windows\SysWOW64\Mpbdnk32.exe (command line: C:\Windows\system32\Mpbdnk32.exe), PID 2960
   - Executes dropped EXE
36. C:\Windows\SysWOW64\Mjhhld32.exe (command line: C:\Windows\system32\Mjhhld32.exe), PID 296
   - Executes dropped EXE
   - Modifies registry class
37. C:\Windows\SysWOW64\Mabphn32.exe (command line: C:\Windows\system32\Mabphn32.exe), PID 2812
   - Executes dropped EXE
   - System Location Discovery: System Language Discovery
38. C:\Windows\SysWOW64\Mfoiqe32.exe (command line: C:\Windows\system32\Mfoiqe32.exe), PID 3032
   - Executes dropped EXE
   - Drops file in System32 directory
39. C:\Windows\SysWOW64\Mjjdacik.exe (command line: C:\Windows\system32\Mjjdacik.exe), PID 2016
   - Executes dropped EXE
40. C:\Windows\SysWOW64\Mmhamoho.exe (command line: C:\Windows\system32\Mmhamoho.exe), PID 2116
   - Executes dropped EXE
41. C:\Windows\SysWOW64\Mdbiji32.exe (command line: C:\Windows\system32\Mdbiji32.exe), PID 984
   - Executes dropped EXE
   - Modifies registry class
42. C:\Windows\SysWOW64\Mfaefd32.exe (command line: C:\Windows\system32\Mfaefd32.exe), PID 772
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
43. C:\Windows\SysWOW64\Mioabp32.exe (command line: C:\Windows\system32\Mioabp32.exe), PID 1712
   - Executes dropped EXE
44. C:\Windows\SysWOW64\Nfcbldmm.exe (command line: C:\Windows\system32\Nfcbldmm.exe), PID 2160
   - Executes dropped EXE
45. C:\Windows\SysWOW64\Nlpkdkkd.exe (command line: C:\Windows\system32\Nlpkdkkd.exe), PID 2616
   - Executes dropped EXE
46. C:\Windows\SysWOW64\Nplfdj32.exe (command line: C:\Windows\system32\Nplfdj32.exe), PID 1492
   - Executes dropped EXE
47. C:\Windows\SysWOW64\Noogpfjh.exe (command line: C:\Windows\system32\Noogpfjh.exe), PID 3068
   - Executes dropped EXE
48. C:\Windows\SysWOW64\Namclbil.exe (command line: C:\Windows\system32\Namclbil.exe), PID 1276
   - Executes dropped EXE
49. C:\Windows\SysWOW64\Nehomq32.exe (command line: C:\Windows\system32\Nehomq32.exe), PID 2364
   - Executes dropped EXE
50. C:\Windows\SysWOW64\Nhgkil32.exe (command line: C:\Windows\system32\Nhgkil32.exe), PID 2436
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
51. C:\Windows\SysWOW64\Nlbgikia.exe (command line: C:\Windows\system32\Nlbgikia.exe), PID 2820
   - Executes dropped EXE
52. C:\Windows\SysWOW64\Noacef32.exe (command line: C:\Windows\system32\Noacef32.exe), PID 1620
   - Executes dropped EXE
53. C:\Windows\SysWOW64\Nblpfepo.exe (command line: C:\Windows\system32\Nblpfepo.exe), PID 1592
   - Executes dropped EXE
54. C:\Windows\SysWOW64\Naopaa32.exe (command line: C:\Windows\system32\Naopaa32.exe), PID 2276
   - Executes dropped EXE
55. C:\Windows\SysWOW64\Neklbppb.exe (command line: C:\Windows\system32\Neklbppb.exe), PID 2920
   - Executes dropped EXE
56. C:\Windows\SysWOW64\Nhiholof.exe (command line: C:\Windows\system32\Nhiholof.exe), PID 2852
   - Executes dropped EXE
57. C:\Windows\SysWOW64\Nledoj32.exe (command line: C:\Windows\system32\Nledoj32.exe), PID 2804
   - Executes dropped EXE
58. C:\Windows\SysWOW64\Nkhdkgnj.exe (command line: C:\Windows\system32\Nkhdkgnj.exe), PID 3004
   - Executes dropped EXE
59. C:\Windows\SysWOW64\Nmfqgbmm.exe (command line: C:\Windows\system32\Nmfqgbmm.exe), PID 2984
   - Executes dropped EXE
60. C:\Windows\SysWOW64\Naalga32.exe (command line: C:\Windows\system32\Naalga32.exe), PID 3024
   - Executes dropped EXE
   - Drops file in System32 directory
61. C:\Windows\SysWOW64\Nemhhpmp.exe (command line: C:\Windows\system32\Nemhhpmp.exe), PID 2976
   - Executes dropped EXE
62. C:\Windows\SysWOW64\Nhlddkmc.exe (command line: C:\Windows\system32\Nhlddkmc.exe), PID 2032
   - Executes dropped EXE
63. C:\Windows\SysWOW64\Ngneph32.exe (command line: C:\Windows\system32\Ngneph32.exe), PID 2068
   - Executes dropped EXE
64. C:\Windows\SysWOW64\Nkjapglg.exe (command line: C:\Windows\system32\Nkjapglg.exe), PID 2168
   - Executes dropped EXE
65. C:\Windows\SysWOW64\Noemqe32.exe (command line: C:\Windows\system32\Noemqe32.exe), PID 1684
   - Executes dropped EXE
66. C:\Windows\SysWOW64\Npgihn32.exe (command line: C:\Windows\system32\Npgihn32.exe), PID 1572
   - Drops file in System32 directory
67. C:\Windows\SysWOW64\Odbeilbg.exe (command line: C:\Windows\system32\Odbeilbg.exe), PID 2368
68. C:\Windows\SysWOW64\Ogqaehak.exe (command line: C:\Windows\system32\Ogqaehak.exe), PID 2400
69. C:\Windows\SysWOW64\Oklnff32.exe (command line: C:\Windows\system32\Oklnff32.exe), PID 1836
70. C:\Windows\SysWOW64\Omkjbb32.exe (command line: C:\Windows\system32\Omkjbb32.exe), PID 2572
   - Drops file in System32 directory
71. C:\Windows\SysWOW64\Oaffbqaa.exe (command line: C:\Windows\system32\Oaffbqaa.exe), PID 2148
   - Adds autorun key to be loaded by Explorer.exe on startup
72. C:\Windows\SysWOW64\Odebolpe.exe (command line: C:\Windows\system32\Odebolpe.exe), PID 2844
73. C:\Windows\SysWOW64\Ocgbji32.exe (command line: C:\Windows\system32\Ocgbji32.exe), PID 2680
74. C:\Windows\SysWOW64\Okojkf32.exe (command line: C:\Windows\system32\Okojkf32.exe), PID 2536
   - System Location Discovery: System Language Discovery
75. C:\Windows\SysWOW64\Oiakgcnl.exe (command line: C:\Windows\system32\Oiakgcnl.exe), PID 1848
76. C:\Windows\SysWOW64\Olpgconp.exe (command line: C:\Windows\system32\Olpgconp.exe), PID 2724
77. C:\Windows\SysWOW64\Opkccm32.exe (command line: C:\Windows\system32\Opkccm32.exe), PID 3008
78. C:\Windows\SysWOW64\Ocjophem.exe (command line: C:\Windows\system32\Ocjophem.exe), PID 2952
79. C:\Windows\SysWOW64\Ogekpg32.exe (command line: C:\Windows\system32\Ogekpg32.exe), PID 2380
   - Adds autorun key to be loaded by Explorer.exe on startup
80. C:\Windows\SysWOW64\Oidglb32.exe (command line: C:\Windows\system32\Oidglb32.exe), PID 536
81. C:\Windows\SysWOW64\Onocmadb.exe (command line: C:\Windows\system32\Onocmadb.exe), PID 1452
82. C:\Windows\SysWOW64\Opnpimdf.exe (command line: C:\Windows\system32\Opnpimdf.exe), PID 1108
   - Adds autorun key to be loaded by Explorer.exe on startup
83. C:\Windows\SysWOW64\Ocllehcj.exe (command line: C:\Windows\system32\Ocllehcj.exe), PID 2336
84. C:\Windows\SysWOW64\Oghhfg32.exe (command line: C:\Windows\system32\Oghhfg32.exe), PID 1488
85. C:\Windows\SysWOW64\Oekhacbn.exe (command line: C:\Windows\system32\Oekhacbn.exe), PID 2272
86. C:\Windows\SysWOW64\Oifdbb32.exe (command line: C:\Windows\system32\Oifdbb32.exe), PID 2504
   - Modifies registry class
87. C:\Windows\SysWOW64\Ohidmoaa.exe (command line: C:\Windows\system32\Ohidmoaa.exe), PID 1680
88. C:\Windows\SysWOW64\Opplolac.exe (command line: C:\Windows\system32\Opplolac.exe), PID 2244
89. C:\Windows\SysWOW64\Ocohkh32.exe (command line: C:\Windows\system32\Ocohkh32.exe), PID 2760
90. C:\Windows\SysWOW64\Oihqgbhd.exe (command line: C:\Windows\system32\Oihqgbhd.exe), PID 2900
   - Adds autorun key to be loaded by Explorer.exe on startup
91. C:\Windows\SysWOW64\Ohkaco32.exe (command line: C:\Windows\system32\Ohkaco32.exe), PID 2832
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Modifies registry class
92. C:\Windows\SysWOW64\Olgmcmgh.exe (command line: C:\Windows\system32\Olgmcmgh.exe), PID 2908
   - Drops file in System32 directory
   - Modifies registry class
93. C:\Windows\SysWOW64\Pcaepg32.exe (command line: C:\Windows\system32\Pcaepg32.exe), PID 2940
   - System Location Discovery: System Language Discovery
94. C:\Windows\SysWOW64\Peoalc32.exe (command line: C:\Windows\system32\Peoalc32.exe), PID 1360
95. C:\Windows\SysWOW64\Pdbahpec.exe (command line: C:\Windows\system32\Pdbahpec.exe), PID 1668
96. C:\Windows\SysWOW64\Plijimee.exe (command line: C:\Windows\system32\Plijimee.exe), PID 2456
97. C:\Windows\SysWOW64\Pohfehdi.exe (command line: C:\Windows\system32\Pohfehdi.exe), PID 1124
98. C:\Windows\SysWOW64\Pafbadcm.exe (command line: C:\Windows\system32\Pafbadcm.exe), PID 2732
99. C:\Windows\SysWOW64\Peanbblf.exe (command line: C:\Windows\system32\Peanbblf.exe), PID 2288
100. C:\Windows\SysWOW64\Phpjnnki.exe (command line: C:\Windows\system32\Phpjnnki.exe), PID 900
101. C:\Windows\SysWOW64\Pgckjk32.exe (command line: C:\Windows\system32\Pgckjk32.exe), PID 2860
   - Modifies registry class
102. C:\Windows\SysWOW64\Pojbkh32.exe (command line: C:\Windows\system32\Pojbkh32.exe), PID 2768
103. C:\Windows\SysWOW64\Pnmcfeia.exe (command line: C:\Windows\system32\Pnmcfeia.exe), PID 1936
104. C:\Windows\SysWOW64\Pqkobqhd.exe (command line: C:\Windows\system32\Pqkobqhd.exe), PID 1932
105. C:\Windows\SysWOW64\Phbgcnig.exe (command line: C:\Windows\system32\Phbgcnig.exe), PID 2932
106. C:\Windows\SysWOW64\Pkacpihj.exe (command line: C:\Windows\system32\Pkacpihj.exe), PID 2736
107. C:\Windows\SysWOW64\Pnopldgn.exe (command line: C:\Windows\system32\Pnopldgn.exe), PID 1188
   - System Location Discovery: System Language Discovery
   - Modifies registry class
108. C:\Windows\SysWOW64\Pqnlhpfb.exe (command line: C:\Windows\system32\Pqnlhpfb.exe), PID 832
   - Adds autorun key to be loaded by Explorer.exe on startup
109. C:\Windows\SysWOW64\Pdihiook.exe (command line: C:\Windows\system32\Pdihiook.exe), PID 1472
   - Drops file in System32 directory
110. C:\Windows\SysWOW64\Pggdejno.exe (command line: C:\Windows\system32\Pggdejno.exe), PID 1228
   - Adds autorun key to be loaded by Explorer.exe on startup
111. C:\Windows\SysWOW64\Pkcpei32.exe (command line: C:\Windows\system32\Pkcpei32.exe), PID 1984
112. C:\Windows\SysWOW64\Pnalad32.exe (command line: C:\Windows\system32\Pnalad32.exe), PID 2848
   - Drops file in System32 directory
113. C:\Windows\SysWOW64\Pmdmmalf.exe (command line: C:\Windows\system32\Pmdmmalf.exe), PID 2816
114. C:\Windows\SysWOW64\Pdldnomh.exe (command line: C:\Windows\system32\Pdldnomh.exe), PID 2748
115. C:\Windows\SysWOW64\Qgjqjjll.exe (command line: C:\Windows\system32\Qgjqjjll.exe), PID 2888
116. C:\Windows\SysWOW64\Qfmafg32.exe (command line: C:\Windows\system32\Qfmafg32.exe), PID 1408
117. C:\Windows\SysWOW64\Qndigd32.exe (command line: C:\Windows\system32\Qndigd32.exe), PID 2624
   - Adds autorun key to be loaded by Explorer.exe on startup
118. C:\Windows\SysWOW64\Qmgibqjc.exe (command line: C:\Windows\system32\Qmgibqjc.exe), PID 2696
119. C:\Windows\SysWOW64\Qoeeolig.exe (command line: C:\Windows\system32\Qoeeolig.exe), PID 1440
120. C:\Windows\SysWOW64\Qcqaok32.exe (command line: C:\Windows\system32\Qcqaok32.exe), PID 2008
121. C:\Windows\SysWOW64\Qfonkfqd.exe (command line: C:\Windows\system32\Qfonkfqd.exe), PID 1552
122. C:\Windows\SysWOW64\Qmifhq32.exe (command line: C:\Windows\system32\Qmifhq32.exe), PID 2568