Analysis
max time kernel: 91s
max time network: 16s
platform: windows7_x64
resource: win7-20240729-en
resource tags: arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system
submitted: 03-10-2024 20:31
Static task: static1
Behavioral task: behavioral1
Sample: 6a98217e5ba25a82b411715fd5ec780f1d33ef9baf0e077f3af07e8b3a5f7758N.exe
Resource: win7-20240729-en
Behavioral task: behavioral2
Sample: 6a98217e5ba25a82b411715fd5ec780f1d33ef9baf0e077f3af07e8b3a5f7758N.exe
Resource: win10v2004-20240802-en
General
Target: 6a98217e5ba25a82b411715fd5ec780f1d33ef9baf0e077f3af07e8b3a5f7758N.exe
Size: 67KB
MD5: da25ab495e5d29467fb796080bfd33c0
SHA1: d5b6102b24a130ca34001cd28525acdc1be352f0
SHA256: 6a98217e5ba25a82b411715fd5ec780f1d33ef9baf0e077f3af07e8b3a5f7758
SHA512: b9aeafc6e2a4e6dff1baba01c3c2042847c2901db47641c6e66db60c6d73051d1843b86c43a0b96f757b1317a515602b840b8b65573cb7e90cea146a38d3f5f9
SSDEEP: 768:2/AjkwhOwQ+ftBJoWCbPS3BQ5Y9dwdEQRjEphFm/UiuhUR2Zz9NrrKnkwLx7JaRw:g8ebPS3BTzcEQ2FfiKURCz9xRQbR/Rj
Malware Config
Extracted
Family: berbew
http://viruslist.com/wcmd.txt
http://viruslist.com/ppslog.php
http://viruslist.com/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d
Signatures

Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
Every stage of the chain re-creates the ShellServiceObjectDelayLoad (SSODL) key and re-writes the same "Web Event Logger" value, whose data is the CLSID {79ECA078-17FF-726B-E811-213280E5C831} that the shell instantiates at startup (the CLSID itself is registered under "Modifies registry class" below). The path is the Wow6432Node view because the sample is a 32-bit process and WOW64 redirects its HKLM\SOFTWARE writes; the 64-bit explorer.exe on this x64 image reads the native SSODL key, so this entry is effective for a 32-bit shell.

Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad (38 processes):
Oihdjk32.exe, Qkbpgeai.exe, Oahbjmjp.exe, Cmdaeo32.exe, Gegaeabe.exe, Hkppcmjk.exe, Pccahc32.exe, Pbjkop32.exe,
Gbkaneao.exe, Mljnaocd.exe, Amhopfof.exe, Hlkcbp32.exe, Jdmjfe32.exe, Jbakpi32.exe, Cikbjpqd.exe, Iiipeb32.exe,
Heedqe32.exe, Aokdga32.exe, Lfnlcnih.exe, Nianjl32.exe, Ajmfca32.exe, Camqpnel.exe, Cenmfbml.exe, Kecmfg32.exe,
Mmpcdfem.exe, Gihnkejd.exe, Jaonji32.exe, Nmacej32.exe, Ambhpljg.exe, Dpodgocb.exe, Ailboh32.exe, Ceacoqfi.exe,
Ddliklgk.exe, Elbmkm32.exe, Hlecmkel.exe, Hagepa32.exe, Fejifdab.exe, Mcjlap32.exe

Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" (26 processes):
Ddbolkac.exe, Mchokq32.exe, Bfjmia32.exe, Ailboh32.exe, Nianjl32.exe, Kjihci32.exe, Jofdll32.exe, Gnlpeh32.exe,
Pmiikipg.exe, Nafiej32.exe, Gcchgini.exe, Pgjdmc32.exe, Bfmjoqoe.exe, Milaecdp.exe, Bjfpdf32.exe, Nmbmii32.exe,
Cpbnaj32.exe, Kfgcieii.exe, Mnncii32.exe, Jjnlikic.exe, Mhfoleio.exe, Ckkenikc.exe, Ckfeic32.exe, Fpcblkje.exe,
Hadhjaaa.exe, Ohdglfoj.exe
Executes dropped EXE (64 IoCs)
pid Process
2216 Pchbmigj.exe, 2904 Pmqffonj.exe, 3032 Pegnglnm.exe, 2780 Pegnglnm.exe, 2684 Qcjoci32.exe, 2672 Qmcclolh.exe, 1864 Qcmkhi32.exe, 1512 Qaqlbmbn.exe,
1408 Apclnj32.exe, 2400 Ajipkb32.exe, 2368 Aljmbknm.exe, 1428 Afpapcnc.exe, 944 Aebakp32.exe, 588 Aphehidc.exe, 2304 Ankedf32.exe, 2192 Aiqjao32.exe,
2388 Apkbnibq.exe, 2200 Anmbje32.exe, 2424 Aalofa32.exe, 1668 Ahfgbkpl.exe, 1124 Alaccj32.exe, 1924 Ajdcofop.exe, 1172 Aankkqfl.exe, 2416 Admgglep.exe,
2032 Bjfpdf32.exe, 2812 Bmelpa32.exe, 3012 Bdodmlcm.exe, 2880 Bodhjdcc.exe, 2736 Bacefpbg.exe, 2796 Bhmmcjjd.exe, 804 Bkkioeig.exe, 304 Bphaglgo.exe,
2268 Bdcnhk32.exe, 1084 Bknfeege.exe, 2700 Bmlbaqfh.exe, 2972 Bpjnmlel.exe, 2280 Bgdfjfmi.exe, 636 Bmnofp32.exe, 532 Bpmkbl32.exe, 2360 Ciepkajj.exe,
2132 Clclhmin.exe, 2336 Cpohhk32.exe, 2160 Celpqbon.exe, 1536 Ciglaa32.exe, 1988 Cenmfbml.exe, 1916 Clhecl32.exe, 996 Ckkenikc.exe, 2232 Cofaog32.exe,
1248 Caenkc32.exe, 2992 Cdcjgnbc.exe, 2664 Cgbfcjag.exe, 2420 Cnlnpd32.exe, 2916 Cagjqbam.exe, 1152 Cpjklo32.exe, 2264 Chabmm32.exe, 2484 Cgdciiod.exe,
2204 Cjboeenh.exe, 2928 Dnnkec32.exe, 2924 Dpmgao32.exe, 1836 Ddhcbnnn.exe, 2136 Dgfpni32.exe, 1876 Djeljd32.exe, 2496 Dnqhkcdo.exe, 2256 Dpodgocb.exe
Loads dropped DLL (64 IoCs)
pid Process (each of the 32 entries below is listed twice in the report)
2744 6a98217e5ba25a82b411715fd5ec780f1d33ef9baf0e077f3af07e8b3a5f7758N.exe, 2216 Pchbmigj.exe, 2904 Pmqffonj.exe, 3032 Pegnglnm.exe, 2780 Pegnglnm.exe, 2684 Qcjoci32.exe, 2672 Qmcclolh.exe, 1864 Qcmkhi32.exe,
1512 Qaqlbmbn.exe, 1408 Apclnj32.exe, 2400 Ajipkb32.exe, 2368 Aljmbknm.exe, 1428 Afpapcnc.exe, 944 Aebakp32.exe, 588 Aphehidc.exe, 2304 Ankedf32.exe,
2192 Aiqjao32.exe, 2388 Apkbnibq.exe, 2200 Anmbje32.exe, 2424 Aalofa32.exe, 1668 Ahfgbkpl.exe, 1124 Alaccj32.exe, 1924 Ajdcofop.exe, 1172 Aankkqfl.exe,
2416 Admgglep.exe, 2032 Bjfpdf32.exe, 2812 Bmelpa32.exe, 3012 Bdodmlcm.exe, 2880 Bodhjdcc.exe, 2736 Bacefpbg.exe, 2796 Bhmmcjjd.exe, 804 Bkkioeig.exe
Drops file in System32 directory (64 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\Aljmbknm.exe | Ajipkb32.exe
File opened for modification | C:\Windows\SysWOW64\Ajdcofop.exe | Alaccj32.exe
File opened for modification | C:\Windows\SysWOW64\Hoipnl32.exe | Hlkcbp32.exe
File opened for modification | C:\Windows\SysWOW64\Jqfhqe32.exe | Jbcgeilh.exe
File created | C:\Windows\SysWOW64\Pipjpj32.exe | Pfando32.exe
File created | C:\Windows\SysWOW64\Glfiinip.dll | Mmngof32.exe
File created | C:\Windows\SysWOW64\Pmidlkkk.dll | Fcilnl32.exe
File opened for modification | C:\Windows\SysWOW64\Llbnnq32.exe | Lckflc32.exe
File created | C:\Windows\SysWOW64\Mpnehd32.dll | Gpeoakhc.exe
File opened for modification | C:\Windows\SysWOW64\Lelljepm.exe | Lbmpnjai.exe
File created | C:\Windows\SysWOW64\Coldmfkf.exe | Cpidai32.exe
File opened for modification | C:\Windows\SysWOW64\Ehlkfn32.exe | Efmoib32.exe
File created | C:\Windows\SysWOW64\Oaeghhnb.dll | Ebdoocdk.exe
File created | C:\Windows\SysWOW64\Fapjpi32.dll | Ifhgcgjq.exe
File opened for modification | C:\Windows\SysWOW64\Pchbmigj.exe | 6a98217e5ba25a82b411715fd5ec780f1d33ef9baf0e077f3af07e8b3a5f7758N.exe
File opened for modification | C:\Windows\SysWOW64\Aiqjao32.exe | Ankedf32.exe
File created | C:\Windows\SysWOW64\Alqqip32.dll | Acjdgf32.exe
File created | C:\Windows\SysWOW64\Bbannb32.exe | Bpbabf32.exe
File opened for modification | C:\Windows\SysWOW64\Dpcnbn32.exe | Dhleaq32.exe
File created | C:\Windows\SysWOW64\Ikaainpb.dll | Kmjaddii.exe
File opened for modification | C:\Windows\SysWOW64\Nhnemdbf.exe | Ndbile32.exe
File created | C:\Windows\SysWOW64\Ibmkbh32.exe | Hpoofm32.exe
File created | C:\Windows\SysWOW64\Pmjoacao.dll | Nokcbm32.exe
File opened for modification | C:\Windows\SysWOW64\Ejgeogmn.exe | Ekddck32.exe
File opened for modification | C:\Windows\SysWOW64\Gdflgo32.exe | Gecklbih.exe
File opened for modification | C:\Windows\SysWOW64\Qekdpkgj.exe | Qnalcqpm.exe
File created | C:\Windows\SysWOW64\Madfkk32.dll | Ekhjlioa.exe
File created | C:\Windows\SysWOW64\Cdcjgnbc.exe | Caenkc32.exe
File created | C:\Windows\SysWOW64\Magfjebk.exe | Mbdfni32.exe
File opened for modification | C:\Windows\SysWOW64\Dndndbnl.exe | Dkeahf32.exe
File created | C:\Windows\SysWOW64\Gmqlkcao.dll | Dnfjiali.exe
File created | C:\Windows\SysWOW64\Lndqbk32.exe | Lkfdfo32.exe
File created | C:\Windows\SysWOW64\Ghghie32.dll | Dpodgocb.exe
File created | C:\Windows\SysWOW64\Kckjmpko.exe | Kopnma32.exe
File created | C:\Windows\SysWOW64\Olopgm32.dll | Oeoeplfn.exe
File created | C:\Windows\SysWOW64\Dqanjl32.dll | Anfeop32.exe
File created | C:\Windows\SysWOW64\Apkbnibq.exe | Aiqjao32.exe
File created | C:\Windows\SysWOW64\Jcfnnang.dll | Pgacaaij.exe
File created | C:\Windows\SysWOW64\Dnfjiali.exe | Dkhnmfle.exe
File created | C:\Windows\SysWOW64\Pgacaaij.exe | Pqhkdg32.exe
File opened for modification | C:\Windows\SysWOW64\Pchdfb32.exe | Pdfdkehc.exe
File opened for modification | C:\Windows\SysWOW64\Cagjqbam.exe | Cnlnpd32.exe
File opened for modification | C:\Windows\SysWOW64\Moqgiopk.exe | Mpngmb32.exe
File opened for modification | C:\Windows\SysWOW64\Nmogpj32.exe | Nkqjdo32.exe
File opened for modification | C:\Windows\SysWOW64\Bhnffi32.exe | Bikfklni.exe
File created | C:\Windows\SysWOW64\Nejdjf32.exe | Nmbmii32.exe
File created | C:\Windows\SysWOW64\Kehglhah.dll | Dgfpni32.exe
File opened for modification | C:\Windows\SysWOW64\Jbcgeilh.exe | Jgnchplb.exe
File created | C:\Windows\SysWOW64\Hjchkfnl.dll | Jhmpbc32.exe
File created | C:\Windows\SysWOW64\Pgcacc32.dll | Mbjfcnkg.exe
File created | C:\Windows\SysWOW64\Ejgeogmn.exe | Ekddck32.exe
File opened for modification | C:\Windows\SysWOW64\Kihbfg32.exe | Kfjfik32.exe
File opened for modification | C:\Windows\SysWOW64\Qnalcqpm.exe | Qonlhd32.exe
File opened for modification | C:\Windows\SysWOW64\Enmqjq32.exe | Effhic32.exe
File opened for modification | C:\Windows\SysWOW64\Lmlnjcgg.exe | Kfbemi32.exe
File opened for modification | C:\Windows\SysWOW64\Elmkmo32.exe | Edeclabl.exe
File created | C:\Windows\SysWOW64\Pljhmo32.dll | Gbkaneao.exe
File created | C:\Windows\SysWOW64\Hadbbkpk.dll | Gekkpqnp.exe
File opened for modification | C:\Windows\SysWOW64\Heijidbn.exe | Hffjng32.exe
File opened for modification | C:\Windows\SysWOW64\Ghbhhnhk.exe | Gdflgo32.exe
File created | C:\Windows\SysWOW64\Laackgka.exe | Lncgollm.exe
File created | C:\Windows\SysWOW64\Npkfff32.exe | Nahfkigd.exe
File created | C:\Windows\SysWOW64\Pehccb32.dll | Jfpmifoa.exe
File created | C:\Windows\SysWOW64\Feiaknmg.exe | Fmbjjp32.exe
Program crash (1 IoC)
pid | pid_target | Process | procid_target
7496 | 7392 | WerFault.exe | 799
System Location Discovery: System Language Discovery (1 TTP, 64 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (64 processes):
Klonqpbi.exe, Mbdfni32.exe, Cpohhk32.exe, Cagjqbam.exe, Fnbmoi32.exe, Hlkcbp32.exe, Mmkafhnb.exe, Fkoqmhii.exe,
Acpjga32.exe, Fghngimj.exe, Jpcdqpqj.exe, Nhcgkbja.exe, Aiqjao32.exe, Jopbnn32.exe, Oihdjk32.exe, Qmpplh32.exe,
Dlpdfjjp.exe, Phmfpddb.exe, Pqjhjf32.exe, Nknnnoph.exe, Qkbpgeai.exe, Gcchgini.exe, Mfihml32.exe, Ajdcofop.exe,
Jdlclo32.exe, Khcbpa32.exe, Gdihmo32.exe, Befpkmph.exe, Ecoihm32.exe, Fmodaadg.exe, Jqfhqe32.exe, Clinfk32.exe,
Lenioenj.exe, Aaikfkgf.exe, Iockhigl.exe, Lffohikd.exe, Pchbmigj.exe, Apkbnibq.exe, Efeoedjo.exe, Ecbfmm32.exe,
Ionehnbm.exe, Nhakecld.exe, Bpjnmlel.exe, Ajapoqmf.exe, Imkeneja.exe, Bmnofp32.exe, Hadhjaaa.exe, Kqqdjceh.exe,
Bghfacem.exe, Kjkehhjf.exe, Pegnglnm.exe, Dgildi32.exe, Ajociq32.exe, Hlecmkel.exe, Iebmpcjc.exe, Pbjkop32.exe,
Dkjkcfjc.exe, Iboghh32.exe, Idcqep32.exe, Ninjjf32.exe, Ohbjgg32.exe, Dammoahg.exe, Fkldgi32.exe, Geinjapb.exe
Modifies registry class (64 IoCs)
This is the COM registration behind the SSODL entry above: the InProcServer32 default value names the DLL that the shell loads for CLSID {79ECA078-17FF-726B-E811-213280E5C831}, and each stage of the chain points it at a different dropped DLL under SysWow64 with ThreadingModel = "Apartment".

Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 (22 processes):
Hlecmkel.exe, Feobac32.exe, Anfeop32.exe, Egflml32.exe, Fichqckn.exe, Pqhkdg32.exe, Cojghf32.exe, Ebabicfn.exe,
Nhcgkbja.exe, Jhmpbc32.exe, Nogmin32.exe, Ncjbba32.exe, Fbiijb32.exe, Doijcjde.exe, Pmmcfi32.exe, Npnclf32.exe,
Mfkebkjk.exe, Memlki32.exe, Fbfldc32.exe, Fqkieogp.exe, Jjqiok32.exe, Lflonn32.exe

Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" (19 processes):
Neghdg32.exe, Dfbbpd32.exe, Eqcjaa32.exe, Qekdpkgj.exe, Pmiikipg.exe, Feiaknmg.exe, Nilndfgl.exe, Gnlpeh32.exe,
Gjbqjiem.exe, Glomllkd.exe, Gnabcf32.exe, Peiaij32.exe, Bmlbaqfh.exe, Ohmalgeb.exe, Jhqeka32.exe, Pjofjm32.exe,
Dhlogjko.exe, Odanqb32.exe, Ifhgcgjq.exe

Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ (default) = DLL path (23 processes)
value | Process
"C:\\Windows\\SysWow64\\Afnakj32.dll" | Fcjeakfd.exe
"C:\\Windows\\SysWow64\\Gdcnch32.dll" | Hilgfe32.exe
"C:\\Windows\\SysWow64\\Ghagcnje.dll" | Oknjmb32.exe
"C:\\Windows\\SysWow64\\Mojjfdkn.dll" | Imkeneja.exe
"C:\\Windows\\SysWow64\\Onllmobg.dll" | Oaqeogll.exe
"C:\\Windows\\SysWow64\\Hpedjd32.dll" | Djjeedhp.exe
"C:\\Windows\\SysWow64\\Cfmjiqbg.dll" | Qkbpgeai.exe
"C:\\Windows\\SysWow64\\Lbdkhhcq.dll" | Glfjgaih.exe
"C:\\Windows\\SysWow64\\Dngdefco.dll" | Aemafjeg.exe
"C:\\Windows\\SysWow64\\Bbjkmi32.dll" | Cgdciiod.exe
"C:\\Windows\\SysWow64\\Ighmnbma.dll" | Npffaq32.exe
"C:\\Windows\\SysWow64\\Lelhjebf.dll" | Pjblcl32.exe
"C:\\Windows\\SysWow64\\Jkfapl32.dll" | Djeljd32.exe
"C:\\Windows\\SysWow64\\Paifph32.dll" | Ileoknhh.exe
"C:\\Windows\\SysWow64\\Jjdiiidn.dll" | Hhadgakg.exe
"C:\\Windows\\SysWow64\\Gkokcp32.dll" | Jbcgeilh.exe
"C:\\Windows\\SysWow64\\Agpmcpfm.dll" | Nalldh32.exe
"C:\\Windows\\SysWow64\\Hjnhlm32.dll" | Bmnofp32.exe
"C:\\Windows\\SysWow64\\Engplgdp.dll" | Fldabn32.exe
"C:\\Windows\\SysWow64\\Oaeghhnb.dll" | Ebdoocdk.exe
"C:\\Windows\\SysWow64\\Iekcqo32.dll" | Lpddgd32.exe
"C:\\Windows\\SysWow64\\Bknkhh32.dll" | Aaikfkgf.exe
"C:\\Windows\\SysWow64\\Qghagobg.dll" | Amplklmj.exe
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target (each hop below is logged four times in the raw output, 64 records in total)
PID 2744 wrote to memory of 2216 | 2744 | 6a98217e5ba25a82b411715fd5ec780f1d33ef9baf0e077f3af07e8b3a5f7758N.exe | 30
PID 2216 wrote to memory of 2904 | 2216 | Pchbmigj.exe | 31
PID 2904 wrote to memory of 3032 | 2904 | Pmqffonj.exe | 32
PID 3032 wrote to memory of 2780 | 3032 | Pegnglnm.exe | 33
PID 2780 wrote to memory of 2684 | 2780 | Pegnglnm.exe | 34
PID 2684 wrote to memory of 2672 | 2684 | Qcjoci32.exe | 35
PID 2672 wrote to memory of 1864 | 2672 | Qmcclolh.exe | 36
PID 1864 wrote to memory of 1512 | 1864 | Qcmkhi32.exe | 37
PID 1512 wrote to memory of 1408 | 1512 | Qaqlbmbn.exe | 38
PID 1408 wrote to memory of 2400 | 1408 | Apclnj32.exe | 39
PID 2400 wrote to memory of 2368 | 2400 | Ajipkb32.exe | 40
PID 2368 wrote to memory of 1428 | 2368 | Aljmbknm.exe | 41
PID 1428 wrote to memory of 944 | 1428 | Afpapcnc.exe | 42
PID 944 wrote to memory of 588 | 944 | Aebakp32.exe | 43
PID 588 wrote to memory of 2304 | 588 | Aphehidc.exe | 44
PID 2304 wrote to memory of 2192 | 2304 | Ankedf32.exe | 45
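The two signature blocks above are the raw material of this report's most useful findings: the SSODL value "Web Event Logger" names a CLSID, the CLSID's InProcServer32 default value names the DLL Explorer will load at the next logon, and the WriteProcessMemory records (four per hop) give the parent-to-child chain of dropped executables. The following Python is an added triage helper, not part of the sandbox output or of the Berbew sample; it parses the record formats shown on this page. The six registry records and three WriteProcessMemory hops embedded in it are copied from the report; the regexes, function names and the "registered_during_run" flag are assumptions of this example.

```python
"""Triage helper for the report above: an added example, not sandbox output.

It parses the two record formats the report prints (registry writes and
WriteProcessMemory records) and answers two questions about this run:
  1. which ShellServiceObjectDelayLoad (SSODL) value points at which CLSID,
     and which DLLs were registered as that CLSID's InProcServer32, i.e. what
     Explorer will actually load at the next logon;
  2. the parent -> child chain of dropped executables, with the four identical
     WriteProcessMemory records the report logs per hop collapsed to one.
The sample records are copied from the report; the helpers are assumptions.
"""
import re
from collections import OrderedDict

SAMPLE = "6a98217e5ba25a82b411715fd5ec780f1d33ef9baf0e077f3af07e8b3a5f7758N.exe"

# Constructed sample: six registry records copied from the report (the SSODL
# registration, the CLSID's InProcServer32 key, two DLL paths, ThreadingModel).
REGISTRY_EVENTS = r"""
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ddbolkac.exe
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oihdjk32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Nhcgkbja.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lelhjebf.dll" Pjblcl32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Odanqb32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jkfapl32.dll" Djeljd32.exe
"""

# Constructed sample: the first three WriteProcessMemory hops of the report,
# each repeated four times as the report logs them.
_HOPS = [("2744", "2216", SAMPLE, "30"),
         ("2216", "2904", "Pchbmigj.exe", "31"),
         ("2904", "3032", "Pmqffonj.exe", "32")]
WPM_EVENTS = " ".join(f"PID {src} wrote to memory of {dst} {src} {image} {tgt}"
                      for src, dst, image, tgt in _HOPS for _ in range(4))

REG_RE = re.compile(r'^(Key created|Set value \(\w+\)) (\\REGISTRY\\.*?)(?: = "(.*)")? (\S+\.exe)$')
CLSID_RE = re.compile(r"\{[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12}\}", re.I)
WPM_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) \d+ (\S+) \d+")


def parse_registry_events(text):
    """One dict per record: verb, key, data (None for 'Key created'), writing process."""
    events = []
    for line in text.strip().splitlines():
        m = REG_RE.match(line.strip())
        if m:
            verb, key, data, proc = m.groups()
            if data is not None:
                data = data.replace("\\\\", "\\")  # the report prints backslashes escaped
            events.append({"verb": verb, "key": key, "data": data, "process": proc})
    return events


def persistence_summary(events):
    """Join SSODL value -> CLSID -> InProcServer32 DLLs written during the run.

    Explorer loads every CLSID listed under ShellServiceObjectDelayLoad when it
    starts, so an SSODL value whose CLSID received a fresh InProcServer32 during
    the run is the persistence hook, and those DLLs are the payload.
    """
    ssodl = OrderedDict()  # value name -> CLSID
    inproc = {}            # CLSID -> what was written under its InProcServer32
    for ev in events:
        key = ev["key"]
        if "\\ShellServiceObjectDelayLoad\\" in key and ev["data"]:
            ssodl[key.rsplit("\\", 1)[1]] = ev["data"]
            continue
        m = CLSID_RE.search(key)
        if not m or "\\InProcServer32" not in key:
            continue
        entry = inproc.setdefault(m.group(0), {"dlls": set(), "threading": set(), "writers": set()})
        entry["writers"].add(ev["process"])
        if key.endswith("\\InProcServer32\\") and ev["data"]:  # default value = DLL path
            entry["dlls"].add(ev["data"])
        elif key.endswith("\\ThreadingModel") and ev["data"]:
            entry["threading"].add(ev["data"])
    return [{"ssodl_name": name, "clsid": clsid,
             "registered_during_run": clsid in inproc,
             "dlls": sorted(inproc.get(clsid, {}).get("dlls", ())),
             "threading": sorted(inproc.get(clsid, {}).get("threading", ())),
             "writers": sorted(inproc.get(clsid, {}).get("writers", ()))}
            for name, clsid in ssodl.items()]


def process_chain(text):
    """Collapse repeated WriteProcessMemory records to one (parent_pid, parent_image, child_pid) per hop."""
    hops = OrderedDict()
    for m in WPM_RE.finditer(text):
        src, dst, image = m.groups()
        hops.setdefault((int(src), int(dst)), image)
    return [(src, image, dst) for (src, dst), image in hops.items()]


if __name__ == "__main__":
    for f in persistence_summary(parse_registry_events(REGISTRY_EVENTS)):
        print(f"SSODL '{f['ssodl_name']}' -> {f['clsid']} loads: {', '.join(f['dlls']) or '(none seen)'}")
    for src, image, dst in process_chain(WPM_EVENTS):
        print(f"{image} (PID {src}) -> PID {dst}")
```

Run against the full "Modifies registry class" block the same join yields the complete set of SysWow64 DLL names registered for the CLSID, which is the list worth sweeping for on a live host (the SSODL key and the CLSID's InProcServer32 default value are the two places to read); the chain function applied to the whole WriteProcessMemory block reproduces the 16-hop sequence listed above once each instead of four times.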
Processes
Each entry is the child of the entry above it: depth, image path, command line, PID, and the signatures it triggered.
1 | C:\Users\Admin\AppData\Local\Temp\6a98217e5ba25a82b411715fd5ec780f1d33ef9baf0e077f3af07e8b3a5f7758N.exe | cmd: "C:\Users\Admin\AppData\Local\Temp\6a98217e5ba25a82b411715fd5ec780f1d33ef9baf0e077f3af07e8b3a5f7758N.exe" | PID 2744 | Loads dropped DLL; Drops file in System32 directory; Suspicious use of WriteProcessMemory
2 | C:\Windows\SysWOW64\Pchbmigj.exe | cmd: C:\Windows\system32\Pchbmigj.exe | PID 2216 | Executes dropped EXE; Loads dropped DLL; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
3 | C:\Windows\SysWOW64\Pmqffonj.exe | cmd: C:\Windows\system32\Pmqffonj.exe | PID 2904 | Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
4 | C:\Windows\SysWOW64\Pegnglnm.exe | cmd: C:\Windows\system32\Pegnglnm.exe | PID 3032 | Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
5 | C:\Windows\SysWOW64\Pegnglnm.exe | cmd: C:\Windows\system32\Pegnglnm.exe | PID 2780 | Executes dropped EXE; Loads dropped DLL; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
6 | C:\Windows\SysWOW64\Qcjoci32.exe | cmd: C:\Windows\system32\Qcjoci32.exe | PID 2684 | Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
7 | C:\Windows\SysWOW64\Qmcclolh.exe | cmd: C:\Windows\system32\Qmcclolh.exe | PID 2672 | Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
8 | C:\Windows\SysWOW64\Qcmkhi32.exe | cmd: C:\Windows\system32\Qcmkhi32.exe | PID 1864 | Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
9 | C:\Windows\SysWOW64\Qaqlbmbn.exe | cmd: C:\Windows\system32\Qaqlbmbn.exe | PID 1512 | Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
10 | C:\Windows\SysWOW64\Apclnj32.exe | cmd: C:\Windows\system32\Apclnj32.exe | PID 1408 | Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
11 | C:\Windows\SysWOW64\Ajipkb32.exe | cmd: C:\Windows\system32\Ajipkb32.exe | PID 2400 | Executes dropped EXE; Loads dropped DLL; Drops file in System32 directory; Suspicious use of WriteProcessMemory
12 | C:\Windows\SysWOW64\Aljmbknm.exe | cmd: C:\Windows\system32\Aljmbknm.exe | PID 2368 | Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
13 | C:\Windows\SysWOW64\Afpapcnc.exe | cmd: C:\Windows\system32\Afpapcnc.exe | PID 1428 | Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
14 | C:\Windows\SysWOW64\Aebakp32.exe | cmd: C:\Windows\system32\Aebakp32.exe | PID 944 | Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
15 | C:\Windows\SysWOW64\Aphehidc.exe | cmd: C:\Windows\system32\Aphehidc.exe | PID 588 | Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
16 | C:\Windows\SysWOW64\Ankedf32.exe | cmd: C:\Windows\system32\Ankedf32.exe | PID 2304 | Executes dropped EXE; Loads dropped DLL; Drops file in System32 directory; Suspicious use of WriteProcessMemory
17 | C:\Windows\SysWOW64\Aiqjao32.exe | cmd: C:\Windows\system32\Aiqjao32.exe | PID 2192 | Executes dropped EXE; Loads dropped DLL; Drops file in System32 directory; System Location Discovery: System Language Discovery
18 | C:\Windows\SysWOW64\Apkbnibq.exe | cmd: C:\Windows\system32\Apkbnibq.exe | PID 2388 | Executes dropped EXE; Loads dropped DLL; System Location Discovery: System Language Discovery
19 | C:\Windows\SysWOW64\Anmbje32.exe | cmd: C:\Windows\system32\Anmbje32.exe | PID 2200 | Executes dropped EXE; Loads dropped DLL
20 | C:\Windows\SysWOW64\Aalofa32.exe | cmd: C:\Windows\system32\Aalofa32.exe | PID 2424 | Executes dropped EXE; Loads dropped DLL
21 | C:\Windows\SysWOW64\Ahfgbkpl.exe | cmd: C:\Windows\system32\Ahfgbkpl.exe | PID 1668 | Executes dropped EXE; Loads dropped DLL
22 | C:\Windows\SysWOW64\Alaccj32.exe | cmd: C:\Windows\system32\Alaccj32.exe | PID 1124 | Executes dropped EXE; Loads dropped DLL; Drops file in System32 directory
23 | C:\Windows\SysWOW64\Ajdcofop.exe | cmd: C:\Windows\system32\Ajdcofop.exe | PID 1924 | Executes dropped EXE; Loads dropped DLL; System Location Discovery: System Language Discovery
24 | C:\Windows\SysWOW64\Aankkqfl.exe | cmd: C:\Windows\system32\Aankkqfl.exe | PID 1172 | Executes dropped EXE; Loads dropped DLL
25 | C:\Windows\SysWOW64\Admgglep.exe | cmd: C:\Windows\system32\Admgglep.exe | PID 2416 | Executes dropped EXE; Loads dropped DLL
26 | C:\Windows\SysWOW64\Bjfpdf32.exe | cmd: C:\Windows\system32\Bjfpdf32.exe | PID 2032 | Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Loads dropped DLL
27 | C:\Windows\SysWOW64\Bmelpa32.exe | cmd: C:\Windows\system32\Bmelpa32.exe | PID 2812 | Executes dropped EXE; Loads dropped DLL
28 | C:\Windows\SysWOW64\Bdodmlcm.exe | cmd: C:\Windows\system32\Bdodmlcm.exe | PID 3012 | Executes dropped EXE; Loads dropped DLL
29 | C:\Windows\SysWOW64\Bodhjdcc.exe | cmd: C:\Windows\system32\Bodhjdcc.exe | PID 2880 | Executes dropped EXE; Loads dropped DLL
30 | C:\Windows\SysWOW64\Bacefpbg.exe | cmd: C:\Windows\system32\Bacefpbg.exe | PID 2736 | Executes dropped EXE; Loads dropped DLL
31 | C:\Windows\SysWOW64\Bhmmcjjd.exe | cmd: C:\Windows\system32\Bhmmcjjd.exe | PID 2796 | Executes dropped EXE; Loads dropped DLL
32 | C:\Windows\SysWOW64\Bkkioeig.exe | cmd: C:\Windows\system32\Bkkioeig.exe | PID 804 | Executes dropped EXE; Loads dropped DLL
33 | C:\Windows\SysWOW64\Bphaglgo.exe | cmd: C:\Windows\system32\Bphaglgo.exe | PID 304 | Executes dropped EXE
34 | C:\Windows\SysWOW64\Bdcnhk32.exe | cmd: C:\Windows\system32\Bdcnhk32.exe | PID 2268 | Executes dropped EXE
35 | C:\Windows\SysWOW64\Bknfeege.exe | cmd: C:\Windows\system32\Bknfeege.exe | PID 1084 | Executes dropped EXE
36 | C:\Windows\SysWOW64\Bmlbaqfh.exe | cmd: C:\Windows\system32\Bmlbaqfh.exe | PID 2700 | Executes dropped EXE; Modifies registry class
37 | C:\Windows\SysWOW64\Bpjnmlel.exe | cmd: C:\Windows\system32\Bpjnmlel.exe | PID 2972 | Executes dropped EXE; System Location Discovery: System Language Discovery
38 | C:\Windows\SysWOW64\Bgdfjfmi.exe | cmd: C:\Windows\system32\Bgdfjfmi.exe | PID 2280 | Executes dropped EXE
39 | C:\Windows\SysWOW64\Bmnofp32.exe | cmd: C:\Windows\system32\Bmnofp32.exe | PID 636 | Executes dropped EXE; System Location Discovery: System Language Discovery; Modifies registry class
40 | C:\Windows\SysWOW64\Bpmkbl32.exe | cmd: C:\Windows\system32\Bpmkbl32.exe | PID 532 | Executes dropped EXE
41 | C:\Windows\SysWOW64\Ciepkajj.exe | cmd: C:\Windows\system32\Ciepkajj.exe | PID 2360 | Executes dropped EXE
42 | C:\Windows\SysWOW64\Clclhmin.exe | cmd: C:\Windows\system32\Clclhmin.exe | PID 2132 | Executes dropped EXE
43 | C:\Windows\SysWOW64\Cpohhk32.exe | cmd: C:\Windows\system32\Cpohhk32.exe | PID 2336 | Executes dropped EXE; System Location Discovery: System Language Discovery
44 | C:\Windows\SysWOW64\Celpqbon.exe | cmd: C:\Windows\system32\Celpqbon.exe | PID 2160 | Executes dropped EXE
45 | C:\Windows\SysWOW64\Ciglaa32.exe | cmd: C:\Windows\system32\Ciglaa32.exe | PID 1536 | Executes dropped EXE
46 | C:\Windows\SysWOW64\Cenmfbml.exe | cmd: C:\Windows\system32\Cenmfbml.exe | PID 1988 | Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE
47 | C:\Windows\SysWOW64\Clhecl32.exe | cmd: C:\Windows\system32\Clhecl32.exe | PID 1916 | Executes dropped EXE
48 | C:\Windows\SysWOW64\Ckkenikc.exe | cmd: C:\Windows\system32\Ckkenikc.exe | PID 996 | Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE
49 | C:\Windows\SysWOW64\Cofaog32.exe | cmd: C:\Windows\system32\Cofaog32.exe | PID 2232 | Executes dropped EXE
50 | C:\Windows\SysWOW64\Caenkc32.exe | cmd: C:\Windows\system32\Caenkc32.exe | PID 1248 | Executes dropped EXE; Drops file in System32 directory
51 | C:\Windows\SysWOW64\Cdcjgnbc.exe | cmd: C:\Windows\system32\Cdcjgnbc.exe | PID 2992 | Executes dropped EXE
52 | C:\Windows\SysWOW64\Cgbfcjag.exe | cmd: C:\Windows\system32\Cgbfcjag.exe | PID 2664 | Executes dropped EXE
53 | C:\Windows\SysWOW64\Cnlnpd32.exe | cmd: C:\Windows\system32\Cnlnpd32.exe | PID 2420 | Executes dropped EXE; Drops file in System32 directory
54 | C:\Windows\SysWOW64\Cagjqbam.exe | cmd: C:\Windows\system32\Cagjqbam.exe | PID 2916 | Executes dropped EXE; System Location Discovery: System Language Discovery
55 | C:\Windows\SysWOW64\Cpjklo32.exe | cmd: C:\Windows\system32\Cpjklo32.exe | PID 1152 | Executes dropped EXE
56 | C:\Windows\SysWOW64\Chabmm32.exe | cmd: C:\Windows\system32\Chabmm32.exe | PID 2264 | Executes dropped EXE
57 | C:\Windows\SysWOW64\Cgdciiod.exe | cmd: C:\Windows\system32\Cgdciiod.exe | PID 2484 | Executes dropped EXE; Modifies registry class
58 | C:\Windows\SysWOW64\Cjboeenh.exe | cmd: C:\Windows\system32\Cjboeenh.exe | PID 2204 | Executes dropped EXE
59 | C:\Windows\SysWOW64\Dnnkec32.exe | cmd: C:\Windows\system32\Dnnkec32.exe | PID 2928 | Executes dropped EXE
60 | C:\Windows\SysWOW64\Dpmgao32.exe | cmd: C:\Windows\system32\Dpmgao32.exe | PID 2924 | Executes dropped EXE
61 | C:\Windows\SysWOW64\Ddhcbnnn.exe | cmd: C:\Windows\system32\Ddhcbnnn.exe | PID 1836 | Executes dropped EXE
62 | C:\Windows\SysWOW64\Dgfpni32.exe | cmd: C:\Windows\system32\Dgfpni32.exe | PID 2136 | Executes dropped EXE; Drops file in System32 directory
63 | C:\Windows\SysWOW64\Djeljd32.exe | cmd: C:\Windows\system32\Djeljd32.exe | PID 1876 | Executes dropped EXE; Modifies registry class
64 | C:\Windows\SysWOW64\Dnqhkcdo.exe | cmd: C:\Windows\system32\Dnqhkcdo.exe | PID 2496 | Executes dropped EXE
65 | C:\Windows\SysWOW64\Dpodgocb.exe | cmd: C:\Windows\system32\Dpodgocb.exe | PID 2256 | Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Drops file in System32 directory
66 | C:\Windows\SysWOW64\Dcmpcjcf.exe | cmd: C:\Windows\system32\Dcmpcjcf.exe | PID 1928
67 | C:\Windows\SysWOW64\Dgildi32.exe | cmd: C:\Windows\system32\Dgildi32.exe | PID 1948 | System Location Discovery: System Language Discovery
68 | C:\Windows\SysWOW64\Dflmpebj.exe | cmd: C:\Windows\system32\Dflmpebj.exe | PID 2848
69 | C:\Windows\SysWOW64\Djghpd32.exe | cmd: C:\Windows\system32\Djghpd32.exe | PID 2876
70 | C:\Windows\SysWOW64\Dncdqcbl.exe | cmd: C:\Windows\system32\Dncdqcbl.exe | PID 2244
71 | C:\Windows\SysWOW64\Dpaqmnap.exe | cmd: C:\Windows\system32\Dpaqmnap.exe | PID 2956
72 | C:\Windows\SysWOW64\Dodahk32.exe | cmd: C:\Windows\system32\Dodahk32.exe | PID 444
73 | C:\Windows\SysWOW64\Dfniee32.exe | cmd: C:\Windows\system32\Dfniee32.exe | PID 436
74 | C:\Windows\SysWOW64\Djjeedhp.exe | cmd: C:\Windows\system32\Djjeedhp.exe | PID 2008 | Modifies registry class
75 | C:\Windows\SysWOW64\Dhleaq32.exe | cmd: C:\Windows\system32\Dhleaq32.exe | PID 2408 | Drops file in System32 directory
76 | C:\Windows\SysWOW64\Dpcnbn32.exe | cmd: C:\Windows\system32\Dpcnbn32.exe | PID 1420
77 | C:\Windows\SysWOW64\Dbejjfek.exe | cmd: C:\Windows\system32\Dbejjfek.exe | PID 2164
78 | C:\Windows\SysWOW64\Djlbkcfn.exe | cmd: C:\Windows\system32\Djlbkcfn.exe | PID 2412
79 | C:\Windows\SysWOW64\Dljngoea.exe | cmd: C:\Windows\system32\Dljngoea.exe | PID 1060
80 | C:\Windows\SysWOW64\Dkmncl32.exe | cmd: C:\Windows\system32\Dkmncl32.exe | PID 980
81 | C:\Windows\SysWOW64\Doijcjde.exe | cmd: C:\Windows\system32\Doijcjde.exe | PID 1468 | Modifies registry class
82 | C:\Windows\SysWOW64\Dcdfdi32.exe | cmd: C:\Windows\system32\Dcdfdi32.exe | PID 1768
83 | C:\Windows\SysWOW64\Dbggpfci.exe | cmd: C:\Windows\system32\Dbggpfci.exe | PID 1044
84 | C:\Windows\SysWOW64\Dfbbpd32.exe | cmd: C:\Windows\system32\Dfbbpd32.exe | PID 1724 | Modifies registry class
85 | C:\Windows\SysWOW64\Edeclabl.exe | cmd: C:\Windows\system32\Edeclabl.exe | PID 2960 | Drops file in System32 directory
86 | C:\Windows\SysWOW64\Elmkmo32.exe | cmd: C:\Windows\system32\Elmkmo32.exe | PID 2720
87 | C:\Windows\SysWOW64\Ekpkhkji.exe | cmd: C:\Windows\system32\Ekpkhkji.exe | PID 2772
88 | C:\Windows\SysWOW64\Eokgij32.exe | cmd: C:\Windows\system32\Eokgij32.exe | PID 3056
89 | C:\Windows\SysWOW64\Enngdgim.exe | cmd: C:\Windows\system32\Enngdgim.exe | PID 1416
90 | C:\Windows\SysWOW64\Efeoedjo.exe | cmd: C:\Windows\system32\Efeoedjo.exe | PID 1604 | System Location Discovery: System Language Discovery
91 | C:\Windows\SysWOW64\Ehclbpic.exe | cmd: C:\Windows\system32\Ehclbpic.exe | PID 984
92 | C:\Windows\SysWOW64\Egflml32.exe | cmd: C:\Windows\system32\Egflml32.exe | PID 2844 | Modifies registry class
93 | C:\Windows\SysWOW64\Ekbhnkhf.exe | cmd: C:\Windows\system32\Ekbhnkhf.exe | PID 1384
94 | C:\Windows\SysWOW64\Enpdjfgj.exe | cmd: C:\Windows\system32\Enpdjfgj.exe | PID 1640
95 | C:\Windows\SysWOW64\Eblpke32.exe | cmd: C:\Windows\system32\Eblpke32.exe | PID 2592
96 | C:\Windows\SysWOW64\Eqopfbfn.exe | cmd: C:\Windows\system32\Eqopfbfn.exe | PID 2440
97 | C:\Windows\SysWOW64\Ehfhgogp.exe | cmd: C:\Windows\system32\Ehfhgogp.exe | PID 3000
98 | C:\Windows\SysWOW64\Egihcl32.exe | cmd: C:\Windows\system32\Egihcl32.exe | PID 1080
99 | C:\Windows\SysWOW64\Ekddck32.exe | cmd: C:\Windows\system32\Ekddck32.exe | PID 2500 | Drops file in System32 directory
100 | C:\Windows\SysWOW64\Ejgeogmn.exe | cmd: C:\Windows\system32\Ejgeogmn.exe | PID 2260
101 | C:\Windows\SysWOW64\Enbapf32.exe | cmd: C:\Windows\system32\Enbapf32.exe | PID 2724
102 | C:\Windows\SysWOW64\Eqamla32.exe | cmd: C:\Windows\system32\Eqamla32.exe | PID 2300
103 | C:\Windows\SysWOW64\Ecoihm32.exe | cmd: C:\Windows\system32\Ecoihm32.exe | PID 536 | System Location Discovery: System Language Discovery
104 | C:\Windows\SysWOW64\Ejiadgkl.exe | cmd: C:\Windows\system32\Ejiadgkl.exe | PID 1792
105 | C:\Windows\SysWOW64\Eqcjaa32.exe | cmd: C:\Windows\system32\Eqcjaa32.exe | PID 344 | Modifies registry class
106 | C:\Windows\SysWOW64\Edofbpja.exe | cmd: C:\Windows\system32\Edofbpja.exe | PID 2324
107 | C:\Windows\SysWOW64\Ecbfmm32.exe | cmd: C:\Windows\system32\Ecbfmm32.exe | PID 2696 | System Location Discovery: System Language Discovery
108 | C:\Windows\SysWOW64\Efpbih32.exe | cmd: C:\Windows\system32\Efpbih32.exe | PID 3028
109 | C:\Windows\SysWOW64\Ejlnjg32.exe | cmd: C:\Windows\system32\Ejlnjg32.exe | PID 1912
110 | C:\Windows\SysWOW64\Emjjfb32.exe | cmd: C:\Windows\system32\Emjjfb32.exe | PID 1892
111 | C:\Windows\SysWOW64\Fqffgapf.exe | cmd: C:\Windows\system32\Fqffgapf.exe | PID 2740
112 | C:\Windows\SysWOW64\Fcdbcloi.exe | cmd: C:\Windows\system32\Fcdbcloi.exe | PID 3052
113 | C:\Windows\SysWOW64\Fgpock32.exe | cmd: C:\Windows\system32\Fgpock32.exe | PID 568
114 | C:\Windows\SysWOW64\Fjnkpf32.exe | cmd: C:\Windows\system32\Fjnkpf32.exe | PID 1424
115 | C:\Windows\SysWOW64\Fiakkcma.exe | cmd: C:\Windows\system32\Fiakkcma.exe | PID 2220
116 | C:\Windows\SysWOW64\Fmlglb32.exe | cmd: C:\Windows\system32\Fmlglb32.exe | PID 1692
117 | C:\Windows\SysWOW64\Fpkchm32.exe | cmd: C:\Windows\system32\Fpkchm32.exe | PID 2708
118 | C:\Windows\SysWOW64\Fcfohlmg.exe | cmd: C:\Windows\system32\Fcfohlmg.exe | PID 2668
119 | C:\Windows\SysWOW64\Fjqhef32.exe | cmd: C:\Windows\system32\Fjqhef32.exe | PID 2492
120 | C:\Windows\SysWOW64\Fichqckn.exe | cmd: C:\Windows\system32\Fichqckn.exe | PID 1780 | Modifies registry class
121 | C:\Windows\SysWOW64\Fmodaadg.exe | cmd: C:\Windows\system32\Fmodaadg.exe | PID 1452 | System Location Discovery: System Language Discovery
122 | C:\Windows\SysWOW64\Fladmn32.exe | cmd: C:\Windows\system32\Fladmn32.exe | PID 2188