Analysis
-
max time kernel
99s -
max time network
19s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system -
submitted
22-11-2024 04:12
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
cbae59e9fd0727b30ed0e04fd66a9a3645f8a1e6ca6179d2a3e6e37a4249ac26.exe
Resource
win7-20241010-en
windows7-x64
8 signatures
150 seconds
Behavioral task
behavioral2
Sample
cbae59e9fd0727b30ed0e04fd66a9a3645f8a1e6ca6179d2a3e6e37a4249ac26.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
7 signatures
150 seconds
General
-
Target
cbae59e9fd0727b30ed0e04fd66a9a3645f8a1e6ca6179d2a3e6e37a4249ac26.exe
-
Size
320KB
-
MD5
0a850d973dd00ddc73ca8e700b5aca92
-
SHA1
313a015d50703fc10cbd5af79da125dab14b48ee
-
SHA256
cbae59e9fd0727b30ed0e04fd66a9a3645f8a1e6ca6179d2a3e6e37a4249ac26
-
SHA512
e19ba5f9a6791c0398eedb7203982b55943d46c31d10d192c8ec9ac925bdbc59ac491ebcd63a668b4aaf3c5cc57a3cd9b0c768f1e237cc6c1b11b4928a1ef241
-
SSDEEP
3072:eGyqnwkEt3ty8/41QUUZm8/41QrAoUZ4pWLB51jozFWLBggS2LHqN:Qk+3HZgZ0Wd/OWdPS2L8
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nfcoel32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fjkgampo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jaejfj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lofono32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cqlhlo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Haggkf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iionacad.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ppcoqbao.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aieihpgi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Agmbolin.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ebgifo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gomjckqc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ajnnipnc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ccehgb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Abjnei32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bghcjk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kjalch32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bojogp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kmbeecaq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ihhlbegd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gmqlgppo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lnhffm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ngecbndm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pjgjmipf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aifpcfjd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aieihpgi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jcodcp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oakdkn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cnbgfh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qjnoacdc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nonqca32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Polbemck.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mpnhhh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Haldgbkc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Abejlj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nabegpbp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Paelcn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cfbifgln.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gljdlq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ikkoagjo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ageedflj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hnegod32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ihnhfmjc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aaiodh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Plbdfc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mlhbgc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Abkncmhh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mglpjc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dfhjmpam.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qpjecn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dffopi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lhkiae32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Caomgjnk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gcbchhmc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aejncedk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Liddljan.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hemggm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ngkepl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fjnkac32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pnphlc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jjnqhh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mamjchoa.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ppcoqbao.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bodhlane.exe -
Executes dropped EXE 64 IoCs
pid Process 1516 Mglpjc32.exe 2840 Mogene32.exe 2992 Mgjpcf32.exe 3032 Nmkbfmpf.exe 2728 Nplkhh32.exe 2592 Obdjjb32.exe 1676 Obffpa32.exe 2108 Pikaqppk.exe 1020 Pfobjdoe.exe 2180 Aapikqel.exe 1400 Agakog32.exe 2896 Bcjhig32.exe 1272 Bcmeogam.exe 2236 Bnkpjd32.exe 2428 Cqlhlo32.exe 2168 Cbdkdffm.exe 1712 Dkaihkih.exe 1052 Dndoof32.exe 2284 Dnfkefad.exe 1396 Eibikc32.exe 568 Fofhdidp.exe 472 Fillabde.exe 2680 Flmecm32.exe 2324 Faljqcmk.exe 1132 Gmegkd32.exe 1576 Gljdlq32.exe 2944 Gomjckqc.exe 2984 Hancef32.exe 2936 Hgmhcm32.exe 2708 Hkkaik32.exe 2784 Hchbcmlh.exe 1660 Ikfdmogp.exe 2808 Iilalc32.exe 1580 Iionacad.exe 3048 Jeenfd32.exe 2172 Jehklc32.exe 2700 Jgidnobg.exe 2004 Jcodcp32.exe 1812 Jpfehq32.exe 2204 Knkbimbg.exe 2488 Kpkocpjj.exe 2452 Khfcgbge.exe 2492 Khhpmbeb.exe 1552 Ldangbhd.exe 340 Lpkkbcle.exe 1000 Lpodmb32.exe 1944 Laqadknn.exe 2688 Lhkiae32.exe 2460 Mcpmonea.exe 1940 Mlhbgc32.exe 236 Mhaobd32.exe 2448 Mqoqlfkl.exe 2836 Nodnmb32.exe 2748 Nbegonmd.exe 2532 Nfcoel32.exe 2780 Nnndin32.exe 1584 Nonqca32.exe 3020 Oqomkimg.exe 1984 Oqajqi32.exe 2248 Okgnna32.exe 1804 Ocbbbd32.exe 1160 Onggom32.exe 1776 Oiahpkdj.exe 2584 Pjqdjn32.exe -
Loads dropped DLL 64 IoCs
pid Process 840 cbae59e9fd0727b30ed0e04fd66a9a3645f8a1e6ca6179d2a3e6e37a4249ac26.exe 840 cbae59e9fd0727b30ed0e04fd66a9a3645f8a1e6ca6179d2a3e6e37a4249ac26.exe 1516 Mglpjc32.exe 1516 Mglpjc32.exe 2840 Mogene32.exe 2840 Mogene32.exe 2992 Mgjpcf32.exe 2992 Mgjpcf32.exe 3032 Nmkbfmpf.exe 3032 Nmkbfmpf.exe 2728 Nplkhh32.exe 2728 Nplkhh32.exe 2592 Obdjjb32.exe 2592 Obdjjb32.exe 1676 Obffpa32.exe 1676 Obffpa32.exe 2108 Pikaqppk.exe 2108 Pikaqppk.exe 1020 Pfobjdoe.exe 1020 Pfobjdoe.exe 2180 Aapikqel.exe 2180 Aapikqel.exe 1400 Agakog32.exe 1400 Agakog32.exe 2896 Bcjhig32.exe 2896 Bcjhig32.exe 1272 Bcmeogam.exe 1272 Bcmeogam.exe 2236 Bnkpjd32.exe 2236 Bnkpjd32.exe 2428 Cqlhlo32.exe 2428 Cqlhlo32.exe 2168 Cbdkdffm.exe 2168 Cbdkdffm.exe 1712 Dkaihkih.exe 1712 Dkaihkih.exe 1052 Dndoof32.exe 1052 Dndoof32.exe 2284 Dnfkefad.exe 2284 Dnfkefad.exe 1396 Eibikc32.exe 1396 Eibikc32.exe 568 Fofhdidp.exe 568 Fofhdidp.exe 472 Fillabde.exe 472 Fillabde.exe 2680 Flmecm32.exe 2680 Flmecm32.exe 2324 Faljqcmk.exe 2324 Faljqcmk.exe 1132 Gmegkd32.exe 1132 Gmegkd32.exe 1576 Gljdlq32.exe 1576 Gljdlq32.exe 2944 Gomjckqc.exe 2944 Gomjckqc.exe 2984 Hancef32.exe 2984 Hancef32.exe 2936 Hgmhcm32.exe 2936 Hgmhcm32.exe 2708 Hkkaik32.exe 2708 Hkkaik32.exe 2784 Hchbcmlh.exe 2784 Hchbcmlh.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Bmccoajo.dll Kknfme32.exe File created C:\Windows\SysWOW64\Bcjhig32.exe Agakog32.exe File created C:\Windows\SysWOW64\Bonenbgj.exe Bhdmahpn.exe File created C:\Windows\SysWOW64\Llojpghe.exe Linanl32.exe File opened for modification C:\Windows\SysWOW64\Aocgnh32.exe Ajfoea32.exe File created C:\Windows\SysWOW64\Bjqjoolp.exe Bgbncdmm.exe File created C:\Windows\SysWOW64\Dcjmcpqj.dll Dhapfd32.exe File opened for modification C:\Windows\SysWOW64\Lnlohdhc.exe Ldcjooac.exe File created C:\Windows\SysWOW64\Pdhhepmo.exe Phbhpo32.exe File created C:\Windows\SysWOW64\Cgcmiclk.exe Bjomoo32.exe File created C:\Windows\SysWOW64\Emjnikpc.exe Ddoiei32.exe File opened for modification C:\Windows\SysWOW64\Nhbnjpic.exe Nknmplji.exe File created C:\Windows\SysWOW64\Oncpmf32.exe Odkkdqmd.exe File created C:\Windows\SysWOW64\Chfadndo.exe Cffejk32.exe File opened for modification C:\Windows\SysWOW64\Dlomnp32.exe Dlmqip32.exe File opened for modification C:\Windows\SysWOW64\Bklpglom.exe Apflic32.exe File opened for modification C:\Windows\SysWOW64\Ondcacad.exe Oeloin32.exe File created C:\Windows\SysWOW64\Godaagfg.dll Lghigl32.exe File created C:\Windows\SysWOW64\Gokpgd32.exe Gbdobc32.exe File created C:\Windows\SysWOW64\Ncnkblgl.dll Nijdcdgn.exe File created C:\Windows\SysWOW64\Mejjeh32.dll Ecibjn32.exe File created C:\Windows\SysWOW64\Njilpjke.dll Kpliac32.exe File created C:\Windows\SysWOW64\Eioicpja.dll Kenaoojo.exe File created C:\Windows\SysWOW64\Bcodol32.exe Bghcjk32.exe File created C:\Windows\SysWOW64\Almmlg32.exe Abehcbci.exe File created C:\Windows\SysWOW64\Aocgnh32.exe Ajfoea32.exe File created C:\Windows\SysWOW64\Bpepbkhk.exe Bjfkde32.exe File created C:\Windows\SysWOW64\Kjqgbf32.dll Bpepbkhk.exe File created C:\Windows\SysWOW64\Bclnfm32.exe Bhfjid32.exe File created C:\Windows\SysWOW64\Gqllie32.dll Nbdpfc32.exe File created C:\Windows\SysWOW64\Mlhbgc32.exe Mcpmonea.exe File created C:\Windows\SysWOW64\Jppngale.dll Ecfcle32.exe File created C:\Windows\SysWOW64\Lkiibmmc.dll Ihjfolmn.exe File opened for modification C:\Windows\SysWOW64\Mdpqec32.exe Mmdlqa32.exe File created C:\Windows\SysWOW64\Eghifl32.dll Pikaqppk.exe File created C:\Windows\SysWOW64\Bmigep32.dll Knkkngol.exe File opened for modification C:\Windows\SysWOW64\Ockhpgbf.exe Npjonlee.exe File created C:\Windows\SysWOW64\Hnedfljc.exe Haadlh32.exe File created C:\Windows\SysWOW64\Jmongbai.dll Gmnkqcem.exe File created C:\Windows\SysWOW64\Kenaoojo.exe Kodhbe32.exe File created C:\Windows\SysWOW64\Lhmijn32.exe Lodeahen.exe File opened for modification C:\Windows\SysWOW64\Iifphj32.exe Ikbpof32.exe File created C:\Windows\SysWOW64\Jbkoam32.dll Ncjijhch.exe File opened for modification C:\Windows\SysWOW64\Hgbdge32.exe Hincna32.exe File created C:\Windows\SysWOW64\Cocnanmd.exe Caomgjnk.exe File created C:\Windows\SysWOW64\Pmeemp32.exe Pnphlc32.exe File created C:\Windows\SysWOW64\Nbnpaflj.dll Gcnleahm.exe File opened for modification C:\Windows\SysWOW64\Komhfcgj.exe Kbfgab32.exe File created C:\Windows\SysWOW64\Cabnokkq.exe Ckeffdmi.exe File created C:\Windows\SysWOW64\Kiepca32.exe Kdhgkk32.exe File created C:\Windows\SysWOW64\Dlokegib.exe Dkookd32.exe File opened for modification C:\Windows\SysWOW64\Gljfeimi.exe Gdobqgpn.exe File opened for modification C:\Windows\SysWOW64\Nlnlcg32.exe Nhpcmi32.exe File created C:\Windows\SysWOW64\Bbeflgfa.dll Gnfajgbg.exe File created C:\Windows\SysWOW64\Nejjfh32.exe Megmpi32.exe File opened for modification C:\Windows\SysWOW64\Hnanceem.exe Hehikpol.exe File created C:\Windows\SysWOW64\Komhfcgj.exe Kbfgab32.exe File opened for modification C:\Windows\SysWOW64\Pbhepfbq.exe Pmlmhodi.exe File created C:\Windows\SysWOW64\Imqkdcib.dll Kpndlobg.exe File opened for modification C:\Windows\SysWOW64\Gbdobc32.exe Gljfeimi.exe File created C:\Windows\SysWOW64\Nabegpbp.exe Napibq32.exe File created C:\Windows\SysWOW64\Imekobfb.dll Fcipaien.exe File opened for modification C:\Windows\SysWOW64\Cabnokkq.exe Ckeffdmi.exe File created C:\Windows\SysWOW64\Aaiamamk.exe Qpjecn32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 2088 4448 WerFault.exe 924 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jfdjbcim.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jbpcgo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gjgpqjqa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Alifee32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lgadba32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cnlcoage.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ldpfoipj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oakdkn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mdmmemih.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nomdfjpo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Memonbnl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mmaghc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fcodhl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oqomkimg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aifpcfjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jhgonj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jookedhp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Angklf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aijgemok.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Facmhk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kmfbckfa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dkaihkih.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kmbeecaq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ockhpgbf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Feiamj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Appikd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Afkcqg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qhnlmjie.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Obdjjb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cdbqflae.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bfdlehlc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kbefen32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nmdfglhm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pcljjd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lbieejff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oiboedpn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lpodmb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nnkqih32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fbeeliin.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oimaih32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pocmhnlk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hnnjco32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cabnokkq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Chmpicbd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Epgabhdg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dkookd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ecdkgg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Djhnmj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Anpgdp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eopehg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aocgnh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jebjijqa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nfpphp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Acabmpem.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gcnleahm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ajmihn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kiaiooja.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Egchocif.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Phiekdeo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ijkjde32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jkklpk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bfkbfg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hhipcbdi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Khbmqpii.exe -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cnaempnp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fillabde.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nekbjf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ecklgdag.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ngajeg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aaeeoihj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Minkceml.dll" Mcghcgfb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ojiphp32.dll" Ipcjlaqd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cchfek32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bekcef32.dll" Ppacfg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ikbpof32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Knijji32.dll" Mcpmonea.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipkgikkp.dll" Ggqamh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdcide32.dll" Nkkjpf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fbeeliin.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bodhlane.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Oijbkpqm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Idkbll32.dll" Ldcjooac.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Injhic32.dll" Ondcacad.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Emmnch32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fjaocifl.dll" Dnonjqdq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnndco32.dll" Ccmcfc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Komhohde.dll" Hincna32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Daqoafkh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lnpejklj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nnkanl32.dll" Plnkkccp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Efnlko32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oeiicejf.dll" Gggkqq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dffopi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bchmolkm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qqiqam32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hehikpol.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bmebod32.dll" Klipfpeh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohefjnqk.dll" Aeajcf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Onejljep.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ajfoea32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lpodmb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mlidplcf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fjkgampo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mbcofobg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekmeec32.dll" Ocmbmnio.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nlpllqnn.dll" Hhfqejoh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fihojl32.dll" Cgfdmf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kpliac32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjbhaf32.dll" Alifee32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hmcgdlhl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cbdkdffm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Plfjme32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hemggm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cokaco32.dll" Cipaqqli.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Djnfdgld.dll" Fhhiqm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aaiodh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebjpqc32.dll" Eebpil32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gihdblpi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lpkkbcle.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ilolol32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ofaaghom.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jkpkepnn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fbhkdgbk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mjgihdib.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Onejljep.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Genifa32.dll" Cnedilio.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Indkgm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pjiffd32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 840 wrote to memory of 1516 840 cbae59e9fd0727b30ed0e04fd66a9a3645f8a1e6ca6179d2a3e6e37a4249ac26.exe 29 PID 840 wrote to memory of 1516 840 cbae59e9fd0727b30ed0e04fd66a9a3645f8a1e6ca6179d2a3e6e37a4249ac26.exe 29 PID 840 wrote to memory of 1516 840 cbae59e9fd0727b30ed0e04fd66a9a3645f8a1e6ca6179d2a3e6e37a4249ac26.exe 29 PID 840 wrote to memory of 1516 840 cbae59e9fd0727b30ed0e04fd66a9a3645f8a1e6ca6179d2a3e6e37a4249ac26.exe 29 PID 1516 wrote to memory of 2840 1516 Mglpjc32.exe 30 PID 1516 wrote to memory of 2840 1516 Mglpjc32.exe 30 PID 1516 wrote to memory of 2840 1516 Mglpjc32.exe 30 PID 1516 wrote to memory of 2840 1516 Mglpjc32.exe 30 PID 2840 wrote to memory of 2992 2840 Mogene32.exe 31 PID 2840 wrote to memory of 2992 2840 Mogene32.exe 31 PID 2840 wrote to memory of 2992 2840 Mogene32.exe 31 PID 2840 wrote to memory of 2992 2840 Mogene32.exe 31 PID 2992 wrote to memory of 3032 2992 Mgjpcf32.exe 32 PID 2992 wrote to memory of 3032 2992 Mgjpcf32.exe 32 PID 2992 wrote to memory of 3032 2992 Mgjpcf32.exe 32 PID 2992 wrote to memory of 3032 2992 Mgjpcf32.exe 32 PID 3032 wrote to memory of 2728 3032 Nmkbfmpf.exe 33 PID 3032 wrote to memory of 2728 3032 Nmkbfmpf.exe 33 PID 3032 wrote to memory of 2728 3032 Nmkbfmpf.exe 33 PID 3032 wrote to memory of 2728 3032 Nmkbfmpf.exe 33 PID 2728 wrote to memory of 2592 2728 Nplkhh32.exe 34 PID 2728 wrote to memory of 2592 2728 Nplkhh32.exe 34 PID 2728 wrote to memory of 2592 2728 Nplkhh32.exe 34 PID 2728 wrote to memory of 2592 2728 Nplkhh32.exe 34 PID 2592 wrote to memory of 1676 2592 Obdjjb32.exe 35 PID 2592 wrote to memory of 1676 2592 Obdjjb32.exe 35 PID 2592 wrote to memory of 1676 2592 Obdjjb32.exe 35 PID 2592 wrote to memory of 1676 2592 Obdjjb32.exe 35 PID 1676 wrote to memory of 2108 1676 Obffpa32.exe 36 PID 1676 wrote to memory of 2108 1676 Obffpa32.exe 36 PID 1676 wrote to memory of 2108 1676 Obffpa32.exe 36 PID 1676 wrote to memory of 2108 1676 Obffpa32.exe 36 PID 2108 wrote to memory of 1020 2108 Pikaqppk.exe 37 PID 2108 wrote to memory of 1020 2108 Pikaqppk.exe 37 PID 2108 wrote to memory of 1020 2108 Pikaqppk.exe 37 PID 2108 wrote to memory of 1020 2108 Pikaqppk.exe 37 PID 1020 wrote to memory of 2180 1020 Pfobjdoe.exe 38 PID 1020 wrote to memory of 2180 1020 Pfobjdoe.exe 38 PID 1020 wrote to memory of 2180 1020 Pfobjdoe.exe 38 PID 1020 wrote to memory of 2180 1020 Pfobjdoe.exe 38 PID 2180 wrote to memory of 1400 2180 Aapikqel.exe 39 PID 2180 wrote to memory of 1400 2180 Aapikqel.exe 39 PID 2180 wrote to memory of 1400 2180 Aapikqel.exe 39 PID 2180 wrote to memory of 1400 2180 Aapikqel.exe 39 PID 1400 wrote to memory of 2896 1400 Agakog32.exe 40 PID 1400 wrote to memory of 2896 1400 Agakog32.exe 40 PID 1400 wrote to memory of 2896 1400 Agakog32.exe 40 PID 1400 wrote to memory of 2896 1400 Agakog32.exe 40 PID 2896 wrote to memory of 1272 2896 Bcjhig32.exe 41 PID 2896 wrote to memory of 1272 2896 Bcjhig32.exe 41 PID 2896 wrote to memory of 1272 2896 Bcjhig32.exe 41 PID 2896 wrote to memory of 1272 2896 Bcjhig32.exe 41 PID 1272 wrote to memory of 2236 1272 Bcmeogam.exe 42 PID 1272 wrote to memory of 2236 1272 Bcmeogam.exe 42 PID 1272 wrote to memory of 2236 1272 Bcmeogam.exe 42 PID 1272 wrote to memory of 2236 1272 Bcmeogam.exe 42 PID 2236 wrote to memory of 2428 2236 Bnkpjd32.exe 43 PID 2236 wrote to memory of 2428 2236 Bnkpjd32.exe 43 PID 2236 wrote to memory of 2428 2236 Bnkpjd32.exe 43 PID 2236 wrote to memory of 2428 2236 Bnkpjd32.exe 43 PID 2428 wrote to memory of 2168 2428 Cqlhlo32.exe 44 PID 2428 wrote to memory of 2168 2428 Cqlhlo32.exe 44 PID 2428 wrote to memory of 2168 2428 Cqlhlo32.exe 44 PID 2428 wrote to memory of 2168 2428 Cqlhlo32.exe 44
Processes
-
C:\Users\Admin\AppData\Local\Temp\cbae59e9fd0727b30ed0e04fd66a9a3645f8a1e6ca6179d2a3e6e37a4249ac26.exe"C:\Users\Admin\AppData\Local\Temp\cbae59e9fd0727b30ed0e04fd66a9a3645f8a1e6ca6179d2a3e6e37a4249ac26.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:840 -
C:\Windows\SysWOW64\Mglpjc32.exeC:\Windows\system32\Mglpjc32.exe2⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1516 -
C:\Windows\SysWOW64\Mogene32.exeC:\Windows\system32\Mogene32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2840 -
C:\Windows\SysWOW64\Mgjpcf32.exeC:\Windows\system32\Mgjpcf32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2992 -
C:\Windows\SysWOW64\Nmkbfmpf.exeC:\Windows\system32\Nmkbfmpf.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3032 -
C:\Windows\SysWOW64\Nplkhh32.exeC:\Windows\system32\Nplkhh32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2728 -
C:\Windows\SysWOW64\Obdjjb32.exeC:\Windows\system32\Obdjjb32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2592 -
C:\Windows\SysWOW64\Obffpa32.exeC:\Windows\system32\Obffpa32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1676 -
C:\Windows\SysWOW64\Pikaqppk.exeC:\Windows\system32\Pikaqppk.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2108 -
C:\Windows\SysWOW64\Pfobjdoe.exeC:\Windows\system32\Pfobjdoe.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1020 -
C:\Windows\SysWOW64\Aapikqel.exeC:\Windows\system32\Aapikqel.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2180 -
C:\Windows\SysWOW64\Agakog32.exeC:\Windows\system32\Agakog32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1400 -
C:\Windows\SysWOW64\Bcjhig32.exeC:\Windows\system32\Bcjhig32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2896 -
C:\Windows\SysWOW64\Bcmeogam.exeC:\Windows\system32\Bcmeogam.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1272 -
C:\Windows\SysWOW64\Bnkpjd32.exeC:\Windows\system32\Bnkpjd32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2236 -
C:\Windows\SysWOW64\Cqlhlo32.exeC:\Windows\system32\Cqlhlo32.exe16⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2428 -
C:\Windows\SysWOW64\Cbdkdffm.exeC:\Windows\system32\Cbdkdffm.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2168 -
C:\Windows\SysWOW64\Dkaihkih.exeC:\Windows\system32\Dkaihkih.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1712 -
C:\Windows\SysWOW64\Dndoof32.exeC:\Windows\system32\Dndoof32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1052 -
C:\Windows\SysWOW64\Dnfkefad.exeC:\Windows\system32\Dnfkefad.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2284 -
C:\Windows\SysWOW64\Eibikc32.exeC:\Windows\system32\Eibikc32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1396 -
C:\Windows\SysWOW64\Fofhdidp.exeC:\Windows\system32\Fofhdidp.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:568 -
C:\Windows\SysWOW64\Fillabde.exeC:\Windows\system32\Fillabde.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:472 -
C:\Windows\SysWOW64\Flmecm32.exeC:\Windows\system32\Flmecm32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2680 -
C:\Windows\SysWOW64\Faljqcmk.exeC:\Windows\system32\Faljqcmk.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2324 -
C:\Windows\SysWOW64\Gmegkd32.exeC:\Windows\system32\Gmegkd32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1132 -
C:\Windows\SysWOW64\Gljdlq32.exeC:\Windows\system32\Gljdlq32.exe27⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1576 -
C:\Windows\SysWOW64\Gomjckqc.exeC:\Windows\system32\Gomjckqc.exe28⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2944 -
C:\Windows\SysWOW64\Hancef32.exeC:\Windows\system32\Hancef32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2984 -
C:\Windows\SysWOW64\Hgmhcm32.exeC:\Windows\system32\Hgmhcm32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2936 -
C:\Windows\SysWOW64\Hkkaik32.exeC:\Windows\system32\Hkkaik32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2708 -
C:\Windows\SysWOW64\Hchbcmlh.exeC:\Windows\system32\Hchbcmlh.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2784 -
C:\Windows\SysWOW64\Ikfdmogp.exeC:\Windows\system32\Ikfdmogp.exe33⤵
- Executes dropped EXE
PID:1660 -
C:\Windows\SysWOW64\Iilalc32.exeC:\Windows\system32\Iilalc32.exe34⤵
- Executes dropped EXE
PID:2808 -
C:\Windows\SysWOW64\Iionacad.exeC:\Windows\system32\Iionacad.exe35⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1580 -
C:\Windows\SysWOW64\Jeenfd32.exeC:\Windows\system32\Jeenfd32.exe36⤵
- Executes dropped EXE
PID:3048 -
C:\Windows\SysWOW64\Jehklc32.exeC:\Windows\system32\Jehklc32.exe37⤵
- Executes dropped EXE
PID:2172 -
C:\Windows\SysWOW64\Jgidnobg.exeC:\Windows\system32\Jgidnobg.exe38⤵
- Executes dropped EXE
PID:2700 -
C:\Windows\SysWOW64\Jcodcp32.exeC:\Windows\system32\Jcodcp32.exe39⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2004 -
C:\Windows\SysWOW64\Jpfehq32.exeC:\Windows\system32\Jpfehq32.exe40⤵
- Executes dropped EXE
PID:1812 -
C:\Windows\SysWOW64\Knkbimbg.exeC:\Windows\system32\Knkbimbg.exe41⤵
- Executes dropped EXE
PID:2204 -
C:\Windows\SysWOW64\Kpkocpjj.exeC:\Windows\system32\Kpkocpjj.exe42⤵
- Executes dropped EXE
PID:2488 -
C:\Windows\SysWOW64\Khfcgbge.exeC:\Windows\system32\Khfcgbge.exe43⤵
- Executes dropped EXE
PID:2452 -
C:\Windows\SysWOW64\Khhpmbeb.exeC:\Windows\system32\Khhpmbeb.exe44⤵
- Executes dropped EXE
PID:2492 -
C:\Windows\SysWOW64\Ldangbhd.exeC:\Windows\system32\Ldangbhd.exe45⤵
- Executes dropped EXE
PID:1552 -
C:\Windows\SysWOW64\Lpkkbcle.exeC:\Windows\system32\Lpkkbcle.exe46⤵
- Executes dropped EXE
- Modifies registry class
PID:340 -
C:\Windows\SysWOW64\Lpodmb32.exeC:\Windows\system32\Lpodmb32.exe47⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1000 -
C:\Windows\SysWOW64\Laqadknn.exeC:\Windows\system32\Laqadknn.exe48⤵
- Executes dropped EXE
PID:1944 -
C:\Windows\SysWOW64\Lhkiae32.exeC:\Windows\system32\Lhkiae32.exe49⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2688 -
C:\Windows\SysWOW64\Mcpmonea.exeC:\Windows\system32\Mcpmonea.exe50⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2460 -
C:\Windows\SysWOW64\Mlhbgc32.exeC:\Windows\system32\Mlhbgc32.exe51⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1940 -
C:\Windows\SysWOW64\Mhaobd32.exeC:\Windows\system32\Mhaobd32.exe52⤵
- Executes dropped EXE
PID:236 -
C:\Windows\SysWOW64\Mqoqlfkl.exeC:\Windows\system32\Mqoqlfkl.exe53⤵
- Executes dropped EXE
PID:2448 -
C:\Windows\SysWOW64\Nodnmb32.exeC:\Windows\system32\Nodnmb32.exe54⤵
- Executes dropped EXE
PID:2836 -
C:\Windows\SysWOW64\Nbegonmd.exeC:\Windows\system32\Nbegonmd.exe55⤵
- Executes dropped EXE
PID:2748 -
C:\Windows\SysWOW64\Nfcoel32.exeC:\Windows\system32\Nfcoel32.exe56⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2532 -
C:\Windows\SysWOW64\Nnndin32.exeC:\Windows\system32\Nnndin32.exe57⤵
- Executes dropped EXE
PID:2780 -
C:\Windows\SysWOW64\Nonqca32.exeC:\Windows\system32\Nonqca32.exe58⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1584 -
C:\Windows\SysWOW64\Oqomkimg.exeC:\Windows\system32\Oqomkimg.exe59⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3020 -
C:\Windows\SysWOW64\Oqajqi32.exeC:\Windows\system32\Oqajqi32.exe60⤵
- Executes dropped EXE
PID:1984 -
C:\Windows\SysWOW64\Okgnna32.exeC:\Windows\system32\Okgnna32.exe61⤵
- Executes dropped EXE
PID:2248 -
C:\Windows\SysWOW64\Ocbbbd32.exeC:\Windows\system32\Ocbbbd32.exe62⤵
- Executes dropped EXE
PID:1804 -
C:\Windows\SysWOW64\Onggom32.exeC:\Windows\system32\Onggom32.exe63⤵
- Executes dropped EXE
PID:1160 -
C:\Windows\SysWOW64\Oiahpkdj.exeC:\Windows\system32\Oiahpkdj.exe64⤵
- Executes dropped EXE
PID:1776 -
C:\Windows\SysWOW64\Pjqdjn32.exeC:\Windows\system32\Pjqdjn32.exe65⤵
- Executes dropped EXE
PID:2584 -
C:\Windows\SysWOW64\Pblinp32.exeC:\Windows\system32\Pblinp32.exe66⤵PID:1668
-
C:\Windows\SysWOW64\Pnbjca32.exeC:\Windows\system32\Pnbjca32.exe67⤵PID:1772
-
C:\Windows\SysWOW64\Plfjme32.exeC:\Windows\system32\Plfjme32.exe68⤵
- Modifies registry class
PID:2376 -
C:\Windows\SysWOW64\Pngcnpkg.exeC:\Windows\system32\Pngcnpkg.exe69⤵PID:2256
-
C:\Windows\SysWOW64\Phphgf32.exeC:\Windows\system32\Phphgf32.exe70⤵PID:2124
-
C:\Windows\SysWOW64\Qahlpkhh.exeC:\Windows\system32\Qahlpkhh.exe71⤵PID:2856
-
C:\Windows\SysWOW64\Qmomelml.exeC:\Windows\system32\Qmomelml.exe72⤵PID:2980
-
C:\Windows\SysWOW64\Qjcmoqlf.exeC:\Windows\system32\Qjcmoqlf.exe73⤵PID:2716
-
C:\Windows\SysWOW64\Afjncabj.exeC:\Windows\system32\Afjncabj.exe74⤵PID:1048
-
C:\Windows\SysWOW64\Aijgemok.exeC:\Windows\system32\Aijgemok.exe75⤵
- System Location Discovery: System Language Discovery
PID:2440 -
C:\Windows\SysWOW64\Aogpmcmb.exeC:\Windows\system32\Aogpmcmb.exe76⤵PID:2352
-
C:\Windows\SysWOW64\Ahpdficc.exeC:\Windows\system32\Ahpdficc.exe77⤵PID:1688
-
C:\Windows\SysWOW64\Abehcbci.exeC:\Windows\system32\Abehcbci.exe78⤵
- Drops file in System32 directory
PID:2300 -
C:\Windows\SysWOW64\Almmlg32.exeC:\Windows\system32\Almmlg32.exe79⤵PID:1312
-
C:\Windows\SysWOW64\Bhdmahpn.exeC:\Windows\system32\Bhdmahpn.exe80⤵
- Drops file in System32 directory
PID:1536 -
C:\Windows\SysWOW64\Bonenbgj.exeC:\Windows\system32\Bonenbgj.exe81⤵PID:1728
-
C:\Windows\SysWOW64\Bgijbede.exeC:\Windows\system32\Bgijbede.exe82⤵PID:2080
-
C:\Windows\SysWOW64\Bjjcdp32.exeC:\Windows\system32\Bjjcdp32.exe83⤵PID:2052
-
C:\Windows\SysWOW64\Bdpgai32.exeC:\Windows\system32\Bdpgai32.exe84⤵PID:1244
-
C:\Windows\SysWOW64\Blklfk32.exeC:\Windows\system32\Blklfk32.exe85⤵PID:1556
-
C:\Windows\SysWOW64\Bjomoo32.exeC:\Windows\system32\Bjomoo32.exe86⤵
- Drops file in System32 directory
PID:1816 -
C:\Windows\SysWOW64\Cgcmiclk.exeC:\Windows\system32\Cgcmiclk.exe87⤵PID:524
-
C:\Windows\SysWOW64\Clpeajjb.exeC:\Windows\system32\Clpeajjb.exe88⤵PID:1528
-
C:\Windows\SysWOW64\Cfhjjp32.exeC:\Windows\system32\Cfhjjp32.exe89⤵PID:964
-
C:\Windows\SysWOW64\Copobe32.exeC:\Windows\system32\Copobe32.exe90⤵PID:1464
-
C:\Windows\SysWOW64\Cbagdq32.exeC:\Windows\system32\Cbagdq32.exe91⤵PID:1620
-
C:\Windows\SysWOW64\Coehnecn.exeC:\Windows\system32\Coehnecn.exe92⤵PID:2816
-
C:\Windows\SysWOW64\Cdbqflae.exeC:\Windows\system32\Cdbqflae.exe93⤵
- System Location Discovery: System Language Discovery
PID:1044 -
C:\Windows\SysWOW64\Djoinbpm.exeC:\Windows\system32\Djoinbpm.exe94⤵PID:2660
-
C:\Windows\SysWOW64\Dddmkkpb.exeC:\Windows\system32\Dddmkkpb.exe95⤵PID:2828
-
C:\Windows\SysWOW64\Dmobpn32.exeC:\Windows\system32\Dmobpn32.exe96⤵PID:2608
-
C:\Windows\SysWOW64\Dnonjqdq.exeC:\Windows\system32\Dnonjqdq.exe97⤵
- Modifies registry class
PID:2472 -
C:\Windows\SysWOW64\Dclgbgbh.exeC:\Windows\system32\Dclgbgbh.exe98⤵PID:2224
-
C:\Windows\SysWOW64\Dcnchg32.exeC:\Windows\system32\Dcnchg32.exe99⤵PID:1136
-
C:\Windows\SysWOW64\Dkihli32.exeC:\Windows\system32\Dkihli32.exe100⤵PID:1296
-
C:\Windows\SysWOW64\Ebcqicem.exeC:\Windows\system32\Ebcqicem.exe101⤵PID:1532
-
C:\Windows\SysWOW64\Epgabhdg.exeC:\Windows\system32\Epgabhdg.exe102⤵
- System Location Discovery: System Language Discovery
PID:1616 -
C:\Windows\SysWOW64\Epinhg32.exeC:\Windows\system32\Epinhg32.exe103⤵PID:2260
-
C:\Windows\SysWOW64\Eibbqmhd.exeC:\Windows\system32\Eibbqmhd.exe104⤵PID:2480
-
C:\Windows\SysWOW64\Ejeknelp.exeC:\Windows\system32\Ejeknelp.exe105⤵PID:2652
-
C:\Windows\SysWOW64\Efllcf32.exeC:\Windows\system32\Efllcf32.exe106⤵PID:2128
-
C:\Windows\SysWOW64\Fdpmljan.exeC:\Windows\system32\Fdpmljan.exe107⤵PID:2436
-
C:\Windows\SysWOW64\Ghihfl32.exeC:\Windows\system32\Ghihfl32.exe108⤵PID:1372
-
C:\Windows\SysWOW64\Glgqlkdl.exeC:\Windows\system32\Glgqlkdl.exe109⤵PID:2064
-
C:\Windows\SysWOW64\Ggqamh32.exeC:\Windows\system32\Ggqamh32.exe110⤵
- Modifies registry class
PID:2388 -
C:\Windows\SysWOW64\Gkojcgga.exeC:\Windows\system32\Gkojcgga.exe111⤵PID:2296
-
C:\Windows\SysWOW64\Gcjogidl.exeC:\Windows\system32\Gcjogidl.exe112⤵PID:2844
-
C:\Windows\SysWOW64\Hekhid32.exeC:\Windows\system32\Hekhid32.exe113⤵PID:2876
-
C:\Windows\SysWOW64\Hocmbjhn.exeC:\Windows\system32\Hocmbjhn.exe114⤵PID:2848
-
C:\Windows\SysWOW64\Hjhaob32.exeC:\Windows\system32\Hjhaob32.exe115⤵PID:2104
-
C:\Windows\SysWOW64\Hjkneb32.exeC:\Windows\system32\Hjkneb32.exe116⤵PID:1100
-
C:\Windows\SysWOW64\Hccbnhla.exeC:\Windows\system32\Hccbnhla.exe117⤵PID:2800
-
C:\Windows\SysWOW64\Hojbbiae.exeC:\Windows\system32\Hojbbiae.exe118⤵PID:2016
-
C:\Windows\SysWOW64\Igeggkoq.exeC:\Windows\system32\Igeggkoq.exe119⤵PID:2244
-
C:\Windows\SysWOW64\Idihponj.exeC:\Windows\system32\Idihponj.exe120⤵PID:1968
-
C:\Windows\SysWOW64\Igjabj32.exeC:\Windows\system32\Igjabj32.exe121⤵PID:2012
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-