Analysis
-
max time kernel
122s -
max time network
123s -
platform
windows7_x64 -
resource
win7-20240704-en -
resource tags
arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system -
submitted
01-08-2024 21:03
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
216cd5fc8daca1a433a71f7e5060cd2eab5ac866b57a64afb59c336aa3945cce.exe
Resource
win7-20240704-en
windows7-x64
8 signatures
150 seconds
Behavioral task
behavioral2
Sample
216cd5fc8daca1a433a71f7e5060cd2eab5ac866b57a64afb59c336aa3945cce.exe
Resource
win10v2004-20240730-en
windows10-2004-x64
7 signatures
150 seconds
General
-
Target
216cd5fc8daca1a433a71f7e5060cd2eab5ac866b57a64afb59c336aa3945cce.exe
-
Size
107KB
-
MD5
150aceba85167a8d99eca07c7614c02c
-
SHA1
4208f7a8a49d93df91e98e1e8a8408cba1273e5f
-
SHA256
216cd5fc8daca1a433a71f7e5060cd2eab5ac866b57a64afb59c336aa3945cce
-
SHA512
bb28f3e47aebc7aaeb7305a0953757b6410a8d4edb501d84fb07e4d6aa8923177456b2f37b30d20360e2ec605a7a0b3a3b24762ea4143035f04a14be19bc9430
-
SSDEEP
3072:4MMUwasOl1MAo+Q+5t01aMU7uihJ5233y:4pUSOfM9QO1ni5i3y
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ohfcfb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Edibhmml.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ooabmbbe.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pebpkk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ijibng32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jmipdo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qododfek.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pepcelel.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ahpifj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gefmcp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gkpfmnlb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ohiffh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ijphofem.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Llgljn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bcpgdhpp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ihbcmaje.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pplaki32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cfehhn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Khnapkjg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pmpbdm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Clojhf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Goiongbc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hnhgha32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lqipkhbj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mbchni32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pilfpqaa.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ipeaco32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ifjlcmmj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jolghndm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Debadpeg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jjkkbjln.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jokqnhpa.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nijpdfhm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cfoaho32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kkjpggkn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ohfqmi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bbgqjdce.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eipgjaoi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mopbgn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Legaoehg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Adipfd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dmkcil32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jeqopcld.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lfbdci32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cmfmojcb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dnefhpma.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iknafhjb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Njhfcp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nmfbpk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ahebaiac.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gqlhkofn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Inojhc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qqfkln32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ljddjj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mmgfqh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ibfmmb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oagoep32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lkgngb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jpbcek32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jbclgf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Agdmdg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fgldnkkf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lfmbek32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Inhdgdmk.exe -
Executes dropped EXE 64 IoCs
pid Process 1996 Micklk32.exe 2348 Mpmcielb.exe 2744 Mfglep32.exe 3032 Mejlalji.exe 2760 Mfihkoal.exe 2736 Mbpipp32.exe 2644 Mgmahg32.exe 1988 Mjkndb32.exe 1476 Mnifja32.exe 2964 Nmlgfnal.exe 1352 Nnkcpq32.exe 1864 Nfghdcfj.exe 2212 Nmqpam32.exe 2404 Njdqka32.exe 2372 Nbpeoc32.exe 448 Nlhjhi32.exe 776 Neqnqofm.exe 1728 Oagoep32.exe 2472 Okpcoe32.exe 2452 Oajlkojn.exe 1404 Odhhgkib.exe 876 Oehdan32.exe 3064 Ohfqmi32.exe 2136 Okdmjdol.exe 1596 Ogknoe32.exe 2704 Pcbncfjd.exe 2884 Pilfpqaa.exe 2716 Pgpgjepk.exe 2712 Pnjofo32.exe 1976 Ppkhhjei.exe 2688 Pciddedl.exe 1808 Pegqpacp.exe 2840 Phfmllbd.exe 948 Pckajebj.exe 2240 Phhjblpa.exe 2444 Qododfek.exe 2112 Qqfkln32.exe 988 Anjlebjc.exe 1796 Abegfa32.exe 1156 Adcdbl32.exe 544 Amohfo32.exe 328 Adfqgl32.exe 1040 Agdmdg32.exe 584 Ajcipc32.exe 1912 Aopahjll.exe 1308 Aggiigmn.exe 1568 Aihfap32.exe 1812 Amcbankf.exe 2912 Aflfjc32.exe 2824 Akiobk32.exe 2956 Bcpgdhpp.exe 2764 Beackp32.exe 2632 Bofgii32.exe 1540 Becpap32.exe 2828 Bgblmk32.exe 2932 Bbgqjdce.exe 380 Bajqfq32.exe 3000 Bgdibkam.exe 1944 Bnnaoe32.exe 2140 Behilopf.exe 824 Bckjhl32.exe 916 Bkbaii32.exe 1684 Bmcnqama.exe 2044 Bejfao32.exe -
Loads dropped DLL 64 IoCs
pid Process 1344 216cd5fc8daca1a433a71f7e5060cd2eab5ac866b57a64afb59c336aa3945cce.exe 1344 216cd5fc8daca1a433a71f7e5060cd2eab5ac866b57a64afb59c336aa3945cce.exe 1996 Micklk32.exe 1996 Micklk32.exe 2348 Mpmcielb.exe 2348 Mpmcielb.exe 2744 Mfglep32.exe 2744 Mfglep32.exe 3032 Mejlalji.exe 3032 Mejlalji.exe 2760 Mfihkoal.exe 2760 Mfihkoal.exe 2736 Mbpipp32.exe 2736 Mbpipp32.exe 2644 Mgmahg32.exe 2644 Mgmahg32.exe 1988 Mjkndb32.exe 1988 Mjkndb32.exe 1476 Mnifja32.exe 1476 Mnifja32.exe 2964 Nmlgfnal.exe 2964 Nmlgfnal.exe 1352 Nnkcpq32.exe 1352 Nnkcpq32.exe 1864 Nfghdcfj.exe 1864 Nfghdcfj.exe 2212 Nmqpam32.exe 2212 Nmqpam32.exe 2404 Njdqka32.exe 2404 Njdqka32.exe 2372 Nbpeoc32.exe 2372 Nbpeoc32.exe 448 Nlhjhi32.exe 448 Nlhjhi32.exe 776 Neqnqofm.exe 776 Neqnqofm.exe 1728 Oagoep32.exe 1728 Oagoep32.exe 2472 Okpcoe32.exe 2472 Okpcoe32.exe 2452 Oajlkojn.exe 2452 Oajlkojn.exe 1404 Odhhgkib.exe 1404 Odhhgkib.exe 876 Oehdan32.exe 876 Oehdan32.exe 3064 Ohfqmi32.exe 3064 Ohfqmi32.exe 2136 Okdmjdol.exe 2136 Okdmjdol.exe 1596 Ogknoe32.exe 1596 Ogknoe32.exe 2704 Pcbncfjd.exe 2704 Pcbncfjd.exe 2884 Pilfpqaa.exe 2884 Pilfpqaa.exe 2716 Pgpgjepk.exe 2716 Pgpgjepk.exe 2712 Pnjofo32.exe 2712 Pnjofo32.exe 1976 Ppkhhjei.exe 1976 Ppkhhjei.exe 2688 Pciddedl.exe 2688 Pciddedl.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Hfdoodan.dll Jfofol32.exe File opened for modification C:\Windows\SysWOW64\Eibgpnjk.exe Dbiocd32.exe File created C:\Windows\SysWOW64\Ggagmjbq.exe Fepjea32.exe File opened for modification C:\Windows\SysWOW64\Homdhjai.exe Hiclkp32.exe File created C:\Windows\SysWOW64\Lcohahpn.exe Lpqlemaj.exe File created C:\Windows\SysWOW64\Nbhhdnlh.exe Nnmlcp32.exe File created C:\Windows\SysWOW64\Nnafnopi.exe Njfjnpgp.exe File opened for modification C:\Windows\SysWOW64\Pepcelel.exe Pbagipfi.exe File opened for modification C:\Windows\SysWOW64\Pghfnc32.exe Pdjjag32.exe File created C:\Windows\SysWOW64\Cbffoabe.exe Cjonncab.exe File opened for modification C:\Windows\SysWOW64\Eheglk32.exe Eibgpnjk.exe File created C:\Windows\SysWOW64\Mhfjjdjf.exe Mjcjog32.exe File created C:\Windows\SysWOW64\Micklk32.exe 216cd5fc8daca1a433a71f7e5060cd2eab5ac866b57a64afb59c336aa3945cce.exe File created C:\Windows\SysWOW64\Hifhgh32.dll Mpgobc32.exe File opened for modification C:\Windows\SysWOW64\Cepipm32.exe Cfmhdpnc.exe File created C:\Windows\SysWOW64\Ofaejacl.dll Cnmfdb32.exe File opened for modification C:\Windows\SysWOW64\Nijpdfhm.exe Nbpghl32.exe File opened for modification C:\Windows\SysWOW64\Flnlkgjq.exe Fhbpkh32.exe File opened for modification C:\Windows\SysWOW64\Fgfdie32.exe Fplllkdc.exe File created C:\Windows\SysWOW64\Khadpa32.exe Kechdf32.exe File created C:\Windows\SysWOW64\Ckmhkeef.dll Jcciqi32.exe File created C:\Windows\SysWOW64\Ogegmkqk.dll Loaokjjg.exe File created C:\Windows\SysWOW64\Fimoiopk.exe Fgocmc32.exe File opened for modification C:\Windows\SysWOW64\Odedge32.exe Oaghki32.exe File created C:\Windows\SysWOW64\Nqmnjd32.exe Nnnbni32.exe File created C:\Windows\SysWOW64\Bcbfbp32.exe Bkknac32.exe File created C:\Windows\SysWOW64\Cnlpnk32.dll Fepjea32.exe File created C:\Windows\SysWOW64\Nlfnje32.dll Gqodqodl.exe File created C:\Windows\SysWOW64\Elibpg32.exe Eikfdl32.exe File opened for modification C:\Windows\SysWOW64\Hcjilgdb.exe Hqkmplen.exe File created C:\Windows\SysWOW64\Injqmdki.exe Igqhpj32.exe File created C:\Windows\SysWOW64\Damocb32.dll Pckajebj.exe File created C:\Windows\SysWOW64\Bkbaii32.exe Bckjhl32.exe File opened for modification C:\Windows\SysWOW64\Fggkcl32.exe Fhdjgoha.exe File created C:\Windows\SysWOW64\Iqpflded.dll Ldpbpgoh.exe File created C:\Windows\SysWOW64\Glffke32.dll Ekdchf32.exe File created C:\Windows\SysWOW64\Lpeeijod.dll Bfabnl32.exe File created C:\Windows\SysWOW64\Eoebgcol.exe Elgfkhpi.exe File created C:\Windows\SysWOW64\Leoolamp.dll Nmqpam32.exe File created C:\Windows\SysWOW64\Jhpondph.dll Ccbphk32.exe File created C:\Windows\SysWOW64\Njfjnpgp.exe Nlcibc32.exe File created C:\Windows\SysWOW64\Ehlmljkm.exe Epeekmjk.exe File created C:\Windows\SysWOW64\Benmkbnn.dll Hieiqo32.exe File created C:\Windows\SysWOW64\Glnhjjml.exe Giolnomh.exe File opened for modification C:\Windows\SysWOW64\Llpfjomf.exe Libjncnc.exe File opened for modification C:\Windows\SysWOW64\Aakjdo32.exe Alnalh32.exe File created C:\Windows\SysWOW64\Qcamkjba.dll Bgllgedi.exe File opened for modification C:\Windows\SysWOW64\Dgnjqe32.exe Dcbnpgkh.exe File created C:\Windows\SysWOW64\Keppajog.dll Iclbpj32.exe File created C:\Windows\SysWOW64\Pilfpqaa.exe Pcbncfjd.exe File created C:\Windows\SysWOW64\Goknhdma.dll Cpkmcldj.exe File created C:\Windows\SysWOW64\Jmgghnmp.dll Opnbbe32.exe File opened for modification C:\Windows\SysWOW64\Agbbgqhh.exe Aaejojjq.exe File opened for modification C:\Windows\SysWOW64\Jliaac32.exe Jmfafgbd.exe File opened for modification C:\Windows\SysWOW64\Ggfpgi32.exe Gckdgjeb.exe File opened for modification C:\Windows\SysWOW64\Imaapa32.exe Ifgicg32.exe File created C:\Windows\SysWOW64\Ncfalqpm.exe Nqhepeai.exe File created C:\Windows\SysWOW64\Iinhdmma.exe Ifolhann.exe File created C:\Windows\SysWOW64\Danpemej.exe Djdgic32.exe File opened for modification C:\Windows\SysWOW64\Jbfilffm.exe Jcciqi32.exe File created C:\Windows\SysWOW64\Ipomlm32.exe Imaapa32.exe File created C:\Windows\SysWOW64\Aeqbijmn.dll Nbpghl32.exe File opened for modification C:\Windows\SysWOW64\Paocnkph.exe Popgboae.exe File created C:\Windows\SysWOW64\Bbjpil32.exe Bolcma32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 8456 8440 WerFault.exe 888 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Enlidg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gconbj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hmjoqo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gqdgom32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dkqnoh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jndjmifj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kadica32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Odhhgkib.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fjhcegll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hmalldcn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dlfgcl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pdbdqh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hfpfdeon.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iacjjacb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Elgfkhpi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hfhfhbce.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pckajebj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kdpfadlm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nenkqi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jfofol32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dcbnpgkh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ibfmmb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fcbecl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lcofio32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mgedmb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ifgicg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pmjaohol.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fdkklp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fmkilb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jliaac32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ebklic32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Alageg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kdeaelok.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ccbphk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dmijfmfi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ggagmjbq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bhkeohhn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ifolhann.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bajqfq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Onfoin32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ikfbbjdj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Efjmbaba.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hifbdnbi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aojabdlf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bdqlajbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mdogedmh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nijpdfhm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 216cd5fc8daca1a433a71f7e5060cd2eab5ac866b57a64afb59c336aa3945cce.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dgeaoinb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bbjpil32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bgibnj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mfokinhf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nfoghakb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oabkom32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fglfgd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Neqnqofm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lgingm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mfglep32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bbgqjdce.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kfibhjlj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Agglbp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mnifja32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Godaakic.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bofgii32.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pplaki32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjmicg32.dll" Ljldnhid.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Blbjlj32.dll" Jnofgg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aoagccfn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fnibcd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmkbjj32.dll" Hcojam32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lcdhgn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Edidqf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ncbdnb32.dll" Ikjhki32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Maljaabb.dll" Akiobk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Emdmjamj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gckdgjeb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ncfalqpm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pnjofo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Coamkc32.dll" Mcjhmcok.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hmjoqo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Adipfd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ojefcohi.dll" Dobgihgp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Iikifegp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kcacjhob.dll" Lpnmgdli.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dkqnoh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Oidiekdn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kmfpmc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kpgionie.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fplllkdc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mdmkoepk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Oajlkojn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ggkqmoma.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hjcppidk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hmalldcn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fplheofl.dll" Eihgfd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Goiongbc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Iladfn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fgjjad32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hclfag32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Daofpchf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Apedah32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dcllbhdn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dcbnpgkh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ggfpgi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ohbikbkb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Oehgjfhi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Plbkfdba.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nmlgfnal.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ldpbpgoh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ephbal32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gqlhkofn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gkcekfad.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ikqnlh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Llbconkd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hakapcjd.dll" Iakgefqe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Afbioogg.dll" Mfjann32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ohiffh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aficjnpm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Adcdbl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eggndi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eecafd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Iafnjg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fdpgph32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mejlalji.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jfofol32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Llgjaeoj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aemgfj32.dll" Aacmij32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ajhibfpo.dll" Lnjldf32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1344 wrote to memory of 1996 1344 216cd5fc8daca1a433a71f7e5060cd2eab5ac866b57a64afb59c336aa3945cce.exe 30 PID 1344 wrote to memory of 1996 1344 216cd5fc8daca1a433a71f7e5060cd2eab5ac866b57a64afb59c336aa3945cce.exe 30 PID 1344 wrote to memory of 1996 1344 216cd5fc8daca1a433a71f7e5060cd2eab5ac866b57a64afb59c336aa3945cce.exe 30 PID 1344 wrote to memory of 1996 1344 216cd5fc8daca1a433a71f7e5060cd2eab5ac866b57a64afb59c336aa3945cce.exe 30 PID 1996 wrote to memory of 2348 1996 Micklk32.exe 31 PID 1996 wrote to memory of 2348 1996 Micklk32.exe 31 PID 1996 wrote to memory of 2348 1996 Micklk32.exe 31 PID 1996 wrote to memory of 2348 1996 Micklk32.exe 31 PID 2348 wrote to memory of 2744 2348 Mpmcielb.exe 32 PID 2348 wrote to memory of 2744 2348 Mpmcielb.exe 32 PID 2348 wrote to memory of 2744 2348 Mpmcielb.exe 32 PID 2348 wrote to memory of 2744 2348 Mpmcielb.exe 32 PID 2744 wrote to memory of 3032 2744 Mfglep32.exe 33 PID 2744 wrote to memory of 3032 2744 Mfglep32.exe 33 PID 2744 wrote to memory of 3032 2744 Mfglep32.exe 33 PID 2744 wrote to memory of 3032 2744 Mfglep32.exe 33 PID 3032 wrote to memory of 2760 3032 Mejlalji.exe 34 PID 3032 wrote to memory of 2760 3032 Mejlalji.exe 34 PID 3032 wrote to memory of 2760 3032 Mejlalji.exe 34 PID 3032 wrote to memory of 2760 3032 Mejlalji.exe 34 PID 2760 wrote to memory of 2736 2760 Mfihkoal.exe 35 PID 2760 wrote to memory of 2736 2760 Mfihkoal.exe 35 PID 2760 wrote to memory of 2736 2760 Mfihkoal.exe 35 PID 2760 wrote to memory of 2736 2760 Mfihkoal.exe 35 PID 2736 wrote to memory of 2644 2736 Mbpipp32.exe 36 PID 2736 wrote to memory of 2644 2736 Mbpipp32.exe 36 PID 2736 wrote to memory of 2644 2736 Mbpipp32.exe 36 PID 2736 wrote to memory of 2644 2736 Mbpipp32.exe 36 PID 2644 wrote to memory of 1988 2644 Mgmahg32.exe 37 PID 2644 wrote to memory of 1988 2644 Mgmahg32.exe 37 PID 2644 wrote to memory of 1988 2644 Mgmahg32.exe 37 PID 2644 wrote to memory of 1988 2644 Mgmahg32.exe 37 PID 1988 wrote to memory of 1476 1988 Mjkndb32.exe 38 PID 1988 wrote to memory of 1476 1988 Mjkndb32.exe 38 PID 1988 wrote to memory of 1476 1988 Mjkndb32.exe 38 PID 1988 wrote to memory of 1476 1988 Mjkndb32.exe 38 PID 1476 wrote to memory of 2964 1476 Mnifja32.exe 39 PID 1476 wrote to memory of 2964 1476 Mnifja32.exe 39 PID 1476 wrote to memory of 2964 1476 Mnifja32.exe 39 PID 1476 wrote to memory of 2964 1476 Mnifja32.exe 39 PID 2964 wrote to memory of 1352 2964 Nmlgfnal.exe 40 PID 2964 wrote to memory of 1352 2964 Nmlgfnal.exe 40 PID 2964 wrote to memory of 1352 2964 Nmlgfnal.exe 40 PID 2964 wrote to memory of 1352 2964 Nmlgfnal.exe 40 PID 1352 wrote to memory of 1864 1352 Nnkcpq32.exe 41 PID 1352 wrote to memory of 1864 1352 Nnkcpq32.exe 41 PID 1352 wrote to memory of 1864 1352 Nnkcpq32.exe 41 PID 1352 wrote to memory of 1864 1352 Nnkcpq32.exe 41 PID 1864 wrote to memory of 2212 1864 Nfghdcfj.exe 42 PID 1864 wrote to memory of 2212 1864 Nfghdcfj.exe 42 PID 1864 wrote to memory of 2212 1864 Nfghdcfj.exe 42 PID 1864 wrote to memory of 2212 1864 Nfghdcfj.exe 42 PID 2212 wrote to memory of 2404 2212 Nmqpam32.exe 43 PID 2212 wrote to memory of 2404 2212 Nmqpam32.exe 43 PID 2212 wrote to memory of 2404 2212 Nmqpam32.exe 43 PID 2212 wrote to memory of 2404 2212 Nmqpam32.exe 43 PID 2404 wrote to memory of 2372 2404 Njdqka32.exe 44 PID 2404 wrote to memory of 2372 2404 Njdqka32.exe 44 PID 2404 wrote to memory of 2372 2404 Njdqka32.exe 44 PID 2404 wrote to memory of 2372 2404 Njdqka32.exe 44 PID 2372 wrote to memory of 448 2372 Nbpeoc32.exe 45 PID 2372 wrote to memory of 448 2372 Nbpeoc32.exe 45 PID 2372 wrote to memory of 448 2372 Nbpeoc32.exe 45 PID 2372 wrote to memory of 448 2372 Nbpeoc32.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\216cd5fc8daca1a433a71f7e5060cd2eab5ac866b57a64afb59c336aa3945cce.exe"C:\Users\Admin\AppData\Local\Temp\216cd5fc8daca1a433a71f7e5060cd2eab5ac866b57a64afb59c336aa3945cce.exe"1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1344 -
C:\Windows\SysWOW64\Micklk32.exeC:\Windows\system32\Micklk32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1996 -
C:\Windows\SysWOW64\Mpmcielb.exeC:\Windows\system32\Mpmcielb.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2348 -
C:\Windows\SysWOW64\Mfglep32.exeC:\Windows\system32\Mfglep32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2744 -
C:\Windows\SysWOW64\Mejlalji.exeC:\Windows\system32\Mejlalji.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3032 -
C:\Windows\SysWOW64\Mfihkoal.exeC:\Windows\system32\Mfihkoal.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2760 -
C:\Windows\SysWOW64\Mbpipp32.exeC:\Windows\system32\Mbpipp32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2736 -
C:\Windows\SysWOW64\Mgmahg32.exeC:\Windows\system32\Mgmahg32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2644 -
C:\Windows\SysWOW64\Mjkndb32.exeC:\Windows\system32\Mjkndb32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1988 -
C:\Windows\SysWOW64\Mnifja32.exeC:\Windows\system32\Mnifja32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1476 -
C:\Windows\SysWOW64\Nmlgfnal.exeC:\Windows\system32\Nmlgfnal.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2964 -
C:\Windows\SysWOW64\Nnkcpq32.exeC:\Windows\system32\Nnkcpq32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1352 -
C:\Windows\SysWOW64\Nfghdcfj.exeC:\Windows\system32\Nfghdcfj.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1864 -
C:\Windows\SysWOW64\Nmqpam32.exeC:\Windows\system32\Nmqpam32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2212 -
C:\Windows\SysWOW64\Njdqka32.exeC:\Windows\system32\Njdqka32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2404 -
C:\Windows\SysWOW64\Nbpeoc32.exeC:\Windows\system32\Nbpeoc32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2372 -
C:\Windows\SysWOW64\Nlhjhi32.exeC:\Windows\system32\Nlhjhi32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:448 -
C:\Windows\SysWOW64\Neqnqofm.exeC:\Windows\system32\Neqnqofm.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:776 -
C:\Windows\SysWOW64\Oagoep32.exeC:\Windows\system32\Oagoep32.exe19⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1728 -
C:\Windows\SysWOW64\Okpcoe32.exeC:\Windows\system32\Okpcoe32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2472 -
C:\Windows\SysWOW64\Oajlkojn.exeC:\Windows\system32\Oajlkojn.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2452 -
C:\Windows\SysWOW64\Odhhgkib.exeC:\Windows\system32\Odhhgkib.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1404 -
C:\Windows\SysWOW64\Oehdan32.exeC:\Windows\system32\Oehdan32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:876 -
C:\Windows\SysWOW64\Ohfqmi32.exeC:\Windows\system32\Ohfqmi32.exe24⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:3064 -
C:\Windows\SysWOW64\Okdmjdol.exeC:\Windows\system32\Okdmjdol.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2136 -
C:\Windows\SysWOW64\Ogknoe32.exeC:\Windows\system32\Ogknoe32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1596 -
C:\Windows\SysWOW64\Pcbncfjd.exeC:\Windows\system32\Pcbncfjd.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2704 -
C:\Windows\SysWOW64\Pilfpqaa.exeC:\Windows\system32\Pilfpqaa.exe28⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2884 -
C:\Windows\SysWOW64\Pgpgjepk.exeC:\Windows\system32\Pgpgjepk.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2716 -
C:\Windows\SysWOW64\Pnjofo32.exeC:\Windows\system32\Pnjofo32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2712 -
C:\Windows\SysWOW64\Ppkhhjei.exeC:\Windows\system32\Ppkhhjei.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1976 -
C:\Windows\SysWOW64\Pciddedl.exeC:\Windows\system32\Pciddedl.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2688 -
C:\Windows\SysWOW64\Pegqpacp.exeC:\Windows\system32\Pegqpacp.exe33⤵
- Executes dropped EXE
PID:1808 -
C:\Windows\SysWOW64\Phfmllbd.exeC:\Windows\system32\Phfmllbd.exe34⤵
- Executes dropped EXE
PID:2840 -
C:\Windows\SysWOW64\Pckajebj.exeC:\Windows\system32\Pckajebj.exe35⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:948 -
C:\Windows\SysWOW64\Phhjblpa.exeC:\Windows\system32\Phhjblpa.exe36⤵
- Executes dropped EXE
PID:2240 -
C:\Windows\SysWOW64\Qododfek.exeC:\Windows\system32\Qododfek.exe37⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2444 -
C:\Windows\SysWOW64\Qqfkln32.exeC:\Windows\system32\Qqfkln32.exe38⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2112 -
C:\Windows\SysWOW64\Anjlebjc.exeC:\Windows\system32\Anjlebjc.exe39⤵
- Executes dropped EXE
PID:988 -
C:\Windows\SysWOW64\Abegfa32.exeC:\Windows\system32\Abegfa32.exe40⤵
- Executes dropped EXE
PID:1796 -
C:\Windows\SysWOW64\Adcdbl32.exeC:\Windows\system32\Adcdbl32.exe41⤵
- Executes dropped EXE
- Modifies registry class
PID:1156 -
C:\Windows\SysWOW64\Amohfo32.exeC:\Windows\system32\Amohfo32.exe42⤵
- Executes dropped EXE
PID:544 -
C:\Windows\SysWOW64\Adfqgl32.exeC:\Windows\system32\Adfqgl32.exe43⤵
- Executes dropped EXE
PID:328 -
C:\Windows\SysWOW64\Agdmdg32.exeC:\Windows\system32\Agdmdg32.exe44⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1040 -
C:\Windows\SysWOW64\Ajcipc32.exeC:\Windows\system32\Ajcipc32.exe45⤵
- Executes dropped EXE
PID:584 -
C:\Windows\SysWOW64\Aopahjll.exeC:\Windows\system32\Aopahjll.exe46⤵
- Executes dropped EXE
PID:1912 -
C:\Windows\SysWOW64\Aggiigmn.exeC:\Windows\system32\Aggiigmn.exe47⤵
- Executes dropped EXE
PID:1308 -
C:\Windows\SysWOW64\Aihfap32.exeC:\Windows\system32\Aihfap32.exe48⤵
- Executes dropped EXE
PID:1568 -
C:\Windows\SysWOW64\Amcbankf.exeC:\Windows\system32\Amcbankf.exe49⤵
- Executes dropped EXE
PID:1812 -
C:\Windows\SysWOW64\Aflfjc32.exeC:\Windows\system32\Aflfjc32.exe50⤵
- Executes dropped EXE
PID:2912 -
C:\Windows\SysWOW64\Akiobk32.exeC:\Windows\system32\Akiobk32.exe51⤵
- Executes dropped EXE
- Modifies registry class
PID:2824 -
C:\Windows\SysWOW64\Bcpgdhpp.exeC:\Windows\system32\Bcpgdhpp.exe52⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2956 -
C:\Windows\SysWOW64\Beackp32.exeC:\Windows\system32\Beackp32.exe53⤵
- Executes dropped EXE
PID:2764 -
C:\Windows\SysWOW64\Bofgii32.exeC:\Windows\system32\Bofgii32.exe54⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2632 -
C:\Windows\SysWOW64\Becpap32.exeC:\Windows\system32\Becpap32.exe55⤵
- Executes dropped EXE
PID:1540 -
C:\Windows\SysWOW64\Bgblmk32.exeC:\Windows\system32\Bgblmk32.exe56⤵
- Executes dropped EXE
PID:2828 -
C:\Windows\SysWOW64\Bbgqjdce.exeC:\Windows\system32\Bbgqjdce.exe57⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2932 -
C:\Windows\SysWOW64\Bajqfq32.exeC:\Windows\system32\Bajqfq32.exe58⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:380 -
C:\Windows\SysWOW64\Bgdibkam.exeC:\Windows\system32\Bgdibkam.exe59⤵
- Executes dropped EXE
PID:3000 -
C:\Windows\SysWOW64\Bnnaoe32.exeC:\Windows\system32\Bnnaoe32.exe60⤵
- Executes dropped EXE
PID:1944 -
C:\Windows\SysWOW64\Behilopf.exeC:\Windows\system32\Behilopf.exe61⤵
- Executes dropped EXE
PID:2140 -
C:\Windows\SysWOW64\Bckjhl32.exeC:\Windows\system32\Bckjhl32.exe62⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:824 -
C:\Windows\SysWOW64\Bkbaii32.exeC:\Windows\system32\Bkbaii32.exe63⤵
- Executes dropped EXE
PID:916 -
C:\Windows\SysWOW64\Bmcnqama.exeC:\Windows\system32\Bmcnqama.exe64⤵
- Executes dropped EXE
PID:1684 -
C:\Windows\SysWOW64\Bejfao32.exeC:\Windows\system32\Bejfao32.exe65⤵
- Executes dropped EXE
PID:2044 -
C:\Windows\SysWOW64\Bgibnj32.exeC:\Windows\system32\Bgibnj32.exe66⤵
- System Location Discovery: System Language Discovery
PID:1536 -
C:\Windows\SysWOW64\Cjgoje32.exeC:\Windows\system32\Cjgoje32.exe67⤵PID:300
-
C:\Windows\SysWOW64\Caaggpdh.exeC:\Windows\system32\Caaggpdh.exe68⤵PID:2464
-
C:\Windows\SysWOW64\Cgkocj32.exeC:\Windows\system32\Cgkocj32.exe69⤵PID:1584
-
C:\Windows\SysWOW64\Cjjkpe32.exeC:\Windows\system32\Cjjkpe32.exe70⤵PID:1784
-
C:\Windows\SysWOW64\Cmhglq32.exeC:\Windows\system32\Cmhglq32.exe71⤵PID:2708
-
C:\Windows\SysWOW64\Cpfdhl32.exeC:\Windows\system32\Cpfdhl32.exe72⤵PID:2800
-
C:\Windows\SysWOW64\Ccbphk32.exeC:\Windows\system32\Ccbphk32.exe73⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2868 -
C:\Windows\SysWOW64\Cjlheehe.exeC:\Windows\system32\Cjlheehe.exe74⤵PID:2344
-
C:\Windows\SysWOW64\Cmjdaqgi.exeC:\Windows\system32\Cmjdaqgi.exe75⤵PID:2324
-
C:\Windows\SysWOW64\Cpiqmlfm.exeC:\Windows\system32\Cpiqmlfm.exe76⤵PID:2844
-
C:\Windows\SysWOW64\Ceeieced.exeC:\Windows\system32\Ceeieced.exe77⤵PID:1948
-
C:\Windows\SysWOW64\Cmmagpef.exeC:\Windows\system32\Cmmagpef.exe78⤵PID:2116
-
C:\Windows\SysWOW64\Cpkmcldj.exeC:\Windows\system32\Cpkmcldj.exe79⤵
- Drops file in System32 directory
PID:2576 -
C:\Windows\SysWOW64\Cehfkb32.exeC:\Windows\system32\Cehfkb32.exe80⤵PID:836
-
C:\Windows\SysWOW64\Clbnhmjo.exeC:\Windows\system32\Clbnhmjo.exe81⤵PID:900
-
C:\Windows\SysWOW64\Copjdhib.exeC:\Windows\system32\Copjdhib.exe82⤵PID:1316
-
C:\Windows\SysWOW64\Daofpchf.exeC:\Windows\system32\Daofpchf.exe83⤵
- Modifies registry class
PID:684 -
C:\Windows\SysWOW64\Dhiomn32.exeC:\Windows\system32\Dhiomn32.exe84⤵PID:2476
-
C:\Windows\SysWOW64\Dobgihgp.exeC:\Windows\system32\Dobgihgp.exe85⤵
- Modifies registry class
PID:2128 -
C:\Windows\SysWOW64\Daacecfc.exeC:\Windows\system32\Daacecfc.exe86⤵PID:1720
-
C:\Windows\SysWOW64\Ddpobo32.exeC:\Windows\system32\Ddpobo32.exe87⤵PID:2804
-
C:\Windows\SysWOW64\Dlfgcl32.exeC:\Windows\system32\Dlfgcl32.exe88⤵
- System Location Discovery: System Language Discovery
PID:2756 -
C:\Windows\SysWOW64\Doecog32.exeC:\Windows\system32\Doecog32.exe89⤵PID:2904
-
C:\Windows\SysWOW64\Dmhdkdlg.exeC:\Windows\system32\Dmhdkdlg.exe90⤵PID:2948
-
C:\Windows\SysWOW64\Deollamj.exeC:\Windows\system32\Deollamj.exe91⤵PID:2204
-
C:\Windows\SysWOW64\Dfphcj32.exeC:\Windows\system32\Dfphcj32.exe92⤵PID:2780
-
C:\Windows\SysWOW64\Dklddhka.exeC:\Windows\system32\Dklddhka.exe93⤵PID:2856
-
C:\Windows\SysWOW64\Dmjqpdje.exeC:\Windows\system32\Dmjqpdje.exe94⤵PID:2832
-
C:\Windows\SysWOW64\Dhpemm32.exeC:\Windows\system32\Dhpemm32.exe95⤵PID:2332
-
C:\Windows\SysWOW64\Dknajh32.exeC:\Windows\system32\Dknajh32.exe96⤵PID:2388
-
C:\Windows\SysWOW64\Diaaeepi.exeC:\Windows\system32\Diaaeepi.exe97⤵PID:2696
-
C:\Windows\SysWOW64\Dahifbpk.exeC:\Windows\system32\Dahifbpk.exe98⤵PID:3040
-
C:\Windows\SysWOW64\Dpkibo32.exeC:\Windows\system32\Dpkibo32.exe99⤵PID:1196
-
C:\Windows\SysWOW64\Dgeaoinb.exeC:\Windows\system32\Dgeaoinb.exe100⤵
- System Location Discovery: System Language Discovery
PID:1480 -
C:\Windows\SysWOW64\Dkqnoh32.exeC:\Windows\system32\Dkqnoh32.exe101⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2228 -
C:\Windows\SysWOW64\Elajgpmj.exeC:\Windows\system32\Elajgpmj.exe102⤵PID:2692
-
C:\Windows\SysWOW64\Edibhmml.exeC:\Windows\system32\Edibhmml.exe103⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2880 -
C:\Windows\SysWOW64\Eggndi32.exeC:\Windows\system32\Eggndi32.exe104⤵
- Modifies registry class
PID:2648 -
C:\Windows\SysWOW64\Eejopecj.exeC:\Windows\system32\Eejopecj.exe105⤵PID:1804
-
C:\Windows\SysWOW64\Emagacdm.exeC:\Windows\system32\Emagacdm.exe106⤵PID:2836
-
C:\Windows\SysWOW64\Eppcmncq.exeC:\Windows\system32\Eppcmncq.exe107⤵PID:2312
-
C:\Windows\SysWOW64\Egikjh32.exeC:\Windows\system32\Egikjh32.exe108⤵PID:1816
-
C:\Windows\SysWOW64\Eihgfd32.exeC:\Windows\system32\Eihgfd32.exe109⤵
- Modifies registry class
PID:1920 -
C:\Windows\SysWOW64\Elfcbo32.exeC:\Windows\system32\Elfcbo32.exe110⤵PID:3048
-
C:\Windows\SysWOW64\Eoepnk32.exeC:\Windows\system32\Eoepnk32.exe111⤵PID:2296
-
C:\Windows\SysWOW64\Ecploipa.exeC:\Windows\system32\Ecploipa.exe112⤵PID:1556
-
C:\Windows\SysWOW64\Eacljf32.exeC:\Windows\system32\Eacljf32.exe113⤵PID:2408
-
C:\Windows\SysWOW64\Eijdkcgn.exeC:\Windows\system32\Eijdkcgn.exe114⤵PID:2448
-
C:\Windows\SysWOW64\Ehmdgp32.exeC:\Windows\system32\Ehmdgp32.exe115⤵PID:2608
-
C:\Windows\SysWOW64\Eklqcl32.exeC:\Windows\system32\Eklqcl32.exe116⤵PID:2604
-
C:\Windows\SysWOW64\Eogmcjef.exeC:\Windows\system32\Eogmcjef.exe117⤵PID:2928
-
C:\Windows\SysWOW64\Eeaepd32.exeC:\Windows\system32\Eeaepd32.exe118⤵PID:2776
-
C:\Windows\SysWOW64\Ehpalp32.exeC:\Windows\system32\Ehpalp32.exe119⤵PID:1752
-
C:\Windows\SysWOW64\Eknmhk32.exeC:\Windows\system32\Eknmhk32.exe120⤵PID:608
-
C:\Windows\SysWOW64\Enlidg32.exeC:\Windows\system32\Enlidg32.exe121⤵
- System Location Discovery: System Language Discovery
PID:1612
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-