Analysis
-
max time kernel
144s -
max time network
17s -
platform
windows7_x64 -
resource
win7-20240729-en -
resource tags
arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system -
submitted
14/08/2024, 00:49
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
dc3961f6b42c7ce0bbc4c067dfef74d67ca77fcecdc5c033c75c10ec0bae5b90.exe
Resource
win7-20240729-en
windows7-x64
8 signatures
150 seconds
Behavioral task
behavioral2
Sample
dc3961f6b42c7ce0bbc4c067dfef74d67ca77fcecdc5c033c75c10ec0bae5b90.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
7 signatures
150 seconds
General
-
Target
dc3961f6b42c7ce0bbc4c067dfef74d67ca77fcecdc5c033c75c10ec0bae5b90.exe
-
Size
144KB
-
MD5
9125023814e8a2d7f91b4363f5dd5aaa
-
SHA1
a9d0a31c5053469c7bdd1fdc26eff99c1aa879b1
-
SHA256
dc3961f6b42c7ce0bbc4c067dfef74d67ca77fcecdc5c033c75c10ec0bae5b90
-
SHA512
38a4f4554d252af2d26f825ba9a02868a26ccb61b56454d9c2c8575760ff0bb0cd0e847e94f891c5727b42bea622b62ebb6022f550ef7844ce2337e3be3ead14
-
SSDEEP
3072:x7URfaPCFdL8Phvuzp4j+oVGCzGYJpD9r8XxrYnQg4sI+:5ES8dYAirVGYGyZ6Yu+
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jljgni32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nbinad32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Eajhgg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Iclfccmq.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mbhnpplb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ndgdpn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Eoalpaaa.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hgaoec32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ljpqlqmd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mnneabff.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ljhppo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lkemli32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fepnhjdh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jgmofbpk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jljgni32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mbehgabe.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pddinn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cncmei32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dcfknooi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ppegdapd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Omjeba32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qkpnph32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jnafop32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pghjqlmi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ienfml32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ophanl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Alknnodh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Himkgf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lhpmhgbf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oppbjn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gklkdn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jhndcd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Opcaiggo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Njipabhe.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Obcgaill.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cjkamk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ldchdjom.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lnmcge32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ijmkkc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kngcbpjc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bncpffdn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dhdddnep.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hmfkbeoc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Acjfpokk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bmmgbbeq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Qiekadkl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Eaoaafli.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ifoljn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jaaoakmc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kekkkm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Janihlcf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dkkmln32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ehlmnfeo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kiqdmm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Flmlmc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kikpgk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pooaaink.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nmeohnil.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nmpkal32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lnambeed.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pkebgj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cbfeam32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hbnqln32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kanfgofa.exe -
Executes dropped EXE 64 IoCs
pid Process 1832 Jcnmme32.exe 2820 Jkjaaglp.exe 2708 Jacjna32.exe 2836 Jklnggjm.exe 1616 Jnjjcbiq.exe 2724 Jaffca32.exe 3048 Jgbolhoa.exe 2368 Kknklg32.exe 1992 Kpkcdn32.exe 1556 Kdgoelnk.exe 2864 Kjchmclb.exe 2928 Klbdiokf.exe 500 Kcllfi32.exe 2184 Kfjibdbf.exe 1580 Knaqcabh.exe 2428 Kppmpmal.exe 948 Kcnilhap.exe 1964 Kfmehdpc.exe 684 Kjhahb32.exe 488 Klfndn32.exe 2084 Kpbiempj.exe 1724 Kcqfahom.exe 2552 Kbcfme32.exe 928 Kfobmc32.exe 796 Klijjnen.exe 2744 Kkljfj32.exe 1016 Lddoopbi.exe 2880 Lhpkoo32.exe 2764 Lkngkj32.exe 2772 Lnmcge32.exe 3044 Lfckhc32.exe 2104 Lgehpk32.exe 1820 Lolpah32.exe 2908 Lqmliqfj.exe 844 Lhddjngm.exe 2452 Lkcqfifp.exe 2792 Lnambeed.exe 2556 Ldkeoo32.exe 1696 Lcneklck.exe 1940 Lkemli32.exe 2036 Lncjhd32.exe 2080 Ldnbeokn.exe 1344 Lfonlg32.exe 1932 Mqdbjp32.exe 344 Mgnkfjho.exe 3052 Mfakbf32.exe 2564 Mjmgbe32.exe 2812 Mmkcoq32.exe 2640 Mqfooonp.exe 2776 Mcekkkmc.exe 2632 Mbhlgg32.exe 2272 Mjodhe32.exe 1040 Mmmpdp32.exe 3032 Mpllpl32.exe 2268 Mcghajkq.exe 1524 Mbjhlg32.exe 1984 Meidib32.exe 988 Mmpmjpba.exe 2052 Mlbmem32.exe 1804 Mpnifkae.exe 2088 Mbmebgpi.exe 2384 Mekanbol.exe 1968 Mifmoa32.exe 3060 Mlejkl32.exe -
Loads dropped DLL 64 IoCs
pid Process 2544 dc3961f6b42c7ce0bbc4c067dfef74d67ca77fcecdc5c033c75c10ec0bae5b90.exe 2544 dc3961f6b42c7ce0bbc4c067dfef74d67ca77fcecdc5c033c75c10ec0bae5b90.exe 1832 Jcnmme32.exe 1832 Jcnmme32.exe 2820 Jkjaaglp.exe 2820 Jkjaaglp.exe 2708 Jacjna32.exe 2708 Jacjna32.exe 2836 Jklnggjm.exe 2836 Jklnggjm.exe 1616 Jnjjcbiq.exe 1616 Jnjjcbiq.exe 2724 Jaffca32.exe 2724 Jaffca32.exe 3048 Jgbolhoa.exe 3048 Jgbolhoa.exe 2368 Kknklg32.exe 2368 Kknklg32.exe 1992 Kpkcdn32.exe 1992 Kpkcdn32.exe 1556 Kdgoelnk.exe 1556 Kdgoelnk.exe 2864 Kjchmclb.exe 2864 Kjchmclb.exe 2928 Klbdiokf.exe 2928 Klbdiokf.exe 500 Kcllfi32.exe 500 Kcllfi32.exe 2184 Kfjibdbf.exe 2184 Kfjibdbf.exe 1580 Knaqcabh.exe 1580 Knaqcabh.exe 2428 Kppmpmal.exe 2428 Kppmpmal.exe 948 Kcnilhap.exe 948 Kcnilhap.exe 1964 Kfmehdpc.exe 1964 Kfmehdpc.exe 684 Kjhahb32.exe 684 Kjhahb32.exe 488 Klfndn32.exe 488 Klfndn32.exe 2084 Kpbiempj.exe 2084 Kpbiempj.exe 1724 Kcqfahom.exe 1724 Kcqfahom.exe 2552 Kbcfme32.exe 2552 Kbcfme32.exe 928 Kfobmc32.exe 928 Kfobmc32.exe 796 Klijjnen.exe 796 Klijjnen.exe 2744 Kkljfj32.exe 2744 Kkljfj32.exe 1016 Lddoopbi.exe 1016 Lddoopbi.exe 2880 Lhpkoo32.exe 2880 Lhpkoo32.exe 2764 Lkngkj32.exe 2764 Lkngkj32.exe 2772 Lnmcge32.exe 2772 Lnmcge32.exe 3044 Lfckhc32.exe 3044 Lfckhc32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Licpdaeg.dll Mnneabff.exe File created C:\Windows\SysWOW64\Gddfepbh.dll Jmhpfl32.exe File created C:\Windows\SysWOW64\Djcdmp32.dll Cmdcngbd.exe File created C:\Windows\SysWOW64\Iffdlkng.dll Ljpqlqmd.exe File created C:\Windows\SysWOW64\Npfhjifm.exe Nmhlnngi.exe File created C:\Windows\SysWOW64\Mdnkcibn.dll Obijpgcf.exe File created C:\Windows\SysWOW64\Dcfknooi.exe Dahobdpe.exe File opened for modification C:\Windows\SysWOW64\Iiodliep.exe Ibeloo32.exe File created C:\Windows\SysWOW64\Bmhjjiab.dll Gbkdgn32.exe File opened for modification C:\Windows\SysWOW64\Cicggcke.exe Bbjoki32.exe File opened for modification C:\Windows\SysWOW64\Fkjbpkag.exe Fgnfpm32.exe File opened for modification C:\Windows\SysWOW64\Jlbjcd32.exe Jidngh32.exe File opened for modification C:\Windows\SysWOW64\Lahaqm32.exe Lnmfpnqn.exe File opened for modification C:\Windows\SysWOW64\Bipaodah.exe Bnkmakbb.exe File created C:\Windows\SysWOW64\Oicjmn32.dll Mmpmjpba.exe File created C:\Windows\SysWOW64\Mfijfdca.exe Mcknjidn.exe File opened for modification C:\Windows\SysWOW64\Ldnbeokn.exe Lncjhd32.exe File created C:\Windows\SysWOW64\Dfegjknm.exe Dcfknooi.exe File created C:\Windows\SysWOW64\Qncmki32.dll Egljjmkp.exe File created C:\Windows\SysWOW64\Jplinckj.exe Iefeaj32.exe File opened for modification C:\Windows\SysWOW64\Nakeib32.exe Nidmhd32.exe File opened for modification C:\Windows\SysWOW64\Ldchdjom.exe Lllpclnk.exe File opened for modification C:\Windows\SysWOW64\Omlahqeo.exe Ofbikf32.exe File created C:\Windows\SysWOW64\Bcgoolln.exe Bmmgbbeq.exe File opened for modification C:\Windows\SysWOW64\Hcajjf32.exe Hqbnnj32.exe File opened for modification C:\Windows\SysWOW64\Kaillp32.exe Kbflqccl.exe File created C:\Windows\SysWOW64\Idmele32.dll Lpjiik32.exe File created C:\Windows\SysWOW64\Agpqhl32.dll Damhmc32.exe File created C:\Windows\SysWOW64\Oljagk32.dll Kpiihgoh.exe File created C:\Windows\SysWOW64\Jkjaaglp.exe Jcnmme32.exe File opened for modification C:\Windows\SysWOW64\Cbfeam32.exe Cpgieb32.exe File opened for modification C:\Windows\SysWOW64\Heqfdh32.exe Haejcj32.exe File opened for modification C:\Windows\SysWOW64\Ilhnjfmi.exe Iijbnkne.exe File opened for modification C:\Windows\SysWOW64\Deonff32.exe Ddnaonia.exe File created C:\Windows\SysWOW64\Bipaodah.exe Bnkmakbb.exe File created C:\Windows\SysWOW64\Cmbghgdg.exe Cgeopqfp.exe File created C:\Windows\SysWOW64\Nhdjdk32.exe Neemgp32.exe File opened for modification C:\Windows\SysWOW64\Eahkag32.exe Eojoelcm.exe File opened for modification C:\Windows\SysWOW64\Jbooen32.exe Jlegic32.exe File created C:\Windows\SysWOW64\Lllihf32.exe Lhpmhgbf.exe File created C:\Windows\SysWOW64\Jmndle32.dll Mbhlgg32.exe File opened for modification C:\Windows\SysWOW64\Hbkpfa32.exe Hchpjddc.exe File created C:\Windows\SysWOW64\Nmbenc32.exe Njcibgcf.exe File created C:\Windows\SysWOW64\Nolgkp32.dll Njlcah32.exe File created C:\Windows\SysWOW64\Lajhba32.dll Bgqeea32.exe File created C:\Windows\SysWOW64\Edicfeme.dll Gmnlog32.exe File created C:\Windows\SysWOW64\Nicfnn32.exe Nalnmahf.exe File opened for modification C:\Windows\SysWOW64\Pgbejj32.exe Pddinn32.exe File created C:\Windows\SysWOW64\Fdldjnpc.dll Lppkgi32.exe File opened for modification C:\Windows\SysWOW64\Mbobgfnf.exe Mpqekkob.exe File created C:\Windows\SysWOW64\Lgpjhf32.dll Abjcleqm.exe File opened for modification C:\Windows\SysWOW64\Gnhkkjbf.exe Gkiooocb.exe File opened for modification C:\Windows\SysWOW64\Kfenjq32.exe Kbjbibli.exe File opened for modification C:\Windows\SysWOW64\Jbdokceo.exe Jpfcohfk.exe File created C:\Windows\SysWOW64\Allben32.dll Hbhmfk32.exe File created C:\Windows\SysWOW64\Nidmhd32.exe Njammhei.exe File created C:\Windows\SysWOW64\Kphpdhdh.exe Jhahcjcf.exe File created C:\Windows\SysWOW64\Ngpfbjkg.dll Pkkeeikj.exe File created C:\Windows\SysWOW64\Ibhieo32.exe Ipimic32.exe File created C:\Windows\SysWOW64\Pkegkb32.dll Mcekkkmc.exe File opened for modification C:\Windows\SysWOW64\Imqdcjkd.exe Hjbhgolp.exe File created C:\Windows\SysWOW64\Dflhfbdc.dll Moflkfca.exe File created C:\Windows\SysWOW64\Pejcab32.exe Pfgcff32.exe File opened for modification C:\Windows\SysWOW64\Bgnaekil.exe Bdoeipjh.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 7852 7812 WerFault.exe 765 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pdffcn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aagfffbo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ccileljk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hojqjp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Klbdiokf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dbkolmia.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fokofpif.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ldokhn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jlegic32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ncggifep.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Obamebfc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lcneklck.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mmkcoq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hmlkhk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kgmkef32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mdkcgk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jgmofbpk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ofnppgbh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eaoaafli.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jekoljgo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kcqfahom.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qefihg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mdcdcmai.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Klimcf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gdgcnj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Indnqb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lohiob32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lolbjahp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kcnilhap.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qhgbibgg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cpemob32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dplbpaim.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Npngng32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Adeiobgc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jmbnhm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bjlnaghp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kfcadq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ljfckodo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dfdngl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jjbdfbnl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fiopah32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Himkgf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ibeloo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Leaallcb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ccloea32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hnjdpm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iclfccmq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ifoljn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ddcadd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ehgmiq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jaaoakmc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lcnhcdkp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nbddfe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ofefqf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Phmiimlf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pahjgb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Olnipn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eleliepj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hbpmbndm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kbflqccl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Akbgdkgm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Egljjmkp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gkiooocb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kfenjq32.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgnbfdao.dll" Mbjhlg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bknaehom.dll" Cmbghgdg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Cfjdfg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Dcfknooi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hleggpll.dll" Ipecndab.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mpllpl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Acnpjj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lmiggh32.dll" Bgnaekil.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fefhnhpc.dll" Fdbgia32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpmggm32.dll" Jlegic32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hgobpd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Aenileon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Eiocbd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dflhfbdc.dll" Moflkfca.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kdakoj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bmmgbbeq.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Lahaqm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ooeolkff.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ldkeoo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fldmcknm.dll" Helmiiec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jkdalb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fldbnb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ajlema32.dll" Mnakjaoc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kbcfme32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Afhbljko.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Lhhjcmpj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Acplpjpj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oicjmn32.dll" Mmpmjpba.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Andkbien.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hjplao32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jmbnhm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ieiegf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmjnmj32.dll" Ooeolkff.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ehlmnfeo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pejcab32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ccdnipal.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Baaadl32.dll" Kknklg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Alahklnm.dll" Pddinn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dcfknooi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ghkbccdn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Qhdfdb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jpfcohfk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Nhdjdk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfjcjb32.dll" Polakmbi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pamnnemo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fgfckbfa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjebph32.dll" Jpfcohfk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aaplgfio.dll" Ljejgp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Moflkfca.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jplinckj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ankomldp.dll" Ollljo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Anmnhhmd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dfdngl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfoogjlk.dll" Dbkolmia.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hpjgdf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hdapggln.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgkjfeka.dll" Ibeloo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnkbglmp.dll" Kidjfl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Lfonlg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cbhbpk32.dll" Idepdhia.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcgmedpl.dll" Bgkeol32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dogbolep.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jffaoi32.dll" Fcmdpcle.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Njobpa32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2544 wrote to memory of 1832 2544 dc3961f6b42c7ce0bbc4c067dfef74d67ca77fcecdc5c033c75c10ec0bae5b90.exe 29 PID 2544 wrote to memory of 1832 2544 dc3961f6b42c7ce0bbc4c067dfef74d67ca77fcecdc5c033c75c10ec0bae5b90.exe 29 PID 2544 wrote to memory of 1832 2544 dc3961f6b42c7ce0bbc4c067dfef74d67ca77fcecdc5c033c75c10ec0bae5b90.exe 29 PID 2544 wrote to memory of 1832 2544 dc3961f6b42c7ce0bbc4c067dfef74d67ca77fcecdc5c033c75c10ec0bae5b90.exe 29 PID 1832 wrote to memory of 2820 1832 Jcnmme32.exe 30 PID 1832 wrote to memory of 2820 1832 Jcnmme32.exe 30 PID 1832 wrote to memory of 2820 1832 Jcnmme32.exe 30 PID 1832 wrote to memory of 2820 1832 Jcnmme32.exe 30 PID 2820 wrote to memory of 2708 2820 Jkjaaglp.exe 31 PID 2820 wrote to memory of 2708 2820 Jkjaaglp.exe 31 PID 2820 wrote to memory of 2708 2820 Jkjaaglp.exe 31 PID 2820 wrote to memory of 2708 2820 Jkjaaglp.exe 31 PID 2708 wrote to memory of 2836 2708 Jacjna32.exe 32 PID 2708 wrote to memory of 2836 2708 Jacjna32.exe 32 PID 2708 wrote to memory of 2836 2708 Jacjna32.exe 32 PID 2708 wrote to memory of 2836 2708 Jacjna32.exe 32 PID 2836 wrote to memory of 1616 2836 Jklnggjm.exe 33 PID 2836 wrote to memory of 1616 2836 Jklnggjm.exe 33 PID 2836 wrote to memory of 1616 2836 Jklnggjm.exe 33 PID 2836 wrote to memory of 1616 2836 Jklnggjm.exe 33 PID 1616 wrote to memory of 2724 1616 Jnjjcbiq.exe 34 PID 1616 wrote to memory of 2724 1616 Jnjjcbiq.exe 34 PID 1616 wrote to memory of 2724 1616 Jnjjcbiq.exe 34 PID 1616 wrote to memory of 2724 1616 Jnjjcbiq.exe 34 PID 2724 wrote to memory of 3048 2724 Jaffca32.exe 35 PID 2724 wrote to memory of 3048 2724 Jaffca32.exe 35 PID 2724 wrote to memory of 3048 2724 Jaffca32.exe 35 PID 2724 wrote to memory of 3048 2724 Jaffca32.exe 35 PID 3048 wrote to memory of 2368 3048 Jgbolhoa.exe 36 PID 3048 wrote to memory of 2368 3048 Jgbolhoa.exe 36 PID 3048 wrote to memory of 2368 3048 Jgbolhoa.exe 36 PID 3048 wrote to memory of 2368 3048 Jgbolhoa.exe 36 PID 2368 wrote to memory of 1992 2368 Kknklg32.exe 37 PID 2368 wrote to memory of 1992 2368 Kknklg32.exe 37 PID 2368 wrote to memory of 1992 2368 Kknklg32.exe 37 PID 2368 wrote to memory of 1992 2368 Kknklg32.exe 37 PID 1992 wrote to memory of 1556 1992 Kpkcdn32.exe 38 PID 1992 wrote to memory of 1556 1992 Kpkcdn32.exe 38 PID 1992 wrote to memory of 1556 1992 Kpkcdn32.exe 38 PID 1992 wrote to memory of 1556 1992 Kpkcdn32.exe 38 PID 1556 wrote to memory of 2864 1556 Kdgoelnk.exe 39 PID 1556 wrote to memory of 2864 1556 Kdgoelnk.exe 39 PID 1556 wrote to memory of 2864 1556 Kdgoelnk.exe 39 PID 1556 wrote to memory of 2864 1556 Kdgoelnk.exe 39 PID 2864 wrote to memory of 2928 2864 Kjchmclb.exe 40 PID 2864 wrote to memory of 2928 2864 Kjchmclb.exe 40 PID 2864 wrote to memory of 2928 2864 Kjchmclb.exe 40 PID 2864 wrote to memory of 2928 2864 Kjchmclb.exe 40 PID 2928 wrote to memory of 500 2928 Klbdiokf.exe 41 PID 2928 wrote to memory of 500 2928 Klbdiokf.exe 41 PID 2928 wrote to memory of 500 2928 Klbdiokf.exe 41 PID 2928 wrote to memory of 500 2928 Klbdiokf.exe 41 PID 500 wrote to memory of 2184 500 Kcllfi32.exe 42 PID 500 wrote to memory of 2184 500 Kcllfi32.exe 42 PID 500 wrote to memory of 2184 500 Kcllfi32.exe 42 PID 500 wrote to memory of 2184 500 Kcllfi32.exe 42 PID 2184 wrote to memory of 1580 2184 Kfjibdbf.exe 43 PID 2184 wrote to memory of 1580 2184 Kfjibdbf.exe 43 PID 2184 wrote to memory of 1580 2184 Kfjibdbf.exe 43 PID 2184 wrote to memory of 1580 2184 Kfjibdbf.exe 43 PID 1580 wrote to memory of 2428 1580 Knaqcabh.exe 44 PID 1580 wrote to memory of 2428 1580 Knaqcabh.exe 44 PID 1580 wrote to memory of 2428 1580 Knaqcabh.exe 44 PID 1580 wrote to memory of 2428 1580 Knaqcabh.exe 44
Processes
-
C:\Users\Admin\AppData\Local\Temp\dc3961f6b42c7ce0bbc4c067dfef74d67ca77fcecdc5c033c75c10ec0bae5b90.exe"C:\Users\Admin\AppData\Local\Temp\dc3961f6b42c7ce0bbc4c067dfef74d67ca77fcecdc5c033c75c10ec0bae5b90.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2544 -
C:\Windows\SysWOW64\Jcnmme32.exeC:\Windows\system32\Jcnmme32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1832 -
C:\Windows\SysWOW64\Jkjaaglp.exeC:\Windows\system32\Jkjaaglp.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2820 -
C:\Windows\SysWOW64\Jacjna32.exeC:\Windows\system32\Jacjna32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2708 -
C:\Windows\SysWOW64\Jklnggjm.exeC:\Windows\system32\Jklnggjm.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2836 -
C:\Windows\SysWOW64\Jnjjcbiq.exeC:\Windows\system32\Jnjjcbiq.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1616 -
C:\Windows\SysWOW64\Jaffca32.exeC:\Windows\system32\Jaffca32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2724 -
C:\Windows\SysWOW64\Jgbolhoa.exeC:\Windows\system32\Jgbolhoa.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3048 -
C:\Windows\SysWOW64\Kknklg32.exeC:\Windows\system32\Kknklg32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2368 -
C:\Windows\SysWOW64\Kpkcdn32.exeC:\Windows\system32\Kpkcdn32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1992 -
C:\Windows\SysWOW64\Kdgoelnk.exeC:\Windows\system32\Kdgoelnk.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1556 -
C:\Windows\SysWOW64\Kjchmclb.exeC:\Windows\system32\Kjchmclb.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2864 -
C:\Windows\SysWOW64\Klbdiokf.exeC:\Windows\system32\Klbdiokf.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2928 -
C:\Windows\SysWOW64\Kcllfi32.exeC:\Windows\system32\Kcllfi32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:500 -
C:\Windows\SysWOW64\Kfjibdbf.exeC:\Windows\system32\Kfjibdbf.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2184 -
C:\Windows\SysWOW64\Knaqcabh.exeC:\Windows\system32\Knaqcabh.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1580 -
C:\Windows\SysWOW64\Kppmpmal.exeC:\Windows\system32\Kppmpmal.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2428 -
C:\Windows\SysWOW64\Kcnilhap.exeC:\Windows\system32\Kcnilhap.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:948 -
C:\Windows\SysWOW64\Kfmehdpc.exeC:\Windows\system32\Kfmehdpc.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1964 -
C:\Windows\SysWOW64\Kjhahb32.exeC:\Windows\system32\Kjhahb32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:684 -
C:\Windows\SysWOW64\Klfndn32.exeC:\Windows\system32\Klfndn32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:488 -
C:\Windows\SysWOW64\Kpbiempj.exeC:\Windows\system32\Kpbiempj.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2084 -
C:\Windows\SysWOW64\Kcqfahom.exeC:\Windows\system32\Kcqfahom.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1724 -
C:\Windows\SysWOW64\Kbcfme32.exeC:\Windows\system32\Kbcfme32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2552 -
C:\Windows\SysWOW64\Kfobmc32.exeC:\Windows\system32\Kfobmc32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:928 -
C:\Windows\SysWOW64\Klijjnen.exeC:\Windows\system32\Klijjnen.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:796 -
C:\Windows\SysWOW64\Kkljfj32.exeC:\Windows\system32\Kkljfj32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2744 -
C:\Windows\SysWOW64\Lddoopbi.exeC:\Windows\system32\Lddoopbi.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1016 -
C:\Windows\SysWOW64\Lhpkoo32.exeC:\Windows\system32\Lhpkoo32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2880 -
C:\Windows\SysWOW64\Lkngkj32.exeC:\Windows\system32\Lkngkj32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2764 -
C:\Windows\SysWOW64\Lnmcge32.exeC:\Windows\system32\Lnmcge32.exe31⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2772 -
C:\Windows\SysWOW64\Lfckhc32.exeC:\Windows\system32\Lfckhc32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3044 -
C:\Windows\SysWOW64\Lgehpk32.exeC:\Windows\system32\Lgehpk32.exe33⤵
- Executes dropped EXE
PID:2104 -
C:\Windows\SysWOW64\Lolpah32.exeC:\Windows\system32\Lolpah32.exe34⤵
- Executes dropped EXE
PID:1820 -
C:\Windows\SysWOW64\Lqmliqfj.exeC:\Windows\system32\Lqmliqfj.exe35⤵
- Executes dropped EXE
PID:2908 -
C:\Windows\SysWOW64\Lhddjngm.exeC:\Windows\system32\Lhddjngm.exe36⤵
- Executes dropped EXE
PID:844 -
C:\Windows\SysWOW64\Lkcqfifp.exeC:\Windows\system32\Lkcqfifp.exe37⤵
- Executes dropped EXE
PID:2452 -
C:\Windows\SysWOW64\Lnambeed.exeC:\Windows\system32\Lnambeed.exe38⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2792 -
C:\Windows\SysWOW64\Ldkeoo32.exeC:\Windows\system32\Ldkeoo32.exe39⤵
- Executes dropped EXE
- Modifies registry class
PID:2556 -
C:\Windows\SysWOW64\Lcneklck.exeC:\Windows\system32\Lcneklck.exe40⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1696 -
C:\Windows\SysWOW64\Lkemli32.exeC:\Windows\system32\Lkemli32.exe41⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1940 -
C:\Windows\SysWOW64\Lncjhd32.exeC:\Windows\system32\Lncjhd32.exe42⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2036 -
C:\Windows\SysWOW64\Ldnbeokn.exeC:\Windows\system32\Ldnbeokn.exe43⤵
- Executes dropped EXE
PID:2080 -
C:\Windows\SysWOW64\Lfonlg32.exeC:\Windows\system32\Lfonlg32.exe44⤵
- Executes dropped EXE
- Modifies registry class
PID:1344 -
C:\Windows\SysWOW64\Mqdbjp32.exeC:\Windows\system32\Mqdbjp32.exe45⤵
- Executes dropped EXE
PID:1932 -
C:\Windows\SysWOW64\Mgnkfjho.exeC:\Windows\system32\Mgnkfjho.exe46⤵
- Executes dropped EXE
PID:344 -
C:\Windows\SysWOW64\Mfakbf32.exeC:\Windows\system32\Mfakbf32.exe47⤵
- Executes dropped EXE
PID:3052 -
C:\Windows\SysWOW64\Mjmgbe32.exeC:\Windows\system32\Mjmgbe32.exe48⤵
- Executes dropped EXE
PID:2564 -
C:\Windows\SysWOW64\Mmkcoq32.exeC:\Windows\system32\Mmkcoq32.exe49⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2812 -
C:\Windows\SysWOW64\Mqfooonp.exeC:\Windows\system32\Mqfooonp.exe50⤵
- Executes dropped EXE
PID:2640 -
C:\Windows\SysWOW64\Mcekkkmc.exeC:\Windows\system32\Mcekkkmc.exe51⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2776 -
C:\Windows\SysWOW64\Mbhlgg32.exeC:\Windows\system32\Mbhlgg32.exe52⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2632 -
C:\Windows\SysWOW64\Mjodhe32.exeC:\Windows\system32\Mjodhe32.exe53⤵
- Executes dropped EXE
PID:2272 -
C:\Windows\SysWOW64\Mmmpdp32.exeC:\Windows\system32\Mmmpdp32.exe54⤵
- Executes dropped EXE
PID:1040 -
C:\Windows\SysWOW64\Mpllpl32.exeC:\Windows\system32\Mpllpl32.exe55⤵
- Executes dropped EXE
- Modifies registry class
PID:3032 -
C:\Windows\SysWOW64\Mcghajkq.exeC:\Windows\system32\Mcghajkq.exe56⤵
- Executes dropped EXE
PID:2268 -
C:\Windows\SysWOW64\Mbjhlg32.exeC:\Windows\system32\Mbjhlg32.exe57⤵
- Executes dropped EXE
- Modifies registry class
PID:1524 -
C:\Windows\SysWOW64\Meidib32.exeC:\Windows\system32\Meidib32.exe58⤵
- Executes dropped EXE
PID:1984 -
C:\Windows\SysWOW64\Mmpmjpba.exeC:\Windows\system32\Mmpmjpba.exe59⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:988 -
C:\Windows\SysWOW64\Mlbmem32.exeC:\Windows\system32\Mlbmem32.exe60⤵
- Executes dropped EXE
PID:2052 -
C:\Windows\SysWOW64\Mpnifkae.exeC:\Windows\system32\Mpnifkae.exe61⤵
- Executes dropped EXE
PID:1804 -
C:\Windows\SysWOW64\Mbmebgpi.exeC:\Windows\system32\Mbmebgpi.exe62⤵
- Executes dropped EXE
PID:2088 -
C:\Windows\SysWOW64\Mekanbol.exeC:\Windows\system32\Mekanbol.exe63⤵
- Executes dropped EXE
PID:2384 -
C:\Windows\SysWOW64\Mifmoa32.exeC:\Windows\system32\Mifmoa32.exe64⤵
- Executes dropped EXE
PID:1968 -
C:\Windows\SysWOW64\Mlejkl32.exeC:\Windows\system32\Mlejkl32.exe65⤵
- Executes dropped EXE
PID:3060 -
C:\Windows\SysWOW64\Mpqekkob.exeC:\Windows\system32\Mpqekkob.exe66⤵
- Drops file in System32 directory
PID:2152 -
C:\Windows\SysWOW64\Mbobgfnf.exeC:\Windows\system32\Mbobgfnf.exe67⤵PID:1644
-
C:\Windows\SysWOW64\Maabcc32.exeC:\Windows\system32\Maabcc32.exe68⤵PID:1224
-
C:\Windows\SysWOW64\Niijdq32.exeC:\Windows\system32\Niijdq32.exe69⤵PID:2680
-
C:\Windows\SysWOW64\Nhljpmlm.exeC:\Windows\system32\Nhljpmlm.exe70⤵PID:1540
-
C:\Windows\SysWOW64\Nlgfqldf.exeC:\Windows\system32\Nlgfqldf.exe71⤵PID:2816
-
C:\Windows\SysWOW64\Njjfli32.exeC:\Windows\system32\Njjfli32.exe72⤵PID:3028
-
C:\Windows\SysWOW64\Nbaomf32.exeC:\Windows\system32\Nbaomf32.exe73⤵PID:1100
-
C:\Windows\SysWOW64\Nepkia32.exeC:\Windows\system32\Nepkia32.exe74⤵PID:2876
-
C:\Windows\SysWOW64\Ncbkenba.exeC:\Windows\system32\Ncbkenba.exe75⤵PID:1108
-
C:\Windows\SysWOW64\Nhngem32.exeC:\Windows\system32\Nhngem32.exe76⤵PID:1672
-
C:\Windows\SysWOW64\Nljcflbd.exeC:\Windows\system32\Nljcflbd.exe77⤵PID:1504
-
C:\Windows\SysWOW64\Njlcah32.exeC:\Windows\system32\Njlcah32.exe78⤵
- Drops file in System32 directory
PID:1872 -
C:\Windows\SysWOW64\Nmkpnd32.exeC:\Windows\system32\Nmkpnd32.exe79⤵PID:764
-
C:\Windows\SysWOW64\Nebgoa32.exeC:\Windows\system32\Nebgoa32.exe80⤵PID:992
-
C:\Windows\SysWOW64\Ndehjnpo.exeC:\Windows\system32\Ndehjnpo.exe81⤵PID:2848
-
C:\Windows\SysWOW64\Nhpdkm32.exeC:\Windows\system32\Nhpdkm32.exe82⤵PID:1548
-
C:\Windows\SysWOW64\Njopgh32.exeC:\Windows\system32\Njopgh32.exe83⤵PID:268
-
C:\Windows\SysWOW64\Nnjlhg32.exeC:\Windows\system32\Nnjlhg32.exe84⤵PID:2636
-
C:\Windows\SysWOW64\Nmmlccfp.exeC:\Windows\system32\Nmmlccfp.exe85⤵PID:1748
-
C:\Windows\SysWOW64\Naihdb32.exeC:\Windows\system32\Naihdb32.exe86⤵PID:2748
-
C:\Windows\SysWOW64\Ndgdpn32.exeC:\Windows\system32\Ndgdpn32.exe87⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1148 -
C:\Windows\SysWOW64\Nhbqqlfe.exeC:\Windows\system32\Nhbqqlfe.exe88⤵PID:2396
-
C:\Windows\SysWOW64\Njammhei.exeC:\Windows\system32\Njammhei.exe89⤵
- Drops file in System32 directory
PID:2028 -
C:\Windows\SysWOW64\Nidmhd32.exeC:\Windows\system32\Nidmhd32.exe90⤵
- Drops file in System32 directory
PID:2280 -
C:\Windows\SysWOW64\Nakeib32.exeC:\Windows\system32\Nakeib32.exe91⤵PID:1800
-
C:\Windows\SysWOW64\Ndiaem32.exeC:\Windows\system32\Ndiaem32.exe92⤵PID:2328
-
C:\Windows\SysWOW64\Nblaajbd.exeC:\Windows\system32\Nblaajbd.exe93⤵PID:2244
-
C:\Windows\SysWOW64\Njcibgcf.exeC:\Windows\system32\Njcibgcf.exe94⤵
- Drops file in System32 directory
PID:2676 -
C:\Windows\SysWOW64\Nmbenc32.exeC:\Windows\system32\Nmbenc32.exe95⤵PID:2616
-
C:\Windows\SysWOW64\Oppbjn32.exeC:\Windows\system32\Oppbjn32.exe96⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1624 -
C:\Windows\SysWOW64\Obonfj32.exeC:\Windows\system32\Obonfj32.exe97⤵PID:308
-
C:\Windows\SysWOW64\Oiifcdhn.exeC:\Windows\system32\Oiifcdhn.exe98⤵PID:2372
-
C:\Windows\SysWOW64\Ooeolkff.exeC:\Windows\system32\Ooeolkff.exe99⤵
- Modifies registry class
PID:316 -
C:\Windows\SysWOW64\Obakli32.exeC:\Windows\system32\Obakli32.exe100⤵PID:2840
-
C:\Windows\SysWOW64\Ohncdp32.exeC:\Windows\system32\Ohncdp32.exe101⤵PID:2172
-
C:\Windows\SysWOW64\Olioeoeo.exeC:\Windows\system32\Olioeoeo.exe102⤵PID:1688
-
C:\Windows\SysWOW64\Obcgaill.exeC:\Windows\system32\Obcgaill.exe103⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2964 -
C:\Windows\SysWOW64\Oebdndlp.exeC:\Windows\system32\Oebdndlp.exe104⤵PID:2300
-
C:\Windows\SysWOW64\Ollljo32.exeC:\Windows\system32\Ollljo32.exe105⤵
- Modifies registry class
PID:2000 -
C:\Windows\SysWOW64\Okolfkjg.exeC:\Windows\system32\Okolfkjg.exe106⤵PID:2728
-
C:\Windows\SysWOW64\Oahdce32.exeC:\Windows\system32\Oahdce32.exe107⤵PID:1532
-
C:\Windows\SysWOW64\Odgqoa32.exeC:\Windows\system32\Odgqoa32.exe108⤵PID:1916
-
C:\Windows\SysWOW64\Olnipn32.exeC:\Windows\system32\Olnipn32.exe109⤵
- System Location Discovery: System Language Discovery
PID:2492 -
C:\Windows\SysWOW64\Okailkhd.exeC:\Windows\system32\Okailkhd.exe110⤵PID:2944
-
C:\Windows\SysWOW64\Omoehf32.exeC:\Windows\system32\Omoehf32.exe111⤵PID:1068
-
C:\Windows\SysWOW64\Oefmid32.exeC:\Windows\system32\Oefmid32.exe112⤵PID:2332
-
C:\Windows\SysWOW64\Pghjqlmi.exeC:\Windows\system32\Pghjqlmi.exe113⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2176 -
C:\Windows\SysWOW64\Pooaaink.exeC:\Windows\system32\Pooaaink.exe114⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1352 -
C:\Windows\SysWOW64\Pamnnemo.exeC:\Windows\system32\Pamnnemo.exe115⤵
- Modifies registry class
PID:2284 -
C:\Windows\SysWOW64\Pdljjplb.exeC:\Windows\system32\Pdljjplb.exe116⤵PID:572
-
C:\Windows\SysWOW64\Pkebgj32.exeC:\Windows\system32\Pkebgj32.exe117⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1444 -
C:\Windows\SysWOW64\Papkcd32.exeC:\Windows\system32\Papkcd32.exe118⤵PID:2804
-
C:\Windows\SysWOW64\Pcagkmaj.exeC:\Windows\system32\Pcagkmaj.exe119⤵PID:340
-
C:\Windows\SysWOW64\Pkholjam.exeC:\Windows\system32\Pkholjam.exe120⤵PID:2168
-
C:\Windows\SysWOW64\Pnfkheap.exeC:\Windows\system32\Pnfkheap.exe121⤵PID:2256
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-