Analysis
-
max time kernel
118s -
max time network
119s -
platform
windows7_x64 -
resource
win7-20240708-en -
resource tags
arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system -
submitted
22/08/2024, 10:56
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
b53005bfa21b4db0a017897a7d10e6c0N.exe
Resource
win7-20240708-en
windows7-x64
8 signatures
120 seconds
Behavioral task
behavioral2
Sample
b53005bfa21b4db0a017897a7d10e6c0N.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
7 signatures
120 seconds
General
-
Target
b53005bfa21b4db0a017897a7d10e6c0N.exe
-
Size
96KB
-
MD5
b53005bfa21b4db0a017897a7d10e6c0
-
SHA1
967fc7e898d5a1986ba97651091a15834da6d041
-
SHA256
35d998fbea78a15d6cb0bc17bacbb907b3b14bcd65ec220cbe88a781afce753b
-
SHA512
01e71ee1a3440ea8f28d66828c0371fcd380579e7a93fe217e5cf94065f92541c6b0241dcf8f6861170bd829c484689aca34c67f552cf7093f1d87922ec49bfd
-
SSDEEP
1536:XO3ME/qSwACzfK8wCnsbKKHxZuTz7oFahOPgCbuWx5duV9jojTIvjrH:XOcE/qSwnzpwCnGMz7oFahOPgMLHd69J
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dphhka32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kckhdg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Afgnkilf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ebappk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Blnpddeo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Immjnj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pllkpn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ffbmfo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cjoilfek.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cmqihg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Qjfalj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mdojnm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bakaaepk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cppobaeb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ojmbgh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cqjhcfpc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dcjaeamd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fenphjei.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bpcfcddp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dphhka32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gdcmig32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ioiidfon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Okinik32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pncjad32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Penihe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bnicbh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dkjpdcfj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hhcndhap.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pjlgle32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bfjkphjd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bimphc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Abhlak32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hljaigmo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pflbpg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pcbookpp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ggfbpaeo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ebialmjb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mpkhoj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Diqmcgca.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dfinam32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dpfkeb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kppldhla.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ofaolcmh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dfkclf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fllaopcg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aiknnf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Endklmlq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hkpnjd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pfeeff32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Apnfno32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bknmok32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Enmnahnm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Akdafn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fpgnoo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nqpmimbe.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Joppeeif.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nklopg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bheaiekc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ppopja32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dcjjkkji.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nhbciaki.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Halcmn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Oqmmbqgd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ppipdl32.exe -
Executes dropped EXE 64 IoCs
pid Process 2872 Mkofaj32.exe 2992 Mgegfk32.exe 2732 Mkacfiga.exe 2612 Mpnkopeh.exe 2400 Mghckj32.exe 1048 Mnblhddb.exe 2316 Mpphdpcf.exe 2924 Mjilmejf.exe 2900 Moeeelhn.exe 2816 Mhninb32.exe 1748 Nohaklfk.exe 2332 Nhpfdaml.exe 2156 Nkobpmlo.exe 2052 Nhbciaki.exe 1720 Nomkfk32.exe 1400 Nnokahip.exe 676 Nhepoaif.exe 1796 Nnahgh32.exe 2384 Nbmdhfog.exe 1728 Ndlpdbnj.exe 1948 Nbpqmfmd.exe 1524 Okhefl32.exe 984 Omiand32.exe 872 Ojmbgh32.exe 2776 Omlncc32.exe 3004 Opjkpo32.exe 2760 Ofdclinq.exe 2936 Ochcem32.exe 2572 Offpbi32.exe 1192 Ojblbgdg.exe 3020 Oielnd32.exe 2960 Oekmceaf.exe 2464 Opaqpn32.exe 1184 Pfkimhhi.exe 2804 Penihe32.exe 2808 Padjmfdg.exe 2108 Pepfnd32.exe 2012 Phobjp32.exe 2248 Pnhjgj32.exe 2040 Paggce32.exe 2336 Pllkpn32.exe 2096 Pnkglj32.exe 1108 Peeoidik.exe 2608 Pfflql32.exe 1536 Pnmdbi32.exe 2540 Palpneop.exe 2480 Ppopja32.exe 2204 Phehko32.exe 2796 Qjddgj32.exe 2696 Qigebglj.exe 2944 Qpamoa32.exe 2684 Qdlipplq.exe 2076 Qfkelkkd.exe 3008 Qjfalj32.exe 2844 Qlgndbil.exe 2180 Qpcjeaad.exe 2744 Qbafalph.exe 1716 Afmbak32.exe 1740 Aiknnf32.exe 1788 Amgjnepn.exe 2420 Aljjjb32.exe 3040 Aohgfm32.exe 496 Afpogk32.exe 1472 Aebobgmi.exe -
Loads dropped DLL 64 IoCs
pid Process 2672 b53005bfa21b4db0a017897a7d10e6c0N.exe 2672 b53005bfa21b4db0a017897a7d10e6c0N.exe 2872 Mkofaj32.exe 2872 Mkofaj32.exe 2992 Mgegfk32.exe 2992 Mgegfk32.exe 2732 Mkacfiga.exe 2732 Mkacfiga.exe 2612 Mpnkopeh.exe 2612 Mpnkopeh.exe 2400 Mghckj32.exe 2400 Mghckj32.exe 1048 Mnblhddb.exe 1048 Mnblhddb.exe 2316 Mpphdpcf.exe 2316 Mpphdpcf.exe 2924 Mjilmejf.exe 2924 Mjilmejf.exe 2900 Moeeelhn.exe 2900 Moeeelhn.exe 2816 Mhninb32.exe 2816 Mhninb32.exe 1748 Nohaklfk.exe 1748 Nohaklfk.exe 2332 Nhpfdaml.exe 2332 Nhpfdaml.exe 2156 Nkobpmlo.exe 2156 Nkobpmlo.exe 2052 Nhbciaki.exe 2052 Nhbciaki.exe 1720 Nomkfk32.exe 1720 Nomkfk32.exe 1400 Nnokahip.exe 1400 Nnokahip.exe 676 Nhepoaif.exe 676 Nhepoaif.exe 1796 Nnahgh32.exe 1796 Nnahgh32.exe 2384 Nbmdhfog.exe 2384 Nbmdhfog.exe 1728 Ndlpdbnj.exe 1728 Ndlpdbnj.exe 1948 Nbpqmfmd.exe 1948 Nbpqmfmd.exe 1524 Okhefl32.exe 1524 Okhefl32.exe 984 Omiand32.exe 984 Omiand32.exe 872 Ojmbgh32.exe 872 Ojmbgh32.exe 2776 Omlncc32.exe 2776 Omlncc32.exe 3004 Opjkpo32.exe 3004 Opjkpo32.exe 2760 Ofdclinq.exe 2760 Ofdclinq.exe 2936 Ochcem32.exe 2936 Ochcem32.exe 2572 Offpbi32.exe 2572 Offpbi32.exe 1192 Ojblbgdg.exe 1192 Ojblbgdg.exe 3020 Oielnd32.exe 3020 Oielnd32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Ejfllhao.exe Ebockkal.exe File created C:\Windows\SysWOW64\Joppeeif.exe Imacijjb.exe File opened for modification C:\Windows\SysWOW64\Pfqlkfoc.exe Pcbookpp.exe File opened for modification C:\Windows\SysWOW64\Mgnfji32.exe Mdojnm32.exe File opened for modification C:\Windows\SysWOW64\Bhjneadb.exe Bpcfcddp.exe File created C:\Windows\SysWOW64\Cchdpbog.exe Cqjhcfpc.exe File opened for modification C:\Windows\SysWOW64\Pfflql32.exe Peeoidik.exe File opened for modification C:\Windows\SysWOW64\Njeelc32.exe Nggipg32.exe File opened for modification C:\Windows\SysWOW64\Imogcj32.exe Iickckcl.exe File created C:\Windows\SysWOW64\Apenjhfe.dll Mlahdkjc.exe File opened for modification C:\Windows\SysWOW64\Einebddd.exe Eebibf32.exe File opened for modification C:\Windows\SysWOW64\Gckfpc32.exe Gpmjcg32.exe File opened for modification C:\Windows\SysWOW64\Mkdioh32.exe Mlahdkjc.exe File opened for modification C:\Windows\SysWOW64\Pgibdjln.exe Oqojhp32.exe File opened for modification C:\Windows\SysWOW64\Offpbi32.exe Ochcem32.exe File created C:\Windows\SysWOW64\Mcggef32.exe Mpikik32.exe File created C:\Windows\SysWOW64\Alhina32.dll Glckihcg.exe File opened for modification C:\Windows\SysWOW64\Aldfcpjn.exe Aifjgdkj.exe File created C:\Windows\SysWOW64\Jdhpfnbe.dll Cqjhcfpc.exe File created C:\Windows\SysWOW64\Dfngll32.exe Dqaode32.exe File created C:\Windows\SysWOW64\Pbihnp32.dll Adblnnbk.exe File created C:\Windows\SysWOW64\Eccjdobp.dll Ejfllhao.exe File created C:\Windows\SysWOW64\Ffbmfo32.exe Edcqjc32.exe File created C:\Windows\SysWOW64\Fjglncdn.dll Jmocbnop.exe File created C:\Windows\SysWOW64\Jajdfk32.dll Cmqihg32.exe File created C:\Windows\SysWOW64\Keigbd32.dll Hhfkihon.exe File created C:\Windows\SysWOW64\Djqdbbek.dll Pmmqmpdm.exe File created C:\Windows\SysWOW64\Cdgjcl32.dll Elaeeb32.exe File created C:\Windows\SysWOW64\Nnjklb32.exe Nklopg32.exe File created C:\Windows\SysWOW64\Cjgmmkof.dll Nlohmonb.exe File created C:\Windows\SysWOW64\Nglaha32.dll Ejklan32.exe File opened for modification C:\Windows\SysWOW64\Lalhgogb.exe Lonlkcho.exe File created C:\Windows\SysWOW64\Cceapl32.exe Cpgecq32.exe File created C:\Windows\SysWOW64\Djafaf32.exe Cbjnqh32.exe File created C:\Windows\SysWOW64\Dkbioqbg.dll Ojmbgh32.exe File opened for modification C:\Windows\SysWOW64\Dpfkeb32.exe Dkjpdcfj.exe File opened for modification C:\Windows\SysWOW64\Llkbcl32.exe Lmhbgpia.exe File created C:\Windows\SysWOW64\Hijhhl32.exe Genlgnhd.exe File created C:\Windows\SysWOW64\Ikfdkc32.exe Igkhjdde.exe File created C:\Windows\SysWOW64\Nladco32.exe Njchfc32.exe File created C:\Windows\SysWOW64\Aaaqjc32.dll Ojblbgdg.exe File opened for modification C:\Windows\SysWOW64\Jjlmkb32.exe Jkimpfmg.exe File created C:\Windows\SysWOW64\Lcpnpp32.dll Mpkhoj32.exe File created C:\Windows\SysWOW64\Amoibc32.exe Aicmadmm.exe File created C:\Windows\SysWOW64\Baboljno.dll Dfhgggim.exe File opened for modification C:\Windows\SysWOW64\Opjkpo32.exe Omlncc32.exe File opened for modification C:\Windows\SysWOW64\Iickckcl.exe Ifengpdh.exe File created C:\Windows\SysWOW64\Fbpclofe.exe Fkilka32.exe File opened for modification C:\Windows\SysWOW64\Jbphgpfg.exe Joblkegc.exe File created C:\Windows\SysWOW64\Kimjhnnl.exe Keango32.exe File created C:\Windows\SysWOW64\Qdkcda32.dll Ppipdl32.exe File opened for modification C:\Windows\SysWOW64\Dinpnged.exe Dfpcblfp.exe File created C:\Windows\SysWOW64\Hhcndhap.exe Hfebhmbm.exe File opened for modification C:\Windows\SysWOW64\Nhkbmo32.exe Njhbabif.exe File opened for modification C:\Windows\SysWOW64\Nkobpmlo.exe Nhpfdaml.exe File created C:\Windows\SysWOW64\Iemkpefi.dll Dijfch32.exe File opened for modification C:\Windows\SysWOW64\Fllaopcg.exe Einebddd.exe File opened for modification C:\Windows\SysWOW64\Ojblbgdg.exe Offpbi32.exe File opened for modification C:\Windows\SysWOW64\Pcpbik32.exe Paafmp32.exe File opened for modification C:\Windows\SysWOW64\Bedamd32.exe Bceeqi32.exe File created C:\Windows\SysWOW64\Dnhefh32.exe Dkjhjm32.exe File created C:\Windows\SysWOW64\Ekfhjgmd.dll Bccoeo32.exe File created C:\Windows\SysWOW64\Eiabmg32.dll Ekghcq32.exe File created C:\Windows\SysWOW64\Gonakpgj.dll Padjmfdg.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 5224 5340 WerFault.exe 571 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eaqkcimg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gckfpc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hhcndhap.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fenphjei.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lehdhn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cjhckg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qpcjeaad.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Afpogk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Abhlak32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ckomqopi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nddcimag.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Odacbpee.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oqojhp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pbglpg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Addhcn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bdaojbjf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hljaigmo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pcpbik32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fllaopcg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Igpaec32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Epeajo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mjilmejf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cpgecq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cjoilfek.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Genlgnhd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ofdclinq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hdjoii32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iciopdca.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Npkdnnfk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Amjpgdik.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cbjnqh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Okhefl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Padjmfdg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hokjkbkp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kjpceebh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mcidkf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eikimeff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cngcll32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hajfgnjc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jnifaajh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aldfcpjn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oiahnnji.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bbqkeioh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cppobaeb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Peeoidik.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Babbng32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mnhnfckm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Njeelc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aadobccg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cgnpjkhj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dfhgggim.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nnokahip.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lmhbgpia.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ochcem32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aohgfm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dcmnja32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Naegmabc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oqkpmaif.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aocbokia.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ddbmcb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bheaiekc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cmqihg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ddkgbc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dbadagln.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Olcdph32.dll" Allgoa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Gaeqmk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Djqdbbek.dll" Pmmqmpdm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pomebdea.dll" Kckhdg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Plbmom32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Clkicbfa.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kimjhnnl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Chbihc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Heldbm32.dll" Pnkglj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bdaojbjf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Einlmkhp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fpgnoo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Nbmdhfog.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Dmcfngde.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Glckihcg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bdckobhd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ifengpdh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Deafohkc.dll" Onjgkf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Baboljno.dll" Dfhgggim.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ggoekd32.dll" Ggfbpaeo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbgclj32.dll" Ijlaloaf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bjbmip32.dll" Ibibfa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hkpnjd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iifpfl32.dll" Ockinl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bafhff32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nmkmnp32.dll" Eebibf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Qfkelkkd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Diqmcgca.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Gajjhkgh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Gcppkbia.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oebblmoe.dll" Hcblqb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ahhaobfe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Eaqkcimg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Npkdnnfk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iokhldhb.dll" Blnpddeo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bgddam32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kbbakc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Lajkbp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Lmeebpkd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Nnjklb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Okhefl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Blnpddeo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dfinam32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mnbdeb32.dll" Kjbclamj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnknlm32.dll" Cgjgol32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pnhjgj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Aoaill32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ncofng32.dll" Gckfpc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Offpbi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ifgklp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Epeajo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Fhjoof32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bogljj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nanhfpff.dll" Llpoohik.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bpblmaab.dll" Anecfgdc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dglpdomh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bkkgfm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ppgeni32.dll" Fejfmk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eojkndbh.dll" Hcdifa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Knohabdl.dll" Aljjjb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bafmhm32.dll" Djafaf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Dnjalhpp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mpbelhkp.dll" Njalacon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cbjnqh32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2672 wrote to memory of 2872 2672 b53005bfa21b4db0a017897a7d10e6c0N.exe 30 PID 2672 wrote to memory of 2872 2672 b53005bfa21b4db0a017897a7d10e6c0N.exe 30 PID 2672 wrote to memory of 2872 2672 b53005bfa21b4db0a017897a7d10e6c0N.exe 30 PID 2672 wrote to memory of 2872 2672 b53005bfa21b4db0a017897a7d10e6c0N.exe 30 PID 2872 wrote to memory of 2992 2872 Mkofaj32.exe 31 PID 2872 wrote to memory of 2992 2872 Mkofaj32.exe 31 PID 2872 wrote to memory of 2992 2872 Mkofaj32.exe 31 PID 2872 wrote to memory of 2992 2872 Mkofaj32.exe 31 PID 2992 wrote to memory of 2732 2992 Mgegfk32.exe 32 PID 2992 wrote to memory of 2732 2992 Mgegfk32.exe 32 PID 2992 wrote to memory of 2732 2992 Mgegfk32.exe 32 PID 2992 wrote to memory of 2732 2992 Mgegfk32.exe 32 PID 2732 wrote to memory of 2612 2732 Mkacfiga.exe 33 PID 2732 wrote to memory of 2612 2732 Mkacfiga.exe 33 PID 2732 wrote to memory of 2612 2732 Mkacfiga.exe 33 PID 2732 wrote to memory of 2612 2732 Mkacfiga.exe 33 PID 2612 wrote to memory of 2400 2612 Mpnkopeh.exe 34 PID 2612 wrote to memory of 2400 2612 Mpnkopeh.exe 34 PID 2612 wrote to memory of 2400 2612 Mpnkopeh.exe 34 PID 2612 wrote to memory of 2400 2612 Mpnkopeh.exe 34 PID 2400 wrote to memory of 1048 2400 Mghckj32.exe 35 PID 2400 wrote to memory of 1048 2400 Mghckj32.exe 35 PID 2400 wrote to memory of 1048 2400 Mghckj32.exe 35 PID 2400 wrote to memory of 1048 2400 Mghckj32.exe 35 PID 1048 wrote to memory of 2316 1048 Mnblhddb.exe 36 PID 1048 wrote to memory of 2316 1048 Mnblhddb.exe 36 PID 1048 wrote to memory of 2316 1048 Mnblhddb.exe 36 PID 1048 wrote to memory of 2316 1048 Mnblhddb.exe 36 PID 2316 wrote to memory of 2924 2316 Mpphdpcf.exe 37 PID 2316 wrote to memory of 2924 2316 Mpphdpcf.exe 37 PID 2316 wrote to memory of 2924 2316 Mpphdpcf.exe 37 PID 2316 wrote to memory of 2924 2316 Mpphdpcf.exe 37 PID 2924 wrote to memory of 2900 2924 Mjilmejf.exe 38 PID 2924 wrote to memory of 2900 2924 Mjilmejf.exe 38 PID 2924 wrote to memory of 2900 2924 Mjilmejf.exe 38 PID 2924 wrote to memory of 2900 2924 Mjilmejf.exe 38 PID 2900 wrote to memory of 2816 2900 Moeeelhn.exe 39 PID 2900 wrote to memory of 2816 2900 Moeeelhn.exe 39 PID 2900 wrote to memory of 2816 2900 Moeeelhn.exe 39 PID 2900 wrote to memory of 2816 2900 Moeeelhn.exe 39 PID 2816 wrote to memory of 1748 2816 Mhninb32.exe 40 PID 2816 wrote to memory of 1748 2816 Mhninb32.exe 40 PID 2816 wrote to memory of 1748 2816 Mhninb32.exe 40 PID 2816 wrote to memory of 1748 2816 Mhninb32.exe 40 PID 1748 wrote to memory of 2332 1748 Nohaklfk.exe 41 PID 1748 wrote to memory of 2332 1748 Nohaklfk.exe 41 PID 1748 wrote to memory of 2332 1748 Nohaklfk.exe 41 PID 1748 wrote to memory of 2332 1748 Nohaklfk.exe 41 PID 2332 wrote to memory of 2156 2332 Nhpfdaml.exe 42 PID 2332 wrote to memory of 2156 2332 Nhpfdaml.exe 42 PID 2332 wrote to memory of 2156 2332 Nhpfdaml.exe 42 PID 2332 wrote to memory of 2156 2332 Nhpfdaml.exe 42 PID 2156 wrote to memory of 2052 2156 Nkobpmlo.exe 43 PID 2156 wrote to memory of 2052 2156 Nkobpmlo.exe 43 PID 2156 wrote to memory of 2052 2156 Nkobpmlo.exe 43 PID 2156 wrote to memory of 2052 2156 Nkobpmlo.exe 43 PID 2052 wrote to memory of 1720 2052 Nhbciaki.exe 44 PID 2052 wrote to memory of 1720 2052 Nhbciaki.exe 44 PID 2052 wrote to memory of 1720 2052 Nhbciaki.exe 44 PID 2052 wrote to memory of 1720 2052 Nhbciaki.exe 44 PID 1720 wrote to memory of 1400 1720 Nomkfk32.exe 45 PID 1720 wrote to memory of 1400 1720 Nomkfk32.exe 45 PID 1720 wrote to memory of 1400 1720 Nomkfk32.exe 45 PID 1720 wrote to memory of 1400 1720 Nomkfk32.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\b53005bfa21b4db0a017897a7d10e6c0N.exe"C:\Users\Admin\AppData\Local\Temp\b53005bfa21b4db0a017897a7d10e6c0N.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2672 -
C:\Windows\SysWOW64\Mkofaj32.exeC:\Windows\system32\Mkofaj32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2872 -
C:\Windows\SysWOW64\Mgegfk32.exeC:\Windows\system32\Mgegfk32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2992 -
C:\Windows\SysWOW64\Mkacfiga.exeC:\Windows\system32\Mkacfiga.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2732 -
C:\Windows\SysWOW64\Mpnkopeh.exeC:\Windows\system32\Mpnkopeh.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2612 -
C:\Windows\SysWOW64\Mghckj32.exeC:\Windows\system32\Mghckj32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2400 -
C:\Windows\SysWOW64\Mnblhddb.exeC:\Windows\system32\Mnblhddb.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1048 -
C:\Windows\SysWOW64\Mpphdpcf.exeC:\Windows\system32\Mpphdpcf.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2316 -
C:\Windows\SysWOW64\Mjilmejf.exeC:\Windows\system32\Mjilmejf.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2924 -
C:\Windows\SysWOW64\Moeeelhn.exeC:\Windows\system32\Moeeelhn.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2900 -
C:\Windows\SysWOW64\Mhninb32.exeC:\Windows\system32\Mhninb32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2816 -
C:\Windows\SysWOW64\Nohaklfk.exeC:\Windows\system32\Nohaklfk.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1748 -
C:\Windows\SysWOW64\Nhpfdaml.exeC:\Windows\system32\Nhpfdaml.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2332 -
C:\Windows\SysWOW64\Nkobpmlo.exeC:\Windows\system32\Nkobpmlo.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2156 -
C:\Windows\SysWOW64\Nhbciaki.exeC:\Windows\system32\Nhbciaki.exe15⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2052 -
C:\Windows\SysWOW64\Nomkfk32.exeC:\Windows\system32\Nomkfk32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1720 -
C:\Windows\SysWOW64\Nnokahip.exeC:\Windows\system32\Nnokahip.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1400 -
C:\Windows\SysWOW64\Nhepoaif.exeC:\Windows\system32\Nhepoaif.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:676 -
C:\Windows\SysWOW64\Nnahgh32.exeC:\Windows\system32\Nnahgh32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1796 -
C:\Windows\SysWOW64\Nbmdhfog.exeC:\Windows\system32\Nbmdhfog.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2384 -
C:\Windows\SysWOW64\Ndlpdbnj.exeC:\Windows\system32\Ndlpdbnj.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1728 -
C:\Windows\SysWOW64\Nbpqmfmd.exeC:\Windows\system32\Nbpqmfmd.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1948 -
C:\Windows\SysWOW64\Okhefl32.exeC:\Windows\system32\Okhefl32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1524 -
C:\Windows\SysWOW64\Omiand32.exeC:\Windows\system32\Omiand32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:984 -
C:\Windows\SysWOW64\Ojmbgh32.exeC:\Windows\system32\Ojmbgh32.exe25⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:872 -
C:\Windows\SysWOW64\Omlncc32.exeC:\Windows\system32\Omlncc32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2776 -
C:\Windows\SysWOW64\Opjkpo32.exeC:\Windows\system32\Opjkpo32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3004 -
C:\Windows\SysWOW64\Ofdclinq.exeC:\Windows\system32\Ofdclinq.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2760 -
C:\Windows\SysWOW64\Ochcem32.exeC:\Windows\system32\Ochcem32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2936 -
C:\Windows\SysWOW64\Offpbi32.exeC:\Windows\system32\Offpbi32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:2572 -
C:\Windows\SysWOW64\Ojblbgdg.exeC:\Windows\system32\Ojblbgdg.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1192 -
C:\Windows\SysWOW64\Oielnd32.exeC:\Windows\system32\Oielnd32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3020 -
C:\Windows\SysWOW64\Oekmceaf.exeC:\Windows\system32\Oekmceaf.exe33⤵
- Executes dropped EXE
PID:2960 -
C:\Windows\SysWOW64\Opaqpn32.exeC:\Windows\system32\Opaqpn32.exe34⤵
- Executes dropped EXE
PID:2464 -
C:\Windows\SysWOW64\Pfkimhhi.exeC:\Windows\system32\Pfkimhhi.exe35⤵
- Executes dropped EXE
PID:1184 -
C:\Windows\SysWOW64\Penihe32.exeC:\Windows\system32\Penihe32.exe36⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2804 -
C:\Windows\SysWOW64\Padjmfdg.exeC:\Windows\system32\Padjmfdg.exe37⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2808 -
C:\Windows\SysWOW64\Pepfnd32.exeC:\Windows\system32\Pepfnd32.exe38⤵
- Executes dropped EXE
PID:2108 -
C:\Windows\SysWOW64\Phobjp32.exeC:\Windows\system32\Phobjp32.exe39⤵
- Executes dropped EXE
PID:2012 -
C:\Windows\SysWOW64\Pnhjgj32.exeC:\Windows\system32\Pnhjgj32.exe40⤵
- Executes dropped EXE
- Modifies registry class
PID:2248 -
C:\Windows\SysWOW64\Paggce32.exeC:\Windows\system32\Paggce32.exe41⤵
- Executes dropped EXE
PID:2040 -
C:\Windows\SysWOW64\Pllkpn32.exeC:\Windows\system32\Pllkpn32.exe42⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2336 -
C:\Windows\SysWOW64\Pnkglj32.exeC:\Windows\system32\Pnkglj32.exe43⤵
- Executes dropped EXE
- Modifies registry class
PID:2096 -
C:\Windows\SysWOW64\Peeoidik.exeC:\Windows\system32\Peeoidik.exe44⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1108 -
C:\Windows\SysWOW64\Pfflql32.exeC:\Windows\system32\Pfflql32.exe45⤵
- Executes dropped EXE
PID:2608 -
C:\Windows\SysWOW64\Pnmdbi32.exeC:\Windows\system32\Pnmdbi32.exe46⤵
- Executes dropped EXE
PID:1536 -
C:\Windows\SysWOW64\Palpneop.exeC:\Windows\system32\Palpneop.exe47⤵
- Executes dropped EXE
PID:2540 -
C:\Windows\SysWOW64\Ppopja32.exeC:\Windows\system32\Ppopja32.exe48⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2480 -
C:\Windows\SysWOW64\Phehko32.exeC:\Windows\system32\Phehko32.exe49⤵
- Executes dropped EXE
PID:2204 -
C:\Windows\SysWOW64\Qjddgj32.exeC:\Windows\system32\Qjddgj32.exe50⤵
- Executes dropped EXE
PID:2796 -
C:\Windows\SysWOW64\Qigebglj.exeC:\Windows\system32\Qigebglj.exe51⤵
- Executes dropped EXE
PID:2696 -
C:\Windows\SysWOW64\Qpamoa32.exeC:\Windows\system32\Qpamoa32.exe52⤵
- Executes dropped EXE
PID:2944 -
C:\Windows\SysWOW64\Qdlipplq.exeC:\Windows\system32\Qdlipplq.exe53⤵
- Executes dropped EXE
PID:2684 -
C:\Windows\SysWOW64\Qfkelkkd.exeC:\Windows\system32\Qfkelkkd.exe54⤵
- Executes dropped EXE
- Modifies registry class
PID:2076 -
C:\Windows\SysWOW64\Qjfalj32.exeC:\Windows\system32\Qjfalj32.exe55⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3008 -
C:\Windows\SysWOW64\Qlgndbil.exeC:\Windows\system32\Qlgndbil.exe56⤵
- Executes dropped EXE
PID:2844 -
C:\Windows\SysWOW64\Qpcjeaad.exeC:\Windows\system32\Qpcjeaad.exe57⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2180 -
C:\Windows\SysWOW64\Qbafalph.exeC:\Windows\system32\Qbafalph.exe58⤵
- Executes dropped EXE
PID:2744 -
C:\Windows\SysWOW64\Afmbak32.exeC:\Windows\system32\Afmbak32.exe59⤵
- Executes dropped EXE
PID:1716 -
C:\Windows\SysWOW64\Aiknnf32.exeC:\Windows\system32\Aiknnf32.exe60⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1740 -
C:\Windows\SysWOW64\Amgjnepn.exeC:\Windows\system32\Amgjnepn.exe61⤵
- Executes dropped EXE
PID:1788 -
C:\Windows\SysWOW64\Aljjjb32.exeC:\Windows\system32\Aljjjb32.exe62⤵
- Executes dropped EXE
- Modifies registry class
PID:2420 -
C:\Windows\SysWOW64\Aohgfm32.exeC:\Windows\system32\Aohgfm32.exe63⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3040 -
C:\Windows\SysWOW64\Afpogk32.exeC:\Windows\system32\Afpogk32.exe64⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:496 -
C:\Windows\SysWOW64\Aebobgmi.exeC:\Windows\system32\Aebobgmi.exe65⤵
- Executes dropped EXE
PID:1472 -
C:\Windows\SysWOW64\Ahqkocmm.exeC:\Windows\system32\Ahqkocmm.exe66⤵PID:1940
-
C:\Windows\SysWOW64\Allgoa32.exeC:\Windows\system32\Allgoa32.exe67⤵
- Modifies registry class
PID:680 -
C:\Windows\SysWOW64\Abfoll32.exeC:\Windows\system32\Abfoll32.exe68⤵PID:2216
-
C:\Windows\SysWOW64\Aaipghcn.exeC:\Windows\system32\Aaipghcn.exe69⤵PID:2396
-
C:\Windows\SysWOW64\Aipgifcp.exeC:\Windows\system32\Aipgifcp.exe70⤵PID:1724
-
C:\Windows\SysWOW64\Alodeacc.exeC:\Windows\system32\Alodeacc.exe71⤵PID:1212
-
C:\Windows\SysWOW64\Akadpn32.exeC:\Windows\system32\Akadpn32.exe72⤵PID:2884
-
C:\Windows\SysWOW64\Abhlak32.exeC:\Windows\system32\Abhlak32.exe73⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:1412 -
C:\Windows\SysWOW64\Aeghng32.exeC:\Windows\system32\Aeghng32.exe74⤵PID:2976
-
C:\Windows\SysWOW64\Ahedjb32.exeC:\Windows\system32\Ahedjb32.exe75⤵PID:2184
-
C:\Windows\SysWOW64\Akdafn32.exeC:\Windows\system32\Akdafn32.exe76⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2080 -
C:\Windows\SysWOW64\Aoomflpd.exeC:\Windows\system32\Aoomflpd.exe77⤵PID:536
-
C:\Windows\SysWOW64\Aanibhoh.exeC:\Windows\system32\Aanibhoh.exe78⤵PID:2408
-
C:\Windows\SysWOW64\Ahhaobfe.exeC:\Windows\system32\Ahhaobfe.exe79⤵
- Modifies registry class
PID:1072 -
C:\Windows\SysWOW64\Agkako32.exeC:\Windows\system32\Agkako32.exe80⤵PID:1112
-
C:\Windows\SysWOW64\Aoaill32.exeC:\Windows\system32\Aoaill32.exe81⤵
- Modifies registry class
PID:864 -
C:\Windows\SysWOW64\Bapfhg32.exeC:\Windows\system32\Bapfhg32.exe82⤵PID:1452
-
C:\Windows\SysWOW64\Bpcfcddp.exeC:\Windows\system32\Bpcfcddp.exe83⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2288 -
C:\Windows\SysWOW64\Bhjneadb.exeC:\Windows\system32\Bhjneadb.exe84⤵PID:888
-
C:\Windows\SysWOW64\Bkhjamcf.exeC:\Windows\system32\Bkhjamcf.exe85⤵PID:1604
-
C:\Windows\SysWOW64\Bikjmj32.exeC:\Windows\system32\Bikjmj32.exe86⤵PID:2616
-
C:\Windows\SysWOW64\Babbng32.exeC:\Windows\system32\Babbng32.exe87⤵
- System Location Discovery: System Language Discovery
PID:3012 -
C:\Windows\SysWOW64\Bdaojbjf.exeC:\Windows\system32\Bdaojbjf.exe88⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2888 -
C:\Windows\SysWOW64\Bccoeo32.exeC:\Windows\system32\Bccoeo32.exe89⤵
- Drops file in System32 directory
PID:2952 -
C:\Windows\SysWOW64\Bkkgfm32.exeC:\Windows\system32\Bkkgfm32.exe90⤵
- Modifies registry class
PID:2144 -
C:\Windows\SysWOW64\Bnicbh32.exeC:\Windows\system32\Bnicbh32.exe91⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:540 -
C:\Windows\SysWOW64\Bphooc32.exeC:\Windows\system32\Bphooc32.exe92⤵PID:1124
-
C:\Windows\SysWOW64\Bdckobhd.exeC:\Windows\system32\Bdckobhd.exe93⤵
- Modifies registry class
PID:2236 -
C:\Windows\SysWOW64\Bgahkngh.exeC:\Windows\system32\Bgahkngh.exe94⤵PID:2164
-
C:\Windows\SysWOW64\Bedhgj32.exeC:\Windows\system32\Bedhgj32.exe95⤵PID:924
-
C:\Windows\SysWOW64\Blnpddeo.exeC:\Windows\system32\Blnpddeo.exe96⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2548 -
C:\Windows\SysWOW64\Bpjldc32.exeC:\Windows\system32\Bpjldc32.exe97⤵PID:2280
-
C:\Windows\SysWOW64\Bgddam32.exeC:\Windows\system32\Bgddam32.exe98⤵
- Modifies registry class
PID:1444 -
C:\Windows\SysWOW64\Bfgdmjlp.exeC:\Windows\system32\Bfgdmjlp.exe99⤵PID:1600
-
C:\Windows\SysWOW64\Bheaiekc.exeC:\Windows\system32\Bheaiekc.exe100⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:2564 -
C:\Windows\SysWOW64\Bplijcle.exeC:\Windows\system32\Bplijcle.exe101⤵PID:2640
-
C:\Windows\SysWOW64\Booiep32.exeC:\Windows\system32\Booiep32.exe102⤵PID:2368
-
C:\Windows\SysWOW64\Baneak32.exeC:\Windows\system32\Baneak32.exe103⤵PID:1100
-
C:\Windows\SysWOW64\Bjembh32.exeC:\Windows\system32\Bjembh32.exe104⤵PID:1900
-
C:\Windows\SysWOW64\Chgnneiq.exeC:\Windows\system32\Chgnneiq.exe105⤵PID:1256
-
C:\Windows\SysWOW64\Clciod32.exeC:\Windows\system32\Clciod32.exe106⤵PID:1148
-
C:\Windows\SysWOW64\Coafko32.exeC:\Windows\system32\Coafko32.exe107⤵PID:2948
-
C:\Windows\SysWOW64\Cbpbgk32.exeC:\Windows\system32\Cbpbgk32.exe108⤵PID:776
-
C:\Windows\SysWOW64\Cfknhi32.exeC:\Windows\system32\Cfknhi32.exe109⤵PID:2984
-
C:\Windows\SysWOW64\Chjjde32.exeC:\Windows\system32\Chjjde32.exe110⤵PID:2864
-
C:\Windows\SysWOW64\Clefdcog.exeC:\Windows\system32\Clefdcog.exe111⤵PID:1464
-
C:\Windows\SysWOW64\Codbqonk.exeC:\Windows\system32\Codbqonk.exe112⤵PID:2568
-
C:\Windows\SysWOW64\Cngcll32.exeC:\Windows\system32\Cngcll32.exe113⤵
- System Location Discovery: System Language Discovery
PID:2100 -
C:\Windows\SysWOW64\Cfnkmi32.exeC:\Windows\system32\Cfnkmi32.exe114⤵PID:1220
-
C:\Windows\SysWOW64\Cdqkifmb.exeC:\Windows\system32\Cdqkifmb.exe115⤵PID:1032
-
C:\Windows\SysWOW64\Cgogealf.exeC:\Windows\system32\Cgogealf.exe116⤵PID:2392
-
C:\Windows\SysWOW64\Cofofolh.exeC:\Windows\system32\Cofofolh.exe117⤵PID:2016
-
C:\Windows\SysWOW64\Cqglng32.exeC:\Windows\system32\Cqglng32.exe118⤵PID:1892
-
C:\Windows\SysWOW64\Cdchneko.exeC:\Windows\system32\Cdchneko.exe119⤵PID:944
-
C:\Windows\SysWOW64\Cgadja32.exeC:\Windows\system32\Cgadja32.exe120⤵PID:288
-
C:\Windows\SysWOW64\Cjppfl32.exeC:\Windows\system32\Cjppfl32.exe121⤵PID:2784
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-