Analysis
-
max time kernel
63s -
max time network
16s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
15/09/2024, 00:19
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
dbfa22b14ef46f446a0648383093f510N.exe
Resource
win7-20240903-en
windows7-x64
8 signatures
120 seconds
Behavioral task
behavioral2
Sample
dbfa22b14ef46f446a0648383093f510N.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
7 signatures
120 seconds
General
-
Target
dbfa22b14ef46f446a0648383093f510N.exe
-
Size
59KB
-
MD5
dbfa22b14ef46f446a0648383093f510
-
SHA1
e0606204f973b1d5c6225819a30b5927c6bf40fa
-
SHA256
ec0ad5360eaa07af4fdf691e46b25ea513eed42dfcac7ea44e172762494e57a0
-
SHA512
6f9267146cb8ff9353ac8d5f3f46c45f02efadb9d526698321da7235dc1b2d28968900a9091adfaa2f5be8ccbfb422ec70c1b87e2fb527136c8bb3d77f2c4384
-
SSDEEP
768:WIpnBEzOsKOXhAroCTfOK2l8rW8HP333333tSAZ/1H5o5nf1fZMEBFELvkVgFR:znBGDbAroCTfOKHW8puNCyVs
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nagbgl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eclbcj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iimfld32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kdklfe32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ahgofi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Diidjpbe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kofaicon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lgqkbb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jjpdmi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nhakcfab.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aodkci32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dfmeccao.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kmcjedcg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mhjcec32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ccmpce32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ijnkifgp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jnpkflne.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Macilmnk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bnqned32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Diaaeepi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fgldnkkf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gepafc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oajndh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ioooiack.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jlckbh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lhiakf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Halbai32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gkbcbn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pmpbdm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ipomlm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Njpihk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aknlofim.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hakkgc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lpcoeb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jagnlkjd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ofhjopbg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ahpifj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cpfmmf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hjgehgnh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ppkjac32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pomhcg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bieopm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Alddjg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hpjeialg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Biolanld.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bbgqjdce.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lcomce32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Clpabm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fjlmpfhg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Keqkofno.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hhhgcc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ndmecgba.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aobnniji.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oalkih32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qhkipdeb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aknngo32.exe -
Executes dropped EXE 64 IoCs
pid Process 2512 Hfpdkl32.exe 2176 Hllmcc32.exe 2744 Hnkion32.exe 2864 Heealhla.exe 2900 Hpjeialg.exe 1796 Halbai32.exe 2636 Hhejnc32.exe 2476 Hnpbjnpo.exe 1040 Heikgh32.exe 1716 Hhhgcc32.exe 1188 Hnbopmnm.exe 2080 Hapklimq.exe 1336 Hhjcic32.exe 2932 Hndlem32.exe 1868 Idadnd32.exe 1488 Ifoqjo32.exe 448 Iinmfk32.exe 2692 Iaeegh32.exe 1744 Ibfaopoi.exe 340 Ijmipn32.exe 1996 Imleli32.exe 908 Ipjahd32.exe 1044 Iibfajdc.exe 2168 Ilabmedg.exe 2440 Ioooiack.exe 2368 Iiecgjba.exe 1284 Ilcoce32.exe 2760 Ielclkhe.exe 2720 Jbpdeogo.exe 2028 Jabdql32.exe 2600 Jdaqmg32.exe 2656 Jlhhndno.exe 3064 Jniefm32.exe 540 Jepmgj32.exe 320 Joiappkp.exe 1508 Jagnlkjd.exe 1720 Jhafhe32.exe 1956 Jgdfdbhk.exe 1776 Jjbbpmgo.exe 1028 Jplkmgol.exe 1560 Jdhgnf32.exe 2100 Jgfcja32.exe 2584 Jnpkflne.exe 1596 Jlckbh32.exe 284 Kfkpknkq.exe 1676 Knbhlkkc.exe 2316 Kgkleabc.exe 2184 Kfnmpn32.exe 1820 Kofaicon.exe 1576 Kcamjb32.exe 2256 Kfpifm32.exe 2528 Kjleflod.exe 2984 Kljabgnh.exe 2788 Kcdjoaee.exe 2604 Kllnhg32.exe 1540 Kkoncdcp.exe 1840 Knnkpobc.exe 2916 Kbigpn32.exe 2920 Kdhcli32.exe 2492 Lkakicam.exe 2280 Lnpgeopa.exe 1252 Lqncaj32.exe 1876 Ldjpbign.exe 916 Lhelbh32.exe -
Loads dropped DLL 64 IoCs
pid Process 1724 dbfa22b14ef46f446a0648383093f510N.exe 1724 dbfa22b14ef46f446a0648383093f510N.exe 2512 Hfpdkl32.exe 2512 Hfpdkl32.exe 2176 Hllmcc32.exe 2176 Hllmcc32.exe 2744 Hnkion32.exe 2744 Hnkion32.exe 2864 Heealhla.exe 2864 Heealhla.exe 2900 Hpjeialg.exe 2900 Hpjeialg.exe 1796 Halbai32.exe 1796 Halbai32.exe 2636 Hhejnc32.exe 2636 Hhejnc32.exe 2476 Hnpbjnpo.exe 2476 Hnpbjnpo.exe 1040 Heikgh32.exe 1040 Heikgh32.exe 1716 Hhhgcc32.exe 1716 Hhhgcc32.exe 1188 Hnbopmnm.exe 1188 Hnbopmnm.exe 2080 Hapklimq.exe 2080 Hapklimq.exe 1336 Hhjcic32.exe 1336 Hhjcic32.exe 2932 Hndlem32.exe 2932 Hndlem32.exe 1868 Idadnd32.exe 1868 Idadnd32.exe 1488 Ifoqjo32.exe 1488 Ifoqjo32.exe 448 Iinmfk32.exe 448 Iinmfk32.exe 2692 Iaeegh32.exe 2692 Iaeegh32.exe 1744 Ibfaopoi.exe 1744 Ibfaopoi.exe 340 Ijmipn32.exe 340 Ijmipn32.exe 1996 Imleli32.exe 1996 Imleli32.exe 908 Ipjahd32.exe 908 Ipjahd32.exe 1044 Iibfajdc.exe 1044 Iibfajdc.exe 2168 Ilabmedg.exe 2168 Ilabmedg.exe 2440 Ioooiack.exe 2440 Ioooiack.exe 2368 Iiecgjba.exe 2368 Iiecgjba.exe 1284 Ilcoce32.exe 1284 Ilcoce32.exe 2760 Ielclkhe.exe 2760 Ielclkhe.exe 2720 Jbpdeogo.exe 2720 Jbpdeogo.exe 2028 Jabdql32.exe 2028 Jabdql32.exe 2600 Jdaqmg32.exe 2600 Jdaqmg32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Cicalakk.exe Cfeepelg.exe File created C:\Windows\SysWOW64\Hgccgk32.dll Hakkgc32.exe File opened for modification C:\Windows\SysWOW64\Ijehdl32.exe Ifjlcmmj.exe File opened for modification C:\Windows\SysWOW64\Fdiqpigl.exe Process not Found File opened for modification C:\Windows\SysWOW64\Dpjbgh32.exe Dlofgj32.exe File created C:\Windows\SysWOW64\Ihnoip32.dll Imleli32.exe File created C:\Windows\SysWOW64\Mnbpjb32.exe Mkddnf32.exe File opened for modification C:\Windows\SysWOW64\Anjlebjc.exe Akkoig32.exe File opened for modification C:\Windows\SysWOW64\Cjjkpe32.exe Cgkocj32.exe File created C:\Windows\SysWOW64\Enmkijgm.dll Jbjpom32.exe File created C:\Windows\SysWOW64\Oabhggjd.dll Bceibfgj.exe File opened for modification C:\Windows\SysWOW64\Nfdddm32.exe Nbhhdnlh.exe File created C:\Windows\SysWOW64\Mfmhch32.dll Aqjdgmgd.exe File opened for modification C:\Windows\SysWOW64\Iliebpfc.exe Ihniaa32.exe File created C:\Windows\SysWOW64\Idicbbpi.exe Iefcfe32.exe File created C:\Windows\SysWOW64\Akafaiao.dll Ndqkleln.exe File created C:\Windows\SysWOW64\Bgaebe32.exe Bceibfgj.exe File created C:\Windows\SysWOW64\Pofhpf32.dll Process not Found File created C:\Windows\SysWOW64\Eldhjg32.dll Hieiqo32.exe File created C:\Windows\SysWOW64\Ehpcehcj.exe Process not Found File created C:\Windows\SysWOW64\Kdnkdmec.exe Process not Found File created C:\Windows\SysWOW64\Afmjbf32.dll Jlckbh32.exe File created C:\Windows\SysWOW64\Dcohghbk.exe Daplkmbg.exe File created C:\Windows\SysWOW64\Nlfnje32.dll Gqodqodl.exe File created C:\Windows\SysWOW64\Jhndmp32.dll Ipmqgmcd.exe File opened for modification C:\Windows\SysWOW64\Mcfemmna.exe Mphiqbon.exe File opened for modification C:\Windows\SysWOW64\Kmimcbja.exe Process not Found File created C:\Windows\SysWOW64\Nmejllia.exe Nijnln32.exe File created C:\Windows\SysWOW64\Dhbccb32.dll Process not Found File created C:\Windows\SysWOW64\Pljcllqe.exe Pkifdd32.exe File created C:\Windows\SysWOW64\Ldpbpgoh.exe Lfmbek32.exe File created C:\Windows\SysWOW64\Homdhjai.exe Hkahgk32.exe File created C:\Windows\SysWOW64\Iejiodbl.exe Ibkmchbh.exe File created C:\Windows\SysWOW64\Ofadnq32.exe Opglafab.exe File created C:\Windows\SysWOW64\Gbdnfd32.dll Ijkocg32.exe File opened for modification C:\Windows\SysWOW64\Bbgqjdce.exe Bkmhnjlh.exe File created C:\Windows\SysWOW64\Fklkbele.dll Copjdhib.exe File created C:\Windows\SysWOW64\Kkjnnn32.exe Khkbbc32.exe File created C:\Windows\SysWOW64\Lpkadj32.dll Mmadbjkk.exe File opened for modification C:\Windows\SysWOW64\Gjbpne32.exe Gkoobhhg.exe File opened for modification C:\Windows\SysWOW64\Gqodqodl.exe Gnphdceh.exe File created C:\Windows\SysWOW64\Hiqoeplo.exe Hfbcidmk.exe File created C:\Windows\SysWOW64\Hkahgk32.exe Hiclkp32.exe File opened for modification C:\Windows\SysWOW64\Fmfocnjg.exe Process not Found File opened for modification C:\Windows\SysWOW64\Pojecajj.exe Pgcmbcih.exe File opened for modification C:\Windows\SysWOW64\Cgoelh32.exe Cepipm32.exe File created C:\Windows\SysWOW64\Ifemminl.dll Process not Found File opened for modification C:\Windows\SysWOW64\Ndmecgba.exe Npaich32.exe File opened for modification C:\Windows\SysWOW64\Ljddjj32.exe Lfhhjklc.exe File opened for modification C:\Windows\SysWOW64\Kajiigba.exe Kokmmkcm.exe File opened for modification C:\Windows\SysWOW64\Ciaefa32.exe Ceeieced.exe File opened for modification C:\Windows\SysWOW64\Diidjpbe.exe Djfdob32.exe File created C:\Windows\SysWOW64\Dgcgbb32.dll Process not Found File created C:\Windows\SysWOW64\Iakgefqe.exe Imokehhl.exe File created C:\Windows\SysWOW64\Eibkmp32.dll Pkcbnanl.exe File opened for modification C:\Windows\SysWOW64\Bchfhfeh.exe Bqijljfd.exe File opened for modification C:\Windows\SysWOW64\Fpjofl32.exe Flocfmnl.exe File created C:\Windows\SysWOW64\Paocnkph.exe Popgboae.exe File created C:\Windows\SysWOW64\Akiobk32.exe Aijbfo32.exe File opened for modification C:\Windows\SysWOW64\Bckjhl32.exe Behilopf.exe File opened for modification C:\Windows\SysWOW64\Mqbbagjo.exe Mikjpiim.exe File created C:\Windows\SysWOW64\Mhmdim32.dll Poklngnf.exe File created C:\Windows\SysWOW64\Kncinl32.dll Bnqned32.exe File created C:\Windows\SysWOW64\Opglafab.exe Oadkej32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 1808 11392 Process not Found 1306 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Olbogqoe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mnbpjb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nbmaon32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bqeqqk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bieopm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dmgmpnhl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ghofam32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mhjcec32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lcdfnehp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fkecij32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Odgamdef.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Npmphinm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oadkej32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hahnac32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pidfdofi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jjbbpmgo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bckjhl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fkhibino.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Joggci32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nlhjhi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Accqnc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ncpdbohb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lboiol32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Danpemej.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Daacecfc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pbagipfi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nijpdfhm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mjhjdm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bgoime32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Flclam32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ajckilei.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hqfaldbo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Illbhp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pnbojmmp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bceibfgj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Npaich32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lbfook32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pljcllqe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eheglk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Opfbngfb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ookpodkj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fpmbfbgo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mobfgdcl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gqcnln32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ipjahd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cmhglq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ifjlcmmj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ajpepm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dipjkn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fplllkdc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kokmmkcm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Abmgjo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Njdqka32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cnnnnh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ilkekm32.dll" Lnecigcp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aacmij32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mbcoio32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bniajoic.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Oiafee32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mkndhabp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mjcaimgg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Khadpa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ljnqdhga.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bpifad32.dll" Pmmneg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qgmfchei.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bieopm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Edcnakpa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lifjic32.dll" Ifdlng32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhndmp32.dll" Ipmqgmcd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qejpoi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Akiobk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nfjmnpei.dll" Iladfn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Olkfmi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Panaeb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ciaefa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hahnac32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Icblnd32.dll" Nidmfh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Njpgpbpf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bglbcj32.dll" Ggicgopd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cbkipjbh.dll" Iafnjg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ciohdhad.dll" Cegoqlof.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mhiaka32.dll" Gepafc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghfcobil.dll" Oiffkkbk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dmgmpnhl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pbagipfi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpkclikh.dll" Khadpa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fgnadkic.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lfkeokjp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eepejpil.dll" Cagienkb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Flocfmnl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Adnpkjde.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ppmncnbh.dll" Jfdhmk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hhhgcc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Agbpnh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ifjlcmmj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iokofcne.dll" Kenoifpb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pnbojmmp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eaphjp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Clffbc32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Olpilg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kcjjof32.dll" Elfcbo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eeohkeoe.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mjkgjl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Oehgjfhi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjpqkajf.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mbhlek32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Opnbbe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jkbaci32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kbmfgk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kofcbl32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1724 wrote to memory of 2512 1724 dbfa22b14ef46f446a0648383093f510N.exe 30 PID 1724 wrote to memory of 2512 1724 dbfa22b14ef46f446a0648383093f510N.exe 30 PID 1724 wrote to memory of 2512 1724 dbfa22b14ef46f446a0648383093f510N.exe 30 PID 1724 wrote to memory of 2512 1724 dbfa22b14ef46f446a0648383093f510N.exe 30 PID 2512 wrote to memory of 2176 2512 Hfpdkl32.exe 31 PID 2512 wrote to memory of 2176 2512 Hfpdkl32.exe 31 PID 2512 wrote to memory of 2176 2512 Hfpdkl32.exe 31 PID 2512 wrote to memory of 2176 2512 Hfpdkl32.exe 31 PID 2176 wrote to memory of 2744 2176 Hllmcc32.exe 32 PID 2176 wrote to memory of 2744 2176 Hllmcc32.exe 32 PID 2176 wrote to memory of 2744 2176 Hllmcc32.exe 32 PID 2176 wrote to memory of 2744 2176 Hllmcc32.exe 32 PID 2744 wrote to memory of 2864 2744 Hnkion32.exe 33 PID 2744 wrote to memory of 2864 2744 Hnkion32.exe 33 PID 2744 wrote to memory of 2864 2744 Hnkion32.exe 33 PID 2744 wrote to memory of 2864 2744 Hnkion32.exe 33 PID 2864 wrote to memory of 2900 2864 Heealhla.exe 34 PID 2864 wrote to memory of 2900 2864 Heealhla.exe 34 PID 2864 wrote to memory of 2900 2864 Heealhla.exe 34 PID 2864 wrote to memory of 2900 2864 Heealhla.exe 34 PID 2900 wrote to memory of 1796 2900 Hpjeialg.exe 35 PID 2900 wrote to memory of 1796 2900 Hpjeialg.exe 35 PID 2900 wrote to memory of 1796 2900 Hpjeialg.exe 35 PID 2900 wrote to memory of 1796 2900 Hpjeialg.exe 35 PID 1796 wrote to memory of 2636 1796 Halbai32.exe 36 PID 1796 wrote to memory of 2636 1796 Halbai32.exe 36 PID 1796 wrote to memory of 2636 1796 Halbai32.exe 36 PID 1796 wrote to memory of 2636 1796 Halbai32.exe 36 PID 2636 wrote to memory of 2476 2636 Hhejnc32.exe 37 PID 2636 wrote to memory of 2476 2636 Hhejnc32.exe 37 PID 2636 wrote to memory of 2476 2636 Hhejnc32.exe 37 PID 2636 wrote to memory of 2476 2636 Hhejnc32.exe 37 PID 2476 wrote to memory of 1040 2476 Hnpbjnpo.exe 38 PID 2476 wrote to memory of 1040 2476 Hnpbjnpo.exe 38 PID 2476 wrote to memory of 1040 2476 Hnpbjnpo.exe 38 PID 2476 wrote to memory of 1040 2476 Hnpbjnpo.exe 38 PID 1040 wrote to memory of 1716 1040 Heikgh32.exe 39 PID 1040 wrote to memory of 1716 1040 Heikgh32.exe 39 PID 1040 wrote to memory of 1716 1040 Heikgh32.exe 39 PID 1040 wrote to memory of 1716 1040 Heikgh32.exe 39 PID 1716 wrote to memory of 1188 1716 Hhhgcc32.exe 40 PID 1716 wrote to memory of 1188 1716 Hhhgcc32.exe 40 PID 1716 wrote to memory of 1188 1716 Hhhgcc32.exe 40 PID 1716 wrote to memory of 1188 1716 Hhhgcc32.exe 40 PID 1188 wrote to memory of 2080 1188 Hnbopmnm.exe 41 PID 1188 wrote to memory of 2080 1188 Hnbopmnm.exe 41 PID 1188 wrote to memory of 2080 1188 Hnbopmnm.exe 41 PID 1188 wrote to memory of 2080 1188 Hnbopmnm.exe 41 PID 2080 wrote to memory of 1336 2080 Hapklimq.exe 42 PID 2080 wrote to memory of 1336 2080 Hapklimq.exe 42 PID 2080 wrote to memory of 1336 2080 Hapklimq.exe 42 PID 2080 wrote to memory of 1336 2080 Hapklimq.exe 42 PID 1336 wrote to memory of 2932 1336 Hhjcic32.exe 43 PID 1336 wrote to memory of 2932 1336 Hhjcic32.exe 43 PID 1336 wrote to memory of 2932 1336 Hhjcic32.exe 43 PID 1336 wrote to memory of 2932 1336 Hhjcic32.exe 43 PID 2932 wrote to memory of 1868 2932 Hndlem32.exe 44 PID 2932 wrote to memory of 1868 2932 Hndlem32.exe 44 PID 2932 wrote to memory of 1868 2932 Hndlem32.exe 44 PID 2932 wrote to memory of 1868 2932 Hndlem32.exe 44 PID 1868 wrote to memory of 1488 1868 Idadnd32.exe 45 PID 1868 wrote to memory of 1488 1868 Idadnd32.exe 45 PID 1868 wrote to memory of 1488 1868 Idadnd32.exe 45 PID 1868 wrote to memory of 1488 1868 Idadnd32.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\dbfa22b14ef46f446a0648383093f510N.exe"C:\Users\Admin\AppData\Local\Temp\dbfa22b14ef46f446a0648383093f510N.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1724 -
C:\Windows\SysWOW64\Hfpdkl32.exeC:\Windows\system32\Hfpdkl32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2512 -
C:\Windows\SysWOW64\Hllmcc32.exeC:\Windows\system32\Hllmcc32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2176 -
C:\Windows\SysWOW64\Hnkion32.exeC:\Windows\system32\Hnkion32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2744 -
C:\Windows\SysWOW64\Heealhla.exeC:\Windows\system32\Heealhla.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2864 -
C:\Windows\SysWOW64\Hpjeialg.exeC:\Windows\system32\Hpjeialg.exe6⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2900 -
C:\Windows\SysWOW64\Halbai32.exeC:\Windows\system32\Halbai32.exe7⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1796 -
C:\Windows\SysWOW64\Hhejnc32.exeC:\Windows\system32\Hhejnc32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2636 -
C:\Windows\SysWOW64\Hnpbjnpo.exeC:\Windows\system32\Hnpbjnpo.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2476 -
C:\Windows\SysWOW64\Heikgh32.exeC:\Windows\system32\Heikgh32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1040 -
C:\Windows\SysWOW64\Hhhgcc32.exeC:\Windows\system32\Hhhgcc32.exe11⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1716 -
C:\Windows\SysWOW64\Hnbopmnm.exeC:\Windows\system32\Hnbopmnm.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1188 -
C:\Windows\SysWOW64\Hapklimq.exeC:\Windows\system32\Hapklimq.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2080 -
C:\Windows\SysWOW64\Hhjcic32.exeC:\Windows\system32\Hhjcic32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1336 -
C:\Windows\SysWOW64\Hndlem32.exeC:\Windows\system32\Hndlem32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2932 -
C:\Windows\SysWOW64\Idadnd32.exeC:\Windows\system32\Idadnd32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1868 -
C:\Windows\SysWOW64\Ifoqjo32.exeC:\Windows\system32\Ifoqjo32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1488 -
C:\Windows\SysWOW64\Iinmfk32.exeC:\Windows\system32\Iinmfk32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:448 -
C:\Windows\SysWOW64\Iaeegh32.exeC:\Windows\system32\Iaeegh32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2692 -
C:\Windows\SysWOW64\Ibfaopoi.exeC:\Windows\system32\Ibfaopoi.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1744 -
C:\Windows\SysWOW64\Ijmipn32.exeC:\Windows\system32\Ijmipn32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:340 -
C:\Windows\SysWOW64\Imleli32.exeC:\Windows\system32\Imleli32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1996 -
C:\Windows\SysWOW64\Ipjahd32.exeC:\Windows\system32\Ipjahd32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:908 -
C:\Windows\SysWOW64\Iibfajdc.exeC:\Windows\system32\Iibfajdc.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1044 -
C:\Windows\SysWOW64\Ilabmedg.exeC:\Windows\system32\Ilabmedg.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2168 -
C:\Windows\SysWOW64\Ioooiack.exeC:\Windows\system32\Ioooiack.exe26⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2440 -
C:\Windows\SysWOW64\Iiecgjba.exeC:\Windows\system32\Iiecgjba.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2368 -
C:\Windows\SysWOW64\Ilcoce32.exeC:\Windows\system32\Ilcoce32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1284 -
C:\Windows\SysWOW64\Ielclkhe.exeC:\Windows\system32\Ielclkhe.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2760 -
C:\Windows\SysWOW64\Jbpdeogo.exeC:\Windows\system32\Jbpdeogo.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2720 -
C:\Windows\SysWOW64\Jabdql32.exeC:\Windows\system32\Jabdql32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2028 -
C:\Windows\SysWOW64\Jdaqmg32.exeC:\Windows\system32\Jdaqmg32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2600 -
C:\Windows\SysWOW64\Jlhhndno.exeC:\Windows\system32\Jlhhndno.exe33⤵
- Executes dropped EXE
PID:2656 -
C:\Windows\SysWOW64\Jniefm32.exeC:\Windows\system32\Jniefm32.exe34⤵
- Executes dropped EXE
PID:3064 -
C:\Windows\SysWOW64\Jepmgj32.exeC:\Windows\system32\Jepmgj32.exe35⤵
- Executes dropped EXE
PID:540 -
C:\Windows\SysWOW64\Joiappkp.exeC:\Windows\system32\Joiappkp.exe36⤵
- Executes dropped EXE
PID:320 -
C:\Windows\SysWOW64\Jagnlkjd.exeC:\Windows\system32\Jagnlkjd.exe37⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1508 -
C:\Windows\SysWOW64\Jhafhe32.exeC:\Windows\system32\Jhafhe32.exe38⤵
- Executes dropped EXE
PID:1720 -
C:\Windows\SysWOW64\Jgdfdbhk.exeC:\Windows\system32\Jgdfdbhk.exe39⤵
- Executes dropped EXE
PID:1956 -
C:\Windows\SysWOW64\Jjbbpmgo.exeC:\Windows\system32\Jjbbpmgo.exe40⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1776 -
C:\Windows\SysWOW64\Jplkmgol.exeC:\Windows\system32\Jplkmgol.exe41⤵
- Executes dropped EXE
PID:1028 -
C:\Windows\SysWOW64\Jdhgnf32.exeC:\Windows\system32\Jdhgnf32.exe42⤵
- Executes dropped EXE
PID:1560 -
C:\Windows\SysWOW64\Jgfcja32.exeC:\Windows\system32\Jgfcja32.exe43⤵
- Executes dropped EXE
PID:2100 -
C:\Windows\SysWOW64\Jnpkflne.exeC:\Windows\system32\Jnpkflne.exe44⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2584 -
C:\Windows\SysWOW64\Jlckbh32.exeC:\Windows\system32\Jlckbh32.exe45⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:1596 -
C:\Windows\SysWOW64\Kfkpknkq.exeC:\Windows\system32\Kfkpknkq.exe46⤵
- Executes dropped EXE
PID:284 -
C:\Windows\SysWOW64\Knbhlkkc.exeC:\Windows\system32\Knbhlkkc.exe47⤵
- Executes dropped EXE
PID:1676 -
C:\Windows\SysWOW64\Kgkleabc.exeC:\Windows\system32\Kgkleabc.exe48⤵
- Executes dropped EXE
PID:2316 -
C:\Windows\SysWOW64\Kfnmpn32.exeC:\Windows\system32\Kfnmpn32.exe49⤵
- Executes dropped EXE
PID:2184 -
C:\Windows\SysWOW64\Kofaicon.exeC:\Windows\system32\Kofaicon.exe50⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1820 -
C:\Windows\SysWOW64\Kcamjb32.exeC:\Windows\system32\Kcamjb32.exe51⤵
- Executes dropped EXE
PID:1576 -
C:\Windows\SysWOW64\Kfpifm32.exeC:\Windows\system32\Kfpifm32.exe52⤵
- Executes dropped EXE
PID:2256 -
C:\Windows\SysWOW64\Kjleflod.exeC:\Windows\system32\Kjleflod.exe53⤵
- Executes dropped EXE
PID:2528 -
C:\Windows\SysWOW64\Kljabgnh.exeC:\Windows\system32\Kljabgnh.exe54⤵
- Executes dropped EXE
PID:2984 -
C:\Windows\SysWOW64\Kcdjoaee.exeC:\Windows\system32\Kcdjoaee.exe55⤵
- Executes dropped EXE
PID:2788 -
C:\Windows\SysWOW64\Kllnhg32.exeC:\Windows\system32\Kllnhg32.exe56⤵
- Executes dropped EXE
PID:2604 -
C:\Windows\SysWOW64\Kkoncdcp.exeC:\Windows\system32\Kkoncdcp.exe57⤵
- Executes dropped EXE
PID:1540 -
C:\Windows\SysWOW64\Knnkpobc.exeC:\Windows\system32\Knnkpobc.exe58⤵
- Executes dropped EXE
PID:1840 -
C:\Windows\SysWOW64\Kbigpn32.exeC:\Windows\system32\Kbigpn32.exe59⤵
- Executes dropped EXE
PID:2916 -
C:\Windows\SysWOW64\Kdhcli32.exeC:\Windows\system32\Kdhcli32.exe60⤵
- Executes dropped EXE
PID:2920 -
C:\Windows\SysWOW64\Lkakicam.exeC:\Windows\system32\Lkakicam.exe61⤵
- Executes dropped EXE
PID:2492 -
C:\Windows\SysWOW64\Lnpgeopa.exeC:\Windows\system32\Lnpgeopa.exe62⤵
- Executes dropped EXE
PID:2280 -
C:\Windows\SysWOW64\Lqncaj32.exeC:\Windows\system32\Lqncaj32.exe63⤵
- Executes dropped EXE
PID:1252 -
C:\Windows\SysWOW64\Ldjpbign.exeC:\Windows\system32\Ldjpbign.exe64⤵
- Executes dropped EXE
PID:1876 -
C:\Windows\SysWOW64\Lhelbh32.exeC:\Windows\system32\Lhelbh32.exe65⤵
- Executes dropped EXE
PID:916 -
C:\Windows\SysWOW64\Lkdhoc32.exeC:\Windows\system32\Lkdhoc32.exe66⤵PID:2016
-
C:\Windows\SysWOW64\Lnbdko32.exeC:\Windows\system32\Lnbdko32.exe67⤵PID:2568
-
C:\Windows\SysWOW64\Lqqpgj32.exeC:\Windows\system32\Lqqpgj32.exe68⤵PID:2220
-
C:\Windows\SysWOW64\Ldllgiek.exeC:\Windows\system32\Ldllgiek.exe69⤵PID:2380
-
C:\Windows\SysWOW64\Lcomce32.exeC:\Windows\system32\Lcomce32.exe70⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2848 -
C:\Windows\SysWOW64\Lkfddc32.exeC:\Windows\system32\Lkfddc32.exe71⤵PID:2136
-
C:\Windows\SysWOW64\Ljieppcb.exeC:\Windows\system32\Ljieppcb.exe72⤵PID:2856
-
C:\Windows\SysWOW64\Lmgalkcf.exeC:\Windows\system32\Lmgalkcf.exe73⤵PID:2880
-
C:\Windows\SysWOW64\Lqcmmjko.exeC:\Windows\system32\Lqcmmjko.exe74⤵PID:2808
-
C:\Windows\SysWOW64\Ldoimh32.exeC:\Windows\system32\Ldoimh32.exe75⤵PID:2792
-
C:\Windows\SysWOW64\Lcaiiejc.exeC:\Windows\system32\Lcaiiejc.exe76⤵PID:1264
-
C:\Windows\SysWOW64\Lfpeeqig.exeC:\Windows\system32\Lfpeeqig.exe77⤵PID:1668
-
C:\Windows\SysWOW64\Lngnfnji.exeC:\Windows\system32\Lngnfnji.exe78⤵PID:2944
-
C:\Windows\SysWOW64\Lohjnf32.exeC:\Windows\system32\Lohjnf32.exe79⤵PID:2108
-
C:\Windows\SysWOW64\Lcdfnehp.exeC:\Windows\system32\Lcdfnehp.exe80⤵
- System Location Discovery: System Language Discovery
PID:2588 -
C:\Windows\SysWOW64\Lgoboc32.exeC:\Windows\system32\Lgoboc32.exe81⤵PID:2264
-
C:\Windows\SysWOW64\Ljnnko32.exeC:\Windows\system32\Ljnnko32.exe82⤵PID:3044
-
C:\Windows\SysWOW64\Liqoflfh.exeC:\Windows\system32\Liqoflfh.exe83⤵PID:2364
-
C:\Windows\SysWOW64\Lqhfhigj.exeC:\Windows\system32\Lqhfhigj.exe84⤵PID:2392
-
C:\Windows\SysWOW64\Lcfbdd32.exeC:\Windows\system32\Lcfbdd32.exe85⤵PID:1580
-
C:\Windows\SysWOW64\Mfdopp32.exeC:\Windows\system32\Mfdopp32.exe86⤵PID:2312
-
C:\Windows\SysWOW64\Micklk32.exeC:\Windows\system32\Micklk32.exe87⤵PID:2660
-
C:\Windows\SysWOW64\Mmogmjmn.exeC:\Windows\system32\Mmogmjmn.exe88⤵PID:1848
-
C:\Windows\SysWOW64\Mpmcielb.exeC:\Windows\system32\Mpmcielb.exe89⤵PID:780
-
C:\Windows\SysWOW64\Mbkpeake.exeC:\Windows\system32\Mbkpeake.exe90⤵PID:2092
-
C:\Windows\SysWOW64\Mfglep32.exeC:\Windows\system32\Mfglep32.exe91⤵PID:352
-
C:\Windows\SysWOW64\Miehak32.exeC:\Windows\system32\Miehak32.exe92⤵PID:2116
-
C:\Windows\SysWOW64\Mmadbjkk.exeC:\Windows\system32\Mmadbjkk.exe93⤵
- Drops file in System32 directory
PID:2076 -
C:\Windows\SysWOW64\Mkddnf32.exeC:\Windows\system32\Mkddnf32.exe94⤵
- Drops file in System32 directory
PID:3068 -
C:\Windows\SysWOW64\Mnbpjb32.exeC:\Windows\system32\Mnbpjb32.exe95⤵
- System Location Discovery: System Language Discovery
PID:2576 -
C:\Windows\SysWOW64\Mfihkoal.exeC:\Windows\system32\Mfihkoal.exe96⤵PID:3016
-
C:\Windows\SysWOW64\Melifl32.exeC:\Windows\system32\Melifl32.exe97⤵PID:2160
-
C:\Windows\SysWOW64\Mgjebg32.exeC:\Windows\system32\Mgjebg32.exe98⤵PID:2860
-
C:\Windows\SysWOW64\Mpamde32.exeC:\Windows\system32\Mpamde32.exe99⤵PID:2872
-
C:\Windows\SysWOW64\Mbpipp32.exeC:\Windows\system32\Mbpipp32.exe100⤵PID:2624
-
C:\Windows\SysWOW64\Macilmnk.exeC:\Windows\system32\Macilmnk.exe101⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1444 -
C:\Windows\SysWOW64\Meoell32.exeC:\Windows\system32\Meoell32.exe102⤵PID:2272
-
C:\Windows\SysWOW64\Mgmahg32.exeC:\Windows\system32\Mgmahg32.exe103⤵PID:1256
-
C:\Windows\SysWOW64\Mjkndb32.exeC:\Windows\system32\Mjkndb32.exe104⤵PID:1000
-
C:\Windows\SysWOW64\Mbbfep32.exeC:\Windows\system32\Mbbfep32.exe105⤵PID:568
-
C:\Windows\SysWOW64\Meabakda.exeC:\Windows\system32\Meabakda.exe106⤵PID:2940
-
C:\Windows\SysWOW64\Mlkjne32.exeC:\Windows\system32\Mlkjne32.exe107⤵PID:612
-
C:\Windows\SysWOW64\Mjnjjbbh.exeC:\Windows\system32\Mjnjjbbh.exe108⤵PID:280
-
C:\Windows\SysWOW64\Nmlgfnal.exeC:\Windows\system32\Nmlgfnal.exe109⤵PID:924
-
C:\Windows\SysWOW64\Nagbgl32.exeC:\Windows\system32\Nagbgl32.exe110⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1556 -
C:\Windows\SysWOW64\Ncfoch32.exeC:\Windows\system32\Ncfoch32.exe111⤵PID:2888
-
C:\Windows\SysWOW64\Nhakcfab.exeC:\Windows\system32\Nhakcfab.exe112⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2936 -
C:\Windows\SysWOW64\Njpgpbpf.exeC:\Windows\system32\Njpgpbpf.exe113⤵
- Modifies registry class
PID:2652 -
C:\Windows\SysWOW64\Nnkcpq32.exeC:\Windows\system32\Nnkcpq32.exe114⤵PID:1312
-
C:\Windows\SysWOW64\Najpll32.exeC:\Windows\system32\Najpll32.exe115⤵PID:2060
-
C:\Windows\SysWOW64\Npmphinm.exeC:\Windows\system32\Npmphinm.exe116⤵
- System Location Discovery: System Language Discovery
PID:2396 -
C:\Windows\SysWOW64\Nhdhif32.exeC:\Windows\system32\Nhdhif32.exe117⤵PID:3004
-
C:\Windows\SysWOW64\Nfghdcfj.exeC:\Windows\system32\Nfghdcfj.exe118⤵PID:640
-
C:\Windows\SysWOW64\Njbdea32.exeC:\Windows\system32\Njbdea32.exe119⤵PID:2908
-
C:\Windows\SysWOW64\Nmqpam32.exeC:\Windows\system32\Nmqpam32.exe120⤵PID:2832
-
C:\Windows\SysWOW64\Npolmh32.exeC:\Windows\system32\Npolmh32.exe121⤵PID:708
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-