Analysis
-
max time kernel
110s -
max time network
17s -
platform
windows7_x64 -
resource
win7-20240708-en -
resource tags
arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
submitted
21/09/2024, 00:50
Static task
static1
Behavioral task
behavioral1
Sample
207d2c40a8e284c6586d90dfb13236680396a8462f0c8a07ab503f9f87fdd2acN.exe
Resource
win7-20240708-en
Behavioral task
behavioral2
Sample
207d2c40a8e284c6586d90dfb13236680396a8462f0c8a07ab503f9f87fdd2acN.exe
Resource
win10v2004-20240802-en
General
-
Target
207d2c40a8e284c6586d90dfb13236680396a8462f0c8a07ab503f9f87fdd2acN.exe
-
Size
386KB
-
MD5
21d86d2852997a49b695556b225d09d0
-
SHA1
5af2db59c8b60eabc8f52eaf4d28700f8c794142
-
SHA256
207d2c40a8e284c6586d90dfb13236680396a8462f0c8a07ab503f9f87fdd2ac
-
SHA512
a02721d623f7eb8f02dbac26ea87e09b61416256e038ce3577bdbeccec542005d7ca821af521f56a241b3a012486942c95eec755879848bd365d865e4ad92e16
-
SSDEEP
12288:xPrtNwQZ7287xmPFRkfJg9qwQZ7287xmP:xPpNZZ/aFKm9qZZ/a
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
Explorer.exe instantiates every CLSID listed under ShellServiceObjectDelayLoad at logon; the DLL that actually gets loaded is named by that CLSID's InProcServer32 value (see "Modifies registry class" below). Every dropped stage re-registers the same CLSID, so the value name and GUID are stable indicators across the whole chain.
description ioc Process
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad (34 rows), by: Oegdcj32.exe, Hnlqemal.exe, Process not Found, Boeppomj.exe, Lkepdbkb.exe, Pgamgken.exe, Gbfklolh.exe, Indnqb32.exe, Aglhph32.exe, Lppkgi32.exe, Process not Found, Ccjbobnf.exe, Hoegoqng.exe, Process not Found, Process not Found, Lcmopepp.exe, Fdbgia32.exe, Process not Found, Kjchmclb.exe, Njlcah32.exe, Nicfnn32.exe, Naokbq32.exe, Kcqfahom.exe, Njopgh32.exe, Pooaaink.exe, Gacgli32.exe, Ifkfap32.exe, Process not Found, Cabldeik.exe, Imidgh32.exe, Hiabjm32.exe, Obonfj32.exe, Ppogok32.exe, Kccbgh32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" (30 rows), by: Ifiilp32.exe, Process not Found, Hbpmbndm.exe, Mdigakic.exe, Nnhobgag.exe, Fkmfpabp.exe, Kaliaphd.exe, Qnoklc32.exe, Dfnjqifb.exe, Kplfmfmf.exe, Jnhnmckc.exe, Lfckhc32.exe, Beplcfmd.exe, Jlhjijpe.exe, Llomhllh.exe, Neemgp32.exe, Conpdm32.exe, Hdapggln.exe, Jonqfq32.exe, Process not Found, Boeppomj.exe, Gdpfbd32.exe, Emfbgg32.exe, Opbopn32.exe, Fgjmfa32.exe, Nhdjdk32.exe, Nfcfob32.exe, Oolelj32.exe, Bgihjl32.exe, Process not Found
-
Executes dropped EXE 64 IoCs
pid Process 3004 Jkabmi32.exe 2824 Jakjjcnd.exe 2940 Jdjgfomh.exe 3000 Jpcdqpqj.exe 1988 Jcaqmkpn.exe 2728 Jjneoeeh.exe 2440 Kfdfdf32.exe 376 Knpkhhhg.exe 2620 Kheofahm.exe 2776 Kdlpkb32.exe 3032 Kngaig32.exe 1276 Lmlnjcgg.exe 2220 Ljpnch32.exe 2176 Liekddkh.exe 2104 Lfilnh32.exe 2484 Lbbiii32.exe 1248 Mljnaocd.exe 1492 Mcfbfaao.exe 2008 Meeopdhb.exe 3056 Mcjlap32.exe 2312 Mfihml32.exe 2400 Mmemoe32.exe 2348 Npcika32.exe 1952 Nbbegl32.exe 2352 Nilndfgl.exe 2432 Nbfobllj.exe 2864 Niqgof32.exe 2876 Nomphm32.exe 2916 Neghdg32.exe 2712 Oobiclmh.exe 1896 Oaqeogll.exe 3012 Okijhmcm.exe 1932 Ocdnloph.exe 2460 Oingii32.exe 544 Ogbgbn32.exe 2616 Opjlkc32.exe 2604 Oegdcj32.exe 1700 Oheppe32.exe 1752 Panehkaj.exe 2192 Plcied32.exe 2216 Pdonjf32.exe 1064 Pkifgpeh.exe 824 Pabncj32.exe 624 Pdajpf32.exe 1704 Pgogla32.exe 2360 Paekijkb.exe 2116 Pdcgeejf.exe 3008 Pkmobp32.exe 1332 Pnllnk32.exe 2196 Pdfdkehc.exe 2804 Pkplgoop.exe 2884 Qmahog32.exe 2792 Qckalamk.exe 1552 Qgfmlp32.exe 2324 Qnpeijla.exe 1892 Qoaaqb32.exe 2308 Qgiibp32.exe 2416 Ajgfnk32.exe 2064 Aqanke32.exe 1596 Acpjga32.exe 600 Ajibckpc.exe 2204 Amhopfof.exe 1508 Acbglq32.exe 1716 Abeghmmn.exe -
Loads dropped DLL 64 IoCs
pid Process 1736 207d2c40a8e284c6586d90dfb13236680396a8462f0c8a07ab503f9f87fdd2acN.exe 1736 207d2c40a8e284c6586d90dfb13236680396a8462f0c8a07ab503f9f87fdd2acN.exe 3004 Jkabmi32.exe 3004 Jkabmi32.exe 2824 Jakjjcnd.exe 2824 Jakjjcnd.exe 2940 Jdjgfomh.exe 2940 Jdjgfomh.exe 3000 Jpcdqpqj.exe 3000 Jpcdqpqj.exe 1988 Jcaqmkpn.exe 1988 Jcaqmkpn.exe 2728 Jjneoeeh.exe 2728 Jjneoeeh.exe 2440 Kfdfdf32.exe 2440 Kfdfdf32.exe 376 Knpkhhhg.exe 376 Knpkhhhg.exe 2620 Kheofahm.exe 2620 Kheofahm.exe 2776 Kdlpkb32.exe 2776 Kdlpkb32.exe 3032 Kngaig32.exe 3032 Kngaig32.exe 1276 Lmlnjcgg.exe 1276 Lmlnjcgg.exe 2220 Ljpnch32.exe 2220 Ljpnch32.exe 2176 Liekddkh.exe 2176 Liekddkh.exe 2104 Lfilnh32.exe 2104 Lfilnh32.exe 2484 Lbbiii32.exe 2484 Lbbiii32.exe 1248 Mljnaocd.exe 1248 Mljnaocd.exe 1492 Mcfbfaao.exe 1492 Mcfbfaao.exe 2008 Meeopdhb.exe 2008 Meeopdhb.exe 3056 Mcjlap32.exe 3056 Mcjlap32.exe 2312 Mfihml32.exe 2312 Mfihml32.exe 2400 Mmemoe32.exe 2400 Mmemoe32.exe 2348 Npcika32.exe 2348 Npcika32.exe 1952 Nbbegl32.exe 1952 Nbbegl32.exe 2352 Nilndfgl.exe 2352 Nilndfgl.exe 2432 Nbfobllj.exe 2432 Nbfobllj.exe 2864 Niqgof32.exe 2864 Niqgof32.exe 2876 Nomphm32.exe 2876 Nomphm32.exe 2916 Neghdg32.exe 2916 Neghdg32.exe 2712 Oobiclmh.exe 2712 Oobiclmh.exe 1896 Oaqeogll.exe 1896 Oaqeogll.exe -
Drops file in System32 directory (64 IoCs)
description ioc Process
All paths below are under C:\Windows\SysWOW64\; the creating or modifying process is given in parentheses.
File created (44 rows): Qfchcq32.dll (Process not Found), Mclmgema.dll (Gnenfjdh.exe), Pdgldnpb.dll (Imidgh32.exe), Fhaibnim.exe (Process not Found), Pfobjdoe.exe (Pbcfie32.exe), Aboope32.dll (Iefeaj32.exe), Gmkapcaf.dll (Gddpndhp.exe), Mhpigk32.exe (Mgomoboc.exe), Iqidng32.dll (Process not Found), Cfbnjjmf.dll (Cealdjcm.exe), Ifkfap32.exe (Indnqb32.exe), Qdhcinme.exe (Qajfmbna.exe), Lfckhc32.exe (Lnmcge32.exe), Cfaaalep.exe (Ccceeqfl.exe), Jhndcd32.exe (Jadlgjjq.exe), Jlhjijpe.exe (Jiinmnaa.exe), Mcfbfaao.exe (Mljnaocd.exe), Mcghajkq.exe (Mmmpdp32.exe), Khkdmh32.exe (Kgjgepqm.exe), Blhphg32.dll (Lgjcdc32.exe), Bngnoa32.dll (Mmpobi32.exe), Hccllbjf.dll (Kaliaphd.exe), Ncbdjhnf.exe (Nlklik32.exe), Gmcmgp32.dll (Fnjiin32.exe), Nkikgn32.dll (Ckajqo32.exe), Cmjcngni.dll (Fnelmb32.exe), Ekblplgo.exe (Elpldp32.exe), Opgmqq32.dll (Kkomepon.exe), Cilfka32.exe (Process not Found), Npcika32.exe (Mmemoe32.exe), Apfamf32.dll (Abeghmmn.exe), Nqbdik32.dll (Fmofjj32.exe), Alqplmlb.exe (Process not Found), Cfmeqg32.dll (Eecgafkj.exe), Bpncbi32.dll (Process not Found), Oikgjlgb.dll (Dpdbdo32.exe), Dpmeij32.exe (Process not Found), Oobiclmh.exe (Neghdg32.exe), Cnkifmfo.dll (Pgopak32.exe), Dekhnh32.exe (Dbmlal32.exe), Koehka32.dll (Hmfkbeoc.exe), Hjcajn32.exe (Hkpaoape.exe), Aocgll32.exe (Agloko32.exe), Eioaillo.exe (Eagiho32.exe)
File opened for modification (20 rows): Kiamql32.exe (Kkomepon.exe), Hkfgnldd.exe (Process not Found), Bemfjgdg.exe (Baajji32.exe), Lbbiii32.exe (Lfilnh32.exe), Pgpjegfd.dll (Fgbnbcmd.exe), Dmgokcja.exe (Process not Found), Eplood32.exe (Emncci32.exe), Pfobjdoe.exe (Pbcfie32.exe), Gghloe32.exe (Gdjpcj32.exe), Jljgni32.exe (Jepoao32.exe), Gcljdpke.exe (Gqmmhdka.exe), Kaillp32.exe (Kphpdhdh.exe), Mliibj32.exe (Mnfhfmhc.exe), Hjnaehgj.exe (Process not Found), Eipjmk32.exe (Ekmjanpd.exe), Gimmpj32.exe (Gbcecpck.exe), Pgjfflkf.exe (Pdljjplb.exe), Pieobaiq.exe (Pfgcff32.exe), Obonfj32.exe (Nlefjpid.exe), Imfeip32.exe (Iflmlfcn.exe)
-
Program crash (1 IoCs)
pid pid_target Process procid_target
1588 10116 Process not Found 1217
-
System Location Discovery: System Language Discovery (1 TTPs, 64 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host. On its own this is weak evidence: the same key is read during normal locale initialization, so the signature fires on many benign binaries as well.
description ioc Process
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (64 rows), by: Ojnelefl.exe, Pldknmhd.exe, Process not Found, Jpnfdbig.exe, Lnobfn32.exe, Paekijkb.exe, Pdcgeejf.exe, Ggpmkgab.exe, Oebdndlp.exe, Domffn32.exe, Oddmokoo.exe, Process not Found, Process not Found, Cbcikn32.exe, Hqbnnj32.exe, Ppmkilbp.exe, Eijffhjd.exe, Process not Found, Process not Found, Mcekkkmc.exe, Lngpac32.exe, Cnjbfhqa.exe, Ekblplgo.exe, Process not Found, Process not Found, Ekbjgd32.exe, Fmofjj32.exe, Pelpgb32.exe, Aenileon.exe, Ibeloo32.exe, Ljpnch32.exe, Ieiegf32.exe, Kcllfi32.exe, Fhccoe32.exe, Hjmolp32.exe, Kmbclj32.exe, Olokighn.exe, Process not Found, Oheieo32.exe, Cfkkam32.exe, Gofajcog.exe, Gbigao32.exe, Bblpae32.exe, Conpdm32.exe, Mchjjc32.exe, Gihpcn32.exe, Beplcfmd.exe, Nnkekfkd.exe, Cjljpjjk.exe, Hmighemp.exe, Jdjgfomh.exe, Oheppe32.exe, Ckgmon32.exe, Process not Found, Process not Found, Iijbnkne.exe, Ggppdpif.exe, Process not Found, Hfajhblm.exe, Gfpjgn32.exe, Nqdaal32.exe, Process not Found, Process not Found, Hmdldmja.exe
-
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fdaephpc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ijenpn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnjqcn32.dll" Ipkgejcf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Epjbienl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gkaohl32.dll" Alknnodh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jjhgdqef.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iemdfn32.dll" Qkcbpn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bgfhfhcl.dll" Fcaaloed.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Oaeacppk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Agffkn32.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ciknhb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Cmmcae32.exe Set value (str) 
\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Geeqlobc.dll" Pgbejj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qgbbec32.dll" Pknakhig.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Gaajfi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oijmjdgq.dll" Jekoljgo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Gamkol32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mncfgh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Khjkiikl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mnfindfp.dll" Lphlck32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elkicala.dll" Hogddpld.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbcimj32.dll" Pabncj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fopilf32.dll" Llomhllh.exe Set value 
(str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ppehbh32.dll" Dimfmeef.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Elnonp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Agdlfd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Fmjkbfnh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kikakd32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ogbgbn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ldndng32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Baiingae.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dmiihjak.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bfjckd32.dll" Ifcbme32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Cfghagio.exe Set value 
(str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aiaqif32.dll" Process not Found
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iefbpdca.dll" Process not Found
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Fhqfie32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fmmjolll.dll" Neghdg32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ecagpdpe.dll" Ddkbqfcp.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Nlefjpid.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Agfbfl32.dll" Bghfacem.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dibjcg32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Febjmj32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Djmiha32.dll" Cemebcnf.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dbkgliff.dll" Mnfhfmhc.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fdakhmhh.dll" Cejfckie.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pcfjelcc.dll" Fcmdpcle.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Llcfck32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bbolge32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cmolej32.dll" Jadlgjjq.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ifcbme32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmfebofm.dll" Phelnhnb.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kneacffj.dll" Iijbnkne.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mcfbfaao.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Eiimci32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Nnkekfkd.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Nqdaal32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ojoood32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ikcoomeg.dll" Process not Found
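Every InProcServer32 write above targets one CLSID, {79FAA099-1BAE-816E-D711-115290CEE717}, and successive dropped stages keep replacing its default value with a different SysWow64 DLL, so the object Explorer loads at logon is whichever DLL won the last write. The Python below is an added example, not part of the Triage report: it parses a handful of the report's own IoC lines (reproduced inline) and ties the ShellServiceObjectDelayLoad value to the ordered list of InProcServer32 targets written for its CLSID. The two ShellServiceObjectDelayLoad lines in the sample are constructed in the report's format (the value name and key path are assumptions chosen to match the "Adds autorun key to be loaded by Explorer.exe on startup" tag on Oegdcj32.exe); the unescaping of doubled backslashes in string data is an assumption about how the report renders paths.

```python
import re
from collections import defaultdict

# One Triage registry IoC line. Two shapes occur in the report:
#   Set value (str) <key>\<value> = "<data>" <process>
#   Key created <key> <process>
# <process> is either an image name or the literal "Process not Found".
IOC_RE = re.compile(
    r'^(?P<op>Set value \((?P<vtype>\w+)\)|Key created) '
    r'(?P<key>\\REGISTRY\\.+?)'
    r'(?: = "(?P<data>[^"]*)")? '
    r'(?P<proc>Process not Found|\S+)$'
)
CLSID_RE = re.compile(r'\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}')

# Sample input. The InProcServer32 lines are copied from the report; the two
# ShellServiceObjectDelayLoad (SSODL) lines are constructed in the same format.
SAMPLE_IOCS = r'''
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oegdcj32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Oegdcj32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Fhqfie32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aiaqif32.dll" Process not Found
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fmmjolll.dll" Neghdg32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dibjcg32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Agfbfl32.dll" Bghfacem.exe
'''


def parse_ioc(line):
    """Split one IoC line into op/key/value/data/process; None if it is not an IoC line."""
    m = IOC_RE.match(line.strip())
    if not m:
        return None
    key, value, data = m['key'], None, m['data']
    if m['op'].startswith('Set'):            # last path component is the value name
        key, _, value = key.rpartition('\\')
        value = value or '(Default)'
        if data is not None:                 # assumption: the report doubles backslashes in data
            data = data.replace('\\\\', '\\')
    return {'op': 'set' if m['op'].startswith('Set') else 'create',
            'key': key, 'value': value, 'data': data, 'process': m['proc']}


def summarize(text):
    """Collect SSODL registrations and, per CLSID, the InProcServer32 targets in write order."""
    ssodl = {}                      # SSODL value name -> CLSID Explorer will instantiate
    servers = defaultdict(list)     # CLSID -> [(dll path, writing process), ...]
    threading = defaultdict(set)    # CLSID -> ThreadingModel values seen
    for line in text.splitlines():
        ioc = parse_ioc(line)
        if ioc is None or ioc['op'] != 'set':
            continue
        if ioc['key'].endswith('\\ShellServiceObjectDelayLoad'):
            ssodl[ioc['value']] = ioc['data']
            continue
        clsid = CLSID_RE.search(ioc['key'])
        if clsid and ioc['key'].endswith('\\InProcServer32'):
            if ioc['value'] == '(Default)':
                servers[clsid.group()].append((ioc['data'], ioc['process']))
            elif ioc['value'] == 'ThreadingModel':
                threading[clsid.group()].add(ioc['data'])
    return ssodl, dict(servers), dict(threading)


def findings(text):
    """One record per SSODL entry: the CLSID it loads and every DLL that CLSID was pointed at."""
    ssodl, servers, threading = summarize(text)
    out = []
    for name, clsid in ssodl.items():
        hits = servers.get(clsid, [])
        out.append({
            'ssodl_name': name,
            'clsid': clsid,
            'dll_paths': [path for path, _ in hits],
            'writers': [writer for _, writer in hits],
            'threading': sorted(threading.get(clsid, ())),
        })
    return out


if __name__ == '__main__':
    for f in findings(SAMPLE_IOCS):
        print(f"SSODL '{f['ssodl_name']}' -> {f['clsid']} (ThreadingModel {', '.join(f['threading'])})")
        for path, writer in zip(f['dll_paths'], f['writers']):
            print(f"  InProcServer32 = {path}  [written by {writer}]")
```

On a full report the `dll_paths` list is what matters for triage: the last entry is the DLL Explorer will actually load after a reboot, the earlier ones are candidates for what the sample had on disk at each stage.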
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target
PID 1736 wrote to memory of 3004 1736 207d2c40a8e284c6586d90dfb13236680396a8462f0c8a07ab503f9f87fdd2acN.exe 30 (4 entries)
PID 3004 wrote to memory of 2824 3004 Jkabmi32.exe 31 (4 entries)
PID 2824 wrote to memory of 2940 2824 Jakjjcnd.exe 32 (4 entries)
PID 2940 wrote to memory of 3000 2940 Jdjgfomh.exe 33 (4 entries)
PID 3000 wrote to memory of 1988 3000 Jpcdqpqj.exe 34 (4 entries)
PID 1988 wrote to memory of 2728 1988 Jcaqmkpn.exe 35 (4 entries)
PID 2728 wrote to memory of 2440 2728 Jjneoeeh.exe 36 (4 entries)
PID 2440 wrote to memory of 376 2440 Kfdfdf32.exe 37 (4 entries)
PID 376 wrote to memory of 2620 376 Knpkhhhg.exe 38 (4 entries)
PID 2620 wrote to memory of 2776 2620 Kheofahm.exe 39 (4 entries)
PID 2776 wrote to memory of 3032 2776 Kdlpkb32.exe 40 (4 entries)
PID 3032 wrote to memory of 1276 3032 Kngaig32.exe 41 (4 entries)
PID 1276 wrote to memory of 2220 1276 Lmlnjcgg.exe 42 (4 entries)
PID 2220 wrote to memory of 2176 2220 Ljpnch32.exe 43 (4 entries)
PID 2176 wrote to memory of 2104 2176 Liekddkh.exe 44 (4 entries)
PID 2104 wrote to memory of 2484 2104 Lfilnh32.exe 45 (4 entries)
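The 64 rows above are 16 distinct parent-to-child pairs, each logged four times, and they match the first 16 levels of the process list that follows: every dropped EXE writes into the memory of the process it has just started, and that child then repeats the pattern. The Python below is an added example, not part of the Triage report. It parses lines in the report's `PID <src> wrote to memory of <dst> <src> <image> <n>` format, collapses the duplicates into counts, and rebuilds the chain starting from the one pid nobody wrote to, refusing to continue if the write graph is not a single linear chain (a writer with two targets is the shape a write into an unrelated, pre-existing process would take). The five rows embedded are the first five from the table; their four-fold repetition is reproduced programmatically rather than pasted.

```python
import re
from collections import Counter

# One row of the "Suspicious use of WriteProcessMemory" table:
#   PID <src> wrote to memory of <dst> <src> <image of src> <procid_target>
WPM_RE = re.compile(
    r'^PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) '
    r'(?P<pid>\d+) (?P<image>\S+) (?P<target_id>\d+)$'
)

# First five parent->child pairs from the table. The report lists every pair four
# times; the repetition is reproduced here instead of pasting 20 lines.
_ROWS = [
    'PID 1736 wrote to memory of 3004 1736 207d2c40a8e284c6586d90dfb13236680396a8462f0c8a07ab503f9f87fdd2acN.exe 30',
    'PID 3004 wrote to memory of 2824 3004 Jkabmi32.exe 31',
    'PID 2824 wrote to memory of 2940 2824 Jakjjcnd.exe 32',
    'PID 2940 wrote to memory of 3000 2940 Jdjgfomh.exe 33',
    'PID 3000 wrote to memory of 1988 3000 Jpcdqpqj.exe 34',
]
SAMPLE_LOG = '\n'.join(row for row in _ROWS for _ in range(4))


def parse_writes(text):
    """Count logged writes per (writer pid, writer image, target pid)."""
    writes = Counter()
    for line in text.splitlines():
        m = WPM_RE.match(line.strip())
        if m:
            writes[(int(m['src']), m['image'], int(m['dst']))] += 1
    return writes


def reconstruct_chain(text):
    """Order the writes into a parent->child chain starting from the pid nobody wrote to.

    Raises ValueError when the graph is not one linear chain: a writer with two
    targets, more than one root, or a cycle. In this sample every writer has exactly
    one target, the shape of a dropper chain rather than of injection into a
    pre-existing process.
    """
    children = {}
    for (src, image, dst), n in parse_writes(text).items():
        if src in children:
            raise ValueError(f'pid {src} wrote to more than one process ({children[src][1]} and {dst})')
        children[src] = (image, dst, n)
    targets = {dst for _, dst, _ in children.values()}
    roots = [src for src in children if src not in targets]
    if len(roots) != 1:
        raise ValueError(f'expected exactly one root writer, found {roots}')
    chain, pid, seen = [], roots[0], set()
    while pid in children:
        if pid in seen:
            raise ValueError(f'cycle at pid {pid}')
        seen.add(pid)
        image, dst, n = children[pid]
        chain.append({'pid': pid, 'image': image, 'child': dst, 'writes': n})
        pid = dst
    return chain


def render(chain):
    """Human-readable chain, one hop per line."""
    return '\n'.join(f"{hop['pid']} {hop['image']} -> {hop['child']} ({hop['writes']} writes)"
                     for hop in chain)


if __name__ == '__main__':
    print(render(reconstruct_chain(SAMPLE_LOG)))
```

The last hop's `child` pid is the one process in the log whose image name never appears, because the table is capped at 64 rows; on a complete log the child of the final hop is the stage that stopped spawning.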
Processes
Each process is spawned by the one above it; the leading number is the nesting depth from the report's tree view. Format: image path (command line as launched), PID, behaviour tags.
1. C:\Users\Admin\AppData\Local\Temp\207d2c40a8e284c6586d90dfb13236680396a8462f0c8a07ab503f9f87fdd2acN.exe ("C:\Users\Admin\AppData\Local\Temp\207d2c40a8e284c6586d90dfb13236680396a8462f0c8a07ab503f9f87fdd2acN.exe"), PID 1736: Loads dropped DLL; Suspicious use of WriteProcessMemory
2. C:\Windows\SysWOW64\Jkabmi32.exe (C:\Windows\system32\Jkabmi32.exe), PID 3004: Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
3. C:\Windows\SysWOW64\Jakjjcnd.exe (C:\Windows\system32\Jakjjcnd.exe), PID 2824: Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
4. C:\Windows\SysWOW64\Jdjgfomh.exe (C:\Windows\system32\Jdjgfomh.exe), PID 2940: Executes dropped EXE; Loads dropped DLL; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
5. C:\Windows\SysWOW64\Jpcdqpqj.exe (C:\Windows\system32\Jpcdqpqj.exe), PID 3000: Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
6. C:\Windows\SysWOW64\Jcaqmkpn.exe (C:\Windows\system32\Jcaqmkpn.exe), PID 1988: Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
7. C:\Windows\SysWOW64\Jjneoeeh.exe (C:\Windows\system32\Jjneoeeh.exe), PID 2728: Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
8. C:\Windows\SysWOW64\Kfdfdf32.exe (C:\Windows\system32\Kfdfdf32.exe), PID 2440: Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
9. C:\Windows\SysWOW64\Knpkhhhg.exe (C:\Windows\system32\Knpkhhhg.exe), PID 376: Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
10. C:\Windows\SysWOW64\Kheofahm.exe (C:\Windows\system32\Kheofahm.exe), PID 2620: Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
11. C:\Windows\SysWOW64\Kdlpkb32.exe (C:\Windows\system32\Kdlpkb32.exe), PID 2776: Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
12. C:\Windows\SysWOW64\Kngaig32.exe (C:\Windows\system32\Kngaig32.exe), PID 3032: Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
13. C:\Windows\SysWOW64\Lmlnjcgg.exe (C:\Windows\system32\Lmlnjcgg.exe), PID 1276: Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
14. C:\Windows\SysWOW64\Ljpnch32.exe (C:\Windows\system32\Ljpnch32.exe), PID 2220: Executes dropped EXE; Loads dropped DLL; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
15. C:\Windows\SysWOW64\Liekddkh.exe (C:\Windows\system32\Liekddkh.exe), PID 2176: Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
16. C:\Windows\SysWOW64\Lfilnh32.exe (C:\Windows\system32\Lfilnh32.exe), PID 2104: Executes dropped EXE; Loads dropped DLL; Drops file in System32 directory; Suspicious use of WriteProcessMemory
17. C:\Windows\SysWOW64\Lbbiii32.exe (C:\Windows\system32\Lbbiii32.exe), PID 2484: Executes dropped EXE; Loads dropped DLL
18. C:\Windows\SysWOW64\Mljnaocd.exe (C:\Windows\system32\Mljnaocd.exe), PID 1248: Executes dropped EXE; Loads dropped DLL; Drops file in System32 directory
19. C:\Windows\SysWOW64\Mcfbfaao.exe (C:\Windows\system32\Mcfbfaao.exe), PID 1492: Executes dropped EXE; Loads dropped DLL; Modifies registry class
20. C:\Windows\SysWOW64\Meeopdhb.exe (C:\Windows\system32\Meeopdhb.exe), PID 2008: Executes dropped EXE; Loads dropped DLL
21. C:\Windows\SysWOW64\Mcjlap32.exe (C:\Windows\system32\Mcjlap32.exe), PID 3056: Executes dropped EXE; Loads dropped DLL
22. C:\Windows\SysWOW64\Mfihml32.exe (C:\Windows\system32\Mfihml32.exe), PID 2312: Executes dropped EXE; Loads dropped DLL
23. C:\Windows\SysWOW64\Mmemoe32.exe (C:\Windows\system32\Mmemoe32.exe), PID 2400: Executes dropped EXE; Loads dropped DLL; Drops file in System32 directory
24. C:\Windows\SysWOW64\Npcika32.exe (C:\Windows\system32\Npcika32.exe), PID 2348: Executes dropped EXE; Loads dropped DLL
25. C:\Windows\SysWOW64\Nbbegl32.exe (C:\Windows\system32\Nbbegl32.exe), PID 1952: Executes dropped EXE; Loads dropped DLL
26. C:\Windows\SysWOW64\Nilndfgl.exe (C:\Windows\system32\Nilndfgl.exe), PID 2352: Executes dropped EXE; Loads dropped DLL
27. C:\Windows\SysWOW64\Nbfobllj.exe (C:\Windows\system32\Nbfobllj.exe), PID 2432: Executes dropped EXE; Loads dropped DLL
28. C:\Windows\SysWOW64\Niqgof32.exe (C:\Windows\system32\Niqgof32.exe), PID 2864: Executes dropped EXE; Loads dropped DLL
29. C:\Windows\SysWOW64\Nomphm32.exe (C:\Windows\system32\Nomphm32.exe), PID 2876: Executes dropped EXE; Loads dropped DLL
30. C:\Windows\SysWOW64\Neghdg32.exe (C:\Windows\system32\Neghdg32.exe), PID 2916: Executes dropped EXE; Loads dropped DLL; Drops file in System32 directory; Modifies registry class
31. C:\Windows\SysWOW64\Oobiclmh.exe (C:\Windows\system32\Oobiclmh.exe), PID 2712: Executes dropped EXE; Loads dropped DLL
32. C:\Windows\SysWOW64\Oaqeogll.exe (C:\Windows\system32\Oaqeogll.exe), PID 1896: Executes dropped EXE; Loads dropped DLL
33. C:\Windows\SysWOW64\Okijhmcm.exe (C:\Windows\system32\Okijhmcm.exe), PID 3012: Executes dropped EXE
34. C:\Windows\SysWOW64\Ocdnloph.exe (C:\Windows\system32\Ocdnloph.exe), PID 1932: Executes dropped EXE
35. C:\Windows\SysWOW64\Oingii32.exe (C:\Windows\system32\Oingii32.exe), PID 2460: Executes dropped EXE
36. C:\Windows\SysWOW64\Ogbgbn32.exe (C:\Windows\system32\Ogbgbn32.exe), PID 544: Executes dropped EXE; Modifies registry class
37. C:\Windows\SysWOW64\Opjlkc32.exe (C:\Windows\system32\Opjlkc32.exe), PID 2616: Executes dropped EXE
38. C:\Windows\SysWOW64\Oegdcj32.exe (C:\Windows\system32\Oegdcj32.exe), PID 2604: Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE
39. C:\Windows\SysWOW64\Oheppe32.exe (C:\Windows\system32\Oheppe32.exe), PID 1700: Executes dropped EXE; System Location Discovery: System Language Discovery
40. C:\Windows\SysWOW64\Panehkaj.exe (C:\Windows\system32\Panehkaj.exe), PID 1752: Executes dropped EXE
41. C:\Windows\SysWOW64\Plcied32.exe (C:\Windows\system32\Plcied32.exe), PID 2192: Executes dropped EXE
42. C:\Windows\SysWOW64\Pdonjf32.exe (C:\Windows\system32\Pdonjf32.exe), PID 2216: Executes dropped EXE
43. C:\Windows\SysWOW64\Pkifgpeh.exe (C:\Windows\system32\Pkifgpeh.exe), PID 1064: Executes dropped EXE
44. C:\Windows\SysWOW64\Pabncj32.exe (C:\Windows\system32\Pabncj32.exe), PID 824: Executes dropped EXE; Modifies registry class
45. C:\Windows\SysWOW64\Pdajpf32.exe (C:\Windows\system32\Pdajpf32.exe), PID 624: Executes dropped EXE
46. C:\Windows\SysWOW64\Pgogla32.exe (C:\Windows\system32\Pgogla32.exe), PID 1704: Executes dropped EXE
47. C:\Windows\SysWOW64\Paekijkb.exe (C:\Windows\system32\Paekijkb.exe), PID 2360: Executes dropped EXE; System Location Discovery: System Language Discovery
48. C:\Windows\SysWOW64\Pdcgeejf.exe (C:\Windows\system32\Pdcgeejf.exe), PID 2116: Executes dropped EXE; System Location Discovery: System Language Discovery
49. C:\Windows\SysWOW64\Pkmobp32.exe (C:\Windows\system32\Pkmobp32.exe), PID 3008: Executes dropped EXE
50. C:\Windows\SysWOW64\Pnllnk32.exe (C:\Windows\system32\Pnllnk32.exe), PID 1332: Executes dropped EXE
51. C:\Windows\SysWOW64\Pdfdkehc.exe (C:\Windows\system32\Pdfdkehc.exe), PID 2196: Executes dropped EXE
52. C:\Windows\SysWOW64\Pkplgoop.exe (C:\Windows\system32\Pkplgoop.exe), PID 2804: Executes dropped EXE
53. C:\Windows\SysWOW64\Qmahog32.exe (C:\Windows\system32\Qmahog32.exe), PID 2884: Executes dropped EXE
54. C:\Windows\SysWOW64\Qckalamk.exe (C:\Windows\system32\Qckalamk.exe), PID 2792: Executes dropped EXE
55. C:\Windows\SysWOW64\Qgfmlp32.exe (C:\Windows\system32\Qgfmlp32.exe), PID 1552: Executes dropped EXE
56. C:\Windows\SysWOW64\Qnpeijla.exe (C:\Windows\system32\Qnpeijla.exe), PID 2324: Executes dropped EXE
57. C:\Windows\SysWOW64\Qoaaqb32.exe (C:\Windows\system32\Qoaaqb32.exe), PID 1892: Executes dropped EXE
58. C:\Windows\SysWOW64\Qgiibp32.exe (C:\Windows\system32\Qgiibp32.exe), PID 2308: Executes dropped EXE
59. C:\Windows\SysWOW64\Ajgfnk32.exe (C:\Windows\system32\Ajgfnk32.exe), PID 2416: Executes dropped EXE
60. C:\Windows\SysWOW64\Aqanke32.exe (C:\Windows\system32\Aqanke32.exe), PID 2064: Executes dropped EXE
61. C:\Windows\SysWOW64\Acpjga32.exe (C:\Windows\system32\Acpjga32.exe), PID 1596: Executes dropped EXE
62. C:\Windows\SysWOW64\Ajibckpc.exe (C:\Windows\system32\Ajibckpc.exe), PID 600: Executes dropped EXE
63. C:\Windows\SysWOW64\Amhopfof.exe (C:\Windows\system32\Amhopfof.exe), PID 2204: Executes dropped EXE
64. C:\Windows\SysWOW64\Acbglq32.exe (C:\Windows\system32\Acbglq32.exe), PID 1508: Executes dropped EXE
65. C:\Windows\SysWOW64\Abeghmmn.exe (C:\Windows\system32\Abeghmmn.exe), PID 1716: Executes dropped EXE; Drops file in System32 directory
66. C:\Windows\SysWOW64\Aioodg32.exe (C:\Windows\system32\Aioodg32.exe), PID 280
67. C:\Windows\SysWOW64\Akmlacdn.exe (C:\Windows\system32\Akmlacdn.exe), PID 2020
68. C:\Windows\SysWOW64\Abgdnm32.exe (C:\Windows\system32\Abgdnm32.exe), PID 736
69. C:\Windows\SysWOW64\Agdlfd32.exe (C:\Windows\system32\Agdlfd32.exe), PID 1728: Modifies registry class
70. C:\Windows\SysWOW64\Aokdga32.exe (C:\Windows\system32\Aokdga32.exe), PID 2420
71. C:\Windows\SysWOW64\Abiqcm32.exe (C:\Windows\system32\Abiqcm32.exe), PID 2980
72. C:\Windows\SysWOW64\Akbelbpi.exe (C:\Windows\system32\Akbelbpi.exe), PID 3040
73. C:\Windows\SysWOW64\Ablmilgf.exe (C:\Windows\system32\Ablmilgf.exe), PID 2852
74. C:\Windows\SysWOW64\Bejiehfi.exe (C:\Windows\system32\Bejiehfi.exe), PID 2908
75. C:\Windows\SysWOW64\Bghfacem.exe (C:\Windows\system32\Bghfacem.exe), PID 1944: Modifies registry class
76. C:\Windows\SysWOW64\Bjgbmoda.exe (C:\Windows\system32\Bjgbmoda.exe), PID 936
77. C:\Windows\SysWOW64\Baajji32.exe (C:\Windows\system32\Baajji32.exe), PID 2168: Drops file in System32 directory
78. C:\Windows\SysWOW64\Bemfjgdg.exe (C:\Windows\system32\Bemfjgdg.exe), PID 976
79. C:\Windows\SysWOW64\Bfncbp32.exe (C:\Windows\system32\Bfncbp32.exe), PID 1120
80. C:\Windows\SysWOW64\Bnekcm32.exe (C:\Windows\system32\Bnekcm32.exe), PID 1888
81. C:\Windows\SysWOW64\Bacgohjk.exe (C:\Windows\system32\Bacgohjk.exe), PID 1780
82. C:\Windows\SysWOW64\Bcackdio.exe (C:\Windows\system32\Bcackdio.exe), PID 1680
83. C:\Windows\SysWOW64\Bfppgohb.exe (C:\Windows\system32\Bfppgohb.exe), PID 2180
84. C:\Windows\SysWOW64\Biolckgf.exe (C:\Windows\system32\Biolckgf.exe), PID 2264
85. C:\Windows\SysWOW64\Baecehhh.exe (C:\Windows\system32\Baecehhh.exe), PID 2512
86. C:\Windows\SysWOW64\Bphdpe32.exe (C:\Windows\system32\Bphdpe32.exe), PID 2296
87. C:\Windows\SysWOW64\Bjnhnn32.exe (C:\Windows\system32\Bjnhnn32.exe), PID 540
88. C:\Windows\SysWOW64\Biahijec.exe (C:\Windows\system32\Biahijec.exe), PID 980
89. C:\Windows\SysWOW64\Blodefdg.exe (C:\Windows\system32\Blodefdg.exe), PID 1196
90. C:\Windows\SysWOW64\Bpkqfdmp.exe (C:\Windows\system32\Bpkqfdmp.exe), PID 968
91. C:\Windows\SysWOW64\Bfeibo32.exe (C:\Windows\system32\Bfeibo32.exe), PID 2640
92. C:\Windows\SysWOW64\Behinlkh.exe (C:\Windows\system32\Behinlkh.exe), PID 1568
93. C:\Windows\SysWOW64\Claake32.exe (C:\Windows\system32\Claake32.exe), PID 2664
94. C:\Windows\SysWOW64\Cnpnga32.exe (C:\Windows\system32\Cnpnga32.exe), PID 2068
95. C:\Windows\SysWOW64\Cejfckie.exe (C:\Windows\system32\Cejfckie.exe), PID 2832: Modifies registry class
96. C:\Windows\SysWOW64\Ciebdj32.exe (C:\Windows\system32\Ciebdj32.exe), PID 2780
97. C:\Windows\SysWOW64\Cldnqe32.exe (C:\Windows\system32\Cldnqe32.exe), PID 2788
98. C:\Windows\SysWOW64\Cbnfmo32.exe (C:\Windows\system32\Cbnfmo32.exe), PID 2364
99. C:\Windows\SysWOW64\Celbik32.exe (C:\Windows\system32\Celbik32.exe), PID 1052
100. C:\Windows\SysWOW64\Chkoef32.exe (C:\Windows\system32\Chkoef32.exe), PID 3060
101. C:\Windows\SysWOW64\Cjikaa32.exe (C:\Windows\system32\Cjikaa32.exe), PID 2960
102. C:\Windows\SysWOW64\Codgbqmc.exe (C:\Windows\system32\Codgbqmc.exe), PID 1216
103. C:\Windows\SysWOW64\Ceoooj32.exe (C:\Windows\system32\Ceoooj32.exe), PID 1612
104. C:\Windows\SysWOW64\Cdapjglj.exe (C:\Windows\system32\Cdapjglj.exe), PID 832
105. C:\Windows\SysWOW64\Chmkkf32.exe (C:\Windows\system32\Chmkkf32.exe), PID 2548
106. C:\Windows\SysWOW64\Cogdhpkp.exe (C:\Windows\system32\Cogdhpkp.exe), PID 1388
107. C:\Windows\SysWOW64\Cealdjcm.exe (C:\Windows\system32\Cealdjcm.exe), PID 1756: Drops file in System32 directory
108. C:\Windows\SysWOW64\Cddlpg32.exe (C:\Windows\system32\Cddlpg32.exe), PID 760
109. C:\Windows\SysWOW64\Cfbhlb32.exe (C:\Windows\system32\Cfbhlb32.exe), PID 1688
110. C:\Windows\SysWOW64\Coiqmp32.exe (C:\Windows\system32\Coiqmp32.exe), PID 2132
111. C:\Windows\SysWOW64\Cahmik32.exe (C:\Windows\system32\Cahmik32.exe), PID 2368
112. C:\Windows\SysWOW64\Cdfief32.exe (C:\Windows\system32\Cdfief32.exe), PID 2724
113. C:\Windows\SysWOW64\Dkpabqoa.exe (C:\Windows\system32\Dkpabqoa.exe), PID 1656
114. C:\Windows\SysWOW64\Dicann32.exe (C:\Windows\system32\Dicann32.exe), PID 1460
115. C:\Windows\SysWOW64\Dajiok32.exe (C:\Windows\system32\Dajiok32.exe), PID 1868
116. C:\Windows\SysWOW64\Dbkffc32.exe (C:\Windows\system32\Dbkffc32.exe), PID 1644
117. C:\Windows\SysWOW64\Dkbnhq32.exe (C:\Windows\system32\Dkbnhq32.exe), PID 1808
118. C:\Windows\SysWOW64\Dalfdjdl.exe (C:\Windows\system32\Dalfdjdl.exe), PID 576
119. C:\Windows\SysWOW64\Ddkbqfcp.exe (C:\Windows\system32\Ddkbqfcp.exe), PID 2156: Modifies registry class
120. C:\Windows\SysWOW64\Dbnblb32.exe (C:\Windows\system32\Dbnblb32.exe), PID 2384
121. C:\Windows\SysWOW64\Dihkimag.exe (C:\Windows\system32\Dihkimag.exe), PID 1468
122. C:\Windows\SysWOW64\Dmcgik32.exe (C:\Windows\system32\Dmcgik32.exe), PID 2320