Analysis
-
max time kernel
122s -
max time network
124s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
11/10/2024, 21:51
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
565151405029a5ed91409ec45d81fb86329208df5209fd2c987cc4c0546b59cc.exe
Resource
win7-20240903-en
windows7-x64
8 signatures
150 seconds
Behavioral task
behavioral2
Sample
565151405029a5ed91409ec45d81fb86329208df5209fd2c987cc4c0546b59cc.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
7 signatures
150 seconds
General
-
Target
565151405029a5ed91409ec45d81fb86329208df5209fd2c987cc4c0546b59cc.exe
-
Size
93KB
-
MD5
94ea97d0c685063e43bd78e074b4fe5a
-
SHA1
bcecd63c2a1179fdce31a76f357f4216e32fb7e2
-
SHA256
565151405029a5ed91409ec45d81fb86329208df5209fd2c987cc4c0546b59cc
-
SHA512
61f89520fbfde13214877eb4320bfa18e54c88e0f6c2141deea3f2a41009a879dc1166ffa73d5ef0209d2557d9c39b35d444cfedc12573ef8923a445c08595a3
-
SSDEEP
1536:fm7hKdRLjxS1Wn4G1NQCFiUDuhFtcFIRH55UgrbPsRQXRkRLJzeLD9N0iQGRNQR5:fm7h+RLjQ1WnDvGMu9eIkeXSJdEN0s4X
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jbpfnh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Objjnkie.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hjmlhbbg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qmhahkdj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Kdnkdmec.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Libjncnc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mciabmlo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bnlgbnbp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Bnapnm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Dlifadkk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Dmkcil32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Iebldo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kdkelolf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qejpoi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Bbjpil32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hjfnnajl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lpflkb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dhbdleol.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Lcohahpn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nmabjfek.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Aklabp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Lmmfnb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bcbfbp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dbabho32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dmkcil32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Goldfelp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Kbhbai32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Llomfpag.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aphjjf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ikjhki32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Kbmome32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Mlafkb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Pjihmmbk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ljnqdhga.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Aknngo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cfckcoen.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fppaej32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Kkjpggkn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ahmefdcp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bnapnm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Fhdmph32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Kgcnahoo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Nbeedh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Plmbkd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kpafapbk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Obbdml32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Fgocmc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Imggplgm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iiqldc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Lgingm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ohdfqbio.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ijaaae32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Pfnmmn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bfabnl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cmhjdiap.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Inojhc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lemdncoa.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lgfjggll.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lcdhgn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pbigmn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Alddjg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Bfabnl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dboeco32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gnfkba32.exe -
Executes dropped EXE 64 IoCs
pid Process 2856 Hgkfal32.exe 2808 Ikfbbjdj.exe 2372 Icafgmbe.exe 2560 Ingkdeak.exe 2608 Iaegpaao.exe 2948 Ijnkifgp.exe 2428 Iiqldc32.exe 1212 Ibipmiek.exe 2792 Ijphofem.exe 328 Ibkmchbh.exe 792 Iieepbje.exe 1844 Jbnjhh32.exe 2408 Jfieigio.exe 1404 Jbpfnh32.exe 1320 Jacfidem.exe 1532 Jbbccgmp.exe 1704 Jeqopcld.exe 1624 Jlkglm32.exe 2020 Joidhh32.exe 2148 Jfdhmk32.exe 976 Jmnqje32.exe 700 Jkbaci32.exe 112 Kmqmod32.exe 2484 Kpojkp32.exe 2980 Kdkelolf.exe 2568 Kfibhjlj.exe 2684 Kmcjedcg.exe 1540 Kpafapbk.exe 3032 Kijkje32.exe 2912 Kofcbl32.exe 2784 Kgnkci32.exe 576 Kpfplo32.exe 2932 Koipglep.exe 2920 Kaglcgdc.exe 3000 Kechdf32.exe 2412 Kkpqlm32.exe 2108 Kokmmkcm.exe 2488 Kcginj32.exe 1312 Kajiigba.exe 860 Lhcafa32.exe 2764 Llomfpag.exe 1616 Lonibk32.exe 2516 Laleof32.exe 2356 Ldjbkb32.exe 1852 Lgingm32.exe 2888 Lanbdf32.exe 2492 Lpabpcdf.exe 2824 Lkggmldl.exe 2640 Ljigih32.exe 1052 Laqojfli.exe 2028 Lpcoeb32.exe 1248 Lcblan32.exe 2552 Lgngbmjp.exe 1888 Ljldnhid.exe 1208 Lngpog32.exe 2416 Lpflkb32.exe 2420 Lcdhgn32.exe 2436 Lgpdglhn.exe 2040 Ljnqdhga.exe 2524 Mphiqbon.exe 684 Mokilo32.exe 1424 Mgbaml32.exe 1924 Mjqmig32.exe 2192 Mhcmedli.exe -
Loads dropped DLL 64 IoCs
pid Process 2692 565151405029a5ed91409ec45d81fb86329208df5209fd2c987cc4c0546b59cc.exe 2692 565151405029a5ed91409ec45d81fb86329208df5209fd2c987cc4c0546b59cc.exe 2856 Hgkfal32.exe 2856 Hgkfal32.exe 2808 Ikfbbjdj.exe 2808 Ikfbbjdj.exe 2372 Icafgmbe.exe 2372 Icafgmbe.exe 2560 Ingkdeak.exe 2560 Ingkdeak.exe 2608 Iaegpaao.exe 2608 Iaegpaao.exe 2948 Ijnkifgp.exe 2948 Ijnkifgp.exe 2428 Iiqldc32.exe 2428 Iiqldc32.exe 1212 Ibipmiek.exe 1212 Ibipmiek.exe 2792 Ijphofem.exe 2792 Ijphofem.exe 328 Ibkmchbh.exe 328 Ibkmchbh.exe 792 Iieepbje.exe 792 Iieepbje.exe 1844 Jbnjhh32.exe 1844 Jbnjhh32.exe 2408 Jfieigio.exe 2408 Jfieigio.exe 1404 Jbpfnh32.exe 1404 Jbpfnh32.exe 1320 Jacfidem.exe 1320 Jacfidem.exe 1532 Jbbccgmp.exe 1532 Jbbccgmp.exe 1704 Jeqopcld.exe 1704 Jeqopcld.exe 1624 Jlkglm32.exe 1624 Jlkglm32.exe 2020 Joidhh32.exe 2020 Joidhh32.exe 2148 Jfdhmk32.exe 2148 Jfdhmk32.exe 976 Jmnqje32.exe 976 Jmnqje32.exe 700 Jkbaci32.exe 700 Jkbaci32.exe 112 Kmqmod32.exe 112 Kmqmod32.exe 2484 Kpojkp32.exe 2484 Kpojkp32.exe 2980 Kdkelolf.exe 2980 Kdkelolf.exe 2568 Kfibhjlj.exe 2568 Kfibhjlj.exe 2684 Kmcjedcg.exe 2684 Kmcjedcg.exe 1540 Kpafapbk.exe 1540 Kpafapbk.exe 3032 Kijkje32.exe 3032 Kijkje32.exe 2912 Kofcbl32.exe 2912 Kofcbl32.exe 2784 Kgnkci32.exe 2784 Kgnkci32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Ipbkjl32.dll Kgcnahoo.exe File created C:\Windows\SysWOW64\Fahhnn32.exe Eojlbb32.exe File opened for modification C:\Windows\SysWOW64\Hnmacpfj.exe Hjaeba32.exe File opened for modification C:\Windows\SysWOW64\Jimdcqom.exe Jfohgepi.exe File opened for modification C:\Windows\SysWOW64\Aognbnkm.exe Aklabp32.exe File opened for modification C:\Windows\SysWOW64\Bpbmqe32.exe Blfapfpg.exe File created C:\Windows\SysWOW64\Cncmcm32.exe Cjhabndo.exe File created C:\Windows\SysWOW64\Fglfgd32.exe Fcqjfeja.exe File created C:\Windows\SysWOW64\Ngohbhce.dll Ngbmlo32.exe File created C:\Windows\SysWOW64\Nekkhdgo.dll Nqjaeeog.exe File opened for modification C:\Windows\SysWOW64\Ibhicbao.exe Ijaaae32.exe File created C:\Windows\SysWOW64\Iclbpj32.exe Iamfdo32.exe File opened for modification C:\Windows\SysWOW64\Jfcabd32.exe Jbhebfck.exe File created C:\Windows\SysWOW64\Hfopbgif.dll Ldgnklmi.exe File opened for modification C:\Windows\SysWOW64\Lcmklh32.exe Loaokjjg.exe File created C:\Windows\SysWOW64\Qopmpa32.dll Agihgp32.exe File created C:\Windows\SysWOW64\Eemnnn32.exe Efjmbaba.exe File opened for modification C:\Windows\SysWOW64\Eojlbb32.exe Eknpadcn.exe File created C:\Windows\SysWOW64\Ljnfmlph.dll Jcnoejch.exe File created C:\Windows\SysWOW64\Bkbdabog.exe Bhdhefpc.exe File opened for modification C:\Windows\SysWOW64\Eldiehbk.exe Eifmimch.exe File opened for modification C:\Windows\SysWOW64\Dnjoco32.exe Djocbqpb.exe File created C:\Windows\SysWOW64\Eoebgcol.exe Elgfkhpi.exe File opened for modification C:\Windows\SysWOW64\Flnlkgjq.exe Fdgdji32.exe File opened for modification C:\Windows\SysWOW64\Oiafee32.exe Onlahm32.exe File created C:\Windows\SysWOW64\Dcdkef32.exe Dafoikjb.exe File opened for modification C:\Windows\SysWOW64\Plmbkd32.exe Pmjaohol.exe File created C:\Windows\SysWOW64\Bhdhefpc.exe Bqmpdioa.exe File created C:\Windows\SysWOW64\Ciagojda.exe Cfckcoen.exe File opened for modification C:\Windows\SysWOW64\Jcciqi32.exe Jpgmpk32.exe File opened for modification C:\Windows\SysWOW64\Ikfbbjdj.exe Hgkfal32.exe File opened for modification C:\Windows\SysWOW64\Kgnkci32.exe Kofcbl32.exe File created C:\Windows\SysWOW64\Hnkdnqhm.exe Hjohmbpd.exe File created C:\Windows\SysWOW64\Mmichb32.dll Hjohmbpd.exe File created C:\Windows\SysWOW64\Imggplgm.exe Ieponofk.exe File created C:\Windows\SysWOW64\Acfgdc32.dll Bhonjg32.exe File created C:\Windows\SysWOW64\Dokggo32.dll Elibpg32.exe File created C:\Windows\SysWOW64\Lknocpdc.dll Feddombd.exe File created C:\Windows\SysWOW64\Hjleia32.dll Fliook32.exe File created C:\Windows\SysWOW64\Glnhjjml.exe Ghbljk32.exe File opened for modification C:\Windows\SysWOW64\Hadcipbi.exe Hjmlhbbg.exe File created C:\Windows\SysWOW64\Ibacbcgg.exe Iocgfhhc.exe File created C:\Windows\SysWOW64\Jbclgf32.exe Jcqlkjae.exe File opened for modification C:\Windows\SysWOW64\Laqojfli.exe Ljigih32.exe File created C:\Windows\SysWOW64\Nedamakn.dll Cfckcoen.exe File created C:\Windows\SysWOW64\Onkckhkp.dll Liipnb32.exe File opened for modification C:\Windows\SysWOW64\Ehnfpifm.exe Eeojcmfi.exe File created C:\Windows\SysWOW64\Gkgoff32.exe Ghibjjnk.exe File opened for modification C:\Windows\SysWOW64\Fijbco32.exe Fglfgd32.exe File created C:\Windows\SysWOW64\Kekkiq32.exe Kbmome32.exe File opened for modification C:\Windows\SysWOW64\Mblbnj32.exe Mciabmlo.exe File opened for modification C:\Windows\SysWOW64\Bknjfb32.exe Bhonjg32.exe File opened for modification C:\Windows\SysWOW64\Bkbdabog.exe Bhdhefpc.exe File created C:\Windows\SysWOW64\Dlgjldnm.exe Dihmpinj.exe File created C:\Windows\SysWOW64\Bieepc32.dll Eblelb32.exe File created C:\Windows\SysWOW64\Aaqbpk32.dll Jpgmpk32.exe File opened for modification C:\Windows\SysWOW64\Oflpgnld.exe Odmckcmq.exe File opened for modification C:\Windows\SysWOW64\Qkghgpfi.exe Qhilkege.exe File opened for modification C:\Windows\SysWOW64\Gajqbakc.exe Gcgqgd32.exe File created C:\Windows\SysWOW64\Jfohgepi.exe Jbclgf32.exe File created C:\Windows\SysWOW64\Kpfplo32.exe Kgnkci32.exe File created C:\Windows\SysWOW64\Pjleclph.exe Pbemboof.exe File created C:\Windows\SysWOW64\Difqji32.exe Dfhdnn32.exe File created C:\Windows\SysWOW64\Kneoni32.dll Djjjga32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 5144 4612 WerFault.exe 480 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Blfapfpg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ccpeld32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fglfgd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lpcoeb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Odkgec32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mciabmlo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nnnbni32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bknjfb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eimcjl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fgjjad32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gojhafnb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Icifjk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mgbaml32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qkghgpfi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cfehhn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Igebkiof.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Onlahm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Coicfd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Colpld32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qemldifo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eicpcm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Flnlkgjq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nfgjml32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nkkmgncb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dpnladjl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dfhdnn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gcgqgd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lpqlemaj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lcdhgn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iediin32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aognbnkm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dcbnpgkh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iocgfhhc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oimmjffj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bbhccm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Akpkmo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lanbdf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lcblan32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mhjcec32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cjjnhnbl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cbjlhpkb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fmdbnnlj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jmnqje32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iamfdo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lonibk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lpabpcdf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ajehnk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ebckmaec.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gmhkin32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jcqlkjae.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ldgnklmi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kijkje32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nnleiipc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ppkjac32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Agglbp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fkcilc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iakino32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kpojkp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Efjmbaba.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eoebgcol.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Honnki32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dcdkef32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jbnjhh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pmhejhao.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Khljoh32.dll" Jmipdo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Jplfkjbd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Hadcipbi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Faibdo32.dll" Hnkdnqhm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Kpgionie.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Kokmmkcm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Fcqjfeja.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Bdkhjgeh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Goqnae32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlflfm32.dll" Kipmhc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Kmcjedcg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Chmihd32.dll" Kijkje32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Cmppehkh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Gockgdeh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Jcnoejch.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bilfjg32.dll" Oflpgnld.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdilhpcp.dll" Pehcij32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Keppajog.dll" Iclbpj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iglhhc32.dll" Kdkelolf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jmmjqf32.dll" Mgbaml32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Cqaiph32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Jmkmjoec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Lcmklh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Joidhh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Bbllnlfd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Fpbnjjkm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Dblhmoio.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Eldiehbk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Iediin32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fdeonhfo.dll" Cjjnhnbl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Dcbnpgkh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Npneccok.dll" Ijaaae32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Kbhbai32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Oejcpf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jaoobkci.dll" Aknngo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qopmpa32.dll" Agihgp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Goldfelp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Gkcekfad.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Igebkiof.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ohdfqbio.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Objjnkie.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Lifcib32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Hgqlafap.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Jnagmc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Abkeba32.dll" Alddjg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Coicfd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Djgfah32.dll" Dhbdleol.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Licpomcb.dll" Eifmimch.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Lpcoeb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Lgngbmjp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Lgingm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Aeoijidl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bccblb32.dll" Cgnnab32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ijcngenj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ingkdeak.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpkclikh.dll" Kechdf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Bcbfbp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aamhcmdo.dll" Bnlgbnbp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Pmhejhao.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Qmhahkdj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oqfopomn.dll" Hcjilgdb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Gdkjdl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ibipmiek.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Cbjlhpkb.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2692 wrote to memory of 2856 2692 565151405029a5ed91409ec45d81fb86329208df5209fd2c987cc4c0546b59cc.exe 30 PID 2692 wrote to memory of 2856 2692 565151405029a5ed91409ec45d81fb86329208df5209fd2c987cc4c0546b59cc.exe 30 PID 2692 wrote to memory of 2856 2692 565151405029a5ed91409ec45d81fb86329208df5209fd2c987cc4c0546b59cc.exe 30 PID 2692 wrote to memory of 2856 2692 565151405029a5ed91409ec45d81fb86329208df5209fd2c987cc4c0546b59cc.exe 30 PID 2856 wrote to memory of 2808 2856 Hgkfal32.exe 31 PID 2856 wrote to memory of 2808 2856 Hgkfal32.exe 31 PID 2856 wrote to memory of 2808 2856 Hgkfal32.exe 31 PID 2856 wrote to memory of 2808 2856 Hgkfal32.exe 31 PID 2808 wrote to memory of 2372 2808 Ikfbbjdj.exe 32 PID 2808 wrote to memory of 2372 2808 Ikfbbjdj.exe 32 PID 2808 wrote to memory of 2372 2808 Ikfbbjdj.exe 32 PID 2808 wrote to memory of 2372 2808 Ikfbbjdj.exe 32 PID 2372 wrote to memory of 2560 2372 Icafgmbe.exe 33 PID 2372 wrote to memory of 2560 2372 Icafgmbe.exe 33 PID 2372 wrote to memory of 2560 2372 Icafgmbe.exe 33 PID 2372 wrote to memory of 2560 2372 Icafgmbe.exe 33 PID 2560 wrote to memory of 2608 2560 Ingkdeak.exe 34 PID 2560 wrote to memory of 2608 2560 Ingkdeak.exe 34 PID 2560 wrote to memory of 2608 2560 Ingkdeak.exe 34 PID 2560 wrote to memory of 2608 2560 Ingkdeak.exe 34 PID 2608 wrote to memory of 2948 2608 Iaegpaao.exe 35 PID 2608 wrote to memory of 2948 2608 Iaegpaao.exe 35 PID 2608 wrote to memory of 2948 2608 Iaegpaao.exe 35 PID 2608 wrote to memory of 2948 2608 Iaegpaao.exe 35 PID 2948 wrote to memory of 2428 2948 Ijnkifgp.exe 36 PID 2948 wrote to memory of 2428 2948 Ijnkifgp.exe 36 PID 2948 wrote to memory of 2428 2948 Ijnkifgp.exe 36 PID 2948 wrote to memory of 2428 2948 Ijnkifgp.exe 36 PID 2428 wrote to memory of 1212 2428 Iiqldc32.exe 37 PID 2428 wrote to memory of 1212 2428 Iiqldc32.exe 37 PID 2428 wrote to memory of 1212 2428 Iiqldc32.exe 37 PID 2428 wrote to memory of 1212 2428 Iiqldc32.exe 37 PID 1212 wrote to memory of 2792 1212 Ibipmiek.exe 38 PID 1212 wrote to memory of 2792 1212 Ibipmiek.exe 38 PID 1212 wrote to memory of 2792 1212 Ibipmiek.exe 38 PID 1212 wrote to memory of 2792 1212 Ibipmiek.exe 38 PID 2792 wrote to memory of 328 2792 Ijphofem.exe 39 PID 2792 wrote to memory of 328 2792 Ijphofem.exe 39 PID 2792 wrote to memory of 328 2792 Ijphofem.exe 39 PID 2792 wrote to memory of 328 2792 Ijphofem.exe 39 PID 328 wrote to memory of 792 328 Ibkmchbh.exe 40 PID 328 wrote to memory of 792 328 Ibkmchbh.exe 40 PID 328 wrote to memory of 792 328 Ibkmchbh.exe 40 PID 328 wrote to memory of 792 328 Ibkmchbh.exe 40 PID 792 wrote to memory of 1844 792 Iieepbje.exe 41 PID 792 wrote to memory of 1844 792 Iieepbje.exe 41 PID 792 wrote to memory of 1844 792 Iieepbje.exe 41 PID 792 wrote to memory of 1844 792 Iieepbje.exe 41 PID 1844 wrote to memory of 2408 1844 Jbnjhh32.exe 42 PID 1844 wrote to memory of 2408 1844 Jbnjhh32.exe 42 PID 1844 wrote to memory of 2408 1844 Jbnjhh32.exe 42 PID 1844 wrote to memory of 2408 1844 Jbnjhh32.exe 42 PID 2408 wrote to memory of 1404 2408 Jfieigio.exe 43 PID 2408 wrote to memory of 1404 2408 Jfieigio.exe 43 PID 2408 wrote to memory of 1404 2408 Jfieigio.exe 43 PID 2408 wrote to memory of 1404 2408 Jfieigio.exe 43 PID 1404 wrote to memory of 1320 1404 Jbpfnh32.exe 44 PID 1404 wrote to memory of 1320 1404 Jbpfnh32.exe 44 PID 1404 wrote to memory of 1320 1404 Jbpfnh32.exe 44 PID 1404 wrote to memory of 1320 1404 Jbpfnh32.exe 44 PID 1320 wrote to memory of 1532 1320 Jacfidem.exe 45 PID 1320 wrote to memory of 1532 1320 Jacfidem.exe 45 PID 1320 wrote to memory of 1532 1320 Jacfidem.exe 45 PID 1320 wrote to memory of 1532 1320 Jacfidem.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\565151405029a5ed91409ec45d81fb86329208df5209fd2c987cc4c0546b59cc.exe"C:\Users\Admin\AppData\Local\Temp\565151405029a5ed91409ec45d81fb86329208df5209fd2c987cc4c0546b59cc.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2692 -
C:\Windows\SysWOW64\Hgkfal32.exeC:\Windows\system32\Hgkfal32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2856 -
C:\Windows\SysWOW64\Ikfbbjdj.exeC:\Windows\system32\Ikfbbjdj.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2808 -
C:\Windows\SysWOW64\Icafgmbe.exeC:\Windows\system32\Icafgmbe.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2372 -
C:\Windows\SysWOW64\Ingkdeak.exeC:\Windows\system32\Ingkdeak.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2560 -
C:\Windows\SysWOW64\Iaegpaao.exeC:\Windows\system32\Iaegpaao.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2608 -
C:\Windows\SysWOW64\Ijnkifgp.exeC:\Windows\system32\Ijnkifgp.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2948 -
C:\Windows\SysWOW64\Iiqldc32.exeC:\Windows\system32\Iiqldc32.exe8⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2428 -
C:\Windows\SysWOW64\Ibipmiek.exeC:\Windows\system32\Ibipmiek.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1212 -
C:\Windows\SysWOW64\Ijphofem.exeC:\Windows\system32\Ijphofem.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2792 -
C:\Windows\SysWOW64\Ibkmchbh.exeC:\Windows\system32\Ibkmchbh.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:328 -
C:\Windows\SysWOW64\Iieepbje.exeC:\Windows\system32\Iieepbje.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:792 -
C:\Windows\SysWOW64\Jbnjhh32.exeC:\Windows\system32\Jbnjhh32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1844 -
C:\Windows\SysWOW64\Jfieigio.exeC:\Windows\system32\Jfieigio.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2408 -
C:\Windows\SysWOW64\Jbpfnh32.exeC:\Windows\system32\Jbpfnh32.exe15⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1404 -
C:\Windows\SysWOW64\Jacfidem.exeC:\Windows\system32\Jacfidem.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1320 -
C:\Windows\SysWOW64\Jbbccgmp.exeC:\Windows\system32\Jbbccgmp.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1532 -
C:\Windows\SysWOW64\Jeqopcld.exeC:\Windows\system32\Jeqopcld.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1704 -
C:\Windows\SysWOW64\Jlkglm32.exeC:\Windows\system32\Jlkglm32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1624 -
C:\Windows\SysWOW64\Joidhh32.exeC:\Windows\system32\Joidhh32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2020 -
C:\Windows\SysWOW64\Jfdhmk32.exeC:\Windows\system32\Jfdhmk32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2148 -
C:\Windows\SysWOW64\Jmnqje32.exeC:\Windows\system32\Jmnqje32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:976 -
C:\Windows\SysWOW64\Jkbaci32.exeC:\Windows\system32\Jkbaci32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:700 -
C:\Windows\SysWOW64\Kmqmod32.exeC:\Windows\system32\Kmqmod32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:112 -
C:\Windows\SysWOW64\Kpojkp32.exeC:\Windows\system32\Kpojkp32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2484 -
C:\Windows\SysWOW64\Kdkelolf.exeC:\Windows\system32\Kdkelolf.exe26⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2980 -
C:\Windows\SysWOW64\Kfibhjlj.exeC:\Windows\system32\Kfibhjlj.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2568 -
C:\Windows\SysWOW64\Kmcjedcg.exeC:\Windows\system32\Kmcjedcg.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2684 -
C:\Windows\SysWOW64\Kpafapbk.exeC:\Windows\system32\Kpafapbk.exe29⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1540 -
C:\Windows\SysWOW64\Kijkje32.exeC:\Windows\system32\Kijkje32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:3032 -
C:\Windows\SysWOW64\Kofcbl32.exeC:\Windows\system32\Kofcbl32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2912 -
C:\Windows\SysWOW64\Kgnkci32.exeC:\Windows\system32\Kgnkci32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2784 -
C:\Windows\SysWOW64\Kpfplo32.exeC:\Windows\system32\Kpfplo32.exe33⤵
- Executes dropped EXE
PID:576 -
C:\Windows\SysWOW64\Koipglep.exeC:\Windows\system32\Koipglep.exe34⤵
- Executes dropped EXE
PID:2932 -
C:\Windows\SysWOW64\Kaglcgdc.exeC:\Windows\system32\Kaglcgdc.exe35⤵
- Executes dropped EXE
PID:2920 -
C:\Windows\SysWOW64\Kechdf32.exeC:\Windows\system32\Kechdf32.exe36⤵
- Executes dropped EXE
- Modifies registry class
PID:3000 -
C:\Windows\SysWOW64\Kkpqlm32.exeC:\Windows\system32\Kkpqlm32.exe37⤵
- Executes dropped EXE
PID:2412 -
C:\Windows\SysWOW64\Kokmmkcm.exeC:\Windows\system32\Kokmmkcm.exe38⤵
- Executes dropped EXE
- Modifies registry class
PID:2108 -
C:\Windows\SysWOW64\Kcginj32.exeC:\Windows\system32\Kcginj32.exe39⤵
- Executes dropped EXE
PID:2488 -
C:\Windows\SysWOW64\Kajiigba.exeC:\Windows\system32\Kajiigba.exe40⤵
- Executes dropped EXE
PID:1312 -
C:\Windows\SysWOW64\Lhcafa32.exeC:\Windows\system32\Lhcafa32.exe41⤵
- Executes dropped EXE
PID:860 -
C:\Windows\SysWOW64\Llomfpag.exeC:\Windows\system32\Llomfpag.exe42⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2764 -
C:\Windows\SysWOW64\Lonibk32.exeC:\Windows\system32\Lonibk32.exe43⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1616 -
C:\Windows\SysWOW64\Laleof32.exeC:\Windows\system32\Laleof32.exe44⤵
- Executes dropped EXE
PID:2516 -
C:\Windows\SysWOW64\Ldjbkb32.exeC:\Windows\system32\Ldjbkb32.exe45⤵
- Executes dropped EXE
PID:2356 -
C:\Windows\SysWOW64\Lgingm32.exeC:\Windows\system32\Lgingm32.exe46⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:1852 -
C:\Windows\SysWOW64\Lanbdf32.exeC:\Windows\system32\Lanbdf32.exe47⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2888 -
C:\Windows\SysWOW64\Lpabpcdf.exeC:\Windows\system32\Lpabpcdf.exe48⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2492 -
C:\Windows\SysWOW64\Lhhkapeh.exeC:\Windows\system32\Lhhkapeh.exe49⤵PID:352
-
C:\Windows\SysWOW64\Lkggmldl.exeC:\Windows\system32\Lkggmldl.exe50⤵
- Executes dropped EXE
PID:2824 -
C:\Windows\SysWOW64\Ljigih32.exeC:\Windows\system32\Ljigih32.exe51⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2640 -
C:\Windows\SysWOW64\Laqojfli.exeC:\Windows\system32\Laqojfli.exe52⤵
- Executes dropped EXE
PID:1052 -
C:\Windows\SysWOW64\Lpcoeb32.exeC:\Windows\system32\Lpcoeb32.exe53⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2028 -
C:\Windows\SysWOW64\Lcblan32.exeC:\Windows\system32\Lcblan32.exe54⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1248 -
C:\Windows\SysWOW64\Lgngbmjp.exeC:\Windows\system32\Lgngbmjp.exe55⤵
- Executes dropped EXE
- Modifies registry class
PID:2552 -
C:\Windows\SysWOW64\Ljldnhid.exeC:\Windows\system32\Ljldnhid.exe56⤵
- Executes dropped EXE
PID:1888 -
C:\Windows\SysWOW64\Lngpog32.exeC:\Windows\system32\Lngpog32.exe57⤵
- Executes dropped EXE
PID:1208 -
C:\Windows\SysWOW64\Lpflkb32.exeC:\Windows\system32\Lpflkb32.exe58⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2416 -
C:\Windows\SysWOW64\Lcdhgn32.exeC:\Windows\system32\Lcdhgn32.exe59⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2420 -
C:\Windows\SysWOW64\Lgpdglhn.exeC:\Windows\system32\Lgpdglhn.exe60⤵
- Executes dropped EXE
PID:2436 -
C:\Windows\SysWOW64\Ljnqdhga.exeC:\Windows\system32\Ljnqdhga.exe61⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2040 -
C:\Windows\SysWOW64\Mphiqbon.exeC:\Windows\system32\Mphiqbon.exe62⤵
- Executes dropped EXE
PID:2524 -
C:\Windows\SysWOW64\Mokilo32.exeC:\Windows\system32\Mokilo32.exe63⤵
- Executes dropped EXE
PID:684 -
C:\Windows\SysWOW64\Mgbaml32.exeC:\Windows\system32\Mgbaml32.exe64⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1424 -
C:\Windows\SysWOW64\Mjqmig32.exeC:\Windows\system32\Mjqmig32.exe65⤵
- Executes dropped EXE
PID:1924 -
C:\Windows\SysWOW64\Mhcmedli.exeC:\Windows\system32\Mhcmedli.exe66⤵
- Executes dropped EXE
PID:2192 -
C:\Windows\SysWOW64\Mciabmlo.exeC:\Windows\system32\Mciabmlo.exe67⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2320 -
C:\Windows\SysWOW64\Mblbnj32.exeC:\Windows\system32\Mblbnj32.exe68⤵PID:1760
-
C:\Windows\SysWOW64\Mhfjjdjf.exeC:\Windows\system32\Mhfjjdjf.exe69⤵PID:2700
-
C:\Windows\SysWOW64\Mlafkb32.exeC:\Windows\system32\Mlafkb32.exe70⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2564 -
C:\Windows\SysWOW64\Mcknhm32.exeC:\Windows\system32\Mcknhm32.exe71⤵PID:1536
-
C:\Windows\SysWOW64\Mbnocipg.exeC:\Windows\system32\Mbnocipg.exe72⤵PID:3064
-
C:\Windows\SysWOW64\Mmccqbpm.exeC:\Windows\system32\Mmccqbpm.exe73⤵PID:1744
-
C:\Windows\SysWOW64\Mkfclo32.exeC:\Windows\system32\Mkfclo32.exe74⤵PID:2084
-
C:\Windows\SysWOW64\Mneohj32.exeC:\Windows\system32\Mneohj32.exe75⤵PID:2652
-
C:\Windows\SysWOW64\Mbqkiind.exeC:\Windows\system32\Mbqkiind.exe76⤵PID:400
-
C:\Windows\SysWOW64\Mflgih32.exeC:\Windows\system32\Mflgih32.exe77⤵PID:2124
-
C:\Windows\SysWOW64\Mhjcec32.exeC:\Windows\system32\Mhjcec32.exe78⤵
- System Location Discovery: System Language Discovery
PID:2128 -
C:\Windows\SysWOW64\Modlbmmn.exeC:\Windows\system32\Modlbmmn.exe79⤵PID:2480
-
C:\Windows\SysWOW64\Mnglnj32.exeC:\Windows\system32\Mnglnj32.exe80⤵PID:1796
-
C:\Windows\SysWOW64\Mdadjd32.exeC:\Windows\system32\Mdadjd32.exe81⤵PID:2460
-
C:\Windows\SysWOW64\Mimpkcdn.exeC:\Windows\system32\Mimpkcdn.exe82⤵PID:704
-
C:\Windows\SysWOW64\Nkkmgncb.exeC:\Windows\system32\Nkkmgncb.exe83⤵
- System Location Discovery: System Language Discovery
PID:1124 -
C:\Windows\SysWOW64\Njnmbk32.exeC:\Windows\system32\Njnmbk32.exe84⤵PID:1416
-
C:\Windows\SysWOW64\Nbeedh32.exeC:\Windows\system32\Nbeedh32.exe85⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2960 -
C:\Windows\SysWOW64\Ndcapd32.exeC:\Windows\system32\Ndcapd32.exe86⤵PID:2672
-
C:\Windows\SysWOW64\Ngbmlo32.exeC:\Windows\system32\Ngbmlo32.exe87⤵
- Drops file in System32 directory
PID:3060 -
C:\Windows\SysWOW64\Nknimnap.exeC:\Windows\system32\Nknimnap.exe88⤵PID:2660
-
C:\Windows\SysWOW64\Nnleiipc.exeC:\Windows\system32\Nnleiipc.exe89⤵
- System Location Discovery: System Language Discovery
PID:2188 -
C:\Windows\SysWOW64\Nqjaeeog.exeC:\Windows\system32\Nqjaeeog.exe90⤵
- Drops file in System32 directory
PID:2804 -
C:\Windows\SysWOW64\Ncinap32.exeC:\Windows\system32\Ncinap32.exe91⤵PID:2776
-
C:\Windows\SysWOW64\Nfgjml32.exeC:\Windows\system32\Nfgjml32.exe92⤵
- System Location Discovery: System Language Discovery
PID:2992 -
C:\Windows\SysWOW64\Nnnbni32.exeC:\Windows\system32\Nnnbni32.exe93⤵
- System Location Discovery: System Language Discovery
PID:624 -
C:\Windows\SysWOW64\Nmabjfek.exeC:\Windows\system32\Nmabjfek.exe94⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1872 -
C:\Windows\SysWOW64\Nckkgp32.exeC:\Windows\system32\Nckkgp32.exe95⤵PID:2464
-
C:\Windows\SysWOW64\Nggggoda.exeC:\Windows\system32\Nggggoda.exe96⤵PID:1912
-
C:\Windows\SysWOW64\Nfigck32.exeC:\Windows\system32\Nfigck32.exe97⤵PID:2476
-
C:\Windows\SysWOW64\Nmcopebh.exeC:\Windows\system32\Nmcopebh.exe98⤵PID:2352
-
C:\Windows\SysWOW64\Npbklabl.exeC:\Windows\system32\Npbklabl.exe99⤵PID:2344
-
C:\Windows\SysWOW64\Ncmglp32.exeC:\Windows\system32\Ncmglp32.exe100⤵PID:2580
-
C:\Windows\SysWOW64\Nflchkii.exeC:\Windows\system32\Nflchkii.exe101⤵PID:588
-
C:\Windows\SysWOW64\Nijpdfhm.exeC:\Windows\system32\Nijpdfhm.exe102⤵PID:2172
-
C:\Windows\SysWOW64\Nlilqbgp.exeC:\Windows\system32\Nlilqbgp.exe103⤵PID:2796
-
C:\Windows\SysWOW64\Obbdml32.exeC:\Windows\system32\Obbdml32.exe104⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1308 -
C:\Windows\SysWOW64\Oimmjffj.exeC:\Windows\system32\Oimmjffj.exe105⤵
- System Location Discovery: System Language Discovery
PID:2740 -
C:\Windows\SysWOW64\Omhhke32.exeC:\Windows\system32\Omhhke32.exe106⤵PID:1200
-
C:\Windows\SysWOW64\Oniebmda.exeC:\Windows\system32\Oniebmda.exe107⤵PID:840
-
C:\Windows\SysWOW64\Obeacl32.exeC:\Windows\system32\Obeacl32.exe108⤵PID:1612
-
C:\Windows\SysWOW64\Oecmogln.exeC:\Windows\system32\Oecmogln.exe109⤵PID:2152
-
C:\Windows\SysWOW64\Ohbikbkb.exeC:\Windows\system32\Ohbikbkb.exe110⤵PID:1712
-
C:\Windows\SysWOW64\Opialpld.exeC:\Windows\system32\Opialpld.exe111⤵PID:1000
-
C:\Windows\SysWOW64\Onlahm32.exeC:\Windows\system32\Onlahm32.exe112⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2732 -
C:\Windows\SysWOW64\Oiafee32.exeC:\Windows\system32\Oiafee32.exe113⤵PID:1520
-
C:\Windows\SysWOW64\Ohdfqbio.exeC:\Windows\system32\Ohdfqbio.exe114⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2780 -
C:\Windows\SysWOW64\Onnnml32.exeC:\Windows\system32\Onnnml32.exe115⤵PID:2284
-
C:\Windows\SysWOW64\Objjnkie.exeC:\Windows\system32\Objjnkie.exe116⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:1648 -
C:\Windows\SysWOW64\Odkgec32.exeC:\Windows\system32\Odkgec32.exe117⤵
- System Location Discovery: System Language Discovery
PID:1860 -
C:\Windows\SysWOW64\Ohfcfb32.exeC:\Windows\system32\Ohfcfb32.exe118⤵PID:2340
-
C:\Windows\SysWOW64\Ojeobm32.exeC:\Windows\system32\Ojeobm32.exe119⤵PID:1512
-
C:\Windows\SysWOW64\Onqkclni.exeC:\Windows\system32\Onqkclni.exe120⤵PID:3008
-
C:\Windows\SysWOW64\Oejcpf32.exeC:\Windows\system32\Oejcpf32.exe121⤵
- Modifies registry class
PID:564
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-