Analysis

max time kernel: 54s
max time network: 17s
platform: windows7_x64
resource: win7-20240729-en
resource tags: arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system
submitted: 14/08/2024, 19:58
Static task: static1

Behavioral task: behavioral1
Sample: 2908d0e4c3b3839019ddace6fbe8e46fe0b748cdb8d3c5a16103d6326cb3c64e.exe
Resource: win7-20240729-en

Behavioral task: behavioral2
Sample: 2908d0e4c3b3839019ddace6fbe8e46fe0b748cdb8d3c5a16103d6326cb3c64e.exe
Resource: win10v2004-20240802-en
General

Target: 2908d0e4c3b3839019ddace6fbe8e46fe0b748cdb8d3c5a16103d6326cb3c64e.exe
Size: 96KB
MD5: ce8493a07d64c9739d99a7c0dff67733
SHA1: fa626c5076cb2abb04e175af84292fa2dd12304b
SHA256: 2908d0e4c3b3839019ddace6fbe8e46fe0b748cdb8d3c5a16103d6326cb3c64e
SHA512: e31619beaa73e3c7b88e1bd332fdd822a9322a3362a4b40d553abd102bad20067d5878166a33f6ec64666b3f4dc4d04b9b8a378bc4a59a412c97b670dfd9f017
SSDEEP: 1536:QEnyEu/htTWczbn2vLN1GGzT/RJ0XhuouX/BOmuwCMy0QiLiizHNQNdq:2/XLCvKGv5OmhCMyELiAHONdq
Malware Config

Signatures
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
Executes dropped EXE 64 IoCs
Loads dropped DLL 64 IoCs
Drops file in System32 directory 64 IoCs
Program crash 1 IoCs
pid   pid_target   Process        procid_target
8612  8576         WerFault.exe   896
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Modifies registry class 64 IoCs
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
Each process in the chain spawns the next one (depth increases by one per step); the image path is the on-disk file and the command line is how it was launched.

| Depth | Image path | Command line | PID | Signatures |
|---|---|---|---|---|
| 1 | C:\Users\Admin\AppData\Local\Temp\2908d0e4c3b3839019ddace6fbe8e46fe0b748cdb8d3c5a16103d6326cb3c64e.exe | "C:\Users\Admin\AppData\Local\Temp\2908d0e4c3b3839019ddace6fbe8e46fe0b748cdb8d3c5a16103d6326cb3c64e.exe" | 2536 | Loads dropped DLL; Suspicious use of WriteProcessMemory |
| 2 | C:\Windows\SysWOW64\Cgbhibkd.exe | C:\Windows\system32\Cgbhibkd.exe | 1720 | Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory |
| 3 | C:\Windows\SysWOW64\Cloqaiil.exe | C:\Windows\system32\Cloqaiil.exe | 1648 | Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory |
| 4 | C:\Windows\SysWOW64\Cciincqi.exe | C:\Windows\system32\Cciincqi.exe | 2424 | Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory |
| 5 | C:\Windows\SysWOW64\Cheafjop.exe | C:\Windows\system32\Cheafjop.exe | 2880 | Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory |
| 6 | C:\Windows\SysWOW64\Cckeccnf.exe | C:\Windows\system32\Cckeccnf.exe | 2748 | Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory |
| 7 | C:\Windows\SysWOW64\Cdlbkk32.exe | C:\Windows\system32\Cdlbkk32.exe | 2972 | Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory |
| 8 | C:\Windows\SysWOW64\Dkfjhela.exe | C:\Windows\system32\Dkfjhela.exe | 2904 | Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory |
| 9 | C:\Windows\SysWOW64\Dgmkmfae.exe | C:\Windows\system32\Dgmkmfae.exe | 2100 | Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory |
| 10 | C:\Windows\SysWOW64\Dodcncbh.exe | C:\Windows\system32\Dodcncbh.exe | 2988 | Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory |
| 11 | C:\Windows\SysWOW64\Dpepfl32.exe | C:\Windows\system32\Dpepfl32.exe | 2448 | Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory |
| 12 | C:\Windows\SysWOW64\Dhmggi32.exe | C:\Windows\system32\Dhmggi32.exe | 1248 | Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory |
| 13 | C:\Windows\SysWOW64\Dphlkk32.exe | C:\Windows\system32\Dphlkk32.exe | 2920 | Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory |
| 14 | C:\Windows\SysWOW64\Dgbdhe32.exe | C:\Windows\system32\Dgbdhe32.exe | 2876 | Executes dropped EXE; Loads dropped DLL; System Location Discovery: System Language Discovery; Modifies registry class; Suspicious use of WriteProcessMemory |
| 15 | C:\Windows\SysWOW64\Djbmjq32.exe | C:\Windows\system32\Djbmjq32.exe | 1772 | Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory |
| 16 | C:\Windows\SysWOW64\Dlajfl32.exe | C:\Windows\system32\Dlajfl32.exe | 2716 | Executes dropped EXE; Loads dropped DLL; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory |
| 17 | C:\Windows\SysWOW64\Ehhjkm32.exe | C:\Windows\system32\Ehhjkm32.exe | 376 | Executes dropped EXE; Loads dropped DLL |
| 18 | C:\Windows\SysWOW64\Eqoblj32.exe | C:\Windows\system32\Eqoblj32.exe | 988 | Executes dropped EXE; Loads dropped DLL |
| 19 | C:\Windows\SysWOW64\Ecmohf32.exe | C:\Windows\system32\Ecmohf32.exe | 1324 | Executes dropped EXE; Loads dropped DLL |
| 20 | C:\Windows\SysWOW64\Elfcakep.exe | C:\Windows\system32\Elfcakep.exe | 1796 | Executes dropped EXE; Loads dropped DLL; Modifies registry class |
| 21 | C:\Windows\SysWOW64\Edahen32.exe | C:\Windows\system32\Edahen32.exe | 1672 | Executes dropped EXE; Loads dropped DLL |
| 22 | C:\Windows\SysWOW64\Emhpfk32.exe | C:\Windows\system32\Emhpfk32.exe | 1288 | Executes dropped EXE; Loads dropped DLL |
| 23 | C:\Windows\SysWOW64\Ebehob32.exe | C:\Windows\system32\Ebehob32.exe | 1436 | Executes dropped EXE; Loads dropped DLL |
| 24 | C:\Windows\SysWOW64\Edcdkm32.exe | C:\Windows\system32\Edcdkm32.exe | 1704 | Executes dropped EXE; Loads dropped DLL |
| 25 | C:\Windows\SysWOW64\Eoiihf32.exe | C:\Windows\system32\Eoiihf32.exe | 1020 | Executes dropped EXE; Loads dropped DLL; System Location Discovery: System Language Discovery |
| 26 | C:\Windows\SysWOW64\Ekpimg32.exe | C:\Windows\system32\Ekpimg32.exe | 2572 | Executes dropped EXE; Loads dropped DLL |
| 27 | C:\Windows\SysWOW64\Fdhnfmmb.exe | C:\Windows\system32\Fdhnfmmb.exe | 2832 | Executes dropped EXE; Loads dropped DLL |
| 28 | C:\Windows\SysWOW64\Fcknai32.exe | C:\Windows\system32\Fcknai32.exe | 2772 | Executes dropped EXE; Loads dropped DLL |
| 29 | C:\Windows\SysWOW64\Fmcbjojn.exe | C:\Windows\system32\Fmcbjojn.exe | 2740 | Executes dropped EXE; Loads dropped DLL |
| 30 | C:\Windows\SysWOW64\Fcmkgi32.exe | C:\Windows\system32\Fcmkgi32.exe | 2948 | Executes dropped EXE; Loads dropped DLL |
| 31 | C:\Windows\SysWOW64\Fgiggh32.exe | C:\Windows\system32\Fgiggh32.exe | 2632 | Executes dropped EXE; Loads dropped DLL |
| 32 | C:\Windows\SysWOW64\Ffkgcdqn.exe | C:\Windows\system32\Ffkgcdqn.exe | 2616 | Executes dropped EXE; Loads dropped DLL; Drops file in System32 directory |
| 33 | C:\Windows\SysWOW64\Fjgcdc32.exe | C:\Windows\system32\Fjgcdc32.exe | 2976 | Executes dropped EXE; System Location Discovery: System Language Discovery; Modifies registry class |
| 34 | C:\Windows\SysWOW64\Fcpgmiph.exe | C:\Windows\system32\Fcpgmiph.exe | 2440 | Executes dropped EXE; System Location Discovery: System Language Discovery |
| 35 | C:\Windows\SysWOW64\Fpfhaj32.exe | C:\Windows\system32\Fpfhaj32.exe | 2804 | Executes dropped EXE |
| 36 | C:\Windows\SysWOW64\Fcbdbhme.exe | C:\Windows\system32\Fcbdbhme.exe | 2680 | Executes dropped EXE |
| 37 | C:\Windows\SysWOW64\Ffpqndmi.exe | C:\Windows\system32\Ffpqndmi.exe | 2796 | Executes dropped EXE |
| 38 | C:\Windows\SysWOW64\Fiomjp32.exe | C:\Windows\system32\Fiomjp32.exe | 2996 | Executes dropped EXE |
| 39 | C:\Windows\SysWOW64\Fphegici.exe | C:\Windows\system32\Fphegici.exe | 2500 | Executes dropped EXE |
| 40 | C:\Windows\SysWOW64\Fcdahh32.exe | C:\Windows\system32\Fcdahh32.exe | 2364 | Executes dropped EXE |
| 41 | C:\Windows\SysWOW64\Fbgacebm.exe | C:\Windows\system32\Fbgacebm.exe | 2436 | Executes dropped EXE |
| 42 | C:\Windows\SysWOW64\Geemoqaq.exe | C:\Windows\system32\Geemoqaq.exe | 2588 | Executes dropped EXE |
| 43 | C:\Windows\SysWOW64\Giaipo32.exe | C:\Windows\system32\Giaipo32.exe | 1812 | Executes dropped EXE |
| 44 | C:\Windows\SysWOW64\Gmleqnbc.exe | C:\Windows\system32\Gmleqnbc.exe | 908 | Executes dropped EXE; Modifies registry class |
| 45 | C:\Windows\SysWOW64\Gpkamiag.exe | C:\Windows\system32\Gpkamiag.exe | 1152 | Executes dropped EXE; Drops file in System32 directory |
| 46 | C:\Windows\SysWOW64\Gnnbhf32.exe | C:\Windows\system32\Gnnbhf32.exe | 444 | Executes dropped EXE; Modifies registry class |
| 47 | C:\Windows\SysWOW64\Gfejic32.exe | C:\Windows\system32\Gfejic32.exe | 1984 | Executes dropped EXE |
| 48 | C:\Windows\SysWOW64\Gehjepon.exe | C:\Windows\system32\Gehjepon.exe | 1964 | Executes dropped EXE |
| 49 | C:\Windows\SysWOW64\Glabajgk.exe | C:\Windows\system32\Glabajgk.exe | 2260 | Executes dropped EXE |
| 50 | C:\Windows\SysWOW64\Gpmnbi32.exe | C:\Windows\system32\Gpmnbi32.exe | 1576 | Executes dropped EXE |
| 51 | C:\Windows\SysWOW64\Gaokjaeb.exe | C:\Windows\system32\Gaokjaeb.exe | 2064 | Executes dropped EXE |
| 52 | C:\Windows\SysWOW64\Gejgjp32.exe | C:\Windows\system32\Gejgjp32.exe | 2760 | Executes dropped EXE |
| 53 | C:\Windows\SysWOW64\Gieckned.exe | C:\Windows\system32\Gieckned.exe | 3016 | Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE |
| 54 | C:\Windows\SysWOW64\Gldogjeh.exe | C:\Windows\system32\Gldogjeh.exe | 2792 | Executes dropped EXE |
| 55 | C:\Windows\SysWOW64\Gjgobg32.exe | C:\Windows\system32\Gjgobg32.exe | 2696 | Executes dropped EXE; System Location Discovery: System Language Discovery |
| 56 | C:\Windows\SysWOW64\Gaagoqcp.exe | C:\Windows\system32\Gaagoqcp.exe | 2924 | Executes dropped EXE |
| 57 | C:\Windows\SysWOW64\Gdodllbc.exe | C:\Windows\system32\Gdodllbc.exe | 1888 | Executes dropped EXE |
| 58 | C:\Windows\SysWOW64\Ghkplk32.exe | C:\Windows\system32\Ghkplk32.exe | 1276 | Executes dropped EXE |
| 59 | C:\Windows\SysWOW64\Gjilhfip.exe | C:\Windows\system32\Gjilhfip.exe | 1084 | Executes dropped EXE |
| 60 | C:\Windows\SysWOW64\Gmghdahd.exe | C:\Windows\system32\Gmghdahd.exe | 2116 | Executes dropped EXE |
| 61 | C:\Windows\SysWOW64\Gacdeq32.exe | C:\Windows\system32\Gacdeq32.exe | 1808 | Executes dropped EXE |
| 62 | C:\Windows\SysWOW64\Geopeoif.exe | C:\Windows\system32\Geopeoif.exe | 1708 | Executes dropped EXE |
| 63 | C:\Windows\SysWOW64\Ghmmakhj.exe | C:\Windows\system32\Ghmmakhj.exe | 2200 | Executes dropped EXE |
| 64 | C:\Windows\SysWOW64\Gjlinfgm.exe | C:\Windows\system32\Gjlinfgm.exe | 1912 | Executes dropped EXE |
| 65 | C:\Windows\SysWOW64\Gmjejafa.exe | C:\Windows\system32\Gmjejafa.exe | 540 | Executes dropped EXE |
| 66 | C:\Windows\SysWOW64\Haeajp32.exe | C:\Windows\system32\Haeajp32.exe | 600 | |
| 67 | C:\Windows\SysWOW64\Hhpigjfg.exe | C:\Windows\system32\Hhpigjfg.exe | 1776 | |
| 68 | C:\Windows\SysWOW64\Hfbicg32.exe | C:\Windows\system32\Hfbicg32.exe | 1740 | Adds autorun key to be loaded by Explorer.exe on startup |
| 69 | C:\Windows\SysWOW64\Hmlapa32.exe | C:\Windows\system32\Hmlapa32.exe | 1600 | |
| 70 | C:\Windows\SysWOW64\Hpknlm32.exe | C:\Windows\system32\Hpknlm32.exe | 1924 | Modifies registry class |
| 71 | C:\Windows\SysWOW64\Hdfjlklk.exe | C:\Windows\system32\Hdfjlklk.exe | 1684 | |
| 72 | C:\Windows\SysWOW64\Hbijhh32.exe | C:\Windows\system32\Hbijhh32.exe | 2444 | |
| 73 | C:\Windows\SysWOW64\Hicbdbjb.exe | C:\Windows\system32\Hicbdbjb.exe | 2812 | |
| 74 | C:\Windows\SysWOW64\Hpmkal32.exe | C:\Windows\system32\Hpmkal32.exe | 2784 | |
| 75 | C:\Windows\SysWOW64\Hbkgmh32.exe | C:\Windows\system32\Hbkgmh32.exe | 2020 | |
| 76 | C:\Windows\SysWOW64\Hejcic32.exe | C:\Windows\system32\Hejcic32.exe | 628 | |
| 77 | C:\Windows\SysWOW64\Hieojahp.exe | C:\Windows\system32\Hieojahp.exe | 2216 | System Location Discovery: System Language Discovery |
| 78 | C:\Windows\SysWOW64\Hldkfm32.exe | C:\Windows\system32\Hldkfm32.exe | 892 | |
| 79 | C:\Windows\SysWOW64\Hpogglpm.exe | C:\Windows\system32\Hpogglpm.exe | 2868 | |
| 80 | C:\Windows\SysWOW64\Hbnccgoq.exe | C:\Windows\system32\Hbnccgoq.exe | 1652 | |
| 81 | C:\Windows\SysWOW64\Helpocnd.exe | C:\Windows\system32\Helpocnd.exe | 2212 | |
| 82 | C:\Windows\SysWOW64\Hihlpa32.exe | C:\Windows\system32\Hihlpa32.exe | 928 | |
| 83 | C:\Windows\SysWOW64\Hlfhlm32.exe | C:\Windows\system32\Hlfhlm32.exe | 2156 | |
| 84 | C:\Windows\SysWOW64\Hpadllnj.exe | C:\Windows\system32\Hpadllnj.exe | 1972 | |
| 85 | C:\Windows\SysWOW64\Hoddhh32.exe | C:\Windows\system32\Hoddhh32.exe | 1328 | |
| 86 | C:\Windows\SysWOW64\Hbpphgmn.exe | C:\Windows\system32\Hbpphgmn.exe | 1596 | |
| 87 | C:\Windows\SysWOW64\Hijhea32.exe | C:\Windows\system32\Hijhea32.exe | 2348 | |
| 88 | C:\Windows\SysWOW64\Ihmiqnke.exe | C:\Windows\system32\Ihmiqnke.exe | 2820 | |
| 89 | C:\Windows\SysWOW64\Ilheam32.exe | C:\Windows\system32\Ilheam32.exe | 2840 | Adds autorun key to be loaded by Explorer.exe on startup |
| 90 | C:\Windows\SysWOW64\Iogamhbb.exe | C:\Windows\system32\Iogamhbb.exe | 2888 | |
| 91 | C:\Windows\SysWOW64\Iddieoqi.exe | C:\Windows\system32\Iddieoqi.exe | 2144 | |
| 92 | C:\Windows\SysWOW64\Ihoefn32.exe | C:\Windows\system32\Ihoefn32.exe | 896 | |
| 93 | C:\Windows\SysWOW64\Ilkaglal.exe | C:\Windows\system32\Ilkaglal.exe | 2872 | |
| 94 | C:\Windows\SysWOW64\Ioinchpo.exe | C:\Windows\system32\Ioinchpo.exe | 1968 | |
| 95 | C:\Windows\SysWOW64\Iahjococ.exe | C:\Windows\system32\Iahjococ.exe | 1432 | |
| 96 | C:\Windows\SysWOW64\Idffkoog.exe | C:\Windows\system32\Idffkoog.exe | 2556 | |
| 97 | C:\Windows\SysWOW64\Igdbgjnj.exe | C:\Windows\system32\Igdbgjnj.exe | 1868 | |
| 98 | C:\Windows\SysWOW64\Ikpnhi32.exe | C:\Windows\system32\Ikpnhi32.exe | 1564 | |
| 99 | C:\Windows\SysWOW64\Innkddeg.exe | C:\Windows\system32\Innkddeg.exe | 3052 | |
| 100 | C:\Windows\SysWOW64\Iajgdc32.exe | C:\Windows\system32\Iajgdc32.exe | 2372 | |
| 101 | C:\Windows\SysWOW64\Idhcqn32.exe | C:\Windows\system32\Idhcqn32.exe | 2548 | |
| 102 | C:\Windows\SysWOW64\Ihdoamem.exe | C:\Windows\system32\Ihdoamem.exe | 2052 | Drops file in System32 directory |
| 103 | C:\Windows\SysWOW64\Ikbkmhda.exe | C:\Windows\system32\Ikbkmhda.exe | 2668 | Modifies registry class |
| 104 | C:\Windows\SysWOW64\Iiekie32.exe | C:\Windows\system32\Iiekie32.exe | 1096 | |
| 105 | C:\Windows\SysWOW64\Ialcjb32.exe | C:\Windows\system32\Ialcjb32.exe | 2660 | Drops file in System32 directory |
| 106 | C:\Windows\SysWOW64\Idkpfn32.exe | C:\Windows\system32\Idkpfn32.exe | 1280 | Modifies registry class |
| 107 | C:\Windows\SysWOW64\Igilbi32.exe | C:\Windows\system32\Igilbi32.exe | 2332 | |
| 108 | C:\Windows\SysWOW64\Ijghoe32.exe | C:\Windows\system32\Ijghoe32.exe | 2452 | Drops file in System32 directory |
| 109 | C:\Windows\SysWOW64\Incdocab.exe | C:\Windows\system32\Incdocab.exe | 1928 | |
| 110 | C:\Windows\SysWOW64\Idmllnho.exe | C:\Windows\system32\Idmllnho.exe | 3036 | |
| 111 | C:\Windows\SysWOW64\Jgkhhigb.exe | C:\Windows\system32\Jgkhhigb.exe | 2400 | System Location Discovery: System Language Discovery |
| 112 | C:\Windows\SysWOW64\Jenicf32.exe | C:\Windows\system32\Jenicf32.exe | 1608 | Drops file in System32 directory |
| 113 | C:\Windows\SysWOW64\Jneadc32.exe | C:\Windows\system32\Jneadc32.exe | 1604 | |
| 114 | C:\Windows\SysWOW64\Jlhappfj.exe | C:\Windows\system32\Jlhappfj.exe | 2540 | |
| 115 | C:\Windows\SysWOW64\Jogmlken.exe | C:\Windows\system32\Jogmlken.exe | 2636 | |
| 116 | C:\Windows\SysWOW64\Jcbimj32.exe | C:\Windows\system32\Jcbimj32.exe | 2164 | |
| 117 | C:\Windows\SysWOW64\Jfqeie32.exe | C:\Windows\system32\Jfqeie32.exe | 2224 | |
| 118 | C:\Windows\SysWOW64\Jjlajddc.exe | C:\Windows\system32\Jjlajddc.exe | 2508 | |
| 119 | C:\Windows\SysWOW64\Jhobea32.exe | C:\Windows\system32\Jhobea32.exe | 2288 | |
| 120 | C:\Windows\SysWOW64\Jpfjfn32.exe | C:\Windows\system32\Jpfjfn32.exe | 1348 | System Location Discovery: System Language Discovery; Modifies registry class |
| 121 | C:\Windows\SysWOW64\Jcdfbjkd.exe | C:\Windows\system32\Jcdfbjkd.exe | 1760 | |
| 122 | C:\Windows\SysWOW64\Jfcboejh.exe | C:\Windows\system32\Jfcboejh.exe | 704 | Drops file in System32 directory; System Location Discovery: System Language Discovery |