Analysis
-
max time kernel
120s -
max time network
19s -
platform
windows7_x64 -
resource
win7-20240705-en -
resource tags
arch:x64 arch:x86 image:win7-20240705-en locale:en-us os:windows7-x64 system -
submitted
19-08-2024 08:45
Static task
static1
Behavioral task
behavioral1
Sample
f586b05e0367b9397e9c1a87f9ed5dd0N.exe
Resource
win7-20240705-en
Behavioral task
behavioral2
Sample
f586b05e0367b9397e9c1a87f9ed5dd0N.exe
Resource
win10v2004-20240802-en
General
-
Target
f586b05e0367b9397e9c1a87f9ed5dd0N.exe
-
Size
512KB
-
MD5
f586b05e0367b9397e9c1a87f9ed5dd0
-
SHA1
653926dc2c454e4cf0aaef8fe760ecf73cba3800
-
SHA256
90c901f7f712c8f12942ea880bf19b33585a85f0cd17a5eb1e5dc90834675634
-
SHA512
cebe60f4f1ad8aeab9f4be33804c448ed3ab7cd10ab9e666ca3639622a2e5ae77a344392de0ade5697011a6b46f33af06973b448be1d182b861eee9d6c47bbe6
-
SSDEEP
12288:aiNSN6G5tdh5t6NSN6G5t1sI5yl48pArv8o4L:Tc6W0c6Ysd
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
Executes dropped EXE 64 IoCs
Loads dropped DLL 64 IoCs
Drops file in System32 directory 64 IoCs
Program crash 1 IoCs
pid: 2644, pid_target: 2484, Process: Process not Found, procid_target: 1108 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Blgamkdd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kikfbm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aefgao32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dfehdnde.dll" Fpqfcl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aelinh32.dll" Dgdane32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imcbkiem.dll" Gaeoaggf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Enqfbqok.dll" Fbckjfip.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fhbnpdnq.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Flejbmfh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dgphbfoc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Geemoqaq.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) 
\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hkhfoa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Flnibcdn.dll" Jjgbeo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cjkiaffj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hkmckm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hcajaqai.dll" Feaeni32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hoobin32.dll" Oopocfgl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bhhjljgp.dll" Cgbochop.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fcokem32.dll" Enffedpn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kgeogaeo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jgficdgo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qkhbbcjm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dhjkai32.exe Key created 
\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Iahjococ.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aljomhjp.dll" Diekle32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hjhqaobe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mnpalh32.dll" Gicfeogg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgjnho32.dll" Knkmil32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fmfiol32.dll" Ibghfj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Adcncabg.dll" Nnkpkdio.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ocqkfn32.dll" Ejoagm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dcffonnc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ffihelkm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Onaflccf.exe Set value (str) 
\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kgeppn32.dll" Bjphhcon.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mhaacc32.dll" Jagfnf32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Akocmjfk.dll" Jfcboejh.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ogbnjd32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndlgdn32.dll" Gbakdjnn.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mekhehea.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cieknp32.dll" Iqanbf32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ebofpc32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Alfalgok.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Onaflccf.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cdjcmcoc.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Epapoo32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ihablm32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mqfgok32.dll" Nlejhmge.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qnflff32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mpileedj.dll" Qaadblog.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Geemoqaq.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Moolip32.dll" Ejjjef32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Icjhpc32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Knjbcd32.dll" Pndoqf32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qjkbnp32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ihocmeao.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pmnino32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aciiofbg.dll" Epapoo32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lpdcddde.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ccinpa32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nkikjdeb.dll" Banggcka.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mkbnpaln.exe
-
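The registry writes above are the second half of the "Adds autorun key to be loaded by Explorer.exe on startup" signature: the SSODL value names a CLSID, and the CLSID's InProcServer32 default value names a DLL in SysWow64, so the DLL is what a hunter actually needs. The Python below is an added example, not part of the sandbox report: it parses IoC lines in the report's own line format, joins the SSODL entry to its InProcServer32 path(s) and emits the flat indicators. SAMPLE_LINES is a constructed subset; the four CLSID lines are copied from the list above, the SSODL line is constructed in the shape of the report's autorun entries with a writer taken from the process tree, and the key names follow the report (Wow6432Node, i.e. the 32-bit registry view).

```python
r"""Resolve ShellServiceObjectDelayLoad (SSODL) persistence from sandbox IoC lines.

Two registry writes make up the persistence the report flags:
  HKLM\...\CurrentVersion\ShellServiceObjectDelayLoad\<name> = "{CLSID}"
  HKLM\SOFTWARE\Classes\CLSID\{CLSID}\InProcServer32\(Default) = "<dll path>"
Explorer.exe instantiates every CLSID listed under SSODL when it starts, which
loads the InProcServer32 DLL into explorer.exe.  This script joins the two
halves so the hunting indicator is the DLL path, not only the GUID.

Added example, not part of the report.  SAMPLE_LINES is a constructed subset
in the report's line format.
"""
import re
from collections import defaultdict

# "Set value (str) <key>\<name> = "<data>" <writer.exe>"  (name is empty for (Default))
SET_RE = re.compile(
    r'^Set value \((?P<type>\w+)\) (?P<path>\\REGISTRY\\.+?) = "(?P<data>[^"]*)" (?P<proc>\S+)$')
# "Key created <key> <writer.exe>"
KEY_RE = re.compile(r'^Key created (?P<path>\\REGISTRY\\.+) (?P<proc>\S+)$')
CLSID_RE = re.compile(r'\\CLSID\\(\{[0-9A-Fa-f-]+\})\\InProcServer32$')

SAMPLE_LINES = [
    # constructed: SSODL entry in the report's shape (writer name taken from the process tree)
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Adokdbib.exe',
    # copied from the report's "Modifies registry class" list
    r'Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ogbnjd32.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kgeppn32.dll" Bjphhcon.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mekhehea.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mhaacc32.dll" Jagfnf32.exe',
]


def parse_registry_events(lines):
    """Turn report IoC lines into dicts; lines in any other shape are skipped."""
    events = []
    for line in lines:
        line = line.strip()
        m = SET_RE.match(line)
        if m:
            key, _, name = m.group('path').rpartition('\\')   # name == '' for (Default)
            events.append({'op': 'set', 'key': key, 'name': name,
                           'data': m.group('data').replace('\\\\', '\\'),  # report doubles backslashes
                           'proc': m.group('proc')})
            continue
        m = KEY_RE.match(line)
        if m:
            events.append({'op': 'create', 'key': m.group('path'),
                           'name': None, 'data': None, 'proc': m.group('proc')})
    return events


def resolve_ssodl(events):
    """Map each SSODL entry to the DLL(s) its CLSID's InProcServer32 points at."""
    servers = defaultdict(lambda: {'dlls': set(), 'writers': set()})
    ssodl = {}
    for ev in events:
        if ev['op'] != 'set':
            continue
        m = CLSID_RE.search(ev['key'])
        if m and ev['name'] == '':                      # InProcServer32 (Default) = dll
            clsid = m.group(1).upper()
            servers[clsid]['dlls'].add(ev['data'])
            servers[clsid]['writers'].add(ev['proc'])
        elif ev['key'].lower().endswith('\\shellserviceobjectdelayload'):
            ssodl[ev['name']] = {'clsid': ev['data'].upper(), 'writer': ev['proc'],
                                 # Wow6432Node = 32-bit view; a 64-bit explorer.exe reads the native view
                                 'wow64_view': '\\wow6432node\\' in ev['key'].lower()}
    result = {}
    for name, entry in ssodl.items():
        srv = servers.get(entry['clsid'])
        result[name] = {
            'clsid': entry['clsid'],
            'registered_by': entry['writer'],
            'wow64_view': entry['wow64_view'],
            'dlls': sorted(srv['dlls']) if srv else [],
            'server_writers': sorted(srv['writers']) if srv else [],
            # True when the trace itself registered the COM server: self-contained persistence
            'server_written_in_trace': srv is not None,
        }
    return result


def hunting_iocs(resolved):
    """Flat indicators for a registry/file sweep across other hosts."""
    return {'clsids': sorted({r['clsid'] for r in resolved.values()}),
            'dlls': sorted({d for r in resolved.values() for d in r['dlls']})}


if __name__ == '__main__':
    resolved = resolve_ssodl(parse_registry_events(SAMPLE_LINES))
    for name, info in resolved.items():
        view = 'Wow6432Node (32-bit view)' if info['wow64_view'] else 'native view'
        print(f'{name}: {info["clsid"]} -> {info["dlls"]} [{view}]')
    print(hunting_iocs(resolved))
```

On a live host the same join is done between HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad and HKLM\SOFTWARE\Classes\CLSID\{guid}\InProcServer32. Check both registry views: this sample writes under Wow6432Node because it is 32-bit, and the 64-bit explorer.exe on an x64 host reads the native view, so the same family on a 32-bit host (or a 32-bit Explorer) lands under the non-Wow6432Node paths instead.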
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target
(the report lists every parent-to-child write four times; the duplicates are collapsed below with the count shown)
PID 1896 wrote to memory of 1336  1896  f586b05e0367b9397e9c1a87f9ed5dd0N.exe  29  (4 writes)
PID 1336 wrote to memory of 1752  1336  Phfaknce.exe  30  (4 writes)
PID 1752 wrote to memory of 2004  1752  Pbpbklpd.exe  31  (4 writes)
PID 2004 wrote to memory of 1224  2004  Pdpoeo32.exe  32  (4 writes)
PID 1224 wrote to memory of 2280  1224  Qlkcjadb.exe  33  (4 writes)
PID 2280 wrote to memory of 2724  2280  Qiodcecl.exe  34  (4 writes)
PID 2724 wrote to memory of 588  2724  Qpilpo32.exe  35  (4 writes)
PID 588 wrote to memory of 296  588  Adkaib32.exe  36  (4 writes)
PID 296 wrote to memory of 2668  296  Ancfbhdh.exe  37  (4 writes)
PID 2668 wrote to memory of 1644  2668  Akgfll32.exe  38  (4 writes)
PID 1644 wrote to memory of 2136  1644  Adokdbib.exe  39  (4 writes)
PID 2136 wrote to memory of 2716  2136  Adagjagp.exe  40  (4 writes)
PID 2716 wrote to memory of 2952  2716  Bphhobmd.exe  41  (4 writes)
PID 2952 wrote to memory of 2328  2952  Bjamhh32.exe  42  (4 writes)
PID 2328 wrote to memory of 2876  2328  Bonepo32.exe  43  (4 writes)
PID 2876 wrote to memory of 2340  2876  Bfjjbi32.exe  44  (4 writes)
Processes
-
Each entry gives the tree depth, the image path, the command line as launched, the PID, and the signatures the report attached to that process. Every process is the child of the one above it: the tree is a single chain of 122 processes, each dropped binary launching the next. The image sits in SysWOW64 while the command line names system32 because the sample is 32-bit and WOW64 file-system redirection maps system32 to SysWOW64 for it. "Executes dropped EXE" stops at depth 65 and "Suspicious use of WriteProcessMemory" at depth 16 (16 spawns x 4 writes) because those match the 64-IoC limit shown in the signature headers, not because the later processes behave differently.
1  C:\Users\Admin\AppData\Local\Temp\f586b05e0367b9397e9c1a87f9ed5dd0N.exe (command line: "C:\Users\Admin\AppData\Local\Temp\f586b05e0367b9397e9c1a87f9ed5dd0N.exe"), PID 1896: Loads dropped DLL; Suspicious use of WriteProcessMemory
2  C:\Windows\SysWOW64\Phfaknce.exe (command line: C:\Windows\system32\Phfaknce.exe), PID 1336: Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
3  C:\Windows\SysWOW64\Pbpbklpd.exe (command line: C:\Windows\system32\Pbpbklpd.exe), PID 1752: Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
4  C:\Windows\SysWOW64\Pdpoeo32.exe (command line: C:\Windows\system32\Pdpoeo32.exe), PID 2004: Executes dropped EXE; Loads dropped DLL; Drops file in System32 directory; Suspicious use of WriteProcessMemory
5  C:\Windows\SysWOW64\Qlkcjadb.exe (command line: C:\Windows\system32\Qlkcjadb.exe), PID 1224: Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
6  C:\Windows\SysWOW64\Qiodcecl.exe (command line: C:\Windows\system32\Qiodcecl.exe), PID 2280: Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
7  C:\Windows\SysWOW64\Qpilpo32.exe (command line: C:\Windows\system32\Qpilpo32.exe), PID 2724: Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
8  C:\Windows\SysWOW64\Adkaib32.exe (command line: C:\Windows\system32\Adkaib32.exe), PID 588: Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
9  C:\Windows\SysWOW64\Ancfbhdh.exe (command line: C:\Windows\system32\Ancfbhdh.exe), PID 296: Executes dropped EXE; Loads dropped DLL; Drops file in System32 directory; Suspicious use of WriteProcessMemory
10  C:\Windows\SysWOW64\Akgfll32.exe (command line: C:\Windows\system32\Akgfll32.exe), PID 2668: Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
11  C:\Windows\SysWOW64\Adokdbib.exe (command line: C:\Windows\system32\Adokdbib.exe), PID 1644: Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
12  C:\Windows\SysWOW64\Adagjagp.exe (command line: C:\Windows\system32\Adagjagp.exe), PID 2136: Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
13  C:\Windows\SysWOW64\Bphhobmd.exe (command line: C:\Windows\system32\Bphhobmd.exe), PID 2716: Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
14  C:\Windows\SysWOW64\Bjamhh32.exe (command line: C:\Windows\system32\Bjamhh32.exe), PID 2952: Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
15  C:\Windows\SysWOW64\Bonepo32.exe (command line: C:\Windows\system32\Bonepo32.exe), PID 2328: Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
16  C:\Windows\SysWOW64\Bfjjbi32.exe (command line: C:\Windows\system32\Bfjjbi32.exe), PID 2876: Executes dropped EXE; Loads dropped DLL; Drops file in System32 directory; Suspicious use of WriteProcessMemory
17  C:\Windows\SysWOW64\Bcnklm32.exe (command line: C:\Windows\system32\Bcnklm32.exe), PID 2340: Executes dropped EXE; Loads dropped DLL; Drops file in System32 directory
18  C:\Windows\SysWOW64\Bkiopock.exe (command line: C:\Windows\system32\Bkiopock.exe), PID 1928: Executes dropped EXE; Loads dropped DLL
19  C:\Windows\SysWOW64\Cbcgmi32.exe (command line: C:\Windows\system32\Cbcgmi32.exe), PID 2400: Executes dropped EXE; Loads dropped DLL
20  C:\Windows\SysWOW64\Coghfn32.exe (command line: C:\Windows\system32\Coghfn32.exe), PID 856: Executes dropped EXE; Loads dropped DLL
21  C:\Windows\SysWOW64\Chpmocpa.exe (command line: C:\Windows\system32\Chpmocpa.exe), PID 1488: Executes dropped EXE; Loads dropped DLL
22  C:\Windows\SysWOW64\Cknikooe.exe (command line: C:\Windows\system32\Cknikooe.exe), PID 1984: Executes dropped EXE; Loads dropped DLL
23  C:\Windows\SysWOW64\Cbhahigb.exe (command line: C:\Windows\system32\Cbhahigb.exe), PID 2296: Executes dropped EXE; Loads dropped DLL
24  C:\Windows\SysWOW64\Ccinpa32.exe (command line: C:\Windows\system32\Ccinpa32.exe), PID 2444: Executes dropped EXE; Loads dropped DLL; Modifies registry class
25  C:\Windows\SysWOW64\Cjcflkdm.exe (command line: C:\Windows\system32\Cjcflkdm.exe), PID 2236: Executes dropped EXE; Loads dropped DLL
26  C:\Windows\SysWOW64\Cckjeq32.exe (command line: C:\Windows\system32\Cckjeq32.exe), PID 1312: Executes dropped EXE; Loads dropped DLL
27  C:\Windows\SysWOW64\Cfjfal32.exe (command line: C:\Windows\system32\Cfjfal32.exe), PID 1540: Executes dropped EXE; Loads dropped DLL
28  C:\Windows\SysWOW64\Cqokoeig.exe (command line: C:\Windows\system32\Cqokoeig.exe), PID 1616: Executes dropped EXE; Loads dropped DLL
29  C:\Windows\SysWOW64\Ccngkphk.exe (command line: C:\Windows\system32\Ccngkphk.exe), PID 1524: Executes dropped EXE; Loads dropped DLL
30  C:\Windows\SysWOW64\Cikocggb.exe (command line: C:\Windows\system32\Cikocggb.exe), PID 2160: Executes dropped EXE; Loads dropped DLL
31  C:\Windows\SysWOW64\Dqagddge.exe (command line: C:\Windows\system32\Dqagddge.exe), PID 2768: Executes dropped EXE; Loads dropped DLL
32  C:\Windows\SysWOW64\Djjlmj32.exe (command line: C:\Windows\system32\Djjlmj32.exe), PID 2752: Executes dropped EXE; Loads dropped DLL
33  C:\Windows\SysWOW64\Dpgdealm.exe (command line: C:\Windows\system32\Dpgdealm.exe), PID 2524: Executes dropped EXE
34  C:\Windows\SysWOW64\Dfambk32.exe (command line: C:\Windows\system32\Dfambk32.exe), PID 2504: Executes dropped EXE
35  C:\Windows\SysWOW64\Dknejb32.exe (command line: C:\Windows\system32\Dknejb32.exe), PID 2760: Executes dropped EXE
36  C:\Windows\SysWOW64\Deficgha.exe (command line: C:\Windows\system32\Deficgha.exe), PID 2208: Executes dropped EXE; Drops file in System32 directory
37  C:\Windows\SysWOW64\Dlpbpa32.exe (command line: C:\Windows\system32\Dlpbpa32.exe), PID 2888: Executes dropped EXE
38  C:\Windows\SysWOW64\Dbjjll32.exe (command line: C:\Windows\system32\Dbjjll32.exe), PID 1732: Executes dropped EXE
39  C:\Windows\SysWOW64\Dlboeanl.exe (command line: C:\Windows\system32\Dlboeanl.exe), PID 2848: Executes dropped EXE
40  C:\Windows\SysWOW64\Daognhlc.exe (command line: C:\Windows\system32\Daognhlc.exe), PID 2604: Executes dropped EXE
41  C:\Windows\SysWOW64\Ehiojb32.exe (command line: C:\Windows\system32\Ehiojb32.exe), PID 1412: Executes dropped EXE
42  C:\Windows\SysWOW64\Ejgkfn32.exe (command line: C:\Windows\system32\Ejgkfn32.exe), PID 2352: Executes dropped EXE
43  C:\Windows\SysWOW64\Emfhbi32.exe (command line: C:\Windows\system32\Emfhbi32.exe), PID 2432: Executes dropped EXE
44  C:\Windows\SysWOW64\Eempcfbi.exe (command line: C:\Windows\system32\Eempcfbi.exe), PID 916: Executes dropped EXE
45  C:\Windows\SysWOW64\Enedml32.exe (command line: C:\Windows\system32\Enedml32.exe), PID 1492: Executes dropped EXE
46  C:\Windows\SysWOW64\Eadpig32.exe (command line: C:\Windows\system32\Eadpig32.exe), PID 1996: Executes dropped EXE; Drops file in System32 directory
47  C:\Windows\SysWOW64\Ehnieaoj.exe (command line: C:\Windows\system32\Ehnieaoj.exe), PID 1716: Executes dropped EXE
48  C:\Windows\SysWOW64\Emkanhnb.exe (command line: C:\Windows\system32\Emkanhnb.exe), PID 2164: Executes dropped EXE
49  C:\Windows\SysWOW64\Eafmng32.exe (command line: C:\Windows\system32\Eafmng32.exe), PID 1680: Executes dropped EXE; System Location Discovery: System Language Discovery
50  C:\Windows\SysWOW64\Eddijbeo.exe (command line: C:\Windows\system32\Eddijbeo.exe), PID 1548: Executes dropped EXE
51  C:\Windows\SysWOW64\Ejoagm32.exe (command line: C:\Windows\system32\Ejoagm32.exe), PID 1704: Executes dropped EXE; Modifies registry class
52  C:\Windows\SysWOW64\Emmnch32.exe (command line: C:\Windows\system32\Emmnch32.exe), PID 2592: Executes dropped EXE
53  C:\Windows\SysWOW64\Edgfpbcl.exe (command line: C:\Windows\system32\Edgfpbcl.exe), PID 2692: Executes dropped EXE
54  C:\Windows\SysWOW64\Eidohiac.exe (command line: C:\Windows\system32\Eidohiac.exe), PID 1044: Executes dropped EXE
55  C:\Windows\SysWOW64\Emojih32.exe (command line: C:\Windows\system32\Emojih32.exe), PID 2516: Executes dropped EXE
56  C:\Windows\SysWOW64\Fblcaohd.exe (command line: C:\Windows\system32\Fblcaohd.exe), PID 1744: Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Drops file in System32 directory
57  C:\Windows\SysWOW64\Ffhoam32.exe (command line: C:\Windows\system32\Ffhoam32.exe), PID 2476: Executes dropped EXE
58  C:\Windows\SysWOW64\Fldgjd32.exe (command line: C:\Windows\system32\Fldgjd32.exe), PID 2928: Executes dropped EXE
59  C:\Windows\SysWOW64\Foccfp32.exe (command line: C:\Windows\system32\Foccfp32.exe), PID 2896: Executes dropped EXE
60  C:\Windows\SysWOW64\Faapbk32.exe (command line: C:\Windows\system32\Faapbk32.exe), PID 2824: Executes dropped EXE
61  C:\Windows\SysWOW64\Fihhch32.exe (command line: C:\Windows\system32\Fihhch32.exe), PID 2560: Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE
62  C:\Windows\SysWOW64\Fkjdkqcl.exe (command line: C:\Windows\system32\Fkjdkqcl.exe), PID 2176: Executes dropped EXE
63  C:\Windows\SysWOW64\Feoihi32.exe (command line: C:\Windows\system32\Feoihi32.exe), PID 936: Executes dropped EXE
64  C:\Windows\SysWOW64\Fhnede32.exe (command line: C:\Windows\system32\Fhnede32.exe), PID 1464: Executes dropped EXE
65  C:\Windows\SysWOW64\Fklaqp32.exe (command line: C:\Windows\system32\Fklaqp32.exe), PID 320: Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE
66  C:\Windows\SysWOW64\Feaeni32.exe (command line: C:\Windows\system32\Feaeni32.exe), PID 2436: Modifies registry class
67  C:\Windows\SysWOW64\Fddeifgj.exe (command line: C:\Windows\system32\Fddeifgj.exe), PID 1748
68  C:\Windows\SysWOW64\Fojjfogp.exe (command line: C:\Windows\system32\Fojjfogp.exe), PID 3036: Adds autorun key to be loaded by Explorer.exe on startup
69  C:\Windows\SysWOW64\Fpkfng32.exe (command line: C:\Windows\system32\Fpkfng32.exe), PID 976
70  C:\Windows\SysWOW64\Fhbnpdnq.exe (command line: C:\Windows\system32\Fhbnpdnq.exe), PID 1676: Modifies registry class
71  C:\Windows\SysWOW64\Gkqjlpmd.exe (command line: C:\Windows\system32\Gkqjlpmd.exe), PID 2632
72  C:\Windows\SysWOW64\Gakchj32.exe (command line: C:\Windows\system32\Gakchj32.exe), PID 2720: Adds autorun key to be loaded by Explorer.exe on startup
73  C:\Windows\SysWOW64\Gpncdfkl.exe (command line: C:\Windows\system32\Gpncdfkl.exe), PID 2544
74  C:\Windows\SysWOW64\Gclopbjo.exe (command line: C:\Windows\system32\Gclopbjo.exe), PID 2520
75  C:\Windows\SysWOW64\Gmacmkje.exe (command line: C:\Windows\system32\Gmacmkje.exe), PID 2832
76  C:\Windows\SysWOW64\Gpppifii.exe (command line: C:\Windows\system32\Gpppifii.exe), PID 2028
77  C:\Windows\SysWOW64\Gemham32.exe (command line: C:\Windows\system32\Gemham32.exe), PID 2180
78  C:\Windows\SysWOW64\Gndpcj32.exe (command line: C:\Windows\system32\Gndpcj32.exe), PID 456
79  C:\Windows\SysWOW64\Gcqika32.exe (command line: C:\Windows\system32\Gcqika32.exe), PID 2144: Drops file in System32 directory
80  C:\Windows\SysWOW64\Gikahkng.exe (command line: C:\Windows\system32\Gikahkng.exe), PID 2152
81  C:\Windows\SysWOW64\Glimdgmj.exe (command line: C:\Windows\system32\Glimdgmj.exe), PID 2308
82  C:\Windows\SysWOW64\Gogipbln.exe (command line: C:\Windows\system32\Gogipbln.exe), PID 1872
83  C:\Windows\SysWOW64\Gjmnmk32.exe (command line: C:\Windows\system32\Gjmnmk32.exe), PID 2080
84  C:\Windows\SysWOW64\Glkjif32.exe (command line: C:\Windows\system32\Glkjif32.exe), PID 2192
85  C:\Windows\SysWOW64\Gcebfqbd.exe (command line: C:\Windows\system32\Gcebfqbd.exe), PID 2212
86  C:\Windows\SysWOW64\Hdfoni32.exe (command line: C:\Windows\system32\Hdfoni32.exe), PID 2324
87  C:\Windows\SysWOW64\Hlnfof32.exe (command line: C:\Windows\system32\Hlnfof32.exe), PID 2732
88  C:\Windows\SysWOW64\Hajogm32.exe (command line: C:\Windows\system32\Hajogm32.exe), PID 2528
89  C:\Windows\SysWOW64\Hdikch32.exe (command line: C:\Windows\system32\Hdikch32.exe), PID 2572
90  C:\Windows\SysWOW64\Honpqaff.exe (command line: C:\Windows\system32\Honpqaff.exe), PID 2384: System Location Discovery: System Language Discovery
91  C:\Windows\SysWOW64\Hamlmmej.exe (command line: C:\Windows\system32\Hamlmmej.exe), PID 2932
92  C:\Windows\SysWOW64\Hqplhi32.exe (command line: C:\Windows\system32\Hqplhi32.exe), PID 2884
93  C:\Windows\SysWOW64\Hkepfb32.exe (command line: C:\Windows\system32\Hkepfb32.exe), PID 2968
94  C:\Windows\SysWOW64\Hjhqaobe.exe (command line: C:\Windows\system32\Hjhqaobe.exe), PID 2368: Modifies registry class
95  C:\Windows\SysWOW64\Hqbini32.exe (command line: C:\Windows\system32\Hqbini32.exe), PID 1992: System Location Discovery: System Language Discovery
96  C:\Windows\SysWOW64\Hcpejd32.exe (command line: C:\Windows\system32\Hcpejd32.exe), PID 1580
97  C:\Windows\SysWOW64\Hjjmgo32.exe (command line: C:\Windows\system32\Hjjmgo32.exe), PID 1588
98  C:\Windows\SysWOW64\Hnfigmhk.exe (command line: C:\Windows\system32\Hnfigmhk.exe), PID 820
99  C:\Windows\SysWOW64\Hdpadg32.exe (command line: C:\Windows\system32\Hdpadg32.exe), PID 1924
100  C:\Windows\SysWOW64\Hgnnpc32.exe (command line: C:\Windows\system32\Hgnnpc32.exe), PID 1272
101  C:\Windows\SysWOW64\Hjmjln32.exe (command line: C:\Windows\system32\Hjmjln32.exe), PID 2688
102  C:\Windows\SysWOW64\Icenedep.exe (command line: C:\Windows\system32\Icenedep.exe), PID 2808
103  C:\Windows\SysWOW64\Ifckaodd.exe (command line: C:\Windows\system32\Ifckaodd.exe), PID 2556: System Location Discovery: System Language Discovery
104  C:\Windows\SysWOW64\Iibgmk32.exe (command line: C:\Windows\system32\Iibgmk32.exe), PID 1480
105  C:\Windows\SysWOW64\Iqiooh32.exe (command line: C:\Windows\system32\Iqiooh32.exe), PID 2892: Adds autorun key to be loaded by Explorer.exe on startup
106  C:\Windows\SysWOW64\Iffggo32.exe (command line: C:\Windows\system32\Iffggo32.exe), PID 2696
107  C:\Windows\SysWOW64\Ikbpof32.exe (command line: C:\Windows\system32\Ikbpof32.exe), PID 2956: System Location Discovery: System Language Discovery
108  C:\Windows\SysWOW64\Icjhpc32.exe (command line: C:\Windows\system32\Icjhpc32.exe), PID 2484: Modifies registry class
109  C:\Windows\SysWOW64\Ibmhlpge.exe (command line: C:\Windows\system32\Ibmhlpge.exe), PID 1424: System Location Discovery: System Language Discovery
110  C:\Windows\SysWOW64\Iekdhkfi.exe (command line: C:\Windows\system32\Iekdhkfi.exe), PID 832: Drops file in System32 directory
111  C:\Windows\SysWOW64\Ikeldenf.exe (command line: C:\Windows\system32\Ikeldenf.exe), PID 2060: Adds autorun key to be loaded by Explorer.exe on startup
112  C:\Windows\SysWOW64\Ioqhed32.exe (command line: C:\Windows\system32\Ioqhed32.exe), PID 612
113  C:\Windows\SysWOW64\Iboeap32.exe (command line: C:\Windows\system32\Iboeap32.exe), PID 2316
114  C:\Windows\SysWOW64\Iemank32.exe (command line: C:\Windows\system32\Iemank32.exe), PID 2996
115  C:\Windows\SysWOW64\Iiimnjmp.exe (command line: C:\Windows\system32\Iiimnjmp.exe), PID 2548
116  C:\Windows\SysWOW64\Infefqkg.exe (command line: C:\Windows\system32\Infefqkg.exe), PID 2904: Drops file in System32 directory
117  C:\Windows\SysWOW64\Jepnck32.exe (command line: C:\Windows\system32\Jepnck32.exe), PID 2588
118  C:\Windows\SysWOW64\Jkjfpe32.exe (command line: C:\Windows\system32\Jkjfpe32.exe), PID 2184
119  C:\Windows\SysWOW64\Jnhblp32.exe (command line: C:\Windows\system32\Jnhblp32.exe), PID 676
120  C:\Windows\SysWOW64\Jebjijqa.exe (command line: C:\Windows\system32\Jebjijqa.exe), PID 2388
121  C:\Windows\SysWOW64\Jklbed32.exe (command line: C:\Windows\system32\Jklbed32.exe), PID 1052
122  C:\Windows\SysWOW64\Jmmommnl.exe (command line: C:\Windows\system32\Jmmommnl.exe), PID 3048
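The "Suspicious use of WriteProcessMemory" events and the process tree describe the same thing from two sides: each parent writes into the address space of the child it has just created, four times per spawn, and the PIDs it writes to are exactly the PIDs the tree shows being launched next. The Python below is an added example, not part of the report: it parses events in the report's line format, rebuilds the spawn chain from the writer/target pairs, and flags any write whose target is not a process the tree shows being spawned, which is the check that separates parent-side process setup from injection into an existing process. WPM_SAMPLE copies the report's first three spawns, TREE_PIDS copies the matching tree entries, and INJECTION_SAMPLE is a constructed event that does not appear in the report and exists only to show what gets flagged.

```python
"""Rebuild process lineage from "Suspicious use of WriteProcessMemory" events
and check every write target against the process tree.

Added example, not part of the report.  WPM_SAMPLE copies the report's first
three spawns (the report prints each parent-to-child write four times);
TREE_PIDS copies the matching process-tree entries; INJECTION_SAMPLE is a
constructed event that does NOT appear in the report.
"""
import re
from collections import Counter, defaultdict

# Report shape: "PID <src> wrote to memory of <dst> <src> <writer image> <procid_target>"
WPM_RE = re.compile(
    r'PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) (?P=src) (?P<proc>\S+) (?P<target>\d+)')

WPM_SAMPLE = (
    'PID 1896 wrote to memory of 1336 1896 f586b05e0367b9397e9c1a87f9ed5dd0N.exe 29 ' * 4
    + 'PID 1336 wrote to memory of 1752 1336 Phfaknce.exe 30 ' * 4
    + 'PID 1752 wrote to memory of 2004 1752 Pbpbklpd.exe 31 ' * 4
)
TREE_PIDS = {1896: 'f586b05e0367b9397e9c1a87f9ed5dd0N.exe', 1336: 'Phfaknce.exe',
             1752: 'Pbpbklpd.exe', 2004: 'Pdpoeo32.exe'}
# Constructed, not in the report: a write into a PID the tree never spawns.
INJECTION_SAMPLE = 'PID 1752 wrote to memory of 1234 1752 Pbpbklpd.exe 99'


def parse_wpm(text):
    """Return ({(writer_pid, target_pid): write_count}, {writer_pid: image name})."""
    edges = Counter()
    names = {}
    for m in WPM_RE.finditer(text):
        src, dst = int(m['src']), int(m['dst'])
        edges[(src, dst)] += 1
        names[src] = m['proc']
    return edges, names


def lineage(edges):
    """Depth-first spawn order as (pid, depth), starting from writers that are
    never themselves written to (the roots)."""
    children = defaultdict(list)
    targets = set()
    for src, dst in edges:
        children[src].append(dst)
        targets.add(dst)
    order = []

    def walk(pid, depth):
        order.append((pid, depth))
        for child in sorted(children.get(pid, [])):
            walk(child, depth + 1)

    for root in sorted(p for p in children if p not in targets):
        walk(root, 0)
    return order


def writes_not_to_spawned_child(edges, tree_pids):
    """Writes whose target is not a process the tree shows being spawned.
    Parent-side setup of a new child is expected; anything else is a
    candidate for injection into an already running process."""
    return sorted((src, dst, n) for (src, dst), n in edges.items() if dst not in tree_pids)


if __name__ == '__main__':
    edges, names = parse_wpm(WPM_SAMPLE)
    for pid, depth in lineage(edges):
        print('  ' * depth + f'{pid} {names.get(pid, TREE_PIDS.get(pid, "?"))}')
    print('unexpected targets:', writes_not_to_spawned_child(edges, TREE_PIDS))
    edges2, _ = parse_wpm(WPM_SAMPLE + INJECTION_SAMPLE)
    print('with constructed injection:', writes_not_to_spawned_child(edges2, TREE_PIDS))
```

Run against the full table above, the chain comes out as the 17 PIDs the tree lists at depths 1 through 17 and the flag list is empty; the constructed INJECTION_SAMPLE shows the one shape that would matter, a write into a PID that never appears as a spawned child.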