Analysis
-
max time kernel
117s -
max time network
118s -
platform
windows7_x64 -
resource
win7-20240708-en -
resource tags
arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system -
submitted
19/08/2024, 11:30
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
a9e3d5724d81685c48c7d48de59f1340N.exe
Resource
win7-20240708-en
windows7-x64
8 signatures
120 seconds
Behavioral task
behavioral2
Sample
a9e3d5724d81685c48c7d48de59f1340N.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
7 signatures
120 seconds
General
-
Target
a9e3d5724d81685c48c7d48de59f1340N.exe
-
Size
512KB
-
MD5
a9e3d5724d81685c48c7d48de59f1340
-
SHA1
2ab314b344be7ce09049f4e6b2ffa9111334de66
-
SHA256
3051965308cdab92dbe0bf0aab96c10d3419c41d569c4f422473c99a3e754b33
-
SHA512
86586de3cb709399a0e5866916e157c12e9cce8db8e4ef7b5715691bb185aae452847837ce63bf1d6ebd13c2ec861f6e9b022ed59677322242154da4e8882774
-
SSDEEP
12288:x8LlGyXu1jGG1ws5iETdqvZNemWrsiLk6mqgSg9:6xGyXsGG1ws5ipr
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ndmecgba.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bgaebe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cbffoabe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jckgicnp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kgqocoin.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Llbqfe32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jfhjbobc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ndfnecgp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Elhnof32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Flhmfbim.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Iibfajdc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mpmcielb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dddimn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Llbqfe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hohkmj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ajmfad32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fdbhge32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fpjofl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gfnjne32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jeclebja.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ciifbchf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qackpado.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mdghaf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Odchbe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Edaalk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ddhpod32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kcmcoblm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kcdjoaee.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Omcifpnp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Elajgpmj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ndqkleln.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Oococb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pplaki32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bfhmqhkd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dedlag32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fnofjfhk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ikbifcpb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mcckcbgp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mimpkcdn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad a9e3d5724d81685c48c7d48de59f1340N.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cpcnonob.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fjjpjgjj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cmpgpond.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Danpemej.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Emifeqid.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cpkkjc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fmegncpp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Plolgk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lanbdf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dgbeiiqe.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hakkgc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pmmeon32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fqmpni32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kjllab32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kfeikcfa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found -
Executes dropped EXE 64 IoCs
pid Process 2708 Pqjfoa32.exe 2636 Pbkbgjcc.exe 2656 Pihgic32.exe 2012 Qeohnd32.exe 320 Qngmgjeb.exe 2024 Qiladcdh.exe 2188 Acfaeq32.exe 2668 Aeenochi.exe 2352 Aaloddnn.exe 1804 Agfgqo32.exe 2200 Afkdakjb.exe 1188 Apdhjq32.exe 2448 Bnielm32.exe 1048 Bhajdblk.exe 2572 Bonoflae.exe 624 Balkchpi.exe 1592 Bfkpqn32.exe 2140 Bmeimhdj.exe 1044 Chkmkacq.exe 2544 Ckiigmcd.exe 2536 Cmgechbh.exe 2112 Cbdnko32.exe 316 Cklfll32.exe 2400 Cddjebgb.exe 2836 Cmlong32.exe 2008 Cpkkjc32.exe 2864 Cegcbjkn.exe 1844 Cpmhpbkc.exe 768 Cejphiik.exe 2196 Dobdqo32.exe 2224 Daqamj32.exe 2176 Ddomif32.exe 2136 Dacnbjml.exe 1320 Deojci32.exe 1852 Dognlnlf.exe 1756 Dgbcpq32.exe 236 Djqoll32.exe 2504 Dpjgifpa.exe 1688 Dkpkfooh.exe 2576 Dlahng32.exe 2220 Ddhpod32.exe 1768 Egglkp32.exe 324 Enqdhj32.exe 2912 Eobapbbg.exe 2560 Egiiapci.exe 2392 Ejgemkbm.exe 1600 Eqamje32.exe 2608 Efnfbl32.exe 2612 Elhnof32.exe 2676 Eogjka32.exe 1484 Edccch32.exe 632 Eoigpa32.exe 2888 Efcomkcl.exe 1036 Egdlec32.exe 2660 Fnndan32.exe 912 Fqmpni32.exe 2964 Fgfhjcgg.exe 1480 Fjeefofk.exe 2524 Fqomci32.exe 2984 Fgiepced.exe 828 Fncmmmma.exe 852 Fmfnhj32.exe 2680 Femeig32.exe 2228 Fgkbeb32.exe -
Loads dropped DLL 64 IoCs
pid Process 2848 a9e3d5724d81685c48c7d48de59f1340N.exe 2848 a9e3d5724d81685c48c7d48de59f1340N.exe 2708 Pqjfoa32.exe 2708 Pqjfoa32.exe 2636 Pbkbgjcc.exe 2636 Pbkbgjcc.exe 2656 Pihgic32.exe 2656 Pihgic32.exe 2012 Qeohnd32.exe 2012 Qeohnd32.exe 320 Qngmgjeb.exe 320 Qngmgjeb.exe 2024 Qiladcdh.exe 2024 Qiladcdh.exe 2188 Acfaeq32.exe 2188 Acfaeq32.exe 2668 Aeenochi.exe 2668 Aeenochi.exe 2352 Aaloddnn.exe 2352 Aaloddnn.exe 1804 Agfgqo32.exe 1804 Agfgqo32.exe 2200 Afkdakjb.exe 2200 Afkdakjb.exe 1188 Apdhjq32.exe 1188 Apdhjq32.exe 2448 Bnielm32.exe 2448 Bnielm32.exe 1048 Bhajdblk.exe 1048 Bhajdblk.exe 2572 Bonoflae.exe 2572 Bonoflae.exe 624 Balkchpi.exe 624 Balkchpi.exe 1592 Bfkpqn32.exe 1592 Bfkpqn32.exe 2140 Bmeimhdj.exe 2140 Bmeimhdj.exe 1044 Chkmkacq.exe 1044 Chkmkacq.exe 2544 Ckiigmcd.exe 2544 Ckiigmcd.exe 2536 Cmgechbh.exe 2536 Cmgechbh.exe 2112 Cbdnko32.exe 2112 Cbdnko32.exe 316 Cklfll32.exe 316 Cklfll32.exe 2728 Ciqcmiei.exe 2728 Ciqcmiei.exe 2836 Cmlong32.exe 2836 Cmlong32.exe 2008 Cpkkjc32.exe 2008 Cpkkjc32.exe 2864 Cegcbjkn.exe 2864 Cegcbjkn.exe 1844 Cpmhpbkc.exe 1844 Cpmhpbkc.exe 768 Cejphiik.exe 768 Cejphiik.exe 2196 Dobdqo32.exe 2196 Dobdqo32.exe 2224 Daqamj32.exe 2224 Daqamj32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Fgfhjcgg.exe Fqmpni32.exe File created C:\Windows\SysWOW64\Fhbnbpjc.exe Eaheeecg.exe File opened for modification C:\Windows\SysWOW64\Cmpgpond.exe Clojhf32.exe File opened for modification C:\Windows\SysWOW64\Gmoqnhla.exe Gfehan32.exe File opened for modification C:\Windows\SysWOW64\Fjdnlhco.exe Fcjeon32.exe File created C:\Windows\SysWOW64\Mkgpnd32.dll Ldoimh32.exe File created C:\Windows\SysWOW64\Ojglhm32.exe Oejcpf32.exe File opened for modification C:\Windows\SysWOW64\Hdiejfej.exe Hajinjff.exe File created C:\Windows\SysWOW64\Gpabcbdb.exe Gnpflj32.exe File created C:\Windows\SysWOW64\Mfjgooni.dll Endjaief.exe File opened for modification C:\Windows\SysWOW64\Mmogmjmn.exe Mjpkqonj.exe File opened for modification C:\Windows\SysWOW64\Fmcjhdbc.exe Fjdnlhco.exe File created C:\Windows\SysWOW64\Ckoelflc.dll Jhafhe32.exe File opened for modification C:\Windows\SysWOW64\Fjegog32.exe Fdiogq32.exe File opened for modification C:\Windows\SysWOW64\Phqmgg32.exe Pafdjmkq.exe File opened for modification C:\Windows\SysWOW64\Fnibcd32.exe Flhflleb.exe File opened for modification C:\Windows\SysWOW64\Kbbobkol.exe Kpdcfoph.exe File opened for modification C:\Windows\SysWOW64\Indnnfdn.exe Ikfbbjdj.exe File opened for modification C:\Windows\SysWOW64\Efhqmadd.exe Process not Found File created C:\Windows\SysWOW64\Nadimacd.exe Nkjapglg.exe File created C:\Windows\SysWOW64\Opnpimdf.exe Olbchn32.exe File created C:\Windows\SysWOW64\Mjaddn32.exe Lgchgb32.exe File created C:\Windows\SysWOW64\Bkhhhd32.exe Bhjlli32.exe File created C:\Windows\SysWOW64\Jnpojnle.dll Pdppqbkn.exe File opened for modification C:\Windows\SysWOW64\Dojddmec.exe Dhplhc32.exe File created C:\Windows\SysWOW64\Lblcfnhj.exe Lkakicam.exe File created C:\Windows\SysWOW64\Behilopf.exe Bnnaoe32.exe File created C:\Windows\SysWOW64\Aoapfe32.dll Mcckcbgp.exe File created C:\Windows\SysWOW64\Pbkbgjcc.exe Pqjfoa32.exe File opened for modification C:\Windows\SysWOW64\Goiongbc.exe Ghofam32.exe File created C:\Windows\SysWOW64\Bgghac32.exe Bdhleh32.exe File created C:\Windows\SysWOW64\Ibfmmb32.exe Process not Found File created C:\Windows\SysWOW64\Abqcpo32.dll Process not Found File created C:\Windows\SysWOW64\Kldcnd32.dll Jdpgjhbm.exe File created C:\Windows\SysWOW64\Mleijpbj.dll Plolgk32.exe File created C:\Windows\SysWOW64\Kkjpggkn.exe Process not Found File created C:\Windows\SysWOW64\Hpnkbpdd.exe Hakkgc32.exe File opened for modification C:\Windows\SysWOW64\Bolcma32.exe Bdfooh32.exe File created C:\Windows\SysWOW64\Oqelhkhc.dll Hkdemk32.exe File created C:\Windows\SysWOW64\Npneccok.dll Process not Found File created C:\Windows\SysWOW64\Cegcbjkn.exe Cpkkjc32.exe File created C:\Windows\SysWOW64\Ifdofiam.dll Enbnkigh.exe File opened for modification C:\Windows\SysWOW64\Nhdhif32.exe Nmnclmoj.exe File created C:\Windows\SysWOW64\Hmmbqegc.exe Hfcjdkpg.exe File created C:\Windows\SysWOW64\Gnpincmg.dll Ihdpbq32.exe File created C:\Windows\SysWOW64\Elcpbigl.exe Eanldqgf.exe File created C:\Windows\SysWOW64\Gmbmdane.dll Amnocpdk.exe File opened for modification C:\Windows\SysWOW64\Fkmqdpce.exe Fdbhge32.exe File created C:\Windows\SysWOW64\Nlbjim32.dll Pghfnc32.exe File created C:\Windows\SysWOW64\Fflkbagk.dll Jdcpkp32.exe File created C:\Windows\SysWOW64\Cjjnhnbl.exe Cglalbbi.exe File created C:\Windows\SysWOW64\Omcifpnp.exe Okdmjdol.exe File created C:\Windows\SysWOW64\Kdklfe32.exe Jampjian.exe File opened for modification C:\Windows\SysWOW64\Kechdf32.exe Kaglcgdc.exe File created C:\Windows\SysWOW64\Mgmdapml.exe Mdogedmh.exe File created C:\Windows\SysWOW64\Pigckoki.dll Process not Found File created C:\Windows\SysWOW64\Fmjgcipg.exe Ffqofohj.exe File created C:\Windows\SysWOW64\Nhakcfab.exe Necogkbo.exe File opened for modification C:\Windows\SysWOW64\Ljddjj32.exe Lcjlnpmo.exe File opened for modification C:\Windows\SysWOW64\Jdcpkp32.exe Jeqopcld.exe File created C:\Windows\SysWOW64\Opkccm32.exe Olpgconp.exe File opened for modification C:\Windows\SysWOW64\Blkjkflb.exe Bcbfbp32.exe File opened for modification C:\Windows\SysWOW64\Kjhcag32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Lnhgim32.exe Loefnpnn.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 4112 4304 Process not Found 1199 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jeadap32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ajmijmnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jhdegn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cpcnonob.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ojmpooah.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dhhhbg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hokhbj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Chnbcpmn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Olkfmi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gkephn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Loefnpnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pepcelel.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hejmpqop.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pgckjk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aoojnc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Icfpbl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Opfegp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Elhnof32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hijgml32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Illbhp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Klngkfge.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nfdddm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lngpog32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lobgoh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oemegc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eabcggll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dbifnj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gfejjgli.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pplaki32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bnnaoe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gqodqodl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aahfdihn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cegcbjkn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fmnopp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fnejbmko.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jlklnjoh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dmjqpdje.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Flfpabkp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jeafjiop.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ofqmcj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Olgmcmgh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eoompl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fchijone.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ddiibc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jhoice32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mjpkqonj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aihfap32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dpkibo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dicnkdnf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jfhjbobc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hbaaik32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kpgffe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mimpkcdn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kddmdk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kpadhg32.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Eqjmncna.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ilcoce32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Cillkbac.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ajmijmnn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ilabmedg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Qqfkln32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Nlilqbgp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ponklpcg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ipdojfgh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gomlpk32.dll" Qjhmfekp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Biliep32.dll" Cifelgmd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fkdhkd32.dll" Pmmeon32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hbqmnm32.dll" Edclib32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Opkccm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mfogcjhb.dll" Afajafoa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bmcnqama.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnbamjbm.dll" Bgaebe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jeqopcld.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Gmmdiind.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bpjmnknl.dll" Fkecij32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ojbbmnhc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gicaikhj.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jamkpp32.dll" Egjbdo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Gncldi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pfmnocmn.dll" Gnbejb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cmgechbh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kmobhmnn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ljajkolc.dll" Hbiaemkk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfmlmhlo.dll" Ljddjj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fbnbckhg.dll" Cgoelh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Igcphbih.dll" Blfapfpg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jkbfdfbm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Gfejjgli.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Knfndjdp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gaokcb32.dll" Ndqkleln.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jkofeknc.dll" Mejlalji.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Gckdgjeb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Epaqjmil.dll" Oejcpf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Cinafkkd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jliohkak.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Edaimkbc.dll" Ljcbaamh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Olkfmi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mhhigm32.dll" Bnnaoe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gneolbel.dll" a9e3d5724d81685c48c7d48de59f1340N.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Apdhjq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Doohmk32.dll" Goiehm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Qdlggg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Flclam32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mijamjnm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ldkeee32.dll" Npijoj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnhgdb32.dll" Ldjbkb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ckjamgmk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mommgm32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aebfidim.dll" Aoojnc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Naffihgj.dll" Dgoopkgh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ifkloned.dll" Qkibcg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Oococb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Cagienkb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ofehob32.dll" Ehmdgp32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2848 wrote to memory of 2708 2848 a9e3d5724d81685c48c7d48de59f1340N.exe 30 PID 2848 wrote to memory of 2708 2848 a9e3d5724d81685c48c7d48de59f1340N.exe 30 PID 2848 wrote to memory of 2708 2848 a9e3d5724d81685c48c7d48de59f1340N.exe 30 PID 2848 wrote to memory of 2708 2848 a9e3d5724d81685c48c7d48de59f1340N.exe 30 PID 2708 wrote to memory of 2636 2708 Pqjfoa32.exe 31 PID 2708 wrote to memory of 2636 2708 Pqjfoa32.exe 31 PID 2708 wrote to memory of 2636 2708 Pqjfoa32.exe 31 PID 2708 wrote to memory of 2636 2708 Pqjfoa32.exe 31 PID 2636 wrote to memory of 2656 2636 Pbkbgjcc.exe 32 PID 2636 wrote to memory of 2656 2636 Pbkbgjcc.exe 32 PID 2636 wrote to memory of 2656 2636 Pbkbgjcc.exe 32 PID 2636 wrote to memory of 2656 2636 Pbkbgjcc.exe 32 PID 2656 wrote to memory of 2012 2656 Pihgic32.exe 33 PID 2656 wrote to memory of 2012 2656 Pihgic32.exe 33 PID 2656 wrote to memory of 2012 2656 Pihgic32.exe 33 PID 2656 wrote to memory of 2012 2656 Pihgic32.exe 33 PID 2012 wrote to memory of 320 2012 Qeohnd32.exe 34 PID 2012 wrote to memory of 320 2012 Qeohnd32.exe 34 PID 2012 wrote to memory of 320 2012 Qeohnd32.exe 34 PID 2012 wrote to memory of 320 2012 Qeohnd32.exe 34 PID 320 wrote to memory of 2024 320 Qngmgjeb.exe 35 PID 320 wrote to memory of 2024 320 Qngmgjeb.exe 35 PID 320 wrote to memory of 2024 320 Qngmgjeb.exe 35 PID 320 wrote to memory of 2024 320 Qngmgjeb.exe 35 PID 2024 wrote to memory of 2188 2024 Qiladcdh.exe 36 PID 2024 wrote to memory of 2188 2024 Qiladcdh.exe 36 PID 2024 wrote to memory of 2188 2024 Qiladcdh.exe 36 PID 2024 wrote to memory of 2188 2024 Qiladcdh.exe 36 PID 2188 wrote to memory of 2668 2188 Acfaeq32.exe 37 PID 2188 wrote to memory of 2668 2188 Acfaeq32.exe 37 PID 2188 wrote to memory of 2668 2188 Acfaeq32.exe 37 PID 2188 wrote to memory of 2668 2188 Acfaeq32.exe 37 PID 2668 wrote to memory of 2352 2668 Aeenochi.exe 38 PID 2668 wrote to memory of 2352 2668 Aeenochi.exe 38 PID 2668 wrote to memory of 2352 2668 Aeenochi.exe 38 PID 2668 wrote to memory of 2352 2668 Aeenochi.exe 38 PID 2352 wrote to memory of 1804 2352 Aaloddnn.exe 39 PID 2352 wrote to memory of 1804 2352 Aaloddnn.exe 39 PID 2352 wrote to memory of 1804 2352 Aaloddnn.exe 39 PID 2352 wrote to memory of 1804 2352 Aaloddnn.exe 39 PID 1804 wrote to memory of 2200 1804 Agfgqo32.exe 40 PID 1804 wrote to memory of 2200 1804 Agfgqo32.exe 40 PID 1804 wrote to memory of 2200 1804 Agfgqo32.exe 40 PID 1804 wrote to memory of 2200 1804 Agfgqo32.exe 40 PID 2200 wrote to memory of 1188 2200 Afkdakjb.exe 41 PID 2200 wrote to memory of 1188 2200 Afkdakjb.exe 41 PID 2200 wrote to memory of 1188 2200 Afkdakjb.exe 41 PID 2200 wrote to memory of 1188 2200 Afkdakjb.exe 41 PID 1188 wrote to memory of 2448 1188 Apdhjq32.exe 42 PID 1188 wrote to memory of 2448 1188 Apdhjq32.exe 42 PID 1188 wrote to memory of 2448 1188 Apdhjq32.exe 42 PID 1188 wrote to memory of 2448 1188 Apdhjq32.exe 42 PID 2448 wrote to memory of 1048 2448 Bnielm32.exe 43 PID 2448 wrote to memory of 1048 2448 Bnielm32.exe 43 PID 2448 wrote to memory of 1048 2448 Bnielm32.exe 43 PID 2448 wrote to memory of 1048 2448 Bnielm32.exe 43 PID 1048 wrote to memory of 2572 1048 Bhajdblk.exe 44 PID 1048 wrote to memory of 2572 1048 Bhajdblk.exe 44 PID 1048 wrote to memory of 2572 1048 Bhajdblk.exe 44 PID 1048 wrote to memory of 2572 1048 Bhajdblk.exe 44 PID 2572 wrote to memory of 624 2572 Bonoflae.exe 45 PID 2572 wrote to memory of 624 2572 Bonoflae.exe 45 PID 2572 wrote to memory of 624 2572 Bonoflae.exe 45 PID 2572 wrote to memory of 624 2572 Bonoflae.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\a9e3d5724d81685c48c7d48de59f1340N.exe"C:\Users\Admin\AppData\Local\Temp\a9e3d5724d81685c48c7d48de59f1340N.exe"1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2848 -
C:\Windows\SysWOW64\Pqjfoa32.exeC:\Windows\system32\Pqjfoa32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2708 -
C:\Windows\SysWOW64\Pbkbgjcc.exeC:\Windows\system32\Pbkbgjcc.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2636 -
C:\Windows\SysWOW64\Pihgic32.exeC:\Windows\system32\Pihgic32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2656 -
C:\Windows\SysWOW64\Qeohnd32.exeC:\Windows\system32\Qeohnd32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2012 -
C:\Windows\SysWOW64\Qngmgjeb.exeC:\Windows\system32\Qngmgjeb.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:320 -
C:\Windows\SysWOW64\Qiladcdh.exeC:\Windows\system32\Qiladcdh.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2024 -
C:\Windows\SysWOW64\Acfaeq32.exeC:\Windows\system32\Acfaeq32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2188 -
C:\Windows\SysWOW64\Aeenochi.exeC:\Windows\system32\Aeenochi.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2668 -
C:\Windows\SysWOW64\Aaloddnn.exeC:\Windows\system32\Aaloddnn.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2352 -
C:\Windows\SysWOW64\Agfgqo32.exeC:\Windows\system32\Agfgqo32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1804 -
C:\Windows\SysWOW64\Afkdakjb.exeC:\Windows\system32\Afkdakjb.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2200 -
C:\Windows\SysWOW64\Apdhjq32.exeC:\Windows\system32\Apdhjq32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1188 -
C:\Windows\SysWOW64\Bnielm32.exeC:\Windows\system32\Bnielm32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2448 -
C:\Windows\SysWOW64\Bhajdblk.exeC:\Windows\system32\Bhajdblk.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1048 -
C:\Windows\SysWOW64\Bonoflae.exeC:\Windows\system32\Bonoflae.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2572 -
C:\Windows\SysWOW64\Balkchpi.exeC:\Windows\system32\Balkchpi.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:624 -
C:\Windows\SysWOW64\Bfkpqn32.exeC:\Windows\system32\Bfkpqn32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1592 -
C:\Windows\SysWOW64\Bmeimhdj.exeC:\Windows\system32\Bmeimhdj.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2140 -
C:\Windows\SysWOW64\Chkmkacq.exeC:\Windows\system32\Chkmkacq.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1044 -
C:\Windows\SysWOW64\Ckiigmcd.exeC:\Windows\system32\Ckiigmcd.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2544 -
C:\Windows\SysWOW64\Cmgechbh.exeC:\Windows\system32\Cmgechbh.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2536 -
C:\Windows\SysWOW64\Cbdnko32.exeC:\Windows\system32\Cbdnko32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2112 -
C:\Windows\SysWOW64\Cklfll32.exeC:\Windows\system32\Cklfll32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:316 -
C:\Windows\SysWOW64\Cddjebgb.exeC:\Windows\system32\Cddjebgb.exe25⤵
- Executes dropped EXE
PID:2400 -
C:\Windows\SysWOW64\Ciqcmiei.exeC:\Windows\system32\Ciqcmiei.exe26⤵
- Loads dropped DLL
PID:2728 -
C:\Windows\SysWOW64\Cmlong32.exeC:\Windows\system32\Cmlong32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2836 -
C:\Windows\SysWOW64\Cpkkjc32.exeC:\Windows\system32\Cpkkjc32.exe28⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2008 -
C:\Windows\SysWOW64\Cegcbjkn.exeC:\Windows\system32\Cegcbjkn.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2864 -
C:\Windows\SysWOW64\Cpmhpbkc.exeC:\Windows\system32\Cpmhpbkc.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1844 -
C:\Windows\SysWOW64\Cejphiik.exeC:\Windows\system32\Cejphiik.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:768 -
C:\Windows\SysWOW64\Dobdqo32.exeC:\Windows\system32\Dobdqo32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2196 -
C:\Windows\SysWOW64\Daqamj32.exeC:\Windows\system32\Daqamj32.exe33⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2224 -
C:\Windows\SysWOW64\Ddomif32.exeC:\Windows\system32\Ddomif32.exe34⤵
- Executes dropped EXE
PID:2176 -
C:\Windows\SysWOW64\Dacnbjml.exeC:\Windows\system32\Dacnbjml.exe35⤵
- Executes dropped EXE
PID:2136 -
C:\Windows\SysWOW64\Deojci32.exeC:\Windows\system32\Deojci32.exe36⤵
- Executes dropped EXE
PID:1320 -
C:\Windows\SysWOW64\Dognlnlf.exeC:\Windows\system32\Dognlnlf.exe37⤵
- Executes dropped EXE
PID:1852 -
C:\Windows\SysWOW64\Dgbcpq32.exeC:\Windows\system32\Dgbcpq32.exe38⤵
- Executes dropped EXE
PID:1756 -
C:\Windows\SysWOW64\Djqoll32.exeC:\Windows\system32\Djqoll32.exe39⤵
- Executes dropped EXE
PID:236 -
C:\Windows\SysWOW64\Dpjgifpa.exeC:\Windows\system32\Dpjgifpa.exe40⤵
- Executes dropped EXE
PID:2504 -
C:\Windows\SysWOW64\Dkpkfooh.exeC:\Windows\system32\Dkpkfooh.exe41⤵
- Executes dropped EXE
PID:1688 -
C:\Windows\SysWOW64\Dlahng32.exeC:\Windows\system32\Dlahng32.exe42⤵
- Executes dropped EXE
PID:2576 -
C:\Windows\SysWOW64\Ddhpod32.exeC:\Windows\system32\Ddhpod32.exe43⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2220 -
C:\Windows\SysWOW64\Egglkp32.exeC:\Windows\system32\Egglkp32.exe44⤵
- Executes dropped EXE
PID:1768 -
C:\Windows\SysWOW64\Enqdhj32.exeC:\Windows\system32\Enqdhj32.exe45⤵
- Executes dropped EXE
PID:324 -
C:\Windows\SysWOW64\Eobapbbg.exeC:\Windows\system32\Eobapbbg.exe46⤵
- Executes dropped EXE
PID:2912 -
C:\Windows\SysWOW64\Egiiapci.exeC:\Windows\system32\Egiiapci.exe47⤵
- Executes dropped EXE
PID:2560 -
C:\Windows\SysWOW64\Ejgemkbm.exeC:\Windows\system32\Ejgemkbm.exe48⤵
- Executes dropped EXE
PID:2392 -
C:\Windows\SysWOW64\Eqamje32.exeC:\Windows\system32\Eqamje32.exe49⤵
- Executes dropped EXE
PID:1600 -
C:\Windows\SysWOW64\Efnfbl32.exeC:\Windows\system32\Efnfbl32.exe50⤵
- Executes dropped EXE
PID:2608 -
C:\Windows\SysWOW64\Elhnof32.exeC:\Windows\system32\Elhnof32.exe51⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2612 -
C:\Windows\SysWOW64\Eogjka32.exeC:\Windows\system32\Eogjka32.exe52⤵
- Executes dropped EXE
PID:2676 -
C:\Windows\SysWOW64\Edccch32.exeC:\Windows\system32\Edccch32.exe53⤵
- Executes dropped EXE
PID:1484 -
C:\Windows\SysWOW64\Eoigpa32.exeC:\Windows\system32\Eoigpa32.exe54⤵
- Executes dropped EXE
PID:632 -
C:\Windows\SysWOW64\Efcomkcl.exeC:\Windows\system32\Efcomkcl.exe55⤵
- Executes dropped EXE
PID:2888 -
C:\Windows\SysWOW64\Egdlec32.exeC:\Windows\system32\Egdlec32.exe56⤵
- Executes dropped EXE
PID:1036 -
C:\Windows\SysWOW64\Fnndan32.exeC:\Windows\system32\Fnndan32.exe57⤵
- Executes dropped EXE
PID:2660 -
C:\Windows\SysWOW64\Fqmpni32.exeC:\Windows\system32\Fqmpni32.exe58⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:912 -
C:\Windows\SysWOW64\Fgfhjcgg.exeC:\Windows\system32\Fgfhjcgg.exe59⤵
- Executes dropped EXE
PID:2964 -
C:\Windows\SysWOW64\Fjeefofk.exeC:\Windows\system32\Fjeefofk.exe60⤵
- Executes dropped EXE
PID:1480 -
C:\Windows\SysWOW64\Fqomci32.exeC:\Windows\system32\Fqomci32.exe61⤵
- Executes dropped EXE
PID:2524 -
C:\Windows\SysWOW64\Fgiepced.exeC:\Windows\system32\Fgiepced.exe62⤵
- Executes dropped EXE
PID:2984 -
C:\Windows\SysWOW64\Fncmmmma.exeC:\Windows\system32\Fncmmmma.exe63⤵
- Executes dropped EXE
PID:828 -
C:\Windows\SysWOW64\Fmfnhj32.exeC:\Windows\system32\Fmfnhj32.exe64⤵
- Executes dropped EXE
PID:852 -
C:\Windows\SysWOW64\Femeig32.exeC:\Windows\system32\Femeig32.exe65⤵
- Executes dropped EXE
PID:2680 -
C:\Windows\SysWOW64\Fgkbeb32.exeC:\Windows\system32\Fgkbeb32.exe66⤵
- Executes dropped EXE
PID:2228 -
C:\Windows\SysWOW64\Fnejbmko.exeC:\Windows\system32\Fnejbmko.exe67⤵
- System Location Discovery: System Language Discovery
PID:888 -
C:\Windows\SysWOW64\Fpffje32.exeC:\Windows\system32\Fpffje32.exe68⤵PID:2748
-
C:\Windows\SysWOW64\Fcbbjcif.exeC:\Windows\system32\Fcbbjcif.exe69⤵PID:1956
-
C:\Windows\SysWOW64\Ffqofohj.exeC:\Windows\system32\Ffqofohj.exe70⤵
- Drops file in System32 directory
PID:2616 -
C:\Windows\SysWOW64\Fmjgcipg.exeC:\Windows\system32\Fmjgcipg.exe71⤵PID:3056
-
C:\Windows\SysWOW64\Fafcdh32.exeC:\Windows\system32\Fafcdh32.exe72⤵PID:1772
-
C:\Windows\SysWOW64\Fbgpkpnn.exeC:\Windows\system32\Fbgpkpnn.exe73⤵PID:2344
-
C:\Windows\SysWOW64\Ffcllo32.exeC:\Windows\system32\Ffcllo32.exe74⤵PID:2144
-
C:\Windows\SysWOW64\Gmmdiind.exeC:\Windows\system32\Gmmdiind.exe75⤵
- Modifies registry class
PID:1980 -
C:\Windows\SysWOW64\Gfehan32.exeC:\Windows\system32\Gfehan32.exe76⤵
- Drops file in System32 directory
PID:1728 -
C:\Windows\SysWOW64\Gmoqnhla.exeC:\Windows\system32\Gmoqnhla.exe77⤵PID:2960
-
C:\Windows\SysWOW64\Gpnmjd32.exeC:\Windows\system32\Gpnmjd32.exe78⤵PID:664
-
C:\Windows\SysWOW64\Gblifo32.exeC:\Windows\system32\Gblifo32.exe79⤵PID:1984
-
C:\Windows\SysWOW64\Gfgegnbb.exeC:\Windows\system32\Gfgegnbb.exe80⤵PID:812
-
C:\Windows\SysWOW64\Gldmoepi.exeC:\Windows\system32\Gldmoepi.exe81⤵PID:328
-
C:\Windows\SysWOW64\Gbnflo32.exeC:\Windows\system32\Gbnflo32.exe82⤵PID:1944
-
C:\Windows\SysWOW64\Gihniioc.exeC:\Windows\system32\Gihniioc.exe83⤵PID:2876
-
C:\Windows\SysWOW64\Gjijqa32.exeC:\Windows\system32\Gjijqa32.exe84⤵PID:2756
-
C:\Windows\SysWOW64\Gacbmk32.exeC:\Windows\system32\Gacbmk32.exe85⤵PID:2832
-
C:\Windows\SysWOW64\Gdboig32.exeC:\Windows\system32\Gdboig32.exe86⤵PID:2248
-
C:\Windows\SysWOW64\Gjlgfaco.exeC:\Windows\system32\Gjlgfaco.exe87⤵PID:1964
-
C:\Windows\SysWOW64\Gmjcblbb.exeC:\Windows\system32\Gmjcblbb.exe88⤵PID:2204
-
C:\Windows\SysWOW64\Hhpgpebh.exeC:\Windows\system32\Hhpgpebh.exe89⤵PID:2416
-
C:\Windows\SysWOW64\Hmmphlpp.exeC:\Windows\system32\Hmmphlpp.exe90⤵PID:2844
-
C:\Windows\SysWOW64\Hdfhdfgl.exeC:\Windows\system32\Hdfhdfgl.exe91⤵PID:1428
-
C:\Windows\SysWOW64\Hajinjff.exeC:\Windows\system32\Hajinjff.exe92⤵
- Drops file in System32 directory
PID:2456 -
C:\Windows\SysWOW64\Hdiejfej.exeC:\Windows\system32\Hdiejfej.exe93⤵PID:1252
-
C:\Windows\SysWOW64\Hfgafadm.exeC:\Windows\system32\Hfgafadm.exe94⤵PID:1364
-
C:\Windows\SysWOW64\Hmaick32.exeC:\Windows\system32\Hmaick32.exe95⤵PID:2192
-
C:\Windows\SysWOW64\Hfjnla32.exeC:\Windows\system32\Hfjnla32.exe96⤵PID:2064
-
C:\Windows\SysWOW64\Hihjhl32.exeC:\Windows\system32\Hihjhl32.exe97⤵PID:1280
-
C:\Windows\SysWOW64\Hoebpc32.exeC:\Windows\system32\Hoebpc32.exe98⤵PID:2752
-
C:\Windows\SysWOW64\Hflkaq32.exeC:\Windows\system32\Hflkaq32.exe99⤵PID:2796
-
C:\Windows\SysWOW64\Hijgml32.exeC:\Windows\system32\Hijgml32.exe100⤵
- System Location Discovery: System Language Discovery
PID:2772 -
C:\Windows\SysWOW64\Ipdojfgh.exeC:\Windows\system32\Ipdojfgh.exe101⤵
- Modifies registry class
PID:568 -
C:\Windows\SysWOW64\Ibckfa32.exeC:\Windows\system32\Ibckfa32.exe102⤵PID:2132
-
C:\Windows\SysWOW64\Ieagbm32.exeC:\Windows\system32\Ieagbm32.exe103⤵PID:2028
-
C:\Windows\SysWOW64\Ihpdoh32.exeC:\Windows\system32\Ihpdoh32.exe104⤵PID:1244
-
C:\Windows\SysWOW64\Iknpkd32.exeC:\Windows\system32\Iknpkd32.exe105⤵PID:2116
-
C:\Windows\SysWOW64\Ibehla32.exeC:\Windows\system32\Ibehla32.exe106⤵PID:2244
-
C:\Windows\SysWOW64\Ihbqdh32.exeC:\Windows\system32\Ihbqdh32.exe107⤵PID:1368
-
C:\Windows\SysWOW64\Ioliqbjn.exeC:\Windows\system32\Ioliqbjn.exe108⤵PID:564
-
C:\Windows\SysWOW64\Iajemnia.exeC:\Windows\system32\Iajemnia.exe109⤵PID:2968
-
C:\Windows\SysWOW64\Ihdmihpn.exeC:\Windows\system32\Ihdmihpn.exe110⤵PID:1300
-
C:\Windows\SysWOW64\Ikbifcpb.exeC:\Windows\system32\Ikbifcpb.exe111⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3052 -
C:\Windows\SysWOW64\Ippbnjni.exeC:\Windows\system32\Ippbnjni.exe112⤵PID:2268
-
C:\Windows\SysWOW64\Ihfjognl.exeC:\Windows\system32\Ihfjognl.exe113⤵PID:2432
-
C:\Windows\SysWOW64\Iaonhm32.exeC:\Windows\system32\Iaonhm32.exe114⤵PID:1856
-
C:\Windows\SysWOW64\Jcpkpe32.exeC:\Windows\system32\Jcpkpe32.exe115⤵PID:880
-
C:\Windows\SysWOW64\Jliohkak.exeC:\Windows\system32\Jliohkak.exe116⤵
- Modifies registry class
PID:848 -
C:\Windows\SysWOW64\Jdpgjhbm.exeC:\Windows\system32\Jdpgjhbm.exe117⤵
- Drops file in System32 directory
PID:1312 -
C:\Windows\SysWOW64\Jeadap32.exeC:\Windows\system32\Jeadap32.exe118⤵
- System Location Discovery: System Language Discovery
PID:2500 -
C:\Windows\SysWOW64\Jlklnjoh.exeC:\Windows\system32\Jlklnjoh.exe119⤵
- System Location Discovery: System Language Discovery
PID:2076 -
C:\Windows\SysWOW64\Joihjfnl.exeC:\Windows\system32\Joihjfnl.exe120⤵PID:2404
-
C:\Windows\SysWOW64\Jjomgo32.exeC:\Windows\system32\Jjomgo32.exe121⤵PID:2632
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-