Analysis
  max time kernel: 110s
  max time network: 17s
  platform: windows7_x64
  resource: win7-20240705-en
  resource tags: arch:x64, arch:x86, image:win7-20240705-en, locale:en-us, os:windows7-x64, system
  submitted: 24-08-2024 15:33

Tasks
  Static task: static1
  Behavioral task behavioral1: sample d279d3af11867e2562dd333f28d1d1e0N.exe, resource win7-20240705-en
  Behavioral task behavioral2: sample d279d3af11867e2562dd333f28d1d1e0N.exe, resource win10v2004-20240802-en
  (The signatures listed below are from the win7-20240705-en run.)

General
  Target: d279d3af11867e2562dd333f28d1d1e0N.exe
  Size: 384KB
  MD5: d279d3af11867e2562dd333f28d1d1e0
  SHA1: b2bfda94570328f68f05e530e1796f3fab38238a
  SHA256: b20a2ba8f671e3e936281c6539b2565ab13721ef7fd412538b5a34f23a9d7bc9
  SHA512: dae4931419da52b906cb705e4e49f3b40944df53ca778900c34fcf22eb422264df3bf5fef88553133986e485fc46d76e81170e64775c269e1b85c05a7e733765
  SSDEEP: 6144:zbNzKQcu+zXGyZ6YugQdjGG1wsKm6eBgdQbkoKTBEAz/6DG1ETdqvZNemWrsiLk6:VzKQcu+DGyXu1jGG1wsGeBgRTGAzciEh
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)

Every row touches the same ShellServiceObjectDelayLoad (SSODL) key in the WOW64 view of HKLM, so the key and value are written out once here:
  Key created:     \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"
"Process not Found" is the sandbox's label for an event it could not attribute to a live process (the writer had already exited when the event was recorded).

description     | Process
Set value (str) | Dcmkciap.exe
Key created     | Olhhmele.exe
Set value (str) | Cmocjn32.exe
Key created     | Higkdm32.exe
Key created     | Fgmmnj32.exe
Set value (str) | Jngfei32.exe
Key created     | Qokjcc32.exe
Set value (str) | Ajladp32.exe
Key created     | Ghmokomm.exe
Key created     | Ilicgl32.exe
Key created     | Ghjkki32.exe
Key created     | Gabpco32.exe
Set value (str) | Mkdhlh32.exe
Key created     | Ojbdbf32.exe
Set value (str) | Process not Found
Set value (str) | Process not Found
Set value (str) | Dkojjgfg.exe
Set value (str) | Abfonl32.exe
Key created     | Dlhblc32.exe
Set value (str) | Ghhoej32.exe
Key created     | Cbhhbojn.exe
Set value (str) | Phghedga.exe
Key created     | Hqlfpk32.exe
Set value (str) | Opmpenbj.exe
Key created     | Process not Found
Set value (str) | Process not Found
Key created     | Mjkpjkni.exe
Key created     | Dbihccpg.exe
Key created     | Process not Found
Set value (str) | Fjpbeecn.exe
Set value (str) | Bgjngb32.exe
Key created     | Lljbpl32.exe
Key created     | Mcbjfjnp.exe
Set value (str) | Process not Found
Key created     | Process not Found
Key created     | Gfippego.exe
Set value (str) | Lhodgebh.exe
Set value (str) | Qhoeqide.exe
Key created     | Hekfpo32.exe
Set value (str) | Ebojbaga.exe
Key created     | Khmmkj32.exe
Key created     | Ekcpdi32.exe
Set value (str) | Diljpn32.exe
Set value (str) | Kbikah32.exe
Key created     | Mllcodig.exe
Key created     | Ogjjie32.exe
Set value (str) | Process not Found
Set value (str) | Fffckf32.exe
Set value (str) | Opgjfb32.exe
Set value (str) | Inpchbdl.exe
Set value (str) | Jdodel32.exe
Key created     | Process not Found
Set value (str) | Kiomec32.exe
Key created     | Eccadhkh.exe
Key created     | Ohjofgfo.exe
Key created     | Pgfbhb32.exe
Key created     | Adhbkj32.exe
Set value (str) | Diofenki.exe
Set value (str) | Kojihjbi.exe
Set value (str) | Bapcaocc.exe
Set value (str) | Bfmlif32.exe
Key created     | Pgionbbl.exe
Set value (str) | Deegjo32.exe
Set value (str) | Nbaqhk32.exe
Executes dropped EXE (64 IoCs)

Each dropped executable launches the next one in the chain (see the WriteProcessMemory section below for the parent/child order).

pid  | Process
1988 | Kncmknkg.exe
2664 | Ljjnpo32.exe
2784 | Lnejqmie.exe
2708 | Lceond32.exe
2956 | Lmmcgilj.exe
2572 | Ljadqn32.exe
2616 | Lkbphfab.exe
2808 | Lkdmneoo.exe
816  | Mfjaknoe.exe
1720 | Mbabpodi.exe
2952 | Mgnjhfbq.exe
2976 | Mllcodig.exe
1784 | Mmmpfm32.exe
2000 | Makhlkel.exe
2552 | Njcmeqkl.exe
2216 | Nbnajcig.exe
1900 | Nihjfm32.exe
836  | Nlgfbh32.exe
2152 | Nbqnobge.exe
2132 | Npdohg32.exe
2260 | Nbckeb32.exe
2524 | Nhpcmi32.exe
1568 | Nojljcjf.exe
1920 | Nbehjb32.exe
1820 | Nolhoc32.exe
2768 | Oakdkn32.exe
1284 | Ohdmhhod.exe
2700 | Omaepoml.exe
2312 | Oamaan32.exe
2620 | Ogjjie32.exe
2644 | Ooabjbdn.exe
2812 | Odnjbibf.exe
1732 | Oglfodai.exe
2640 | Omfoko32.exe
2560 | Okjoec32.exe
2944 | Olklmk32.exe
308  | Oiolfo32.exe
1288 | Pnkhfnea.exe
2420 | Pefmkpbl.exe
1984 | Piaiko32.exe
1456 | Ppkahi32.exe
1684 | Ponadfim.exe
1512 | Pamnpahp.exe
3052 | Pjdeaohb.exe
984  | Plbbmjhf.exe
2924 | Poqniegj.exe
1044 | Paojeafn.exe
2336 | Pdnfalea.exe
3024 | Pockoeeg.exe
2444 | Pnfkjb32.exe
2800 | Pfmclold.exe
2744 | Pgnpcg32.exe
2256 | Poegde32.exe
2156 | Pqfdlmic.exe
2432 | Qhnlmjie.exe
2916 | Qgqlig32.exe
2988 | Qjoheb32.exe
1332 | Qqiqam32.exe
2228 | Qddmbkoi.exe
264  | Qgcingnm.exe
1592 | Qjaejbmq.exe
1108 | Qnmaka32.exe
3064 | Aqkmgl32.exe
2548 | Acjjch32.exe
Loads dropped DLL (64 IoCs)

The report lists every process twice (two DLL-load events each); the 32 distinct processes are shown once below with the event count.

pid  | Process                               | events
1712 | d279d3af11867e2562dd333f28d1d1e0N.exe | 2
1988 | Kncmknkg.exe                          | 2
2664 | Ljjnpo32.exe                          | 2
2784 | Lnejqmie.exe                          | 2
2708 | Lceond32.exe                          | 2
2956 | Lmmcgilj.exe                          | 2
2572 | Ljadqn32.exe                          | 2
2616 | Lkbphfab.exe                          | 2
2808 | Lkdmneoo.exe                          | 2
816  | Mfjaknoe.exe                          | 2
1720 | Mbabpodi.exe                          | 2
2952 | Mgnjhfbq.exe                          | 2
2976 | Mllcodig.exe                          | 2
1784 | Mmmpfm32.exe                          | 2
2000 | Makhlkel.exe                          | 2
2552 | Njcmeqkl.exe                          | 2
2216 | Nbnajcig.exe                          | 2
1900 | Nihjfm32.exe                          | 2
836  | Nlgfbh32.exe                          | 2
2152 | Nbqnobge.exe                          | 2
2132 | Npdohg32.exe                          | 2
2260 | Nbckeb32.exe                          | 2
2524 | Nhpcmi32.exe                          | 2
1568 | Nojljcjf.exe                          | 2
1612 | Niopgljl.exe                          | 2
1820 | Nolhoc32.exe                          | 2
2768 | Oakdkn32.exe                          | 2
1284 | Ohdmhhod.exe                          | 2
2700 | Omaepoml.exe                          | 2
2312 | Oamaan32.exe                          | 2
2620 | Ogjjie32.exe                          | 2
2644 | Ooabjbdn.exe                          | 2
Drops file in System32 directory (64 IoCs)

All paths are under C:\Windows\SysWOW64\ (the 32-bit system directory on this x64 image). The .dll files are the in-process servers registered under the CLSID in the "Modifies registry class" section; the .exe files are the next links in the execution chain.

description                 | ioc (C:\Windows\SysWOW64\...) | Process
File created                | Fhiqmobf.dll | Process not Found
File created                | Hmkdpafo.exe | Hcbogk32.exe
File created                | Mhippbem.exe | Mfkcdgfi.exe
File opened for modification| Fikkcnog.exe | Fgmogcpc.exe
File created                | Kpgiln32.exe | Kimpocda.exe
File created                | Ponadfim.exe | Ppkahi32.exe
File created                | Joajdmma.exe | Jhhagb32.exe
File created                | Gedelbdk.dll | Nnboonmb.exe
File created                | Ohjofgfo.exe | Oelcjkgk.exe
File created                | Agkhbece.exe | Admlfida.exe
File opened for modification| Dfdpbaeb.exe | Debcjiod.exe
File created                | Iikgkq32.exe | Iacojc32.exe
File opened for modification| Iikgkq32.exe | Iacojc32.exe
File opened for modification| Alifee32.exe | Aadbhl32.exe
File created                | Hfpehq32.exe | Hofmlf32.exe
File created                | Gcqika32.exe | Process not Found
File created                | Pdfifg32.exe | Pagmjlhj.exe
File opened for modification| Peqidn32.exe | Pcbmhb32.exe
File opened for modification| Ifjoie32.exe | Ippflkok.exe
File opened for modification| Jifmgman.exe | Process not Found
File opened for modification| Fhpflblk.exe | Ffbjpfmg.exe
File created                | Nfepljba.dll | Hpgcfmge.exe
File created                | Ochhka32.dll | Mpaado32.exe
File created                | Maldcblg.exe | Lkblghdj.exe
File created                | Gpeqpl32.dll | Process not Found
File opened for modification| Anebhh32.exe | Process not Found
File created                | Cdhjjddc.exe | Process not Found
File created                | Dbjonicb.exe | Ddgnbl32.exe
File created                | Lhodgebh.exe | Lbdljk32.exe
File created                | Cidnjk32.dll | Papmnj32.exe
File opened for modification| Bfdhdj32.exe | Bnmpcmpi.exe
File opened for modification| Cnanbijd.exe | Process not Found
File opened for modification| Elgmbnfn.exe | Eiipfbgj.exe
File created                | Jkcjchco.exe | Jfgnbi32.exe
File opened for modification| Plmdqmpd.exe | Process not Found
File created                | Ckpkkl32.dll | Gceghn32.exe
File created                | Fclckhlb.dll | Dmklikob.exe
File created                | Ijbjbdnf.exe | Igcnfhob.exe
File opened for modification| Mmlilfkj.exe | Mfbqol32.exe
File opened for modification| Ckjqog32.exe | Chldbl32.exe
File created                | Ifkecl32.exe | Ipqmgbbf.exe
File created                | Hcpphd32.dll | Ijfadkbm.exe
File created                | Akfdcckn.exe | Agkhbece.exe
File created                | Ojbdbf32.exe | Obllai32.exe
File created                | Iacelcgc.dll | Process not Found
File opened for modification| Lgdcqj32.exe | Lecfiahe.exe
File created                | Opgqdo32.dll | Acjjch32.exe
File created                | Dakbajhh.dll | Kfiajj32.exe
File opened for modification| Fhhbffkk.exe | Fdlfeh32.exe
File opened for modification| Olklmk32.exe | Okjoec32.exe
File opened for modification| Omnapi32.exe | Oicfpkci.exe
File opened for modification| Cnnpdaeb.exe | Cfggccdp.exe
File opened for modification| Jngfei32.exe | Jkhjin32.exe
File created                | Bpkebm32.dll | Oficoo32.exe
File opened for modification| Blmlnd32.exe | Process not Found
File created                | Cobkja32.exe | Process not Found
File created                | Oknqkmgf.dll | Ncjgao32.exe
File created                | Paojeafn.exe | Poqniegj.exe
File created                | Kpoegc32.exe | Kfiajj32.exe
File created                | Ehkjgi32.exe | Epdafl32.exe
File created                | Glgpfkgh.dll | Nojljcjf.exe
File opened for modification| Dohiefpc.exe | Dfaachpa.exe
File opened for modification| Ppcplg32.exe | Pnedpl32.exe
File created                | Hklkhk32.dll | Ieepad32.exe
Program crash (1 IoC)

pid  | pid_target | Process           | procid_target
1756 | 3628       | Process not Found | 1256
System Location Discovery: System Language Discovery (1 TTP, 64 IoCs)

Attempts to gather information about the system language of the victim in order to infer the geographical location of that host. Every event below is the same operation on the same key:
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language

Processes that opened the key (64 events, in the order the report lists them):
Elgmbnfn.exe, Pnedpl32.exe, Lcpaag32.exe, Mllcodig.exe, Gccjbo32.exe, Ijodiedi.exe, Opjjlo32.exe, Ifndbd32.exe, Dfaachpa.exe, Ccfoah32.exe, Pgdfbb32.exe, Eaoadb32.exe, Johpcgap.exe, Process not Found, Lbdljk32.exe, Lbieejff.exe, Lnklol32.exe, Mmlilfkj.exe, Emmljodk.exe, Gkkkgkla.exe, Ncnplogn.exe, Objcnj32.exe, Gqenfc32.exe, Lohlcoid.exe,
Ghlhpiia.exe, Process not Found, Nbaqhk32.exe, Oeaoncjj.exe, Process not Found, Process not Found, Ajhkka32.exe, Fkflii32.exe, Oicfpkci.exe, Oimkob32.exe, Process not Found, Iljjabfh.exe, Kchhholk.exe, Jckiolgm.exe, Gdflepqo.exe, Process not Found, Lceond32.exe, Ekacnjfp.exe, Hkhdfhmc.exe, Poqniegj.exe, Bknani32.exe, Ofellh32.exe, Process not Found,
Deegjo32.exe, Dbihccpg.exe, Ofmigm32.exe, Mhippbem.exe, Process not Found, Plfhfiqc.exe, Adhbkj32.exe, Diackmif.exe, Akadmnlg.exe, Process not Found, Process not Found, Process not Found, Jegheghc.exe, Cenjoi32.exe, Fbhkdgbk.exe, Mmebkg32.exe, Llpbeaak.exe

Note that opening NLS\Language is also what the CRT's locale initialisation does, so on its own this signature is weak evidence; it is the combination with the persistence and drop behaviour above that matters.
Modifies registry class (64 IoCs)

All rows are under the CLSID that the ShellServiceObjectDelayLoad entry points at, so the key is written out once:
  CLSID key: \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32
The "(Default)" rows set the in-process server path (the report renders backslashes doubled, as in C:\\Windows\\SysWow64\\...); each dropped stage re-points the CLSID at its own freshly dropped DLL, which is why the path keeps changing.

description     | ioc (relative to the CLSID key)                            | Process
Key created     | InProcServer32                                             | Jebojh32.exe
Set value (str) | ThreadingModel = "Apartment"                               | Fommfd32.exe
Set value (str) | ThreadingModel = "Apartment"                               | Ibfcei32.exe
Set value (str) | ThreadingModel = "Apartment"                               | Jkqmnh32.exe
Set value (str) | ThreadingModel = "Apartment"                               | Fcdpld32.exe
Key created     | InProcServer32                                             | Process not Found
Key created     | InProcServer32                                             | Ifkecl32.exe
Set value (str) | (Default) = "C:\\Windows\\SysWow64\\Pklnfalh.dll"          | Lnpejklj.exe
Set value (str) | ThreadingModel = "Apartment"                               | Gfclic32.exe
Set value (str) | ThreadingModel = "Apartment"                               | Cbjbof32.exe
Set value (str) | (Default) = "C:\\Windows\\SysWow64\\Hcpphd32.dll"          | Ijfadkbm.exe
Set value (str) | ThreadingModel = "Apartment"                               | Mgkghp32.exe
Set value (str) | ThreadingModel = "Apartment"                               | Fnhnnc32.exe
Set value (str) | (Default) = "C:\\Windows\\SysWow64\\Bkomjmah.dll"          | Lcmdlgoj.exe
Set value (str) | ThreadingModel = "Apartment"                               | Nopqlj32.exe
Key created     | InProcServer32                                             | Process not Found
Set value (str) | (Default) = "C:\\Windows\\SysWow64\\Jnogne32.dll"          | Hinolcbf.exe
Key created     | InProcServer32                                             | Gmdapoil.exe
Set value (str) | (Default) = "C:\\Windows\\SysWow64\\Cidnjk32.dll"          | Papmnj32.exe
Set value (str) | (Default) = "C:\\Windows\\SysWow64\\Dchjmkho.dll"          | Ndjloanf.exe
Set value (str) | ThreadingModel = "Apartment"                               | Ljjnpo32.exe
Key created     | InProcServer32                                             | Ifjoie32.exe
Set value (str) | ThreadingModel = "Apartment"                               | Kdinea32.exe
Set value (str) | ThreadingModel = "Apartment"                               | Process not Found
Set value (str) | ThreadingModel = "Apartment"                               | Process not Found
Set value (str) | (Default) = "C:\\Windows\\SysWow64\\Alikdf32.dll"          | Process not Found
Set value (str) | ThreadingModel = "Apartment"                               | Lnejqmie.exe
Key created     | InProcServer32                                             | Ncjgao32.exe
Set value (str) | (Default) = "C:\\Windows\\SysWow64\\Ciagloib.dll"          | Process not Found
Key created     | InProcServer32                                             | Process not Found
Set value (str) | ThreadingModel = "Apartment"                               | Ldedlfhl.exe
Key created     | InProcServer32                                             | Fklohgie.exe
Key created     | InProcServer32                                             | Klpffn32.exe
Set value (str) | (Default) = "C:\\Windows\\SysWow64\\Pbdkoe32.dll"          | Process not Found
Key created     | InProcServer32                                             | Ekcpdi32.exe
Key created     | InProcServer32                                             | Fmnoapba.exe
Key created     | InProcServer32                                             | Ibdcnm32.exe
Set value (str) | (Default) = "C:\\Windows\\SysWow64\\Pceefg32.dll"          | Eaoadb32.exe
Set value (str) | ThreadingModel = "Apartment"                               | Ijodiedi.exe
Set value (str) | (Default) = "C:\\Windows\\SysWow64\\Dgephkni.dll"          | Abfmecba.exe
Key created     | InProcServer32                                             | Anepooja.exe
Key created     | InProcServer32                                             | Mgcflnfp.exe
Set value (str) | (Default) = "C:\\Windows\\SysWow64\\Pimanc32.dll"          | Fhhbffkk.exe
Key created     | InProcServer32                                             | Gdimlllq.exe
Set value (str) | ThreadingModel = "Apartment"                               | Oogdiqki.exe
Set value (str) | (Default) = "C:\\Windows\\SysWow64\\Lfnghjmh.dll"          | Fldeakgp.exe
Set value (str) | (Default) = "C:\\Windows\\SysWow64\\Gnahbgfm.dll"          | Pamnpahp.exe
Set value (str) | (Default) = "C:\\Windows\\SysWow64\\Iaehalqj.dll"          | Hcnfllcd.exe
Set value (str) | ThreadingModel = "Apartment"                               | Ihinkn32.exe
Set value (str) | (Default) = "C:\\Windows\\SysWow64\\Fidfhd32.dll"          | Jihgdd32.exe
Key created     | InProcServer32                                             | Bdghpggf.exe
Set value (str) | ThreadingModel = "Apartment"                               | Process not Found
Key created     | InProcServer32                                             | Fjpbeecn.exe
Key created     | InProcServer32                                             | Cnifia32.exe
Set value (str) | ThreadingModel = "Apartment"                               | Gdflepqo.exe
Set value (str) | ThreadingModel = "Apartment"                               | Hjgnhf32.exe
Set value (str) | ThreadingModel = "Apartment"                               | Process not Found
Set value (str) | ThreadingModel = "Apartment"                               | Pmqkellk.exe
Set value (str) | ThreadingModel = "Apartment"                               | Kbikah32.exe
Set value (str) | ThreadingModel = "Apartment"                               | Lkblghdj.exe
Set value (str) | (Default) = "C:\\Windows\\SysWow64\\Lijcbcie.dll"          | Ahcoli32.exe
Set value (str) | (Default) = "C:\\Windows\\SysWow64\\Cehaip32.dll"          | Dolondiq.exe
Key created     | InProcServer32                                             | Afmack32.exe
Set value (str) | (Default) = "C:\\Windows\\SysWow64\\Mmadag32.dll"          | Ehechn32.exe
Suspicious use of WriteProcessMemory 64 IoCs
Processes

Each entry gives the image path, the command line as recorded, the PID, and the behavioural signatures the sandbox attached to that process. The numbering is the nesting depth from the report: each process is a child of the one listed before it, forming a single 122-deep chain.

1. C:\Users\Admin\AppData\Local\Temp\d279d3af11867e2562dd333f28d1d1e0N.exe (command line: "C:\Users\Admin\AppData\Local\Temp\d279d3af11867e2562dd333f28d1d1e0N.exe"; PID 1712): Loads dropped DLL; Suspicious use of WriteProcessMemory
2. C:\Windows\SysWOW64\Kncmknkg.exe (command line: C:\Windows\system32\Kncmknkg.exe; PID 1988): Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
3. C:\Windows\SysWOW64\Ljjnpo32.exe (command line: C:\Windows\system32\Ljjnpo32.exe; PID 2664): Executes dropped EXE; Loads dropped DLL; Modifies registry class; Suspicious use of WriteProcessMemory
4. C:\Windows\SysWOW64\Lnejqmie.exe (command line: C:\Windows\system32\Lnejqmie.exe; PID 2784): Executes dropped EXE; Loads dropped DLL; Modifies registry class; Suspicious use of WriteProcessMemory
5. C:\Windows\SysWOW64\Lceond32.exe (command line: C:\Windows\system32\Lceond32.exe; PID 2708): Executes dropped EXE; Loads dropped DLL; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
6. C:\Windows\SysWOW64\Lmmcgilj.exe (command line: C:\Windows\system32\Lmmcgilj.exe; PID 2956): Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
7. C:\Windows\SysWOW64\Ljadqn32.exe (command line: C:\Windows\system32\Ljadqn32.exe; PID 2572): Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
8. C:\Windows\SysWOW64\Lkbphfab.exe (command line: C:\Windows\system32\Lkbphfab.exe; PID 2616): Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
9. C:\Windows\SysWOW64\Lkdmneoo.exe (command line: C:\Windows\system32\Lkdmneoo.exe; PID 2808): Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
10. C:\Windows\SysWOW64\Mfjaknoe.exe (command line: C:\Windows\system32\Mfjaknoe.exe; PID 816): Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
11. C:\Windows\SysWOW64\Mbabpodi.exe (command line: C:\Windows\system32\Mbabpodi.exe; PID 1720): Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
12. C:\Windows\SysWOW64\Mgnjhfbq.exe (command line: C:\Windows\system32\Mgnjhfbq.exe; PID 2952): Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
13. C:\Windows\SysWOW64\Mllcodig.exe (command line: C:\Windows\system32\Mllcodig.exe; PID 2976): Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Loads dropped DLL; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
14. C:\Windows\SysWOW64\Mmmpfm32.exe (command line: C:\Windows\system32\Mmmpfm32.exe; PID 1784): Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
15. C:\Windows\SysWOW64\Makhlkel.exe (command line: C:\Windows\system32\Makhlkel.exe; PID 2000): Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
16. C:\Windows\SysWOW64\Njcmeqkl.exe (command line: C:\Windows\system32\Njcmeqkl.exe; PID 2552): Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
17. C:\Windows\SysWOW64\Nbnajcig.exe (command line: C:\Windows\system32\Nbnajcig.exe; PID 2216): Executes dropped EXE; Loads dropped DLL
18. C:\Windows\SysWOW64\Nihjfm32.exe (command line: C:\Windows\system32\Nihjfm32.exe; PID 1900): Executes dropped EXE; Loads dropped DLL
19. C:\Windows\SysWOW64\Nlgfbh32.exe (command line: C:\Windows\system32\Nlgfbh32.exe; PID 836): Executes dropped EXE; Loads dropped DLL
20. C:\Windows\SysWOW64\Nbqnobge.exe (command line: C:\Windows\system32\Nbqnobge.exe; PID 2152): Executes dropped EXE; Loads dropped DLL
21. C:\Windows\SysWOW64\Npdohg32.exe (command line: C:\Windows\system32\Npdohg32.exe; PID 2132): Executes dropped EXE; Loads dropped DLL
22. C:\Windows\SysWOW64\Nbckeb32.exe (command line: C:\Windows\system32\Nbckeb32.exe; PID 2260): Executes dropped EXE; Loads dropped DLL
23. C:\Windows\SysWOW64\Nhpcmi32.exe (command line: C:\Windows\system32\Nhpcmi32.exe; PID 2524): Executes dropped EXE; Loads dropped DLL
24. C:\Windows\SysWOW64\Nojljcjf.exe (command line: C:\Windows\system32\Nojljcjf.exe; PID 1568): Executes dropped EXE; Loads dropped DLL; Drops file in System32 directory
25. C:\Windows\SysWOW64\Nbehjb32.exe (command line: C:\Windows\system32\Nbehjb32.exe; PID 1920): Executes dropped EXE
26. C:\Windows\SysWOW64\Niopgljl.exe (command line: C:\Windows\system32\Niopgljl.exe; PID 1612): Loads dropped DLL
27. C:\Windows\SysWOW64\Nolhoc32.exe (command line: C:\Windows\system32\Nolhoc32.exe; PID 1820): Executes dropped EXE; Loads dropped DLL
28. C:\Windows\SysWOW64\Oakdkn32.exe (command line: C:\Windows\system32\Oakdkn32.exe; PID 2768): Executes dropped EXE; Loads dropped DLL
29. C:\Windows\SysWOW64\Ohdmhhod.exe (command line: C:\Windows\system32\Ohdmhhod.exe; PID 1284): Executes dropped EXE; Loads dropped DLL
30. C:\Windows\SysWOW64\Omaepoml.exe (command line: C:\Windows\system32\Omaepoml.exe; PID 2700): Executes dropped EXE; Loads dropped DLL
31. C:\Windows\SysWOW64\Oamaan32.exe (command line: C:\Windows\system32\Oamaan32.exe; PID 2312): Executes dropped EXE; Loads dropped DLL
32. C:\Windows\SysWOW64\Ogjjie32.exe (command line: C:\Windows\system32\Ogjjie32.exe; PID 2620): Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Loads dropped DLL
33. C:\Windows\SysWOW64\Ooabjbdn.exe (command line: C:\Windows\system32\Ooabjbdn.exe; PID 2644): Executes dropped EXE; Loads dropped DLL
34. C:\Windows\SysWOW64\Odnjbibf.exe (command line: C:\Windows\system32\Odnjbibf.exe; PID 2812): Executes dropped EXE
35. C:\Windows\SysWOW64\Oglfodai.exe (command line: C:\Windows\system32\Oglfodai.exe; PID 1732): Executes dropped EXE
36. C:\Windows\SysWOW64\Omfoko32.exe (command line: C:\Windows\system32\Omfoko32.exe; PID 2640): Executes dropped EXE
37. C:\Windows\SysWOW64\Okjoec32.exe (command line: C:\Windows\system32\Okjoec32.exe; PID 2560): Executes dropped EXE; Drops file in System32 directory
38. C:\Windows\SysWOW64\Olklmk32.exe (command line: C:\Windows\system32\Olklmk32.exe; PID 2944): Executes dropped EXE
39. C:\Windows\SysWOW64\Oiolfo32.exe (command line: C:\Windows\system32\Oiolfo32.exe; PID 308): Executes dropped EXE
40. C:\Windows\SysWOW64\Pnkhfnea.exe (command line: C:\Windows\system32\Pnkhfnea.exe; PID 1288): Executes dropped EXE
41. C:\Windows\SysWOW64\Pefmkpbl.exe (command line: C:\Windows\system32\Pefmkpbl.exe; PID 2420): Executes dropped EXE
42. C:\Windows\SysWOW64\Piaiko32.exe (command line: C:\Windows\system32\Piaiko32.exe; PID 1984): Executes dropped EXE
43. C:\Windows\SysWOW64\Ppkahi32.exe (command line: C:\Windows\system32\Ppkahi32.exe; PID 1456): Executes dropped EXE; Drops file in System32 directory
44. C:\Windows\SysWOW64\Ponadfim.exe (command line: C:\Windows\system32\Ponadfim.exe; PID 1684): Executes dropped EXE
45. C:\Windows\SysWOW64\Pamnpahp.exe (command line: C:\Windows\system32\Pamnpahp.exe; PID 1512): Executes dropped EXE; Modifies registry class
46. C:\Windows\SysWOW64\Pjdeaohb.exe (command line: C:\Windows\system32\Pjdeaohb.exe; PID 3052): Executes dropped EXE
47. C:\Windows\SysWOW64\Plbbmjhf.exe (command line: C:\Windows\system32\Plbbmjhf.exe; PID 984): Executes dropped EXE
48. C:\Windows\SysWOW64\Poqniegj.exe (command line: C:\Windows\system32\Poqniegj.exe; PID 2924): Executes dropped EXE; Drops file in System32 directory; System Location Discovery: System Language Discovery
49. C:\Windows\SysWOW64\Paojeafn.exe (command line: C:\Windows\system32\Paojeafn.exe; PID 1044): Executes dropped EXE
50. C:\Windows\SysWOW64\Pdnfalea.exe (command line: C:\Windows\system32\Pdnfalea.exe; PID 2336): Executes dropped EXE
51. C:\Windows\SysWOW64\Pockoeeg.exe (command line: C:\Windows\system32\Pockoeeg.exe; PID 3024): Executes dropped EXE
52. C:\Windows\SysWOW64\Pnfkjb32.exe (command line: C:\Windows\system32\Pnfkjb32.exe; PID 2444): Executes dropped EXE
53. C:\Windows\SysWOW64\Pfmclold.exe (command line: C:\Windows\system32\Pfmclold.exe; PID 2800): Executes dropped EXE
54. C:\Windows\SysWOW64\Pgnpcg32.exe (command line: C:\Windows\system32\Pgnpcg32.exe; PID 2744): Executes dropped EXE
55. C:\Windows\SysWOW64\Poegde32.exe (command line: C:\Windows\system32\Poegde32.exe; PID 2256): Executes dropped EXE
56. C:\Windows\SysWOW64\Pqfdlmic.exe (command line: C:\Windows\system32\Pqfdlmic.exe; PID 2156): Executes dropped EXE
57. C:\Windows\SysWOW64\Qhnlmjie.exe (command line: C:\Windows\system32\Qhnlmjie.exe; PID 2432): Executes dropped EXE
58. C:\Windows\SysWOW64\Qgqlig32.exe (command line: C:\Windows\system32\Qgqlig32.exe; PID 2916): Executes dropped EXE
59. C:\Windows\SysWOW64\Qjoheb32.exe (command line: C:\Windows\system32\Qjoheb32.exe; PID 2988): Executes dropped EXE
60. C:\Windows\SysWOW64\Qqiqam32.exe (command line: C:\Windows\system32\Qqiqam32.exe; PID 1332): Executes dropped EXE
61. C:\Windows\SysWOW64\Qddmbkoi.exe (command line: C:\Windows\system32\Qddmbkoi.exe; PID 2228): Executes dropped EXE
62. C:\Windows\SysWOW64\Qgcingnm.exe (command line: C:\Windows\system32\Qgcingnm.exe; PID 264): Executes dropped EXE
63. C:\Windows\SysWOW64\Qjaejbmq.exe (command line: C:\Windows\system32\Qjaejbmq.exe; PID 1592): Executes dropped EXE
64. C:\Windows\SysWOW64\Qnmaka32.exe (command line: C:\Windows\system32\Qnmaka32.exe; PID 1108): Executes dropped EXE
65. C:\Windows\SysWOW64\Aqkmgl32.exe (command line: C:\Windows\system32\Aqkmgl32.exe; PID 3064): Executes dropped EXE
66. C:\Windows\SysWOW64\Acjjch32.exe (command line: C:\Windows\system32\Acjjch32.exe; PID 2548): Executes dropped EXE; Drops file in System32 directory
67. C:\Windows\SysWOW64\Ageedflj.exe (command line: C:\Windows\system32\Ageedflj.exe; PID 2500)
68. C:\Windows\SysWOW64\Anonqq32.exe (command line: C:\Windows\system32\Anonqq32.exe; PID 2168)
69. C:\Windows\SysWOW64\Aqnjml32.exe (command line: C:\Windows\system32\Aqnjml32.exe; PID 2868)
70. C:\Windows\SysWOW64\Aclfigao.exe (command line: C:\Windows\system32\Aclfigao.exe; PID 2772)
71. C:\Windows\SysWOW64\Aiioanpf.exe (command line: C:\Windows\system32\Aiioanpf.exe; PID 884)
72. C:\Windows\SysWOW64\Aqpgblqh.exe (command line: C:\Windows\system32\Aqpgblqh.exe; PID 2368)
73. C:\Windows\SysWOW64\Aocgnh32.exe (command line: C:\Windows\system32\Aocgnh32.exe; PID 2056)
74. C:\Windows\SysWOW64\Abacjd32.exe (command line: C:\Windows\system32\Abacjd32.exe; PID 2088)
75. C:\Windows\SysWOW64\Afmokbop.exe (command line: C:\Windows\system32\Afmokbop.exe; PID 2632)
76. C:\Windows\SysWOW64\Ajhkka32.exe (command line: C:\Windows\system32\Ajhkka32.exe; PID 2960): System Location Discovery: System Language Discovery
77. C:\Windows\SysWOW64\Abcppcdc.exe (command line: C:\Windows\system32\Abcppcdc.exe; PID 3068)
78. C:\Windows\SysWOW64\Aebllocg.exe (command line: C:\Windows\system32\Aebllocg.exe; PID 548)
79. C:\Windows\SysWOW64\Aogqihcm.exe (command line: C:\Windows\system32\Aogqihcm.exe; PID 2104)
80. C:\Windows\SysWOW64\Abfmecba.exe (command line: C:\Windows\system32\Abfmecba.exe; PID 2492): Modifies registry class
81. C:\Windows\SysWOW64\Aediaoae.exe (command line: C:\Windows\system32\Aediaoae.exe; PID 2512)
82. C:\Windows\SysWOW64\Aipebm32.exe (command line: C:\Windows\system32\Aipebm32.exe; PID 3060)
83. C:\Windows\SysWOW64\Bknani32.exe (command line: C:\Windows\system32\Bknani32.exe; PID 720): System Location Discovery: System Language Discovery
84. C:\Windows\SysWOW64\Bbhikcpn.exe (command line: C:\Windows\system32\Bbhikcpn.exe; PID 2248)
85. C:\Windows\SysWOW64\Begegn32.exe (command line: C:\Windows\system32\Begegn32.exe; PID 1620)
86. C:\Windows\SysWOW64\Bibagmhk.exe (command line: C:\Windows\system32\Bibagmhk.exe; PID 2724)
87. C:\Windows\SysWOW64\Bjcnoe32.exe (command line: C:\Windows\system32\Bjcnoe32.exe; PID 2608)
88. C:\Windows\SysWOW64\Bnojpdfb.exe (command line: C:\Windows\system32\Bnojpdfb.exe; PID 2900)
89. C:\Windows\SysWOW64\Beibln32.exe (command line: C:\Windows\system32\Beibln32.exe; PID 2928)
90. C:\Windows\SysWOW64\Bclbhkdj.exe (command line: C:\Windows\system32\Bclbhkdj.exe; PID 600)
91. C:\Windows\SysWOW64\Bmdgqp32.exe (command line: C:\Windows\system32\Bmdgqp32.exe; PID 2936)
92. C:\Windows\SysWOW64\Bapcaocc.exe (command line: C:\Windows\system32\Bapcaocc.exe; PID 1948): Adds autorun key to be loaded by Explorer.exe on startup
93. C:\Windows\SysWOW64\Bgjknijp.exe (command line: C:\Windows\system32\Bgjknijp.exe; PID 2344)
94. C:\Windows\SysWOW64\Bfmlif32.exe (command line: C:\Windows\system32\Bfmlif32.exe; PID 2456): Adds autorun key to be loaded by Explorer.exe on startup
95. C:\Windows\SysWOW64\Bmfdfpih.exe (command line: C:\Windows\system32\Bmfdfpih.exe; PID 676)
96. C:\Windows\SysWOW64\Bpepbkhk.exe (command line: C:\Windows\system32\Bpepbkhk.exe; PID 1908)
97. C:\Windows\SysWOW64\Bfohoe32.exe (command line: C:\Windows\system32\Bfohoe32.exe; PID 1728)
98. C:\Windows\SysWOW64\Bjjdpdga.exe (command line: C:\Windows\system32\Bjjdpdga.exe; PID 1508)
99. C:\Windows\SysWOW64\Badlln32.exe (command line: C:\Windows\system32\Badlln32.exe; PID 2852)
100. C:\Windows\SysWOW64\Bccihj32.exe (command line: C:\Windows\system32\Bccihj32.exe; PID 1656)
101. C:\Windows\SysWOW64\Cbfidfem.exe (command line: C:\Windows\system32\Cbfidfem.exe; PID 2024)
102. C:\Windows\SysWOW64\Cfaedeme.exe (command line: C:\Windows\system32\Cfaedeme.exe; PID 1228)
103. C:\Windows\SysWOW64\Clnmmlkm.exe (command line: C:\Windows\system32\Clnmmlkm.exe; PID 2364)
104. C:\Windows\SysWOW64\Cpjimk32.exe (command line: C:\Windows\system32\Cpjimk32.exe; PID 1136)
105. C:\Windows\SysWOW64\Cbhejf32.exe (command line: C:\Windows\system32\Cbhejf32.exe; PID 1648)
106. C:\Windows\SysWOW64\Cefbfa32.exe (command line: C:\Windows\system32\Cefbfa32.exe; PID 2392)
107. C:\Windows\SysWOW64\Clqjblij.exe (command line: C:\Windows\system32\Clqjblij.exe; PID 920)
108. C:\Windows\SysWOW64\Coofoghn.exe (command line: C:\Windows\system32\Coofoghn.exe; PID 584)
109. C:\Windows\SysWOW64\Cbjbof32.exe (command line: C:\Windows\system32\Cbjbof32.exe; PID 2332): Modifies registry class
110. C:\Windows\SysWOW64\Cidklp32.exe (command line: C:\Windows\system32\Cidklp32.exe; PID 2760)
111. C:\Windows\SysWOW64\Coacdg32.exe (command line: C:\Windows\system32\Coacdg32.exe; PID 2948)
112. C:\Windows\SysWOW64\Capopb32.exe (command line: C:\Windows\system32\Capopb32.exe; PID 2628)
113. C:\Windows\SysWOW64\Ciggap32.exe (command line: C:\Windows\system32\Ciggap32.exe; PID 1208)
114. C:\Windows\SysWOW64\Clecnk32.exe (command line: C:\Windows\system32\Clecnk32.exe; PID 2904)
115. C:\Windows\SysWOW64\Cablfb32.exe (command line: C:\Windows\system32\Cablfb32.exe; PID 3028)
116. C:\Windows\SysWOW64\Cdphbm32.exe (command line: C:\Windows\system32\Cdphbm32.exe; PID 1500)
117. C:\Windows\SysWOW64\Chldbl32.exe (command line: C:\Windows\system32\Chldbl32.exe; PID 328): Drops file in System32 directory
118. C:\Windows\SysWOW64\Ckjqog32.exe (command line: C:\Windows\system32\Ckjqog32.exe; PID 2220)
119. C:\Windows\SysWOW64\Dadikaaj.exe (command line: C:\Windows\system32\Dadikaaj.exe; PID 1884)
120. C:\Windows\SysWOW64\Depelp32.exe (command line: C:\Windows\system32\Depelp32.exe; PID 2124)
121. C:\Windows\SysWOW64\Dfaachpa.exe (command line: C:\Windows\system32\Dfaachpa.exe; PID 1868): Drops file in System32 directory; System Location Discovery: System Language Discovery
122. C:\Windows\SysWOW64\Dohiefpc.exe (command line: C:\Windows\system32\Dohiefpc.exe; PID 1756)