Analysis
max time kernel: 37s
max time network: 20s
platform: windows7_x64
resource: win7-20240729-en
resource tags: arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system
submitted: 25-08-2024 23:33
Static task: static1
Behavioral task: behavioral1
Sample: 9d69694a7860b2d029586db6e3d87050N.exe
Resource: win7-20240729-en
Behavioral task: behavioral2
Sample: 9d69694a7860b2d029586db6e3d87050N.exe
Resource: win10v2004-20240802-en
General
Target: 9d69694a7860b2d029586db6e3d87050N.exe
Size: 109KB
MD5: 9d69694a7860b2d029586db6e3d87050
SHA1: f9ddfacc06e3a2357d53cd8266d0271cbe2ff350
SHA256: e40617a2d2168f129db99a5138ab153a4c488e835f466743a863f295b14d6fb0
SHA512: 719c2462a4bef2c56b6466717fa5902fd39d6b07d3ba4f34a78c5589c09830b73674bfc96079fee3ba1ab5743912fae3f266fa5a09ceb0e0fa17828635783f22
SSDEEP: 3072:UwksRHIEY3B/ve0eJ9pbLCqwzBu1DjHLMVDqqkSpR:xJlIEqk0eJ9pwtu1DjrFqhz
Malware Config
Signatures
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
Executes dropped EXE 64 IoCs
Loads dropped DLL 64 IoCs
Drops file in System32 directory 64 IoCs
Program crash 1 IoCs
pid: 3612, pid_target: 3628, Process: WerFault.exe
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
Modifies registry class 64 IoCs
Suspicious use of WriteProcessMemory 64 IoCs
Processes

Each process in the chain spawns the next one (level 1 is the submitted sample; level N is the child of level N-1). The command line recorded by the sandbox follows the image path; the behaviour signatures attributed to each process are listed beneath it.

C:\Users\Admin\AppData\Local\Temp\9d69694a7860b2d029586db6e3d87050N.exe (level 1, PID 1244; command line: "C:\Users\Admin\AppData\Local\Temp\9d69694a7860b2d029586db6e3d87050N.exe")
- Loads dropped DLL
- Suspicious use of WriteProcessMemory

C:\Windows\SysWOW64\Cicakm32.exe (level 2, PID 1004; command line: C:\Windows\system32\Cicakm32.exe)
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory

C:\Windows\SysWOW64\Copjcd32.exe (level 3, PID 2704; command line: C:\Windows\system32\Copjcd32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory

C:\Windows\SysWOW64\Dlcjlh32.exe (level 4, PID 2292; command line: C:\Windows\system32\Dlcjlh32.exe)
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory

C:\Windows\SysWOW64\Dnefdqke.exe (level 5, PID 2896; command line: C:\Windows\system32\Dnefdqke.exe)
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory

C:\Windows\SysWOW64\Deloen32.exe (level 6, PID 2848; command line: C:\Windows\system32\Deloen32.exe)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory

C:\Windows\SysWOW64\Dhjkai32.exe (level 7, PID 2856; command line: C:\Windows\system32\Dhjkai32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory

C:\Windows\SysWOW64\Dkigme32.exe (level 8, PID 2904; command line: C:\Windows\system32\Dkigme32.exe)
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory

C:\Windows\SysWOW64\Dabojoak.exe (level 9, PID 2672; command line: C:\Windows\system32\Dabojoak.exe)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory

C:\Windows\SysWOW64\Ddakfjpo.exe (level 10, PID 1764; command line: C:\Windows\system32\Ddakfjpo.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory

C:\Windows\SysWOW64\Dgphbfoc.exe (level 11, PID 2216; command line: C:\Windows\system32\Dgphbfoc.exe)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory

C:\Windows\SysWOW64\Dnipop32.exe (level 12, PID 2860; command line: C:\Windows\system32\Dnipop32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory

C:\Windows\SysWOW64\Ddchlj32.exe (level 13, PID 892; command line: C:\Windows\system32\Ddchlj32.exe)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory

C:\Windows\SysWOW64\Dgbdhe32.exe (level 14, PID 1656; command line: C:\Windows\system32\Dgbdhe32.exe)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory

C:\Windows\SysWOW64\Dlompl32.exe (level 15, PID 2944; command line: C:\Windows\system32\Dlompl32.exe)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory

C:\Windows\SysWOW64\Dciemfcd.exe (level 16, PID 1652; command line: C:\Windows\system32\Dciemfcd.exe)
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory

C:\Windows\SysWOW64\Dfgaibbh.exe (level 17, PID 2564; command line: C:\Windows\system32\Dfgaibbh.exe)
- Executes dropped EXE
- Loads dropped DLL

C:\Windows\SysWOW64\Dnnijocj.exe (level 18, PID 376; command line: C:\Windows\system32\Dnnijocj.exe)
- Executes dropped EXE
- Loads dropped DLL

C:\Windows\SysWOW64\Doofbg32.exe (level 19, PID 3040; command line: C:\Windows\system32\Doofbg32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL

C:\Windows\SysWOW64\Eckbbf32.exe (level 20, PID 908; command line: C:\Windows\system32\Eckbbf32.exe)
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery

C:\Windows\SysWOW64\Egfnceik.exe (level 21, PID 676; command line: C:\Windows\system32\Egfnceik.exe)
- Executes dropped EXE
- Loads dropped DLL

C:\Windows\SysWOW64\Elcfklgb.exe (level 22, PID 2196; command line: C:\Windows\system32\Elcfklgb.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL

C:\Windows\SysWOW64\Eoabgggf.exe (level 23, PID 1972; command line: C:\Windows\system32\Eoabgggf.exe)
- Executes dropped EXE
- Loads dropped DLL

C:\Windows\SysWOW64\Eflkda32.exe (level 24, PID 308; command line: C:\Windows\system32\Eflkda32.exe)
- Executes dropped EXE
- Loads dropped DLL

C:\Windows\SysWOW64\Ejggepfl.exe (level 25, PID 1436; command line: C:\Windows\system32\Ejggepfl.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery

C:\Windows\SysWOW64\Elfcakep.exe (level 26, PID 2280; command line: C:\Windows\system32\Elfcakep.exe)
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery

C:\Windows\SysWOW64\Eodomgdc.exe (level 27, PID 1768; command line: C:\Windows\system32\Eodomgdc.exe)
- Executes dropped EXE
- Loads dropped DLL

C:\Windows\SysWOW64\Efngjalp.exe (level 28, PID 2916; command line: C:\Windows\system32\Efngjalp.exe)
- Executes dropped EXE
- Loads dropped DLL

C:\Windows\SysWOW64\Eoflbf32.exe (level 29, PID 2880; command line: C:\Windows\system32\Eoflbf32.exe)
- Executes dropped EXE
- Loads dropped DLL

C:\Windows\SysWOW64\Ebehob32.exe (level 30, PID 2824; command line: C:\Windows\system32\Ebehob32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery

C:\Windows\SysWOW64\Ebgeda32.exe (level 31, PID 2936; command line: C:\Windows\system32\Ebgeda32.exe)
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery

C:\Windows\SysWOW64\Edeapm32.exe (level 32, PID 2052; command line: C:\Windows\system32\Edeapm32.exe)
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class

C:\Windows\SysWOW64\Egdmlhni.exe (level 33, PID 2596; command line: C:\Windows\system32\Egdmlhni.exe)
- Executes dropped EXE

C:\Windows\SysWOW64\Fnneib32.exe (level 34, PID 2224; command line: C:\Windows\system32\Fnneib32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class

C:\Windows\SysWOW64\Fqlben32.exe (level 35, PID 2732; command line: C:\Windows\system32\Fqlben32.exe)
- Executes dropped EXE

C:\Windows\SysWOW64\Fcknai32.exe (level 36, PID 2484; command line: C:\Windows\system32\Fcknai32.exe)
- Executes dropped EXE

C:\Windows\SysWOW64\Fnpbob32.exe (level 37, PID 2248; command line: C:\Windows\system32\Fnpbob32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE

C:\Windows\SysWOW64\Fqookn32.exe (level 38, PID 1808; command line: C:\Windows\system32\Fqookn32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE

C:\Windows\SysWOW64\Fgiggh32.exe (level 39, PID 2012; command line: C:\Windows\system32\Fgiggh32.exe)
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class

C:\Windows\SysWOW64\Fnbodbaq.exe (level 40, PID 2452; command line: C:\Windows\system32\Fnbodbaq.exe)
- Executes dropped EXE

C:\Windows\SysWOW64\Fqakqmpd.exe (level 41, PID 1916; command line: C:\Windows\system32\Fqakqmpd.exe)
- Executes dropped EXE

C:\Windows\SysWOW64\Fpdllj32.exe (level 42, PID 920; command line: C:\Windows\system32\Fpdllj32.exe)
- Executes dropped EXE

C:\Windows\SysWOW64\Fgkcmg32.exe (level 43, PID 2852; command line: C:\Windows\system32\Fgkcmg32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE

C:\Windows\SysWOW64\Fjipic32.exe (level 44, PID 1796; command line: C:\Windows\system32\Fjipic32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery

C:\Windows\SysWOW64\Filpepno.exe (level 45, PID 2928; command line: C:\Windows\system32\Filpepno.exe)
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class

C:\Windows\SysWOW64\Ffpqndmi.exe (level 46, PID 1928; command line: C:\Windows\system32\Ffpqndmi.exe)
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery

C:\Windows\SysWOW64\Fmjikndf.exe (level 47, PID 2236; command line: C:\Windows\system32\Fmjikndf.exe)
- Executes dropped EXE
- Modifies registry class

C:\Windows\SysWOW64\Fphegici.exe (level 48, PID 2276; command line: C:\Windows\system32\Fphegici.exe)
- Executes dropped EXE
- Modifies registry class

C:\Windows\SysWOW64\Fcdahh32.exe (level 49, PID 1592; command line: C:\Windows\system32\Fcdahh32.exe)
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class

C:\Windows\SysWOW64\Geemoqaq.exe (level 50, PID 2800; command line: C:\Windows\system32\Geemoqaq.exe)
- Executes dropped EXE
- System Location Discovery: System Language Discovery

C:\Windows\SysWOW64\Gmleqnbc.exe (level 51, PID 3016; command line: C:\Windows\system32\Gmleqnbc.exe)
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class

C:\Windows\SysWOW64\Gpkamiag.exe (level 52, PID 608; command line: C:\Windows\system32\Gpkamiag.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE

C:\Windows\SysWOW64\Gbinidpj.exe (level 53, PID 2700; command line: C:\Windows\system32\Gbinidpj.exe)
- Executes dropped EXE
- System Location Discovery: System Language Discovery

C:\Windows\SysWOW64\Gfejic32.exe (level 54, PID 2340; command line: C:\Windows\system32\Gfejic32.exe)
- Executes dropped EXE

C:\Windows\SysWOW64\Ghffal32.exe (level 55, PID 2000; command line: C:\Windows\system32\Ghffal32.exe)
- Executes dropped EXE
- Modifies registry class

C:\Windows\SysWOW64\Glabajgk.exe (level 56, PID 1552; command line: C:\Windows\system32\Glabajgk.exe)
- Executes dropped EXE

C:\Windows\SysWOW64\Gnponefo.exe (level 57, PID 2920; command line: C:\Windows\system32\Gnponefo.exe)
- Executes dropped EXE

C:\Windows\SysWOW64\Gaokjaeb.exe (level 58, PID 2200; command line: C:\Windows\system32\Gaokjaeb.exe)
- Executes dropped EXE

C:\Windows\SysWOW64\Gieckned.exe (level 59, PID 2108; command line: C:\Windows\system32\Gieckned.exe)
- Executes dropped EXE

C:\Windows\SysWOW64\Gldogjeh.exe (level 60, PID 3004; command line: C:\Windows\system32\Gldogjeh.exe)
- Executes dropped EXE

C:\Windows\SysWOW64\Gnbkcedl.exe (level 61, PID 3048; command line: C:\Windows\system32\Gnbkcedl.exe)
- Executes dropped EXE

C:\Windows\SysWOW64\Gaagoqcp.exe (level 62, PID 2600; command line: C:\Windows\system32\Gaagoqcp.exe)
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class

C:\Windows\SysWOW64\Glflmi32.exe (level 63, PID 2488; command line: C:\Windows\system32\Glflmi32.exe)
- Executes dropped EXE

C:\Windows\SysWOW64\Gjilhfip.exe (level 64, PID 2744; command line: C:\Windows\system32\Gjilhfip.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE

C:\Windows\SysWOW64\Gmghdahd.exe (level 65, PID 1140; command line: C:\Windows\system32\Gmghdahd.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE

C:\Windows\SysWOW64\Geopeoif.exe (level 66, PID 1288; command line: C:\Windows\system32\Geopeoif.exe)
- Adds autorun key to be loaded by Explorer.exe on startup

C:\Windows\SysWOW64\Gdaqal32.exe (level 67, PID 1324; command line: C:\Windows\system32\Gdaqal32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup

C:\Windows\SysWOW64\Gfpmmg32.exe (level 68, PID 1672; command line: C:\Windows\system32\Gfpmmg32.exe)
- Drops file in System32 directory

C:\Windows\SysWOW64\Gjlinfgm.exe (level 69, PID 2808; command line: C:\Windows\system32\Gjlinfgm.exe)

C:\Windows\SysWOW64\Gmjejafa.exe (level 70, PID 2924; command line: C:\Windows\system32\Gmjejafa.exe)

C:\Windows\SysWOW64\Hphafmee.exe (level 71, PID 796; command line: C:\Windows\system32\Hphafmee.exe)
- System Location Discovery: System Language Discovery

C:\Windows\SysWOW64\Hhpigjfg.exe (level 72, PID 2144; command line: C:\Windows\system32\Hhpigjfg.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class

C:\Windows\SysWOW64\Hfbicg32.exe (level 73, PID 2764; command line: C:\Windows\system32\Hfbicg32.exe)

C:\Windows\SysWOW64\Hiqfoble.exe (level 74, PID 2428; command line: C:\Windows\system32\Hiqfoble.exe)
- System Location Discovery: System Language Discovery
- Modifies registry class

C:\Windows\SysWOW64\Hahnppmh.exe (level 75, PID 1248; command line: C:\Windows\system32\Hahnppmh.exe)
- Drops file in System32 directory

C:\Windows\SysWOW64\Hpknlm32.exe (level 76, PID 2156; command line: C:\Windows\system32\Hpknlm32.exe)
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class

C:\Windows\SysWOW64\Hbijhh32.exe (level 77, PID 1348; command line: C:\Windows\system32\Hbijhh32.exe)

C:\Windows\SysWOW64\Hfdfhgko.exe (level 78, PID 1992; command line: C:\Windows\system32\Hfdfhgko.exe)

C:\Windows\SysWOW64\Hicbdbjb.exe (level 79, PID 2440; command line: C:\Windows\system32\Hicbdbjb.exe)

C:\Windows\SysWOW64\Hmoneq32.exe (level 80, PID 2172; command line: C:\Windows\system32\Hmoneq32.exe)
- System Location Discovery: System Language Discovery

C:\Windows\SysWOW64\Hpmkal32.exe (level 81, PID 2100; command line: C:\Windows\system32\Hpmkal32.exe)

C:\Windows\SysWOW64\Hdigakji.exe (level 82, PID 1180; command line: C:\Windows\system32\Hdigakji.exe)

C:\Windows\SysWOW64\Hbkgmh32.exe (level 83, PID 1240; command line: C:\Windows\system32\Hbkgmh32.exe)

C:\Windows\SysWOW64\Hejcic32.exe (level 84, PID 2740; command line: C:\Windows\system32\Hejcic32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory

C:\Windows\SysWOW64\Hldkfm32.exe (level 85, PID 2424; command line: C:\Windows\system32\Hldkfm32.exe)

C:\Windows\SysWOW64\Hobgbi32.exe (level 86, PID 1276; command line: C:\Windows\system32\Hobgbi32.exe)
- Drops file in System32 directory

C:\Windows\SysWOW64\Hfipcf32.exe (level 87, PID 2980; command line: C:\Windows\system32\Hfipcf32.exe)
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class

C:\Windows\SysWOW64\Helpocnd.exe (level 88, PID 2444; command line: C:\Windows\system32\Helpocnd.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery

C:\Windows\SysWOW64\Hhklknmh.exe (level 89, PID 2984; command line: C:\Windows\system32\Hhklknmh.exe)

C:\Windows\SysWOW64\Hpadllnj.exe (level 90, PID 600; command line: C:\Windows\system32\Hpadllnj.exe)
- Drops file in System32 directory
- Modifies registry class

C:\Windows\SysWOW64\Hoddhh32.exe (level 91, PID 1740; command line: C:\Windows\system32\Hoddhh32.exe)
- Drops file in System32 directory
- Modifies registry class

C:\Windows\SysWOW64\Hbpphgmn.exe (level 92, PID 264; command line: C:\Windows\system32\Hbpphgmn.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class

C:\Windows\SysWOW64\Heomdbla.exe (level 93, PID 704; command line: C:\Windows\system32\Heomdbla.exe)

C:\Windows\SysWOW64\Ilheam32.exe (level 94, PID 2840; command line: C:\Windows\system32\Ilheam32.exe)
- Modifies registry class

C:\Windows\SysWOW64\Ikkemiji.exe (level 95, PID 1648; command line: C:\Windows\system32\Ikkemiji.exe)

C:\Windows\SysWOW64\Iogamhbb.exe (level 96, PID 1488; command line: C:\Windows\system32\Iogamhbb.exe)

C:\Windows\SysWOW64\Iaemicaf.exe (level 97, PID 2708; command line: C:\Windows\system32\Iaemicaf.exe)
- Modifies registry class

C:\Windows\SysWOW64\Iddieoqi.exe (level 98, PID 2392; command line: C:\Windows\system32\Iddieoqi.exe)

C:\Windows\SysWOW64\Ilkaglal.exe (level 99, PID 1772; command line: C:\Windows\system32\Ilkaglal.exe)
- System Location Discovery: System Language Discovery

C:\Windows\SysWOW64\Iknabi32.exe (level 100, PID 3036; command line: C:\Windows\system32\Iknabi32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery

C:\Windows\SysWOW64\Imlnod32.exe (level 101, PID 2288; command line: C:\Windows\system32\Imlnod32.exe)
- Drops file in System32 directory

C:\Windows\SysWOW64\Iahjococ.exe (level 102, PID 444; command line: C:\Windows\system32\Iahjococ.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery

C:\Windows\SysWOW64\Idffkoog.exe (level 103, PID 2320; command line: C:\Windows\system32\Idffkoog.exe)

C:\Windows\SysWOW64\Igdbgjnj.exe (level 104, PID 2520; command line: C:\Windows\system32\Igdbgjnj.exe)

C:\Windows\SysWOW64\Ikpnhi32.exe (level 105, PID 2828; command line: C:\Windows\system32\Ikpnhi32.exe)

C:\Windows\SysWOW64\Ioljhg32.exe (level 106, PID 2508; command line: C:\Windows\system32\Ioljhg32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class

C:\Windows\SysWOW64\Iajgdc32.exe (level 107, PID 1956; command line: C:\Windows\system32\Iajgdc32.exe)
- Drops file in System32 directory

C:\Windows\SysWOW64\Ipmgppdk.exe (level 108, PID 2784; command line: C:\Windows\system32\Ipmgppdk.exe)

C:\Windows\SysWOW64\Ihdoamem.exe (level 109, PID 1036; command line: C:\Windows\system32\Ihdoamem.exe)

C:\Windows\SysWOW64\Iggomj32.exe (level 110, PID 2528; command line: C:\Windows\system32\Iggomj32.exe)

C:\Windows\SysWOW64\Iiekie32.exe (level 111, PID 3044; command line: C:\Windows\system32\Iiekie32.exe)

C:\Windows\SysWOW64\Inagjdcd.exe (level 112, PID 2952; command line: C:\Windows\system32\Inagjdcd.exe)
- Drops file in System32 directory
- Modifies registry class

C:\Windows\SysWOW64\Ipocfobh.exe (level 113, PID 2804; command line: C:\Windows\system32\Ipocfobh.exe)

C:\Windows\SysWOW64\Idkpfn32.exe (level 114, PID 2352; command line: C:\Windows\system32\Idkpfn32.exe)

C:\Windows\SysWOW64\Igilbi32.exe (level 115, PID 408; command line: C:\Windows\system32\Igilbi32.exe)
- Drops file in System32 directory

C:\Windows\SysWOW64\Ikehchbn.exe (level 116, PID 1160; command line: C:\Windows\system32\Ikehchbn.exe)
- Modifies registry class

C:\Windows\SysWOW64\Incdocab.exe (level 117, PID 1888; command line: C:\Windows\system32\Incdocab.exe)
- System Location Discovery: System Language Discovery

C:\Windows\SysWOW64\Ipapko32.exe (level 118, PID 2792; command line: C:\Windows\system32\Ipapko32.exe)
- Modifies registry class

C:\Windows\SysWOW64\Idmllnho.exe (level 119, PID 1328; command line: C:\Windows\system32\Idmllnho.exe)

C:\Windows\SysWOW64\Jgkhhigb.exe (level 120, PID 1960; command line: C:\Windows\system32\Jgkhhigb.exe)
- Adds autorun key to be loaded by Explorer.exe on startup

C:\Windows\SysWOW64\Jjjeddff.exe (level 121, PID 2864; command line: C:\Windows\system32\Jjjeddff.exe)
- System Location Discovery: System Language Discovery

C:\Windows\SysWOW64\Jneadc32.exe (level 122, PID 976; command line: C:\Windows\system32\Jneadc32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory