Analysis
-
max time kernel
119s -
max time network
125s -
platform
windows7_x64 -
resource
win7-20240704-en -
resource tags
arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system -
submitted
25/08/2024, 20:20
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
d3034d9388b8b5d766867d8904027490N.exe
Resource
win7-20240704-en
windows7-x64
8 signatures
120 seconds
Behavioral task
behavioral2
Sample
d3034d9388b8b5d766867d8904027490N.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
7 signatures
120 seconds
General
-
Target
d3034d9388b8b5d766867d8904027490N.exe
-
Size
96KB
-
MD5
d3034d9388b8b5d766867d8904027490
-
SHA1
7d923fb274a160cba6f3f0cd8eaca3cab20fee34
-
SHA256
a5d59064e22bb4b575e7f820d7ae92ce73d84d1b27d7d4e4592736ca9a752ced
-
SHA512
1c037eacb796d4098c2673f6264c7826af0767bfa98c668a3c95dd2f8febe480a0f9427124a655c9ee7e3914b03c0783ed6d46a3a84efdd04cccca1f96ba2dcc
-
SSDEEP
1536:O1tpJgoFNmMvNIreUHMR6q8fPVOqqM/BOm1CMy0QiLiizHNQNdq:akMvQLsiVP15Om1CMyELiAHONdq
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fbhfajia.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fpemhb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Joebccpp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Liibgkoo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Amkbpm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hmpbja32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nepokogo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Iebmpcjc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lmqgec32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lelljepm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Okpdjjil.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Piadma32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iojopp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ojdjqp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ekfaij32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jjnlikic.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ogddhmdl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lbmnea32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Honiikpa.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oddbqhkf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ckfeic32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gpjilj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Meeopdhb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gampaipe.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nipefmkb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ikoehj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pmiikipg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ajjinaco.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bhbmip32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Elieipej.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gampaipe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Idekbgji.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oqgmmk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gnicoh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ddpbfl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hjhchg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mbpibm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Qlggjlep.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dkmncl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Honiikpa.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lefikg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pmmcfi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Migdig32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fgjkmijh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lonlkcho.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ppdfimji.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Edhpaa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gbnenk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hhadgakg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ddnfql32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ecnpdnho.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Djlbkcfn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jdmjfe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Doqkpl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hgckoofa.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pildgl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ohmalgeb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Biiiempl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pjmjdnop.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ajjinaco.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bggjjlnb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Epqgopbi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ihnjmf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jjfmem32.exe -
Executes dropped EXE 64 IoCs
pid Process 2760 Jjlmkb32.exe 2732 Jcdadhjb.exe 2508 Jjnjqb32.exe 2528 Kiecgo32.exe 3028 Kihpmnbb.exe 2848 Kcmdjgbh.exe 2932 Kijmbnpo.exe 2148 Lonlkcho.exe 1136 Lmcilp32.exe 2724 Ldpnoj32.exe 524 Mpkhoj32.exe 1196 Mlahdkjc.exe 2340 Maanab32.exe 1916 Ncgcdi32.exe 2228 Nladco32.exe 692 Nldahn32.exe 2176 Omfnnnhj.exe 1984 Ogbldk32.exe 1072 Oqkpmaif.exe 2452 Okpdjjil.exe 1780 Oqmmbqgd.exe 1888 Omcngamh.exe 860 Ppdfimji.exe 2708 Pjjkfe32.exe 344 Pjlgle32.exe 2740 Piadma32.exe 1832 Plbmom32.exe 2608 Qaofgc32.exe 3024 Qncfphff.exe 1492 Qlggjlep.exe 1140 Anhpkg32.exe 236 Apilcoho.exe 2400 Aicmadmm.exe 2828 Bklpjlmc.exe 2324 Bhpqcpkm.exe 2132 Bhbmip32.exe 2108 Bnofaf32.exe 2092 Bggjjlnb.exe 2768 Chggdoee.exe 2084 Caokmd32.exe 1064 Cjjpag32.exe 1540 Cfaqfh32.exe 2356 Cojeomee.exe 1480 Coladm32.exe 2272 Dkbbinig.exe 2440 Dbmkfh32.exe 1736 Doqkpl32.exe 2028 Dkgldm32.exe 1700 Dqddmd32.exe 2752 Dnhefh32.exe 2916 Dgqion32.exe 2552 Dqinhcoc.exe 2184 Eqkjmcmq.exe 1596 Eifobe32.exe 1056 Epqgopbi.exe 1324 Ejfllhao.exe 444 Ecnpdnho.exe 2380 Elieipej.exe 2076 Einebddd.exe 1764 Faijggao.exe 2280 Fhbbcail.exe 1692 Fbhfajia.exe 1632 Fjckelfm.exe 944 Fdlpnamm.exe -
Loads dropped DLL 64 IoCs
pid Process 1980 d3034d9388b8b5d766867d8904027490N.exe 1980 d3034d9388b8b5d766867d8904027490N.exe 2760 Jjlmkb32.exe 2760 Jjlmkb32.exe 2732 Jcdadhjb.exe 2732 Jcdadhjb.exe 2508 Jjnjqb32.exe 2508 Jjnjqb32.exe 2528 Kiecgo32.exe 2528 Kiecgo32.exe 3028 Kihpmnbb.exe 3028 Kihpmnbb.exe 2848 Kcmdjgbh.exe 2848 Kcmdjgbh.exe 2932 Kijmbnpo.exe 2932 Kijmbnpo.exe 2148 Lonlkcho.exe 2148 Lonlkcho.exe 1136 Lmcilp32.exe 1136 Lmcilp32.exe 2724 Ldpnoj32.exe 2724 Ldpnoj32.exe 524 Mpkhoj32.exe 524 Mpkhoj32.exe 1196 Mlahdkjc.exe 1196 Mlahdkjc.exe 2340 Maanab32.exe 2340 Maanab32.exe 1916 Ncgcdi32.exe 1916 Ncgcdi32.exe 2228 Nladco32.exe 2228 Nladco32.exe 692 Nldahn32.exe 692 Nldahn32.exe 2176 Omfnnnhj.exe 2176 Omfnnnhj.exe 1984 Ogbldk32.exe 1984 Ogbldk32.exe 1072 Oqkpmaif.exe 1072 Oqkpmaif.exe 2452 Okpdjjil.exe 2452 Okpdjjil.exe 1780 Oqmmbqgd.exe 1780 Oqmmbqgd.exe 1888 Omcngamh.exe 1888 Omcngamh.exe 860 Ppdfimji.exe 860 Ppdfimji.exe 2708 Pjjkfe32.exe 2708 Pjjkfe32.exe 344 Pjlgle32.exe 344 Pjlgle32.exe 2740 Piadma32.exe 2740 Piadma32.exe 1832 Plbmom32.exe 1832 Plbmom32.exe 2608 Qaofgc32.exe 2608 Qaofgc32.exe 3024 Qncfphff.exe 3024 Qncfphff.exe 1492 Qlggjlep.exe 1492 Qlggjlep.exe 1140 Anhpkg32.exe 1140 Anhpkg32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Lnkmkbpj.dll Nipefmkb.exe File created C:\Windows\SysWOW64\Qnalcqpm.exe Qidckjae.exe File opened for modification C:\Windows\SysWOW64\Bojkib32.exe Bafkookd.exe File created C:\Windows\SysWOW64\Gegknghg.dll Bhelghol.exe File opened for modification C:\Windows\SysWOW64\Lelljepm.exe Lckpbm32.exe File opened for modification C:\Windows\SysWOW64\Fbhfajia.exe Fhbbcail.exe File created C:\Windows\SysWOW64\Ifdhgj32.dll Ebnmpemq.exe File opened for modification C:\Windows\SysWOW64\Mbdfni32.exe Mgoaap32.exe File opened for modification C:\Windows\SysWOW64\Mmemoe32.exe Mbpibm32.exe File created C:\Windows\SysWOW64\Gnkqpnqp.dll Nknnnoph.exe File created C:\Windows\SysWOW64\Hmfmoo32.dll Iboghh32.exe File created C:\Windows\SysWOW64\Fpdopknp.dll Ilmlfcel.exe File created C:\Windows\SysWOW64\Bneancnc.exe Biiiempl.exe File created C:\Windows\SysWOW64\Piadma32.exe Pjlgle32.exe File created C:\Windows\SysWOW64\Dkgldm32.exe Doqkpl32.exe File created C:\Windows\SysWOW64\Dnhefh32.exe Dqddmd32.exe File created C:\Windows\SysWOW64\Kdgfnh32.dll Aphehidc.exe File created C:\Windows\SysWOW64\Ecbfmm32.exe Emhnqbjo.exe File opened for modification C:\Windows\SysWOW64\Cbajme32.exe Ckfeic32.exe File created C:\Windows\SysWOW64\Nladco32.exe Ncgcdi32.exe File created C:\Windows\SysWOW64\Hmdkip32.dll Dgqion32.exe File opened for modification C:\Windows\SysWOW64\Qjgcecja.exe Qpaohjkk.exe File opened for modification C:\Windows\SysWOW64\Kmfklepl.exe Kobkbaac.exe File opened for modification C:\Windows\SysWOW64\Lmckeidj.exe Lehfafgp.exe File created C:\Windows\SysWOW64\Fohphgce.exe Ejfnda32.exe File created C:\Windows\SysWOW64\Icipkhcj.dll Lelljepm.exe File opened for modification C:\Windows\SysWOW64\Piadma32.exe Pjlgle32.exe File opened for modification C:\Windows\SysWOW64\Ihnjmf32.exe Ikjjda32.exe File created C:\Windows\SysWOW64\Emokgnoa.dll Liibgkoo.exe File opened for modification C:\Windows\SysWOW64\Pkfghh32.exe Ojdjqp32.exe File created C:\Windows\SysWOW64\Ahfgbkpl.exe Abinjdad.exe File created C:\Windows\SysWOW64\Oggghc32.exe Onocon32.exe File opened for modification C:\Windows\SysWOW64\Lmcilp32.exe Lonlkcho.exe File created C:\Windows\SysWOW64\Jmhdkakc.dll Cojeomee.exe File created C:\Windows\SysWOW64\Epqgopbi.exe Eifobe32.exe File opened for modification C:\Windows\SysWOW64\Igpdnlgd.exe Iilceh32.exe File created C:\Windows\SysWOW64\Jjnlikic.exe Jdadadkl.exe File opened for modification C:\Windows\SysWOW64\Jjfmem32.exe Jdidmf32.exe File created C:\Windows\SysWOW64\Ladgkmlj.exe Liibgkoo.exe File opened for modification C:\Windows\SysWOW64\Pnimpcke.exe Pildgl32.exe File created C:\Windows\SysWOW64\Kglgpo32.dll Fqffgapf.exe File created C:\Windows\SysWOW64\Gofbagcb.dll Nldahn32.exe File created C:\Windows\SysWOW64\Egihcl32.exe Enpdjfgj.exe File created C:\Windows\SysWOW64\Pdndggcl.exe Pjhpin32.exe File created C:\Windows\SysWOW64\Fdnpephg.dll Ckfeic32.exe File created C:\Windows\SysWOW64\Lcffgnnc.exe Kgoebmip.exe File created C:\Windows\SysWOW64\Epdcmhdd.dll Lcedne32.exe File created C:\Windows\SysWOW64\Heknhioh.dll Ndgbgefh.exe File created C:\Windows\SysWOW64\Hfdmhh32.exe Hagepa32.exe File opened for modification C:\Windows\SysWOW64\Docjne32.exe Ddnfql32.exe File created C:\Windows\SysWOW64\Cebedebg.dll Gbdlnf32.exe File opened for modification C:\Windows\SysWOW64\Okkddd32.exe Ogmkne32.exe File opened for modification C:\Windows\SysWOW64\Idokma32.exe Igkjcm32.exe File opened for modification C:\Windows\SysWOW64\Jobocn32.exe Jdmjfe32.exe File created C:\Windows\SysWOW64\Nknnnoph.exe Nmjmekan.exe File created C:\Windows\SysWOW64\Chilje32.dll Pjhpin32.exe File created C:\Windows\SysWOW64\Dofnnkfg.exe Dfniee32.exe File created C:\Windows\SysWOW64\Gfgdij32.exe Gajlac32.exe File created C:\Windows\SysWOW64\Hpomlhqo.dll Bakdjn32.exe File created C:\Windows\SysWOW64\Ohebjg32.dll Enpdjfgj.exe File created C:\Windows\SysWOW64\Iopeoknn.exe Hhfmbq32.exe File created C:\Windows\SysWOW64\Kphipide.dll Defljp32.exe File created C:\Windows\SysWOW64\Cdokfc32.dll Ogbldk32.exe File opened for modification C:\Windows\SysWOW64\Dqddmd32.exe Dkgldm32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 4560 4528 WerFault.exe 397 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Faijggao.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Knaeeo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fbipdi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hhfmbq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dhgelk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Apilcoho.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ilemce32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kfacdqhf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lpanne32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ccpqjfnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gpjilj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oiljcj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bggjjlnb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pjjkfe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cjjpag32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ikjjda32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kihbfg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mbopon32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fclbgj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lmqgec32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language d3034d9388b8b5d766867d8904027490N.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aiqjao32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gbnenk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gihnkejd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pcgkcccn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jbijcgbc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oingii32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iojopp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hgckoofa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mdlfngcc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lgbibb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iebmpcjc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jdlclo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Anhpkg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nldahn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Okkddd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cimooo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lenioenj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Opcejd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jjnjqb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ahfgbkpl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fqffgapf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qidckjae.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Geddoa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ghgjflof.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mmngof32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jcoanb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Coladm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Liibgkoo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Malmllfb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Blobmm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ecbfmm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fbniohpl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gdmbhnjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qlggjlep.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kckjmpko.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pjhpin32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dnhgoa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jhfjadim.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Enpdjfgj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kkfhglen.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bldpiifb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dfniee32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Honiikpa.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mfdgjene.dll" Maanab32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Apilcoho.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ljkaejba.dll" Bfbjdf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jclnnmic.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nldeka32.dll" Fhbbcail.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hoipnl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pmmcfi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dhgelk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Nladco32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Coladm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Khcbpa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jinqgg32.dll" Fdgefn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pbcfhi32.dll" Lidilk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kmfklepl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Onocon32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kekjepjd.dll" Dnhgoa32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Omfnnnhj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffdiiopj.dll" Fdlpnamm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jakjjcnd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Qaofgc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Afndjdpe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Iojopp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bikfklni.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Epqgopbi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Leaohdkk.dll" Gedbfimc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bcbonine.dll" Gfdhck32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Iboghh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hpnlndkp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Lidilk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgmjbn32.dll" Hpoofm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kijmbnpo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Cjjpag32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Eqkjmcmq.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Gbmlkl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkhmod32.dll" Kiecgo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jcoanb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Oddbqhkf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aodkcd32.dll" Pjmjdnop.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Oggghc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fdgefn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ppicjm32.dll" Migdig32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Oheppe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jacgio32.dll" Dqinhcoc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fmddgg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Dkmghe32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ejfnda32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbeede32.dll" Mpkhoj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mffkgl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Oqmmbqgd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Plbmom32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bbikig32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jnlepioj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jdadadkl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jbijcgbc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Lbkchj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Habkeacd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmggpigb.dll" Kgoebmip.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnjkec32.dll" Naimepkp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pioamlkk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ccpqjfnh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pmiikipg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ekfaij32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Agacff32.dll" Poibmdmh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kafano32.dll" Iaaekl32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1980 wrote to memory of 2760 1980 d3034d9388b8b5d766867d8904027490N.exe 30 PID 1980 wrote to memory of 2760 1980 d3034d9388b8b5d766867d8904027490N.exe 30 PID 1980 wrote to memory of 2760 1980 d3034d9388b8b5d766867d8904027490N.exe 30 PID 1980 wrote to memory of 2760 1980 d3034d9388b8b5d766867d8904027490N.exe 30 PID 2760 wrote to memory of 2732 2760 Jjlmkb32.exe 31 PID 2760 wrote to memory of 2732 2760 Jjlmkb32.exe 31 PID 2760 wrote to memory of 2732 2760 Jjlmkb32.exe 31 PID 2760 wrote to memory of 2732 2760 Jjlmkb32.exe 31 PID 2732 wrote to memory of 2508 2732 Jcdadhjb.exe 32 PID 2732 wrote to memory of 2508 2732 Jcdadhjb.exe 32 PID 2732 wrote to memory of 2508 2732 Jcdadhjb.exe 32 PID 2732 wrote to memory of 2508 2732 Jcdadhjb.exe 32 PID 2508 wrote to memory of 2528 2508 Jjnjqb32.exe 33 PID 2508 wrote to memory of 2528 2508 Jjnjqb32.exe 33 PID 2508 wrote to memory of 2528 2508 Jjnjqb32.exe 33 PID 2508 wrote to memory of 2528 2508 Jjnjqb32.exe 33 PID 2528 wrote to memory of 3028 2528 Kiecgo32.exe 34 PID 2528 wrote to memory of 3028 2528 Kiecgo32.exe 34 PID 2528 wrote to memory of 3028 2528 Kiecgo32.exe 34 PID 2528 wrote to memory of 3028 2528 Kiecgo32.exe 34 PID 3028 wrote to memory of 2848 3028 Kihpmnbb.exe 35 PID 3028 wrote to memory of 2848 3028 Kihpmnbb.exe 35 PID 3028 wrote to memory of 2848 3028 Kihpmnbb.exe 35 PID 3028 wrote to memory of 2848 3028 Kihpmnbb.exe 35 PID 2848 wrote to memory of 2932 2848 Kcmdjgbh.exe 36 PID 2848 wrote to memory of 2932 2848 Kcmdjgbh.exe 36 PID 2848 wrote to memory of 2932 2848 Kcmdjgbh.exe 36 PID 2848 wrote to memory of 2932 2848 Kcmdjgbh.exe 36 PID 2932 wrote to memory of 2148 2932 Kijmbnpo.exe 37 PID 2932 wrote to memory of 2148 2932 Kijmbnpo.exe 37 PID 2932 wrote to memory of 2148 2932 Kijmbnpo.exe 37 PID 2932 wrote to memory of 2148 2932 Kijmbnpo.exe 37 PID 2148 wrote to memory of 1136 2148 Lonlkcho.exe 38 PID 2148 wrote to memory of 1136 2148 Lonlkcho.exe 38 PID 2148 wrote to memory of 1136 2148 Lonlkcho.exe 38 PID 2148 wrote to memory of 1136 2148 Lonlkcho.exe 38 PID 1136 wrote to memory of 2724 1136 Lmcilp32.exe 39 PID 1136 wrote to memory of 2724 1136 Lmcilp32.exe 39 PID 1136 wrote to memory of 2724 1136 Lmcilp32.exe 39 PID 1136 wrote to memory of 2724 1136 Lmcilp32.exe 39 PID 2724 wrote to memory of 524 2724 Ldpnoj32.exe 40 PID 2724 wrote to memory of 524 2724 Ldpnoj32.exe 40 PID 2724 wrote to memory of 524 2724 Ldpnoj32.exe 40 PID 2724 wrote to memory of 524 2724 Ldpnoj32.exe 40 PID 524 wrote to memory of 1196 524 Mpkhoj32.exe 41 PID 524 wrote to memory of 1196 524 Mpkhoj32.exe 41 PID 524 wrote to memory of 1196 524 Mpkhoj32.exe 41 PID 524 wrote to memory of 1196 524 Mpkhoj32.exe 41 PID 1196 wrote to memory of 2340 1196 Mlahdkjc.exe 42 PID 1196 wrote to memory of 2340 1196 Mlahdkjc.exe 42 PID 1196 wrote to memory of 2340 1196 Mlahdkjc.exe 42 PID 1196 wrote to memory of 2340 1196 Mlahdkjc.exe 42 PID 2340 wrote to memory of 1916 2340 Maanab32.exe 43 PID 2340 wrote to memory of 1916 2340 Maanab32.exe 43 PID 2340 wrote to memory of 1916 2340 Maanab32.exe 43 PID 2340 wrote to memory of 1916 2340 Maanab32.exe 43 PID 1916 wrote to memory of 2228 1916 Ncgcdi32.exe 44 PID 1916 wrote to memory of 2228 1916 Ncgcdi32.exe 44 PID 1916 wrote to memory of 2228 1916 Ncgcdi32.exe 44 PID 1916 wrote to memory of 2228 1916 Ncgcdi32.exe 44 PID 2228 wrote to memory of 692 2228 Nladco32.exe 45 PID 2228 wrote to memory of 692 2228 Nladco32.exe 45 PID 2228 wrote to memory of 692 2228 Nladco32.exe 45 PID 2228 wrote to memory of 692 2228 Nladco32.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\d3034d9388b8b5d766867d8904027490N.exe"C:\Users\Admin\AppData\Local\Temp\d3034d9388b8b5d766867d8904027490N.exe"1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1980 -
C:\Windows\SysWOW64\Jjlmkb32.exeC:\Windows\system32\Jjlmkb32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2760 -
C:\Windows\SysWOW64\Jcdadhjb.exeC:\Windows\system32\Jcdadhjb.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2732 -
C:\Windows\SysWOW64\Jjnjqb32.exeC:\Windows\system32\Jjnjqb32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2508 -
C:\Windows\SysWOW64\Kiecgo32.exeC:\Windows\system32\Kiecgo32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2528 -
C:\Windows\SysWOW64\Kihpmnbb.exeC:\Windows\system32\Kihpmnbb.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3028 -
C:\Windows\SysWOW64\Kcmdjgbh.exeC:\Windows\system32\Kcmdjgbh.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2848 -
C:\Windows\SysWOW64\Kijmbnpo.exeC:\Windows\system32\Kijmbnpo.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2932 -
C:\Windows\SysWOW64\Lonlkcho.exeC:\Windows\system32\Lonlkcho.exe9⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2148 -
C:\Windows\SysWOW64\Lmcilp32.exeC:\Windows\system32\Lmcilp32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1136 -
C:\Windows\SysWOW64\Ldpnoj32.exeC:\Windows\system32\Ldpnoj32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2724 -
C:\Windows\SysWOW64\Mpkhoj32.exeC:\Windows\system32\Mpkhoj32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:524 -
C:\Windows\SysWOW64\Mlahdkjc.exeC:\Windows\system32\Mlahdkjc.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1196 -
C:\Windows\SysWOW64\Maanab32.exeC:\Windows\system32\Maanab32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2340 -
C:\Windows\SysWOW64\Ncgcdi32.exeC:\Windows\system32\Ncgcdi32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1916 -
C:\Windows\SysWOW64\Nladco32.exeC:\Windows\system32\Nladco32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2228 -
C:\Windows\SysWOW64\Nldahn32.exeC:\Windows\system32\Nldahn32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:692 -
C:\Windows\SysWOW64\Omfnnnhj.exeC:\Windows\system32\Omfnnnhj.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2176 -
C:\Windows\SysWOW64\Ogbldk32.exeC:\Windows\system32\Ogbldk32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1984 -
C:\Windows\SysWOW64\Oqkpmaif.exeC:\Windows\system32\Oqkpmaif.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1072 -
C:\Windows\SysWOW64\Okpdjjil.exeC:\Windows\system32\Okpdjjil.exe21⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2452 -
C:\Windows\SysWOW64\Oqmmbqgd.exeC:\Windows\system32\Oqmmbqgd.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1780 -
C:\Windows\SysWOW64\Omcngamh.exeC:\Windows\system32\Omcngamh.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1888 -
C:\Windows\SysWOW64\Ppdfimji.exeC:\Windows\system32\Ppdfimji.exe24⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:860 -
C:\Windows\SysWOW64\Pjjkfe32.exeC:\Windows\system32\Pjjkfe32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2708 -
C:\Windows\SysWOW64\Pjlgle32.exeC:\Windows\system32\Pjlgle32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:344 -
C:\Windows\SysWOW64\Piadma32.exeC:\Windows\system32\Piadma32.exe27⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2740 -
C:\Windows\SysWOW64\Plbmom32.exeC:\Windows\system32\Plbmom32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1832 -
C:\Windows\SysWOW64\Qaofgc32.exeC:\Windows\system32\Qaofgc32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2608 -
C:\Windows\SysWOW64\Qncfphff.exeC:\Windows\system32\Qncfphff.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3024 -
C:\Windows\SysWOW64\Qlggjlep.exeC:\Windows\system32\Qlggjlep.exe31⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1492 -
C:\Windows\SysWOW64\Anhpkg32.exeC:\Windows\system32\Anhpkg32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1140 -
C:\Windows\SysWOW64\Apilcoho.exeC:\Windows\system32\Apilcoho.exe33⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:236 -
C:\Windows\SysWOW64\Aicmadmm.exeC:\Windows\system32\Aicmadmm.exe34⤵
- Executes dropped EXE
PID:2400 -
C:\Windows\SysWOW64\Bklpjlmc.exeC:\Windows\system32\Bklpjlmc.exe35⤵
- Executes dropped EXE
PID:2828 -
C:\Windows\SysWOW64\Bhpqcpkm.exeC:\Windows\system32\Bhpqcpkm.exe36⤵
- Executes dropped EXE
PID:2324 -
C:\Windows\SysWOW64\Bhbmip32.exeC:\Windows\system32\Bhbmip32.exe37⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2132 -
C:\Windows\SysWOW64\Bnofaf32.exeC:\Windows\system32\Bnofaf32.exe38⤵
- Executes dropped EXE
PID:2108 -
C:\Windows\SysWOW64\Bggjjlnb.exeC:\Windows\system32\Bggjjlnb.exe39⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2092 -
C:\Windows\SysWOW64\Chggdoee.exeC:\Windows\system32\Chggdoee.exe40⤵
- Executes dropped EXE
PID:2768 -
C:\Windows\SysWOW64\Caokmd32.exeC:\Windows\system32\Caokmd32.exe41⤵
- Executes dropped EXE
PID:2084 -
C:\Windows\SysWOW64\Cjjpag32.exeC:\Windows\system32\Cjjpag32.exe42⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1064 -
C:\Windows\SysWOW64\Cfaqfh32.exeC:\Windows\system32\Cfaqfh32.exe43⤵
- Executes dropped EXE
PID:1540 -
C:\Windows\SysWOW64\Cojeomee.exeC:\Windows\system32\Cojeomee.exe44⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2356 -
C:\Windows\SysWOW64\Coladm32.exeC:\Windows\system32\Coladm32.exe45⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1480 -
C:\Windows\SysWOW64\Dkbbinig.exeC:\Windows\system32\Dkbbinig.exe46⤵
- Executes dropped EXE
PID:2272 -
C:\Windows\SysWOW64\Dbmkfh32.exeC:\Windows\system32\Dbmkfh32.exe47⤵
- Executes dropped EXE
PID:2440 -
C:\Windows\SysWOW64\Doqkpl32.exeC:\Windows\system32\Doqkpl32.exe48⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:1736 -
C:\Windows\SysWOW64\Dkgldm32.exeC:\Windows\system32\Dkgldm32.exe49⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2028 -
C:\Windows\SysWOW64\Dqddmd32.exeC:\Windows\system32\Dqddmd32.exe50⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1700 -
C:\Windows\SysWOW64\Dnhefh32.exeC:\Windows\system32\Dnhefh32.exe51⤵
- Executes dropped EXE
PID:2752 -
C:\Windows\SysWOW64\Dgqion32.exeC:\Windows\system32\Dgqion32.exe52⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2916 -
C:\Windows\SysWOW64\Dqinhcoc.exeC:\Windows\system32\Dqinhcoc.exe53⤵
- Executes dropped EXE
- Modifies registry class
PID:2552 -
C:\Windows\SysWOW64\Eqkjmcmq.exeC:\Windows\system32\Eqkjmcmq.exe54⤵
- Executes dropped EXE
- Modifies registry class
PID:2184 -
C:\Windows\SysWOW64\Eifobe32.exeC:\Windows\system32\Eifobe32.exe55⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1596 -
C:\Windows\SysWOW64\Epqgopbi.exeC:\Windows\system32\Epqgopbi.exe56⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:1056 -
C:\Windows\SysWOW64\Ejfllhao.exeC:\Windows\system32\Ejfllhao.exe57⤵
- Executes dropped EXE
PID:1324 -
C:\Windows\SysWOW64\Ecnpdnho.exeC:\Windows\system32\Ecnpdnho.exe58⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:444 -
C:\Windows\SysWOW64\Elieipej.exeC:\Windows\system32\Elieipej.exe59⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2380 -
C:\Windows\SysWOW64\Einebddd.exeC:\Windows\system32\Einebddd.exe60⤵
- Executes dropped EXE
PID:2076 -
C:\Windows\SysWOW64\Faijggao.exeC:\Windows\system32\Faijggao.exe61⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1764 -
C:\Windows\SysWOW64\Fhbbcail.exeC:\Windows\system32\Fhbbcail.exe62⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2280 -
C:\Windows\SysWOW64\Fbhfajia.exeC:\Windows\system32\Fbhfajia.exe63⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1692 -
C:\Windows\SysWOW64\Fjckelfm.exeC:\Windows\system32\Fjckelfm.exe64⤵
- Executes dropped EXE
PID:1632 -
C:\Windows\SysWOW64\Fdlpnamm.exeC:\Windows\system32\Fdlpnamm.exe65⤵
- Executes dropped EXE
- Modifies registry class
PID:944 -
C:\Windows\SysWOW64\Fmddgg32.exeC:\Windows\system32\Fmddgg32.exe66⤵
- Modifies registry class
PID:2572 -
C:\Windows\SysWOW64\Fhjhdp32.exeC:\Windows\system32\Fhjhdp32.exe67⤵PID:1556
-
C:\Windows\SysWOW64\Fpemhb32.exeC:\Windows\system32\Fpemhb32.exe68⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:600 -
C:\Windows\SysWOW64\Gimaah32.exeC:\Windows\system32\Gimaah32.exe69⤵PID:1912
-
C:\Windows\SysWOW64\Gdcfoq32.exeC:\Windows\system32\Gdcfoq32.exe70⤵PID:1012
-
C:\Windows\SysWOW64\Gedbfimc.exeC:\Windows\system32\Gedbfimc.exe71⤵
- Modifies registry class
PID:2372 -
C:\Windows\SysWOW64\Gbhcpmkm.exeC:\Windows\system32\Gbhcpmkm.exe72⤵PID:2644
-
C:\Windows\SysWOW64\Ghekhd32.exeC:\Windows\system32\Ghekhd32.exe73⤵PID:2284
-
C:\Windows\SysWOW64\Gampaipe.exeC:\Windows\system32\Gampaipe.exe74⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2484 -
C:\Windows\SysWOW64\Gbmlkl32.exeC:\Windows\system32\Gbmlkl32.exe75⤵
- Modifies registry class
PID:3032 -
C:\Windows\SysWOW64\Hocmpm32.exeC:\Windows\system32\Hocmpm32.exe76⤵PID:1612
-
C:\Windows\SysWOW64\Hememgdi.exeC:\Windows\system32\Hememgdi.exe77⤵PID:2684
-
C:\Windows\SysWOW64\Hgoadp32.exeC:\Windows\system32\Hgoadp32.exe78⤵PID:2548
-
C:\Windows\SysWOW64\Hhnnnbaj.exeC:\Windows\system32\Hhnnnbaj.exe79⤵PID:2392
-
C:\Windows\SysWOW64\Hkmjjn32.exeC:\Windows\system32\Hkmjjn32.exe80⤵PID:2136
-
C:\Windows\SysWOW64\Hgckoofa.exeC:\Windows\system32\Hgckoofa.exe81⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:332 -
C:\Windows\SysWOW64\Hgfheodo.exeC:\Windows\system32\Hgfheodo.exe82⤵PID:2328
-
C:\Windows\SysWOW64\Hpnlndkp.exeC:\Windows\system32\Hpnlndkp.exe83⤵
- Modifies registry class
PID:1840 -
C:\Windows\SysWOW64\Ilemce32.exeC:\Windows\system32\Ilemce32.exe84⤵
- System Location Discovery: System Language Discovery
PID:2780 -
C:\Windows\SysWOW64\Iaaekl32.exeC:\Windows\system32\Iaaekl32.exe85⤵
- Modifies registry class
PID:1976 -
C:\Windows\SysWOW64\Ikjjda32.exeC:\Windows\system32\Ikjjda32.exe86⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1836 -
C:\Windows\SysWOW64\Ihnjmf32.exeC:\Windows\system32\Ihnjmf32.exe87⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2232 -
C:\Windows\SysWOW64\Idekbgji.exeC:\Windows\system32\Idekbgji.exe88⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2424 -
C:\Windows\SysWOW64\Iojopp32.exeC:\Windows\system32\Iojopp32.exe89⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:916 -
C:\Windows\SysWOW64\Idghhf32.exeC:\Windows\system32\Idghhf32.exe90⤵PID:1600
-
C:\Windows\SysWOW64\Jdidmf32.exeC:\Windows\system32\Jdidmf32.exe91⤵
- Drops file in System32 directory
PID:2992 -
C:\Windows\SysWOW64\Jjfmem32.exeC:\Windows\system32\Jjfmem32.exe92⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2512 -
C:\Windows\SysWOW64\Jcoanb32.exeC:\Windows\system32\Jcoanb32.exe93⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2716 -
C:\Windows\SysWOW64\Jndflk32.exeC:\Windows\system32\Jndflk32.exe94⤵PID:2468
-
C:\Windows\SysWOW64\Joebccpp.exeC:\Windows\system32\Joebccpp.exe95⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2784 -
C:\Windows\SysWOW64\Jmibmhoj.exeC:\Windows\system32\Jmibmhoj.exe96⤵PID:2388
-
C:\Windows\SysWOW64\Knaeeo32.exeC:\Windows\system32\Knaeeo32.exe97⤵
- System Location Discovery: System Language Discovery
PID:1904 -
C:\Windows\SysWOW64\Kbpnkm32.exeC:\Windows\system32\Kbpnkm32.exe98⤵PID:2128
-
C:\Windows\SysWOW64\Kfacdqhf.exeC:\Windows\system32\Kfacdqhf.exe99⤵
- System Location Discovery: System Language Discovery
PID:1792 -
C:\Windows\SysWOW64\Lcedne32.exeC:\Windows\system32\Lcedne32.exe100⤵
- Drops file in System32 directory
PID:884 -
C:\Windows\SysWOW64\Ljplkonl.exeC:\Windows\system32\Ljplkonl.exe101⤵PID:876
-
C:\Windows\SysWOW64\Lidilk32.exeC:\Windows\system32\Lidilk32.exe102⤵
- Modifies registry class
PID:2180 -
C:\Windows\SysWOW64\Lbmnea32.exeC:\Windows\system32\Lbmnea32.exe103⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2244 -
C:\Windows\SysWOW64\Lpanne32.exeC:\Windows\system32\Lpanne32.exe104⤵
- System Location Discovery: System Language Discovery
PID:940 -
C:\Windows\SysWOW64\Liibgkoo.exeC:\Windows\system32\Liibgkoo.exe105⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2620 -
C:\Windows\SysWOW64\Ladgkmlj.exeC:\Windows\system32\Ladgkmlj.exe106⤵PID:2648
-
C:\Windows\SysWOW64\Lhoohgdg.exeC:\Windows\system32\Lhoohgdg.exe107⤵PID:1096
-
C:\Windows\SysWOW64\Magdam32.exeC:\Windows\system32\Magdam32.exe108⤵PID:2464
-
C:\Windows\SysWOW64\Mllhne32.exeC:\Windows\system32\Mllhne32.exe109⤵PID:2276
-
C:\Windows\SysWOW64\Mhcicf32.exeC:\Windows\system32\Mhcicf32.exe110⤵PID:1336
-
C:\Windows\SysWOW64\Malmllfb.exeC:\Windows\system32\Malmllfb.exe111⤵
- System Location Discovery: System Language Discovery
PID:556 -
C:\Windows\SysWOW64\Mghfdcdi.exeC:\Windows\system32\Mghfdcdi.exe112⤵PID:2032
-
C:\Windows\SysWOW64\Mdlfngcc.exeC:\Windows\system32\Mdlfngcc.exe113⤵
- System Location Discovery: System Language Discovery
PID:1176 -
C:\Windows\SysWOW64\Mlgkbi32.exeC:\Windows\system32\Mlgkbi32.exe114⤵PID:1544
-
C:\Windows\SysWOW64\Nepokogo.exeC:\Windows\system32\Nepokogo.exe115⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1528 -
C:\Windows\SysWOW64\Ncdpdcfh.exeC:\Windows\system32\Ncdpdcfh.exe116⤵PID:2044
-
C:\Windows\SysWOW64\Nhqhmj32.exeC:\Windows\system32\Nhqhmj32.exe117⤵PID:2616
-
C:\Windows\SysWOW64\Naimepkp.exeC:\Windows\system32\Naimepkp.exe118⤵
- Modifies registry class
PID:2744 -
C:\Windows\SysWOW64\Nipefmkb.exeC:\Windows\system32\Nipefmkb.exe119⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2564 -
C:\Windows\SysWOW64\Nakikpin.exeC:\Windows\system32\Nakikpin.exe120⤵PID:2472
-
C:\Windows\SysWOW64\Nlanhh32.exeC:\Windows\system32\Nlanhh32.exe121⤵PID:2936
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-