Analysis
-
max time kernel
119s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20240708-en -
resource tags
arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system -
submitted
02/09/2024, 15:35
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
b559808575a6391296d227eb4102df10N.exe
Resource
win7-20240708-en
windows7-x64
8 signatures
120 seconds
Behavioral task
behavioral2
Sample
b559808575a6391296d227eb4102df10N.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
7 signatures
120 seconds
General
-
Target
b559808575a6391296d227eb4102df10N.exe
-
Size
1.4MB
-
MD5
b559808575a6391296d227eb4102df10
-
SHA1
fccf5c8ac59a0075ac8024393452e00058582303
-
SHA256
f2b183ec919af5425d900e358247ea0c2e727878d181848a24a00f65c613f1f5
-
SHA512
912a9f0755eb3d1580fb6898c13e708feb691b076076c0cc8bf673818a17666d532a3726b6c919cc4da507b1299a75f22185ad380ffaafd0eb74d9251e85cda2
-
SSDEEP
12288:+sB3j6rCzXjOYpV6yYPbHCXwpnsKvNA+XTvZHWuEo3oWL5g:+K3j6rCzXjOYW3psKv2EvZHp3oWNg
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ejioln32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Flcojeak.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Fhjoof32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Pcpbik32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aocbokia.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Djafaf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Padjmfdg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Gncgbkki.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hkbkpcpd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jgkdigfa.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jcikog32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Meljbqna.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Cglcek32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dnhefh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Emdhhdqb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Kngekdnf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Mlahdkjc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Efmlqigc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mnpobefe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Aaklmhak.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Hoimecmb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mlmoilni.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Nggipg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pidaba32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bhpqcpkm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fdapcg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Nggipg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Emgkhj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Eldbkbop.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ajldkhjh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cjmmffgn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ebcmfj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gcmcebkc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ibibfa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Keango32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Anhpkg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Cjmmffgn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fopnpaba.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hokjkbkp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Icplje32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Idohdhbo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pcpbik32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Aoomflpd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jngilalk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lkbpke32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eddjhb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ebialmjb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hkmaed32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jijacjnc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Bdinnqon.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mdendpbg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gncgbkki.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Idohdhbo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jnifaajh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Qmenhe32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cqleifna.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ofobgc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qnqjkh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Imacijjb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ccgnelll.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Kbhbai32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lghgmg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Emgkhj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ojeakfnd.exe -
Executes dropped EXE 64 IoCs
pid Process 2692 Kmkihbho.exe 2652 Kbhbai32.exe 3040 Lghgmg32.exe 2660 Mdendpbg.exe 2172 Mnpobefe.exe 2984 Mlgiiaij.exe 1500 Mfpmbf32.exe 2636 Nghpjn32.exe 2424 Ncamen32.exe 2428 Ojpomh32.exe 1200 Offpbi32.exe 1996 Padjmfdg.exe 2324 Phobjp32.exe 2384 Qboikm32.exe 848 Qmenhe32.exe 328 Aaklmhak.exe 1392 Aoomflpd.exe 2280 Bccoeo32.exe 1812 Bkkgfm32.exe 1064 Bnlphh32.exe 1580 Bchhqo32.exe 1012 Bfiabjjm.exe 1988 Chgnneiq.exe 1868 Ckfjjqhd.exe 2700 Cfknhi32.exe 2708 Ckkcep32.exe 2744 Cqglng32.exe 2796 Chocodch.exe 3064 Cnnimkom.exe 1260 Cqleifna.exe 2996 Dcjaeamd.exe 2936 Dcmnja32.exe 2900 Djgfgkbo.exe 2616 Dmebcgbb.exe 600 Dbbklnpj.exe 596 Dmgoif32.exe 2328 Dbdham32.exe 2136 Dphhka32.exe 2368 Dfbqgldn.exe 980 Diqmcgca.exe 1068 Ebialmjb.exe 920 Eegmhhie.exe 2252 Ejdfqogm.exe 1952 Eldbkbop.exe 1636 Emeobj32.exe 1472 Ecogodlk.exe 2388 Ejioln32.exe 2392 Emgkhj32.exe 2508 Eacghhkd.exe 2840 Efppqoil.exe 2680 Ephdjeol.exe 1760 Fmlecinf.exe 2544 Floeof32.exe 1460 Ficehj32.exe 1560 Fopnpaba.exe 2912 Fiebnjbg.exe 2908 Flcojeak.exe 1256 Felcbk32.exe 1964 Fhjoof32.exe 2332 Fodgkp32.exe 1936 Fdapcg32.exe 2168 Flhhed32.exe 2232 Geqlnjcf.exe 1816 Gmlablaa.exe -
Loads dropped DLL 64 IoCs
pid Process 2640 b559808575a6391296d227eb4102df10N.exe 2640 b559808575a6391296d227eb4102df10N.exe 2692 Kmkihbho.exe 2692 Kmkihbho.exe 2652 Kbhbai32.exe 2652 Kbhbai32.exe 3040 Lghgmg32.exe 3040 Lghgmg32.exe 2660 Mdendpbg.exe 2660 Mdendpbg.exe 2172 Mnpobefe.exe 2172 Mnpobefe.exe 2984 Mlgiiaij.exe 2984 Mlgiiaij.exe 1500 Mfpmbf32.exe 1500 Mfpmbf32.exe 2636 Nghpjn32.exe 2636 Nghpjn32.exe 2424 Ncamen32.exe 2424 Ncamen32.exe 2428 Ojpomh32.exe 2428 Ojpomh32.exe 1200 Offpbi32.exe 1200 Offpbi32.exe 1996 Padjmfdg.exe 1996 Padjmfdg.exe 2324 Phobjp32.exe 2324 Phobjp32.exe 2384 Qboikm32.exe 2384 Qboikm32.exe 848 Qmenhe32.exe 848 Qmenhe32.exe 328 Aaklmhak.exe 328 Aaklmhak.exe 1392 Aoomflpd.exe 1392 Aoomflpd.exe 2280 Bccoeo32.exe 2280 Bccoeo32.exe 1812 Bkkgfm32.exe 1812 Bkkgfm32.exe 1064 Bnlphh32.exe 1064 Bnlphh32.exe 1580 Bchhqo32.exe 1580 Bchhqo32.exe 1012 Bfiabjjm.exe 1012 Bfiabjjm.exe 1988 Chgnneiq.exe 1988 Chgnneiq.exe 1868 Ckfjjqhd.exe 1868 Ckfjjqhd.exe 2700 Cfknhi32.exe 2700 Cfknhi32.exe 2708 Ckkcep32.exe 2708 Ckkcep32.exe 2744 Cqglng32.exe 2744 Cqglng32.exe 2796 Chocodch.exe 2796 Chocodch.exe 3064 Cnnimkom.exe 3064 Cnnimkom.exe 1260 Cqleifna.exe 1260 Cqleifna.exe 2996 Dcjaeamd.exe 2996 Dcjaeamd.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Mfeilp32.dll Keango32.exe File opened for modification C:\Windows\SysWOW64\Idohdhbo.exe Ijidfpci.exe File created C:\Windows\SysWOW64\Cekfoolj.dll Dmebcgbb.exe File created C:\Windows\SysWOW64\Ndmomfda.dll Ejioln32.exe File created C:\Windows\SysWOW64\Fdapcg32.exe Fodgkp32.exe File created C:\Windows\SysWOW64\Jifaeqgo.dll Iqfiii32.exe File created C:\Windows\SysWOW64\Igkdaemk.dll Cglcek32.exe File created C:\Windows\SysWOW64\Cqleifna.exe Cnnimkom.exe File opened for modification C:\Windows\SysWOW64\Ijidfpci.exe Icplje32.exe File opened for modification C:\Windows\SysWOW64\Qaablcej.exe Qhincn32.exe File created C:\Windows\SysWOW64\Gmlablaa.exe Geqlnjcf.exe File created C:\Windows\SysWOW64\Gdhfdffl.exe Ghaeoe32.exe File opened for modification C:\Windows\SysWOW64\Npfjbn32.exe Mdojnm32.exe File created C:\Windows\SysWOW64\Abnopj32.exe Aocbokia.exe File created C:\Windows\SysWOW64\Kecfmlgq.dll Cceapl32.exe File opened for modification C:\Windows\SysWOW64\Djafaf32.exe Ccgnelll.exe File opened for modification C:\Windows\SysWOW64\Emdhhdqb.exe Eiilge32.exe File created C:\Windows\SysWOW64\Ppgeni32.dll Fiebnjbg.exe File created C:\Windows\SysWOW64\Emeobj32.exe Eldbkbop.exe File opened for modification C:\Windows\SysWOW64\Nldahn32.exe Nggipg32.exe File created C:\Windows\SysWOW64\Chocodch.exe Cqglng32.exe File created C:\Windows\SysWOW64\Gpjmnh32.exe Gmlablaa.exe File opened for modification C:\Windows\SysWOW64\Oqkpmaif.exe Obhpad32.exe File created C:\Windows\SysWOW64\Lldpji32.dll Pfnoegaf.exe File opened for modification C:\Windows\SysWOW64\Ephdjeol.exe Efppqoil.exe File created C:\Windows\SysWOW64\Jbnlaqhi.exe Imacijjb.exe File created C:\Windows\SysWOW64\Jcikog32.exe Jjpgfbom.exe File opened for modification C:\Windows\SysWOW64\Nggipg32.exe Njchfc32.exe File created C:\Windows\SysWOW64\Afgnkilf.exe Adiaommc.exe File created C:\Windows\SysWOW64\Aoqbnfda.dll Dochelmj.exe File opened for modification C:\Windows\SysWOW64\Eacghhkd.exe Emgkhj32.exe File created C:\Windows\SysWOW64\Cfknhi32.exe Ckfjjqhd.exe File created C:\Windows\SysWOW64\Eegmhhie.exe Ebialmjb.exe File created C:\Windows\SysWOW64\Honfqb32.exe Hkbkpcpd.exe File created C:\Windows\SysWOW64\Pjfdnp32.dll Ijidfpci.exe File created C:\Windows\SysWOW64\Ifgklp32.exe Iomcpe32.exe File created C:\Windows\SysWOW64\Opdnkeqd.dll Oqkpmaif.exe File created C:\Windows\SysWOW64\Hefqbobh.dll Qhincn32.exe File opened for modification C:\Windows\SysWOW64\Padjmfdg.exe Offpbi32.exe File created C:\Windows\SysWOW64\Aaklmhak.exe Qmenhe32.exe File created C:\Windows\SysWOW64\Lhdcojaa.exe Klmbjh32.exe File created C:\Windows\SysWOW64\Nacjlp32.dll Naegmabc.exe File created C:\Windows\SysWOW64\Chplalhi.dll Ojpomh32.exe File created C:\Windows\SysWOW64\Feiepkmi.dll Floeof32.exe File created C:\Windows\SysWOW64\Okinik32.exe Nbqjqehd.exe File created C:\Windows\SysWOW64\Nkadbc32.dll Qifnhaho.exe File created C:\Windows\SysWOW64\Cqglng32.exe Ckkcep32.exe File created C:\Windows\SysWOW64\Lnapncmc.dll Gncgbkki.exe File created C:\Windows\SysWOW64\Landhm32.dll Ijnnao32.exe File created C:\Windows\SysWOW64\Ekfhjgmd.dll Bccoeo32.exe File created C:\Windows\SysWOW64\Kidncq32.dll Djgfgkbo.exe File created C:\Windows\SysWOW64\Aedkomok.dll Fmlecinf.exe File created C:\Windows\SysWOW64\Kckhdg32.exe Kjbclamj.exe File opened for modification C:\Windows\SysWOW64\Ldmaijdc.exe Lfippfej.exe File created C:\Windows\SysWOW64\Mpikik32.exe Mlmoilni.exe File created C:\Windows\SysWOW64\Qnqjkh32.exe Pidaba32.exe File opened for modification C:\Windows\SysWOW64\Qnqjkh32.exe Pidaba32.exe File created C:\Windows\SysWOW64\Embbek32.dll Ckkcep32.exe File created C:\Windows\SysWOW64\Peqiahfi.dll Dnfhqi32.exe File opened for modification C:\Windows\SysWOW64\Eiilge32.exe Eqngcc32.exe File created C:\Windows\SysWOW64\Pagmgi32.dll Ggklka32.exe File created C:\Windows\SysWOW64\Bpkbha32.dll Cqglng32.exe File created C:\Windows\SysWOW64\Hkmaed32.exe Hcblqb32.exe File opened for modification C:\Windows\SysWOW64\Mlolnllf.exe Mgbcfdmo.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 3252 3212 WerFault.exe 265 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gpjmnh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ojceef32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qhincn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fbfjkj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nggipg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ofaolcmh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dnhefh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Empomd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nghpjn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jahbmlil.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mpikik32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ifengpdh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jkkjeeke.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aoomflpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bchhqo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ckfjjqhd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Chocodch.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jcikog32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ncamen32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cfknhi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cccdjl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hkmaed32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Imacijjb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oqkpmaif.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Djmiejji.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Djoeki32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Djgfgkbo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Floeof32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ebialmjb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fodgkp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lkbpke32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Efppqoil.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pmmqmpdm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aeokba32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dcjaeamd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fopnpaba.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Geqlnjcf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pbglpg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Afgnkilf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Felcbk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lhimji32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gncgbkki.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lfippfej.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bdinnqon.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dfkclf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ecogodlk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mgbcfdmo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qlggjlep.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nqpmimbe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Amhcad32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bikcbc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ejdfqogm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ghaeoe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hkpnjd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hkdgecna.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hnbcaome.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jnifaajh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kfggkc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ojeakfnd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bedamd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ccgnelll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Egcfdn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mlmoilni.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Camnge32.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Mdmmhn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gnngnk32.dll" Empomd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkhdcccf.dll" Ephdjeol.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eomgdlji.dll" Eldbkbop.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Icplje32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Cqglng32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Obilkm32.dll" Cfknhi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Gncgbkki.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ijlaloaf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihjpll32.dll" Jelhmlgm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Njnokdaq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Opdnkeqd.dll" Oqkpmaif.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Pfnoegaf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ckfjjqhd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Afcdpi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Fbfjkj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Qlggjlep.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ckkcep32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Dmgoif32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Eacghhkd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Lehdhn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Njalacon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Dgqion32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ecjgio32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dlmfbm32.dll" Bkkgfm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Gdhfdffl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Iqfiii32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nmcmif32.dll" Lbbnjgik.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ojceef32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Afgnkilf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Eddjhb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Felcbk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Djqdbbek.dll" Pmmqmpdm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Hhcndhap.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Jbnlaqhi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Kfggkc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghbakjma.dll" Befnbd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bnnmoiqo.dll" Fhjoof32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Hkmaed32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Landhm32.dll" Ijnnao32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Jgkdigfa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Jahbmlil.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Lkifkdjm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Mgbcfdmo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Emgdmc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Flhbifkd.dll" Hcblqb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Gigkbm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Jgkdigfa.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Mpikik32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Nggipg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Dochelmj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Gieommdc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ccboal32.dll" Gigkbm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Khdlbn32.dll" Aicmadmm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ckecpjdh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Dnckki32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cpokpklp.dll" Eddjhb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aedkomok.dll" Fmlecinf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fihbcdgp.dll" Gpogiglp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Hkdgecna.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mfeilp32.dll" Keango32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Dbmkfh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Onndkg32.dll" Fbfjkj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmgfal32.dll" Fopnpaba.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2640 wrote to memory of 2692 2640 b559808575a6391296d227eb4102df10N.exe 30 PID 2640 wrote to memory of 2692 2640 b559808575a6391296d227eb4102df10N.exe 30 PID 2640 wrote to memory of 2692 2640 b559808575a6391296d227eb4102df10N.exe 30 PID 2640 wrote to memory of 2692 2640 b559808575a6391296d227eb4102df10N.exe 30 PID 2692 wrote to memory of 2652 2692 Kmkihbho.exe 31 PID 2692 wrote to memory of 2652 2692 Kmkihbho.exe 31 PID 2692 wrote to memory of 2652 2692 Kmkihbho.exe 31 PID 2692 wrote to memory of 2652 2692 Kmkihbho.exe 31 PID 2652 wrote to memory of 3040 2652 Kbhbai32.exe 32 PID 2652 wrote to memory of 3040 2652 Kbhbai32.exe 32 PID 2652 wrote to memory of 3040 2652 Kbhbai32.exe 32 PID 2652 wrote to memory of 3040 2652 Kbhbai32.exe 32 PID 3040 wrote to memory of 2660 3040 Lghgmg32.exe 33 PID 3040 wrote to memory of 2660 3040 Lghgmg32.exe 33 PID 3040 wrote to memory of 2660 3040 Lghgmg32.exe 33 PID 3040 wrote to memory of 2660 3040 Lghgmg32.exe 33 PID 2660 wrote to memory of 2172 2660 Mdendpbg.exe 34 PID 2660 wrote to memory of 2172 2660 Mdendpbg.exe 34 PID 2660 wrote to memory of 2172 2660 Mdendpbg.exe 34 PID 2660 wrote to memory of 2172 2660 Mdendpbg.exe 34 PID 2172 wrote to memory of 2984 2172 Mnpobefe.exe 35 PID 2172 wrote to memory of 2984 2172 Mnpobefe.exe 35 PID 2172 wrote to memory of 2984 2172 Mnpobefe.exe 35 PID 2172 wrote to memory of 2984 2172 Mnpobefe.exe 35 PID 2984 wrote to memory of 1500 2984 Mlgiiaij.exe 36 PID 2984 wrote to memory of 1500 2984 Mlgiiaij.exe 36 PID 2984 wrote to memory of 1500 2984 Mlgiiaij.exe 36 PID 2984 wrote to memory of 1500 2984 Mlgiiaij.exe 36 PID 1500 wrote to memory of 2636 1500 Mfpmbf32.exe 37 PID 1500 wrote to memory of 2636 1500 Mfpmbf32.exe 37 PID 1500 wrote to memory of 2636 1500 Mfpmbf32.exe 37 PID 1500 wrote to memory of 2636 1500 Mfpmbf32.exe 37 PID 2636 wrote to memory of 2424 2636 Nghpjn32.exe 38 PID 2636 wrote to memory of 2424 2636 Nghpjn32.exe 38 PID 2636 wrote to memory of 2424 2636 Nghpjn32.exe 38 PID 2636 wrote to memory of 2424 2636 Nghpjn32.exe 38 PID 2424 wrote to memory of 2428 2424 Ncamen32.exe 39 PID 2424 wrote to memory of 2428 2424 Ncamen32.exe 39 PID 2424 wrote to memory of 2428 2424 Ncamen32.exe 39 PID 2424 wrote to memory of 2428 2424 Ncamen32.exe 39 PID 2428 wrote to memory of 1200 2428 Ojpomh32.exe 40 PID 2428 wrote to memory of 1200 2428 Ojpomh32.exe 40 PID 2428 wrote to memory of 1200 2428 Ojpomh32.exe 40 PID 2428 wrote to memory of 1200 2428 Ojpomh32.exe 40 PID 1200 wrote to memory of 1996 1200 Offpbi32.exe 41 PID 1200 wrote to memory of 1996 1200 Offpbi32.exe 41 PID 1200 wrote to memory of 1996 1200 Offpbi32.exe 41 PID 1200 wrote to memory of 1996 1200 Offpbi32.exe 41 PID 1996 wrote to memory of 2324 1996 Padjmfdg.exe 42 PID 1996 wrote to memory of 2324 1996 Padjmfdg.exe 42 PID 1996 wrote to memory of 2324 1996 Padjmfdg.exe 42 PID 1996 wrote to memory of 2324 1996 Padjmfdg.exe 42 PID 2324 wrote to memory of 2384 2324 Phobjp32.exe 43 PID 2324 wrote to memory of 2384 2324 Phobjp32.exe 43 PID 2324 wrote to memory of 2384 2324 Phobjp32.exe 43 PID 2324 wrote to memory of 2384 2324 Phobjp32.exe 43 PID 2384 wrote to memory of 848 2384 Qboikm32.exe 44 PID 2384 wrote to memory of 848 2384 Qboikm32.exe 44 PID 2384 wrote to memory of 848 2384 Qboikm32.exe 44 PID 2384 wrote to memory of 848 2384 Qboikm32.exe 44 PID 848 wrote to memory of 328 848 Qmenhe32.exe 45 PID 848 wrote to memory of 328 848 Qmenhe32.exe 45 PID 848 wrote to memory of 328 848 Qmenhe32.exe 45 PID 848 wrote to memory of 328 848 Qmenhe32.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\b559808575a6391296d227eb4102df10N.exe"C:\Users\Admin\AppData\Local\Temp\b559808575a6391296d227eb4102df10N.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2640 -
C:\Windows\SysWOW64\Kmkihbho.exeC:\Windows\system32\Kmkihbho.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2692 -
C:\Windows\SysWOW64\Kbhbai32.exeC:\Windows\system32\Kbhbai32.exe3⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2652 -
C:\Windows\SysWOW64\Lghgmg32.exeC:\Windows\system32\Lghgmg32.exe4⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3040 -
C:\Windows\SysWOW64\Mdendpbg.exeC:\Windows\system32\Mdendpbg.exe5⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2660 -
C:\Windows\SysWOW64\Mnpobefe.exeC:\Windows\system32\Mnpobefe.exe6⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2172 -
C:\Windows\SysWOW64\Mlgiiaij.exeC:\Windows\system32\Mlgiiaij.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2984 -
C:\Windows\SysWOW64\Mfpmbf32.exeC:\Windows\system32\Mfpmbf32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1500 -
C:\Windows\SysWOW64\Nghpjn32.exeC:\Windows\system32\Nghpjn32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2636 -
C:\Windows\SysWOW64\Ncamen32.exeC:\Windows\system32\Ncamen32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2424 -
C:\Windows\SysWOW64\Ojpomh32.exeC:\Windows\system32\Ojpomh32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2428 -
C:\Windows\SysWOW64\Offpbi32.exeC:\Windows\system32\Offpbi32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1200 -
C:\Windows\SysWOW64\Padjmfdg.exeC:\Windows\system32\Padjmfdg.exe13⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1996 -
C:\Windows\SysWOW64\Phobjp32.exeC:\Windows\system32\Phobjp32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2324 -
C:\Windows\SysWOW64\Qboikm32.exeC:\Windows\system32\Qboikm32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2384 -
C:\Windows\SysWOW64\Qmenhe32.exeC:\Windows\system32\Qmenhe32.exe16⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:848 -
C:\Windows\SysWOW64\Aaklmhak.exeC:\Windows\system32\Aaklmhak.exe17⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:328 -
C:\Windows\SysWOW64\Aoomflpd.exeC:\Windows\system32\Aoomflpd.exe18⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1392 -
C:\Windows\SysWOW64\Bccoeo32.exeC:\Windows\system32\Bccoeo32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2280 -
C:\Windows\SysWOW64\Bkkgfm32.exeC:\Windows\system32\Bkkgfm32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1812 -
C:\Windows\SysWOW64\Bnlphh32.exeC:\Windows\system32\Bnlphh32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1064 -
C:\Windows\SysWOW64\Bchhqo32.exeC:\Windows\system32\Bchhqo32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1580 -
C:\Windows\SysWOW64\Bfiabjjm.exeC:\Windows\system32\Bfiabjjm.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1012 -
C:\Windows\SysWOW64\Chgnneiq.exeC:\Windows\system32\Chgnneiq.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1988 -
C:\Windows\SysWOW64\Ckfjjqhd.exeC:\Windows\system32\Ckfjjqhd.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1868 -
C:\Windows\SysWOW64\Cfknhi32.exeC:\Windows\system32\Cfknhi32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2700 -
C:\Windows\SysWOW64\Ckkcep32.exeC:\Windows\system32\Ckkcep32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:2708 -
C:\Windows\SysWOW64\Cqglng32.exeC:\Windows\system32\Cqglng32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:2744 -
C:\Windows\SysWOW64\Chocodch.exeC:\Windows\system32\Chocodch.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2796 -
C:\Windows\SysWOW64\Cnnimkom.exeC:\Windows\system32\Cnnimkom.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:3064 -
C:\Windows\SysWOW64\Cqleifna.exeC:\Windows\system32\Cqleifna.exe31⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1260 -
C:\Windows\SysWOW64\Dcjaeamd.exeC:\Windows\system32\Dcjaeamd.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2996 -
C:\Windows\SysWOW64\Dcmnja32.exeC:\Windows\system32\Dcmnja32.exe33⤵
- Executes dropped EXE
PID:2936 -
C:\Windows\SysWOW64\Djgfgkbo.exeC:\Windows\system32\Djgfgkbo.exe34⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2900 -
C:\Windows\SysWOW64\Dmebcgbb.exeC:\Windows\system32\Dmebcgbb.exe35⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2616 -
C:\Windows\SysWOW64\Dbbklnpj.exeC:\Windows\system32\Dbbklnpj.exe36⤵
- Executes dropped EXE
PID:600 -
C:\Windows\SysWOW64\Dmgoif32.exeC:\Windows\system32\Dmgoif32.exe37⤵
- Executes dropped EXE
- Modifies registry class
PID:596 -
C:\Windows\SysWOW64\Dbdham32.exeC:\Windows\system32\Dbdham32.exe38⤵
- Executes dropped EXE
PID:2328 -
C:\Windows\SysWOW64\Dphhka32.exeC:\Windows\system32\Dphhka32.exe39⤵
- Executes dropped EXE
PID:2136 -
C:\Windows\SysWOW64\Dfbqgldn.exeC:\Windows\system32\Dfbqgldn.exe40⤵
- Executes dropped EXE
PID:2368 -
C:\Windows\SysWOW64\Diqmcgca.exeC:\Windows\system32\Diqmcgca.exe41⤵
- Executes dropped EXE
PID:980 -
C:\Windows\SysWOW64\Ebialmjb.exeC:\Windows\system32\Ebialmjb.exe42⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1068 -
C:\Windows\SysWOW64\Eegmhhie.exeC:\Windows\system32\Eegmhhie.exe43⤵
- Executes dropped EXE
PID:920 -
C:\Windows\SysWOW64\Ejdfqogm.exeC:\Windows\system32\Ejdfqogm.exe44⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2252 -
C:\Windows\SysWOW64\Eldbkbop.exeC:\Windows\system32\Eldbkbop.exe45⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1952 -
C:\Windows\SysWOW64\Emeobj32.exeC:\Windows\system32\Emeobj32.exe46⤵
- Executes dropped EXE
PID:1636 -
C:\Windows\SysWOW64\Ecogodlk.exeC:\Windows\system32\Ecogodlk.exe47⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1472 -
C:\Windows\SysWOW64\Ejioln32.exeC:\Windows\system32\Ejioln32.exe48⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2388 -
C:\Windows\SysWOW64\Emgkhj32.exeC:\Windows\system32\Emgkhj32.exe49⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2392 -
C:\Windows\SysWOW64\Eacghhkd.exeC:\Windows\system32\Eacghhkd.exe50⤵
- Executes dropped EXE
- Modifies registry class
PID:2508 -
C:\Windows\SysWOW64\Efppqoil.exeC:\Windows\system32\Efppqoil.exe51⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2840 -
C:\Windows\SysWOW64\Ephdjeol.exeC:\Windows\system32\Ephdjeol.exe52⤵
- Executes dropped EXE
- Modifies registry class
PID:2680 -
C:\Windows\SysWOW64\Fmlecinf.exeC:\Windows\system32\Fmlecinf.exe53⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1760 -
C:\Windows\SysWOW64\Floeof32.exeC:\Windows\system32\Floeof32.exe54⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2544 -
C:\Windows\SysWOW64\Ficehj32.exeC:\Windows\system32\Ficehj32.exe55⤵
- Executes dropped EXE
PID:1460 -
C:\Windows\SysWOW64\Fopnpaba.exeC:\Windows\system32\Fopnpaba.exe56⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1560 -
C:\Windows\SysWOW64\Fiebnjbg.exeC:\Windows\system32\Fiebnjbg.exe57⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2912 -
C:\Windows\SysWOW64\Flcojeak.exeC:\Windows\system32\Flcojeak.exe58⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2908 -
C:\Windows\SysWOW64\Felcbk32.exeC:\Windows\system32\Felcbk32.exe59⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1256 -
C:\Windows\SysWOW64\Fhjoof32.exeC:\Windows\system32\Fhjoof32.exe60⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:1964 -
C:\Windows\SysWOW64\Fodgkp32.exeC:\Windows\system32\Fodgkp32.exe61⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2332 -
C:\Windows\SysWOW64\Fdapcg32.exeC:\Windows\system32\Fdapcg32.exe62⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1936 -
C:\Windows\SysWOW64\Flhhed32.exeC:\Windows\system32\Flhhed32.exe63⤵
- Executes dropped EXE
PID:2168 -
C:\Windows\SysWOW64\Geqlnjcf.exeC:\Windows\system32\Geqlnjcf.exe64⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2232 -
C:\Windows\SysWOW64\Gmlablaa.exeC:\Windows\system32\Gmlablaa.exe65⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1816 -
C:\Windows\SysWOW64\Gpjmnh32.exeC:\Windows\system32\Gpjmnh32.exe66⤵
- System Location Discovery: System Language Discovery
PID:288 -
C:\Windows\SysWOW64\Ghaeoe32.exeC:\Windows\system32\Ghaeoe32.exe67⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1948 -
C:\Windows\SysWOW64\Gdhfdffl.exeC:\Windows\system32\Gdhfdffl.exe68⤵
- Modifies registry class
PID:1752 -
C:\Windows\SysWOW64\Gieommdc.exeC:\Windows\system32\Gieommdc.exe69⤵
- Modifies registry class
PID:2976 -
C:\Windows\SysWOW64\Gpogiglp.exeC:\Windows\system32\Gpogiglp.exe70⤵
- Modifies registry class
PID:1484 -
C:\Windows\SysWOW64\Gcmcebkc.exeC:\Windows\system32\Gcmcebkc.exe71⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1612 -
C:\Windows\SysWOW64\Gigkbm32.exeC:\Windows\system32\Gigkbm32.exe72⤵
- Modifies registry class
PID:2824 -
C:\Windows\SysWOW64\Gncgbkki.exeC:\Windows\system32\Gncgbkki.exe73⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2828 -
C:\Windows\SysWOW64\Ggklka32.exeC:\Windows\system32\Ggklka32.exe74⤵
- Drops file in System32 directory
PID:3052 -
C:\Windows\SysWOW64\Hofqpc32.exeC:\Windows\system32\Hofqpc32.exe75⤵PID:2200
-
C:\Windows\SysWOW64\Hcblqb32.exeC:\Windows\system32\Hcblqb32.exe76⤵
- Drops file in System32 directory
- Modifies registry class
PID:2028 -
C:\Windows\SysWOW64\Hkmaed32.exeC:\Windows\system32\Hkmaed32.exe77⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2896 -
C:\Windows\SysWOW64\Hoimecmb.exeC:\Windows\system32\Hoimecmb.exe78⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2864 -
C:\Windows\SysWOW64\Hkpnjd32.exeC:\Windows\system32\Hkpnjd32.exe79⤵
- System Location Discovery: System Language Discovery
PID:2340 -
C:\Windows\SysWOW64\Hokjkbkp.exeC:\Windows\system32\Hokjkbkp.exe80⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2420 -
C:\Windows\SysWOW64\Hhcndhap.exeC:\Windows\system32\Hhcndhap.exe81⤵
- Modifies registry class
PID:2372 -
C:\Windows\SysWOW64\Hkbkpcpd.exeC:\Windows\system32\Hkbkpcpd.exe82⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2416 -
C:\Windows\SysWOW64\Honfqb32.exeC:\Windows\system32\Honfqb32.exe83⤵PID:372
-
C:\Windows\SysWOW64\Hkdgecna.exeC:\Windows\system32\Hkdgecna.exe84⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2288 -
C:\Windows\SysWOW64\Hnbcaome.exeC:\Windows\system32\Hnbcaome.exe85⤵
- System Location Discovery: System Language Discovery
PID:1680 -
C:\Windows\SysWOW64\Icplje32.exeC:\Windows\system32\Icplje32.exe86⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:624 -
C:\Windows\SysWOW64\Ijidfpci.exeC:\Windows\system32\Ijidfpci.exe87⤵
- Drops file in System32 directory
PID:876 -
C:\Windows\SysWOW64\Idohdhbo.exeC:\Windows\system32\Idohdhbo.exe88⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1056 -
C:\Windows\SysWOW64\Ijlaloaf.exeC:\Windows\system32\Ijlaloaf.exe89⤵
- Modifies registry class
PID:1496 -
C:\Windows\SysWOW64\Ingmmn32.exeC:\Windows\system32\Ingmmn32.exe90⤵PID:2972
-
C:\Windows\SysWOW64\Iqfiii32.exeC:\Windows\system32\Iqfiii32.exe91⤵
- Drops file in System32 directory
- Modifies registry class
PID:2568 -
C:\Windows\SysWOW64\Ijnnao32.exeC:\Windows\system32\Ijnnao32.exe92⤵
- Drops file in System32 directory
- Modifies registry class
PID:3056 -
C:\Windows\SysWOW64\Ibibfa32.exeC:\Windows\system32\Ibibfa32.exe93⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2312 -
C:\Windows\SysWOW64\Ifengpdh.exeC:\Windows\system32\Ifengpdh.exe94⤵
- System Location Discovery: System Language Discovery
PID:2360 -
C:\Windows\SysWOW64\Iomcpe32.exeC:\Windows\system32\Iomcpe32.exe95⤵
- Drops file in System32 directory
PID:2928 -
C:\Windows\SysWOW64\Ifgklp32.exeC:\Windows\system32\Ifgklp32.exe96⤵PID:1696
-
C:\Windows\SysWOW64\Imacijjb.exeC:\Windows\system32\Imacijjb.exe97⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:560 -
C:\Windows\SysWOW64\Jbnlaqhi.exeC:\Windows\system32\Jbnlaqhi.exe98⤵
- Modifies registry class
PID:2304 -
C:\Windows\SysWOW64\Jelhmlgm.exeC:\Windows\system32\Jelhmlgm.exe99⤵
- Modifies registry class
PID:1720 -
C:\Windows\SysWOW64\Jgkdigfa.exeC:\Windows\system32\Jgkdigfa.exe100⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2300 -
C:\Windows\SysWOW64\Jijacjnc.exeC:\Windows\system32\Jijacjnc.exe101⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1140 -
C:\Windows\SysWOW64\Jngilalk.exeC:\Windows\system32\Jngilalk.exe102⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2468 -
C:\Windows\SysWOW64\Jkkjeeke.exeC:\Windows\system32\Jkkjeeke.exe103⤵
- System Location Discovery: System Language Discovery
PID:1488 -
C:\Windows\SysWOW64\Jnifaajh.exeC:\Windows\system32\Jnifaajh.exe104⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:2404 -
C:\Windows\SysWOW64\Jahbmlil.exeC:\Windows\system32\Jahbmlil.exe105⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2844 -
C:\Windows\SysWOW64\Jjpgfbom.exeC:\Windows\system32\Jjpgfbom.exe106⤵
- Drops file in System32 directory
PID:3016 -
C:\Windows\SysWOW64\Jcikog32.exeC:\Windows\system32\Jcikog32.exe107⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:2076 -
C:\Windows\SysWOW64\Kfggkc32.exeC:\Windows\system32\Kfggkc32.exe108⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1848 -
C:\Windows\SysWOW64\Kjbclamj.exeC:\Windows\system32\Kjbclamj.exe109⤵
- Drops file in System32 directory
PID:2816 -
C:\Windows\SysWOW64\Kckhdg32.exeC:\Windows\system32\Kckhdg32.exe110⤵PID:1060
-
C:\Windows\SysWOW64\Klfmijae.exeC:\Windows\system32\Klfmijae.exe111⤵PID:704
-
C:\Windows\SysWOW64\Kpbhjh32.exeC:\Windows\system32\Kpbhjh32.exe112⤵PID:480
-
C:\Windows\SysWOW64\Kbpefc32.exeC:\Windows\system32\Kbpefc32.exe113⤵PID:1864
-
C:\Windows\SysWOW64\Kpdeoh32.exeC:\Windows\system32\Kpdeoh32.exe114⤵PID:2488
-
C:\Windows\SysWOW64\Kngekdnf.exeC:\Windows\system32\Kngekdnf.exe115⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2008 -
C:\Windows\SysWOW64\Keango32.exeC:\Windows\system32\Keango32.exe116⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:1008 -
C:\Windows\SysWOW64\Khojcj32.exeC:\Windows\system32\Khojcj32.exe117⤵PID:2000
-
C:\Windows\SysWOW64\Klmbjh32.exeC:\Windows\system32\Klmbjh32.exe118⤵
- Drops file in System32 directory
PID:2180 -
C:\Windows\SysWOW64\Lhdcojaa.exeC:\Windows\system32\Lhdcojaa.exe119⤵PID:2812
-
C:\Windows\SysWOW64\Lkbpke32.exeC:\Windows\system32\Lkbpke32.exe120⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:2748 -
C:\Windows\SysWOW64\Lehdhn32.exeC:\Windows\system32\Lehdhn32.exe121⤵
- Modifies registry class
PID:2888
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-