Analysis
-
max time kernel
111s -
max time network
16s -
platform
windows7_x64 -
resource
win7-20240708-en -
resource tags
arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system -
submitted
05-09-2024 12:14
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
a9f7ac006dbb19762418304d66a75a30N.exe
Resource
win7-20240708-en
windows7-x64
8 signatures
120 seconds
Behavioral task
behavioral2
Sample
a9f7ac006dbb19762418304d66a75a30N.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
7 signatures
120 seconds
General
-
Target
a9f7ac006dbb19762418304d66a75a30N.exe
-
Size
144KB
-
MD5
a9f7ac006dbb19762418304d66a75a30
-
SHA1
be0f99de61cd73fe6e8b39e88a3983aa2dabbf0e
-
SHA256
57da0561d28396d4af053254d314b4a428d9e73b13dcec59a4beb63d0544604e
-
SHA512
94fa1759806b06fd979e93d33866657083f28bf96bfc032f129982f611312b06df3d6b9b4e1353cbfa48f3e50b99af9297dc7fd63186437c96f2601efc306cc8
-
SSDEEP
3072:ruV77g1d1/odTKudxADIVoaFmqzGYJpD9r8XxrYnQg4sI+:S77+d1/odVeDIVo2mAGyZ6Yu+
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gqlhkofn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Obgnhkkh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bcbfbp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cbgobp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jimbkh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kdbbgdjj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lfkeokjp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nhgnaehm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dboeco32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dmkcil32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Feddombd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qackpado.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cmfkfa32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eiekpd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pkoicb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kenoifpb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ndcapd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eaheeecg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mjaddn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Calcpm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Goiongbc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Diaaeepi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aebmjo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ijibng32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Boifga32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Glklejoo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Akkoig32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cfpldf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kjokokha.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Npjlhcmd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ofadnq32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bgllgedi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ohipla32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pdbmfb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Npaich32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bkpeci32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dhiomn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Eoiiijcc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bnihdemo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dogpdg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hihlqeib.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Njeccjcd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hmkeke32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Adnpkjde.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Daaenlng.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Giolnomh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gncldi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hfbcidmk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hifbdnbi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cpkmcldj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bgoime32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qemldifo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Afdiondb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oajndh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pdbmfb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Acnlgajg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bolcma32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hjohmbpd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kfbfkmeh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Noffdd32.exe -
Executes dropped EXE 64 IoCs
pid Process 624 Jdhgnf32.exe 2380 Jkbojpna.exe 2956 Kghpoa32.exe 2348 Knbhlkkc.exe 2984 Kpadhg32.exe 2748 Kcopdb32.exe 2724 Khlili32.exe 2620 Kcamjb32.exe 1800 Kbdmeoob.exe 1292 Kohnoc32.exe 1476 Kbgjkn32.exe 1596 Kfbfkmeh.exe 1656 Kokjdb32.exe 2928 Kfebambf.exe 2440 Lkakicam.exe 1472 Lblcfnhj.exe 2948 Lqncaj32.exe 580 Lhelbh32.exe 944 Lkdhoc32.exe 2444 Lnbdko32.exe 1668 Ldllgiek.exe 1560 Lkfddc32.exe 3000 Lneaqn32.exe 2312 Lmgalkcf.exe 2192 Lcaiiejc.exe 1692 Lfpeeqig.exe 3032 Lngnfnji.exe 1508 Lfbbjpgd.exe 2112 Liqoflfh.exe 2736 Mfdopp32.exe 2968 Micklk32.exe 2612 Mkaghg32.exe 2784 Mfglep32.exe 2428 Miehak32.exe 264 Mkddnf32.exe 2408 Mnbpjb32.exe 1328 Mgjebg32.exe 1184 Mndmoaog.exe 1208 Mjkndb32.exe 2912 Mbbfep32.exe 1864 Mccbmh32.exe 1556 Mjnjjbbh.exe 2080 Nagbgl32.exe 1940 Nhakcfab.exe 1804 Nnkcpq32.exe 2044 Najpll32.exe 940 Njbdea32.exe 2324 Nmqpam32.exe 2320 Ndkhngdd.exe 1996 Nbniid32.exe 3036 Njdqka32.exe 2560 Npaich32.exe 2240 Nbpeoc32.exe 2712 Nenakoho.exe 2872 Nlhjhi32.exe 2916 Noffdd32.exe 776 Nfnneb32.exe 2876 Oiljam32.exe 536 Olkfmi32.exe 2780 Ooicid32.exe 2936 Oagoep32.exe 2472 Oioggmmc.exe 900 Olmcchlg.exe 2108 Oeehln32.exe -
Loads dropped DLL 64 IoCs
pid Process 2356 a9f7ac006dbb19762418304d66a75a30N.exe 2356 a9f7ac006dbb19762418304d66a75a30N.exe 624 Jdhgnf32.exe 624 Jdhgnf32.exe 2380 Jkbojpna.exe 2380 Jkbojpna.exe 2956 Kghpoa32.exe 2956 Kghpoa32.exe 2348 Knbhlkkc.exe 2348 Knbhlkkc.exe 2984 Kpadhg32.exe 2984 Kpadhg32.exe 2748 Kcopdb32.exe 2748 Kcopdb32.exe 2724 Khlili32.exe 2724 Khlili32.exe 2620 Kcamjb32.exe 2620 Kcamjb32.exe 1800 Kbdmeoob.exe 1800 Kbdmeoob.exe 1292 Kohnoc32.exe 1292 Kohnoc32.exe 1476 Kbgjkn32.exe 1476 Kbgjkn32.exe 1596 Kfbfkmeh.exe 1596 Kfbfkmeh.exe 1656 Kokjdb32.exe 1656 Kokjdb32.exe 2928 Kfebambf.exe 2928 Kfebambf.exe 2440 Lkakicam.exe 2440 Lkakicam.exe 1472 Lblcfnhj.exe 1472 Lblcfnhj.exe 2948 Lqncaj32.exe 2948 Lqncaj32.exe 580 Lhelbh32.exe 580 Lhelbh32.exe 944 Lkdhoc32.exe 944 Lkdhoc32.exe 2444 Lnbdko32.exe 2444 Lnbdko32.exe 1668 Ldllgiek.exe 1668 Ldllgiek.exe 1560 Lkfddc32.exe 1560 Lkfddc32.exe 3000 Lneaqn32.exe 3000 Lneaqn32.exe 2312 Lmgalkcf.exe 2312 Lmgalkcf.exe 2192 Lcaiiejc.exe 2192 Lcaiiejc.exe 1692 Lfpeeqig.exe 1692 Lfpeeqig.exe 3032 Lngnfnji.exe 3032 Lngnfnji.exe 1508 Lfbbjpgd.exe 1508 Lfbbjpgd.exe 2112 Liqoflfh.exe 2112 Liqoflfh.exe 2736 Mfdopp32.exe 2736 Mfdopp32.exe 2968 Micklk32.exe 2968 Micklk32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Mfmndn32.exe Mcnbhb32.exe File created C:\Windows\SysWOW64\Jcnllk32.dll Eakhdj32.exe File opened for modification C:\Windows\SysWOW64\Diaaeepi.exe Dknajh32.exe File created C:\Windows\SysWOW64\Fpmbfbgo.exe Fnofjfhk.exe File created C:\Windows\SysWOW64\Giqhcmil.dll Ihpfgalh.exe File created C:\Windows\SysWOW64\Eakooqih.exe Domccejd.exe File opened for modification C:\Windows\SysWOW64\Aobnniji.exe Aqonbm32.exe File opened for modification C:\Windows\SysWOW64\Lgkkmm32.exe Ldmopa32.exe File created C:\Windows\SysWOW64\Aggiigmn.exe Ackmih32.exe File created C:\Windows\SysWOW64\Mhfjjdjf.exe Mfgnnhkc.exe File created C:\Windows\SysWOW64\Pgodelnq.dll Process not Found File opened for modification C:\Windows\SysWOW64\Pdbmfb32.exe Pacajg32.exe File created C:\Windows\SysWOW64\Qejpoi32.exe Pblcbn32.exe File opened for modification C:\Windows\SysWOW64\Jmipdo32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Edibhmml.exe Dmojkc32.exe File opened for modification C:\Windows\SysWOW64\Gaihob32.exe Gkoobhhg.exe File opened for modification C:\Windows\SysWOW64\Hinbppna.exe Hjlbdc32.exe File created C:\Windows\SysWOW64\Mjqmig32.exe Mfeaiime.exe File created C:\Windows\SysWOW64\Ibcphc32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Ijcngenj.exe Process not Found File created C:\Windows\SysWOW64\Palepb32.exe Pomhcg32.exe File opened for modification C:\Windows\SysWOW64\Jimbkh32.exe Jfofol32.exe File created C:\Windows\SysWOW64\Ippbdn32.dll Nlqmmd32.exe File created C:\Windows\SysWOW64\Ikjhki32.exe Process not Found File created C:\Windows\SysWOW64\Coicfd32.exe Cmkfji32.exe File opened for modification C:\Windows\SysWOW64\Nenakoho.exe Nbpeoc32.exe File created C:\Windows\SysWOW64\Jhbcjo32.dll Pleofj32.exe File created C:\Windows\SysWOW64\Pacajg32.exe Pmhejhao.exe File opened for modification C:\Windows\SysWOW64\Nmfbpk32.exe Njhfcp32.exe File opened for modification C:\Windows\SysWOW64\Kofcbl32.exe Klhgfq32.exe File opened for modification C:\Windows\SysWOW64\Nnjicjbf.exe Ngpqfp32.exe File opened for modification C:\Windows\SysWOW64\Lkgngb32.exe Lhiakf32.exe File created C:\Windows\SysWOW64\Fdapnj32.dll Nnnbni32.exe File created C:\Windows\SysWOW64\Odohol32.dll Oagoep32.exe File created C:\Windows\SysWOW64\Bkklhjnk.exe Bmhkmm32.exe File created C:\Windows\SysWOW64\Edibhmml.exe Dmojkc32.exe File opened for modification C:\Windows\SysWOW64\Fjjpjgjj.exe Ffodjh32.exe File opened for modification C:\Windows\SysWOW64\Ibcnojnp.exe Ipeaco32.exe File created C:\Windows\SysWOW64\Ilnomp32.exe Idgglb32.exe File created C:\Windows\SysWOW64\Klncqmjg.dll Hfbcidmk.exe File opened for modification C:\Windows\SysWOW64\Mqjefamk.exe Mhcmedli.exe File created C:\Windows\SysWOW64\Aeoijidl.exe Qmhahkdj.exe File opened for modification C:\Windows\SysWOW64\Hpkompgg.exe Hahnac32.exe File created C:\Windows\SysWOW64\Jqnodo32.dll Kalipcmb.exe File created C:\Windows\SysWOW64\Mdceqkca.dll Mcfemmna.exe File created C:\Windows\SysWOW64\Paaddgkj.exe Pnchhllf.exe File opened for modification C:\Windows\SysWOW64\Nbpeoc32.exe Npaich32.exe File created C:\Windows\SysWOW64\Kjpndcho.dll Process not Found File created C:\Windows\SysWOW64\Edgeao32.dll Eeohkeoe.exe File opened for modification C:\Windows\SysWOW64\Hjlbdc32.exe Hfpfdeon.exe File created C:\Windows\SysWOW64\Hbkqdepm.exe Homdhjai.exe File created C:\Windows\SysWOW64\Ipomlm32.exe Iieepbje.exe File created C:\Windows\SysWOW64\Baleem32.dll Bkklhjnk.exe File created C:\Windows\SysWOW64\Ihkknn32.dll Fpohakbp.exe File opened for modification C:\Windows\SysWOW64\Dfmeccao.exe Dbaice32.exe File created C:\Windows\SysWOW64\Licpomcb.dll Eifmimch.exe File opened for modification C:\Windows\SysWOW64\Bnihdemo.exe Bofgii32.exe File created C:\Windows\SysWOW64\Cfpldf32.exe Ccbphk32.exe File opened for modification C:\Windows\SysWOW64\Jkhejkcq.exe Jbqmhnbo.exe File created C:\Windows\SysWOW64\Behjbjcf.dll Knfndjdp.exe File created C:\Windows\SysWOW64\Dgkjaa32.dll Aqonbm32.exe File created C:\Windows\SysWOW64\Alqnah32.exe Adifpk32.exe File created C:\Windows\SysWOW64\Lkdhoc32.exe Lhelbh32.exe File created C:\Windows\SysWOW64\Idkhmgco.dll Pphkbj32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 11224 11196 Process not Found 1120 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oajndh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pddjlb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dnqlmq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gdhkfd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Injndk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Phnpagdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kmegjdad.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pomhcg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lddlkg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Obgnhkkh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dadbdkld.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dhpgfeao.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cmhglq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ibejdjln.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ajpepm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bchfhfeh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fapeic32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ppkjac32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Agpeaa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eihjolae.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ldllgiek.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mbbfep32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ioohokoo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lhnkffeo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nqjaeeog.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Agdmdg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hihlqeib.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ihdpbq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ncnngfna.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ohipla32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language a9f7ac006dbb19762418304d66a75a30N.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gceailog.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hbaaik32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Laleof32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oflpgnld.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fdiqpigl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Khlili32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ccmpce32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hcojam32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Opfegp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ppddpd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aaejojjq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eclbcj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eeohkeoe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Opqoge32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fgdgcfmb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Odmabj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gjjmijme.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ncmglp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hgeelf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fgdnnl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fkbgckgd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Baefnmml.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eicpcm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fqalaa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Adifpk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nnnbni32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Njeccjcd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bjdkjpkb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jjnhhjjk.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfehcipm.dll" Kcdlhj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Angldo32.dll" Fckhhgcf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Egajnfoe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Faffik32.dll" Bbjpil32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ceeieced.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cfpldf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Olpecfkn.dll" Qcogbdkg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Iphgln32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ibkmchbh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jmnqje32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pldebkhj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mpgobc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Cocphf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jofial32.dll" Mokilo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Cpmjhk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Aihfap32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jlnklcej.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bfoeil32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Gmhkin32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pincfpoo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Afffenbp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bndlbd32.dll" Igoomk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Oioggmmc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fbegbacp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eligcnhi.dll" Ghajacmo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ahpifj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Gceailog.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Liobdl32.dll" Lngnfnji.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Folfoj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ecnlcm32.dll" Ggkibhjf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Inppon32.dll" Bhdhefpc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Lkakicam.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpkjkkdg.dll" Qhjfgl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qlomqkmp.dll" Ipeaco32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fphbpd32.dll" Dphfbiem.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Gdegfn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mnbpjb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Feggob32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ikfbbjdj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mobfgdcl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pgpgjepk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bjkhdacm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cmedlk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Imodkadq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mnbkmo32.dll" Kcopdb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Fqalaa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ajckilei.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nakpkfka.dll" Hcdgmimg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hannfn32.dll" Adaiee32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgcchb32.dll" Nmfbpk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ccdbdc32.dll" Edcnakpa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pqdhpbib.dll" Modlbmmn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dobfbpbc.dll" Cidddj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ncmglp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ekdchf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hjcaha32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bibjaofg.dll" Pohhna32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Gdegfn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ijnkifgp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ldokfakl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gamnel32.dll" Momfan32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ojgfoglc.dll" Cqdfehii.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kjfkcopd.dll" Plgolf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jnqjhh32.dll" Ehhdaj32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2356 wrote to memory of 624 2356 a9f7ac006dbb19762418304d66a75a30N.exe 30 PID 2356 wrote to memory of 624 2356 a9f7ac006dbb19762418304d66a75a30N.exe 30 PID 2356 wrote to memory of 624 2356 a9f7ac006dbb19762418304d66a75a30N.exe 30 PID 2356 wrote to memory of 624 2356 a9f7ac006dbb19762418304d66a75a30N.exe 30 PID 624 wrote to memory of 2380 624 Jdhgnf32.exe 31 PID 624 wrote to memory of 2380 624 Jdhgnf32.exe 31 PID 624 wrote to memory of 2380 624 Jdhgnf32.exe 31 PID 624 wrote to memory of 2380 624 Jdhgnf32.exe 31 PID 2380 wrote to memory of 2956 2380 Jkbojpna.exe 32 PID 2380 wrote to memory of 2956 2380 Jkbojpna.exe 32 PID 2380 wrote to memory of 2956 2380 Jkbojpna.exe 32 PID 2380 wrote to memory of 2956 2380 Jkbojpna.exe 32 PID 2956 wrote to memory of 2348 2956 Kghpoa32.exe 33 PID 2956 wrote to memory of 2348 2956 Kghpoa32.exe 33 PID 2956 wrote to memory of 2348 2956 Kghpoa32.exe 33 PID 2956 wrote to memory of 2348 2956 Kghpoa32.exe 33 PID 2348 wrote to memory of 2984 2348 Knbhlkkc.exe 34 PID 2348 wrote to memory of 2984 2348 Knbhlkkc.exe 34 PID 2348 wrote to memory of 2984 2348 Knbhlkkc.exe 34 PID 2348 wrote to memory of 2984 2348 Knbhlkkc.exe 34 PID 2984 wrote to memory of 2748 2984 Kpadhg32.exe 35 PID 2984 wrote to memory of 2748 2984 Kpadhg32.exe 35 PID 2984 wrote to memory of 2748 2984 Kpadhg32.exe 35 PID 2984 wrote to memory of 2748 2984 Kpadhg32.exe 35 PID 2748 wrote to memory of 2724 2748 Kcopdb32.exe 36 PID 2748 wrote to memory of 2724 2748 Kcopdb32.exe 36 PID 2748 wrote to memory of 2724 2748 Kcopdb32.exe 36 PID 2748 wrote to memory of 2724 2748 Kcopdb32.exe 36 PID 2724 wrote to memory of 2620 2724 Khlili32.exe 37 PID 2724 wrote to memory of 2620 2724 Khlili32.exe 37 PID 2724 wrote to memory of 2620 2724 Khlili32.exe 37 PID 2724 wrote to memory of 2620 2724 Khlili32.exe 37 PID 2620 wrote to memory of 1800 2620 Kcamjb32.exe 38 PID 2620 wrote to memory of 1800 2620 Kcamjb32.exe 38 PID 2620 wrote to memory of 1800 2620 Kcamjb32.exe 38 PID 2620 wrote to memory of 1800 2620 Kcamjb32.exe 38 PID 1800 wrote to memory of 1292 1800 Kbdmeoob.exe 39 PID 1800 wrote to memory of 1292 1800 Kbdmeoob.exe 39 PID 1800 wrote to memory of 1292 1800 Kbdmeoob.exe 39 PID 1800 wrote to memory of 1292 1800 Kbdmeoob.exe 39 PID 1292 wrote to memory of 1476 1292 Kohnoc32.exe 40 PID 1292 wrote to memory of 1476 1292 Kohnoc32.exe 40 PID 1292 wrote to memory of 1476 1292 Kohnoc32.exe 40 PID 1292 wrote to memory of 1476 1292 Kohnoc32.exe 40 PID 1476 wrote to memory of 1596 1476 Kbgjkn32.exe 41 PID 1476 wrote to memory of 1596 1476 Kbgjkn32.exe 41 PID 1476 wrote to memory of 1596 1476 Kbgjkn32.exe 41 PID 1476 wrote to memory of 1596 1476 Kbgjkn32.exe 41 PID 1596 wrote to memory of 1656 1596 Kfbfkmeh.exe 42 PID 1596 wrote to memory of 1656 1596 Kfbfkmeh.exe 42 PID 1596 wrote to memory of 1656 1596 Kfbfkmeh.exe 42 PID 1596 wrote to memory of 1656 1596 Kfbfkmeh.exe 42 PID 1656 wrote to memory of 2928 1656 Kokjdb32.exe 43 PID 1656 wrote to memory of 2928 1656 Kokjdb32.exe 43 PID 1656 wrote to memory of 2928 1656 Kokjdb32.exe 43 PID 1656 wrote to memory of 2928 1656 Kokjdb32.exe 43 PID 2928 wrote to memory of 2440 2928 Kfebambf.exe 44 PID 2928 wrote to memory of 2440 2928 Kfebambf.exe 44 PID 2928 wrote to memory of 2440 2928 Kfebambf.exe 44 PID 2928 wrote to memory of 2440 2928 Kfebambf.exe 44 PID 2440 wrote to memory of 1472 2440 Lkakicam.exe 45 PID 2440 wrote to memory of 1472 2440 Lkakicam.exe 45 PID 2440 wrote to memory of 1472 2440 Lkakicam.exe 45 PID 2440 wrote to memory of 1472 2440 Lkakicam.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\a9f7ac006dbb19762418304d66a75a30N.exe"C:\Users\Admin\AppData\Local\Temp\a9f7ac006dbb19762418304d66a75a30N.exe"1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2356 -
C:\Windows\SysWOW64\Jdhgnf32.exeC:\Windows\system32\Jdhgnf32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:624 -
C:\Windows\SysWOW64\Jkbojpna.exeC:\Windows\system32\Jkbojpna.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2380 -
C:\Windows\SysWOW64\Kghpoa32.exeC:\Windows\system32\Kghpoa32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2956 -
C:\Windows\SysWOW64\Knbhlkkc.exeC:\Windows\system32\Knbhlkkc.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2348 -
C:\Windows\SysWOW64\Kpadhg32.exeC:\Windows\system32\Kpadhg32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2984 -
C:\Windows\SysWOW64\Kcopdb32.exeC:\Windows\system32\Kcopdb32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2748 -
C:\Windows\SysWOW64\Khlili32.exeC:\Windows\system32\Khlili32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2724 -
C:\Windows\SysWOW64\Kcamjb32.exeC:\Windows\system32\Kcamjb32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2620 -
C:\Windows\SysWOW64\Kbdmeoob.exeC:\Windows\system32\Kbdmeoob.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1800 -
C:\Windows\SysWOW64\Kohnoc32.exeC:\Windows\system32\Kohnoc32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1292 -
C:\Windows\SysWOW64\Kbgjkn32.exeC:\Windows\system32\Kbgjkn32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1476 -
C:\Windows\SysWOW64\Kfbfkmeh.exeC:\Windows\system32\Kfbfkmeh.exe13⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1596 -
C:\Windows\SysWOW64\Kokjdb32.exeC:\Windows\system32\Kokjdb32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1656 -
C:\Windows\SysWOW64\Kfebambf.exeC:\Windows\system32\Kfebambf.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2928 -
C:\Windows\SysWOW64\Lkakicam.exeC:\Windows\system32\Lkakicam.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2440 -
C:\Windows\SysWOW64\Lblcfnhj.exeC:\Windows\system32\Lblcfnhj.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1472 -
C:\Windows\SysWOW64\Lqncaj32.exeC:\Windows\system32\Lqncaj32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2948 -
C:\Windows\SysWOW64\Lhelbh32.exeC:\Windows\system32\Lhelbh32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:580 -
C:\Windows\SysWOW64\Lkdhoc32.exeC:\Windows\system32\Lkdhoc32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:944 -
C:\Windows\SysWOW64\Lnbdko32.exeC:\Windows\system32\Lnbdko32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2444 -
C:\Windows\SysWOW64\Ldllgiek.exeC:\Windows\system32\Ldllgiek.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1668 -
C:\Windows\SysWOW64\Lkfddc32.exeC:\Windows\system32\Lkfddc32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1560 -
C:\Windows\SysWOW64\Lneaqn32.exeC:\Windows\system32\Lneaqn32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3000 -
C:\Windows\SysWOW64\Lmgalkcf.exeC:\Windows\system32\Lmgalkcf.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2312 -
C:\Windows\SysWOW64\Lcaiiejc.exeC:\Windows\system32\Lcaiiejc.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2192 -
C:\Windows\SysWOW64\Lfpeeqig.exeC:\Windows\system32\Lfpeeqig.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1692 -
C:\Windows\SysWOW64\Lngnfnji.exeC:\Windows\system32\Lngnfnji.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:3032 -
C:\Windows\SysWOW64\Lfbbjpgd.exeC:\Windows\system32\Lfbbjpgd.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1508 -
C:\Windows\SysWOW64\Liqoflfh.exeC:\Windows\system32\Liqoflfh.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2112 -
C:\Windows\SysWOW64\Mfdopp32.exeC:\Windows\system32\Mfdopp32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2736 -
C:\Windows\SysWOW64\Micklk32.exeC:\Windows\system32\Micklk32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2968 -
C:\Windows\SysWOW64\Mkaghg32.exeC:\Windows\system32\Mkaghg32.exe33⤵
- Executes dropped EXE
PID:2612 -
C:\Windows\SysWOW64\Mfglep32.exeC:\Windows\system32\Mfglep32.exe34⤵
- Executes dropped EXE
PID:2784 -
C:\Windows\SysWOW64\Miehak32.exeC:\Windows\system32\Miehak32.exe35⤵
- Executes dropped EXE
PID:2428 -
C:\Windows\SysWOW64\Mkddnf32.exeC:\Windows\system32\Mkddnf32.exe36⤵
- Executes dropped EXE
PID:264 -
C:\Windows\SysWOW64\Mnbpjb32.exeC:\Windows\system32\Mnbpjb32.exe37⤵
- Executes dropped EXE
- Modifies registry class
PID:2408 -
C:\Windows\SysWOW64\Mgjebg32.exeC:\Windows\system32\Mgjebg32.exe38⤵
- Executes dropped EXE
PID:1328 -
C:\Windows\SysWOW64\Mndmoaog.exeC:\Windows\system32\Mndmoaog.exe39⤵
- Executes dropped EXE
PID:1184 -
C:\Windows\SysWOW64\Mjkndb32.exeC:\Windows\system32\Mjkndb32.exe40⤵
- Executes dropped EXE
PID:1208 -
C:\Windows\SysWOW64\Mbbfep32.exeC:\Windows\system32\Mbbfep32.exe41⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2912 -
C:\Windows\SysWOW64\Mccbmh32.exeC:\Windows\system32\Mccbmh32.exe42⤵
- Executes dropped EXE
PID:1864 -
C:\Windows\SysWOW64\Mjnjjbbh.exeC:\Windows\system32\Mjnjjbbh.exe43⤵
- Executes dropped EXE
PID:1556 -
C:\Windows\SysWOW64\Nagbgl32.exeC:\Windows\system32\Nagbgl32.exe44⤵
- Executes dropped EXE
PID:2080 -
C:\Windows\SysWOW64\Nhakcfab.exeC:\Windows\system32\Nhakcfab.exe45⤵
- Executes dropped EXE
PID:1940 -
C:\Windows\SysWOW64\Nnkcpq32.exeC:\Windows\system32\Nnkcpq32.exe46⤵
- Executes dropped EXE
PID:1804 -
C:\Windows\SysWOW64\Najpll32.exeC:\Windows\system32\Najpll32.exe47⤵
- Executes dropped EXE
PID:2044 -
C:\Windows\SysWOW64\Njbdea32.exeC:\Windows\system32\Njbdea32.exe48⤵
- Executes dropped EXE
PID:940 -
C:\Windows\SysWOW64\Nmqpam32.exeC:\Windows\system32\Nmqpam32.exe49⤵
- Executes dropped EXE
PID:2324 -
C:\Windows\SysWOW64\Ndkhngdd.exeC:\Windows\system32\Ndkhngdd.exe50⤵
- Executes dropped EXE
PID:2320 -
C:\Windows\SysWOW64\Nbniid32.exeC:\Windows\system32\Nbniid32.exe51⤵
- Executes dropped EXE
PID:1996 -
C:\Windows\SysWOW64\Njdqka32.exeC:\Windows\system32\Njdqka32.exe52⤵
- Executes dropped EXE
PID:3036 -
C:\Windows\SysWOW64\Npaich32.exeC:\Windows\system32\Npaich32.exe53⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2560 -
C:\Windows\SysWOW64\Nbpeoc32.exeC:\Windows\system32\Nbpeoc32.exe54⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2240 -
C:\Windows\SysWOW64\Nenakoho.exeC:\Windows\system32\Nenakoho.exe55⤵
- Executes dropped EXE
PID:2712 -
C:\Windows\SysWOW64\Nlhjhi32.exeC:\Windows\system32\Nlhjhi32.exe56⤵
- Executes dropped EXE
PID:2872 -
C:\Windows\SysWOW64\Noffdd32.exeC:\Windows\system32\Noffdd32.exe57⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2916 -
C:\Windows\SysWOW64\Nfnneb32.exeC:\Windows\system32\Nfnneb32.exe58⤵
- Executes dropped EXE
PID:776 -
C:\Windows\SysWOW64\Oiljam32.exeC:\Windows\system32\Oiljam32.exe59⤵
- Executes dropped EXE
PID:2876 -
C:\Windows\SysWOW64\Olkfmi32.exeC:\Windows\system32\Olkfmi32.exe60⤵
- Executes dropped EXE
PID:536 -
C:\Windows\SysWOW64\Ooicid32.exeC:\Windows\system32\Ooicid32.exe61⤵
- Executes dropped EXE
PID:2780 -
C:\Windows\SysWOW64\Oagoep32.exeC:\Windows\system32\Oagoep32.exe62⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2936 -
C:\Windows\SysWOW64\Oioggmmc.exeC:\Windows\system32\Oioggmmc.exe63⤵
- Executes dropped EXE
- Modifies registry class
PID:2472 -
C:\Windows\SysWOW64\Olmcchlg.exeC:\Windows\system32\Olmcchlg.exe64⤵
- Executes dropped EXE
PID:900 -
C:\Windows\SysWOW64\Oeehln32.exeC:\Windows\system32\Oeehln32.exe65⤵
- Executes dropped EXE
PID:2108 -
C:\Windows\SysWOW64\Olophhjd.exeC:\Windows\system32\Olophhjd.exe66⤵PID:1732
-
C:\Windows\SysWOW64\Okbpde32.exeC:\Windows\system32\Okbpde32.exe67⤵PID:464
-
C:\Windows\SysWOW64\Odmabj32.exeC:\Windows\system32\Odmabj32.exe68⤵
- System Location Discovery: System Language Discovery
PID:2336 -
C:\Windows\SysWOW64\Odmabj32.exeC:\Windows\system32\Odmabj32.exe69⤵PID:2256
-
C:\Windows\SysWOW64\Ohhmcinf.exeC:\Windows\system32\Ohhmcinf.exe70⤵PID:1628
-
C:\Windows\SysWOW64\Okgjodmi.exeC:\Windows\system32\Okgjodmi.exe71⤵PID:3028
-
C:\Windows\SysWOW64\Omefkplm.exeC:\Windows\system32\Omefkplm.exe72⤵PID:3020
-
C:\Windows\SysWOW64\Pdonhj32.exeC:\Windows\system32\Pdonhj32.exe73⤵PID:2124
-
C:\Windows\SysWOW64\Pcbncfjd.exeC:\Windows\system32\Pcbncfjd.exe74⤵PID:2864
-
C:\Windows\SysWOW64\Pkifdd32.exeC:\Windows\system32\Pkifdd32.exe75⤵PID:2836
-
C:\Windows\SysWOW64\Pilfpqaa.exeC:\Windows\system32\Pilfpqaa.exe76⤵PID:2644
-
C:\Windows\SysWOW64\Ppfomk32.exeC:\Windows\system32\Ppfomk32.exe77⤵PID:2664
-
C:\Windows\SysWOW64\Pcdkif32.exeC:\Windows\system32\Pcdkif32.exe78⤵PID:1660
-
C:\Windows\SysWOW64\Pgpgjepk.exeC:\Windows\system32\Pgpgjepk.exe79⤵
- Modifies registry class
PID:372 -
C:\Windows\SysWOW64\Pincfpoo.exeC:\Windows\system32\Pincfpoo.exe80⤵
- Modifies registry class
PID:1492 -
C:\Windows\SysWOW64\Pnjofo32.exeC:\Windows\system32\Pnjofo32.exe81⤵PID:1332
-
C:\Windows\SysWOW64\Pphkbj32.exeC:\Windows\system32\Pphkbj32.exe82⤵
- Drops file in System32 directory
PID:1848 -
C:\Windows\SysWOW64\Pcghof32.exeC:\Windows\system32\Pcghof32.exe83⤵PID:2076
-
C:\Windows\SysWOW64\Peedka32.exeC:\Windows\system32\Peedka32.exe84⤵PID:2204
-
C:\Windows\SysWOW64\Piqpkpml.exeC:\Windows\system32\Piqpkpml.exe85⤵PID:2436
-
C:\Windows\SysWOW64\Plolgk32.exeC:\Windows\system32\Plolgk32.exe86⤵PID:1080
-
C:\Windows\SysWOW64\Pomhcg32.exeC:\Windows\system32\Pomhcg32.exe87⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1640 -
C:\Windows\SysWOW64\Palepb32.exeC:\Windows\system32\Palepb32.exe88⤵PID:1956
-
C:\Windows\SysWOW64\Phfmllbd.exeC:\Windows\system32\Phfmllbd.exe89⤵PID:2040
-
C:\Windows\SysWOW64\Pckajebj.exeC:\Windows\system32\Pckajebj.exe90⤵PID:1888
-
C:\Windows\SysWOW64\Panaeb32.exeC:\Windows\system32\Panaeb32.exe91⤵PID:2840
-
C:\Windows\SysWOW64\Pdmnam32.exeC:\Windows\system32\Pdmnam32.exe92⤵PID:2760
-
C:\Windows\SysWOW64\Pldebkhj.exeC:\Windows\system32\Pldebkhj.exe93⤵
- Modifies registry class
PID:2068 -
C:\Windows\SysWOW64\Qnebjc32.exeC:\Windows\system32\Qnebjc32.exe94⤵PID:828
-
C:\Windows\SysWOW64\Qfljkp32.exeC:\Windows\system32\Qfljkp32.exe95⤵PID:888
-
C:\Windows\SysWOW64\Qhjfgl32.exeC:\Windows\system32\Qhjfgl32.exe96⤵
- Modifies registry class
PID:1968 -
C:\Windows\SysWOW64\Qhjfgl32.exeC:\Windows\system32\Qhjfgl32.exe97⤵PID:1360
-
C:\Windows\SysWOW64\Qkibcg32.exeC:\Windows\system32\Qkibcg32.exe98⤵PID:1896
-
C:\Windows\SysWOW64\Qododfek.exeC:\Windows\system32\Qododfek.exe99⤵PID:836
-
C:\Windows\SysWOW64\Qackpado.exeC:\Windows\system32\Qackpado.exe100⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2496 -
C:\Windows\SysWOW64\Qhmcmk32.exeC:\Windows\system32\Qhmcmk32.exe101⤵PID:2368
-
C:\Windows\SysWOW64\Akkoig32.exeC:\Windows\system32\Akkoig32.exe102⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2932 -
C:\Windows\SysWOW64\Akkoig32.exeC:\Windows\system32\Akkoig32.exe103⤵PID:3016
-
C:\Windows\SysWOW64\Ajnpecbj.exeC:\Windows\system32\Ajnpecbj.exe104⤵PID:2696
-
C:\Windows\SysWOW64\Anjlebjc.exeC:\Windows\system32\Anjlebjc.exe105⤵PID:2700
-
C:\Windows\SysWOW64\Aqhhanig.exeC:\Windows\system32\Aqhhanig.exe106⤵PID:2608
-
C:\Windows\SysWOW64\Agbpnh32.exeC:\Windows\system32\Agbpnh32.exe107⤵PID:2488
-
C:\Windows\SysWOW64\Anlhkbhq.exeC:\Windows\system32\Anlhkbhq.exe108⤵PID:1072
-
C:\Windows\SysWOW64\Amohfo32.exeC:\Windows\system32\Amohfo32.exe109⤵PID:1156
-
C:\Windows\SysWOW64\Agdmdg32.exeC:\Windows\system32\Agdmdg32.exe110⤵
- System Location Discovery: System Language Discovery
PID:2940 -
C:\Windows\SysWOW64\Afgmodel.exeC:\Windows\system32\Afgmodel.exe111⤵PID:760
-
C:\Windows\SysWOW64\Anneqafn.exeC:\Windows\system32\Anneqafn.exe112⤵PID:2032
-
C:\Windows\SysWOW64\Aqmamm32.exeC:\Windows\system32\Aqmamm32.exe113⤵PID:892
-
C:\Windows\SysWOW64\Aopahjll.exeC:\Windows\system32\Aopahjll.exe114⤵PID:2512
-
C:\Windows\SysWOW64\Ackmih32.exeC:\Windows\system32\Ackmih32.exe115⤵
- Drops file in System32 directory
PID:2288 -
C:\Windows\SysWOW64\Aggiigmn.exeC:\Windows\system32\Aggiigmn.exe116⤵PID:2364
-
C:\Windows\SysWOW64\Ajeeeblb.exeC:\Windows\system32\Ajeeeblb.exe117⤵PID:2812
-
C:\Windows\SysWOW64\Aihfap32.exeC:\Windows\system32\Aihfap32.exe118⤵
- Modifies registry class
PID:3056 -
C:\Windows\SysWOW64\Aqonbm32.exeC:\Windows\system32\Aqonbm32.exe119⤵
- Drops file in System32 directory
PID:568 -
C:\Windows\SysWOW64\Aobnniji.exeC:\Windows\system32\Aobnniji.exe120⤵PID:2676
-
C:\Windows\SysWOW64\Abpjjeim.exeC:\Windows\system32\Abpjjeim.exe121⤵PID:2184
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-