Analysis
max time kernel: 91s
max time network: 20s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 06/09/2024, 16:25
Static task: static1
Behavioral task: behavioral1
  Sample: c459a3bcfc6e7f36f32ffb94406095c0N.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: c459a3bcfc6e7f36f32ffb94406095c0N.exe
  Resource: win10v2004-20240802-en
General
Target: c459a3bcfc6e7f36f32ffb94406095c0N.exe
Size: 314KB
MD5: c459a3bcfc6e7f36f32ffb94406095c0
SHA1: 5724ca709e5f21980fa589524b219f6742423567
SHA256: 02c2c8c27d8c9fa9cba4a04d954e27bd654e0639373fbe7ea6a5ce5853ffebb5
SHA512: 747e3b8ecea4f2e17841feada0483c1fad14ea7705f3b8b094de29403502b59df54a131f772b6a79869a9bcf395099872c2fb484ae4173d33a882325a3e677be
SSDEEP: 6144:ekOJgNjkj6MB8MhjwszeXmr8SeNpgdyuH1lFDjC:edg06Najb87gP3C
Malware Config
Signatures
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
Executes dropped EXE 64 IoCs
Loads dropped DLL 64 IoCs
Drops file in System32 directory 64 IoCs
Program crash 1 IoCs
pid: 4260 | pid_target: 1660 | Process: Process not Found | procid_target: 1282
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim host in order to infer that host's geographical location.
Modifies registry class 64 IoCs
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target
PID 2364 wrote to memory of 2336 | 2364 | c459a3bcfc6e7f36f32ffb94406095c0N.exe | 29
PID 2364 wrote to memory of 2336 | 2364 | c459a3bcfc6e7f36f32ffb94406095c0N.exe | 29
PID 2364 wrote to memory of 2336 | 2364 | c459a3bcfc6e7f36f32ffb94406095c0N.exe | 29
PID 2364 wrote to memory of 2336 | 2364 | c459a3bcfc6e7f36f32ffb94406095c0N.exe | 29
PID 2336 wrote to memory of 2780 | 2336 | Boiagp32.exe | 30
PID 2336 wrote to memory of 2780 | 2336 | Boiagp32.exe | 30
PID 2336 wrote to memory of 2780 | 2336 | Boiagp32.exe | 30
PID 2336 wrote to memory of 2780 | 2336 | Boiagp32.exe | 30
PID 2780 wrote to memory of 2744 | 2780 | Cnnohmog.exe | 31
PID 2780 wrote to memory of 2744 | 2780 | Cnnohmog.exe | 31
PID 2780 wrote to memory of 2744 | 2780 | Cnnohmog.exe | 31
PID 2780 wrote to memory of 2744 | 2780 | Cnnohmog.exe | 31
PID 2744 wrote to memory of 2824 | 2744 | Cgmiba32.exe | 32
PID 2744 wrote to memory of 2824 | 2744 | Cgmiba32.exe | 32
PID 2744 wrote to memory of 2824 | 2744 | Cgmiba32.exe | 32
PID 2744 wrote to memory of 2824 | 2744 | Cgmiba32.exe | 32
PID 2824 wrote to memory of 2776 | 2824 | Dbighojl.exe | 33
PID 2824 wrote to memory of 2776 | 2824 | Dbighojl.exe | 33
PID 2824 wrote to memory of 2776 | 2824 | Dbighojl.exe | 33
PID 2824 wrote to memory of 2776 | 2824 | Dbighojl.exe | 33
PID 2776 wrote to memory of 2672 | 2776 | Domgache.exe | 34
PID 2776 wrote to memory of 2672 | 2776 | Domgache.exe | 34
PID 2776 wrote to memory of 2672 | 2776 | Domgache.exe | 34
PID 2776 wrote to memory of 2672 | 2776 | Domgache.exe | 34
PID 2672 wrote to memory of 1524 | 2672 | Dkdhfdnj.exe | 35
PID 2672 wrote to memory of 1524 | 2672 | Dkdhfdnj.exe | 35
PID 2672 wrote to memory of 1524 | 2672 | Dkdhfdnj.exe | 35
PID 2672 wrote to memory of 1524 | 2672 | Dkdhfdnj.exe | 35
PID 1524 wrote to memory of 2116 | 1524 | Eqjceidf.exe | 36
PID 1524 wrote to memory of 2116 | 1524 | Eqjceidf.exe | 36
PID 1524 wrote to memory of 2116 | 1524 | Eqjceidf.exe | 36
PID 1524 wrote to memory of 2116 | 1524 | Eqjceidf.exe | 36
PID 2116 wrote to memory of 560 | 2116 | Endmgb32.exe | 37
PID 2116 wrote to memory of 560 | 2116 | Endmgb32.exe | 37
PID 2116 wrote to memory of 560 | 2116 | Endmgb32.exe | 37
PID 2116 wrote to memory of 560 | 2116 | Endmgb32.exe | 37
PID 560 wrote to memory of 1312 | 560 | Filnjk32.exe | 38
PID 560 wrote to memory of 1312 | 560 | Filnjk32.exe | 38
PID 560 wrote to memory of 1312 | 560 | Filnjk32.exe | 38
PID 560 wrote to memory of 1312 | 560 | Filnjk32.exe | 38
PID 1312 wrote to memory of 1080 | 1312 | Fdkheh32.exe | 39
PID 1312 wrote to memory of 1080 | 1312 | Fdkheh32.exe | 39
PID 1312 wrote to memory of 1080 | 1312 | Fdkheh32.exe | 39
PID 1312 wrote to memory of 1080 | 1312 | Fdkheh32.exe | 39
PID 1080 wrote to memory of 2568 | 1080 | Gfnnmboa.exe | 40
PID 1080 wrote to memory of 2568 | 1080 | Gfnnmboa.exe | 40
PID 1080 wrote to memory of 2568 | 1080 | Gfnnmboa.exe | 40
PID 1080 wrote to memory of 2568 | 1080 | Gfnnmboa.exe | 40
PID 2568 wrote to memory of 1960 | 2568 | Gajlcp32.exe | 41
PID 2568 wrote to memory of 1960 | 2568 | Gajlcp32.exe | 41
PID 2568 wrote to memory of 1960 | 2568 | Gajlcp32.exe | 41
PID 2568 wrote to memory of 1960 | 2568 | Gajlcp32.exe | 41
PID 1960 wrote to memory of 2996 | 1960 | Gonlld32.exe | 42
PID 1960 wrote to memory of 2996 | 1960 | Gonlld32.exe | 42
PID 1960 wrote to memory of 2996 | 1960 | Gonlld32.exe | 42
PID 1960 wrote to memory of 2996 | 1960 | Gonlld32.exe | 42
PID 2996 wrote to memory of 2256 | 2996 | Hdakej32.exe | 43
PID 2996 wrote to memory of 2256 | 2996 | Hdakej32.exe | 43
PID 2996 wrote to memory of 2256 | 2996 | Hdakej32.exe | 43
PID 2996 wrote to memory of 2256 | 2996 | Hdakej32.exe | 43
PID 2256 wrote to memory of 1788 | 2256 | Ipkhpk32.exe | 44
PID 2256 wrote to memory of 1788 | 2256 | Ipkhpk32.exe | 44
PID 2256 wrote to memory of 1788 | 2256 | Ipkhpk32.exe | 44
PID 2256 wrote to memory of 1788 | 2256 | Ipkhpk32.exe | 44
Processes
-
Depth 1: C:\Users\Admin\AppData\Local\Temp\c459a3bcfc6e7f36f32ffb94406095c0N.exe (PID:2364)
Command line: "C:\Users\Admin\AppData\Local\Temp\c459a3bcfc6e7f36f32ffb94406095c0N.exe"
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
Depth 2: C:\Windows\SysWOW64\Boiagp32.exe (PID:2336)
Command line: C:\Windows\system32\Boiagp32.exe
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
Depth 3: C:\Windows\SysWOW64\Cnnohmog.exe (PID:2780)
Command line: C:\Windows\system32\Cnnohmog.exe
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
Depth 4: C:\Windows\SysWOW64\Cgmiba32.exe (PID:2744)
Command line: C:\Windows\system32\Cgmiba32.exe
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
Depth 5: C:\Windows\SysWOW64\Dbighojl.exe (PID:2824)
Command line: C:\Windows\system32\Dbighojl.exe
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
Depth 6: C:\Windows\SysWOW64\Domgache.exe (PID:2776)
Command line: C:\Windows\system32\Domgache.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
Depth 7: C:\Windows\SysWOW64\Dkdhfdnj.exe (PID:2672)
Command line: C:\Windows\system32\Dkdhfdnj.exe
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
Depth 8: C:\Windows\SysWOW64\Eqjceidf.exe (PID:1524)
Command line: C:\Windows\system32\Eqjceidf.exe
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
Depth 9: C:\Windows\SysWOW64\Endmgb32.exe (PID:2116)
Command line: C:\Windows\system32\Endmgb32.exe
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
Depth 10: C:\Windows\SysWOW64\Filnjk32.exe (PID:560)
Command line: C:\Windows\system32\Filnjk32.exe
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
Depth 11: C:\Windows\SysWOW64\Fdkheh32.exe (PID:1312)
Command line: C:\Windows\system32\Fdkheh32.exe
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
Depth 12: C:\Windows\SysWOW64\Gfnnmboa.exe (PID:1080)
Command line: C:\Windows\system32\Gfnnmboa.exe
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
Depth 13: C:\Windows\SysWOW64\Gajlcp32.exe (PID:2568)
Command line: C:\Windows\system32\Gajlcp32.exe
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
Depth 14: C:\Windows\SysWOW64\Gonlld32.exe (PID:1960)
Command line: C:\Windows\system32\Gonlld32.exe
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
Depth 15: C:\Windows\SysWOW64\Hdakej32.exe (PID:2996)
Command line: C:\Windows\system32\Hdakej32.exe
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
Depth 16: C:\Windows\SysWOW64\Ipkhpk32.exe (PID:2256)
Command line: C:\Windows\system32\Ipkhpk32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
Depth 17: C:\Windows\SysWOW64\Icnngeof.exe (PID:1788)
Command line: C:\Windows\system32\Icnngeof.exe
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
Depth 18: C:\Windows\SysWOW64\Ifngiqlg.exe (PID:2280)
Command line: C:\Windows\system32\Ifngiqlg.exe
- Executes dropped EXE
- Loads dropped DLL
Depth 19: C:\Windows\SysWOW64\Jjqlbdog.exe (PID:1928)
Command line: C:\Windows\system32\Jjqlbdog.exe
- Executes dropped EXE
- Loads dropped DLL
Depth 20: C:\Windows\SysWOW64\Jobnej32.exe (PID:1940)
Command line: C:\Windows\system32\Jobnej32.exe
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
Depth 21: C:\Windows\SysWOW64\Kcbcah32.exe (PID:1540)
Command line: C:\Windows\system32\Kcbcah32.exe
- Executes dropped EXE
- Loads dropped DLL
Depth 22: C:\Windows\SysWOW64\Kmjhjndm.exe (PID:600)
Command line: C:\Windows\system32\Kmjhjndm.exe
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
Depth 23: C:\Windows\SysWOW64\Knqnmeff.exe (PID:1276)
Command line: C:\Windows\system32\Knqnmeff.exe
- Executes dropped EXE
- Loads dropped DLL
Depth 24: C:\Windows\SysWOW64\Kcmfeldm.exe (PID:3048)
Command line: C:\Windows\system32\Kcmfeldm.exe
- Executes dropped EXE
- Loads dropped DLL
Depth 25: C:\Windows\SysWOW64\Lhnlqjha.exe (PID:848)
Command line: C:\Windows\system32\Lhnlqjha.exe
- Executes dropped EXE
- Loads dropped DLL
Depth 26: C:\Windows\SysWOW64\Lpiqel32.exe (PID:2136)
Command line: C:\Windows\system32\Lpiqel32.exe
- Executes dropped EXE
- Loads dropped DLL
Depth 27: C:\Windows\SysWOW64\Lpmjplag.exe (PID:1692)
Command line: C:\Windows\system32\Lpmjplag.exe
- Executes dropped EXE
- Loads dropped DLL
Depth 28: C:\Windows\SysWOW64\Lifoia32.exe (PID:2972)
Command line: C:\Windows\system32\Lifoia32.exe
- Executes dropped EXE
- Loads dropped DLL
Depth 29: C:\Windows\SysWOW64\Memonbnl.exe (PID:2700)
Command line: C:\Windows\system32\Memonbnl.exe
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
Depth 30: C:\Windows\SysWOW64\Mmjqhd32.exe (PID:2896)
Command line: C:\Windows\system32\Mmjqhd32.exe
- Executes dropped EXE
- Loads dropped DLL
Depth 31: C:\Windows\SysWOW64\Mddidnqa.exe (PID:2900)
Command line: C:\Windows\system32\Mddidnqa.exe
- Executes dropped EXE
- Loads dropped DLL
Depth 32: C:\Windows\SysWOW64\Mpkjjofe.exe (PID:2884)
Command line: C:\Windows\system32\Mpkjjofe.exe
- Executes dropped EXE
- Loads dropped DLL
Depth 33: C:\Windows\SysWOW64\Mpmfoodb.exe (PID:2952)
Command line: C:\Windows\system32\Mpmfoodb.exe
- Executes dropped EXE
Depth 34: C:\Windows\SysWOW64\Nppceo32.exe (PID:2488)
Command line: C:\Windows\system32\Nppceo32.exe
- Executes dropped EXE
- System Location Discovery: System Language Discovery
Depth 35: C:\Windows\SysWOW64\Neohbe32.exe (PID:2932)
Command line: C:\Windows\system32\Neohbe32.exe
- Executes dropped EXE
Depth 36: C:\Windows\SysWOW64\Nhpadpke.exe (PID:2500)
Command line: C:\Windows\system32\Nhpadpke.exe
- Executes dropped EXE
Depth 37: C:\Windows\SysWOW64\Oggkklnk.exe (PID:1144)
Command line: C:\Windows\system32\Oggkklnk.exe
- Executes dropped EXE
Depth 38: C:\Windows\SysWOW64\Opoocb32.exe (PID:1176)
Command line: C:\Windows\system32\Opoocb32.exe
- Executes dropped EXE
Depth 39: C:\Windows\SysWOW64\Odpeop32.exe (PID:2940)
Command line: C:\Windows\system32\Odpeop32.exe
- Executes dropped EXE
- Modifies registry class
Depth 40: C:\Windows\SysWOW64\Onhihepp.exe (PID:1556)
Command line: C:\Windows\system32\Onhihepp.exe
- Executes dropped EXE
Depth 41: C:\Windows\SysWOW64\Ohajic32.exe (PID:1712)
Command line: C:\Windows\system32\Ohajic32.exe
- Executes dropped EXE
Depth 42: C:\Windows\SysWOW64\Pcgnfl32.exe (PID:2264)
Command line: C:\Windows\system32\Pcgnfl32.exe
- Executes dropped EXE
Depth 43: C:\Windows\SysWOW64\Pfhghgie.exe (PID:1980)
Command line: C:\Windows\system32\Pfhghgie.exe
- Executes dropped EXE
Depth 44: C:\Windows\SysWOW64\Pmbpda32.exe (PID:2404)
Command line: C:\Windows\system32\Pmbpda32.exe
- Executes dropped EXE
Depth 45: C:\Windows\SysWOW64\Pfjdmggb.exe (PID:1104)
Command line: C:\Windows\system32\Pfjdmggb.exe
- Executes dropped EXE
Depth 46: C:\Windows\SysWOW64\Peoanckj.exe (PID:1688)
Command line: C:\Windows\system32\Peoanckj.exe
- Executes dropped EXE
Depth 47: C:\Windows\SysWOW64\Pbcahgjd.exe (PID:1336)
Command line: C:\Windows\system32\Pbcahgjd.exe
- Executes dropped EXE
- Drops file in System32 directory
Depth 48: C:\Windows\SysWOW64\Qklfqm32.exe (PID:1984)
Command line: C:\Windows\system32\Qklfqm32.exe
- Executes dropped EXE
Depth 49: C:\Windows\SysWOW64\Qcgkeonp.exe (PID:3032)
Command line: C:\Windows\system32\Qcgkeonp.exe
- Executes dropped EXE
Depth 50: C:\Windows\SysWOW64\Qakkncmi.exe (PID:1636)
Command line: C:\Windows\system32\Qakkncmi.exe
- Executes dropped EXE
Depth 51: C:\Windows\SysWOW64\Aamhdckg.exe (PID:1736)
Command line: C:\Windows\system32\Aamhdckg.exe
- Executes dropped EXE
Depth 52: C:\Windows\SysWOW64\Acnqen32.exe (PID:344)
Command line: C:\Windows\system32\Acnqen32.exe
- Executes dropped EXE
Depth 53: C:\Windows\SysWOW64\Ahpfoa32.exe (PID:2544)
Command line: C:\Windows\system32\Ahpfoa32.exe
- Executes dropped EXE
Depth 54: C:\Windows\SysWOW64\Aedghf32.exe (PID:2828)
Command line: C:\Windows\system32\Aedghf32.exe
- Executes dropped EXE
Depth 55: C:\Windows\SysWOW64\Ajqoqm32.exe (PID:2608)
Command line: C:\Windows\system32\Ajqoqm32.exe
- Executes dropped EXE
- Modifies registry class
Depth 56: C:\Windows\SysWOW64\Bhdpjaga.exe (PID:1664)
Command line: C:\Windows\system32\Bhdpjaga.exe
- Executes dropped EXE
Depth 57: C:\Windows\SysWOW64\Bmahbhei.exe (PID:2044)
Command line: C:\Windows\system32\Bmahbhei.exe
- Executes dropped EXE
- Drops file in System32 directory
Depth 58: C:\Windows\SysWOW64\Boadlk32.exe (PID:2944)
Command line: C:\Windows\system32\Boadlk32.exe
- Executes dropped EXE
Depth 59: C:\Windows\SysWOW64\Bfliqmjg.exe (PID:1720)
Command line: C:\Windows\system32\Bfliqmjg.exe
- Executes dropped EXE
Depth 60: C:\Windows\SysWOW64\Cefpmiji.exe (PID:2076)
Command line: C:\Windows\system32\Cefpmiji.exe
- Executes dropped EXE
- Modifies registry class
Depth 61: C:\Windows\SysWOW64\Ckgapo32.exe (PID:2580)
Command line: C:\Windows\system32\Ckgapo32.exe
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
Depth 62: C:\Windows\SysWOW64\Cdpfiekl.exe (PID:2344)
Command line: C:\Windows\system32\Cdpfiekl.exe
- Executes dropped EXE
Depth 63: C:\Windows\SysWOW64\Dlpdifda.exe (PID:1088)
Command line: C:\Windows\system32\Dlpdifda.exe
- Executes dropped EXE
Depth 64: C:\Windows\SysWOW64\Djddbkck.exe (PID:2244)
Command line: C:\Windows\system32\Djddbkck.exe
- Executes dropped EXE
Depth 65: C:\Windows\SysWOW64\Dpnmoe32.exe (PID:1932)
Command line: C:\Windows\system32\Dpnmoe32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
Depth 66: C:\Windows\SysWOW64\Dfjegl32.exe (PID:764)
Command line: C:\Windows\system32\Dfjegl32.exe
Depth 67: C:\Windows\SysWOW64\Dppiddie.exe (PID:1704)
Command line: C:\Windows\system32\Dppiddie.exe
Depth 68: C:\Windows\SysWOW64\Dhknigfq.exe (PID:2172)
Command line: C:\Windows\system32\Dhknigfq.exe
Depth 69: C:\Windows\SysWOW64\Ecabfpff.exe (PID:824)
Command line: C:\Windows\system32\Ecabfpff.exe
Depth 70: C:\Windows\SysWOW64\Ebfpglkn.exe (PID:2448)
Command line: C:\Windows\system32\Ebfpglkn.exe
- System Location Discovery: System Language Discovery
Depth 71: C:\Windows\SysWOW64\Ebhlmlhl.exe (PID:1700)
Command line: C:\Windows\system32\Ebhlmlhl.exe
Depth 72: C:\Windows\SysWOW64\Egedebgc.exe (PID:900)
Command line: C:\Windows\system32\Egedebgc.exe
Depth 73: C:\Windows\SysWOW64\Ebkibk32.exe (PID:2792)
Command line: C:\Windows\system32\Ebkibk32.exe
Depth 74: C:\Windows\SysWOW64\Ekcmkamj.exe (PID:1036)
Command line: C:\Windows\system32\Ekcmkamj.exe
Depth 75: C:\Windows\SysWOW64\Eqpfchka.exe (PID:2748)
Command line: C:\Windows\system32\Eqpfchka.exe
Depth 76: C:\Windows\SysWOW64\Fndfmljk.exe (PID:2416)
Command line: C:\Windows\system32\Fndfmljk.exe
- Modifies registry class
Depth 77: C:\Windows\SysWOW64\Ffokan32.exe (PID:2380)
Command line: C:\Windows\system32\Ffokan32.exe
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
Depth 78: C:\Windows\SysWOW64\Fqdong32.exe (PID:1920)
Command line: C:\Windows\system32\Fqdong32.exe
Depth 79: C:\Windows\SysWOW64\Fipdci32.exe (PID:1180)
Command line: C:\Windows\system32\Fipdci32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
Depth 80: C:\Windows\SysWOW64\Fbhhlo32.exe (PID:440)
Command line: C:\Windows\system32\Fbhhlo32.exe
Depth 81: C:\Windows\SysWOW64\Flqmddah.exe (PID:1752)
Command line: C:\Windows\system32\Flqmddah.exe
Depth 82: C:\Windows\SysWOW64\Fidmniqa.exe (PID:2228)
Command line: C:\Windows\system32\Fidmniqa.exe
Depth 83: C:\Windows\SysWOW64\Fpnekc32.exe (PID:2272)
Command line: C:\Windows\system32\Fpnekc32.exe
Depth 84: C:\Windows\SysWOW64\Gekncjfe.exe (PID:2496)
Command line: C:\Windows\system32\Gekncjfe.exe
Depth 85: C:\Windows\SysWOW64\Gboolneo.exe (PID:1016)
Command line: C:\Windows\system32\Gboolneo.exe
Depth 86: C:\Windows\SysWOW64\Gdpkdf32.exe (PID:956)
Command line: C:\Windows\system32\Gdpkdf32.exe
Depth 87: C:\Windows\SysWOW64\Gmipmlan.exe (PID:2980)
Command line: C:\Windows\system32\Gmipmlan.exe
Depth 88: C:\Windows\SysWOW64\Ghndjd32.exe (PID:828)
Command line: C:\Windows\system32\Ghndjd32.exe
Depth 89: C:\Windows\SysWOW64\Gnhlgoia.exe (PID:2516)
Command line: C:\Windows\system32\Gnhlgoia.exe
- Modifies registry class
Depth 90: C:\Windows\SysWOW64\Ghqqpd32.exe (PID:784)
Command line: C:\Windows\system32\Ghqqpd32.exe
Depth 91: C:\Windows\SysWOW64\Gmmihk32.exe (PID:3000)
Command line: C:\Windows\system32\Gmmihk32.exe
Depth 92: C:\Windows\SysWOW64\Hmpemkkf.exe (PID:2716)
Command line: C:\Windows\system32\Hmpemkkf.exe
Depth 93: C:\Windows\SysWOW64\Hbmnfajm.exe (PID:2084)
Command line: C:\Windows\system32\Hbmnfajm.exe
Depth 94: C:\Windows\SysWOW64\Hpqoofhg.exe (PID:1388)
Command line: C:\Windows\system32\Hpqoofhg.exe
Depth 95: C:\Windows\SysWOW64\Hfjglppd.exe (PID:1000)
Command line: C:\Windows\system32\Hfjglppd.exe
Depth 96: C:\Windows\SysWOW64\Hpckee32.exe (PID:2032)
Command line: C:\Windows\system32\Hpckee32.exe
Depth 97: C:\Windows\SysWOW64\Hepdml32.exe (PID:1488)
Command line: C:\Windows\system32\Hepdml32.exe
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
Depth 98: C:\Windows\SysWOW64\Hbcdfq32.exe (PID:2368)
Command line: C:\Windows\system32\Hbcdfq32.exe
Depth 99: C:\Windows\SysWOW64\Hinlck32.exe (PID:684)
Command line: C:\Windows\system32\Hinlck32.exe
Depth 100: C:\Windows\SysWOW64\Hkoikcaq.exe (PID:1468)
Command line: C:\Windows\system32\Hkoikcaq.exe
Depth 101: C:\Windows\SysWOW64\Iedmhlqf.exe (PID:2520)
Command line: C:\Windows\system32\Iedmhlqf.exe
Depth 102: C:\Windows\SysWOW64\Iaknmm32.exe (PID:1640)
Command line: C:\Windows\system32\Iaknmm32.exe
- System Location Discovery: System Language Discovery
Depth 103: C:\Windows\SysWOW64\Ighfecdb.exe (PID:864)
Command line: C:\Windows\system32\Ighfecdb.exe
Depth 104: C:\Windows\SysWOW64\Ihgcof32.exe (PID:1460)
Command line: C:\Windows\system32\Ihgcof32.exe
Depth 105: C:\Windows\SysWOW64\Iapghlbe.exe (PID:2728)
Command line: C:\Windows\system32\Iapghlbe.exe
Depth 106: C:\Windows\SysWOW64\Ijklmn32.exe (PID:2964)
Command line: C:\Windows\system32\Ijklmn32.exe
Depth 107: C:\Windows\SysWOW64\Idqpjg32.exe (PID:1648)
Command line: C:\Windows\system32\Idqpjg32.exe
Depth 108: C:\Windows\SysWOW64\Jlleni32.exe (PID:1860)
Command line: C:\Windows\system32\Jlleni32.exe
Depth 109: C:\Windows\SysWOW64\Jfdigocb.exe (PID:2064)
Command line: C:\Windows\system32\Jfdigocb.exe
- Drops file in System32 directory
Depth 110: C:\Windows\SysWOW64\Jpjndh32.exe (PID:2384)
Command line: C:\Windows\system32\Jpjndh32.exe
- Drops file in System32 directory
Depth 111: C:\Windows\SysWOW64\Jakjlpif.exe (PID:1056)
Command line: C:\Windows\system32\Jakjlpif.exe
Depth 112: C:\Windows\SysWOW64\Jlqniihl.exe (PID:1812)
Command line: C:\Windows\system32\Jlqniihl.exe
Depth 113: C:\Windows\SysWOW64\Jdlcnkfg.exe (PID:592)
Command line: C:\Windows\system32\Jdlcnkfg.exe
Depth 114: C:\Windows\SysWOW64\Jhjldiln.exe (PID:884)
Command line: C:\Windows\system32\Jhjldiln.exe
Depth 115: C:\Windows\SysWOW64\Jocdqc32.exe (PID:268)
Command line: C:\Windows\system32\Jocdqc32.exe
Depth 116: C:\Windows\SysWOW64\Jdpmij32.exe (PID:2200)
Command line: C:\Windows\system32\Jdpmij32.exe
Depth 117: C:\Windows\SysWOW64\Kgaejeoc.exe (PID:2880)
Command line: C:\Windows\system32\Kgaejeoc.exe
- Drops file in System32 directory
Depth 118: C:\Windows\SysWOW64\Kqijck32.exe (PID:2104)
Command line: C:\Windows\system32\Kqijck32.exe
Depth 119: C:\Windows\SysWOW64\Kjbnlqld.exe (PID:3044)
Command line: C:\Windows\system32\Kjbnlqld.exe
Depth 120: C:\Windows\SysWOW64\Kjdkap32.exe (PID:2844)
Command line: C:\Windows\system32\Kjdkap32.exe
Depth 121: C:\Windows\SysWOW64\Koacjg32.exe (PID:368)
Command line: C:\Windows\system32\Koacjg32.exe
Depth 122: C:\Windows\SysWOW64\Kmedck32.exe (PID:2252)
Command line: C:\Windows\system32\Kmedck32.exe
- Drops file in System32 directory