Analysis
-
max time kernel
150s -
max time network
19s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
12-09-2024 19:37
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
19edf4d6800f59e925f5a41f4d209848b1008e9a5b483f92a01d0ac7433ff978.exe
Resource
win7-20240903-en
windows7-x64
9 signatures
150 seconds
Behavioral task
behavioral2
Sample
19edf4d6800f59e925f5a41f4d209848b1008e9a5b483f92a01d0ac7433ff978.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
7 signatures
150 seconds
General
-
Target
19edf4d6800f59e925f5a41f4d209848b1008e9a5b483f92a01d0ac7433ff978.exe
-
Size
340KB
-
MD5
873eb14345bd0c2d269ecc6fb5fdb869
-
SHA1
5abe88bc34004a2bfa9f52792e065b456809fb91
-
SHA256
19edf4d6800f59e925f5a41f4d209848b1008e9a5b483f92a01d0ac7433ff978
-
SHA512
9021579e54bf41419c027904c35c2ded062d8a768d810fbe911e255f6911ca44d561c34da351fee60fdeace51ed22c0b8d87e609cffe1b6a2ec5cedc9907bae6
-
SSDEEP
6144:6QX6aCxsIyedZwlNPjLs+H8rtMsQBJyJyymeH:OvyGZwlNPjLYRMsXJvmeH
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gmacmkje.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gfjjoi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pfdcjnbn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Agioab32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bioddj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cjjdaqbc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Danblfmk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hcbogk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dfhjmpam.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ncafemqk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ehiojb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hbnccgoq.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ponokmah.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Impdeg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ihinkn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cdbfanao.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pigiah32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fdhnfmmb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hilbfc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Giolpo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hcpejd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pndoqf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hegdkkje.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hegdkkje.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dlcjlh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pncgjl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Glkjif32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Imenpfap.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nnghjm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gfjjoi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gdgadeee.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Degage32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jjfiap32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ganiah32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ipipllec.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dmklikob.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iddieoqi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pdlmnm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hbjjfl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pkpboe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fadoqc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eqejjj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ikcbfb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jnmlgpeo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Llnhikkb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bdjgnp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ijeiplcg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pohngd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aedldh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cpnchjpa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jgmnhojl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hbfdoi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bcgegb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cafidj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jakjlpif.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ppkahi32.exe -
Executes dropped EXE 64 IoCs
pid Process 2356 Dkookd32.exe 2248 Ddgcdjip.exe 2736 Eqejjj32.exe 2972 Emogdk32.exe 2572 Fgmaphdg.exe 2640 Fhonegbd.exe 1720 Fnkchahn.exe 2420 Fnnpma32.exe 2432 Gaoiol32.exe 2560 Glhjpjok.exe 1860 Goicaell.exe 2328 Gbglgcbc.exe 1752 Galhhp32.exe 2996 Hkdmaenk.exe 2176 Hobfgcdb.exe 1096 Hpfoekhm.exe 2548 Hcghffen.exe 776 Igdqmeke.exe 1560 Ilcfjkgj.exe 1528 Iackhb32.exe 2316 Iqhhin32.exe 316 Jciaki32.exe 2424 Jfijmdbh.exe 1300 Jijbnppi.exe 2096 Jmhkdnfp.exe 2852 Koidficq.exe 2780 Kamncagl.exe 2812 Lfeegfkf.exe 1824 Mbqpgf32.exe 2600 Mkldli32.exe 2956 Mknaahhn.exe 2236 Mpmfoodb.exe 3068 Nppceo32.exe 1032 Nliqoofa.exe 2436 Nlkmeo32.exe 2128 Nolffjap.exe 1700 Oaolne32.exe 1392 Onelbfab.exe 108 Onhihepp.exe 2112 Ohajic32.exe 2020 Ponokmah.exe 1292 Pdkgcd32.exe 2136 Pbohmh32.exe 2968 Pgkqeo32.exe 2412 Peoanckj.exe 2292 Pafacd32.exe 2500 Qmmbhegc.exe 392 Qcigjolm.exe 880 Aifpcfjd.exe 1696 Afjplj32.exe 2816 Aflmbj32.exe 2800 Amfeodoh.exe 2592 Ahpfoa32.exe 1680 Anjnllbd.exe 2460 Ajqoqm32.exe 1744 Befcne32.exe 612 Bhglpqeo.exe 1548 Boadlk32.exe 2092 Bkheal32.exe 1052 Bbcjfn32.exe 1712 Bmhncg32.exe 1684 Clnkdc32.exe 1648 Clphjc32.exe 2172 Cidhcg32.exe -
Loads dropped DLL 64 IoCs
pid Process 904 19edf4d6800f59e925f5a41f4d209848b1008e9a5b483f92a01d0ac7433ff978.exe 904 19edf4d6800f59e925f5a41f4d209848b1008e9a5b483f92a01d0ac7433ff978.exe 2356 Dkookd32.exe 2356 Dkookd32.exe 2248 Ddgcdjip.exe 2248 Ddgcdjip.exe 2736 Eqejjj32.exe 2736 Eqejjj32.exe 2972 Emogdk32.exe 2972 Emogdk32.exe 2572 Fgmaphdg.exe 2572 Fgmaphdg.exe 2640 Fhonegbd.exe 2640 Fhonegbd.exe 1720 Fnkchahn.exe 1720 Fnkchahn.exe 2420 Fnnpma32.exe 2420 Fnnpma32.exe 2432 Gaoiol32.exe 2432 Gaoiol32.exe 2560 Glhjpjok.exe 2560 Glhjpjok.exe 1860 Goicaell.exe 1860 Goicaell.exe 2328 Gbglgcbc.exe 2328 Gbglgcbc.exe 1752 Galhhp32.exe 1752 Galhhp32.exe 2996 Hkdmaenk.exe 2996 Hkdmaenk.exe 2176 Hobfgcdb.exe 2176 Hobfgcdb.exe 1096 Hpfoekhm.exe 1096 Hpfoekhm.exe 2548 Hcghffen.exe 2548 Hcghffen.exe 776 Igdqmeke.exe 776 Igdqmeke.exe 1560 Ilcfjkgj.exe 1560 Ilcfjkgj.exe 1528 Iackhb32.exe 1528 Iackhb32.exe 2316 Iqhhin32.exe 2316 Iqhhin32.exe 316 Jciaki32.exe 316 Jciaki32.exe 2424 Jfijmdbh.exe 2424 Jfijmdbh.exe 1300 Jijbnppi.exe 1300 Jijbnppi.exe 2096 Jmhkdnfp.exe 2096 Jmhkdnfp.exe 2852 Koidficq.exe 2852 Koidficq.exe 2780 Kamncagl.exe 2780 Kamncagl.exe 2812 Lfeegfkf.exe 2812 Lfeegfkf.exe 1824 Mbqpgf32.exe 1824 Mbqpgf32.exe 2600 Mkldli32.exe 2600 Mkldli32.exe 2956 Mknaahhn.exe 2956 Mknaahhn.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Dkmqhdfi.exe Dkkdcd32.exe File opened for modification C:\Windows\SysWOW64\Mfgpfmoa.exe Process not Found File created C:\Windows\SysWOW64\Pmcdmaqg.dll Process not Found File created C:\Windows\SysWOW64\Ponokmah.exe Ohajic32.exe File opened for modification C:\Windows\SysWOW64\Aflmbj32.exe Afjplj32.exe File created C:\Windows\SysWOW64\Hobfgcdb.exe Hkdmaenk.exe File created C:\Windows\SysWOW64\Lnflif32.exe Ldngqqjh.exe File created C:\Windows\SysWOW64\Lggedfpo.dll Ilekgamm.exe File created C:\Windows\SysWOW64\Odnngfpe.exe Ogjmnbak.exe File created C:\Windows\SysWOW64\Qpplnnpb.exe Process not Found File created C:\Windows\SysWOW64\Gjgdbk32.dll Process not Found File created C:\Windows\SysWOW64\Mbpekm32.dll Fqbeapqb.exe File created C:\Windows\SysWOW64\Dffhfc32.exe Dhbhloho.exe File opened for modification C:\Windows\SysWOW64\Cphbeakl.exe Process not Found File opened for modification C:\Windows\SysWOW64\Adnacoid.exe Process not Found File created C:\Windows\SysWOW64\Afjplj32.exe Aifpcfjd.exe File created C:\Windows\SysWOW64\Maaiimhq.dll Jlckoh32.exe File opened for modification C:\Windows\SysWOW64\Eiapjq32.exe Eddgaj32.exe File created C:\Windows\SysWOW64\Jijbnppi.exe Jfijmdbh.exe File created C:\Windows\SysWOW64\Inknaqhd.dll Kbdmboqk.exe File created C:\Windows\SysWOW64\Qaifoo32.exe Qhabfibb.exe File created C:\Windows\SysWOW64\Fofohe32.dll Hnaqhbbl.exe File created C:\Windows\SysWOW64\Mjafkb32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Hbjjfl32.exe Gefjlg32.exe File created C:\Windows\SysWOW64\Mqfajdpe.exe Mkjibnbn.exe File opened for modification C:\Windows\SysWOW64\Boccmpmo.exe Blegqdnk.exe File opened for modification C:\Windows\SysWOW64\Hppjpd32.exe Process not Found File created C:\Windows\SysWOW64\Cmlofj32.dll Process not Found File created C:\Windows\SysWOW64\Manfid32.dll Oihacbfh.exe File created C:\Windows\SysWOW64\Fbkpmokm.dll Hkaicl32.exe File opened for modification C:\Windows\SysWOW64\Nbghck32.exe Mbekmkke.exe File opened for modification C:\Windows\SysWOW64\Eqklhh32.exe Ehnknfdn.exe File created C:\Windows\SysWOW64\Adhnillo.exe Ajoiqg32.exe File created C:\Windows\SysWOW64\Blbhbl32.exe Bmmkao32.exe File created C:\Windows\SysWOW64\Caegea32.dll Jjlajddc.exe File opened for modification C:\Windows\SysWOW64\Hpckee32.exe Hiichkog.exe File created C:\Windows\SysWOW64\Pdmpgfae.exe Pncgjl32.exe File created C:\Windows\SysWOW64\Iceohloo.dll Feiamj32.exe File opened for modification C:\Windows\SysWOW64\Pacgcijn.exe Ohkbkd32.exe File created C:\Windows\SysWOW64\Ifbalb32.dll Qfegakmc.exe File created C:\Windows\SysWOW64\Mggplkch.dll Beelel32.exe File created C:\Windows\SysWOW64\Mndapo32.exe Process not Found File created C:\Windows\SysWOW64\Hjdkhpih.exe Hqlfpk32.exe File created C:\Windows\SysWOW64\Mijgfmoc.exe Mhdace32.exe File opened for modification C:\Windows\SysWOW64\Gbammb32.exe Gboqgc32.exe File opened for modification C:\Windows\SysWOW64\Hbhcmaoj.exe Haigco32.exe File created C:\Windows\SysWOW64\Blgcji32.dll Process not Found File created C:\Windows\SysWOW64\Qcigjolm.exe Qfegakmc.exe File created C:\Windows\SysWOW64\Aqnjml32.exe Afhfpc32.exe File created C:\Windows\SysWOW64\Njjdqigf.dll Dpnogmbl.exe File created C:\Windows\SysWOW64\Lkkcmqcn.exe Llefld32.exe File created C:\Windows\SysWOW64\Gblmgmel.exe Process not Found File created C:\Windows\SysWOW64\Celoieha.dll Process not Found File opened for modification C:\Windows\SysWOW64\Lenmnb32.exe Lhjmdn32.exe File created C:\Windows\SysWOW64\Ifnfkmgi.exe Inbbfk32.exe File created C:\Windows\SysWOW64\Hhgfbpdk.exe Hlpemo32.exe File opened for modification C:\Windows\SysWOW64\Gndedhdj.exe Gdlplb32.exe File created C:\Windows\SysWOW64\Qdbbedhp.exe Pkjnmo32.exe File created C:\Windows\SysWOW64\Cklqgppp.exe Cjjdaqbc.exe File created C:\Windows\SysWOW64\Himmid32.dll Process not Found File opened for modification C:\Windows\SysWOW64\Lfghih32.exe Kfekch32.exe File created C:\Windows\SysWOW64\Lidhic32.dll Process not Found File created C:\Windows\SysWOW64\Bnqbeb32.exe Process not Found File created C:\Windows\SysWOW64\Ffppjh32.dll Immqeq32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 3132 2732 Process not Found 1346 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fcfjik32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hjmjln32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bokdiahg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ihmiqnke.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lhdfec32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Olchgp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fopnma32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iqiooh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Haigco32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ippdcc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cfggccdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Deegjo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mlbokapi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qdbbedhp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lfjipe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dfgaibbh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mpmfoodb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Impdeg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bblocaik.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Epflbbpp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mqkked32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nqlmnldd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dhbhloho.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ejhnofjg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aibejf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Akjhcimg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Okoqdi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ccfjpkkg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oodioe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lbnininb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dpblfffm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jckiolgm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jjlajddc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aedldh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pbohmh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Emhdhipd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jghonnaa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bpomdmqa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cmcjldbf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mcagma32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gqgmdkgm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nlkonhkb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hcbogk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oeaoncjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jgolhoik.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cblogb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gfjicd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cmmiik32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Afjplj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hnegod32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mofidn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Amfeodoh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bmdgqp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hjdkhpih.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs
Adversaries may check for Internet connectivity on compromised systems.
pid Process 4052 Process not Found -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ehhghdgc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hdkoelai.dll" Palincli.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bcnklm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dikpokmn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Anpgdp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eehkba32.dll" Elmoqlmh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mqfajdpe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eqmogi32.dll" Efakjgni.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Oicidh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bkheal32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nqlmnldd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fikkcnog.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gedgnd32.dll" Ehklpbam.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cfkngccd.dll" Mdbocl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Polmom32.dll" Dnobmnnj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ahpfoa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Haaiipcn.dll" Lnflif32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aeiiblhg.dll" Kacenp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpmokkel.dll" Imppciin.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Emiioh32.dll" Fanlbekb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lnedodmj.dll" Ogjmnbak.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kgijop32.dll" Jmhkdnfp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mocbfd32.dll" Egomgcnb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hajogm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mcpmqj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekbhbi32.dll" Gmacmkje.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hqckln32.dll" Capopb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Boadlk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pefoci32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bnbinl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cqgkkg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dddodd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckcjeg32.dll" Kaeokg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fhaefbfi.dll" Blbhbl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Clmdliko.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gbinidpj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ebnokjpf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ljljenoi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dkafofde.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bpikhk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aedldh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jbacphkd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kgbjmi32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihcaepei.dll" Hblidd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ilekgamm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bmicok32.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Namebk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Klcofleb.dll" Gcbchhmc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eofaakek.dll" Bpcdhp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jokdobid.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 904 wrote to memory of 2356 904 19edf4d6800f59e925f5a41f4d209848b1008e9a5b483f92a01d0ac7433ff978.exe 29 PID 904 wrote to memory of 2356 904 19edf4d6800f59e925f5a41f4d209848b1008e9a5b483f92a01d0ac7433ff978.exe 29 PID 904 wrote to memory of 2356 904 19edf4d6800f59e925f5a41f4d209848b1008e9a5b483f92a01d0ac7433ff978.exe 29 PID 904 wrote to memory of 2356 904 19edf4d6800f59e925f5a41f4d209848b1008e9a5b483f92a01d0ac7433ff978.exe 29 PID 2356 wrote to memory of 2248 2356 Dkookd32.exe 30 PID 2356 wrote to memory of 2248 2356 Dkookd32.exe 30 PID 2356 wrote to memory of 2248 2356 Dkookd32.exe 30 PID 2356 wrote to memory of 2248 2356 Dkookd32.exe 30 PID 2248 wrote to memory of 2736 2248 Ddgcdjip.exe 31 PID 2248 wrote to memory of 2736 2248 Ddgcdjip.exe 31 PID 2248 wrote to memory of 2736 2248 Ddgcdjip.exe 31 PID 2248 wrote to memory of 2736 2248 Ddgcdjip.exe 31 PID 2736 wrote to memory of 2972 2736 Eqejjj32.exe 32 PID 2736 wrote to memory of 2972 2736 Eqejjj32.exe 32 PID 2736 wrote to memory of 2972 2736 Eqejjj32.exe 32 PID 2736 wrote to memory of 2972 2736 Eqejjj32.exe 32 PID 2972 wrote to memory of 2572 2972 Emogdk32.exe 33 PID 2972 wrote to memory of 2572 2972 Emogdk32.exe 33 PID 2972 wrote to memory of 2572 2972 Emogdk32.exe 33 PID 2972 wrote to memory of 2572 2972 Emogdk32.exe 33 PID 2572 wrote to memory of 2640 2572 Fgmaphdg.exe 34 PID 2572 wrote to memory of 2640 2572 Fgmaphdg.exe 34 PID 2572 wrote to memory of 2640 2572 Fgmaphdg.exe 34 PID 2572 wrote to memory of 2640 2572 Fgmaphdg.exe 34 PID 2640 wrote to memory of 1720 2640 Fhonegbd.exe 35 PID 2640 wrote to memory of 1720 2640 Fhonegbd.exe 35 PID 2640 wrote to memory of 1720 2640 Fhonegbd.exe 35 PID 2640 wrote to memory of 1720 2640 Fhonegbd.exe 35 PID 1720 wrote to memory of 2420 1720 Fnkchahn.exe 36 PID 1720 wrote to memory of 2420 1720 Fnkchahn.exe 36 PID 1720 wrote to memory of 2420 1720 Fnkchahn.exe 36 PID 1720 wrote to memory of 2420 1720 Fnkchahn.exe 36 PID 2420 wrote to memory of 2432 2420 Fnnpma32.exe 37 PID 2420 wrote to memory of 2432 2420 Fnnpma32.exe 37 PID 2420 wrote to memory of 2432 2420 Fnnpma32.exe 37 PID 2420 wrote to memory of 2432 2420 Fnnpma32.exe 37 PID 2432 wrote to memory of 2560 2432 Gaoiol32.exe 38 PID 2432 wrote to memory of 2560 2432 Gaoiol32.exe 38 PID 2432 wrote to memory of 2560 2432 Gaoiol32.exe 38 PID 2432 wrote to memory of 2560 2432 Gaoiol32.exe 38 PID 2560 wrote to memory of 1860 2560 Glhjpjok.exe 39 PID 2560 wrote to memory of 1860 2560 Glhjpjok.exe 39 PID 2560 wrote to memory of 1860 2560 Glhjpjok.exe 39 PID 2560 wrote to memory of 1860 2560 Glhjpjok.exe 39 PID 1860 wrote to memory of 2328 1860 Goicaell.exe 40 PID 1860 wrote to memory of 2328 1860 Goicaell.exe 40 PID 1860 wrote to memory of 2328 1860 Goicaell.exe 40 PID 1860 wrote to memory of 2328 1860 Goicaell.exe 40 PID 2328 wrote to memory of 1752 2328 Gbglgcbc.exe 41 PID 2328 wrote to memory of 1752 2328 Gbglgcbc.exe 41 PID 2328 wrote to memory of 1752 2328 Gbglgcbc.exe 41 PID 2328 wrote to memory of 1752 2328 Gbglgcbc.exe 41 PID 1752 wrote to memory of 2996 1752 Galhhp32.exe 42 PID 1752 wrote to memory of 2996 1752 Galhhp32.exe 42 PID 1752 wrote to memory of 2996 1752 Galhhp32.exe 42 PID 1752 wrote to memory of 2996 1752 Galhhp32.exe 42 PID 2996 wrote to memory of 2176 2996 Hkdmaenk.exe 43 PID 2996 wrote to memory of 2176 2996 Hkdmaenk.exe 43 PID 2996 wrote to memory of 2176 2996 Hkdmaenk.exe 43 PID 2996 wrote to memory of 2176 2996 Hkdmaenk.exe 43 PID 2176 wrote to memory of 1096 2176 Hobfgcdb.exe 44 PID 2176 wrote to memory of 1096 2176 Hobfgcdb.exe 44 PID 2176 wrote to memory of 1096 2176 Hobfgcdb.exe 44 PID 2176 wrote to memory of 1096 2176 Hobfgcdb.exe 44
Processes
-
C:\Users\Admin\AppData\Local\Temp\19edf4d6800f59e925f5a41f4d209848b1008e9a5b483f92a01d0ac7433ff978.exe"C:\Users\Admin\AppData\Local\Temp\19edf4d6800f59e925f5a41f4d209848b1008e9a5b483f92a01d0ac7433ff978.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:904 -
C:\Windows\SysWOW64\Dkookd32.exeC:\Windows\system32\Dkookd32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2356 -
C:\Windows\SysWOW64\Ddgcdjip.exeC:\Windows\system32\Ddgcdjip.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2248 -
C:\Windows\SysWOW64\Eqejjj32.exeC:\Windows\system32\Eqejjj32.exe4⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2736 -
C:\Windows\SysWOW64\Emogdk32.exeC:\Windows\system32\Emogdk32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2972 -
C:\Windows\SysWOW64\Fgmaphdg.exeC:\Windows\system32\Fgmaphdg.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2572 -
C:\Windows\SysWOW64\Fhonegbd.exeC:\Windows\system32\Fhonegbd.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2640 -
C:\Windows\SysWOW64\Fnkchahn.exeC:\Windows\system32\Fnkchahn.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1720 -
C:\Windows\SysWOW64\Fnnpma32.exeC:\Windows\system32\Fnnpma32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2420 -
C:\Windows\SysWOW64\Gaoiol32.exeC:\Windows\system32\Gaoiol32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2432 -
C:\Windows\SysWOW64\Glhjpjok.exeC:\Windows\system32\Glhjpjok.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2560 -
C:\Windows\SysWOW64\Goicaell.exeC:\Windows\system32\Goicaell.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1860 -
C:\Windows\SysWOW64\Gbglgcbc.exeC:\Windows\system32\Gbglgcbc.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2328 -
C:\Windows\SysWOW64\Galhhp32.exeC:\Windows\system32\Galhhp32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1752 -
C:\Windows\SysWOW64\Hkdmaenk.exeC:\Windows\system32\Hkdmaenk.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2996 -
C:\Windows\SysWOW64\Hobfgcdb.exeC:\Windows\system32\Hobfgcdb.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2176 -
C:\Windows\SysWOW64\Hpfoekhm.exeC:\Windows\system32\Hpfoekhm.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1096 -
C:\Windows\SysWOW64\Hcghffen.exeC:\Windows\system32\Hcghffen.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2548 -
C:\Windows\SysWOW64\Igdqmeke.exeC:\Windows\system32\Igdqmeke.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:776 -
C:\Windows\SysWOW64\Ilcfjkgj.exeC:\Windows\system32\Ilcfjkgj.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1560 -
C:\Windows\SysWOW64\Iackhb32.exeC:\Windows\system32\Iackhb32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1528 -
C:\Windows\SysWOW64\Iqhhin32.exeC:\Windows\system32\Iqhhin32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2316 -
C:\Windows\SysWOW64\Jciaki32.exeC:\Windows\system32\Jciaki32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:316 -
C:\Windows\SysWOW64\Jfijmdbh.exeC:\Windows\system32\Jfijmdbh.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2424 -
C:\Windows\SysWOW64\Jijbnppi.exeC:\Windows\system32\Jijbnppi.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1300 -
C:\Windows\SysWOW64\Jmhkdnfp.exeC:\Windows\system32\Jmhkdnfp.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2096 -
C:\Windows\SysWOW64\Koidficq.exeC:\Windows\system32\Koidficq.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2852 -
C:\Windows\SysWOW64\Kamncagl.exeC:\Windows\system32\Kamncagl.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2780 -
C:\Windows\SysWOW64\Lfeegfkf.exeC:\Windows\system32\Lfeegfkf.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2812 -
C:\Windows\SysWOW64\Mbqpgf32.exeC:\Windows\system32\Mbqpgf32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1824 -
C:\Windows\SysWOW64\Mkldli32.exeC:\Windows\system32\Mkldli32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2600 -
C:\Windows\SysWOW64\Mknaahhn.exeC:\Windows\system32\Mknaahhn.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2956 -
C:\Windows\SysWOW64\Mpmfoodb.exeC:\Windows\system32\Mpmfoodb.exe33⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2236 -
C:\Windows\SysWOW64\Nppceo32.exeC:\Windows\system32\Nppceo32.exe34⤵
- Executes dropped EXE
PID:3068 -
C:\Windows\SysWOW64\Nliqoofa.exeC:\Windows\system32\Nliqoofa.exe35⤵
- Executes dropped EXE
PID:1032 -
C:\Windows\SysWOW64\Nlkmeo32.exeC:\Windows\system32\Nlkmeo32.exe36⤵
- Executes dropped EXE
PID:2436 -
C:\Windows\SysWOW64\Nolffjap.exeC:\Windows\system32\Nolffjap.exe37⤵
- Executes dropped EXE
PID:2128 -
C:\Windows\SysWOW64\Oaolne32.exeC:\Windows\system32\Oaolne32.exe38⤵
- Executes dropped EXE
PID:1700 -
C:\Windows\SysWOW64\Onelbfab.exeC:\Windows\system32\Onelbfab.exe39⤵
- Executes dropped EXE
PID:1392 -
C:\Windows\SysWOW64\Onhihepp.exeC:\Windows\system32\Onhihepp.exe40⤵
- Executes dropped EXE
PID:108 -
C:\Windows\SysWOW64\Ohajic32.exeC:\Windows\system32\Ohajic32.exe41⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2112 -
C:\Windows\SysWOW64\Ponokmah.exeC:\Windows\system32\Ponokmah.exe42⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2020 -
C:\Windows\SysWOW64\Pdkgcd32.exeC:\Windows\system32\Pdkgcd32.exe43⤵
- Executes dropped EXE
PID:1292 -
C:\Windows\SysWOW64\Pbohmh32.exeC:\Windows\system32\Pbohmh32.exe44⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2136 -
C:\Windows\SysWOW64\Pgkqeo32.exeC:\Windows\system32\Pgkqeo32.exe45⤵
- Executes dropped EXE
PID:2968 -
C:\Windows\SysWOW64\Peoanckj.exeC:\Windows\system32\Peoanckj.exe46⤵
- Executes dropped EXE
PID:2412 -
C:\Windows\SysWOW64\Pafacd32.exeC:\Windows\system32\Pafacd32.exe47⤵
- Executes dropped EXE
PID:2292 -
C:\Windows\SysWOW64\Qmmbhegc.exeC:\Windows\system32\Qmmbhegc.exe48⤵
- Executes dropped EXE
PID:2500 -
C:\Windows\SysWOW64\Qfegakmc.exeC:\Windows\system32\Qfegakmc.exe49⤵
- Drops file in System32 directory
PID:2408 -
C:\Windows\SysWOW64\Qcigjolm.exeC:\Windows\system32\Qcigjolm.exe50⤵
- Executes dropped EXE
PID:392 -
C:\Windows\SysWOW64\Aifpcfjd.exeC:\Windows\system32\Aifpcfjd.exe51⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:880 -
C:\Windows\SysWOW64\Afjplj32.exeC:\Windows\system32\Afjplj32.exe52⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1696 -
C:\Windows\SysWOW64\Aflmbj32.exeC:\Windows\system32\Aflmbj32.exe53⤵
- Executes dropped EXE
PID:2816 -
C:\Windows\SysWOW64\Amfeodoh.exeC:\Windows\system32\Amfeodoh.exe54⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2800 -
C:\Windows\SysWOW64\Ahpfoa32.exeC:\Windows\system32\Ahpfoa32.exe55⤵
- Executes dropped EXE
- Modifies registry class
PID:2592 -
C:\Windows\SysWOW64\Anjnllbd.exeC:\Windows\system32\Anjnllbd.exe56⤵
- Executes dropped EXE
PID:1680 -
C:\Windows\SysWOW64\Ajqoqm32.exeC:\Windows\system32\Ajqoqm32.exe57⤵
- Executes dropped EXE
PID:2460 -
C:\Windows\SysWOW64\Befcne32.exeC:\Windows\system32\Befcne32.exe58⤵
- Executes dropped EXE
PID:1744 -
C:\Windows\SysWOW64\Bhglpqeo.exeC:\Windows\system32\Bhglpqeo.exe59⤵
- Executes dropped EXE
PID:612 -
C:\Windows\SysWOW64\Boadlk32.exeC:\Windows\system32\Boadlk32.exe60⤵
- Executes dropped EXE
- Modifies registry class
PID:1548 -
C:\Windows\SysWOW64\Bkheal32.exeC:\Windows\system32\Bkheal32.exe61⤵
- Executes dropped EXE
- Modifies registry class
PID:2092 -
C:\Windows\SysWOW64\Bbcjfn32.exeC:\Windows\system32\Bbcjfn32.exe62⤵
- Executes dropped EXE
PID:1052 -
C:\Windows\SysWOW64\Bmhncg32.exeC:\Windows\system32\Bmhncg32.exe63⤵
- Executes dropped EXE
PID:1712 -
C:\Windows\SysWOW64\Clnkdc32.exeC:\Windows\system32\Clnkdc32.exe64⤵
- Executes dropped EXE
PID:1684 -
C:\Windows\SysWOW64\Clphjc32.exeC:\Windows\system32\Clphjc32.exe65⤵
- Executes dropped EXE
PID:1648 -
C:\Windows\SysWOW64\Cidhcg32.exeC:\Windows\system32\Cidhcg32.exe66⤵
- Executes dropped EXE
PID:2172 -
C:\Windows\SysWOW64\Cdnicemo.exeC:\Windows\system32\Cdnicemo.exe67⤵PID:2664
-
C:\Windows\SysWOW64\Cdpfiekl.exeC:\Windows\system32\Cdpfiekl.exe68⤵PID:3016
-
C:\Windows\SysWOW64\Dpggnfap.exeC:\Windows\system32\Dpggnfap.exe69⤵PID:2404
-
C:\Windows\SysWOW64\Dhnoocab.exeC:\Windows\system32\Dhnoocab.exe70⤵PID:1868
-
C:\Windows\SysWOW64\Dddodd32.exeC:\Windows\system32\Dddodd32.exe71⤵
- Modifies registry class
PID:2828 -
C:\Windows\SysWOW64\Dlpdifda.exeC:\Windows\system32\Dlpdifda.exe72⤵PID:1708
-
C:\Windows\SysWOW64\Dcjleq32.exeC:\Windows\system32\Dcjleq32.exe73⤵PID:2940
-
C:\Windows\SysWOW64\Dghekobe.exeC:\Windows\system32\Dghekobe.exe74⤵PID:2228
-
C:\Windows\SysWOW64\Ehnknfdn.exeC:\Windows\system32\Ehnknfdn.exe75⤵
- Drops file in System32 directory
PID:2072 -
C:\Windows\SysWOW64\Eqklhh32.exeC:\Windows\system32\Eqklhh32.exe76⤵PID:1940
-
C:\Windows\SysWOW64\Ekqqea32.exeC:\Windows\system32\Ekqqea32.exe77⤵PID:1140
-
C:\Windows\SysWOW64\Eqninhmc.exeC:\Windows\system32\Eqninhmc.exe78⤵PID:3004
-
C:\Windows\SysWOW64\Eggajb32.exeC:\Windows\system32\Eggajb32.exe79⤵PID:2912
-
C:\Windows\SysWOW64\Edkbdf32.exeC:\Windows\system32\Edkbdf32.exe80⤵PID:844
-
C:\Windows\SysWOW64\Fjhjlm32.exeC:\Windows\system32\Fjhjlm32.exe81⤵PID:2032
-
C:\Windows\SysWOW64\Fpgpjdnf.exeC:\Windows\system32\Fpgpjdnf.exe82⤵PID:1568
-
C:\Windows\SysWOW64\Fmkpchmp.exeC:\Windows\system32\Fmkpchmp.exe83⤵PID:2504
-
C:\Windows\SysWOW64\Ffcdlncp.exeC:\Windows\system32\Ffcdlncp.exe84⤵PID:3028
-
C:\Windows\SysWOW64\Feiamj32.exeC:\Windows\system32\Feiamj32.exe85⤵
- Drops file in System32 directory
PID:1288 -
C:\Windows\SysWOW64\Fhgnie32.exeC:\Windows\system32\Fhgnie32.exe86⤵PID:2332
-
C:\Windows\SysWOW64\Ghjjoeei.exeC:\Windows\system32\Ghjjoeei.exe87⤵PID:2808
-
C:\Windows\SysWOW64\Genkhidc.exeC:\Windows\system32\Genkhidc.exe88⤵PID:2836
-
C:\Windows\SysWOW64\Gadkmj32.exeC:\Windows\system32\Gadkmj32.exe89⤵PID:960
-
C:\Windows\SysWOW64\Gfadeaho.exeC:\Windows\system32\Gfadeaho.exe90⤵PID:2700
-
C:\Windows\SysWOW64\Gfcqkafl.exeC:\Windows\system32\Gfcqkafl.exe91⤵PID:2104
-
C:\Windows\SysWOW64\Gibmglep.exeC:\Windows\system32\Gibmglep.exe92⤵PID:2916
-
C:\Windows\SysWOW64\Gdgadeee.exeC:\Windows\system32\Gdgadeee.exe93⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2232 -
C:\Windows\SysWOW64\Hakani32.exeC:\Windows\system32\Hakani32.exe94⤵PID:772
-
C:\Windows\SysWOW64\Hjdfgojp.exeC:\Windows\system32\Hjdfgojp.exe95⤵PID:2932
-
C:\Windows\SysWOW64\Hiichkog.exeC:\Windows\system32\Hiichkog.exe96⤵
- Drops file in System32 directory
PID:2860 -
C:\Windows\SysWOW64\Hpckee32.exeC:\Windows\system32\Hpckee32.exe97⤵PID:2060
-
C:\Windows\SysWOW64\Hafdbmjp.exeC:\Windows\system32\Hafdbmjp.exe98⤵PID:236
-
C:\Windows\SysWOW64\Hkoikcaq.exeC:\Windows\system32\Hkoikcaq.exe99⤵PID:296
-
C:\Windows\SysWOW64\Ihcidgpj.exeC:\Windows\system32\Ihcidgpj.exe100⤵PID:2380
-
C:\Windows\SysWOW64\Impblnna.exeC:\Windows\system32\Impblnna.exe101⤵PID:1312
-
C:\Windows\SysWOW64\Ikcbfb32.exeC:\Windows\system32\Ikcbfb32.exe102⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1600 -
C:\Windows\SysWOW64\Idlgohcl.exeC:\Windows\system32\Idlgohcl.exe103⤵PID:1580
-
C:\Windows\SysWOW64\Indkgm32.exeC:\Windows\system32\Indkgm32.exe104⤵PID:2936
-
C:\Windows\SysWOW64\Ipedihgm.exeC:\Windows\system32\Ipedihgm.exe105⤵PID:980
-
C:\Windows\SysWOW64\Igomfb32.exeC:\Windows\system32\Igomfb32.exe106⤵PID:2668
-
C:\Windows\SysWOW64\Jlleni32.exeC:\Windows\system32\Jlleni32.exe107⤵PID:2488
-
C:\Windows\SysWOW64\Jfdigocb.exeC:\Windows\system32\Jfdigocb.exe108⤵PID:2276
-
C:\Windows\SysWOW64\Jakjlpif.exeC:\Windows\system32\Jakjlpif.exe109⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2520 -
C:\Windows\SysWOW64\Jlqniihl.exeC:\Windows\system32\Jlqniihl.exe110⤵PID:2132
-
C:\Windows\SysWOW64\Jlckoh32.exeC:\Windows\system32\Jlckoh32.exe111⤵
- Drops file in System32 directory
PID:1992 -
C:\Windows\SysWOW64\Jbpcgo32.exeC:\Windows\system32\Jbpcgo32.exe112⤵PID:360
-
C:\Windows\SysWOW64\Jbbpmo32.exeC:\Windows\system32\Jbbpmo32.exe113⤵PID:1908
-
C:\Windows\SysWOW64\Khlhiijk.exeC:\Windows\system32\Khlhiijk.exe114⤵PID:2220
-
C:\Windows\SysWOW64\Kbdmboqk.exeC:\Windows\system32\Kbdmboqk.exe115⤵
- Drops file in System32 directory
PID:1160 -
C:\Windows\SysWOW64\Kceijg32.exeC:\Windows\system32\Kceijg32.exe116⤵PID:2732
-
C:\Windows\SysWOW64\Kmnnblmj.exeC:\Windows\system32\Kmnnblmj.exe117⤵PID:2464
-
C:\Windows\SysWOW64\Kjbnlqld.exeC:\Windows\system32\Kjbnlqld.exe118⤵PID:616
-
C:\Windows\SysWOW64\Kcjcefbd.exeC:\Windows\system32\Kcjcefbd.exe119⤵PID:1540
-
C:\Windows\SysWOW64\Kigkmmql.exeC:\Windows\system32\Kigkmmql.exe120⤵PID:1100
-
C:\Windows\SysWOW64\Kcmpjfqa.exeC:\Windows\system32\Kcmpjfqa.exe121⤵PID:2788
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-