Analysis
-
max time kernel
113s -
max time network
19s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
19-09-2024 06:58
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
f80de9b1780c03cfd79ca46b26e9accfc88b946234b19f4b7378dd45b2678c01N.exe
Resource
win7-20240903-en
windows7-x64
8 signatures
120 seconds
Behavioral task
behavioral2
Sample
f80de9b1780c03cfd79ca46b26e9accfc88b946234b19f4b7378dd45b2678c01N.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
7 signatures
120 seconds
General
-
Target
f80de9b1780c03cfd79ca46b26e9accfc88b946234b19f4b7378dd45b2678c01N.exe
-
Size
93KB
-
MD5
fcc932b433ccae54465e46c2befdf820
-
SHA1
055a6866e6bd6a10706473718c946a7d033a2f1f
-
SHA256
f80de9b1780c03cfd79ca46b26e9accfc88b946234b19f4b7378dd45b2678c01
-
SHA512
5ac7d83d5d4b77765598e00b71cf572d5d0af54d7d1462b70f3a9dbe4063937ade555f5bc43abf785056777d9640c3d55cf04b5be973285eb0ebff45af90656f
-
SSDEEP
1536:XMWAAMdD+jnJx5RBjjiWm9si2bJc0LO1VSz9z/YJjaesRQvRkRLJzeLD9N0iQGR4:XMW8QzhiWmNYROqz9zAJ+1evSJdEN0si
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ndiomdde.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Amkbpm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Dckdio32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jifhdphd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Agolpnjl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lbnbfb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Cfghagio.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kpoejbhe.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hnflnfbm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hjhlnahk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jeblgodb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pmjaadjm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Claake32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jaffca32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Idcqep32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kjepaa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Cffjagko.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ddppmclb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hojqjp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jgmofbpk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nqgngk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Dggbgadf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Lpbhmiji.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iockhigl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Hcpqfgol.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Dfdngl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ehjqif32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Faikbkhj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Gfgpgmql.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aljmbknm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Iadnon32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Liekddkh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Eokiabjf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Lbnbfb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nkhhie32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Eqcjaa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Onlooh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bfmqigba.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Mfebdm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nilndfgl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ifhgcgjq.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pcmabnhm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ggeiooea.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fgpock32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bebfpm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cnacbj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pqplqile.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mqoocmcg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Nmggllha.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Blaobmkq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Oddbqhkf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Lojeda32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Celpqbon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Bfmlgi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ckdpinhf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jpnfdbig.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Nqgngk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mdgmbhgh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aijfihip.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hpinagbm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nfppfcmj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Fefpfi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lhbjmg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Oiahnnji.exe -
Executes dropped EXE 64 IoCs
pid Process 2632 Jbcelp32.exe 2096 Jkkjeeke.exe 2692 Jcfoihhp.exe 2664 Jjpgfbom.exe 2544 Jpmooind.exe 2472 Kjepaa32.exe 2908 Kngekdnf.exe 1628 Klkfdi32.exe 2784 Lbgkfbbj.exe 2036 Lonlkcho.exe 264 Lkelpd32.exe 2216 Laaabo32.exe 2772 Lilfgq32.exe 2916 Mpikik32.exe 1264 Mcidkf32.exe 2684 Mhflcm32.exe 1780 Mldeik32.exe 1612 Mnhnfckm.exe 2164 Njnokdaq.exe 2288 Ncgcdi32.exe 2780 Npkdnnfk.exe 1732 Nnodgbed.exe 2748 Njeelc32.exe 1580 Nobndj32.exe 2628 Omfnnnhj.exe 2320 Ofobgc32.exe 2556 Oddphp32.exe 2612 Ooidei32.exe 2304 Oiahnnji.exe 1640 Objmgd32.exe 1096 Okbapi32.exe 1032 Oqojhp32.exe 1968 Pgibdjln.exe 2032 Pncjad32.exe 2052 Pglojj32.exe 2992 Pmhgba32.exe 2312 Pbepkh32.exe 1636 Piohgbng.exe 2996 Pcdldknm.exe 2872 Pefhlcdk.exe 1432 Plpqim32.exe 1572 Pfeeff32.exe 1408 Phgannal.exe 3000 Qnqjkh32.exe 2240 Qekbgbpf.exe 2184 Qldjdlgb.exe 3028 Qbobaf32.exe 3024 Qdpohodn.exe 1588 Anecfgdc.exe 2516 Aeokba32.exe 2972 Ajldkhjh.exe 2128 Apilcoho.exe 904 Bpboinpd.exe 992 Bogljj32.exe 1992 Bojipjcj.exe 1144 Bdfahaaa.exe 468 Befnbd32.exe 1980 Boobki32.exe 2088 Cgjgol32.exe 524 Ccqhdmbc.exe 2524 Clilmbhd.exe 316 Cfaqfh32.exe 1656 Cpgecq32.exe 1908 Cfcmlg32.exe -
Loads dropped DLL 64 IoCs
pid Process 2700 f80de9b1780c03cfd79ca46b26e9accfc88b946234b19f4b7378dd45b2678c01N.exe 2700 f80de9b1780c03cfd79ca46b26e9accfc88b946234b19f4b7378dd45b2678c01N.exe 2632 Jbcelp32.exe 2632 Jbcelp32.exe 2096 Jkkjeeke.exe 2096 Jkkjeeke.exe 2692 Jcfoihhp.exe 2692 Jcfoihhp.exe 2664 Jjpgfbom.exe 2664 Jjpgfbom.exe 2544 Jpmooind.exe 2544 Jpmooind.exe 2472 Kjepaa32.exe 2472 Kjepaa32.exe 2908 Kngekdnf.exe 2908 Kngekdnf.exe 1628 Klkfdi32.exe 1628 Klkfdi32.exe 2784 Lbgkfbbj.exe 2784 Lbgkfbbj.exe 2036 Lonlkcho.exe 2036 Lonlkcho.exe 264 Lkelpd32.exe 264 Lkelpd32.exe 2216 Laaabo32.exe 2216 Laaabo32.exe 2772 Lilfgq32.exe 2772 Lilfgq32.exe 2916 Mpikik32.exe 2916 Mpikik32.exe 1264 Mcidkf32.exe 1264 Mcidkf32.exe 2684 Mhflcm32.exe 2684 Mhflcm32.exe 1780 Mldeik32.exe 1780 Mldeik32.exe 1612 Mnhnfckm.exe 1612 Mnhnfckm.exe 2164 Njnokdaq.exe 2164 Njnokdaq.exe 2288 Ncgcdi32.exe 2288 Ncgcdi32.exe 2780 Npkdnnfk.exe 2780 Npkdnnfk.exe 1732 Nnodgbed.exe 1732 Nnodgbed.exe 2748 Njeelc32.exe 2748 Njeelc32.exe 1580 Nobndj32.exe 1580 Nobndj32.exe 2628 Omfnnnhj.exe 2628 Omfnnnhj.exe 2320 Ofobgc32.exe 2320 Ofobgc32.exe 2556 Oddphp32.exe 2556 Oddphp32.exe 2612 Ooidei32.exe 2612 Ooidei32.exe 2304 Oiahnnji.exe 2304 Oiahnnji.exe 1640 Objmgd32.exe 1640 Objmgd32.exe 1096 Okbapi32.exe 1096 Okbapi32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Hkogpn32.exe Hdeoccgn.exe File created C:\Windows\SysWOW64\Klnkbdan.dll Jkllnn32.exe File created C:\Windows\SysWOW64\Ccbfdf32.dll Ceioieei.exe File created C:\Windows\SysWOW64\Apapcnaf.exe Acnpjj32.exe File opened for modification C:\Windows\SysWOW64\Dfdngl32.exe Domffn32.exe File opened for modification C:\Windows\SysWOW64\Dhekodik.exe Dfdngl32.exe File created C:\Windows\SysWOW64\Ohdglfoj.exe Ogekbchg.exe File created C:\Windows\SysWOW64\Pbhoip32.exe Pqgbah32.exe File opened for modification C:\Windows\SysWOW64\Polobd32.exe Pbhoip32.exe File created C:\Windows\SysWOW64\Hmchfbme.dll Edhbjjhn.exe File opened for modification C:\Windows\SysWOW64\Cffjagko.exe Cpiaipmh.exe File created C:\Windows\SysWOW64\Nlapaapg.exe Nbilhkig.exe File opened for modification C:\Windows\SysWOW64\Akkokc32.exe Acpjga32.exe File opened for modification C:\Windows\SysWOW64\Ehpgha32.exe Dlifcqfl.exe File created C:\Windows\SysWOW64\Jpkihl32.dll Bineidcj.exe File created C:\Windows\SysWOW64\Mdahnmck.exe Lflklaoc.exe File created C:\Windows\SysWOW64\Poacighp.exe Ojdjqp32.exe File created C:\Windows\SysWOW64\Aemmee32.dll Qijdqp32.exe File opened for modification C:\Windows\SysWOW64\Oddbqhkf.exe Occeip32.exe File created C:\Windows\SysWOW64\Idnppjcj.exe Inqhhc32.exe File created C:\Windows\SysWOW64\Bpchof32.dll Klfndn32.exe File created C:\Windows\SysWOW64\Cllmdcej.exe Cinahhff.exe File created C:\Windows\SysWOW64\Mgaqohql.exe Mqhhbn32.exe File created C:\Windows\SysWOW64\Endjeihi.dll Clilmbhd.exe File created C:\Windows\SysWOW64\Mfihml32.exe Mnkfcjqe.exe File opened for modification C:\Windows\SysWOW64\Nilndfgl.exe Ndoelpid.exe File opened for modification C:\Windows\SysWOW64\Phjjkefd.exe Pcmabnhm.exe File created C:\Windows\SysWOW64\Dgpdlk32.dll Mflgkd32.exe File created C:\Windows\SysWOW64\Iecbce32.dll Nlklik32.exe File created C:\Windows\SysWOW64\Ofefqf32.exe Opkndldc.exe File created C:\Windows\SysWOW64\Khqahnpk.dll Dijjgegh.exe File created C:\Windows\SysWOW64\Pcdldknm.exe Piohgbng.exe File created C:\Windows\SysWOW64\Kgkpck32.dll Pdnkanfg.exe File created C:\Windows\SysWOW64\Jmndle32.dll Mbhlgg32.exe File opened for modification C:\Windows\SysWOW64\Ohmljj32.exe Onehadbj.exe File created C:\Windows\SysWOW64\Njdbefnf.exe Nehjmppo.exe File created C:\Windows\SysWOW64\Cgkanomj.exe Cfjdfg32.exe File created C:\Windows\SysWOW64\Iofpmj32.dll Niilmi32.exe File created C:\Windows\SysWOW64\Ncejcg32.exe Nqgngk32.exe File created C:\Windows\SysWOW64\Binikb32.exe Bdaabk32.exe File opened for modification C:\Windows\SysWOW64\Cenmfbml.exe Celpqbon.exe File created C:\Windows\SysWOW64\Jqhdfe32.exe Jkllnn32.exe File created C:\Windows\SysWOW64\Gqcaoghl.exe Fleihi32.exe File opened for modification C:\Windows\SysWOW64\Kjepaa32.exe Jpmooind.exe File created C:\Windows\SysWOW64\Mmkhejmb.dll Geilah32.exe File created C:\Windows\SysWOW64\Agccbenc.exe Ajociq32.exe File opened for modification C:\Windows\SysWOW64\Cihojiok.exe Caqfiloi.exe File created C:\Windows\SysWOW64\Hmgodc32.exe Hhjgll32.exe File created C:\Windows\SysWOW64\Nkmgmf32.dll Pikohg32.exe File created C:\Windows\SysWOW64\Hjmcibej.dll Hkpaoape.exe File opened for modification C:\Windows\SysWOW64\Kfdfdf32.exe Jhqeka32.exe File opened for modification C:\Windows\SysWOW64\Iabcbg32.exe Icnbic32.exe File opened for modification C:\Windows\SysWOW64\Ipgpcc32.exe Ifoljn32.exe File created C:\Windows\SysWOW64\Boegjgoa.dll Gipngg32.exe File opened for modification C:\Windows\SysWOW64\Jmgfgham.exe Jdlacfca.exe File created C:\Windows\SysWOW64\Jflgph32.exe Jldbgb32.exe File created C:\Windows\SysWOW64\Idoqdcmi.dll Abaaoodq.exe File created C:\Windows\SysWOW64\Ihbdhepp.exe Igcgnbim.exe File created C:\Windows\SysWOW64\Feobac32.exe Felekcop.exe File created C:\Windows\SysWOW64\Ajlema32.dll Mkconepp.exe File created C:\Windows\SysWOW64\Flffpf32.dll Binikb32.exe File created C:\Windows\SysWOW64\Bdggbp32.dll Innbde32.exe File opened for modification C:\Windows\SysWOW64\Ggmjkapi.exe Gqcaoghl.exe File opened for modification C:\Windows\SysWOW64\Dnlolhoo.exe Cjngej32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 4232 4948 WerFault.exe 802 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dpflqfeo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lfonlg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mkdbea32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mpalfabn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bkdbab32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gbfklolh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jdlacfca.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nohddd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Acpjga32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gqendf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Doqkpl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dfhgggim.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hhdqma32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cpejfjha.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nnodgbed.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iadnon32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jfhmehji.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lchclmla.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Inqhhc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Deikhhhe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Icbkhnan.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cihojiok.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cealdjcm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kihbfg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lgdfgbhf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aakhkj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lgjcdc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dlpbna32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jknicnpf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gcakbjpl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Panehkaj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Neemgp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Alhaho32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ecjgio32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nqgngk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aljmbknm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hlcbfnjk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fcmdpcle.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Holldk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jdmfdgbj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eoomai32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Felekcop.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mbgela32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hkpaoape.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Habili32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Igcgnbim.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mgaqohql.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qgiplffm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Icnbic32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nmnoll32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lilfgq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gkgbioee.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cenmfbml.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fcegdnna.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ihnjmf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eagbnh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Elgioe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cdnjaibm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Polobd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jifhdphd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Naokbq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lekjal32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kpiihgoh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ilhlan32.exe -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Qlbnja32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Hjfbaj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Mfamko32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Hlbpme32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Adndofcl.dll" Mokdja32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ohkdfhge.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Jadlgjjq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mlalaoic.dll" Gfcopl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Goodpb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Akkokc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Boeppomj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Lilomj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Qghgigkn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Hlqfqo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Pgbejj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Kjcedj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Elbmkm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Klpmek32.dll" Fgqhgjbb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Hbhagiem.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Aijfihip.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Cahmik32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Cfghagio.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Bjfpdf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Fiedfb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Phplbpbl.dll" Kmoekf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cadmjo32.dll" Pcqebd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Dpflqfeo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Jiclnpjg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkloip32.dll" Jaffca32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Jddbpmpm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Nchipb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Gngfjicn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oenpon32.dll" Khmnio32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Hoipnl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ppgdjqna.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Agebam32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Qekbgbpf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Gdnibdmf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Mddibb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ohkdfhge.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mbqaie32.dll" Dpflqfeo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Hmdldmja.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Fiopah32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Qdpohodn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Qnpcpa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ohmljj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Hbafel32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ipkgejcf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ljpqlqmd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Opkndldc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dbcgao32.dll" Mbemho32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Bmdefk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iljakp32.dll" Ljpnch32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Klhejn32.dll" Paekijkb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Knodnb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hamgfm32.dll" Mnaiah32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eannjf32.dll" Cinahhff.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Djemfibq.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Dlpbna32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Pnnfkb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Jbcelp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Jkdoci32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Fqhclqnc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Acbfcl32.dll" Olimlf32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2700 wrote to memory of 2632 2700 f80de9b1780c03cfd79ca46b26e9accfc88b946234b19f4b7378dd45b2678c01N.exe 30 PID 2700 wrote to memory of 2632 2700 f80de9b1780c03cfd79ca46b26e9accfc88b946234b19f4b7378dd45b2678c01N.exe 30 PID 2700 wrote to memory of 2632 2700 f80de9b1780c03cfd79ca46b26e9accfc88b946234b19f4b7378dd45b2678c01N.exe 30 PID 2700 wrote to memory of 2632 2700 f80de9b1780c03cfd79ca46b26e9accfc88b946234b19f4b7378dd45b2678c01N.exe 30 PID 2632 wrote to memory of 2096 2632 Jbcelp32.exe 31 PID 2632 wrote to memory of 2096 2632 Jbcelp32.exe 31 PID 2632 wrote to memory of 2096 2632 Jbcelp32.exe 31 PID 2632 wrote to memory of 2096 2632 Jbcelp32.exe 31 PID 2096 wrote to memory of 2692 2096 Jkkjeeke.exe 32 PID 2096 wrote to memory of 2692 2096 Jkkjeeke.exe 32 PID 2096 wrote to memory of 2692 2096 Jkkjeeke.exe 32 PID 2096 wrote to memory of 2692 2096 Jkkjeeke.exe 32 PID 2692 wrote to memory of 2664 2692 Jcfoihhp.exe 33 PID 2692 wrote to memory of 2664 2692 Jcfoihhp.exe 33 PID 2692 wrote to memory of 2664 2692 Jcfoihhp.exe 33 PID 2692 wrote to memory of 2664 2692 Jcfoihhp.exe 33 PID 2664 wrote to memory of 2544 2664 Jjpgfbom.exe 34 PID 2664 wrote to memory of 2544 2664 Jjpgfbom.exe 34 PID 2664 wrote to memory of 2544 2664 Jjpgfbom.exe 34 PID 2664 wrote to memory of 2544 2664 Jjpgfbom.exe 34 PID 2544 wrote to memory of 2472 2544 Jpmooind.exe 35 PID 2544 wrote to memory of 2472 2544 Jpmooind.exe 35 PID 2544 wrote to memory of 2472 2544 Jpmooind.exe 35 PID 2544 wrote to memory of 2472 2544 Jpmooind.exe 35 PID 2472 wrote to memory of 2908 2472 Kjepaa32.exe 36 PID 2472 wrote to memory of 2908 2472 Kjepaa32.exe 36 PID 2472 wrote to memory of 2908 2472 Kjepaa32.exe 36 PID 2472 wrote to memory of 2908 2472 Kjepaa32.exe 36 PID 2908 wrote to memory of 1628 2908 Kngekdnf.exe 37 PID 2908 wrote to memory of 1628 2908 Kngekdnf.exe 37 PID 2908 wrote to memory of 1628 2908 Kngekdnf.exe 37 PID 2908 wrote to memory of 1628 2908 Kngekdnf.exe 37 PID 1628 wrote to memory of 2784 1628 Klkfdi32.exe 38 PID 1628 wrote to memory of 2784 1628 Klkfdi32.exe 38 PID 1628 wrote to memory of 2784 1628 Klkfdi32.exe 38 PID 1628 wrote to memory of 2784 1628 Klkfdi32.exe 38 PID 2784 wrote to memory of 2036 2784 Lbgkfbbj.exe 39 PID 2784 wrote to memory of 2036 2784 Lbgkfbbj.exe 39 PID 2784 wrote to memory of 2036 2784 Lbgkfbbj.exe 39 PID 2784 wrote to memory of 2036 2784 Lbgkfbbj.exe 39 PID 2036 wrote to memory of 264 2036 Lonlkcho.exe 40 PID 2036 wrote to memory of 264 2036 Lonlkcho.exe 40 PID 2036 wrote to memory of 264 2036 Lonlkcho.exe 40 PID 2036 wrote to memory of 264 2036 Lonlkcho.exe 40 PID 264 wrote to memory of 2216 264 Lkelpd32.exe 41 PID 264 wrote to memory of 2216 264 Lkelpd32.exe 41 PID 264 wrote to memory of 2216 264 Lkelpd32.exe 41 PID 264 wrote to memory of 2216 264 Lkelpd32.exe 41 PID 2216 wrote to memory of 2772 2216 Laaabo32.exe 42 PID 2216 wrote to memory of 2772 2216 Laaabo32.exe 42 PID 2216 wrote to memory of 2772 2216 Laaabo32.exe 42 PID 2216 wrote to memory of 2772 2216 Laaabo32.exe 42 PID 2772 wrote to memory of 2916 2772 Lilfgq32.exe 43 PID 2772 wrote to memory of 2916 2772 Lilfgq32.exe 43 PID 2772 wrote to memory of 2916 2772 Lilfgq32.exe 43 PID 2772 wrote to memory of 2916 2772 Lilfgq32.exe 43 PID 2916 wrote to memory of 1264 2916 Mpikik32.exe 44 PID 2916 wrote to memory of 1264 2916 Mpikik32.exe 44 PID 2916 wrote to memory of 1264 2916 Mpikik32.exe 44 PID 2916 wrote to memory of 1264 2916 Mpikik32.exe 44 PID 1264 wrote to memory of 2684 1264 Mcidkf32.exe 45 PID 1264 wrote to memory of 2684 1264 Mcidkf32.exe 45 PID 1264 wrote to memory of 2684 1264 Mcidkf32.exe 45 PID 1264 wrote to memory of 2684 1264 Mcidkf32.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\f80de9b1780c03cfd79ca46b26e9accfc88b946234b19f4b7378dd45b2678c01N.exe"C:\Users\Admin\AppData\Local\Temp\f80de9b1780c03cfd79ca46b26e9accfc88b946234b19f4b7378dd45b2678c01N.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2700 -
C:\Windows\SysWOW64\Jbcelp32.exeC:\Windows\system32\Jbcelp32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2632 -
C:\Windows\SysWOW64\Jkkjeeke.exeC:\Windows\system32\Jkkjeeke.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2096 -
C:\Windows\SysWOW64\Jcfoihhp.exeC:\Windows\system32\Jcfoihhp.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2692 -
C:\Windows\SysWOW64\Jjpgfbom.exeC:\Windows\system32\Jjpgfbom.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2664 -
C:\Windows\SysWOW64\Jpmooind.exeC:\Windows\system32\Jpmooind.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2544 -
C:\Windows\SysWOW64\Kjepaa32.exeC:\Windows\system32\Kjepaa32.exe7⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2472 -
C:\Windows\SysWOW64\Kngekdnf.exeC:\Windows\system32\Kngekdnf.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2908 -
C:\Windows\SysWOW64\Klkfdi32.exeC:\Windows\system32\Klkfdi32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1628 -
C:\Windows\SysWOW64\Lbgkfbbj.exeC:\Windows\system32\Lbgkfbbj.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2784 -
C:\Windows\SysWOW64\Lonlkcho.exeC:\Windows\system32\Lonlkcho.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2036 -
C:\Windows\SysWOW64\Lkelpd32.exeC:\Windows\system32\Lkelpd32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:264 -
C:\Windows\SysWOW64\Laaabo32.exeC:\Windows\system32\Laaabo32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2216 -
C:\Windows\SysWOW64\Lilfgq32.exeC:\Windows\system32\Lilfgq32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2772 -
C:\Windows\SysWOW64\Mpikik32.exeC:\Windows\system32\Mpikik32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2916 -
C:\Windows\SysWOW64\Mcidkf32.exeC:\Windows\system32\Mcidkf32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1264 -
C:\Windows\SysWOW64\Mhflcm32.exeC:\Windows\system32\Mhflcm32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2684 -
C:\Windows\SysWOW64\Mldeik32.exeC:\Windows\system32\Mldeik32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1780 -
C:\Windows\SysWOW64\Mnhnfckm.exeC:\Windows\system32\Mnhnfckm.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1612 -
C:\Windows\SysWOW64\Njnokdaq.exeC:\Windows\system32\Njnokdaq.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2164 -
C:\Windows\SysWOW64\Ncgcdi32.exeC:\Windows\system32\Ncgcdi32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2288 -
C:\Windows\SysWOW64\Npkdnnfk.exeC:\Windows\system32\Npkdnnfk.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2780 -
C:\Windows\SysWOW64\Nnodgbed.exeC:\Windows\system32\Nnodgbed.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1732 -
C:\Windows\SysWOW64\Njeelc32.exeC:\Windows\system32\Njeelc32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2748 -
C:\Windows\SysWOW64\Nobndj32.exeC:\Windows\system32\Nobndj32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1580 -
C:\Windows\SysWOW64\Omfnnnhj.exeC:\Windows\system32\Omfnnnhj.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2628 -
C:\Windows\SysWOW64\Ofobgc32.exeC:\Windows\system32\Ofobgc32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2320 -
C:\Windows\SysWOW64\Oddphp32.exeC:\Windows\system32\Oddphp32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2556 -
C:\Windows\SysWOW64\Ooidei32.exeC:\Windows\system32\Ooidei32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2612 -
C:\Windows\SysWOW64\Oiahnnji.exeC:\Windows\system32\Oiahnnji.exe30⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2304 -
C:\Windows\SysWOW64\Objmgd32.exeC:\Windows\system32\Objmgd32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1640 -
C:\Windows\SysWOW64\Okbapi32.exeC:\Windows\system32\Okbapi32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1096 -
C:\Windows\SysWOW64\Oqojhp32.exeC:\Windows\system32\Oqojhp32.exe33⤵
- Executes dropped EXE
PID:1032 -
C:\Windows\SysWOW64\Pgibdjln.exeC:\Windows\system32\Pgibdjln.exe34⤵
- Executes dropped EXE
PID:1968 -
C:\Windows\SysWOW64\Pncjad32.exeC:\Windows\system32\Pncjad32.exe35⤵
- Executes dropped EXE
PID:2032 -
C:\Windows\SysWOW64\Pglojj32.exeC:\Windows\system32\Pglojj32.exe36⤵
- Executes dropped EXE
PID:2052 -
C:\Windows\SysWOW64\Pmhgba32.exeC:\Windows\system32\Pmhgba32.exe37⤵
- Executes dropped EXE
PID:2992 -
C:\Windows\SysWOW64\Pbepkh32.exeC:\Windows\system32\Pbepkh32.exe38⤵
- Executes dropped EXE
PID:2312 -
C:\Windows\SysWOW64\Piohgbng.exeC:\Windows\system32\Piohgbng.exe39⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1636 -
C:\Windows\SysWOW64\Pcdldknm.exeC:\Windows\system32\Pcdldknm.exe40⤵
- Executes dropped EXE
PID:2996 -
C:\Windows\SysWOW64\Pefhlcdk.exeC:\Windows\system32\Pefhlcdk.exe41⤵
- Executes dropped EXE
PID:2872 -
C:\Windows\SysWOW64\Plpqim32.exeC:\Windows\system32\Plpqim32.exe42⤵
- Executes dropped EXE
PID:1432 -
C:\Windows\SysWOW64\Pfeeff32.exeC:\Windows\system32\Pfeeff32.exe43⤵
- Executes dropped EXE
PID:1572 -
C:\Windows\SysWOW64\Phgannal.exeC:\Windows\system32\Phgannal.exe44⤵
- Executes dropped EXE
PID:1408 -
C:\Windows\SysWOW64\Qnqjkh32.exeC:\Windows\system32\Qnqjkh32.exe45⤵
- Executes dropped EXE
PID:3000 -
C:\Windows\SysWOW64\Qekbgbpf.exeC:\Windows\system32\Qekbgbpf.exe46⤵
- Executes dropped EXE
- Modifies registry class
PID:2240 -
C:\Windows\SysWOW64\Qldjdlgb.exeC:\Windows\system32\Qldjdlgb.exe47⤵
- Executes dropped EXE
PID:2184 -
C:\Windows\SysWOW64\Qbobaf32.exeC:\Windows\system32\Qbobaf32.exe48⤵
- Executes dropped EXE
PID:3028 -
C:\Windows\SysWOW64\Qdpohodn.exeC:\Windows\system32\Qdpohodn.exe49⤵
- Executes dropped EXE
- Modifies registry class
PID:3024 -
C:\Windows\SysWOW64\Anecfgdc.exeC:\Windows\system32\Anecfgdc.exe50⤵
- Executes dropped EXE
PID:1588 -
C:\Windows\SysWOW64\Aeokba32.exeC:\Windows\system32\Aeokba32.exe51⤵
- Executes dropped EXE
PID:2516 -
C:\Windows\SysWOW64\Ajldkhjh.exeC:\Windows\system32\Ajldkhjh.exe52⤵
- Executes dropped EXE
PID:2972 -
C:\Windows\SysWOW64\Apilcoho.exeC:\Windows\system32\Apilcoho.exe53⤵
- Executes dropped EXE
PID:2128 -
C:\Windows\SysWOW64\Bpboinpd.exeC:\Windows\system32\Bpboinpd.exe54⤵
- Executes dropped EXE
PID:904 -
C:\Windows\SysWOW64\Bogljj32.exeC:\Windows\system32\Bogljj32.exe55⤵
- Executes dropped EXE
PID:992 -
C:\Windows\SysWOW64\Bojipjcj.exeC:\Windows\system32\Bojipjcj.exe56⤵
- Executes dropped EXE
PID:1992 -
C:\Windows\SysWOW64\Bdfahaaa.exeC:\Windows\system32\Bdfahaaa.exe57⤵
- Executes dropped EXE
PID:1144 -
C:\Windows\SysWOW64\Befnbd32.exeC:\Windows\system32\Befnbd32.exe58⤵
- Executes dropped EXE
PID:468 -
C:\Windows\SysWOW64\Boobki32.exeC:\Windows\system32\Boobki32.exe59⤵
- Executes dropped EXE
PID:1980 -
C:\Windows\SysWOW64\Cgjgol32.exeC:\Windows\system32\Cgjgol32.exe60⤵
- Executes dropped EXE
PID:2088 -
C:\Windows\SysWOW64\Ccqhdmbc.exeC:\Windows\system32\Ccqhdmbc.exe61⤵
- Executes dropped EXE
PID:524 -
C:\Windows\SysWOW64\Clilmbhd.exeC:\Windows\system32\Clilmbhd.exe62⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2524 -
C:\Windows\SysWOW64\Cfaqfh32.exeC:\Windows\system32\Cfaqfh32.exe63⤵
- Executes dropped EXE
PID:316 -
C:\Windows\SysWOW64\Cpgecq32.exeC:\Windows\system32\Cpgecq32.exe64⤵
- Executes dropped EXE
PID:1656 -
C:\Windows\SysWOW64\Cfcmlg32.exeC:\Windows\system32\Cfcmlg32.exe65⤵
- Executes dropped EXE
PID:1908 -
C:\Windows\SysWOW64\Cpiaipmh.exeC:\Windows\system32\Cpiaipmh.exe66⤵
- Drops file in System32 directory
PID:2848 -
C:\Windows\SysWOW64\Cffjagko.exeC:\Windows\system32\Cffjagko.exe67⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2800 -
C:\Windows\SysWOW64\Dlpbna32.exeC:\Windows\system32\Dlpbna32.exe68⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2160 -
C:\Windows\SysWOW64\Dfhgggim.exeC:\Windows\system32\Dfhgggim.exe69⤵
- System Location Discovery: System Language Discovery
PID:588 -
C:\Windows\SysWOW64\Doqkpl32.exeC:\Windows\system32\Doqkpl32.exe70⤵
- System Location Discovery: System Language Discovery
PID:2624 -
C:\Windows\SysWOW64\Ddmchcnd.exeC:\Windows\system32\Ddmchcnd.exe71⤵PID:2740
-
C:\Windows\SysWOW64\Dochelmj.exeC:\Windows\system32\Dochelmj.exe72⤵PID:2548
-
C:\Windows\SysWOW64\Ddppmclb.exeC:\Windows\system32\Ddppmclb.exe73⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2968 -
C:\Windows\SysWOW64\Dkjhjm32.exeC:\Windows\system32\Dkjhjm32.exe74⤵PID:2792
-
C:\Windows\SysWOW64\Dgqion32.exeC:\Windows\system32\Dgqion32.exe75⤵PID:2480
-
C:\Windows\SysWOW64\Dmmbge32.exeC:\Windows\system32\Dmmbge32.exe76⤵PID:1156
-
C:\Windows\SysWOW64\Egcfdn32.exeC:\Windows\system32\Egcfdn32.exe77⤵PID:1360
-
C:\Windows\SysWOW64\Ecjgio32.exeC:\Windows\system32\Ecjgio32.exe78⤵
- System Location Discovery: System Language Discovery
PID:2392 -
C:\Windows\SysWOW64\Efjpkj32.exeC:\Windows\system32\Efjpkj32.exe79⤵PID:768
-
C:\Windows\SysWOW64\Ecnpdnho.exeC:\Windows\system32\Ecnpdnho.exe80⤵PID:1952
-
C:\Windows\SysWOW64\Enhaeldn.exeC:\Windows\system32\Enhaeldn.exe81⤵PID:2572
-
C:\Windows\SysWOW64\Einebddd.exeC:\Windows\system32\Einebddd.exe82⤵PID:2064
-
C:\Windows\SysWOW64\Faijggao.exeC:\Windows\system32\Faijggao.exe83⤵PID:1668
-
C:\Windows\SysWOW64\Fjaoplho.exeC:\Windows\system32\Fjaoplho.exe84⤵PID:2152
-
C:\Windows\SysWOW64\Fefcmehe.exeC:\Windows\system32\Fefcmehe.exe85⤵PID:816
-
C:\Windows\SysWOW64\Fmbgageq.exeC:\Windows\system32\Fmbgageq.exe86⤵PID:2428
-
C:\Windows\SysWOW64\Feipbefb.exeC:\Windows\system32\Feipbefb.exe87⤵PID:2888
-
C:\Windows\SysWOW64\Ffmipmjn.exeC:\Windows\system32\Ffmipmjn.exe88⤵PID:2196
-
C:\Windows\SysWOW64\Fdqiiaih.exeC:\Windows\system32\Fdqiiaih.exe89⤵PID:2176
-
C:\Windows\SysWOW64\Gminbfoh.exeC:\Windows\system32\Gminbfoh.exe90⤵PID:2168
-
C:\Windows\SysWOW64\Gipngg32.exeC:\Windows\system32\Gipngg32.exe91⤵
- Drops file in System32 directory
PID:1844 -
C:\Windows\SysWOW64\Gfcopl32.exeC:\Windows\system32\Gfcopl32.exe92⤵
- Modifies registry class
PID:1080 -
C:\Windows\SysWOW64\Ghekhd32.exeC:\Windows\system32\Ghekhd32.exe93⤵PID:844
-
C:\Windows\SysWOW64\Geilah32.exeC:\Windows\system32\Geilah32.exe94⤵
- Drops file in System32 directory
PID:1672 -
C:\Windows\SysWOW64\Gkedjo32.exeC:\Windows\system32\Gkedjo32.exe95⤵PID:1452
-
C:\Windows\SysWOW64\Gdnibdmf.exeC:\Windows\system32\Gdnibdmf.exe96⤵
- Modifies registry class
PID:1856 -
C:\Windows\SysWOW64\Habili32.exeC:\Windows\system32\Habili32.exe97⤵
- System Location Discovery: System Language Discovery
PID:1872 -
C:\Windows\SysWOW64\Hhnnnbaj.exeC:\Windows\system32\Hhnnnbaj.exe98⤵PID:924
-
C:\Windows\SysWOW64\Hipkfkgh.exeC:\Windows\system32\Hipkfkgh.exe99⤵PID:1976
-
C:\Windows\SysWOW64\Hdeoccgn.exeC:\Windows\system32\Hdeoccgn.exe100⤵
- Drops file in System32 directory
PID:2464 -
C:\Windows\SysWOW64\Hkogpn32.exeC:\Windows\system32\Hkogpn32.exe101⤵PID:2072
-
C:\Windows\SysWOW64\Hgfheodo.exeC:\Windows\system32\Hgfheodo.exe102⤵PID:1516
-
C:\Windows\SysWOW64\Hlbpme32.exeC:\Windows\system32\Hlbpme32.exe103⤵
- Modifies registry class
PID:1676 -
C:\Windows\SysWOW64\Hghdjn32.exeC:\Windows\system32\Hghdjn32.exe104⤵PID:2764
-
C:\Windows\SysWOW64\Ipqicdim.exeC:\Windows\system32\Ipqicdim.exe105⤵PID:2492
-
C:\Windows\SysWOW64\Icabeo32.exeC:\Windows\system32\Icabeo32.exe106⤵PID:2260
-
C:\Windows\SysWOW64\Ihnjmf32.exeC:\Windows\system32\Ihnjmf32.exe107⤵
- System Location Discovery: System Language Discovery
PID:2560 -
C:\Windows\SysWOW64\Inkcem32.exeC:\Windows\system32\Inkcem32.exe108⤵PID:2028
-
C:\Windows\SysWOW64\Igcgnbim.exeC:\Windows\system32\Igcgnbim.exe109⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2276 -
C:\Windows\SysWOW64\Ihbdhepp.exeC:\Windows\system32\Ihbdhepp.exe110⤵PID:1984
-
C:\Windows\SysWOW64\Jdidmf32.exeC:\Windows\system32\Jdidmf32.exe111⤵PID:2920
-
C:\Windows\SysWOW64\Jdlacfca.exeC:\Windows\system32\Jdlacfca.exe112⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1724 -
C:\Windows\SysWOW64\Jmgfgham.exeC:\Windows\system32\Jmgfgham.exe113⤵PID:1808
-
C:\Windows\SysWOW64\Jgmjdaqb.exeC:\Windows\system32\Jgmjdaqb.exe114⤵PID:2532
-
C:\Windows\SysWOW64\Kpoejbhe.exeC:\Windows\system32\Kpoejbhe.exe115⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2084 -
C:\Windows\SysWOW64\Kabngjla.exeC:\Windows\system32\Kabngjla.exe116⤵PID:2172
-
C:\Windows\SysWOW64\Kccgheib.exeC:\Windows\system32\Kccgheib.exe117⤵PID:2704
-
C:\Windows\SysWOW64\Kmklak32.exeC:\Windows\system32\Kmklak32.exe118⤵PID:2180
-
C:\Windows\SysWOW64\Lfdpjp32.exeC:\Windows\system32\Lfdpjp32.exe119⤵PID:2912
-
C:\Windows\SysWOW64\Lmnhgjmp.exeC:\Windows\system32\Lmnhgjmp.exe120⤵PID:2188
-
C:\Windows\SysWOW64\Ljbipolj.exeC:\Windows\system32\Ljbipolj.exe121⤵PID:708
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-