Analysis
-
max time kernel
21s -
max time network
16s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
17/10/2024, 20:39
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
378b5ab0cb20d886a53f20c726f9a6ef86964d0c7e2accdb27638cb99e3db237.exe
Resource
win7-20240903-en
windows7-x64
9 signatures
150 seconds
Behavioral task
behavioral2
Sample
378b5ab0cb20d886a53f20c726f9a6ef86964d0c7e2accdb27638cb99e3db237.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
8 signatures
150 seconds
General
-
Target
378b5ab0cb20d886a53f20c726f9a6ef86964d0c7e2accdb27638cb99e3db237.exe
-
Size
60KB
-
MD5
10a0af721320f12dc8d3d1c1c4954bad
-
SHA1
57628fb12cfa1b1fb43f2cb2e8cab4054da139c1
-
SHA256
378b5ab0cb20d886a53f20c726f9a6ef86964d0c7e2accdb27638cb99e3db237
-
SHA512
eedcf0e3a6ddf317b4fe1b81bf66ae03bc3a7872b2880242c34c234997cc9351038d97378f509ccaccf0c3cb81f60edcfee3a73f3ed4f4da6e08ea5c0b382250
-
SSDEEP
1536:DNlF/gXoibS3lg7Z4wQULesB4IaB86l1r:NmoibSADesBRaB86l1r
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hekefkig.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ljplkonl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Felekcop.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nklaipbj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Manjaldo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bdcnhk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cofaog32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ijopjhfh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kcimhpma.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kbcddlnd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kkkhmadd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Faijggao.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fnadkjlc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hdpehd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Malmllfb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cpjklo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kmfklepl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kflcok32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fappgflg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fdnlcakk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nlldmimi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Afndjdpe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bodhjdcc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cjboeenh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Icbkhnan.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cfcmlg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gbcien32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ilemce32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dhklna32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fmfalg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Golgon32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kbeqjl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mddibb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kbpnkm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lchqcd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kqokgd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Moqgiopk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Icoepohq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Keappgmg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fpbqcb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ffmipmjn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nhqhmj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Odnobj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kcngcp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Meffjjln.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Epcddopf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pmqffonj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jmlobg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aeenapck.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ahhchk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ccnddg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jfddkmch.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kjmoeo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kjmoeo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Igngim32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Knoaeimg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nahfkigd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jjkfqlpf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dckcnj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fqffgapf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lfnlcnih.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mfceom32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nmacej32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ioefdpne.exe -
Executes dropped EXE 64 IoCs
pid Process 2688 Cdngip32.exe 2672 Ccqhdmbc.exe 2832 Clilmbhd.exe 1804 Cccdjl32.exe 528 Cfaqfh32.exe 1044 Cgqmpkfg.exe 2860 Cfcmlg32.exe 2980 Cffjagko.exe 2112 Dlpbna32.exe 2940 Dbmkfh32.exe 2816 Ddkgbc32.exe 2600 Dfkclf32.exe 1752 Dhiphb32.exe 2300 Dqddmd32.exe 2232 Dhklna32.exe 952 Dbdagg32.exe 1100 Dcemnopj.exe 2416 Djoeki32.exe 2452 Dqinhcoc.exe 1620 Egcfdn32.exe 1552 Epnkip32.exe 1796 Embkbdce.exe 2732 Epqgopbi.exe 2744 Ebockkal.exe 2576 Ekghcq32.exe 2556 Epcddopf.exe 2616 Eepmlf32.exe 3056 Elieipej.exe 2120 Enhaeldn.exe 1780 Fnjnkkbk.exe 2796 Faijggao.exe 2944 Fjaoplho.exe 2880 Fbhfajia.exe 3048 Fmbgageq.exe 2308 Famcbf32.exe 1972 Fjfhkl32.exe 1280 Fnadkjlc.exe 3016 Fappgflg.exe 1924 Fpbqcb32.exe 1512 Fdnlcakk.exe 3024 Ffmipmjn.exe 1760 Fmfalg32.exe 268 Fpemhb32.exe 1784 Gbcien32.exe 1980 Gjjafkpe.exe 320 Gimaah32.exe 2664 Gllnnc32.exe 2388 Gfabkl32.exe 2712 Gipngg32.exe 408 Glnkcc32.exe 1776 Gpjfcali.exe 1144 Golgon32.exe 2104 Gefolhja.exe 2952 Ghekhd32.exe 3064 Glpgibbn.exe 324 Gampaipe.exe 1792 Geilah32.exe 1152 Gkedjo32.exe 3012 Goapjnoo.exe 2456 Gekhgh32.exe 1800 Gdnibdmf.exe 2220 Gleqdb32.exe 1848 Hocmpm32.exe 2496 Hdpehd32.exe -
Loads dropped DLL 64 IoCs
pid Process 2400 378b5ab0cb20d886a53f20c726f9a6ef86964d0c7e2accdb27638cb99e3db237.exe 2400 378b5ab0cb20d886a53f20c726f9a6ef86964d0c7e2accdb27638cb99e3db237.exe 2688 Cdngip32.exe 2688 Cdngip32.exe 2672 Ccqhdmbc.exe 2672 Ccqhdmbc.exe 2832 Clilmbhd.exe 2832 Clilmbhd.exe 1804 Cccdjl32.exe 1804 Cccdjl32.exe 528 Cfaqfh32.exe 528 Cfaqfh32.exe 1044 Cgqmpkfg.exe 1044 Cgqmpkfg.exe 2860 Cfcmlg32.exe 2860 Cfcmlg32.exe 2980 Cffjagko.exe 2980 Cffjagko.exe 2112 Dlpbna32.exe 2112 Dlpbna32.exe 2940 Dbmkfh32.exe 2940 Dbmkfh32.exe 2816 Ddkgbc32.exe 2816 Ddkgbc32.exe 2600 Dfkclf32.exe 2600 Dfkclf32.exe 1752 Dhiphb32.exe 1752 Dhiphb32.exe 2300 Dqddmd32.exe 2300 Dqddmd32.exe 2232 Dhklna32.exe 2232 Dhklna32.exe 952 Dbdagg32.exe 952 Dbdagg32.exe 1100 Dcemnopj.exe 1100 Dcemnopj.exe 2416 Djoeki32.exe 2416 Djoeki32.exe 2452 Dqinhcoc.exe 2452 Dqinhcoc.exe 1620 Egcfdn32.exe 1620 Egcfdn32.exe 1552 Epnkip32.exe 1552 Epnkip32.exe 1796 Embkbdce.exe 1796 Embkbdce.exe 2732 Epqgopbi.exe 2732 Epqgopbi.exe 2744 Ebockkal.exe 2744 Ebockkal.exe 2576 Ekghcq32.exe 2576 Ekghcq32.exe 2556 Epcddopf.exe 2556 Epcddopf.exe 2616 Eepmlf32.exe 2616 Eepmlf32.exe 3056 Elieipej.exe 3056 Elieipej.exe 2120 Enhaeldn.exe 2120 Enhaeldn.exe 1780 Fnjnkkbk.exe 1780 Fnjnkkbk.exe 2796 Faijggao.exe 2796 Faijggao.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Mphajbdq.dll Fnadkjlc.exe File opened for modification C:\Windows\SysWOW64\Ljplkonl.exe Lhapocoi.exe File created C:\Windows\SysWOW64\Hnfncjmm.dll Liibgkoo.exe File opened for modification C:\Windows\SysWOW64\Gjngoj32.exe Ghpkbn32.exe File created C:\Windows\SysWOW64\Kqmnadlk.exe Knoaeimg.exe File opened for modification C:\Windows\SysWOW64\Embkbdce.exe Epnkip32.exe File created C:\Windows\SysWOW64\Glnkcc32.exe Gipngg32.exe File created C:\Windows\SysWOW64\Biqfpb32.exe Bknfeege.exe File opened for modification C:\Windows\SysWOW64\Chofhm32.exe Ceqjla32.exe File opened for modification C:\Windows\SysWOW64\Cpjklo32.exe Cnlnpd32.exe File created C:\Windows\SysWOW64\Ifpjem32.dll Dhleaq32.exe File opened for modification C:\Windows\SysWOW64\Blaobmkq.exe Biccfalm.exe File opened for modification C:\Windows\SysWOW64\Cniajdkg.exe Cofaog32.exe File created C:\Windows\SysWOW64\Neccdc32.dll Jbcgeilh.exe File created C:\Windows\SysWOW64\Hkogpn32.exe Hchoop32.exe File opened for modification C:\Windows\SysWOW64\Icoepohq.exe Ilemce32.exe File opened for modification C:\Windows\SysWOW64\Ljbipolj.exe Lbkaoalg.exe File created C:\Windows\SysWOW64\Naimepkp.exe Nokqidll.exe File created C:\Windows\SysWOW64\Neibanod.exe Nlanhh32.exe File opened for modification C:\Windows\SysWOW64\Enenef32.exe Ekfaij32.exe File created C:\Windows\SysWOW64\Nhnemdbf.exe Neohqicc.exe File created C:\Windows\SysWOW64\Fpkchm32.exe Fmlglb32.exe File created C:\Windows\SysWOW64\Nejfepch.dll Igngim32.exe File created C:\Windows\SysWOW64\Jflgph32.exe Jbakpi32.exe File created C:\Windows\SysWOW64\Kgdiho32.exe Kcimhpma.exe File created C:\Windows\SysWOW64\Fpmpnmck.exe Fmodaadg.exe File created C:\Windows\SysWOW64\Gbcien32.exe Fpemhb32.exe File created C:\Windows\SysWOW64\Dkmbap32.dll Kapaaj32.exe File opened for modification C:\Windows\SysWOW64\Knikfnih.exe Kjmoeo32.exe File created C:\Windows\SysWOW64\Ljplkonl.exe Lhapocoi.exe File opened for modification C:\Windows\SysWOW64\Naimepkp.exe Nokqidll.exe File created C:\Windows\SysWOW64\Apfici32.exe Ailqfooi.exe File created C:\Windows\SysWOW64\Aiqjao32.exe Aeenapck.exe File created C:\Windows\SysWOW64\Faijggao.exe Fnjnkkbk.exe File created C:\Windows\SysWOW64\Gleqdb32.exe Gdnibdmf.exe File created C:\Windows\SysWOW64\Hehhqk32.exe Hdgkicek.exe File created C:\Windows\SysWOW64\Akjfgh32.dll Nhqhmj32.exe File created C:\Windows\SysWOW64\Omnmal32.exe Ojpaeq32.exe File created C:\Windows\SysWOW64\Opbjmj32.dll Knoaeimg.exe File opened for modification C:\Windows\SysWOW64\Mlgdhcmb.exe Mdplfflp.exe File created C:\Windows\SysWOW64\Mpnngi32.exe Malmllfb.exe File opened for modification C:\Windows\SysWOW64\Jdadadkl.exe Jbcgeilh.exe File opened for modification C:\Windows\SysWOW64\Lajmkhai.exe Lpiacp32.exe File created C:\Windows\SysWOW64\Oomjld32.dll Ekghcq32.exe File created C:\Windows\SysWOW64\Bknfeege.exe Bdcnhk32.exe File opened for modification C:\Windows\SysWOW64\Haleefoe.exe Hkbmil32.exe File opened for modification C:\Windows\SysWOW64\Hpicbe32.exe Hnkffi32.exe File created C:\Windows\SysWOW64\Kkggemii.dll Qmepanje.exe File created C:\Windows\SysWOW64\Cdamao32.exe Cabaec32.exe File created C:\Windows\SysWOW64\Dlecmb32.dll Fpbihl32.exe File created C:\Windows\SysWOW64\Kfadkk32.dll Fnjnkkbk.exe File created C:\Windows\SysWOW64\Kegmaomi.dll Odqlhjbi.exe File opened for modification C:\Windows\SysWOW64\Abkkpd32.exe Alaccj32.exe File opened for modification C:\Windows\SysWOW64\Eomdoj32.exe Egflml32.exe File created C:\Windows\SysWOW64\Fcfohlmg.exe Fpkchm32.exe File opened for modification C:\Windows\SysWOW64\Heedqe32.exe Hbghdj32.exe File created C:\Windows\SysWOW64\Dbcgao32.dll Mpimbcnf.exe File created C:\Windows\SysWOW64\Iidbakdl.dll Cdngip32.exe File created C:\Windows\SysWOW64\Ffmaalgf.dll Jgmjdaqb.exe File opened for modification C:\Windows\SysWOW64\Ojdjqp32.exe Obnbpb32.exe File created C:\Windows\SysWOW64\Pqgilnji.exe Pnimpcke.exe File created C:\Windows\SysWOW64\Ekddck32.exe Ehfhgogp.exe File created C:\Windows\SysWOW64\Jknicnpf.exe Jcgqbq32.exe File created C:\Windows\SysWOW64\Lknebaba.exe Kioiffcn.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 5568 5668 WerFault.exe 567 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bhjpnj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ngcanq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ilemce32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Neblqoel.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kmfklepl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Keappgmg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mldgbcoe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Opblgehg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cdngip32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nakikpin.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ooofcg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jqhdfe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lcppgbjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cnlnpd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Heakefnf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lnnndl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nacmpj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lmnhgjmp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Egflml32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Igcgnbim.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lenffl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mebpakbq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Geaofc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nafiej32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cfaqfh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iemalkgd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mgmoob32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pmcgmkil.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Peeabm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Abdeoe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ngencpel.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fjfhkl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Knikfnih.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nhcebj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oomjng32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pbblkaea.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pnnfkb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Haleefoe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iaobkf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dhklna32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Meemgk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jgnchplb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lpiacp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gngfjicn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dbdagg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qmepanje.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bpjnmlel.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lgiobadq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mejoei32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kpjhnfof.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qmcclolh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jgjmoace.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kcajceke.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Limhpihl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fnadkjlc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gampaipe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kbeqjl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mpkjgckc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ccnddg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Igkjcm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eqamla32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jflgph32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lknebaba.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Apfici32.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lhlbbg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bphkjefo.dll" Ladgkmlj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nogmin32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ehebqm32.dll" Gngfjicn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffffpb32.dll" Hahljg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cobcakeo.dll" Ljgkom32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mlbkmdah.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kaekljjo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dmpgan32.dll" Peeabm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aeenapck.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ojeffiih.dll" Bdfjnkne.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Olgpff32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hhogaamj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jhfjadim.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gkedjo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ilifndlo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pkhdnh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fphgbn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ebockkal.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ccpqjfnh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dlecmb32.dll" Fpbihl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jlaeab32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ekddck32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbdkhhcq.dll" Glfjgaih.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Niedol32.dll" Jcckibfg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipgfpp32.dll" Amjiln32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aankkqfl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kacclb32.dll" Biccfalm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kjkbpp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pnnfkb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fjnkpf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lhkhmj32.dll" Fppmcmah.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Colojben.dll" Gleqdb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckobac32.dll" Hofjem32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fhfbabeh.dll" Jfmnkn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jqnocncd.dll" Kcajceke.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jkgbcofn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eacehe32.dll" Jkioho32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Poaamlnm.dll" Hogcil32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdldhfli.dll" Hbekojlp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nejfepch.dll" Igngim32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogepbg32.dll" Jhhfgcgj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkhanokh.dll" Ahhchk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hkbmil32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kjhopjqi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ffmipmjn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kkalcdao.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nlanhh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pohoplja.dll" Abdeoe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Igpdnlgd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lgdfgbhf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kanafj32.dll" Neohqicc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ekghcq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fnjnkkbk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aackfj32.dll" Hhlaiccm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aqodfpah.dll" Jjfmem32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imhhea32.dll" Nakikpin.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pildgl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ainmlomf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bmgifa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Djoeki32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ekghcq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fdnlcakk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cjmoammm.dll" Kbkdpnil.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2400 wrote to memory of 2688 2400 378b5ab0cb20d886a53f20c726f9a6ef86964d0c7e2accdb27638cb99e3db237.exe 30 PID 2400 wrote to memory of 2688 2400 378b5ab0cb20d886a53f20c726f9a6ef86964d0c7e2accdb27638cb99e3db237.exe 30 PID 2400 wrote to memory of 2688 2400 378b5ab0cb20d886a53f20c726f9a6ef86964d0c7e2accdb27638cb99e3db237.exe 30 PID 2400 wrote to memory of 2688 2400 378b5ab0cb20d886a53f20c726f9a6ef86964d0c7e2accdb27638cb99e3db237.exe 30 PID 2688 wrote to memory of 2672 2688 Cdngip32.exe 31 PID 2688 wrote to memory of 2672 2688 Cdngip32.exe 31 PID 2688 wrote to memory of 2672 2688 Cdngip32.exe 31 PID 2688 wrote to memory of 2672 2688 Cdngip32.exe 31 PID 2672 wrote to memory of 2832 2672 Ccqhdmbc.exe 32 PID 2672 wrote to memory of 2832 2672 Ccqhdmbc.exe 32 PID 2672 wrote to memory of 2832 2672 Ccqhdmbc.exe 32 PID 2672 wrote to memory of 2832 2672 Ccqhdmbc.exe 32 PID 2832 wrote to memory of 1804 2832 Clilmbhd.exe 33 PID 2832 wrote to memory of 1804 2832 Clilmbhd.exe 33 PID 2832 wrote to memory of 1804 2832 Clilmbhd.exe 33 PID 2832 wrote to memory of 1804 2832 Clilmbhd.exe 33 PID 1804 wrote to memory of 528 1804 Cccdjl32.exe 34 PID 1804 wrote to memory of 528 1804 Cccdjl32.exe 34 PID 1804 wrote to memory of 528 1804 Cccdjl32.exe 34 PID 1804 wrote to memory of 528 1804 Cccdjl32.exe 34 PID 528 wrote to memory of 1044 528 Cfaqfh32.exe 35 PID 528 wrote to memory of 1044 528 Cfaqfh32.exe 35 PID 528 wrote to memory of 1044 528 Cfaqfh32.exe 35 PID 528 wrote to memory of 1044 528 Cfaqfh32.exe 35 PID 1044 wrote to memory of 2860 1044 Cgqmpkfg.exe 36 PID 1044 wrote to memory of 2860 1044 Cgqmpkfg.exe 36 PID 1044 wrote to memory of 2860 1044 Cgqmpkfg.exe 36 PID 1044 wrote to memory of 2860 1044 Cgqmpkfg.exe 36 PID 2860 wrote to memory of 2980 2860 Cfcmlg32.exe 37 PID 2860 wrote to memory of 2980 2860 Cfcmlg32.exe 37 PID 2860 wrote to memory of 2980 2860 Cfcmlg32.exe 37 PID 2860 wrote to memory of 2980 2860 Cfcmlg32.exe 37 PID 2980 wrote to memory of 2112 2980 Cffjagko.exe 38 PID 2980 wrote to memory of 2112 2980 Cffjagko.exe 38 PID 2980 wrote to memory of 2112 2980 Cffjagko.exe 38 PID 2980 wrote to memory of 2112 2980 Cffjagko.exe 38 PID 2112 wrote to memory of 2940 2112 Dlpbna32.exe 39 PID 2112 wrote to memory of 2940 2112 Dlpbna32.exe 39 PID 2112 wrote to memory of 2940 2112 Dlpbna32.exe 39 PID 2112 wrote to memory of 2940 2112 Dlpbna32.exe 39 PID 2940 wrote to memory of 2816 2940 Dbmkfh32.exe 40 PID 2940 wrote to memory of 2816 2940 Dbmkfh32.exe 40 PID 2940 wrote to memory of 2816 2940 Dbmkfh32.exe 40 PID 2940 wrote to memory of 2816 2940 Dbmkfh32.exe 40 PID 2816 wrote to memory of 2600 2816 Ddkgbc32.exe 41 PID 2816 wrote to memory of 2600 2816 Ddkgbc32.exe 41 PID 2816 wrote to memory of 2600 2816 Ddkgbc32.exe 41 PID 2816 wrote to memory of 2600 2816 Ddkgbc32.exe 41 PID 2600 wrote to memory of 1752 2600 Dfkclf32.exe 42 PID 2600 wrote to memory of 1752 2600 Dfkclf32.exe 42 PID 2600 wrote to memory of 1752 2600 Dfkclf32.exe 42 PID 2600 wrote to memory of 1752 2600 Dfkclf32.exe 42 PID 1752 wrote to memory of 2300 1752 Dhiphb32.exe 43 PID 1752 wrote to memory of 2300 1752 Dhiphb32.exe 43 PID 1752 wrote to memory of 2300 1752 Dhiphb32.exe 43 PID 1752 wrote to memory of 2300 1752 Dhiphb32.exe 43 PID 2300 wrote to memory of 2232 2300 Dqddmd32.exe 44 PID 2300 wrote to memory of 2232 2300 Dqddmd32.exe 44 PID 2300 wrote to memory of 2232 2300 Dqddmd32.exe 44 PID 2300 wrote to memory of 2232 2300 Dqddmd32.exe 44 PID 2232 wrote to memory of 952 2232 Dhklna32.exe 45 PID 2232 wrote to memory of 952 2232 Dhklna32.exe 45 PID 2232 wrote to memory of 952 2232 Dhklna32.exe 45 PID 2232 wrote to memory of 952 2232 Dhklna32.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\378b5ab0cb20d886a53f20c726f9a6ef86964d0c7e2accdb27638cb99e3db237.exe"C:\Users\Admin\AppData\Local\Temp\378b5ab0cb20d886a53f20c726f9a6ef86964d0c7e2accdb27638cb99e3db237.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2400 -
C:\Windows\SysWOW64\Cdngip32.exeC:\Windows\system32\Cdngip32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2688 -
C:\Windows\SysWOW64\Ccqhdmbc.exeC:\Windows\system32\Ccqhdmbc.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2672 -
C:\Windows\SysWOW64\Clilmbhd.exeC:\Windows\system32\Clilmbhd.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2832 -
C:\Windows\SysWOW64\Cccdjl32.exeC:\Windows\system32\Cccdjl32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1804 -
C:\Windows\SysWOW64\Cfaqfh32.exeC:\Windows\system32\Cfaqfh32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:528 -
C:\Windows\SysWOW64\Cgqmpkfg.exeC:\Windows\system32\Cgqmpkfg.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1044 -
C:\Windows\SysWOW64\Cfcmlg32.exeC:\Windows\system32\Cfcmlg32.exe8⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2860 -
C:\Windows\SysWOW64\Cffjagko.exeC:\Windows\system32\Cffjagko.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2980 -
C:\Windows\SysWOW64\Dlpbna32.exeC:\Windows\system32\Dlpbna32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2112 -
C:\Windows\SysWOW64\Dbmkfh32.exeC:\Windows\system32\Dbmkfh32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2940 -
C:\Windows\SysWOW64\Ddkgbc32.exeC:\Windows\system32\Ddkgbc32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2816 -
C:\Windows\SysWOW64\Dfkclf32.exeC:\Windows\system32\Dfkclf32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2600 -
C:\Windows\SysWOW64\Dhiphb32.exeC:\Windows\system32\Dhiphb32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1752 -
C:\Windows\SysWOW64\Dqddmd32.exeC:\Windows\system32\Dqddmd32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2300 -
C:\Windows\SysWOW64\Dhklna32.exeC:\Windows\system32\Dhklna32.exe16⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2232 -
C:\Windows\SysWOW64\Dbdagg32.exeC:\Windows\system32\Dbdagg32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:952 -
C:\Windows\SysWOW64\Dcemnopj.exeC:\Windows\system32\Dcemnopj.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1100 -
C:\Windows\SysWOW64\Djoeki32.exeC:\Windows\system32\Djoeki32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2416 -
C:\Windows\SysWOW64\Dqinhcoc.exeC:\Windows\system32\Dqinhcoc.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2452 -
C:\Windows\SysWOW64\Egcfdn32.exeC:\Windows\system32\Egcfdn32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1620 -
C:\Windows\SysWOW64\Epnkip32.exeC:\Windows\system32\Epnkip32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1552 -
C:\Windows\SysWOW64\Embkbdce.exeC:\Windows\system32\Embkbdce.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1796 -
C:\Windows\SysWOW64\Epqgopbi.exeC:\Windows\system32\Epqgopbi.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2732 -
C:\Windows\SysWOW64\Ebockkal.exeC:\Windows\system32\Ebockkal.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2744 -
C:\Windows\SysWOW64\Ekghcq32.exeC:\Windows\system32\Ekghcq32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:2576 -
C:\Windows\SysWOW64\Epcddopf.exeC:\Windows\system32\Epcddopf.exe27⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2556 -
C:\Windows\SysWOW64\Eepmlf32.exeC:\Windows\system32\Eepmlf32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2616 -
C:\Windows\SysWOW64\Elieipej.exeC:\Windows\system32\Elieipej.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3056 -
C:\Windows\SysWOW64\Enhaeldn.exeC:\Windows\system32\Enhaeldn.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2120 -
C:\Windows\SysWOW64\Fnjnkkbk.exeC:\Windows\system32\Fnjnkkbk.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:1780 -
C:\Windows\SysWOW64\Faijggao.exeC:\Windows\system32\Faijggao.exe32⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2796 -
C:\Windows\SysWOW64\Fjaoplho.exeC:\Windows\system32\Fjaoplho.exe33⤵
- Executes dropped EXE
PID:2944 -
C:\Windows\SysWOW64\Fbhfajia.exeC:\Windows\system32\Fbhfajia.exe34⤵
- Executes dropped EXE
PID:2880 -
C:\Windows\SysWOW64\Fmbgageq.exeC:\Windows\system32\Fmbgageq.exe35⤵
- Executes dropped EXE
PID:3048 -
C:\Windows\SysWOW64\Famcbf32.exeC:\Windows\system32\Famcbf32.exe36⤵
- Executes dropped EXE
PID:2308 -
C:\Windows\SysWOW64\Fjfhkl32.exeC:\Windows\system32\Fjfhkl32.exe37⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1972 -
C:\Windows\SysWOW64\Fnadkjlc.exeC:\Windows\system32\Fnadkjlc.exe38⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1280 -
C:\Windows\SysWOW64\Fappgflg.exeC:\Windows\system32\Fappgflg.exe39⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3016 -
C:\Windows\SysWOW64\Fpbqcb32.exeC:\Windows\system32\Fpbqcb32.exe40⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1924 -
C:\Windows\SysWOW64\Fdnlcakk.exeC:\Windows\system32\Fdnlcakk.exe41⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:1512 -
C:\Windows\SysWOW64\Ffmipmjn.exeC:\Windows\system32\Ffmipmjn.exe42⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:3024 -
C:\Windows\SysWOW64\Fmfalg32.exeC:\Windows\system32\Fmfalg32.exe43⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1760 -
C:\Windows\SysWOW64\Fpemhb32.exeC:\Windows\system32\Fpemhb32.exe44⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:268 -
C:\Windows\SysWOW64\Gbcien32.exeC:\Windows\system32\Gbcien32.exe45⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1784 -
C:\Windows\SysWOW64\Gjjafkpe.exeC:\Windows\system32\Gjjafkpe.exe46⤵
- Executes dropped EXE
PID:1980 -
C:\Windows\SysWOW64\Gimaah32.exeC:\Windows\system32\Gimaah32.exe47⤵
- Executes dropped EXE
PID:320 -
C:\Windows\SysWOW64\Gllnnc32.exeC:\Windows\system32\Gllnnc32.exe48⤵
- Executes dropped EXE
PID:2664 -
C:\Windows\SysWOW64\Gfabkl32.exeC:\Windows\system32\Gfabkl32.exe49⤵
- Executes dropped EXE
PID:2388 -
C:\Windows\SysWOW64\Gipngg32.exeC:\Windows\system32\Gipngg32.exe50⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2712 -
C:\Windows\SysWOW64\Glnkcc32.exeC:\Windows\system32\Glnkcc32.exe51⤵
- Executes dropped EXE
PID:408 -
C:\Windows\SysWOW64\Gpjfcali.exeC:\Windows\system32\Gpjfcali.exe52⤵
- Executes dropped EXE
PID:1776 -
C:\Windows\SysWOW64\Golgon32.exeC:\Windows\system32\Golgon32.exe53⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1144 -
C:\Windows\SysWOW64\Gefolhja.exeC:\Windows\system32\Gefolhja.exe54⤵
- Executes dropped EXE
PID:2104 -
C:\Windows\SysWOW64\Ghekhd32.exeC:\Windows\system32\Ghekhd32.exe55⤵
- Executes dropped EXE
PID:2952 -
C:\Windows\SysWOW64\Glpgibbn.exeC:\Windows\system32\Glpgibbn.exe56⤵
- Executes dropped EXE
PID:3064 -
C:\Windows\SysWOW64\Gampaipe.exeC:\Windows\system32\Gampaipe.exe57⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:324 -
C:\Windows\SysWOW64\Geilah32.exeC:\Windows\system32\Geilah32.exe58⤵
- Executes dropped EXE
PID:1792 -
C:\Windows\SysWOW64\Gkedjo32.exeC:\Windows\system32\Gkedjo32.exe59⤵
- Executes dropped EXE
- Modifies registry class
PID:1152 -
C:\Windows\SysWOW64\Goapjnoo.exeC:\Windows\system32\Goapjnoo.exe60⤵
- Executes dropped EXE
PID:3012 -
C:\Windows\SysWOW64\Gekhgh32.exeC:\Windows\system32\Gekhgh32.exe61⤵
- Executes dropped EXE
PID:2456 -
C:\Windows\SysWOW64\Gdnibdmf.exeC:\Windows\system32\Gdnibdmf.exe62⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1800 -
C:\Windows\SysWOW64\Gleqdb32.exeC:\Windows\system32\Gleqdb32.exe63⤵
- Executes dropped EXE
- Modifies registry class
PID:2220 -
C:\Windows\SysWOW64\Hocmpm32.exeC:\Windows\system32\Hocmpm32.exe64⤵
- Executes dropped EXE
PID:1848 -
C:\Windows\SysWOW64\Hdpehd32.exeC:\Windows\system32\Hdpehd32.exe65⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2496 -
C:\Windows\SysWOW64\Hhlaiccm.exeC:\Windows\system32\Hhlaiccm.exe66⤵
- Modifies registry class
PID:880 -
C:\Windows\SysWOW64\Hofjem32.exeC:\Windows\system32\Hofjem32.exe67⤵
- Modifies registry class
PID:2620 -
C:\Windows\SysWOW64\Hmijajbd.exeC:\Windows\system32\Hmijajbd.exe68⤵PID:2800
-
C:\Windows\SysWOW64\Hpgfmeag.exeC:\Windows\system32\Hpgfmeag.exe69⤵PID:2596
-
C:\Windows\SysWOW64\Hhnnnbaj.exeC:\Windows\system32\Hhnnnbaj.exe70⤵PID:3052
-
C:\Windows\SysWOW64\Hganjo32.exeC:\Windows\system32\Hganjo32.exe71⤵PID:2540
-
C:\Windows\SysWOW64\Hkmjjn32.exeC:\Windows\system32\Hkmjjn32.exe72⤵PID:2068
-
C:\Windows\SysWOW64\Hnkffi32.exeC:\Windows\system32\Hnkffi32.exe73⤵
- Drops file in System32 directory
PID:2420 -
C:\Windows\SysWOW64\Hpicbe32.exeC:\Windows\system32\Hpicbe32.exe74⤵PID:2896
-
C:\Windows\SysWOW64\Hchoop32.exeC:\Windows\system32\Hchoop32.exe75⤵
- Drops file in System32 directory
PID:2884 -
C:\Windows\SysWOW64\Hkogpn32.exeC:\Windows\system32\Hkogpn32.exe76⤵PID:1148
-
C:\Windows\SysWOW64\Hibgkjee.exeC:\Windows\system32\Hibgkjee.exe77⤵PID:588
-
C:\Windows\SysWOW64\Hnmcli32.exeC:\Windows\system32\Hnmcli32.exe78⤵PID:1232
-
C:\Windows\SysWOW64\Hplphd32.exeC:\Windows\system32\Hplphd32.exe79⤵PID:316
-
C:\Windows\SysWOW64\Hdgkicek.exeC:\Windows\system32\Hdgkicek.exe80⤵
- Drops file in System32 directory
PID:2188 -
C:\Windows\SysWOW64\Hehhqk32.exeC:\Windows\system32\Hehhqk32.exe81⤵PID:1524
-
C:\Windows\SysWOW64\Hlbpme32.exeC:\Windows\system32\Hlbpme32.exe82⤵PID:1732
-
C:\Windows\SysWOW64\Hclhjpjc.exeC:\Windows\system32\Hclhjpjc.exe83⤵PID:1676
-
C:\Windows\SysWOW64\Hekefkig.exeC:\Windows\system32\Hekefkig.exe84⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2700 -
C:\Windows\SysWOW64\Ijfqfj32.exeC:\Windows\system32\Ijfqfj32.exe85⤵PID:2776
-
C:\Windows\SysWOW64\Ilemce32.exeC:\Windows\system32\Ilemce32.exe86⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2536 -
C:\Windows\SysWOW64\Icoepohq.exeC:\Windows\system32\Icoepohq.exe87⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2384 -
C:\Windows\SysWOW64\Iemalkgd.exeC:\Windows\system32\Iemalkgd.exe88⤵
- System Location Discovery: System Language Discovery
PID:2524 -
C:\Windows\SysWOW64\Iemalkgd.exeC:\Windows\system32\Iemalkgd.exe89⤵PID:2932
-
C:\Windows\SysWOW64\Ijimli32.exeC:\Windows\system32\Ijimli32.exe90⤵PID:2924
-
C:\Windows\SysWOW64\Ilgjhena.exeC:\Windows\system32\Ilgjhena.exe91⤵PID:2376
-
C:\Windows\SysWOW64\Ioefdpne.exeC:\Windows\system32\Ioefdpne.exe92⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1476 -
C:\Windows\SysWOW64\Icabeo32.exeC:\Windows\system32\Icabeo32.exe93⤵PID:1844
-
C:\Windows\SysWOW64\Iadbqlmh.exeC:\Windows\system32\Iadbqlmh.exe94⤵PID:1768
-
C:\Windows\SysWOW64\Idbnmgll.exeC:\Windows\system32\Idbnmgll.exe95⤵PID:1416
-
C:\Windows\SysWOW64\Ilifndlo.exeC:\Windows\system32\Ilifndlo.exe96⤵
- Modifies registry class
PID:2412 -
C:\Windows\SysWOW64\Iohbjpkb.exeC:\Windows\system32\Iohbjpkb.exe97⤵PID:1508
-
C:\Windows\SysWOW64\Inkcem32.exeC:\Windows\system32\Inkcem32.exe98⤵PID:2648
-
C:\Windows\SysWOW64\Ifbkgj32.exeC:\Windows\system32\Ifbkgj32.exe99⤵PID:1688
-
C:\Windows\SysWOW64\Ihpgce32.exeC:\Windows\system32\Ihpgce32.exe100⤵PID:2780
-
C:\Windows\SysWOW64\Igcgnbim.exeC:\Windows\system32\Igcgnbim.exe101⤵
- System Location Discovery: System Language Discovery
PID:2552 -
C:\Windows\SysWOW64\Inmpklpj.exeC:\Windows\system32\Inmpklpj.exe102⤵PID:2340
-
C:\Windows\SysWOW64\Iqllghon.exeC:\Windows\system32\Iqllghon.exe103⤵PID:2828
-
C:\Windows\SysWOW64\Igeddb32.exeC:\Windows\system32\Igeddb32.exe104⤵PID:2336
-
C:\Windows\SysWOW64\Ikapdqoc.exeC:\Windows\system32\Ikapdqoc.exe105⤵PID:1348
-
C:\Windows\SysWOW64\Inplqlng.exeC:\Windows\system32\Inplqlng.exe106⤵PID:1320
-
C:\Windows\SysWOW64\Ibkhak32.exeC:\Windows\system32\Ibkhak32.exe107⤵PID:896
-
C:\Windows\SysWOW64\Jqnhmgmk.exeC:\Windows\system32\Jqnhmgmk.exe108⤵PID:856
-
C:\Windows\SysWOW64\Jcleiclo.exeC:\Windows\system32\Jcleiclo.exe109⤵PID:2876
-
C:\Windows\SysWOW64\Jkcmjpma.exeC:\Windows\system32\Jkcmjpma.exe110⤵PID:2740
-
C:\Windows\SysWOW64\Jjfmem32.exeC:\Windows\system32\Jjfmem32.exe111⤵
- Modifies registry class
PID:2444 -
C:\Windows\SysWOW64\Jqpebg32.exeC:\Windows\system32\Jqpebg32.exe112⤵PID:2612
-
C:\Windows\SysWOW64\Jdlacfca.exeC:\Windows\system32\Jdlacfca.exe113⤵PID:2768
-
C:\Windows\SysWOW64\Jgjmoace.exeC:\Windows\system32\Jgjmoace.exe114⤵
- System Location Discovery: System Language Discovery
PID:2640 -
C:\Windows\SysWOW64\Jfmnkn32.exeC:\Windows\system32\Jfmnkn32.exe115⤵
- Modifies registry class
PID:1304 -
C:\Windows\SysWOW64\Jndflk32.exeC:\Windows\system32\Jndflk32.exe116⤵PID:2504
-
C:\Windows\SysWOW64\Jmgfgham.exeC:\Windows\system32\Jmgfgham.exe117⤵PID:3008
-
C:\Windows\SysWOW64\Jcandb32.exeC:\Windows\system32\Jcandb32.exe118⤵PID:1240
-
C:\Windows\SysWOW64\Jgmjdaqb.exeC:\Windows\system32\Jgmjdaqb.exe119⤵
- Drops file in System32 directory
PID:2512 -
C:\Windows\SysWOW64\Jjkfqlpf.exeC:\Windows\system32\Jjkfqlpf.exe120⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2236 -
C:\Windows\SysWOW64\Jqeomfgc.exeC:\Windows\system32\Jqeomfgc.exe121⤵PID:2804
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-