Analysis
-
max time kernel
148s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
10-11-2024 01:36
Static task
static1
Behavioral task
behavioral1
Sample
ac60fa3f1e2e6ca0ce53530385673558d4ab1ef0aeb1e18ea2610b98a980d76b.exe
Resource
win7-20241023-en
Behavioral task
behavioral2
Sample
ac60fa3f1e2e6ca0ce53530385673558d4ab1ef0aeb1e18ea2610b98a980d76b.exe
Resource
win10v2004-20241007-en
General
-
Target
ac60fa3f1e2e6ca0ce53530385673558d4ab1ef0aeb1e18ea2610b98a980d76b.exe
-
Size
448KB
-
MD5
ff3be31183d593697d85cf3d5d7feb50
-
SHA1
3578095bfba71501315933bcb60d783a1d99e499
-
SHA256
ac60fa3f1e2e6ca0ce53530385673558d4ab1ef0aeb1e18ea2610b98a980d76b
-
SHA512
e2438f1d2dd35f8e09eb0887c1afc70ecdffe999ae41a97a4ff95311411589fe33b78c11256295a3dd54c7e3f2389adfcad4d52ed459005d51e4dd4bf151ab64
-
SSDEEP
6144:rtiNFKgAGbM2yJT///NR5f7DM2y/JAQ///NR5fLYG3eujE:rINEoM1z/NzDMTx/NcZ9
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
Processes:
Aflaie32.exeAjjjocap.exeJnpfop32.exeDmohno32.exeDbqqkkbo.exeJdfjld32.exeNjinmf32.exeGpelhd32.exeEpjajeqo.exeJhpqaiji.exeLejgch32.exeDomdjj32.exeBddcenpi.exeBknlbhhe.exeOdalmibl.exePfiddm32.exeBdmmeo32.exeBkgeainn.exeCkgohf32.exeGlgcbf32.exeObjpoh32.exeJjlmclqa.exeAknifq32.exeFmmmfj32.exePnkbkk32.exeCidjbmcp.exeBbdhiojo.exeAednci32.exeModgdicm.exeAmhfkopc.exeBdgged32.exeFnnjmbpm.exeGidnkkpc.exeKqnbkl32.exeKqdaadln.exeNpiiffqe.exeDhjckcgi.exeIepaaico.exeJnkldqkc.exeDdnfmqng.exeOgjdmbil.exeKkmioc32.exeBkkple32.exeIbhkfm32.exeIidphgcn.exeMfeeabda.exeKgamnded.exeEppqqn32.exeMnhkbfme.exeNgjbaj32.exeHammhcij.exeKageaj32.exeBlgifbil.exeIfomll32.exeJgbchj32.exeBhblllfo.exeDinmhkke.exeLnjnqh32.exePdmkhgho.exeImkbnf32.exeJpaekqhh.exeNfcabp32.exedescription ioc process Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aflaie32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ajjjocap.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jnpfop32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dmohno32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dbqqkkbo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jdfjld32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Njinmf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gpelhd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Epjajeqo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jhpqaiji.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lejgch32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Domdjj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bddcenpi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bknlbhhe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Odalmibl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pfiddm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bdmmeo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bkgeainn.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ckgohf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Glgcbf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Objpoh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jjlmclqa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aknifq32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fmmmfj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pnkbkk32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cidjbmcp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bbdhiojo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aednci32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Modgdicm.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Amhfkopc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bdgged32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fnnjmbpm.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gidnkkpc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kqnbkl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kqdaadln.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Npiiffqe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dhjckcgi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bbdhiojo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iepaaico.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jnkldqkc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ddnfmqng.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ogjdmbil.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kkmioc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bkkple32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dbqqkkbo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ibhkfm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iidphgcn.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mfeeabda.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kgamnded.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eppqqn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mnhkbfme.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ngjbaj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hammhcij.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kageaj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Blgifbil.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ifomll32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jgbchj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bhblllfo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dinmhkke.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lnjnqh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pdmkhgho.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Imkbnf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jpaekqhh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nfcabp32.exe -
Executes dropped EXE 64 IoCs
Processes:
Ahchda32.exeAcilajpk.exeAfghneoo.exeAhfdjanb.exeAjeadd32.exeAmcmpodi.exeAqoiqn32.exeAgiamhdo.exeAflaie32.exeAjhniccb.exeAmfjeobf.exeAodfajaj.exeAcpbbi32.exeAfnnnd32.exeAjjjocap.exeAmhfkopc.exeBogcgj32.exeBcbohigp.exeBfqkddfd.exeBjlgdc32.exeBiogppeg.exeBmkcqn32.exeBoipmj32.exeBgpgng32.exeBjodjb32.exeBiadeoce.exeBqilgmdg.exeBoklbi32.exeBgbdcgld.exeBjaqpbkh.exeBidqko32.exeBqkill32.exeBpnihiio.exeBgeaifia.exeBjcmebie.exeBmbiamhi.exeBppfmigl.exeBggnof32.exeBjfjka32.exeCmdfgm32.exeCgjjdf32.exeCikglnkj.exeCabomkll.exeCcqkigkp.exeCglgjeci.exeCjjcfabm.exeCmipblaq.exeCpglnhad.exeCfadkb32.exeCippgm32.exeCaghhk32.exeCceddf32.exeCfcqpa32.exeCibmlmeb.exeCaienjfd.exeCcgajfeh.exeCffmfadl.exeCidjbmcp.exeDakacjdb.exeDcjnoece.exeDfhjkabi.exeDjdflp32.exeDannij32.exeDpqodfij.exepid process 3112 Ahchda32.exe 3032 Acilajpk.exe 4808 Afghneoo.exe 1384 Ahfdjanb.exe 112 Ajeadd32.exe 2628 Amcmpodi.exe 1140 Aqoiqn32.exe 2612 Agiamhdo.exe 668 Aflaie32.exe 724 Ajhniccb.exe 212 Amfjeobf.exe 3784 Aodfajaj.exe 3888 Acpbbi32.exe 432 Afnnnd32.exe 3424 Ajjjocap.exe 964 Amhfkopc.exe 716 Bogcgj32.exe 5052 Bcbohigp.exe 4000 Bfqkddfd.exe 220 Bjlgdc32.exe 2540 Biogppeg.exe 3256 Bmkcqn32.exe 2528 Boipmj32.exe 3008 Bgpgng32.exe 4420 Bjodjb32.exe 1964 Biadeoce.exe 4164 Bqilgmdg.exe 1484 Boklbi32.exe 3472 Bgbdcgld.exe 2420 Bjaqpbkh.exe 4216 Bidqko32.exe 5100 Bqkill32.exe 3316 Bpnihiio.exe 3420 Bgeaifia.exe 396 Bjcmebie.exe 5032 Bmbiamhi.exe 1932 Bppfmigl.exe 1092 Bggnof32.exe 684 Bjfjka32.exe 2236 Cmdfgm32.exe 4984 Cgjjdf32.exe 3872 Cikglnkj.exe 1032 Cabomkll.exe 3308 Ccqkigkp.exe 4684 Cglgjeci.exe 4324 Cjjcfabm.exe 1500 Cmipblaq.exe 4628 Cpglnhad.exe 4188 Cfadkb32.exe 4728 Cippgm32.exe 4864 Caghhk32.exe 4168 Cceddf32.exe 928 Cfcqpa32.exe 736 Cibmlmeb.exe 4828 Caienjfd.exe 2204 Ccgajfeh.exe 976 Cffmfadl.exe 1644 Cidjbmcp.exe 4380 Dakacjdb.exe 2240 Dcjnoece.exe 4548 Dfhjkabi.exe 3596 Djdflp32.exe 1420 Dannij32.exe 2140 Dpqodfij.exe -
Drops file in System32 directory 64 IoCs
Processes:
Cceddf32.exeJpaleglc.exeNnkpnclp.exeBdickcpo.exePfiddm32.exeEhhpla32.exeEaqdegaj.exeHgiepjga.exeKmaopfjm.exeKqdaadln.exeLgepom32.exeNmbjcljl.exePdhkcb32.exeKkeldnpi.exeAmjbbfgo.exeHaoimcgg.exeLmbhgd32.exeCofnik32.exeBnlhncgi.exeDannij32.exeNmigoagp.exeDkfadkgf.exeEiokinbk.exeGncchb32.exeGpelhd32.exeDpkmal32.exeQadoba32.exeEmkndc32.exeFligqhga.exeDhphmj32.exeIjfnmc32.exeLalnmiia.exeMgobel32.exeJpaekqhh.exeQhhpop32.exeQmeigg32.exeLclpdncg.exeOloahhki.exeGidnkkpc.exeMjbogmdb.exeIlafiihp.exeGemkelcd.exeKnqepc32.exeMgphpe32.exeOpeiadfg.exeCjjcfabm.exeMehcdfch.exeAhqddk32.exeNgjbaj32.exeKgdpni32.exeFpkibf32.exeGnqfcbnj.exeAopemh32.exeKjffdalb.exeLknojl32.exeAaoaic32.exeCoegoe32.exeChnlgjlb.exeKmfhkf32.exeIgjngh32.exeAfgacokc.exeGgahedjn.exedescription ioc process File created C:\Windows\SysWOW64\Cfcqpa32.exe Cceddf32.exe File created C:\Windows\SysWOW64\Jcphab32.exe Jpaleglc.exe File created C:\Windows\SysWOW64\Mhpbkngk.dll Nnkpnclp.exe File created C:\Windows\SysWOW64\Blqllqqa.exe Bdickcpo.exe File opened for modification C:\Windows\SysWOW64\Pnplfj32.exe Pfiddm32.exe File created C:\Windows\SysWOW64\Ehhpla32.exe Ehhpla32.exe File created C:\Windows\SysWOW64\Epcdqd32.exe Eaqdegaj.exe File opened for modification C:\Windows\SysWOW64\Haoimcgg.exe Hgiepjga.exe File opened for modification C:\Windows\SysWOW64\Kdigadjo.exe Kmaopfjm.exe File created C:\Windows\SysWOW64\Kgninn32.exe Kqdaadln.exe File opened for modification C:\Windows\SysWOW64\Ljclki32.exe Lgepom32.exe File created C:\Windows\SysWOW64\Kllfakij.dll Nmbjcljl.exe File created C:\Windows\SysWOW64\Pffgom32.exe Pdhkcb32.exe File created C:\Windows\SysWOW64\Knchpiom.exe Kkeldnpi.exe File created C:\Windows\SysWOW64\Aphnnafb.exe Amjbbfgo.exe File created C:\Windows\SysWOW64\Hpbiip32.exe Haoimcgg.exe File opened for modification C:\Windows\SysWOW64\Ldipha32.exe Lmbhgd32.exe File created C:\Windows\SysWOW64\Cbdjeg32.exe Cofnik32.exe File opened for modification C:\Windows\SysWOW64\Bpkdjofm.exe Bnlhncgi.exe File opened for modification C:\Windows\SysWOW64\Dpqodfij.exe Dannij32.exe File created C:\Windows\SysWOW64\Nccokk32.exe Nmigoagp.exe File opened for modification C:\Windows\SysWOW64\Dndnpf32.exe Dkfadkgf.exe File created C:\Windows\SysWOW64\Eoideh32.exe Eiokinbk.exe File created C:\Windows\SysWOW64\Gbqcnc32.dll Gncchb32.exe File created C:\Windows\SysWOW64\Emcnmpcj.dll Gpelhd32.exe File created C:\Windows\SysWOW64\Dhbebj32.exe Dpkmal32.exe File created C:\Windows\SysWOW64\Flnqig32.dll Qadoba32.exe File created C:\Windows\SysWOW64\Ecefqnel.exe Emkndc32.exe File opened for modification C:\Windows\SysWOW64\Fpdcag32.exe Fligqhga.exe File created C:\Windows\SysWOW64\Dkndie32.exe Dhphmj32.exe File created C:\Windows\SysWOW64\Klkkgm32.dll Ijfnmc32.exe File opened for modification C:\Windows\SysWOW64\Licfngjd.exe Lalnmiia.exe File created C:\Windows\SysWOW64\Dkhkgplb.dll Mgobel32.exe File created C:\Windows\SysWOW64\Bdimkqnb.dll Jpaekqhh.exe File opened for modification C:\Windows\SysWOW64\Qfkqjmdg.exe Qhhpop32.exe File opened for modification C:\Windows\SysWOW64\Qfmmplad.exe Qmeigg32.exe File opened for modification C:\Windows\SysWOW64\Hpbiip32.exe Haoimcgg.exe File created C:\Windows\SysWOW64\Lkchelci.exe Lclpdncg.exe File created C:\Windows\SysWOW64\Emihhjna.dll Oloahhki.exe File opened for modification C:\Windows\SysWOW64\Glbjggof.exe Gidnkkpc.exe File created C:\Windows\SysWOW64\Mnpofk32.dll Dhphmj32.exe File created C:\Windows\SysWOW64\Mehcdfch.exe Mjbogmdb.exe File created C:\Windows\SysWOW64\Fgbdja32.dll Ilafiihp.exe File created C:\Windows\SysWOW64\Glgcbf32.exe Gemkelcd.exe File created C:\Windows\SysWOW64\Mhelik32.dll Knqepc32.exe File created C:\Windows\SysWOW64\Qgnnai32.dll Mgphpe32.exe File opened for modification C:\Windows\SysWOW64\Ohlqcagj.exe Opeiadfg.exe File created C:\Windows\SysWOW64\Cmipblaq.exe Cjjcfabm.exe File created C:\Windows\SysWOW64\Gaplji32.dll Mehcdfch.exe File opened for modification C:\Windows\SysWOW64\Aojlaeei.exe Ahqddk32.exe File opened for modification C:\Windows\SysWOW64\Njinmf32.exe Ngjbaj32.exe File created C:\Windows\SysWOW64\Kjblje32.exe Kgdpni32.exe File opened for modification C:\Windows\SysWOW64\Fnnjmbpm.exe Fpkibf32.exe File created C:\Windows\SysWOW64\Ojmjcf32.dll Gnqfcbnj.exe File created C:\Windows\SysWOW64\Aaoaic32.exe Aopemh32.exe File created C:\Windows\SysWOW64\Ophpeg32.dll Kjffdalb.exe File created C:\Windows\SysWOW64\Jkiocibf.dll Lknojl32.exe File opened for modification C:\Windows\SysWOW64\Bdmmeo32.exe Aaoaic32.exe File opened for modification C:\Windows\SysWOW64\Cpfcfmlp.exe Coegoe32.exe File created C:\Windows\SysWOW64\Cklhcfle.exe Chnlgjlb.exe File opened for modification C:\Windows\SysWOW64\Kdmqmc32.exe Kmfhkf32.exe File created C:\Windows\SysWOW64\Qipkmbib.dll Igjngh32.exe File opened for modification C:\Windows\SysWOW64\Akcjkfij.exe Afgacokc.exe File created C:\Windows\SysWOW64\Hpjmnjqn.exe Ggahedjn.exe -
Program crash 1 IoCs
Processes:
WerFault.exepid pid_target process target process 3144 4684 WerFault.exe Dkqaoe32.exe -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
Pagbaglh.exeCljobphg.exeJcoaglhk.exeAgiamhdo.exeMbbagk32.exeAnmfbl32.exeBogkmgba.exePkbjjbda.exeGflhoo32.exeMjodla32.exeAhchda32.exeKnflpoqf.exeInnfnl32.exeOanfen32.exeBlqllqqa.exeIqklon32.exeLlhikacp.exeAkamff32.exeKageaj32.exeDigehphc.exeDngjff32.exeEiloco32.exeCpbbch32.exeGnhnaf32.exeHjlkge32.exeAphnnafb.exeCjjcfabm.exeFjmkoeqi.exeDomdjj32.exeOacoqnci.exeCggimh32.exeIkndgg32.exeEmkndc32.exeEidlnd32.exeOhkbbn32.exeMaggnali.exeIgajal32.exeQaalblgi.exeGlbjggof.exeJcanll32.exeNnkpnclp.exeAmhfkopc.exeOlijhmgj.exeNmlddqem.exeLqkqhm32.exeLklbdm32.exeMjkblhfo.exeKnenkbio.exeLldopb32.exeOmegjomb.exeKodnmkap.exePkhjph32.exeBidqko32.exeLnbklm32.exeCkhecmcf.exeQfmmplad.exeBnlhncgi.exeBfngdn32.exeLgqfdnah.exeMgehfkop.exeOmqmop32.exeFpgpgfmh.exeKomhll32.exeMnhkbfme.exedescription ioc process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pagbaglh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cljobphg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jcoaglhk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Agiamhdo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mbbagk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Anmfbl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bogkmgba.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pkbjjbda.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gflhoo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mjodla32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ahchda32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Knflpoqf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Innfnl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oanfen32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Blqllqqa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iqklon32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Llhikacp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Akamff32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kageaj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Digehphc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dngjff32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eiloco32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cpbbch32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gnhnaf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hjlkge32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aphnnafb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cjjcfabm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fjmkoeqi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Domdjj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oacoqnci.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cggimh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ikndgg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Emkndc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eidlnd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ohkbbn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Maggnali.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Igajal32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qaalblgi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Glbjggof.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jcanll32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nnkpnclp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Amhfkopc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Olijhmgj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nmlddqem.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lqkqhm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lklbdm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mjkblhfo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Knenkbio.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lldopb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Omegjomb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kodnmkap.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pkhjph32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bidqko32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lnbklm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ckhecmcf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qfmmplad.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bnlhncgi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bfngdn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lgqfdnah.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mgehfkop.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Omqmop32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fpgpgfmh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Komhll32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mnhkbfme.exe -
Modifies registry class 64 IoCs
Processes:
Ajhniccb.exeHoclopne.exeOjhpimhp.exeQpeahb32.exeCcgajfeh.exeKgipcogp.exeLgepom32.exeBlgifbil.exeHplbickp.exeAonhghjl.exePfiddm32.exeAfghneoo.exeEhhpla32.exeQaalblgi.exeFpimlfke.exeJoahqn32.exeAodfajaj.exeEdhjqc32.exeCimmggfl.exeFpejlmcf.exeMgobel32.exeEejeiocj.exeIefgbh32.exeJniood32.exePibdmp32.exeCmmbbejp.exeOnpjichj.exeBdickcpo.exeBlqllqqa.exeJphkkpbp.exeLflbkcll.exePffgom32.exeOhhnbhok.exeNggnadib.exeEfdjgo32.exePllgnl32.exeHpcodihc.exeKmkbfeab.exeOhfami32.exeHjedffig.exeNmigoagp.exeOelolmnd.exeAnobgl32.exeHlglidlo.exeFelbnn32.exeBfqkddfd.exeNklbmllg.exeFmndpq32.exeLjbfpo32.exeIcknfcol.exeNmipdk32.exeBhblllfo.exeDfiildio.exeQodeajbg.exeLqpamb32.exeKgnbdh32.exeLcdciiec.exeLaqhhi32.exeDfefkkqp.exeJnlbojee.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ajhniccb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pqlhmf32.dll" Hoclopne.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ojhpimhp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egilaj32.dll" Qpeahb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ccgajfeh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kgipcogp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lgepom32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mfbhmo32.dll" Blgifbil.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hplbickp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aonhghjl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fgjimp32.dll" Pfiddm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Afghneoo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nggmhj32.dll" Ehhpla32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qaalblgi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fpimlfke.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Joahqn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aodfajaj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Edhjqc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cimmggfl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fpejlmcf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mgobel32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Eejeiocj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hkdoio32.dll" Iefgbh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Doepmnag.dll" Jniood32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qfmjef32.dll" Pibdmp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cmmbbejp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Onpjichj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bdickcpo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Chnidloo.dll" Blqllqqa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jphkkpbp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lflbkcll.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pffgom32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Keldkigj.dll" Ohhnbhok.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nggnadib.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Efdjgo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pllgnl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hpcodihc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kmkbfeab.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ohfami32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hjedffig.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nmigoagp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Klplbbaq.dll" Oelolmnd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Leifdf32.dll" Anobgl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hlglidlo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebcneqod.dll" Felbnn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bfqkddfd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nklbmllg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fmndpq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lgepom32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Anobgl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ehhpla32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gaeaha32.dll" Ljbfpo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Icknfcol.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nmipdk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bhblllfo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmmhebph.dll" Bfqkddfd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nklinjmj.dll" Dfiildio.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qodeajbg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lqpamb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kgnbdh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipgijcij.dll" Lcdciiec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Laqhhi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gakiqbgc.dll" Dfefkkqp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jnlbojee.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
ac60fa3f1e2e6ca0ce53530385673558d4ab1ef0aeb1e18ea2610b98a980d76b.exeAhchda32.exeAcilajpk.exeAfghneoo.exeAhfdjanb.exeAjeadd32.exeAmcmpodi.exeAqoiqn32.exeAgiamhdo.exeAflaie32.exeAjhniccb.exeAmfjeobf.exeAodfajaj.exeAcpbbi32.exeAfnnnd32.exeAjjjocap.exeAmhfkopc.exeBogcgj32.exeBcbohigp.exeBfqkddfd.exeBjlgdc32.exeBiogppeg.exedescription pid process target process PID 2232 wrote to memory of 3112 2232 ac60fa3f1e2e6ca0ce53530385673558d4ab1ef0aeb1e18ea2610b98a980d76b.exe Ahchda32.exe PID 2232 wrote to memory of 3112 2232 ac60fa3f1e2e6ca0ce53530385673558d4ab1ef0aeb1e18ea2610b98a980d76b.exe Ahchda32.exe PID 2232 wrote to memory of 3112 2232 ac60fa3f1e2e6ca0ce53530385673558d4ab1ef0aeb1e18ea2610b98a980d76b.exe Ahchda32.exe PID 3112 wrote to memory of 3032 3112 Ahchda32.exe Acilajpk.exe PID 3112 wrote to memory of 3032 3112 Ahchda32.exe Acilajpk.exe PID 3112 wrote to memory of 3032 3112 Ahchda32.exe Acilajpk.exe PID 3032 wrote to memory of 4808 3032 Acilajpk.exe Afghneoo.exe PID 3032 wrote to memory of 4808 3032 Acilajpk.exe Afghneoo.exe PID 3032 wrote to memory of 4808 3032 Acilajpk.exe Afghneoo.exe PID 4808 wrote to memory of 1384 4808 Afghneoo.exe Ahfdjanb.exe PID 4808 wrote to memory of 1384 4808 Afghneoo.exe Ahfdjanb.exe PID 4808 wrote to memory of 1384 4808 Afghneoo.exe Ahfdjanb.exe PID 1384 wrote to memory of 112 1384 Ahfdjanb.exe Ajeadd32.exe PID 1384 wrote to memory of 112 1384 Ahfdjanb.exe Ajeadd32.exe PID 1384 wrote to memory of 112 1384 Ahfdjanb.exe Ajeadd32.exe PID 112 wrote to memory of 2628 112 Ajeadd32.exe Amcmpodi.exe PID 112 wrote to memory of 2628 112 Ajeadd32.exe Amcmpodi.exe PID 112 wrote to memory of 2628 112 Ajeadd32.exe Amcmpodi.exe PID 2628 wrote to memory of 1140 2628 Amcmpodi.exe Aqoiqn32.exe PID 2628 wrote to memory of 1140 2628 Amcmpodi.exe Aqoiqn32.exe PID 2628 wrote to memory of 1140 2628 Amcmpodi.exe Aqoiqn32.exe PID 1140 wrote to memory of 2612 1140 Aqoiqn32.exe Agiamhdo.exe PID 1140 wrote to memory of 2612 1140 Aqoiqn32.exe Agiamhdo.exe PID 1140 wrote to memory of 2612 1140 Aqoiqn32.exe Agiamhdo.exe PID 2612 wrote to memory of 668 2612 Agiamhdo.exe Aflaie32.exe PID 2612 wrote to memory of 668 2612 Agiamhdo.exe Aflaie32.exe PID 2612 wrote to memory of 668 2612 Agiamhdo.exe Aflaie32.exe PID 668 wrote to memory of 724 668 Aflaie32.exe Ajhniccb.exe PID 668 wrote to memory of 724 668 Aflaie32.exe Ajhniccb.exe PID 668 wrote to memory of 724 668 Aflaie32.exe Ajhniccb.exe PID 724 wrote to memory of 212 724 Ajhniccb.exe Amfjeobf.exe PID 724 wrote to memory of 212 724 Ajhniccb.exe Amfjeobf.exe PID 724 wrote to memory of 212 724 Ajhniccb.exe Amfjeobf.exe PID 212 wrote to memory of 3784 212 Amfjeobf.exe Aodfajaj.exe PID 212 wrote to memory of 3784 212 Amfjeobf.exe Aodfajaj.exe PID 212 wrote to memory of 3784 212 Amfjeobf.exe Aodfajaj.exe PID 3784 wrote to memory of 3888 3784 Aodfajaj.exe Acpbbi32.exe PID 3784 wrote to memory of 3888 3784 Aodfajaj.exe Acpbbi32.exe PID 3784 wrote to memory of 3888 3784 Aodfajaj.exe Acpbbi32.exe PID 3888 wrote to memory of 432 3888 Acpbbi32.exe Afnnnd32.exe PID 3888 wrote to memory of 432 3888 Acpbbi32.exe Afnnnd32.exe PID 3888 wrote to memory of 432 3888 Acpbbi32.exe Afnnnd32.exe PID 432 wrote to memory of 3424 432 Afnnnd32.exe Ajjjocap.exe PID 432 wrote to memory of 3424 432 Afnnnd32.exe Ajjjocap.exe PID 432 wrote to memory of 3424 432 Afnnnd32.exe Ajjjocap.exe PID 3424 wrote to memory of 964 3424 Ajjjocap.exe Amhfkopc.exe PID 3424 wrote to memory of 964 3424 Ajjjocap.exe Amhfkopc.exe PID 3424 wrote to memory of 964 3424 Ajjjocap.exe Amhfkopc.exe PID 964 wrote to memory of 716 964 Amhfkopc.exe Bogcgj32.exe PID 964 wrote to memory of 716 964 Amhfkopc.exe Bogcgj32.exe PID 964 wrote to memory of 716 964 Amhfkopc.exe Bogcgj32.exe PID 716 wrote to memory of 5052 716 Bogcgj32.exe Bcbohigp.exe PID 716 wrote to memory of 5052 716 Bogcgj32.exe Bcbohigp.exe PID 716 wrote to memory of 5052 716 Bogcgj32.exe Bcbohigp.exe PID 5052 wrote to memory of 4000 5052 Bcbohigp.exe Bfqkddfd.exe PID 5052 wrote to memory of 4000 5052 Bcbohigp.exe Bfqkddfd.exe PID 5052 wrote to memory of 4000 5052 Bcbohigp.exe Bfqkddfd.exe PID 4000 wrote to memory of 220 4000 Bfqkddfd.exe Bjlgdc32.exe PID 4000 wrote to memory of 220 4000 Bfqkddfd.exe Bjlgdc32.exe PID 4000 wrote to memory of 220 4000 Bfqkddfd.exe Bjlgdc32.exe PID 220 wrote to memory of 2540 220 Bjlgdc32.exe Biogppeg.exe PID 220 wrote to memory of 2540 220 Bjlgdc32.exe Biogppeg.exe PID 220 wrote to memory of 2540 220 Bjlgdc32.exe Biogppeg.exe PID 2540 wrote to memory of 3256 2540 Biogppeg.exe Bmkcqn32.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\ac60fa3f1e2e6ca0ce53530385673558d4ab1ef0aeb1e18ea2610b98a980d76b.exe"C:\Users\Admin\AppData\Local\Temp\ac60fa3f1e2e6ca0ce53530385673558d4ab1ef0aeb1e18ea2610b98a980d76b.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2232 -
C:\Windows\SysWOW64\Ahchda32.exeC:\Windows\system32\Ahchda32.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3112 -
C:\Windows\SysWOW64\Acilajpk.exeC:\Windows\system32\Acilajpk.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3032 -
C:\Windows\SysWOW64\Afghneoo.exeC:\Windows\system32\Afghneoo.exe4⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4808 -
C:\Windows\SysWOW64\Ahfdjanb.exeC:\Windows\system32\Ahfdjanb.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1384 -
C:\Windows\SysWOW64\Ajeadd32.exeC:\Windows\system32\Ajeadd32.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:112 -
C:\Windows\SysWOW64\Amcmpodi.exeC:\Windows\system32\Amcmpodi.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2628 -
C:\Windows\SysWOW64\Aqoiqn32.exeC:\Windows\system32\Aqoiqn32.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1140 -
C:\Windows\SysWOW64\Agiamhdo.exeC:\Windows\system32\Agiamhdo.exe9⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2612 -
C:\Windows\SysWOW64\Aflaie32.exeC:\Windows\system32\Aflaie32.exe10⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:668 -
C:\Windows\SysWOW64\Ajhniccb.exeC:\Windows\system32\Ajhniccb.exe11⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:724 -
C:\Windows\SysWOW64\Amfjeobf.exeC:\Windows\system32\Amfjeobf.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:212 -
C:\Windows\SysWOW64\Aodfajaj.exeC:\Windows\system32\Aodfajaj.exe13⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3784 -
C:\Windows\SysWOW64\Acpbbi32.exeC:\Windows\system32\Acpbbi32.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3888 -
C:\Windows\SysWOW64\Afnnnd32.exeC:\Windows\system32\Afnnnd32.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:432 -
C:\Windows\SysWOW64\Ajjjocap.exeC:\Windows\system32\Ajjjocap.exe16⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3424 -
C:\Windows\SysWOW64\Amhfkopc.exeC:\Windows\system32\Amhfkopc.exe17⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:964 -
C:\Windows\SysWOW64\Bogcgj32.exeC:\Windows\system32\Bogcgj32.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:716 -
C:\Windows\SysWOW64\Bcbohigp.exeC:\Windows\system32\Bcbohigp.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5052 -
C:\Windows\SysWOW64\Bfqkddfd.exeC:\Windows\system32\Bfqkddfd.exe20⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4000 -
C:\Windows\SysWOW64\Bjlgdc32.exeC:\Windows\system32\Bjlgdc32.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:220 -
C:\Windows\SysWOW64\Biogppeg.exeC:\Windows\system32\Biogppeg.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2540 -
C:\Windows\SysWOW64\Bmkcqn32.exeC:\Windows\system32\Bmkcqn32.exe23⤵
- Executes dropped EXE
PID:3256 -
C:\Windows\SysWOW64\Boipmj32.exeC:\Windows\system32\Boipmj32.exe24⤵
- Executes dropped EXE
PID:2528 -
C:\Windows\SysWOW64\Bgpgng32.exeC:\Windows\system32\Bgpgng32.exe25⤵
- Executes dropped EXE
PID:3008 -
C:\Windows\SysWOW64\Bjodjb32.exeC:\Windows\system32\Bjodjb32.exe26⤵
- Executes dropped EXE
PID:4420 -
C:\Windows\SysWOW64\Biadeoce.exeC:\Windows\system32\Biadeoce.exe27⤵
- Executes dropped EXE
PID:1964 -
C:\Windows\SysWOW64\Bqilgmdg.exeC:\Windows\system32\Bqilgmdg.exe28⤵
- Executes dropped EXE
PID:4164 -
C:\Windows\SysWOW64\Boklbi32.exeC:\Windows\system32\Boklbi32.exe29⤵
- Executes dropped EXE
PID:1484 -
C:\Windows\SysWOW64\Bgbdcgld.exeC:\Windows\system32\Bgbdcgld.exe30⤵
- Executes dropped EXE
PID:3472 -
C:\Windows\SysWOW64\Bjaqpbkh.exeC:\Windows\system32\Bjaqpbkh.exe31⤵
- Executes dropped EXE
PID:2420 -
C:\Windows\SysWOW64\Bidqko32.exeC:\Windows\system32\Bidqko32.exe32⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4216 -
C:\Windows\SysWOW64\Bqkill32.exeC:\Windows\system32\Bqkill32.exe33⤵
- Executes dropped EXE
PID:5100 -
C:\Windows\SysWOW64\Bpnihiio.exeC:\Windows\system32\Bpnihiio.exe34⤵
- Executes dropped EXE
PID:3316 -
C:\Windows\SysWOW64\Bgeaifia.exeC:\Windows\system32\Bgeaifia.exe35⤵
- Executes dropped EXE
PID:3420 -
C:\Windows\SysWOW64\Bjcmebie.exeC:\Windows\system32\Bjcmebie.exe36⤵
- Executes dropped EXE
PID:396 -
C:\Windows\SysWOW64\Bmbiamhi.exeC:\Windows\system32\Bmbiamhi.exe37⤵
- Executes dropped EXE
PID:5032 -
C:\Windows\SysWOW64\Bppfmigl.exeC:\Windows\system32\Bppfmigl.exe38⤵
- Executes dropped EXE
PID:1932 -
C:\Windows\SysWOW64\Bggnof32.exeC:\Windows\system32\Bggnof32.exe39⤵
- Executes dropped EXE
PID:1092 -
C:\Windows\SysWOW64\Bjfjka32.exeC:\Windows\system32\Bjfjka32.exe40⤵
- Executes dropped EXE
PID:684 -
C:\Windows\SysWOW64\Cmdfgm32.exeC:\Windows\system32\Cmdfgm32.exe41⤵
- Executes dropped EXE
PID:2236 -
C:\Windows\SysWOW64\Cpbbch32.exeC:\Windows\system32\Cpbbch32.exe42⤵
- System Location Discovery: System Language Discovery
PID:4568 -
C:\Windows\SysWOW64\Cgjjdf32.exeC:\Windows\system32\Cgjjdf32.exe43⤵
- Executes dropped EXE
PID:4984 -
C:\Windows\SysWOW64\Cikglnkj.exeC:\Windows\system32\Cikglnkj.exe44⤵
- Executes dropped EXE
PID:3872 -
C:\Windows\SysWOW64\Cabomkll.exeC:\Windows\system32\Cabomkll.exe45⤵
- Executes dropped EXE
PID:1032 -
C:\Windows\SysWOW64\Ccqkigkp.exeC:\Windows\system32\Ccqkigkp.exe46⤵
- Executes dropped EXE
PID:3308 -
C:\Windows\SysWOW64\Cglgjeci.exeC:\Windows\system32\Cglgjeci.exe47⤵
- Executes dropped EXE
PID:4684 -
C:\Windows\SysWOW64\Cjjcfabm.exeC:\Windows\system32\Cjjcfabm.exe48⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:4324 -
C:\Windows\SysWOW64\Cmipblaq.exeC:\Windows\system32\Cmipblaq.exe49⤵
- Executes dropped EXE
PID:1500 -
C:\Windows\SysWOW64\Cpglnhad.exeC:\Windows\system32\Cpglnhad.exe50⤵
- Executes dropped EXE
PID:4628 -
C:\Windows\SysWOW64\Cfadkb32.exeC:\Windows\system32\Cfadkb32.exe51⤵
- Executes dropped EXE
PID:4188 -
C:\Windows\SysWOW64\Cippgm32.exeC:\Windows\system32\Cippgm32.exe52⤵
- Executes dropped EXE
PID:4728 -
C:\Windows\SysWOW64\Caghhk32.exeC:\Windows\system32\Caghhk32.exe53⤵
- Executes dropped EXE
PID:4864 -
C:\Windows\SysWOW64\Cceddf32.exeC:\Windows\system32\Cceddf32.exe54⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4168 -
C:\Windows\SysWOW64\Cfcqpa32.exeC:\Windows\system32\Cfcqpa32.exe55⤵
- Executes dropped EXE
PID:928 -
C:\Windows\SysWOW64\Cibmlmeb.exeC:\Windows\system32\Cibmlmeb.exe56⤵
- Executes dropped EXE
PID:736 -
C:\Windows\SysWOW64\Caienjfd.exeC:\Windows\system32\Caienjfd.exe57⤵
- Executes dropped EXE
PID:4828 -
C:\Windows\SysWOW64\Ccgajfeh.exeC:\Windows\system32\Ccgajfeh.exe58⤵
- Executes dropped EXE
- Modifies registry class
PID:2204 -
C:\Windows\SysWOW64\Cffmfadl.exeC:\Windows\system32\Cffmfadl.exe59⤵
- Executes dropped EXE
PID:976 -
C:\Windows\SysWOW64\Cidjbmcp.exeC:\Windows\system32\Cidjbmcp.exe60⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1644 -
C:\Windows\SysWOW64\Dakacjdb.exeC:\Windows\system32\Dakacjdb.exe61⤵
- Executes dropped EXE
PID:4380 -
C:\Windows\SysWOW64\Dcjnoece.exeC:\Windows\system32\Dcjnoece.exe62⤵
- Executes dropped EXE
PID:2240 -
C:\Windows\SysWOW64\Dfhjkabi.exeC:\Windows\system32\Dfhjkabi.exe63⤵
- Executes dropped EXE
PID:4548 -
C:\Windows\SysWOW64\Djdflp32.exeC:\Windows\system32\Djdflp32.exe64⤵
- Executes dropped EXE
PID:3596 -
C:\Windows\SysWOW64\Dannij32.exeC:\Windows\system32\Dannij32.exe65⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1420 -
C:\Windows\SysWOW64\Dpqodfij.exeC:\Windows\system32\Dpqodfij.exe66⤵
- Executes dropped EXE
PID:2140 -
C:\Windows\SysWOW64\Dhhfedil.exeC:\Windows\system32\Dhhfedil.exe67⤵PID:3520
-
C:\Windows\SysWOW64\Djfcaohp.exeC:\Windows\system32\Djfcaohp.exe68⤵PID:5056
-
C:\Windows\SysWOW64\Dmdonkgc.exeC:\Windows\system32\Dmdonkgc.exe69⤵PID:4448
-
C:\Windows\SysWOW64\Dpckjfgg.exeC:\Windows\system32\Dpckjfgg.exe70⤵PID:2172
-
C:\Windows\SysWOW64\Dhjckcgi.exeC:\Windows\system32\Dhjckcgi.exe71⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4896 -
C:\Windows\SysWOW64\Djhpgofm.exeC:\Windows\system32\Djhpgofm.exe72⤵PID:1160
-
C:\Windows\SysWOW64\Dabhdinj.exeC:\Windows\system32\Dabhdinj.exe73⤵PID:1028
-
C:\Windows\SysWOW64\Ddadpdmn.exeC:\Windows\system32\Ddadpdmn.exe74⤵PID:4364
-
C:\Windows\SysWOW64\Dfoplpla.exeC:\Windows\system32\Dfoplpla.exe75⤵PID:4584
-
C:\Windows\SysWOW64\Dinmhkke.exeC:\Windows\system32\Dinmhkke.exe76⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2500 -
C:\Windows\SysWOW64\Dmihij32.exeC:\Windows\system32\Dmihij32.exe77⤵PID:4264
-
C:\Windows\SysWOW64\Dpgeee32.exeC:\Windows\system32\Dpgeee32.exe78⤵PID:1688
-
C:\Windows\SysWOW64\Dhomfc32.exeC:\Windows\system32\Dhomfc32.exe79⤵PID:1228
-
C:\Windows\SysWOW64\Djmibn32.exeC:\Windows\system32\Djmibn32.exe80⤵PID:880
-
C:\Windows\SysWOW64\Emlenj32.exeC:\Windows\system32\Emlenj32.exe81⤵PID:3508
-
C:\Windows\SysWOW64\Epjajeqo.exeC:\Windows\system32\Epjajeqo.exe82⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1424 -
C:\Windows\SysWOW64\Efdjgo32.exeC:\Windows\system32\Efdjgo32.exe83⤵
- Modifies registry class
PID:3324 -
C:\Windows\SysWOW64\Eibfck32.exeC:\Windows\system32\Eibfck32.exe84⤵PID:4940
-
C:\Windows\SysWOW64\Eaindh32.exeC:\Windows\system32\Eaindh32.exe85⤵PID:1428
-
C:\Windows\SysWOW64\Edhjqc32.exeC:\Windows\system32\Edhjqc32.exe86⤵
- Modifies registry class
PID:2896 -
C:\Windows\SysWOW64\Ehhpla32.exeC:\Windows\system32\Ehhpla32.exe87⤵
- Drops file in System32 directory
- Modifies registry class
PID:5116 -
C:\Windows\SysWOW64\Ehhpla32.exeC:\Windows\system32\Ehhpla32.exe88⤵PID:2228
-
C:\Windows\SysWOW64\Ejflhm32.exeC:\Windows\system32\Ejflhm32.exe89⤵PID:2508
-
C:\Windows\SysWOW64\Eaqdegaj.exeC:\Windows\system32\Eaqdegaj.exe90⤵
- Drops file in System32 directory
PID:4124 -
C:\Windows\SysWOW64\Epcdqd32.exeC:\Windows\system32\Epcdqd32.exe91⤵PID:2148
-
C:\Windows\SysWOW64\Efmmmn32.exeC:\Windows\system32\Efmmmn32.exe92⤵PID:1304
-
C:\Windows\SysWOW64\Facqkg32.exeC:\Windows\system32\Facqkg32.exe93⤵PID:2320
-
C:\Windows\SysWOW64\Ffpicn32.exeC:\Windows\system32\Ffpicn32.exe94⤵PID:1156
-
C:\Windows\SysWOW64\Fhofmq32.exeC:\Windows\system32\Fhofmq32.exe95⤵PID:5012
-
C:\Windows\SysWOW64\Fknbil32.exeC:\Windows\system32\Fknbil32.exe96⤵PID:1100
-
C:\Windows\SysWOW64\Fmlneg32.exeC:\Windows\system32\Fmlneg32.exe97⤵PID:2216
-
C:\Windows\SysWOW64\Fpjjac32.exeC:\Windows\system32\Fpjjac32.exe98⤵PID:5064
-
C:\Windows\SysWOW64\Fdffbake.exeC:\Windows\system32\Fdffbake.exe99⤵PID:1956
-
C:\Windows\SysWOW64\Fkpool32.exeC:\Windows\system32\Fkpool32.exe100⤵PID:1660
-
C:\Windows\SysWOW64\Fmnkkg32.exeC:\Windows\system32\Fmnkkg32.exe101⤵PID:1768
-
C:\Windows\SysWOW64\Fkbkdkpp.exeC:\Windows\system32\Fkbkdkpp.exe102⤵PID:2536
-
C:\Windows\SysWOW64\Fmqgpgoc.exeC:\Windows\system32\Fmqgpgoc.exe103⤵PID:3860
-
C:\Windows\SysWOW64\Fdkpma32.exeC:\Windows\system32\Fdkpma32.exe104⤵PID:2300
-
C:\Windows\SysWOW64\Gigheh32.exeC:\Windows\system32\Gigheh32.exe105⤵PID:2640
-
C:\Windows\SysWOW64\Gpaqbbld.exeC:\Windows\system32\Gpaqbbld.exe106⤵PID:2416
-
C:\Windows\SysWOW64\Ghhhcomg.exeC:\Windows\system32\Ghhhcomg.exe107⤵PID:3036
-
C:\Windows\SysWOW64\Gkgeoklj.exeC:\Windows\system32\Gkgeoklj.exe108⤵PID:4056
-
C:\Windows\SysWOW64\Gijekg32.exeC:\Windows\system32\Gijekg32.exe109⤵PID:5124
-
C:\Windows\SysWOW64\Gdoihpbk.exeC:\Windows\system32\Gdoihpbk.exe110⤵PID:5168
-
C:\Windows\SysWOW64\Ggnedlao.exeC:\Windows\system32\Ggnedlao.exe111⤵PID:5224
-
C:\Windows\SysWOW64\Gnhnaf32.exeC:\Windows\system32\Gnhnaf32.exe112⤵
- System Location Discovery: System Language Discovery
PID:5272 -
C:\Windows\SysWOW64\Gacjadad.exeC:\Windows\system32\Gacjadad.exe113⤵PID:5312
-
C:\Windows\SysWOW64\Gdafnpqh.exeC:\Windows\system32\Gdafnpqh.exe114⤵PID:5364
-
C:\Windows\SysWOW64\Gklnjj32.exeC:\Windows\system32\Gklnjj32.exe115⤵PID:5404
-
C:\Windows\SysWOW64\Ginnfgop.exeC:\Windows\system32\Ginnfgop.exe116⤵PID:5452
-
C:\Windows\SysWOW64\Gddbcp32.exeC:\Windows\system32\Gddbcp32.exe117⤵PID:5504
-
C:\Windows\SysWOW64\Gnlgleef.exeC:\Windows\system32\Gnlgleef.exe118⤵PID:5548
-
C:\Windows\SysWOW64\Gdfoio32.exeC:\Windows\system32\Gdfoio32.exe119⤵PID:5592
-
C:\Windows\SysWOW64\Hgelek32.exeC:\Windows\system32\Hgelek32.exe120⤵PID:5636
-
C:\Windows\SysWOW64\Hjchaf32.exeC:\Windows\system32\Hjchaf32.exe121⤵PID:5680
-
C:\Windows\SysWOW64\Hajpbckl.exeC:\Windows\system32\Hajpbckl.exe122⤵PID:5724
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-