Analysis
max time kernel: 26s
max time network: 19s
platform: windows7_x64
resource: win7-20241010-en
resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
submitted: 10-11-2024 01:37

Static task: static1

Behavioral task: behavioral1
Sample: 4439543c527c69320587dfe511e8a0322994ad072518c1551b6038f36445dcccN.exe
Resource: win7-20241010-en

Behavioral task: behavioral2
Sample: 4439543c527c69320587dfe511e8a0322994ad072518c1551b6038f36445dcccN.exe
Resource: win10v2004-20241007-en

General
Target: 4439543c527c69320587dfe511e8a0322994ad072518c1551b6038f36445dcccN.exe
Size: 84KB
MD5: 5fd3b68a4e69d0a7ea3f74edcea96970
SHA1: 463e17784d99058152e3e35a96939fc319371b8c
SHA256: 4439543c527c69320587dfe511e8a0322994ad072518c1551b6038f36445dccc
SHA512: 30c1082ed99b14cb8ec7d36724baef0205e3552fb545534431ab573033dc3caf621932b33406b41f5442b1612e29c9c9896cb5d21312dd18e673094607b7cf34
SSDEEP: 1536:68G7ykuXdQWrFifXSREXHfVPfMVwNKT1iqWUPGc4T7VLd:688uXRECREXdXNKT1ntPG9pB
Malware Config
Signatures
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
Executes dropped EXE 64 IoCs
Loads dropped DLL 64 IoCs
Drops file in System32 directory 64 IoCs
Program crash 1 IoCs
Processes: WerFault.exe (pid 3888), target process Ohnemidj.exe (pid 3876)
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Modifies registry class 64 IoCs
\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pgofok32.dll" Cmapna32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Olgehh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Folhio32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fhfihd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pfkfdg32.dll" Aoakfl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Emomop32.dll" Cjfgalcq.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ibmmkaik.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
4439543c527c69320587dfe511e8a0322994ad072518c1551b6038f36445dcccN.exe, Mbobgfnf.exe, Nnhobgag.exe, Ndgdpn32.exe, Nblaajbd.exe, Oiifcdhn.exe, Oohlaj32.exe, Okolfkjg.exe, Ohbmppia.exe, Pghjqlmi.exe, Pkebgj32.exe, Pkholjam.exe, Pccdqloh.exe, Polakmbi.exe, Qkcbpn32.exe, Aoakfl32.exe
description pid process target process
(each of the 16 parent-to-child writes below was recorded four times, giving the 64 IoCs)
PID 2344 wrote to memory of 2628 2344 4439543c527c69320587dfe511e8a0322994ad072518c1551b6038f36445dcccN.exe Mbobgfnf.exe
PID 2628 wrote to memory of 2968 2628 Mbobgfnf.exe Nnhobgag.exe
PID 2968 wrote to memory of 2932 2968 Nnhobgag.exe Ndgdpn32.exe
PID 2932 wrote to memory of 2756 2932 Ndgdpn32.exe Nblaajbd.exe
PID 2756 wrote to memory of 2744 2756 Nblaajbd.exe Oiifcdhn.exe
PID 2744 wrote to memory of 1668 2744 Oiifcdhn.exe Oohlaj32.exe
PID 1668 wrote to memory of 884 1668 Oohlaj32.exe Okolfkjg.exe
PID 884 wrote to memory of 2548 884 Okolfkjg.exe Ohbmppia.exe
PID 2548 wrote to memory of 3020 2548 Ohbmppia.exe Pghjqlmi.exe
PID 3020 wrote to memory of 1880 3020 Pghjqlmi.exe Pkebgj32.exe
PID 1880 wrote to memory of 2304 1880 Pkebgj32.exe Pkholjam.exe
PID 2304 wrote to memory of 1044 2304 Pkholjam.exe Pccdqloh.exe
PID 1044 wrote to memory of 2172 1044 Pccdqloh.exe Polakmbi.exe
PID 2172 wrote to memory of 2076 2172 Polakmbi.exe Qkcbpn32.exe
PID 2076 wrote to memory of 2240 2076 Qkcbpn32.exe Aoakfl32.exe
PID 2240 wrote to memory of 756 2240 Aoakfl32.exe Anfggicl.exe
Processes
Process tree. The bracketed number is the depth in the tree; every process is the single child of the one listed before it. Each dropped executable is reported with its on-disk image under C:\Windows\SysWOW64 although it was launched with the command line C:\Windows\system32\<name>.exe: the processes are 32-bit, so WOW64 file-system redirection maps system32 to SysWOW64 for them. The signatures that fired for a process follow the colon.
[1] C:\Users\Admin\AppData\Local\Temp\4439543c527c69320587dfe511e8a0322994ad072518c1551b6038f36445dcccN.exe (PID 2344; command line "C:\Users\Admin\AppData\Local\Temp\4439543c527c69320587dfe511e8a0322994ad072518c1551b6038f36445dcccN.exe"): Loads dropped DLL; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
[2] C:\Windows\SysWOW64\Mbobgfnf.exe (PID 2628): Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
[3] C:\Windows\SysWOW64\Nnhobgag.exe (PID 2968): Executes dropped EXE; Loads dropped DLL; Modifies registry class; Suspicious use of WriteProcessMemory
[4] C:\Windows\SysWOW64\Ndgdpn32.exe (PID 2932): Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
[5] C:\Windows\SysWOW64\Nblaajbd.exe (PID 2756): Executes dropped EXE; Loads dropped DLL; Drops file in System32 directory; Suspicious use of WriteProcessMemory
[6] C:\Windows\SysWOW64\Oiifcdhn.exe (PID 2744): Executes dropped EXE; Loads dropped DLL; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
[7] C:\Windows\SysWOW64\Oohlaj32.exe (PID 1668): Executes dropped EXE; Loads dropped DLL; Modifies registry class; Suspicious use of WriteProcessMemory
[8] C:\Windows\SysWOW64\Okolfkjg.exe (PID 884): Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
[9] C:\Windows\SysWOW64\Ohbmppia.exe (PID 2548): Executes dropped EXE; Loads dropped DLL; Drops file in System32 directory; Suspicious use of WriteProcessMemory
[10] C:\Windows\SysWOW64\Pghjqlmi.exe (PID 3020): Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
[11] C:\Windows\SysWOW64\Pkebgj32.exe (PID 1880): Executes dropped EXE; Loads dropped DLL; System Location Discovery: System Language Discovery; Modifies registry class; Suspicious use of WriteProcessMemory
[12] C:\Windows\SysWOW64\Pkholjam.exe (PID 2304): Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
[13] C:\Windows\SysWOW64\Pccdqloh.exe (PID 1044): Executes dropped EXE; Loads dropped DLL; Drops file in System32 directory; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
[14] C:\Windows\SysWOW64\Polakmbi.exe (PID 2172): Executes dropped EXE; Loads dropped DLL; Drops file in System32 directory; Suspicious use of WriteProcessMemory
[15] C:\Windows\SysWOW64\Qkcbpn32.exe (PID 2076): Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Loads dropped DLL; Modifies registry class; Suspicious use of WriteProcessMemory
[16] C:\Windows\SysWOW64\Aoakfl32.exe (PID 2240): Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Loads dropped DLL; Modifies registry class; Suspicious use of WriteProcessMemory
[17] C:\Windows\SysWOW64\Anfggicl.exe (PID 756): Executes dropped EXE; Loads dropped DLL
[18] C:\Windows\SysWOW64\Agolpnjl.exe (PID 696): Executes dropped EXE; Loads dropped DLL
[19] C:\Windows\SysWOW64\Agaifnhi.exe (PID 2816): Executes dropped EXE; Loads dropped DLL; Modifies registry class
[20] C:\Windows\SysWOW64\Amnanefa.exe (PID 1540): Executes dropped EXE; Loads dropped DLL; System Location Discovery: System Language Discovery
[21] C:\Windows\SysWOW64\Agcekn32.exe (PID 1360): Executes dropped EXE; Loads dropped DLL; Modifies registry class
[22] C:\Windows\SysWOW64\Agebam32.exe (PID 1280): Executes dropped EXE; Loads dropped DLL; System Location Discovery: System Language Discovery
[23] C:\Windows\SysWOW64\Bfmlgi32.exe (PID 2420): Executes dropped EXE; Loads dropped DLL; Drops file in System32 directory; Modifies registry class
[24] C:\Windows\SysWOW64\Boeppomj.exe (PID 1020): Executes dropped EXE; Loads dropped DLL
[25] C:\Windows\SysWOW64\Bebiifka.exe (PID 1652): Executes dropped EXE; Loads dropped DLL
[26] C:\Windows\SysWOW64\Bjanfl32.exe (PID 2072): Executes dropped EXE; Loads dropped DLL
[27] C:\Windows\SysWOW64\Cgeopqfp.exe (PID 1552): Executes dropped EXE; Loads dropped DLL; Modifies registry class
[28] C:\Windows\SysWOW64\Cjfgalcq.exe (PID 2840): Executes dropped EXE; Loads dropped DLL; Drops file in System32 directory; Modifies registry class
[29] C:\Windows\SysWOW64\Cmdcngbd.exe (PID 2884): Executes dropped EXE; Loads dropped DLL
[30] C:\Windows\SysWOW64\Cfoellgb.exe (PID 2116): Executes dropped EXE; Loads dropped DLL; Drops file in System32 directory
[31] C:\Windows\SysWOW64\Domffn32.exe (PID 1796): Executes dropped EXE; Loads dropped DLL
[32] C:\Windows\SysWOW64\Dlqgob32.exe (PID 2852): Executes dropped EXE; Loads dropped DLL; Drops file in System32 directory; Modifies registry class
[33] C:\Windows\SysWOW64\Deikhhhe.exe (PID 2096): Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Drops file in System32 directory; System Location Discovery: System Language Discovery
[34] C:\Windows\SysWOW64\Dkhpfo32.exe (PID 1612): Executes dropped EXE
[35] C:\Windows\SysWOW64\Dendcg32.exe (PID 2108): Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE
[36] C:\Windows\SysWOW64\Ecmhqp32.exe (PID 2092): Executes dropped EXE; Drops file in System32 directory; System Location Discovery: System Language Discovery
[37] C:\Windows\SysWOW64\Eleliepj.exe (PID 1744): Executes dropped EXE
[38] C:\Windows\SysWOW64\Elgioe32.exe (PID 2720): Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE
[39] C:\Windows\SysWOW64\Fljfdd32.exe (PID 1896): Executes dropped EXE
[40] C:\Windows\SysWOW64\Fhqfie32.exe (PID 1472): Executes dropped EXE
[41] C:\Windows\SysWOW64\Fhccoe32.exe (PID 2660): Executes dropped EXE; System Location Discovery: System Language Discovery
[42] C:\Windows\SysWOW64\Fqnhcgma.exe (PID 1456): Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Drops file in System32 directory
[43] C:\Windows\SysWOW64\Fgjmfa32.exe (PID 1724): Executes dropped EXE
[44] C:\Windows\SysWOW64\Gfpjgn32.exe (PID 2156): Executes dropped EXE
[45] C:\Windows\SysWOW64\Gohnpcmd.exe (PID 2368): Executes dropped EXE; System Location Discovery: System Language Discovery; Modifies registry class
[46] C:\Windows\SysWOW64\Gkoodd32.exe (PID 1516): Executes dropped EXE
[47] C:\Windows\SysWOW64\Gdgcnj32.exe (PID 108): Executes dropped EXE; Modifies registry class
[48] C:\Windows\SysWOW64\Gnphfppi.exe (PID 836): Executes dropped EXE
[49] C:\Windows\SysWOW64\Goodpb32.exe (PID 2200): Executes dropped EXE; Modifies registry class
[50] C:\Windows\SysWOW64\Higiih32.exe (PID 2528): Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Drops file in System32 directory; System Location Discovery: System Language Discovery
[51] C:\Windows\SysWOW64\Hkfeec32.exe (PID 3040): Executes dropped EXE; Drops file in System32 directory; System Location Discovery: System Language Discovery
[52] C:\Windows\SysWOW64\Hgmfjdbe.exe (PID 1696): Executes dropped EXE
[53] C:\Windows\SysWOW64\Hminbkql.exe (PID 2944): Executes dropped EXE; Drops file in System32 directory
[54] C:\Windows\SysWOW64\Hfbckagm.exe (PID 2912): Executes dropped EXE; Drops file in System32 directory; System Location Discovery: System Language Discovery
[55] C:\Windows\SysWOW64\Haggijgb.exe (PID 2780): Executes dropped EXE; System Location Discovery: System Language Discovery
[56] C:\Windows\SysWOW64\Hjplao32.exe (PID 2168): Executes dropped EXE; Drops file in System32 directory
[57] C:\Windows\SysWOW64\Hchpjddc.exe (PID 2688): Executes dropped EXE
[58] C:\Windows\SysWOW64\Imqdcjkd.exe (PID 1756): Executes dropped EXE; Modifies registry class
[59] C:\Windows\SysWOW64\Ibmmkaik.exe (PID 1248): Executes dropped EXE; Modifies registry class
[60] C:\Windows\SysWOW64\Ipameehe.exe (PID 3024): Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Drops file in System32 directory; Modifies registry class
[61] C:\Windows\SysWOW64\Ienfml32.exe (PID 2292): Executes dropped EXE
[62] C:\Windows\SysWOW64\Ipcjje32.exe (PID 816): Executes dropped EXE
[63] C:\Windows\SysWOW64\Iilocklc.exe (PID 1284): Executes dropped EXE
[64] C:\Windows\SysWOW64\Iecohl32.exe (PID 2272): Executes dropped EXE
[65] C:\Windows\SysWOW64\Ilmgef32.exe (PID 2684): Executes dropped EXE; System Location Discovery: System Language Discovery
[66] C:\Windows\SysWOW64\Ieelnkpd.exe (PID 1904)
[67] C:\Windows\SysWOW64\Jonqfq32.exe (PID 2224): Adds autorun key to be loaded by Explorer.exe on startup; Drops file in System32 directory
[68] C:\Windows\SysWOW64\Jhfepfme.exe (PID 2328)
[69] C:\Windows\SysWOW64\Jmbnhm32.exe (PID 868)
[70] C:\Windows\SysWOW64\Jfkbqcam.exe (PID 2460): Adds autorun key to be loaded by Explorer.exe on startup; Drops file in System32 directory; Modifies registry class
[71] C:\Windows\SysWOW64\Jlhjijpe.exe (PID 1600): Adds autorun key to be loaded by Explorer.exe on startup; Drops file in System32 directory; Modifies registry class
[72] C:\Windows\SysWOW64\Jgmofbpk.exe (PID 2848): Drops file in System32 directory; System Location Discovery: System Language Discovery; Modifies registry class
[73] C:\Windows\SysWOW64\Joicje32.exe (PID 2760): Adds autorun key to be loaded by Explorer.exe on startup
[74] C:\Windows\SysWOW64\Jinghn32.exe (PID 2120): System Location Discovery: System Language Discovery; Modifies registry class
[75] C:\Windows\SysWOW64\Kbflqccl.exe (PID 2184)
[76] C:\Windows\SysWOW64\Khcdijac.exe (PID 980): Adds autorun key to be loaded by Explorer.exe on startup; System Location Discovery: System Language Discovery; Modifies registry class
[77] C:\Windows\SysWOW64\Kaliaphd.exe (PID 1392)
[78] C:\Windows\SysWOW64\Kheaoj32.exe (PID 2832): Drops file in System32 directory
[79] C:\Windows\SysWOW64\Kejahn32.exe (PID 1528): Drops file in System32 directory; Modifies registry class
[80] C:\Windows\SysWOW64\Kkfjpemb.exe (PID 2444)
[81] C:\Windows\SysWOW64\Kdooij32.exe (PID 2288): Adds autorun key to be loaded by Explorer.exe on startup; System Location Discovery: System Language Discovery; Modifies registry class
[82] C:\Windows\SysWOW64\Kpeonkig.exe (PID 908): System Location Discovery: System Language Discovery
[83] C:\Windows\SysWOW64\Lgphke32.exe (PID 1852): Drops file in System32 directory; Modifies registry class
[84] C:\Windows\SysWOW64\Lllpclnk.exe (PID 2340): Adds autorun key to be loaded by Explorer.exe on startup; System Location Discovery: System Language Discovery
[85] C:\Windows\SysWOW64\Ljpqlqmd.exe (PID 1792): System Location Discovery: System Language Discovery
[86] C:\Windows\SysWOW64\Lhenmm32.exe (PID 2680): Drops file in System32 directory
[87] C:\Windows\SysWOW64\Lckbkfbb.exe (PID 1924): System Location Discovery: System Language Discovery
[88] C:\Windows\SysWOW64\Lobbpg32.exe (PID 2876): System Location Discovery: System Language Discovery
[89] C:\Windows\SysWOW64\Lhjghlng.exe (PID 3004): Modifies registry class
[90] C:\Windows\SysWOW64\Lngpac32.exe (PID 2904)
[91] C:\Windows\SysWOW64\Mgodjico.exe (PID 1876): System Location Discovery: System Language Discovery
[92] C:\Windows\SysWOW64\Mbehgabe.exe (PID 1616)
[93] C:\Windows\SysWOW64\Mkmmpg32.exe (PID 1808): Adds autorun key to be loaded by Explorer.exe on startup; Drops file in System32 directory; System Location Discovery: System Language Discovery
[94] C:\Windows\SysWOW64\Mdeaim32.exe (PID 1520): Drops file in System32 directory; Modifies registry class
[95] C:\Windows\SysWOW64\Mjbiac32.exe (PID 2208): Adds autorun key to be loaded by Explorer.exe on startup; Modifies registry class
[96] C:\Windows\SysWOW64\Mqlbnnej.exe (PID 2436)
[97] C:\Windows\SysWOW64\Mmcbbo32.exe (PID 396): Drops file in System32 directory
[98] C:\Windows\SysWOW64\Mflgkd32.exe (PID 860)
[99] C:\Windows\SysWOW64\Nqakim32.exe (PID 1856): Adds autorun key to be loaded by Explorer.exe on startup
[100] C:\Windows\SysWOW64\Nmhlnngi.exe (PID 2612): Adds autorun key to be loaded by Explorer.exe on startup; System Location Discovery: System Language Discovery; Modifies registry class
[101] C:\Windows\SysWOW64\Nbinad32.exe (PID 2956)
[102] C:\Windows\SysWOW64\Njdbefnf.exe (PID 2960): Modifies registry class
[103] C:\Windows\SysWOW64\Oelcho32.exe (PID 2804): Drops file in System32 directory
[104] C:\Windows\SysWOW64\Ofpmegpe.exe (PID 2784)
[105] C:\Windows\SysWOW64\Omjeba32.exe (PID 2228): System Location Discovery: System Language Discovery
[106] C:\Windows\SysWOW64\Ojnelefl.exe (PID 1824): Adds autorun key to be loaded by Explorer.exe on startup; Modifies registry class
[107] C:\Windows\SysWOW64\Olobcm32.exe (PID 1196): Modifies registry class
[108] C:\Windows\SysWOW64\Ofefqf32.exe (PID 1784): Adds autorun key to be loaded by Explorer.exe on startup; Drops file in System32 directory
[109] C:\Windows\SysWOW64\Omonmpcm.exe (PID 1320): Modifies registry class
[110] C:\Windows\SysWOW64\Pejcab32.exe (PID 2600): Adds autorun key to be loaded by Explorer.exe on startup
[111] C:\Windows\SysWOW64\Pldknmhd.exe (PID 1480): Drops file in System32 directory
[112] C:\Windows\SysWOW64\Paqdgcfl.exe (PID 2520)
[113] C:\Windows\SysWOW64\Phklcn32.exe (PID 2384): System Location Discovery: System Language Discovery
[114] C:\Windows\SysWOW64\Plheil32.exe (PID 3000)
[115] C:\Windows\SysWOW64\Pmjaadjm.exe (PID 2856): Drops file in System32 directory
[116] C:\Windows\SysWOW64\Pknakhig.exe (PID 2868): Adds autorun key to be loaded by Explorer.exe on startup; Drops file in System32 directory
[117] C:\Windows\SysWOW64\Pmlngdhk.exe (PID 2320): System Location Discovery: System Language Discovery
[118] C:\Windows\SysWOW64\Qgdbpi32.exe (PID 588): System Location Discovery: System Language Discovery
[119] C:\Windows\SysWOW64\Qkpnph32.exe (PID 1344): Drops file in System32 directory; System Location Discovery: System Language Discovery
[120] C:\Windows\SysWOW64\Qdhcinme.exe (PID 2820): System Location Discovery: System Language Discovery
[121] C:\Windows\SysWOW64\Qiekadkl.exe (PID 1868): Adds autorun key to be loaded by Explorer.exe on startup; Drops file in System32 directory
[122] C:\Windows\SysWOW64\Qlcgmpkp.exe (PID 824): Adds autorun key to be loaded by Explorer.exe on startup
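The registry IoCs above show the mechanism behind the "Adds autorun key to be loaded by Explorer.exe on startup" and "Modifies registry class" signatures: the dropped executables register CLSID {79FEACFF-FFCE-815E-A900-316290B5B738} under Classes\Wow6432Node with an InProcServer32 whose default value is a freshly dropped DLL in C:\Windows\SysWow64 (Allben32.dll, Fpcqnh32.dll and so on) and ThreadingModel "Apartment", and the same CLSID is what the sample writes under ShellServiceObjectDelayLoad so that the shell loads that DLL. The PowerShell below is an added hunting script, not part of the sandbox report or of the sample: it resolves every ShellServiceObjectDelayLoad entry in both registry views to its InProcServer32 DLL and Authenticode status and flags the report's CLSID, then lists recently written, not validly signed PE files in SysWOW64 (the "Drops file in System32 directory" side of the process tree). It assumes PowerShell 3.0 or later run as an administrator; the CLSID is copied from the report, while the seven-day look-back window is an assumption to tune to the suspected infection window.

```powershell
# Added hunting example, not from the sandbox report or the sample.
# Assumptions: PowerShell 3.0+, elevated; $KnownBadClsid is copied from the report;
# $LookBack is a guessed infection window and should be tuned.
$KnownBadClsid = '{79FEACFF-FFCE-815E-A900-316290B5B738}'
$LookBack      = (Get-Date).AddDays(-7)

# The sample is a 32-bit process, so its HKLM\SOFTWARE writes were redirected to
# Wow6432Node. Check both views: 64-bit explorer.exe reads the native one.
$SsodlKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad'
)
$ClsidRoots = @(
    'HKLM:\SOFTWARE\Classes\CLSID',
    'HKLM:\SOFTWARE\Classes\Wow6432Node\CLSID'
)

function Get-SignatureStatus {
    param([string]$Path)
    # Expand %SystemRoot%-style values and still return a status when the file is
    # gone: a dangling InProcServer32 target is itself worth a look.
    $full = [Environment]::ExpandEnvironmentVariables($Path).Trim('"')
    if (-not $full -or -not (Test-Path -LiteralPath $full)) { return 'FileMissing' }
    return [string](Get-AuthenticodeSignature -FilePath $full).Status
}

function Resolve-InProcServer32 {
    param([string]$Clsid)
    # A CLSID may be registered in either view; emit every InProcServer32 found.
    foreach ($root in $ClsidRoots) {
        $key = Join-Path $root "$Clsid\InProcServer32"
        if (Test-Path -LiteralPath $key) {
            $p = Get-ItemProperty -LiteralPath $key
            [pscustomobject]@{
                Key            = $key
                Dll            = [string]$p.'(default)'
                ThreadingModel = [string]$p.ThreadingModel
            }
        }
    }
}

$ssodlFindings = foreach ($key in $SsodlKeys) {
    if (-not (Test-Path -LiteralPath $key)) { continue }
    $item = Get-Item -LiteralPath $key
    foreach ($name in $item.GetValueNames()) {
        $clsid   = [string]$item.GetValue($name)
        $servers = @(Resolve-InProcServer32 -Clsid $clsid)
        if ($servers.Count -eq 0) {
            # Entry whose CLSID resolves nowhere: report it rather than drop it.
            [pscustomobject]@{ SsodlKey = $key; ValueName = $name; Clsid = $clsid
                               Dll = '<unresolved>'; Signature = 'n/a'
                               KnownBad = ($clsid -ieq $KnownBadClsid) }
            continue
        }
        foreach ($srv in $servers) {
            [pscustomobject]@{
                SsodlKey  = $key
                ValueName = $name
                Clsid     = $clsid
                Dll       = $srv.Dll
                Signature = Get-SignatureStatus -Path $srv.Dll
                KnownBad  = ($clsid -ieq $KnownBadClsid)
            }
        }
    }
}

# The report's CLSID, or any entry whose DLL is not validly signed, needs review.
$ssodlFindings |
    Where-Object { $_.KnownBad -or $_.Signature -ne 'Valid' } |
    Format-Table -AutoSize

# Second check: the report shows dozens of freshly dropped, pseudo-randomly named
# .exe and .dll files in C:\Windows\SysWOW64. List recent ones that are not validly signed.
Get-ChildItem -Path "$env:SystemRoot\SysWOW64\*" -Include *.exe, *.dll -File -ErrorAction SilentlyContinue |
    Where-Object { $_.LastWriteTime -gt $LookBack } |
    ForEach-Object {
        [pscustomobject]@{
            Path      = $_.FullName
            Written   = $_.LastWriteTime
            Signature = Get-SignatureStatus -Path $_.FullName
        }
    } |
    Where-Object { $_.Signature -ne 'Valid' } |
    Sort-Object Written -Descending |
    Format-Table -AutoSize
```

Two caveats when reading the output. First, because the writes in this report landed under Wow6432Node, a 64-bit explorer.exe on an x64 host reads the native key and may never load the entry; the script still checks both views because the same family on a 32-bit host, or a 32-bit shell extension host, would read the redirected one. Second, Microsoft's own files in SysWOW64 are catalog-signed; on an up-to-date host Get-AuthenticodeSignature reports them as Valid, but on older systems (the report ran on Windows 7) it does not consult signing catalogs and can show them as NotSigned, so treat both tables as triage lists rather than verdicts and confirm with file hashes against the IoCs in the report.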