Analysis
-
max time kernel
93s -
max time network
94s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
10-11-2024 01:20
Static task
static1
Behavioral task
behavioral1
Sample
40d85fa11f4f945e9e44813594d3409747313fdf32fa66757b4f31217209a667N.exe
Resource
win7-20240729-en
Behavioral task
behavioral2
Sample
40d85fa11f4f945e9e44813594d3409747313fdf32fa66757b4f31217209a667N.exe
Resource
win10v2004-20241007-en
General
-
Target
40d85fa11f4f945e9e44813594d3409747313fdf32fa66757b4f31217209a667N.exe
-
Size
95KB
-
MD5
a10418cf8b5b94aee88c2a8905489be0
-
SHA1
105b2166e01bb4d0d38b3edc0a7d5b835a4c5f8b
-
SHA256
40d85fa11f4f945e9e44813594d3409747313fdf32fa66757b4f31217209a667
-
SHA512
6c25d0cac5b307818068ad5e586f99091de67ca7d9bf2dd19642353bf3b3e8e952edb650d4354d58a6ff091d8b40bbe437f2a9dcd9463cdc3c9b9764fdf48614
-
SSDEEP
1536:JS7ny75v54FcB66j6zX3hJTbvgOkOlPoytM1nxb4L2R9DOM6bOLXi8PmCofGV:JSKaIA3fuRxXDDrLXfzoeV
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
Processes:
Kiphjo32.exeNbebbk32.exePedlgbkh.exeGlengm32.exeAdkgje32.exeBnhenj32.exeEbnfbcbc.exeCnaaib32.exeBdcmkgmm.exeIgchfiof.exeQkjgegae.exeIknmla32.exeNndjndbh.exeBheplb32.exeOlbdhn32.exeKenggi32.exeLgcjdd32.exePmlmkn32.exeLopmii32.exePnkbkk32.exeHnnljj32.exeBmggingc.exeIkqqlgem.exeKncaec32.exePplobcpp.exePdjgha32.exeLancko32.exeAfockelf.exeIgjngh32.exeIebngial.exeBgpcliao.exeDpgnjo32.exeGbpedjnb.exeIndfca32.exeCfqmpl32.exeIgbalblk.exeOhmhmh32.exeObnehj32.exeMbighjdd.exePajeam32.exeFbgihaji.exeHidgai32.exeLmbhgd32.exeDfiildio.exeLcimdh32.exeJbiejoaj.exeNihipdhl.exeEkjded32.exeCfcjfk32.exeFffhifdk.exeDflfac32.exeMnhdgpii.exeNqmfdj32.exeBddcenpi.exeDmfeidbe.exePdenmbkk.exeCammjakm.exeEnkmfolf.exeHemmac32.exeFfaong32.exeCdecgbfa.exeKflide32.exedescription ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kiphjo32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nbebbk32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pedlgbkh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Glengm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Adkgje32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bnhenj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ebnfbcbc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cnaaib32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bdcmkgmm.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Igchfiof.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qkjgegae.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iknmla32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nndjndbh.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bheplb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Olbdhn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kenggi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lgcjdd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pmlmkn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lopmii32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pnkbkk32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hnnljj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bmggingc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ikqqlgem.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kncaec32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pplobcpp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pdjgha32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lancko32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Afockelf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Igjngh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iebngial.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bgpcliao.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dpgnjo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pmlmkn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gbpedjnb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Indfca32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cfqmpl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Igbalblk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ohmhmh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Obnehj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mbighjdd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pajeam32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fbgihaji.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hidgai32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lmbhgd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dfiildio.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lcimdh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jbiejoaj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nihipdhl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ekjded32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cfcjfk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fffhifdk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dflfac32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mnhdgpii.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nqmfdj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bddcenpi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dmfeidbe.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pdenmbkk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cammjakm.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Enkmfolf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hemmac32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ffaong32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cdecgbfa.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kflide32.exe -
Executes dropped EXE 64 IoCs
Processes:
Giqkkf32.exeGahcmd32.exeHgelek32.exeHkpheidp.exeHajpbckl.exeHpmpnp32.exeHkbdki32.exeHammhcij.exeHdkidohn.exeHhfedm32.exeHjhalefe.exeHaoimcgg.exeHglaej32.exeHjjnae32.exeHpdfnolo.exeHgnoki32.exeHjlkge32.exeHacbhb32.exeHpfcdojl.exeIhnkel32.exeIklgah32.exeIqipio32.exeIgchfiof.exeIjadbdoj.exeIahlcaol.exeIdghpmnp.exeIgedlh32.exeIkqqlgem.exeIqmidndd.exeIhdafkdg.exeIggaah32.exeIbmeoq32.exeIdkbkl32.exeIgjngh32.exeIkejgf32.exeIndfca32.exeIqbbpm32.exeJhijqj32.exeJglklggl.exeJjjghcfp.exeJbaojpgb.exeJhlgfj32.exeJgogbgei.exeJjmcnbdm.exeJbdlop32.exeJhndljll.exeJgadgf32.exeJklphekp.exeJqiipljg.exeJdedak32.exeJjamia32.exeJbiejoaj.exeJdgafjpn.exeJgenbfoa.exeJjdjoane.exeJbkbpoog.exeKqnbkl32.exeKghjhemo.exeKkcfid32.exeKbmoen32.exeKelkaj32.exeKgjgne32.exeKjhcjq32.exeKbpkkn32.exepid Process 1492 Giqkkf32.exe 1776 Gahcmd32.exe 1956 Hgelek32.exe 3368 Hkpheidp.exe 5068 Hajpbckl.exe 2256 Hpmpnp32.exe 2800 Hkbdki32.exe 2024 Hammhcij.exe 4512 Hdkidohn.exe 1012 Hhfedm32.exe 1132 Hjhalefe.exe 4048 Haoimcgg.exe 1952 Hglaej32.exe 2488 Hjjnae32.exe 468 Hpdfnolo.exe 4100 Hgnoki32.exe 4336 Hjlkge32.exe 2516 Hacbhb32.exe 832 Hpfcdojl.exe 2504 Ihnkel32.exe 5080 Iklgah32.exe 4260 Iqipio32.exe 1876 Igchfiof.exe 4808 Ijadbdoj.exe 2860 Iahlcaol.exe 836 Idghpmnp.exe 1076 Igedlh32.exe 876 Ikqqlgem.exe 3748 Iqmidndd.exe 4760 Ihdafkdg.exe 3260 Iggaah32.exe 2260 Ibmeoq32.exe 4920 Idkbkl32.exe 4216 Igjngh32.exe 768 Ikejgf32.exe 1112 Indfca32.exe 216 Iqbbpm32.exe 4396 Jhijqj32.exe 4016 Jglklggl.exe 3064 Jjjghcfp.exe 2568 Jbaojpgb.exe 4012 Jhlgfj32.exe 2224 Jgogbgei.exe 3588 Jjmcnbdm.exe 2712 Jbdlop32.exe 4536 Jhndljll.exe 1140 Jgadgf32.exe 2020 Jklphekp.exe 4788 Jqiipljg.exe 5008 Jdedak32.exe 4568 Jjamia32.exe 3296 Jbiejoaj.exe 2832 Jdgafjpn.exe 1544 Jgenbfoa.exe 1080 Jjdjoane.exe 3324 Jbkbpoog.exe 1856 Kqnbkl32.exe 3080 Kghjhemo.exe 1388 Kkcfid32.exe 4300 Kbmoen32.exe 4160 Kelkaj32.exe 1592 Kgjgne32.exe 3024 Kjhcjq32.exe 4136 Kbpkkn32.exe -
Drops file in System32 directory 64 IoCs
Processes:
Gbfldf32.exeGbeejp32.exeJphkkpbp.exeHpmpnp32.exeGnnccl32.exeGnpphljo.exeChnlgjlb.exeDhdbhifj.exePejkmk32.exeFpggamqc.exeIcknfcol.exeJdmgfedl.exeMcbpjg32.exeFoclgq32.exeMfenglqf.exePimfpc32.exeKkcfid32.exePapfgbmg.exeQcaofebg.exeGfheof32.exeJjoiil32.exeIohejo32.exeMokmdh32.exeKhlklj32.exeNlfelogp.exeGmiclo32.exeHcblpdgg.exeDkfadkgf.exeJbccge32.exeCgklmacf.exeObcceg32.exeHgkkkcbc.exeManmoq32.exeHnbeeiji.exeIbqnkh32.exeMhckcgpj.exePbcncibp.exeKenggi32.exePakllc32.exeDpgnjo32.exeMgobel32.exeAdkgje32.exeIefphb32.exeIhdafkdg.exeGipdap32.exeLjaoeini.exeHlnjbedi.exeIpihpkkd.exeModpib32.exeAfockelf.exeBmofagfp.exeJnhidk32.exeMjokgg32.exeOloahhki.exeMfnoqc32.exeNjmqnobn.exedescription ioc Process File created C:\Windows\SysWOW64\Glaecb32.dll Gbfldf32.exe File opened for modification C:\Windows\SysWOW64\Hedafk32.exe Gbeejp32.exe File opened for modification C:\Windows\SysWOW64\Jcfggkac.exe Jphkkpbp.exe File opened for modification C:\Windows\SysWOW64\Hkbdki32.exe Hpmpnp32.exe File opened for modification C:\Windows\SysWOW64\Galoohke.exe Gnnccl32.exe File created C:\Windows\SysWOW64\Ganldgib.exe Gnpphljo.exe File created C:\Windows\SysWOW64\Biafno32.dll Chnlgjlb.exe File created C:\Windows\SysWOW64\Dkcndeen.exe Dhdbhifj.exe File created C:\Windows\SysWOW64\Pldcjeia.exe Pejkmk32.exe File created C:\Windows\SysWOW64\Pdjpll32.dll Fpggamqc.exe File created C:\Windows\SysWOW64\Okbcgopo.dll Icknfcol.exe File opened for modification C:\Windows\SysWOW64\Jcphab32.exe Jdmgfedl.exe File created C:\Windows\SysWOW64\Mgnlkfal.exe Mcbpjg32.exe File opened for modification C:\Windows\SysWOW64\Fqeioiam.exe Foclgq32.exe File created C:\Windows\SysWOW64\Mhckcgpj.exe Mfenglqf.exe File opened for modification C:\Windows\SysWOW64\Ppgomnai.exe Pimfpc32.exe File created C:\Windows\SysWOW64\Kbmoen32.exe Kkcfid32.exe File created C:\Windows\SysWOW64\Eclbio32.dll File created C:\Windows\SysWOW64\Eaecci32.dll File created C:\Windows\SysWOW64\Pifnhpmi.exe Papfgbmg.exe File created C:\Windows\SysWOW64\Qadoba32.exe Qcaofebg.exe File created C:\Windows\SysWOW64\Glengm32.exe Gfheof32.exe File created C:\Windows\SysWOW64\Jddnfd32.exe Jjoiil32.exe File created C:\Windows\SysWOW64\Iebngial.exe Iohejo32.exe File opened for modification C:\Windows\SysWOW64\Mgbefe32.exe Mokmdh32.exe File opened for modification C:\Windows\SysWOW64\Klggli32.exe Khlklj32.exe File created C:\Windows\SysWOW64\Noeahkfc.exe Nlfelogp.exe File opened for modification C:\Windows\SysWOW64\Glldgljg.exe Gmiclo32.exe File opened for modification C:\Windows\SysWOW64\Ingpmmgm.exe Hcblpdgg.exe File opened for modification C:\Windows\SysWOW64\Dflfac32.exe Dkfadkgf.exe File created C:\Windows\SysWOW64\Pgdhilkd.dll Jbccge32.exe File created C:\Windows\SysWOW64\Dodebo32.dll Cgklmacf.exe File opened for modification C:\Windows\SysWOW64\Oimkbaed.exe Obcceg32.exe File created C:\Windows\SysWOW64\Glldgljg.exe Gmiclo32.exe File created C:\Windows\SysWOW64\Oajpfn32.dll Hgkkkcbc.exe File opened for modification C:\Windows\SysWOW64\Nlcalieg.exe Manmoq32.exe File opened for modification C:\Windows\SysWOW64\Hbnaeh32.exe Hnbeeiji.exe File created C:\Windows\SysWOW64\Iijfhbhl.exe Ibqnkh32.exe File opened for modification C:\Windows\SysWOW64\Mqjbddpl.exe Mhckcgpj.exe File created C:\Windows\SysWOW64\Pnkibcle.dll Pbcncibp.exe File created C:\Windows\SysWOW64\Kijchhbo.exe Kenggi32.exe File created C:\Windows\SysWOW64\Camgolnm.dll File created C:\Windows\SysWOW64\Phedhmhi.exe Pakllc32.exe File created C:\Windows\SysWOW64\Efafgifc.exe Dpgnjo32.exe File created C:\Windows\SysWOW64\Hflkamml.dll Mgobel32.exe File opened for modification C:\Windows\SysWOW64\Ahgcjddh.exe Adkgje32.exe File created C:\Windows\SysWOW64\Iialhaad.exe Iefphb32.exe File created C:\Windows\SysWOW64\Hhdebqbi.dll File created C:\Windows\SysWOW64\Fbaahf32.exe File created C:\Windows\SysWOW64\Iggaah32.exe Ihdafkdg.exe File created C:\Windows\SysWOW64\Egnelfnm.dll File opened for modification C:\Windows\SysWOW64\Hpjmnjqn.exe Gipdap32.exe File created C:\Windows\SysWOW64\Dbdplc32.dll Ljaoeini.exe File created C:\Windows\SysWOW64\Holfoqcm.exe Hlnjbedi.exe File created C:\Windows\SysWOW64\Qgiiak32.dll Ipihpkkd.exe File opened for modification C:\Windows\SysWOW64\Mcoljagj.exe Modpib32.exe File created C:\Windows\SysWOW64\Aimogakj.exe Afockelf.exe File created C:\Windows\SysWOW64\Djojepof.dll File opened for modification C:\Windows\SysWOW64\Bcinna32.exe Bmofagfp.exe File created C:\Windows\SysWOW64\Jdaaaeqg.exe Jnhidk32.exe File created C:\Windows\SysWOW64\Mmnhcb32.exe Mjokgg32.exe File created C:\Windows\SysWOW64\Onnmdcjm.exe Oloahhki.exe File opened for modification C:\Windows\SysWOW64\Mcbpjg32.exe Mfnoqc32.exe File opened for modification C:\Windows\SysWOW64\Nmkmjjaa.exe Njmqnobn.exe -
Program crash 1 IoCs
Processes:
pid pid_target Process procid_target 7836 7828 1178 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
Cjgpfk32.exeEciplm32.exeModgdicm.exeLoacdc32.exeHioflcbj.exeNqoloc32.exeIgchfiof.exePifnhpmi.exeIgbalblk.exeIpoopgnf.exeMgehfkop.exeFilapfbo.exeKecabifp.exeHdokdg32.exePajeam32.exeOakbehfe.exeJklphekp.exeNbqmiinl.exeAokkahlo.exeKidben32.exeBkkple32.exeHdhedh32.exeEiahnnph.exeMnhdgpii.exeNmhijd32.exeKlahfp32.exeMehcdfch.exeFllkqn32.exeJddnfd32.exeKclgmq32.exeAolblopj.exeEokqkh32.exeGfmojenc.exePplhhm32.exeBjfogbjb.exeFfclcgfn.exeJjoiil32.exeImnocf32.exeFkjmlaac.exeGaebef32.exeJbccge32.exeOmdieb32.exeCndeii32.exeJohnamkm.exeLkofdbkj.exeOblmdhdo.exePllgnl32.exeDjqblj32.exeMnhkbfme.exeOalipoiq.exeLobjni32.exeKcndbp32.exeKfnfjehl.exeLgbloglj.exeAopemh32.exeEplgeokq.exeIpmbjgpi.exeLenicahg.exePldcjeia.exedescription ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cjgpfk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eciplm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Modgdicm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Loacdc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hioflcbj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nqoloc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Igchfiof.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pifnhpmi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Igbalblk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ipoopgnf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mgehfkop.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Filapfbo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kecabifp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hdokdg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pajeam32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oakbehfe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jklphekp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nbqmiinl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aokkahlo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kidben32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bkkple32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hdhedh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eiahnnph.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mnhdgpii.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nmhijd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Klahfp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mehcdfch.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fllkqn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jddnfd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kclgmq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aolblopj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eokqkh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gfmojenc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pplhhm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bjfogbjb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ffclcgfn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jjoiil32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Imnocf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fkjmlaac.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gaebef32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jbccge32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Omdieb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cndeii32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Johnamkm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lkofdbkj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oblmdhdo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pllgnl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Djqblj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mnhkbfme.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oalipoiq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lobjni32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kcndbp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kfnfjehl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lgbloglj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aopemh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eplgeokq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ipmbjgpi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lenicahg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pldcjeia.exe -
Modifies registry class 64 IoCs
Processes:
Jcdala32.exePpgegd32.exeJppnpjel.exeMcoljagj.exeNoppeaed.exeCgmhcaac.exeNojjcj32.exeAolblopj.exeBlnoga32.exeCbfgkffn.exeAknbkjfh.exeOblmdhdo.exeElgaeolp.exePknqoc32.exeMgnlkfal.exeFkjmlaac.exeHiacacpg.exeLihpif32.exeLjobpiql.exeNlkgmh32.exeChkobkod.exeBdeiqgkj.exeHgfapd32.exeNaecop32.exeNcnofeof.exeNiooqcad.exeJknfcofa.exeDqbcbkab.exeFbgbnkfm.exeIngpmmgm.exeIqmidndd.exeDjelgied.exeElbhjp32.exePjpfjl32.exeBdapehop.exeIgedlh32.exeQobhkjdi.exeFoclgq32.exeLpjjmg32.exeQikbaaml.exeAhjgjj32.exeFfclcgfn.exeHpqldc32.exeIplkpa32.exePhonha32.exeMilidebi.exeCfldelik.exeIpflihfq.exeKclgmq32.exeFbpchb32.exeDdkbmj32.exeGbpedjnb.exeJpbjfjci.exeAanbhp32.exeAfhfaddk.exeNcpeaoih.exeOihagaji.exePlbmokop.exeJihbip32.exeLnpofnhk.exedescription ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jcdala32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbikhdcm.dll" Ppgegd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jppnpjel.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mcoljagj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Noppeaed.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lncmdghm.dll" Cgmhcaac.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bcodim32.dll" Nojjcj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Aolblopj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qffkpn32.dll" Blnoga32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Cbfgkffn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmpockdl.dll" Aknbkjfh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Glgpnm32.dll" Oblmdhdo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Elgaeolp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aqhblk32.dll" Pknqoc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mgnlkfal.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fkjmlaac.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Inclga32.dll" Hiacacpg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnqjcbao.dll" Lihpif32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ljobpiql.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dfookdli.dll" Nlkgmh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Chkobkod.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bdeiqgkj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hgfapd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Naecop32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ncnofeof.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Niooqcad.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jknfcofa.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Dqbcbkab.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fbgbnkfm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cjeejn32.dll" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ingpmmgm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Iqmidndd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Djelgied.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dfmioc32.dll" Elbhjp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ingpmmgm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ilgonc32.dll" Pjpfjl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bdapehop.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cnmqme32.dll" Igedlh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Qobhkjdi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cidcnbjk.dll" Foclgq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Lpjjmg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Qikbaaml.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ahjgjj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ffclcgfn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Apmhinni.dll" Jcdala32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bgaclkia.dll" Hpqldc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Iplkpa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Klbjgbff.dll" Phonha32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Milidebi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fhgebmil.dll" Cfldelik.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ipflihfq.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kclgmq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ahoemi32.dll" Fbpchb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ddkbmj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Gbpedjnb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jpbjfjci.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Aanbhp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Glofjfnn.dll" Afhfaddk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Klndfknp.dll" Ncpeaoih.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Oihagaji.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpmehf32.dll" Plbmokop.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jihbip32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Lnpofnhk.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
40d85fa11f4f945e9e44813594d3409747313fdf32fa66757b4f31217209a667N.exeGiqkkf32.exeGahcmd32.exeHgelek32.exeHkpheidp.exeHajpbckl.exeHpmpnp32.exeHkbdki32.exeHammhcij.exeHdkidohn.exeHhfedm32.exeHjhalefe.exeHaoimcgg.exeHglaej32.exeHjjnae32.exeHpdfnolo.exeHgnoki32.exeHjlkge32.exeHacbhb32.exeHpfcdojl.exeIhnkel32.exeIklgah32.exedescription pid Process procid_target PID 1172 wrote to memory of 1492 1172 40d85fa11f4f945e9e44813594d3409747313fdf32fa66757b4f31217209a667N.exe 83 PID 1172 wrote to memory of 1492 1172 40d85fa11f4f945e9e44813594d3409747313fdf32fa66757b4f31217209a667N.exe 83 PID 1172 wrote to memory of 1492 1172 40d85fa11f4f945e9e44813594d3409747313fdf32fa66757b4f31217209a667N.exe 83 PID 1492 wrote to memory of 1776 1492 Giqkkf32.exe 84 PID 1492 wrote to memory of 1776 1492 Giqkkf32.exe 84 PID 1492 wrote to memory of 1776 1492 Giqkkf32.exe 84 PID 1776 wrote to memory of 1956 1776 Gahcmd32.exe 85 PID 1776 wrote to memory of 1956 1776 Gahcmd32.exe 85 PID 1776 wrote to memory of 1956 1776 Gahcmd32.exe 85 PID 1956 wrote to memory of 3368 1956 Hgelek32.exe 86 PID 1956 wrote to memory of 3368 1956 Hgelek32.exe 86 PID 1956 wrote to memory of 3368 1956 Hgelek32.exe 86 PID 3368 wrote to memory of 5068 3368 Hkpheidp.exe 87 PID 3368 wrote to memory of 5068 3368 Hkpheidp.exe 87 PID 3368 wrote to memory of 5068 3368 Hkpheidp.exe 87 PID 5068 wrote to memory of 2256 5068 Hajpbckl.exe 88 PID 5068 wrote to memory of 2256 5068 Hajpbckl.exe 88 PID 5068 wrote to memory of 2256 5068 Hajpbckl.exe 88 PID 2256 wrote to memory of 2800 2256 Hpmpnp32.exe 89 PID 2256 wrote to memory of 2800 2256 Hpmpnp32.exe 89 PID 2256 wrote to memory of 2800 2256 Hpmpnp32.exe 89 PID 2800 wrote to memory of 2024 2800 Hkbdki32.exe 90 PID 2800 wrote to memory of 2024 2800 Hkbdki32.exe 90 PID 2800 wrote to memory of 2024 2800 Hkbdki32.exe 90 PID 2024 wrote to memory of 4512 2024 Hammhcij.exe 92 PID 2024 wrote to memory of 4512 2024 Hammhcij.exe 92 PID 2024 wrote to memory of 4512 2024 Hammhcij.exe 92 PID 4512 wrote to memory of 1012 4512 Hdkidohn.exe 93 PID 4512 wrote to memory of 1012 4512 Hdkidohn.exe 93 PID 4512 wrote to memory of 1012 4512 Hdkidohn.exe 93 PID 1012 wrote to memory of 1132 1012 Hhfedm32.exe 94 PID 1012 wrote to memory of 1132 1012 Hhfedm32.exe 94 PID 1012 wrote to memory of 1132 1012 Hhfedm32.exe 94 PID 1132 wrote to memory of 4048 1132 Hjhalefe.exe 95 PID 1132 wrote to memory of 4048 1132 Hjhalefe.exe 95 PID 1132 wrote to memory of 4048 1132 Hjhalefe.exe 95 PID 4048 wrote to memory of 1952 4048 Haoimcgg.exe 97 PID 4048 wrote to memory of 1952 4048 Haoimcgg.exe 97 PID 4048 wrote to memory of 1952 4048 Haoimcgg.exe 97 PID 1952 wrote to memory of 2488 1952 Hglaej32.exe 98 PID 1952 wrote to memory of 2488 1952 Hglaej32.exe 98 PID 1952 wrote to memory of 2488 1952 Hglaej32.exe 98 PID 2488 wrote to memory of 468 2488 Hjjnae32.exe 99 PID 2488 wrote to memory of 468 2488 Hjjnae32.exe 99 PID 2488 wrote to memory of 468 2488 Hjjnae32.exe 99 PID 468 wrote to memory of 4100 468 Hpdfnolo.exe 100 PID 468 wrote to memory of 4100 468 Hpdfnolo.exe 100 PID 468 wrote to memory of 4100 468 Hpdfnolo.exe 100 PID 4100 wrote to memory of 4336 4100 Hgnoki32.exe 101 PID 4100 wrote to memory of 4336 4100 Hgnoki32.exe 101 PID 4100 wrote to memory of 4336 4100 Hgnoki32.exe 101 PID 4336 wrote to memory of 2516 4336 Hjlkge32.exe 103 PID 4336 wrote to memory of 2516 4336 Hjlkge32.exe 103 PID 4336 wrote to memory of 2516 4336 Hjlkge32.exe 103 PID 2516 wrote to memory of 832 2516 Hacbhb32.exe 104 PID 2516 wrote to memory of 832 2516 Hacbhb32.exe 104 PID 2516 wrote to memory of 832 2516 Hacbhb32.exe 104 PID 832 wrote to memory of 2504 832 Hpfcdojl.exe 105 PID 832 wrote to memory of 2504 832 Hpfcdojl.exe 105 PID 832 wrote to memory of 2504 832 Hpfcdojl.exe 105 PID 2504 wrote to memory of 5080 2504 Ihnkel32.exe 106 PID 2504 wrote to memory of 5080 2504 Ihnkel32.exe 106 PID 2504 wrote to memory of 5080 2504 Ihnkel32.exe 106 PID 5080 wrote to memory of 4260 5080 Iklgah32.exe 107
Processes
-
C:\Users\Admin\AppData\Local\Temp\40d85fa11f4f945e9e44813594d3409747313fdf32fa66757b4f31217209a667N.exe"C:\Users\Admin\AppData\Local\Temp\40d85fa11f4f945e9e44813594d3409747313fdf32fa66757b4f31217209a667N.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1172 -
C:\Windows\SysWOW64\Giqkkf32.exeC:\Windows\system32\Giqkkf32.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1492 -
C:\Windows\SysWOW64\Gahcmd32.exeC:\Windows\system32\Gahcmd32.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1776 -
C:\Windows\SysWOW64\Hgelek32.exeC:\Windows\system32\Hgelek32.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1956 -
C:\Windows\SysWOW64\Hkpheidp.exeC:\Windows\system32\Hkpheidp.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3368 -
C:\Windows\SysWOW64\Hajpbckl.exeC:\Windows\system32\Hajpbckl.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5068 -
C:\Windows\SysWOW64\Hpmpnp32.exeC:\Windows\system32\Hpmpnp32.exe7⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2256 -
C:\Windows\SysWOW64\Hkbdki32.exeC:\Windows\system32\Hkbdki32.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2800 -
C:\Windows\SysWOW64\Hammhcij.exeC:\Windows\system32\Hammhcij.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2024 -
C:\Windows\SysWOW64\Hdkidohn.exeC:\Windows\system32\Hdkidohn.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4512 -
C:\Windows\SysWOW64\Hhfedm32.exeC:\Windows\system32\Hhfedm32.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1012 -
C:\Windows\SysWOW64\Hjhalefe.exeC:\Windows\system32\Hjhalefe.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1132 -
C:\Windows\SysWOW64\Haoimcgg.exeC:\Windows\system32\Haoimcgg.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4048 -
C:\Windows\SysWOW64\Hglaej32.exeC:\Windows\system32\Hglaej32.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1952 -
C:\Windows\SysWOW64\Hjjnae32.exeC:\Windows\system32\Hjjnae32.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2488 -
C:\Windows\SysWOW64\Hpdfnolo.exeC:\Windows\system32\Hpdfnolo.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:468 -
C:\Windows\SysWOW64\Hgnoki32.exeC:\Windows\system32\Hgnoki32.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4100 -
C:\Windows\SysWOW64\Hjlkge32.exeC:\Windows\system32\Hjlkge32.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4336 -
C:\Windows\SysWOW64\Hacbhb32.exeC:\Windows\system32\Hacbhb32.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2516 -
C:\Windows\SysWOW64\Hpfcdojl.exeC:\Windows\system32\Hpfcdojl.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:832 -
C:\Windows\SysWOW64\Ihnkel32.exeC:\Windows\system32\Ihnkel32.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2504 -
C:\Windows\SysWOW64\Iklgah32.exeC:\Windows\system32\Iklgah32.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5080 -
C:\Windows\SysWOW64\Iqipio32.exeC:\Windows\system32\Iqipio32.exe23⤵
- Executes dropped EXE
PID:4260 -
C:\Windows\SysWOW64\Igchfiof.exeC:\Windows\system32\Igchfiof.exe24⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1876 -
C:\Windows\SysWOW64\Ijadbdoj.exeC:\Windows\system32\Ijadbdoj.exe25⤵
- Executes dropped EXE
PID:4808 -
C:\Windows\SysWOW64\Iahlcaol.exeC:\Windows\system32\Iahlcaol.exe26⤵
- Executes dropped EXE
PID:2860 -
C:\Windows\SysWOW64\Idghpmnp.exeC:\Windows\system32\Idghpmnp.exe27⤵
- Executes dropped EXE
PID:836 -
C:\Windows\SysWOW64\Igedlh32.exeC:\Windows\system32\Igedlh32.exe28⤵
- Executes dropped EXE
- Modifies registry class
PID:1076 -
C:\Windows\SysWOW64\Ikqqlgem.exeC:\Windows\system32\Ikqqlgem.exe29⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:876 -
C:\Windows\SysWOW64\Iqmidndd.exeC:\Windows\system32\Iqmidndd.exe30⤵
- Executes dropped EXE
- Modifies registry class
PID:3748 -
C:\Windows\SysWOW64\Ihdafkdg.exeC:\Windows\system32\Ihdafkdg.exe31⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4760 -
C:\Windows\SysWOW64\Iggaah32.exeC:\Windows\system32\Iggaah32.exe32⤵
- Executes dropped EXE
PID:3260 -
C:\Windows\SysWOW64\Ibmeoq32.exeC:\Windows\system32\Ibmeoq32.exe33⤵
- Executes dropped EXE
PID:2260 -
C:\Windows\SysWOW64\Idkbkl32.exeC:\Windows\system32\Idkbkl32.exe34⤵
- Executes dropped EXE
PID:4920 -
C:\Windows\SysWOW64\Igjngh32.exeC:\Windows\system32\Igjngh32.exe35⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4216 -
C:\Windows\SysWOW64\Ikejgf32.exeC:\Windows\system32\Ikejgf32.exe36⤵
- Executes dropped EXE
PID:768 -
C:\Windows\SysWOW64\Indfca32.exeC:\Windows\system32\Indfca32.exe37⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1112 -
C:\Windows\SysWOW64\Iqbbpm32.exeC:\Windows\system32\Iqbbpm32.exe38⤵
- Executes dropped EXE
PID:216 -
C:\Windows\SysWOW64\Jhijqj32.exeC:\Windows\system32\Jhijqj32.exe39⤵
- Executes dropped EXE
PID:4396 -
C:\Windows\SysWOW64\Jglklggl.exeC:\Windows\system32\Jglklggl.exe40⤵
- Executes dropped EXE
PID:4016 -
C:\Windows\SysWOW64\Jjjghcfp.exeC:\Windows\system32\Jjjghcfp.exe41⤵
- Executes dropped EXE
PID:3064 -
C:\Windows\SysWOW64\Jbaojpgb.exeC:\Windows\system32\Jbaojpgb.exe42⤵
- Executes dropped EXE
PID:2568 -
C:\Windows\SysWOW64\Jhlgfj32.exeC:\Windows\system32\Jhlgfj32.exe43⤵
- Executes dropped EXE
PID:4012 -
C:\Windows\SysWOW64\Jgogbgei.exeC:\Windows\system32\Jgogbgei.exe44⤵
- Executes dropped EXE
PID:2224 -
C:\Windows\SysWOW64\Jjmcnbdm.exeC:\Windows\system32\Jjmcnbdm.exe45⤵
- Executes dropped EXE
PID:3588 -
C:\Windows\SysWOW64\Jbdlop32.exeC:\Windows\system32\Jbdlop32.exe46⤵
- Executes dropped EXE
PID:2712 -
C:\Windows\SysWOW64\Jhndljll.exeC:\Windows\system32\Jhndljll.exe47⤵
- Executes dropped EXE
PID:4536 -
C:\Windows\SysWOW64\Jgadgf32.exeC:\Windows\system32\Jgadgf32.exe48⤵
- Executes dropped EXE
PID:1140 -
C:\Windows\SysWOW64\Jklphekp.exeC:\Windows\system32\Jklphekp.exe49⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2020 -
C:\Windows\SysWOW64\Jqiipljg.exeC:\Windows\system32\Jqiipljg.exe50⤵
- Executes dropped EXE
PID:4788 -
C:\Windows\SysWOW64\Jdedak32.exeC:\Windows\system32\Jdedak32.exe51⤵
- Executes dropped EXE
PID:5008 -
C:\Windows\SysWOW64\Jjamia32.exeC:\Windows\system32\Jjamia32.exe52⤵
- Executes dropped EXE
PID:4568 -
C:\Windows\SysWOW64\Jbiejoaj.exeC:\Windows\system32\Jbiejoaj.exe53⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3296 -
C:\Windows\SysWOW64\Jdgafjpn.exeC:\Windows\system32\Jdgafjpn.exe54⤵
- Executes dropped EXE
PID:2832 -
C:\Windows\SysWOW64\Jgenbfoa.exeC:\Windows\system32\Jgenbfoa.exe55⤵
- Executes dropped EXE
PID:1544 -
C:\Windows\SysWOW64\Jjdjoane.exeC:\Windows\system32\Jjdjoane.exe56⤵
- Executes dropped EXE
PID:1080 -
C:\Windows\SysWOW64\Jbkbpoog.exeC:\Windows\system32\Jbkbpoog.exe57⤵
- Executes dropped EXE
PID:3324 -
C:\Windows\SysWOW64\Kqnbkl32.exeC:\Windows\system32\Kqnbkl32.exe58⤵
- Executes dropped EXE
PID:1856 -
C:\Windows\SysWOW64\Kghjhemo.exeC:\Windows\system32\Kghjhemo.exe59⤵
- Executes dropped EXE
PID:3080 -
C:\Windows\SysWOW64\Kkcfid32.exeC:\Windows\system32\Kkcfid32.exe60⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1388 -
C:\Windows\SysWOW64\Kbmoen32.exeC:\Windows\system32\Kbmoen32.exe61⤵
- Executes dropped EXE
PID:4300 -
C:\Windows\SysWOW64\Kelkaj32.exeC:\Windows\system32\Kelkaj32.exe62⤵
- Executes dropped EXE
PID:4160 -
C:\Windows\SysWOW64\Kgjgne32.exeC:\Windows\system32\Kgjgne32.exe63⤵
- Executes dropped EXE
PID:1592 -
C:\Windows\SysWOW64\Kjhcjq32.exeC:\Windows\system32\Kjhcjq32.exe64⤵
- Executes dropped EXE
PID:3024 -
C:\Windows\SysWOW64\Kbpkkn32.exeC:\Windows\system32\Kbpkkn32.exe65⤵
- Executes dropped EXE
PID:4136 -
C:\Windows\SysWOW64\Kenggi32.exeC:\Windows\system32\Kenggi32.exe66⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:320 -
C:\Windows\SysWOW64\Kijchhbo.exeC:\Windows\system32\Kijchhbo.exe67⤵PID:3504
-
C:\Windows\SysWOW64\Kjkpoq32.exeC:\Windows\system32\Kjkpoq32.exe68⤵PID:3276
-
C:\Windows\SysWOW64\Keqdmihc.exeC:\Windows\system32\Keqdmihc.exe69⤵PID:5016
-
C:\Windows\SysWOW64\Kgopidgf.exeC:\Windows\system32\Kgopidgf.exe70⤵PID:1084
-
C:\Windows\SysWOW64\Kjmmepfj.exeC:\Windows\system32\Kjmmepfj.exe71⤵PID:3192
-
C:\Windows\SysWOW64\Kbddfmgl.exeC:\Windows\system32\Kbddfmgl.exe72⤵PID:4952
-
C:\Windows\SysWOW64\Kecabifp.exeC:\Windows\system32\Kecabifp.exe73⤵
- System Location Discovery: System Language Discovery
PID:888 -
C:\Windows\SysWOW64\Kinmcg32.exeC:\Windows\system32\Kinmcg32.exe74⤵PID:5032
-
C:\Windows\SysWOW64\Kkmioc32.exeC:\Windows\system32\Kkmioc32.exe75⤵PID:1708
-
C:\Windows\SysWOW64\Lajagj32.exeC:\Windows\system32\Lajagj32.exe76⤵PID:2956
-
C:\Windows\SysWOW64\Lgcjdd32.exeC:\Windows\system32\Lgcjdd32.exe77⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4440 -
C:\Windows\SysWOW64\Lkofdbkj.exeC:\Windows\system32\Lkofdbkj.exe78⤵
- System Location Discovery: System Language Discovery
PID:3596 -
C:\Windows\SysWOW64\Lalnmiia.exeC:\Windows\system32\Lalnmiia.exe79⤵PID:1224
-
C:\Windows\SysWOW64\Lgffic32.exeC:\Windows\system32\Lgffic32.exe80⤵PID:4508
-
C:\Windows\SysWOW64\Lnpofnhk.exeC:\Windows\system32\Lnpofnhk.exe81⤵
- Modifies registry class
PID:1824 -
C:\Windows\SysWOW64\Lejgch32.exeC:\Windows\system32\Lejgch32.exe82⤵PID:4768
-
C:\Windows\SysWOW64\Ljgpkonp.exeC:\Windows\system32\Ljgpkonp.exe83⤵PID:1384
-
C:\Windows\SysWOW64\Lbngllob.exeC:\Windows\system32\Lbngllob.exe84⤵PID:868
-
C:\Windows\SysWOW64\Lihpif32.exeC:\Windows\system32\Lihpif32.exe85⤵
- Modifies registry class
PID:3420 -
C:\Windows\SysWOW64\Ljilqnlm.exeC:\Windows\system32\Ljilqnlm.exe86⤵PID:2336
-
C:\Windows\SysWOW64\Lacdmh32.exeC:\Windows\system32\Lacdmh32.exe87⤵PID:2188
-
C:\Windows\SysWOW64\Lhmmjbkf.exeC:\Windows\system32\Lhmmjbkf.exe88⤵PID:2424
-
C:\Windows\SysWOW64\Ljkifn32.exeC:\Windows\system32\Ljkifn32.exe89⤵PID:4296
-
C:\Windows\SysWOW64\Mbbagk32.exeC:\Windows\system32\Mbbagk32.exe90⤵PID:2408
-
C:\Windows\SysWOW64\Milidebi.exeC:\Windows\system32\Milidebi.exe91⤵
- Modifies registry class
PID:2676 -
C:\Windows\SysWOW64\Mjneln32.exeC:\Windows\system32\Mjneln32.exe92⤵PID:1220
-
C:\Windows\SysWOW64\Mbenmk32.exeC:\Windows\system32\Mbenmk32.exe93⤵PID:2388
-
C:\Windows\SysWOW64\Mahnhhod.exeC:\Windows\system32\Mahnhhod.exe94⤵PID:3496
-
C:\Windows\SysWOW64\Mlmbfqoj.exeC:\Windows\system32\Mlmbfqoj.exe95⤵PID:3548
-
C:\Windows\SysWOW64\Mnlnbl32.exeC:\Windows\system32\Mnlnbl32.exe96⤵PID:3452
-
C:\Windows\SysWOW64\Majjng32.exeC:\Windows\system32\Majjng32.exe97⤵PID:5136
-
C:\Windows\SysWOW64\Mlpokp32.exeC:\Windows\system32\Mlpokp32.exe98⤵PID:5180
-
C:\Windows\SysWOW64\Mjbogmdb.exeC:\Windows\system32\Mjbogmdb.exe99⤵PID:5216
-
C:\Windows\SysWOW64\Mbighjdd.exeC:\Windows\system32\Mbighjdd.exe100⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5264 -
C:\Windows\SysWOW64\Mehcdfch.exeC:\Windows\system32\Mehcdfch.exe101⤵
- System Location Discovery: System Language Discovery
PID:5304 -
C:\Windows\SysWOW64\Mnphmkji.exeC:\Windows\system32\Mnphmkji.exe102⤵PID:5348
-
C:\Windows\SysWOW64\Maodigil.exeC:\Windows\system32\Maodigil.exe103⤵PID:5384
-
C:\Windows\SysWOW64\Mifljdjo.exeC:\Windows\system32\Mifljdjo.exe104⤵PID:5436
-
C:\Windows\SysWOW64\Mldhfpib.exeC:\Windows\system32\Mldhfpib.exe105⤵PID:5480
-
C:\Windows\SysWOW64\Nobdbkhf.exeC:\Windows\system32\Nobdbkhf.exe106⤵PID:5516
-
C:\Windows\SysWOW64\Nemmoe32.exeC:\Windows\system32\Nemmoe32.exe107⤵PID:5584
-
C:\Windows\SysWOW64\Nihipdhl.exeC:\Windows\system32\Nihipdhl.exe108⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5644 -
C:\Windows\SysWOW64\Nlfelogp.exeC:\Windows\system32\Nlfelogp.exe109⤵
- Drops file in System32 directory
PID:5684 -
C:\Windows\SysWOW64\Noeahkfc.exeC:\Windows\system32\Noeahkfc.exe110⤵PID:5740
-
C:\Windows\SysWOW64\Nbqmiinl.exeC:\Windows\system32\Nbqmiinl.exe111⤵
- System Location Discovery: System Language Discovery
PID:5796 -
C:\Windows\SysWOW64\Neoieenp.exeC:\Windows\system32\Neoieenp.exe112⤵PID:5856
-
C:\Windows\SysWOW64\Nijeec32.exeC:\Windows\system32\Nijeec32.exe113⤵PID:5892
-
C:\Windows\SysWOW64\Nhmeapmd.exeC:\Windows\system32\Nhmeapmd.exe114⤵PID:5944
-
C:\Windows\SysWOW64\Nklbmllg.exeC:\Windows\system32\Nklbmllg.exe115⤵PID:5996
-
C:\Windows\SysWOW64\Nognnj32.exeC:\Windows\system32\Nognnj32.exe116⤵PID:6028
-
C:\Windows\SysWOW64\Nbcjnilj.exeC:\Windows\system32\Nbcjnilj.exe117⤵PID:6100
-
C:\Windows\SysWOW64\Neafjdkn.exeC:\Windows\system32\Neafjdkn.exe118⤵PID:5164
-
C:\Windows\SysWOW64\Nhpbfpka.exeC:\Windows\system32\Nhpbfpka.exe119⤵PID:5256
-
C:\Windows\SysWOW64\Nlkngo32.exeC:\Windows\system32\Nlkngo32.exe120⤵PID:5320
-
C:\Windows\SysWOW64\Nojjcj32.exeC:\Windows\system32\Nojjcj32.exe121⤵
- Modifies registry class
PID:5404 -
C:\Windows\SysWOW64\Nbefdijg.exeC:\Windows\system32\Nbefdijg.exe122⤵PID:5476
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-