Analysis
-
max time kernel
94s -
max time network
97s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
10-11-2024 01:35
Static task
static1
Behavioral task
behavioral1
Sample
cf58de8add2a20e59f5f4bebca6899f6b347e20ca7982762564e9358a86e596aN.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
cf58de8add2a20e59f5f4bebca6899f6b347e20ca7982762564e9358a86e596aN.exe
Resource
win10v2004-20241007-en
General
-
Target
cf58de8add2a20e59f5f4bebca6899f6b347e20ca7982762564e9358a86e596aN.exe
-
Size
386KB
-
MD5
b245f8e3182e14a06356e0d1f25cd7a0
-
SHA1
6a7498e6d4aa616b25096b99acf719c74462be87
-
SHA256
cf58de8add2a20e59f5f4bebca6899f6b347e20ca7982762564e9358a86e596a
-
SHA512
a3564aaa13b2b50a29f2fa142c0067287b9a4fa6cb4358742dd4f8b850953d7058465ee25a29c9291ad5f9b40dc63596b6f6048970841db9d2a1f2ee02681424
-
SSDEEP
12288:txp0RwQZ7287xmPFRkfJg9qwQZ7287xmP:zuRZZ/aFKm9qZZ/a
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
Processes:
Pjjahe32.exeGphphj32.exeHienlpel.exeMjodla32.exeIgfkfo32.exeGpcmga32.exeNeoieenp.exeBfendmoc.exeIlmmni32.exeJjafok32.exeOghghb32.exeBoenhgdd.exeCmdfgm32.exeDjklmo32.exeEplnpeol.exeFdkpma32.exeIkejgf32.exeOlbdhn32.exeOjajin32.exeIohjlmeg.exeIfgldfio.exeMpnnle32.exeJkaicd32.exeMniallpq.exeNiooqcad.exeCmhigf32.exeBoihcf32.exeCkgohf32.exePloknb32.exeAjqgidij.exePhdnngdn.exeOcmconhk.exeOcffempp.exePomgjn32.exeBpnihiio.exeGgnedlao.exeNjiegl32.exeNolgijpk.exeAcfhad32.exeHmpcbhji.exeBhhiemoj.exePcpikkge.exeCabomkll.exeFkpool32.exeKecabifp.exeLegjmh32.exeMajjng32.exeKnalji32.exeMjlhgaqp.exeMfeeabda.exeCohkokgj.exeHfcnpn32.exeOhgoaehe.exeOphjiaql.exeEibfck32.exeEmnbdioi.exeIndfca32.exeBfpdin32.exeCjecpkcg.exeGpqjglii.exeOhcegi32.exeFneggdhg.exeKeimof32.exedescription ioc process Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pjjahe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gphphj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hienlpel.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mjodla32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Igfkfo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gpcmga32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Neoieenp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bfendmoc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ilmmni32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jjafok32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oghghb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Boenhgdd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cmdfgm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Djklmo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Eplnpeol.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fdkpma32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ikejgf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Olbdhn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ojajin32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Iohjlmeg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ifgldfio.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mpnnle32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jkaicd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mniallpq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Niooqcad.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cmhigf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Boihcf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ckgohf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ploknb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ajqgidij.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Phdnngdn.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ocmconhk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ocffempp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pomgjn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bpnihiio.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ggnedlao.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Njiegl32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nolgijpk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Acfhad32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hmpcbhji.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bhhiemoj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pcpikkge.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cabomkll.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fkpool32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kecabifp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Legjmh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Majjng32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Knalji32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mjlhgaqp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mfeeabda.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hienlpel.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cohkokgj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hfcnpn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ohgoaehe.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ophjiaql.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Eibfck32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Emnbdioi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Indfca32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bfpdin32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cjecpkcg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gpqjglii.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ohcegi32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fneggdhg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Keimof32.exe -
Executes dropped EXE 64 IoCs
Processes:
Hocqam32.exeHbbmmi32.exeHhlejcpm.exeHkjafn32.exeHninbj32.exeIohjlmeg.exeInkjhi32.exeIfbbig32.exeIhqoeb32.exeIgcoqocb.exeIokgal32.exeIbicnh32.exeIdgojc32.exeIgfkfo32.exeIkaggmii.exeInpccihl.exeIfgldfio.exeIiehpahb.exeIghhln32.exeIoopml32.exeIbnligoc.exeIfihif32.exeIigdfa32.exeIkfabm32.exeIoambknl.exeIbpiogmp.exeIenekbld.exeIgmagnkg.exeJodjhkkj.exeJfnbdecg.exeJilnqqbj.exeJkkjmlan.exeJnifigpa.exeJfpojead.exeJiokfpph.exeJoiccj32.exeJbgoof32.exeJeekkafl.exeJgdhgmep.exeJnnpdg32.exeJfehed32.exeJicdap32.exeJkaqnk32.exeJnpmjf32.exeJejefqaf.exeJghabl32.exeKppici32.exeKbnepe32.exeKihnmohm.exeKlfjijgq.exeKnefeffd.exeKflnfcgg.exeKijjbofj.exeKlifnj32.exeKngcje32.exeKbbokdlk.exeKimghn32.exeKlkcdj32.exeKnippe32.exeKfqgab32.exeKhbdikip.exeKpiljh32.exeKbghfc32.exeKefdbo32.exepid process 4200 Hocqam32.exe 3052 Hbbmmi32.exe 5112 Hhlejcpm.exe 4480 Hkjafn32.exe 3352 Hninbj32.exe 640 Iohjlmeg.exe 4796 Inkjhi32.exe 1648 Ifbbig32.exe 404 Ihqoeb32.exe 1592 Igcoqocb.exe 4388 Iokgal32.exe 4908 Ibicnh32.exe 952 Idgojc32.exe 3472 Igfkfo32.exe 4128 Ikaggmii.exe 2972 Inpccihl.exe 4692 Ifgldfio.exe 4856 Iiehpahb.exe 2664 Ighhln32.exe 5008 Ioopml32.exe 3336 Ibnligoc.exe 756 Ifihif32.exe 3568 Iigdfa32.exe 3412 Ikfabm32.exe 2984 Ioambknl.exe 3316 Ibpiogmp.exe 4092 Ienekbld.exe 1756 Igmagnkg.exe 2396 Jodjhkkj.exe 4628 Jfnbdecg.exe 4552 Jilnqqbj.exe 3856 Jkkjmlan.exe 1420 Jnifigpa.exe 4528 Jfpojead.exe 312 Jiokfpph.exe 2700 Joiccj32.exe 412 Jbgoof32.exe 1920 Jeekkafl.exe 1032 Jgdhgmep.exe 620 Jnnpdg32.exe 2308 Jfehed32.exe 808 Jicdap32.exe 1220 Jkaqnk32.exe 4076 Jnpmjf32.exe 4688 Jejefqaf.exe 4520 Jghabl32.exe 2576 Kppici32.exe 3156 Kbnepe32.exe 3900 Kihnmohm.exe 3832 Klfjijgq.exe 1012 Knefeffd.exe 948 Kflnfcgg.exe 4152 Kijjbofj.exe 4088 Klifnj32.exe 4132 Kngcje32.exe 3984 Kbbokdlk.exe 4440 Kimghn32.exe 3536 Klkcdj32.exe 3232 Knippe32.exe 3540 Kfqgab32.exe 1904 Khbdikip.exe 3972 Kpiljh32.exe 2960 Kbghfc32.exe 4052 Kefdbo32.exe -
Drops file in System32 directory 64 IoCs
Processes:
Ejbbmnnb.exeNcqlkemc.exeIciaqc32.exeMgeakekd.exeIfgldfio.exeLppbkgcj.exeFkbkdkpp.exeHgiepjga.exeJdbhkk32.exeNheble32.exeFaenpf32.exeQohpkf32.exeLmpkadnm.exeDnmhpg32.exeBhpofl32.exeLehaho32.exeCpihcgoa.exeJhlgfj32.exePakllc32.exeGpqjglii.exeDijbno32.exeLobjni32.exeMpqkad32.exeGaopfe32.exeQofcff32.exeKqbdldnq.exeFpmggb32.exeEiloco32.exeHoeieolb.exeLcnfohmi.exeHninbj32.exeJoiccj32.exeIhbdplfi.exeLgepom32.exeDahmfpap.exeLeadnm32.exeMolelb32.exeNebmekoi.exeHammhcij.exeOhcegi32.exeIomoenej.exeOcgbld32.exeMibijk32.exeNbcqiope.exeOcopdn32.exeKeqdmihc.exeAllpejfe.exeQobhkjdi.execf58de8add2a20e59f5f4bebca6899f6b347e20ca7982762564e9358a86e596aN.exeIbicnh32.exeFmjaphek.exeIjcjmmil.exeKlfaapbl.exeEplnpeol.exePjkmomfn.exeLhfmdj32.exeFkihnmhj.exePejkmk32.exeNpbceggm.exeCpbjkn32.exeLflbkcll.exeOjfcdnjc.exedescription ioc process File opened for modification C:\Windows\SysWOW64\Ealkjh32.exe Ejbbmnnb.exe File created C:\Windows\SysWOW64\Nfohgqlg.exe Ncqlkemc.exe File opened for modification C:\Windows\SysWOW64\Ikpjbq32.exe Iciaqc32.exe File created C:\Windows\SysWOW64\Obqhpfck.dll Mgeakekd.exe File created C:\Windows\SysWOW64\Iiehpahb.exe Ifgldfio.exe File created C:\Windows\SysWOW64\Okopkl32.dll Lppbkgcj.exe File created C:\Windows\SysWOW64\Fmqgpgoc.exe Fkbkdkpp.exe File created C:\Windows\SysWOW64\Hjhalefe.exe Hgiepjga.exe File opened for modification C:\Windows\SysWOW64\Jklphekp.exe Jdbhkk32.exe File opened for modification C:\Windows\SysWOW64\Nplkmckj.exe Nheble32.exe File created C:\Windows\SysWOW64\Fdcjlb32.exe Faenpf32.exe File created C:\Windows\SysWOW64\Fjebhadm.dll Qohpkf32.exe File created C:\Windows\SysWOW64\Jkiocibf.dll Lmpkadnm.exe File created C:\Windows\SysWOW64\Dnpdegjp.exe Dnmhpg32.exe File created C:\Windows\SysWOW64\Boihcf32.exe Bhpofl32.exe File created C:\Windows\SysWOW64\Kqbgfn32.dll Lehaho32.exe File created C:\Windows\SysWOW64\Cfcqpa32.exe Cpihcgoa.exe File created C:\Windows\SysWOW64\Jnhpoamf.exe Jhlgfj32.exe File created C:\Windows\SysWOW64\Pkcadhgm.exe Pakllc32.exe File created C:\Windows\SysWOW64\Pofkjd32.dll Gpqjglii.exe File opened for modification C:\Windows\SysWOW64\Eiloco32.exe Dijbno32.exe File created C:\Windows\SysWOW64\Lbmolo32.dll Lobjni32.exe File opened for modification C:\Windows\SysWOW64\Mbognp32.exe Mpqkad32.exe File created C:\Windows\SysWOW64\Qkdbgdbg.dll Gaopfe32.exe File opened for modification C:\Windows\SysWOW64\Hjhalefe.exe Hgiepjga.exe File opened for modification C:\Windows\SysWOW64\Qhngolpo.exe Qofcff32.exe File opened for modification C:\Windows\SysWOW64\Kkgiimng.exe Kqbdldnq.exe File created C:\Windows\SysWOW64\Fhdohp32.exe Fpmggb32.exe File created C:\Windows\SysWOW64\Fqehjpfj.dll Eiloco32.exe File created C:\Windows\SysWOW64\Aqmiic32.dll Hoeieolb.exe File created C:\Windows\SysWOW64\Efmnhl32.dll Lcnfohmi.exe File created C:\Windows\SysWOW64\Iohjlmeg.exe Hninbj32.exe File created C:\Windows\SysWOW64\Aaccdk32.dll Joiccj32.exe File created C:\Windows\SysWOW64\Gdmmbq32.exe Gaopfe32.exe File created C:\Windows\SysWOW64\Ikqqlgem.exe Ihbdplfi.exe File created C:\Windows\SysWOW64\Bdpkjpdi.dll Lgepom32.exe File opened for modification C:\Windows\SysWOW64\Dkqaoe32.exe Dahmfpap.exe File created C:\Windows\SysWOW64\Mhppji32.exe Leadnm32.exe File opened for modification C:\Windows\SysWOW64\Mfcmmp32.exe Molelb32.exe File created C:\Windows\SysWOW64\Niniei32.exe Nebmekoi.exe File opened for modification C:\Windows\SysWOW64\Hpomcp32.exe Hammhcij.exe File created C:\Windows\SysWOW64\Oalipoiq.exe Ohcegi32.exe File created C:\Windows\SysWOW64\Dahcld32.dll Iomoenej.exe File created C:\Windows\SysWOW64\Kofmfi32.dll Ocgbld32.exe File created C:\Windows\SysWOW64\Mlpeff32.exe Mibijk32.exe File created C:\Windows\SysWOW64\Kkkahahf.dll Nbcqiope.exe File created C:\Windows\SysWOW64\Oenlqi32.exe Ocopdn32.exe File opened for modification C:\Windows\SysWOW64\Kniieo32.exe Keqdmihc.exe File created C:\Windows\SysWOW64\Acfhad32.exe Allpejfe.exe File created C:\Windows\SysWOW64\Qmeigg32.exe Qobhkjdi.exe File opened for modification C:\Windows\SysWOW64\Hocqam32.exe cf58de8add2a20e59f5f4bebca6899f6b347e20ca7982762564e9358a86e596aN.exe File created C:\Windows\SysWOW64\Mkjkef32.dll Ibicnh32.exe File opened for modification C:\Windows\SysWOW64\Faenpf32.exe Fmjaphek.exe File created C:\Windows\SysWOW64\Blafme32.dll Ijcjmmil.exe File created C:\Windows\SysWOW64\Fgeaiknl.dll Klfaapbl.exe File opened for modification C:\Windows\SysWOW64\Edhjqc32.exe Eplnpeol.exe File created C:\Windows\SysWOW64\Pmiikh32.exe Pjkmomfn.exe File created C:\Windows\SysWOW64\Lpneegel.exe Lhfmdj32.exe File created C:\Windows\SysWOW64\Filiii32.exe Fkihnmhj.exe File created C:\Windows\SysWOW64\Blciboie.dll Pejkmk32.exe File created C:\Windows\SysWOW64\Dicdcemd.dll Npbceggm.exe File created C:\Windows\SysWOW64\Aqjpajgi.dll Cpbjkn32.exe File created C:\Windows\SysWOW64\Lncjlq32.exe Lflbkcll.exe File created C:\Windows\SysWOW64\Gdmpga32.dll Ojfcdnjc.exe -
Program crash 1 IoCs
Processes:
WerFault.exepid pid_target process target process 3624 5204 WerFault.exe Dkqaoe32.exe -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
Phhhhc32.exeBcghch32.exeBppfmigl.exeCaienjfd.exeEfmmmn32.exeEjoomhmi.exeFfaong32.exeJkkjmlan.exePanhbfep.exeFiodpl32.exeNcfmno32.exeDjmibn32.exeFmnkkg32.exeGfjkjo32.exeOgekbb32.exeIbicnh32.exeNeoieenp.exePcepkfld.exeBoflmdkk.exeApaadpng.exeJhijqj32.exeNhnlkfpp.exeOlijhmgj.exeFlqdlnde.exeKjblje32.exeQhjmdp32.exeCdimqm32.exeCklhcfle.exeLbchba32.exeLhdqnj32.exeOgmijllo.exeDfjgaq32.exeDihlbf32.exeIgpdfb32.exeMmkkmc32.exeNagpeo32.exeJbgoof32.exeAmlogfel.exePpgegd32.exeDcogje32.exeEibfck32.exeMajjng32.exeFdccbl32.exePejkmk32.exeMnegbp32.exeJnifigpa.exeNhbfff32.exeKeqdmihc.exeBjicdmmd.exeGikdkj32.exePjkmomfn.exePagbaglh.exeNpedmdab.exeJfnbdecg.exeEfhcbodf.exeGgpbjkpl.exeHdmein32.exeOkchnk32.exeIinqbn32.exeOghghb32.exeHhlejcpm.exeMhgfkg32.exeBfjnjcni.exeEbommi32.exedescription ioc process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Phhhhc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bcghch32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bppfmigl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Caienjfd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Efmmmn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ejoomhmi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ffaong32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jkkjmlan.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Panhbfep.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fiodpl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ncfmno32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Djmibn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fmnkkg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gfjkjo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ogekbb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ibicnh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Neoieenp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pcepkfld.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Boflmdkk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Apaadpng.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jhijqj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nhnlkfpp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Olijhmgj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Flqdlnde.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kjblje32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qhjmdp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cdimqm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cklhcfle.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lbchba32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lhdqnj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ogmijllo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dfjgaq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dihlbf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Igpdfb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mmkkmc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nagpeo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jbgoof32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Amlogfel.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ppgegd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dcogje32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eibfck32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Majjng32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fdccbl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pejkmk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mnegbp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jnifigpa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nhbfff32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Keqdmihc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bjicdmmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gikdkj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pjkmomfn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pagbaglh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Npedmdab.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jfnbdecg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Efhcbodf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ggpbjkpl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hdmein32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Okchnk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iinqbn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oghghb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hhlejcpm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mhgfkg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bfjnjcni.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ebommi32.exe -
Modifies registry class 64 IoCs
Processes:
Hkjafn32.exeInkjhi32.exeBihjfnmm.exeKnqepc32.exeCdpcal32.exeDjcoai32.exeIdfaefkd.exeIggjga32.exeGmimai32.exeOndljl32.exePgkelj32.exeCpihcgoa.exeEagaoh32.exeOlijhmgj.exeMlpeff32.exeIhbdplfi.exeIinqbn32.exeOmpfej32.exeNpchgdcd.exeFimhjl32.exeNmdgikhi.exeNpbceggm.exeOepifi32.exeDjfcaohp.exeGdmmbq32.exeHjedffig.exePopbpqjh.exeMfnoqc32.exeCaienjfd.exeDcjnoece.exeDmihij32.exeGahcmd32.exeGnjjfegi.exeQachgk32.exeKeimof32.exeDpckjfgg.exeGdfoio32.exeMminhceb.exeCdbpgl32.exeLhijijbg.exeMfaqhp32.exeDjmibn32.exeImpliekg.exeOhnebd32.exeHacbhb32.exeMjlhgaqp.exeCgjjdf32.exeEplnpeol.exeCodhnb32.exeBoflmdkk.exeEfepbi32.exeKnippe32.exeOenlqi32.exeOebflhaf.exeQjnkcekm.exeEhailbaa.exeHgghjjid.exeMjjkaabc.exeJgakbm32.exeKhbdikip.exeBciehh32.exeJhijqj32.exeMnnkgl32.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hkjafn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Inkjhi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Memicmfo.dll" Bihjfnmm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mhelik32.dll" Knqepc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hgncclck.dll" Cdpcal32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Djcoai32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Abakhdbk.dll" Idfaefkd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Accailfj.dll" Iggjga32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Gmimai32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ondljl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pgkelj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Cpihcgoa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ahqdnk32.dll" Eagaoh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kahobhgo.dll" Olijhmgj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Anoabcka.dll" Mlpeff32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ihbdplfi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Iinqbn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ompfej32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hiqhki32.dll" Npchgdcd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lhnjoi32.dll" Fimhjl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfkcaoef.dll" Nmdgikhi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Npbceggm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ikncgkdf.dll" Oepifi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Djfcaohp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Gdmmbq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hjedffig.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Popbpqjh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bkncfepb.dll" Mfnoqc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Caienjfd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dcjnoece.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cpjdachc.dll" Dmihij32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Gahcmd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Gnjjfegi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Qachgk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Keimof32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dpckjfgg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Gdfoio32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lmafqb32.dll" Mminhceb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Cdbpgl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Lhijijbg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cqpnpgeo.dll" Mfaqhp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mbmcqa32.dll" Djmibn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Impliekg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ohnebd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hacbhb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bcghdkpf.dll" Impliekg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mfjnfknb.dll" Mjlhgaqp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Cgjjdf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lkhimi32.dll" Eplnpeol.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ngqpijkf.dll" Codhnb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mlgbnc32.dll" Boflmdkk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcoong32.dll" Efepbi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Knippe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Oenlqi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Oebflhaf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hgagmm32.dll" Qjnkcekm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ehailbaa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hgghjjid.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mjjkaabc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jgakbm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Khbdikip.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bciehh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Paihbi32.dll" Jhijqj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gaplji32.dll" Mnnkgl32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
cf58de8add2a20e59f5f4bebca6899f6b347e20ca7982762564e9358a86e596aN.exeHocqam32.exeHbbmmi32.exeHhlejcpm.exeHkjafn32.exeHninbj32.exeIohjlmeg.exeInkjhi32.exeIfbbig32.exeIhqoeb32.exeIgcoqocb.exeIokgal32.exeIbicnh32.exeIdgojc32.exeIgfkfo32.exeIkaggmii.exeInpccihl.exeIfgldfio.exeIiehpahb.exeIghhln32.exeIoopml32.exeIbnligoc.exedescription pid process target process PID 5028 wrote to memory of 4200 5028 cf58de8add2a20e59f5f4bebca6899f6b347e20ca7982762564e9358a86e596aN.exe Hocqam32.exe PID 5028 wrote to memory of 4200 5028 cf58de8add2a20e59f5f4bebca6899f6b347e20ca7982762564e9358a86e596aN.exe Hocqam32.exe PID 5028 wrote to memory of 4200 5028 cf58de8add2a20e59f5f4bebca6899f6b347e20ca7982762564e9358a86e596aN.exe Hocqam32.exe PID 4200 wrote to memory of 3052 4200 Hocqam32.exe Hbbmmi32.exe PID 4200 wrote to memory of 3052 4200 Hocqam32.exe Hbbmmi32.exe PID 4200 wrote to memory of 3052 4200 Hocqam32.exe Hbbmmi32.exe PID 3052 wrote to memory of 5112 3052 Hbbmmi32.exe Hhlejcpm.exe PID 3052 wrote to memory of 5112 3052 Hbbmmi32.exe Hhlejcpm.exe PID 3052 wrote to memory of 5112 3052 Hbbmmi32.exe Hhlejcpm.exe PID 5112 wrote to memory of 4480 5112 Hhlejcpm.exe Hkjafn32.exe PID 5112 wrote to memory of 4480 5112 Hhlejcpm.exe Hkjafn32.exe PID 5112 wrote to memory of 4480 5112 Hhlejcpm.exe Hkjafn32.exe PID 4480 wrote to memory of 3352 4480 Hkjafn32.exe Hninbj32.exe PID 4480 wrote to memory of 3352 4480 Hkjafn32.exe Hninbj32.exe PID 4480 wrote to memory of 3352 4480 Hkjafn32.exe Hninbj32.exe PID 3352 wrote to memory of 640 3352 Hninbj32.exe Iohjlmeg.exe PID 3352 wrote to memory of 640 3352 Hninbj32.exe Iohjlmeg.exe PID 3352 wrote to memory of 640 3352 Hninbj32.exe Iohjlmeg.exe PID 640 wrote to memory of 4796 640 Iohjlmeg.exe Inkjhi32.exe PID 640 wrote to memory of 4796 640 Iohjlmeg.exe Inkjhi32.exe PID 640 wrote to memory of 4796 640 Iohjlmeg.exe Inkjhi32.exe PID 4796 wrote to memory of 1648 4796 Inkjhi32.exe Ifbbig32.exe PID 4796 wrote to memory of 1648 4796 Inkjhi32.exe Ifbbig32.exe PID 4796 wrote to memory of 1648 4796 Inkjhi32.exe Ifbbig32.exe PID 1648 wrote to memory of 404 1648 Ifbbig32.exe Ihqoeb32.exe PID 1648 wrote to memory of 404 1648 Ifbbig32.exe Ihqoeb32.exe PID 1648 wrote to memory of 404 1648 Ifbbig32.exe Ihqoeb32.exe PID 404 wrote to memory of 1592 404 Ihqoeb32.exe Igcoqocb.exe PID 404 wrote to memory of 1592 404 Ihqoeb32.exe Igcoqocb.exe PID 404 wrote to memory of 1592 404 Ihqoeb32.exe Igcoqocb.exe PID 1592 wrote to memory of 4388 1592 Igcoqocb.exe Iokgal32.exe PID 1592 wrote to memory of 4388 1592 Igcoqocb.exe Iokgal32.exe PID 1592 wrote to memory of 4388 1592 Igcoqocb.exe Iokgal32.exe PID 4388 wrote to memory of 4908 4388 Iokgal32.exe Ibicnh32.exe PID 4388 wrote to memory of 4908 4388 Iokgal32.exe Ibicnh32.exe PID 4388 wrote to memory of 4908 4388 Iokgal32.exe Ibicnh32.exe PID 4908 wrote to memory of 952 4908 Ibicnh32.exe Idgojc32.exe PID 4908 wrote to memory of 952 4908 Ibicnh32.exe Idgojc32.exe PID 4908 wrote to memory of 952 4908 Ibicnh32.exe Idgojc32.exe PID 952 wrote to memory of 3472 952 Idgojc32.exe Igfkfo32.exe PID 952 wrote to memory of 3472 952 Idgojc32.exe Igfkfo32.exe PID 952 wrote to memory of 3472 952 Idgojc32.exe Igfkfo32.exe PID 3472 wrote to memory of 4128 3472 Igfkfo32.exe Ikaggmii.exe PID 3472 wrote to memory of 4128 3472 Igfkfo32.exe Ikaggmii.exe PID 3472 wrote to memory of 4128 3472 Igfkfo32.exe Ikaggmii.exe PID 4128 wrote to memory of 2972 4128 Ikaggmii.exe Inpccihl.exe PID 4128 wrote to memory of 2972 4128 Ikaggmii.exe Inpccihl.exe PID 4128 wrote to memory of 2972 4128 Ikaggmii.exe Inpccihl.exe PID 2972 wrote to memory of 4692 2972 Inpccihl.exe Ifgldfio.exe PID 2972 wrote to memory of 4692 2972 Inpccihl.exe Ifgldfio.exe PID 2972 wrote to memory of 4692 2972 Inpccihl.exe Ifgldfio.exe PID 4692 wrote to memory of 4856 4692 Ifgldfio.exe Iiehpahb.exe PID 4692 wrote to memory of 4856 4692 Ifgldfio.exe Iiehpahb.exe PID 4692 wrote to memory of 4856 4692 Ifgldfio.exe Iiehpahb.exe PID 4856 wrote to memory of 2664 4856 Iiehpahb.exe Ighhln32.exe PID 4856 wrote to memory of 2664 4856 Iiehpahb.exe Ighhln32.exe PID 4856 wrote to memory of 2664 4856 Iiehpahb.exe Ighhln32.exe PID 2664 wrote to memory of 5008 2664 Ighhln32.exe Ioopml32.exe PID 2664 wrote to memory of 5008 2664 Ighhln32.exe Ioopml32.exe PID 2664 wrote to memory of 5008 2664 Ighhln32.exe Ioopml32.exe PID 5008 wrote to memory of 3336 5008 Ioopml32.exe Ibnligoc.exe PID 5008 wrote to memory of 3336 5008 Ioopml32.exe Ibnligoc.exe PID 5008 wrote to memory of 3336 5008 Ioopml32.exe Ibnligoc.exe PID 3336 wrote to memory of 756 3336 Ibnligoc.exe Ifihif32.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\cf58de8add2a20e59f5f4bebca6899f6b347e20ca7982762564e9358a86e596aN.exe"C:\Users\Admin\AppData\Local\Temp\cf58de8add2a20e59f5f4bebca6899f6b347e20ca7982762564e9358a86e596aN.exe"1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:5028 -
C:\Windows\SysWOW64\Hocqam32.exeC:\Windows\system32\Hocqam32.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4200 -
C:\Windows\SysWOW64\Hbbmmi32.exeC:\Windows\system32\Hbbmmi32.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3052 -
C:\Windows\SysWOW64\Hhlejcpm.exeC:\Windows\system32\Hhlejcpm.exe4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:5112 -
C:\Windows\SysWOW64\Hkjafn32.exeC:\Windows\system32\Hkjafn32.exe5⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4480 -
C:\Windows\SysWOW64\Hninbj32.exeC:\Windows\system32\Hninbj32.exe6⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3352 -
C:\Windows\SysWOW64\Iohjlmeg.exeC:\Windows\system32\Iohjlmeg.exe7⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:640 -
C:\Windows\SysWOW64\Inkjhi32.exeC:\Windows\system32\Inkjhi32.exe8⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4796 -
C:\Windows\SysWOW64\Ifbbig32.exeC:\Windows\system32\Ifbbig32.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1648 -
C:\Windows\SysWOW64\Ihqoeb32.exeC:\Windows\system32\Ihqoeb32.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:404 -
C:\Windows\SysWOW64\Igcoqocb.exeC:\Windows\system32\Igcoqocb.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1592 -
C:\Windows\SysWOW64\Iokgal32.exeC:\Windows\system32\Iokgal32.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4388 -
C:\Windows\SysWOW64\Ibicnh32.exeC:\Windows\system32\Ibicnh32.exe13⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4908 -
C:\Windows\SysWOW64\Idgojc32.exeC:\Windows\system32\Idgojc32.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:952 -
C:\Windows\SysWOW64\Igfkfo32.exeC:\Windows\system32\Igfkfo32.exe15⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3472 -
C:\Windows\SysWOW64\Ikaggmii.exeC:\Windows\system32\Ikaggmii.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4128 -
C:\Windows\SysWOW64\Inpccihl.exeC:\Windows\system32\Inpccihl.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2972 -
C:\Windows\SysWOW64\Ifgldfio.exeC:\Windows\system32\Ifgldfio.exe18⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4692 -
C:\Windows\SysWOW64\Iiehpahb.exeC:\Windows\system32\Iiehpahb.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4856 -
C:\Windows\SysWOW64\Ighhln32.exeC:\Windows\system32\Ighhln32.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2664 -
C:\Windows\SysWOW64\Ioopml32.exeC:\Windows\system32\Ioopml32.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5008 -
C:\Windows\SysWOW64\Ibnligoc.exeC:\Windows\system32\Ibnligoc.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3336 -
C:\Windows\SysWOW64\Ifihif32.exeC:\Windows\system32\Ifihif32.exe23⤵
- Executes dropped EXE
PID:756 -
C:\Windows\SysWOW64\Iigdfa32.exeC:\Windows\system32\Iigdfa32.exe24⤵
- Executes dropped EXE
PID:3568 -
C:\Windows\SysWOW64\Ikfabm32.exeC:\Windows\system32\Ikfabm32.exe25⤵
- Executes dropped EXE
PID:3412 -
C:\Windows\SysWOW64\Ioambknl.exeC:\Windows\system32\Ioambknl.exe26⤵
- Executes dropped EXE
PID:2984 -
C:\Windows\SysWOW64\Ibpiogmp.exeC:\Windows\system32\Ibpiogmp.exe27⤵
- Executes dropped EXE
PID:3316 -
C:\Windows\SysWOW64\Ienekbld.exeC:\Windows\system32\Ienekbld.exe28⤵
- Executes dropped EXE
PID:4092 -
C:\Windows\SysWOW64\Igmagnkg.exeC:\Windows\system32\Igmagnkg.exe29⤵
- Executes dropped EXE
PID:1756 -
C:\Windows\SysWOW64\Jodjhkkj.exeC:\Windows\system32\Jodjhkkj.exe30⤵
- Executes dropped EXE
PID:2396 -
C:\Windows\SysWOW64\Jfnbdecg.exeC:\Windows\system32\Jfnbdecg.exe31⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4628 -
C:\Windows\SysWOW64\Jilnqqbj.exeC:\Windows\system32\Jilnqqbj.exe32⤵
- Executes dropped EXE
PID:4552 -
C:\Windows\SysWOW64\Jkkjmlan.exeC:\Windows\system32\Jkkjmlan.exe33⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3856 -
C:\Windows\SysWOW64\Jnifigpa.exeC:\Windows\system32\Jnifigpa.exe34⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1420 -
C:\Windows\SysWOW64\Jfpojead.exeC:\Windows\system32\Jfpojead.exe35⤵
- Executes dropped EXE
PID:4528 -
C:\Windows\SysWOW64\Jiokfpph.exeC:\Windows\system32\Jiokfpph.exe36⤵
- Executes dropped EXE
PID:312 -
C:\Windows\SysWOW64\Jgakbm32.exeC:\Windows\system32\Jgakbm32.exe37⤵
- Modifies registry class
PID:1492 -
C:\Windows\SysWOW64\Joiccj32.exeC:\Windows\system32\Joiccj32.exe38⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2700 -
C:\Windows\SysWOW64\Jbgoof32.exeC:\Windows\system32\Jbgoof32.exe39⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:412 -
C:\Windows\SysWOW64\Jeekkafl.exeC:\Windows\system32\Jeekkafl.exe40⤵
- Executes dropped EXE
PID:1920 -
C:\Windows\SysWOW64\Jgdhgmep.exeC:\Windows\system32\Jgdhgmep.exe41⤵
- Executes dropped EXE
PID:1032 -
C:\Windows\SysWOW64\Jnnpdg32.exeC:\Windows\system32\Jnnpdg32.exe42⤵
- Executes dropped EXE
PID:620 -
C:\Windows\SysWOW64\Jfehed32.exeC:\Windows\system32\Jfehed32.exe43⤵
- Executes dropped EXE
PID:2308 -
C:\Windows\SysWOW64\Jicdap32.exeC:\Windows\system32\Jicdap32.exe44⤵
- Executes dropped EXE
PID:808 -
C:\Windows\SysWOW64\Jkaqnk32.exeC:\Windows\system32\Jkaqnk32.exe45⤵
- Executes dropped EXE
PID:1220 -
C:\Windows\SysWOW64\Jnpmjf32.exeC:\Windows\system32\Jnpmjf32.exe46⤵
- Executes dropped EXE
PID:4076 -
C:\Windows\SysWOW64\Jejefqaf.exeC:\Windows\system32\Jejefqaf.exe47⤵
- Executes dropped EXE
PID:4688 -
C:\Windows\SysWOW64\Jghabl32.exeC:\Windows\system32\Jghabl32.exe48⤵
- Executes dropped EXE
PID:4520 -
C:\Windows\SysWOW64\Kppici32.exeC:\Windows\system32\Kppici32.exe49⤵
- Executes dropped EXE
PID:2576 -
C:\Windows\SysWOW64\Kbnepe32.exeC:\Windows\system32\Kbnepe32.exe50⤵
- Executes dropped EXE
PID:3156 -
C:\Windows\SysWOW64\Kihnmohm.exeC:\Windows\system32\Kihnmohm.exe51⤵
- Executes dropped EXE
PID:3900 -
C:\Windows\SysWOW64\Klfjijgq.exeC:\Windows\system32\Klfjijgq.exe52⤵
- Executes dropped EXE
PID:3832 -
C:\Windows\SysWOW64\Knefeffd.exeC:\Windows\system32\Knefeffd.exe53⤵
- Executes dropped EXE
PID:1012 -
C:\Windows\SysWOW64\Kflnfcgg.exeC:\Windows\system32\Kflnfcgg.exe54⤵
- Executes dropped EXE
PID:948 -
C:\Windows\SysWOW64\Kijjbofj.exeC:\Windows\system32\Kijjbofj.exe55⤵
- Executes dropped EXE
PID:4152 -
C:\Windows\SysWOW64\Klifnj32.exeC:\Windows\system32\Klifnj32.exe56⤵
- Executes dropped EXE
PID:4088 -
C:\Windows\SysWOW64\Kngcje32.exeC:\Windows\system32\Kngcje32.exe57⤵
- Executes dropped EXE
PID:4132 -
C:\Windows\SysWOW64\Kbbokdlk.exeC:\Windows\system32\Kbbokdlk.exe58⤵
- Executes dropped EXE
PID:3984 -
C:\Windows\SysWOW64\Kimghn32.exeC:\Windows\system32\Kimghn32.exe59⤵
- Executes dropped EXE
PID:4440 -
C:\Windows\SysWOW64\Klkcdj32.exeC:\Windows\system32\Klkcdj32.exe60⤵
- Executes dropped EXE
PID:3536 -
C:\Windows\SysWOW64\Knippe32.exeC:\Windows\system32\Knippe32.exe61⤵
- Executes dropped EXE
- Modifies registry class
PID:3232 -
C:\Windows\SysWOW64\Kfqgab32.exeC:\Windows\system32\Kfqgab32.exe62⤵
- Executes dropped EXE
PID:3540 -
C:\Windows\SysWOW64\Khbdikip.exeC:\Windows\system32\Khbdikip.exe63⤵
- Executes dropped EXE
- Modifies registry class
PID:1904 -
C:\Windows\SysWOW64\Kpiljh32.exeC:\Windows\system32\Kpiljh32.exe64⤵
- Executes dropped EXE
PID:3972 -
C:\Windows\SysWOW64\Kbghfc32.exeC:\Windows\system32\Kbghfc32.exe65⤵
- Executes dropped EXE
PID:2960 -
C:\Windows\SysWOW64\Kefdbo32.exeC:\Windows\system32\Kefdbo32.exe66⤵
- Executes dropped EXE
PID:4052 -
C:\Windows\SysWOW64\Lhdqnj32.exeC:\Windows\system32\Lhdqnj32.exe67⤵
- System Location Discovery: System Language Discovery
PID:5128 -
C:\Windows\SysWOW64\Lpkiph32.exeC:\Windows\system32\Lpkiph32.exe68⤵PID:5168
-
C:\Windows\SysWOW64\Lbjelc32.exeC:\Windows\system32\Lbjelc32.exe69⤵PID:5208
-
C:\Windows\SysWOW64\Lehaho32.exeC:\Windows\system32\Lehaho32.exe70⤵
- Drops file in System32 directory
PID:5244 -
C:\Windows\SysWOW64\Lhfmdj32.exeC:\Windows\system32\Lhfmdj32.exe71⤵
- Drops file in System32 directory
PID:5284 -
C:\Windows\SysWOW64\Lpneegel.exeC:\Windows\system32\Lpneegel.exe72⤵PID:5324
-
C:\Windows\SysWOW64\Lblaabdp.exeC:\Windows\system32\Lblaabdp.exe73⤵PID:5364
-
C:\Windows\SysWOW64\Lejnmncd.exeC:\Windows\system32\Lejnmncd.exe74⤵PID:5404
-
C:\Windows\SysWOW64\Lhijijbg.exeC:\Windows\system32\Lhijijbg.exe75⤵
- Modifies registry class
PID:5444 -
C:\Windows\SysWOW64\Lppbkgcj.exeC:\Windows\system32\Lppbkgcj.exe76⤵
- Drops file in System32 directory
PID:5484 -
C:\Windows\SysWOW64\Lbnngbbn.exeC:\Windows\system32\Lbnngbbn.exe77⤵PID:5524
-
C:\Windows\SysWOW64\Lemkcnaa.exeC:\Windows\system32\Lemkcnaa.exe78⤵PID:5564
-
C:\Windows\SysWOW64\Lhkgoiqe.exeC:\Windows\system32\Lhkgoiqe.exe79⤵PID:5604
-
C:\Windows\SysWOW64\Lpbopfag.exeC:\Windows\system32\Lpbopfag.exe80⤵PID:5644
-
C:\Windows\SysWOW64\Lbqklb32.exeC:\Windows\system32\Lbqklb32.exe81⤵PID:5684
-
C:\Windows\SysWOW64\Leoghn32.exeC:\Windows\system32\Leoghn32.exe82⤵PID:5720
-
C:\Windows\SysWOW64\Lhncdi32.exeC:\Windows\system32\Lhncdi32.exe83⤵PID:5764
-
C:\Windows\SysWOW64\Llipehgk.exeC:\Windows\system32\Llipehgk.exe84⤵PID:5800
-
C:\Windows\SysWOW64\Lbchba32.exeC:\Windows\system32\Lbchba32.exe85⤵
- System Location Discovery: System Language Discovery
PID:5844 -
C:\Windows\SysWOW64\Leadnm32.exeC:\Windows\system32\Leadnm32.exe86⤵
- Drops file in System32 directory
PID:5880 -
C:\Windows\SysWOW64\Mhppji32.exeC:\Windows\system32\Mhppji32.exe87⤵PID:5920
-
C:\Windows\SysWOW64\Mojhgbdl.exeC:\Windows\system32\Mojhgbdl.exe88⤵PID:5960
-
C:\Windows\SysWOW64\Mfaqhp32.exeC:\Windows\system32\Mfaqhp32.exe89⤵
- Modifies registry class
PID:6000 -
C:\Windows\SysWOW64\Miomdk32.exeC:\Windows\system32\Miomdk32.exe90⤵PID:6040
-
C:\Windows\SysWOW64\Mlnipg32.exeC:\Windows\system32\Mlnipg32.exe91⤵PID:6080
-
C:\Windows\SysWOW64\Molelb32.exeC:\Windows\system32\Molelb32.exe92⤵
- Drops file in System32 directory
PID:6120 -
C:\Windows\SysWOW64\Mfcmmp32.exeC:\Windows\system32\Mfcmmp32.exe93⤵PID:4436
-
C:\Windows\SysWOW64\Mibijk32.exeC:\Windows\system32\Mibijk32.exe94⤵
- Drops file in System32 directory
PID:2172 -
C:\Windows\SysWOW64\Mlpeff32.exeC:\Windows\system32\Mlpeff32.exe95⤵
- Modifies registry class
PID:1580 -
C:\Windows\SysWOW64\Mbjnbqhp.exeC:\Windows\system32\Mbjnbqhp.exe96⤵PID:3960
-
C:\Windows\SysWOW64\Mffjcopi.exeC:\Windows\system32\Mffjcopi.exe97⤵PID:5088
-
C:\Windows\SysWOW64\Mhgfkg32.exeC:\Windows\system32\Mhgfkg32.exe98⤵
- System Location Discovery: System Language Discovery
PID:4800 -
C:\Windows\SysWOW64\Mpnnle32.exeC:\Windows\system32\Mpnnle32.exe99⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3608 -
C:\Windows\SysWOW64\Mblkhq32.exeC:\Windows\system32\Mblkhq32.exe100⤵PID:2564
-
C:\Windows\SysWOW64\Mekgdl32.exeC:\Windows\system32\Mekgdl32.exe101⤵PID:3668
-
C:\Windows\SysWOW64\Mifcejnj.exeC:\Windows\system32\Mifcejnj.exe102⤵PID:4012
-
C:\Windows\SysWOW64\Mpqkad32.exeC:\Windows\system32\Mpqkad32.exe103⤵
- Drops file in System32 directory
PID:5236 -
C:\Windows\SysWOW64\Mbognp32.exeC:\Windows\system32\Mbognp32.exe104⤵PID:5316
-
C:\Windows\SysWOW64\Nemcjk32.exeC:\Windows\system32\Nemcjk32.exe105⤵PID:5388
-
C:\Windows\SysWOW64\Nhlpfgbb.exeC:\Windows\system32\Nhlpfgbb.exe106⤵PID:5436
-
C:\Windows\SysWOW64\Npchgdcd.exeC:\Windows\system32\Npchgdcd.exe107⤵
- Modifies registry class
PID:5520 -
C:\Windows\SysWOW64\Nbadcpbh.exeC:\Windows\system32\Nbadcpbh.exe108⤵PID:5572
-
C:\Windows\SysWOW64\Neppokal.exeC:\Windows\system32\Neppokal.exe109⤵PID:5632
-
C:\Windows\SysWOW64\Nhnlkfpp.exeC:\Windows\system32\Nhnlkfpp.exe110⤵
- System Location Discovery: System Language Discovery
PID:5728 -
C:\Windows\SysWOW64\Npedmdab.exeC:\Windows\system32\Npedmdab.exe111⤵
- System Location Discovery: System Language Discovery
PID:5784 -
C:\Windows\SysWOW64\Nbcqiope.exeC:\Windows\system32\Nbcqiope.exe112⤵
- Drops file in System32 directory
PID:5864 -
C:\Windows\SysWOW64\Nebmekoi.exeC:\Windows\system32\Nebmekoi.exe113⤵
- Drops file in System32 directory
PID:5916 -
C:\Windows\SysWOW64\Niniei32.exeC:\Windows\system32\Niniei32.exe114⤵PID:5988
-
C:\Windows\SysWOW64\Nlleaeff.exeC:\Windows\system32\Nlleaeff.exe115⤵PID:652
-
C:\Windows\SysWOW64\Ncfmno32.exeC:\Windows\system32\Ncfmno32.exe116⤵
- System Location Discovery: System Language Discovery
PID:6108 -
C:\Windows\SysWOW64\Nedjjj32.exeC:\Windows\system32\Nedjjj32.exe117⤵PID:2276
-
C:\Windows\SysWOW64\Nhbfff32.exeC:\Windows\system32\Nhbfff32.exe118⤵
- System Location Discovery: System Language Discovery
PID:4568 -
C:\Windows\SysWOW64\Npjnhc32.exeC:\Windows\system32\Npjnhc32.exe119⤵PID:4204
-
C:\Windows\SysWOW64\Nchjdo32.exeC:\Windows\system32\Nchjdo32.exe120⤵PID:3956
-
C:\Windows\SysWOW64\Neffpj32.exeC:\Windows\system32\Neffpj32.exe121⤵PID:4548
-
C:\Windows\SysWOW64\Nheble32.exeC:\Windows\system32\Nheble32.exe122⤵
- Drops file in System32 directory
PID:1260
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-