Analysis
-
max time kernel
111s -
max time network
17s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
13-11-2024 16:49
Static task
static1
Behavioral task
behavioral1
Sample
991ffa6db5865f3455fe6a433315bdf837c7bffe9c7dee5ff4cf28e68dec7d6fN.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
991ffa6db5865f3455fe6a433315bdf837c7bffe9c7dee5ff4cf28e68dec7d6fN.exe
Resource
win10v2004-20241007-en
General
-
Target
991ffa6db5865f3455fe6a433315bdf837c7bffe9c7dee5ff4cf28e68dec7d6fN.exe
-
Size
320KB
-
MD5
2174a9c68b5b0338235fa0bbdc74d850
-
SHA1
631102d566de0f1847e4785bb58d21a2631c9430
-
SHA256
991ffa6db5865f3455fe6a433315bdf837c7bffe9c7dee5ff4cf28e68dec7d6f
-
SHA512
ed7d88f9fc6446cbe4406cccfc31fa8fba270a528f7134862a509c4295ba2f17d108857e6b5ff347d766cf4ae63b121e81c0fdb531b6f298aa9d512d4dbcebb2
-
SSDEEP
3072:ek5MgoK/j3/amHy8/41QUUZm8/41QrAoUZ4pWLB51jozFWLBggS2LHqN:ekSgXLvamtZgZ0Wd/OWdPS2L8
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
Processes:
Kglfcd32.exeCenmfbml.exeIocioq32.exeAbgaeddg.exeCcnddg32.exeCojeomee.exeKjhfjpdd.exeKgocid32.exeOjpaeq32.exeNljhhi32.exeBacefpbg.exeBkkioeig.exeBhdjno32.exeCjhckg32.exeEinebddd.exeHnppaill.exeBfmqigba.exeLbojjq32.exeLofkoamf.exeOmqjgl32.exeAalofa32.exeMhalngad.exeAfpapcnc.exeJkcmjpma.exeJipcbidn.exeKbpnkm32.exeNokqidll.exePofldf32.exeAmglgn32.exeAmjiln32.exeJegdgj32.exeKjkbpp32.exeLkmldbcj.exeMcofid32.exeAlaccj32.exeOcfiif32.exeQfikod32.exeFcichb32.exeKepgmh32.exeOgdaod32.exeBphaglgo.exeClfhml32.exeKbkdpnil.exeLlcehg32.exeBdodmlcm.exeMpcgbhig.exeNanfqo32.exeCapdpcge.exeCbjnqh32.exeDklepmal.exeIadbqlmh.exeLlhocfnb.exeLepclldc.exeMaiqfl32.exeObnbpb32.exeFmfalg32.exeHoalia32.exeJmdiahco.exeLidilk32.exedescription ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kglfcd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cenmfbml.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iocioq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Abgaeddg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ccnddg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cojeomee.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kjhfjpdd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kgocid32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ojpaeq32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nljhhi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bacefpbg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bkkioeig.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bhdjno32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cjhckg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Einebddd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hnppaill.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bfmqigba.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lbojjq32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lofkoamf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Omqjgl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aalofa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lbojjq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mhalngad.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Afpapcnc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bhdjno32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jkcmjpma.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jipcbidn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kbpnkm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nokqidll.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pofldf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Amglgn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Amjiln32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jegdgj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kjkbpp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lkmldbcj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mcofid32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Alaccj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ocfiif32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qfikod32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fcichb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kepgmh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ogdaod32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bphaglgo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Clfhml32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fcichb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kbkdpnil.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Llcehg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bdodmlcm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mpcgbhig.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nanfqo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Capdpcge.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cbjnqh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cbjnqh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dklepmal.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iadbqlmh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Llhocfnb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lepclldc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Maiqfl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Obnbpb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fmfalg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hoalia32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jmdiahco.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lidilk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bdodmlcm.exe -
Executes dropped EXE 64 IoCs
Processes:
Bhdjno32.exeCjhckg32.exeCdngip32.exeClkicbfa.exeCojeomee.exeCbjnqh32.exeDfhgggim.exeDkgldm32.exeDnhefh32.exeDklepmal.exeEcgjdong.exeEmpomd32.exeEjcofica.exeEpqgopbi.exeEjfllhao.exeEpcddopf.exeEikimeff.exeEnhaeldn.exeEinebddd.exeFbfjkj32.exeFipbhd32.exeFnmjpk32.exeFcichb32.exeFnogfk32.exeFdlpnamm.exeFmddgg32.exeFhjhdp32.exeFmfalg32.exeGfoeel32.exeGllnnc32.exeHmijajbd.exeHkmjjn32.exeHafbghhj.exeHplphd32.exeHnppaill.exeHoalia32.exeIocioq32.exeIemalkgd.exeIadbqlmh.exeIdbnmgll.exeIfbkgj32.exeIgcgnbim.exeIqllghon.exeIkapdqoc.exeJqnhmgmk.exeJkcmjpma.exeJmdiahco.exeJdlacfca.exeJndflk32.exeJinfli32.exeJipcbidn.exeJcfgoadd.exeJegdgj32.exeKmnlhg32.exeKbkdpnil.exeKeiqlihp.exeKkciic32.exeKigibh32.exeKjhfjpdd.exeKbpnkm32.exeKglfcd32.exeKjkbpp32.exeKepgmh32.exeKgocid32.exepid Process 2696 Bhdjno32.exe 320 Cjhckg32.exe 2208 Cdngip32.exe 2536 Clkicbfa.exe 3060 Cojeomee.exe 2072 Cbjnqh32.exe 804 Dfhgggim.exe 2344 Dkgldm32.exe 2336 Dnhefh32.exe 3068 Dklepmal.exe 324 Ecgjdong.exe 536 Empomd32.exe 2380 Ejcofica.exe 1696 Epqgopbi.exe 1592 Ejfllhao.exe 2432 Epcddopf.exe 2220 Eikimeff.exe 1848 Enhaeldn.exe 268 Einebddd.exe 2436 Fbfjkj32.exe 1952 Fipbhd32.exe 1268 Fnmjpk32.exe 3004 Fcichb32.exe 2960 Fnogfk32.exe 2684 Fdlpnamm.exe 2548 Fmddgg32.exe 2356 Fhjhdp32.exe 2912 Fmfalg32.exe 2720 Gfoeel32.exe 2616 Gllnnc32.exe 2840 Hmijajbd.exe 1332 Hkmjjn32.exe 2520 Hafbghhj.exe 2340 Hplphd32.exe 2580 Hnppaill.exe 2856 Hoalia32.exe 2636 Iocioq32.exe 2880 Iemalkgd.exe 2100 Iadbqlmh.exe 3016 Idbnmgll.exe 2152 Ifbkgj32.exe 2324 Igcgnbim.exe 1352 Iqllghon.exe 2036 Ikapdqoc.exe 2476 Jqnhmgmk.exe 2312 Jkcmjpma.exe 336 Jmdiahco.exe 956 Jdlacfca.exe 884 Jndflk32.exe 2748 Jinfli32.exe 1524 Jipcbidn.exe 2768 Jcfgoadd.exe 1284 Jegdgj32.exe 300 Kmnlhg32.exe 2708 Kbkdpnil.exe 2212 Keiqlihp.exe 1780 Kkciic32.exe 1068 Kigibh32.exe 2808 Kjhfjpdd.exe 2128 Kbpnkm32.exe 2272 Kglfcd32.exe 2864 Kjkbpp32.exe 1624 Kepgmh32.exe 2512 Kgocid32.exe -
Loads dropped DLL 64 IoCs
Processes:
991ffa6db5865f3455fe6a433315bdf837c7bffe9c7dee5ff4cf28e68dec7d6fN.exeBhdjno32.exeCjhckg32.exeCdngip32.exeClkicbfa.exeCojeomee.exeCbjnqh32.exeDfhgggim.exeDkgldm32.exeDnhefh32.exeDklepmal.exeEcgjdong.exeEmpomd32.exeEjcofica.exeEpqgopbi.exeEjfllhao.exeEpcddopf.exeEikimeff.exeEnhaeldn.exeEinebddd.exeFbfjkj32.exeFipbhd32.exeFnmjpk32.exeFcichb32.exeFnogfk32.exeFdlpnamm.exeFmddgg32.exeFhjhdp32.exeFmfalg32.exeGfoeel32.exeGllnnc32.exeHmijajbd.exepid Process 2180 991ffa6db5865f3455fe6a433315bdf837c7bffe9c7dee5ff4cf28e68dec7d6fN.exe 2180 991ffa6db5865f3455fe6a433315bdf837c7bffe9c7dee5ff4cf28e68dec7d6fN.exe 2696 Bhdjno32.exe 2696 Bhdjno32.exe 320 Cjhckg32.exe 320 Cjhckg32.exe 2208 Cdngip32.exe 2208 Cdngip32.exe 2536 Clkicbfa.exe 2536 Clkicbfa.exe 3060 Cojeomee.exe 3060 Cojeomee.exe 2072 Cbjnqh32.exe 2072 Cbjnqh32.exe 804 Dfhgggim.exe 804 Dfhgggim.exe 2344 Dkgldm32.exe 2344 Dkgldm32.exe 2336 Dnhefh32.exe 2336 Dnhefh32.exe 3068 Dklepmal.exe 3068 Dklepmal.exe 324 Ecgjdong.exe 324 Ecgjdong.exe 536 Empomd32.exe 536 Empomd32.exe 2380 Ejcofica.exe 2380 Ejcofica.exe 1696 Epqgopbi.exe 1696 Epqgopbi.exe 1592 Ejfllhao.exe 1592 Ejfllhao.exe 2432 Epcddopf.exe 2432 Epcddopf.exe 2220 Eikimeff.exe 2220 Eikimeff.exe 1848 Enhaeldn.exe 1848 Enhaeldn.exe 268 Einebddd.exe 268 Einebddd.exe 2436 Fbfjkj32.exe 2436 Fbfjkj32.exe 1952 Fipbhd32.exe 1952 Fipbhd32.exe 1268 Fnmjpk32.exe 1268 Fnmjpk32.exe 3004 Fcichb32.exe 3004 Fcichb32.exe 2960 Fnogfk32.exe 2960 Fnogfk32.exe 2684 Fdlpnamm.exe 2684 Fdlpnamm.exe 2548 Fmddgg32.exe 2548 Fmddgg32.exe 2356 Fhjhdp32.exe 2356 Fhjhdp32.exe 2912 Fmfalg32.exe 2912 Fmfalg32.exe 2720 Gfoeel32.exe 2720 Gfoeel32.exe 2616 Gllnnc32.exe 2616 Gllnnc32.exe 2840 Hmijajbd.exe 2840 Hmijajbd.exe -
Drops file in System32 directory 64 IoCs
Processes:
Pbpoebgc.exePioamlkk.exeCdngip32.exeEmpomd32.exeEnhaeldn.exeFipbhd32.exeMcofid32.exeBdodmlcm.exeIemalkgd.exeKepgmh32.exeLenffl32.exeAlofnj32.exeMaiqfl32.exeOmqjgl32.exeKbpnkm32.exeLkmldbcj.exeNepokogo.exeBlobmm32.exePkojoghl.exeAmjiln32.exeCjhckg32.exeLaidgi32.exeLlebnfpe.exePodpoffm.exeHmijajbd.exeHplphd32.exeKjkbpp32.exeMokdja32.exeCggcofkf.exeChhpgn32.exeCenmfbml.exeCbjnqh32.exeDkgldm32.exeFbfjkj32.exeBiccfalm.exePofldf32.exeBpmkbl32.exeFnogfk32.exeFdlpnamm.exeHkmjjn32.exeLlcehg32.exeLbmnea32.exeFcichb32.exePijgbl32.exePgodcich.exeJipcbidn.exeKaggbihl.exeFnmjpk32.exeNlanhh32.exeCapdpcge.exeJdlacfca.exeNokqidll.exeOjpaeq32.exeObnbpb32.exeBdcnhk32.exedescription ioc Process File created C:\Windows\SysWOW64\Facqnfnm.dll Pbpoebgc.exe File created C:\Windows\SysWOW64\Pjpmdd32.exe Pioamlkk.exe File opened for modification C:\Windows\SysWOW64\Clkicbfa.exe Cdngip32.exe File created C:\Windows\SysWOW64\Gkbokl32.dll Empomd32.exe File created C:\Windows\SysWOW64\Einebddd.exe Enhaeldn.exe File opened for modification C:\Windows\SysWOW64\Fnmjpk32.exe Fipbhd32.exe File created C:\Windows\SysWOW64\Lgnmdf32.dll Mcofid32.exe File created C:\Windows\SysWOW64\Nalmek32.dll Bdodmlcm.exe File created C:\Windows\SysWOW64\Ihpfbd32.dll Cdngip32.exe File created C:\Windows\SysWOW64\Iadbqlmh.exe Iemalkgd.exe File created C:\Windows\SysWOW64\Dplclg32.dll Kepgmh32.exe File opened for modification C:\Windows\SysWOW64\Llhocfnb.exe Lenffl32.exe File opened for modification C:\Windows\SysWOW64\Abinjdad.exe Alofnj32.exe File opened for modification C:\Windows\SysWOW64\Mdgmbhgh.exe Maiqfl32.exe File created C:\Windows\SysWOW64\Oqlfhjch.exe Omqjgl32.exe File created C:\Windows\SysWOW64\Kglfcd32.exe Kbpnkm32.exe File created C:\Windows\SysWOW64\Jmnpoagb.dll Lkmldbcj.exe File opened for modification C:\Windows\SysWOW64\Nljhhi32.exe Nepokogo.exe File opened for modification C:\Windows\SysWOW64\Bgdfjfmi.exe Blobmm32.exe File opened for modification C:\Windows\SysWOW64\Pnnfkb32.exe Pkojoghl.exe File opened for modification C:\Windows\SysWOW64\Ankedf32.exe Amjiln32.exe File created C:\Windows\SysWOW64\Cdngip32.exe Cjhckg32.exe File created C:\Windows\SysWOW64\Lbkaoalg.exe Laidgi32.exe File opened for modification C:\Windows\SysWOW64\Lbojjq32.exe Llebnfpe.exe File created C:\Windows\SysWOW64\Egqcce32.dll Lenffl32.exe File created C:\Windows\SysWOW64\Pfnhkq32.exe Podpoffm.exe File created C:\Windows\SysWOW64\Jjejnabb.dll Hmijajbd.exe File opened for modification C:\Windows\SysWOW64\Hnppaill.exe Hplphd32.exe File opened for modification C:\Windows\SysWOW64\Kepgmh32.exe Kjkbpp32.exe File created C:\Windows\SysWOW64\Maiqfl32.exe Mokdja32.exe File opened for modification C:\Windows\SysWOW64\Ciepkajj.exe Cggcofkf.exe File opened for modification C:\Windows\SysWOW64\Ccnddg32.exe Chhpgn32.exe File created C:\Windows\SysWOW64\Niienepq.dll Cenmfbml.exe File created C:\Windows\SysWOW64\Qgfhapbi.dll Cbjnqh32.exe File created C:\Windows\SysWOW64\Dnhefh32.exe Dkgldm32.exe File created C:\Windows\SysWOW64\Fipbhd32.exe Fbfjkj32.exe File opened for modification C:\Windows\SysWOW64\Fipbhd32.exe Fbfjkj32.exe File created C:\Windows\SysWOW64\Hjnhlm32.dll Biccfalm.exe File created C:\Windows\SysWOW64\Pecelm32.exe Pofldf32.exe File created C:\Windows\SysWOW64\Dcigjjli.dll Alofnj32.exe File created C:\Windows\SysWOW64\Cggcofkf.exe Bpmkbl32.exe File opened for modification C:\Windows\SysWOW64\Fdlpnamm.exe Fnogfk32.exe File created C:\Windows\SysWOW64\Fmddgg32.exe Fdlpnamm.exe File opened for modification C:\Windows\SysWOW64\Hafbghhj.exe Hkmjjn32.exe File created C:\Windows\SysWOW64\Lbmnea32.exe Llcehg32.exe File created C:\Windows\SysWOW64\Mknlhcol.dll Lbmnea32.exe File created C:\Windows\SysWOW64\Acjpkfcf.dll Fipbhd32.exe File created C:\Windows\SysWOW64\Oaqejn32.dll Fcichb32.exe File created C:\Windows\SysWOW64\Pdkiinlj.dll Pijgbl32.exe File opened for modification C:\Windows\SysWOW64\Pofldf32.exe Pgodcich.exe File created C:\Windows\SysWOW64\Fnmjpk32.exe Fipbhd32.exe File opened for modification C:\Windows\SysWOW64\Jcfgoadd.exe Jipcbidn.exe File created C:\Windows\SysWOW64\Lhapocoi.exe Kaggbihl.exe File opened for modification C:\Windows\SysWOW64\Pecelm32.exe Pofldf32.exe File opened for modification C:\Windows\SysWOW64\Ejcofica.exe Empomd32.exe File opened for modification C:\Windows\SysWOW64\Fcichb32.exe Fnmjpk32.exe File created C:\Windows\SysWOW64\Nnbjpqoa.exe Nlanhh32.exe File created C:\Windows\SysWOW64\Nohefjhb.dll Pioamlkk.exe File created C:\Windows\SysWOW64\Hjlkkhne.dll Capdpcge.exe File opened for modification C:\Windows\SysWOW64\Jndflk32.exe Jdlacfca.exe File created C:\Windows\SysWOW64\Qhnmei32.dll Nokqidll.exe File created C:\Windows\SysWOW64\Mcoomf32.dll Ojpaeq32.exe File created C:\Windows\SysWOW64\Enihha32.dll Obnbpb32.exe File opened for modification C:\Windows\SysWOW64\Bknfeege.exe Bdcnhk32.exe -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
Ciepkajj.exeChhpgn32.exeIfbkgj32.exePjpmdd32.exePeeabm32.exeNhcebj32.exePbpoebgc.exeAbbhje32.exeBfmqigba.exeBacefpbg.exeCdngip32.exeFmddgg32.exeHmijajbd.exeIadbqlmh.exeMkdbea32.exeCoindgbi.exeMcofid32.exeOpccallb.exeOabplobe.exeOjpaeq32.exePfnhkq32.exeCbjnqh32.exeHafbghhj.exeKkciic32.exeQpaohjkk.exeChofhm32.exeBknfeege.exeCenmfbml.exeMdlfngcc.exeNhqhmj32.exeBdodmlcm.exeLbmnea32.exeOqlfhjch.exeDnhefh32.exeJcfgoadd.exeKigibh32.exeNoagjc32.exeJmdiahco.exeLhapocoi.exeLlhocfnb.exeApfici32.exeBmelpa32.exeKgocid32.exeLkmldbcj.exePioamlkk.exeKaggbihl.exeCkkenikc.exeBhdjno32.exeDklepmal.exeIocioq32.exePijgbl32.exeAmjiln32.exeBdaabk32.exeBphaglgo.exeFdlpnamm.exeJinfli32.exeLenffl32.exePkhdnh32.exePgodcich.exeBgdfjfmi.exeHkmjjn32.exeIqllghon.exeNepokogo.exeNgoleb32.exedescription ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ciepkajj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Chhpgn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ifbkgj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pjpmdd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Peeabm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nhcebj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pbpoebgc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Abbhje32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bfmqigba.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bacefpbg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cdngip32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fmddgg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hmijajbd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iadbqlmh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mkdbea32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Coindgbi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mcofid32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Opccallb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oabplobe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ojpaeq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pfnhkq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cbjnqh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hafbghhj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kkciic32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qpaohjkk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Chofhm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bknfeege.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cenmfbml.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mdlfngcc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nhqhmj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bdodmlcm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lbmnea32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oqlfhjch.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dnhefh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jcfgoadd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kigibh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Noagjc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jmdiahco.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lhapocoi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Llhocfnb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Apfici32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bmelpa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kgocid32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lkmldbcj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pioamlkk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kaggbihl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ckkenikc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bhdjno32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dklepmal.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iocioq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pijgbl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Amjiln32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bdaabk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bphaglgo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fdlpnamm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jinfli32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lenffl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pkhdnh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pgodcich.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bgdfjfmi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hkmjjn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iqllghon.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nepokogo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ngoleb32.exe -
Modifies registry class 64 IoCs
Processes:
Mgfiocfl.exeCdamao32.exe991ffa6db5865f3455fe6a433315bdf837c7bffe9c7dee5ff4cf28e68dec7d6fN.exeLbkaoalg.exeOpccallb.exeOjkhjabc.exePoacighp.exeBkkioeig.exeBphaglgo.exeJndflk32.exeLhapocoi.exeMhalngad.exeMdoccg32.exeFipbhd32.exeNhcebj32.exeAbbhje32.exeFmfalg32.exeJdlacfca.exeLkmldbcj.exeJcfgoadd.exeJegdgj32.exeCiepkajj.exeKaggbihl.exeOqjibkek.exePijgbl32.exeQpaohjkk.exeCggcofkf.exeCkkenikc.exeBmelpa32.exeEpcddopf.exeHoalia32.exeKgocid32.exeIemalkgd.exeIfbkgj32.exeKglfcd32.exeAnkedf32.exeCbjnqh32.exeIqllghon.exeLaidgi32.exeOqlfhjch.exePmcgmkil.exePbpoebgc.exeGfoeel32.exeAlofnj32.exeJmdiahco.exeLjplkonl.exePeeabm32.exeCojeomee.exeIgcgnbim.exeFdlpnamm.exeFhjhdp32.exeKjkbpp32.exeAmjiln32.exeHplphd32.exeLlcehg32.exeNokqidll.exeCkiiiine.exedescription ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mgfiocfl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cdamao32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node 991ffa6db5865f3455fe6a433315bdf837c7bffe9c7dee5ff4cf28e68dec7d6fN.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lbkaoalg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Opccallb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hmhonm32.dll" Ojkhjabc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gdnipekj.dll" Poacighp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qamnbhdj.dll" Bkkioeig.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bphaglgo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jndflk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lhapocoi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mhalngad.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mdoccg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" 991ffa6db5865f3455fe6a433315bdf837c7bffe9c7dee5ff4cf28e68dec7d6fN.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Acjpkfcf.dll" Fipbhd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mdoccg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iinalc32.dll" Nhcebj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Abbhje32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ahnapmie.dll" Fmfalg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fhfbabeh.dll" Jdlacfca.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lkmldbcj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dmhpkkdp.dll" Jcfgoadd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jegdgj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eajkip32.dll" Ciepkajj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bkghniol.dll" Kaggbihl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mafalppn.dll" Oqjibkek.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdkiinlj.dll" Pijgbl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qpaohjkk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cggcofkf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Khpbbn32.dll" Ckkenikc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Opccallb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bmelpa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Epcddopf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mfnfdm32.dll" Hoalia32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jdlacfca.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kgocid32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Iemalkgd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ifbkgj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qmpebb32.dll" Kglfcd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lecaooal.dll" Ankedf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cbjnqh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Idlmjnop.dll" Iqllghon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kaggbihl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Laidgi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Oqlfhjch.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hcedgp32.dll" Pmcgmkil.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Facqnfnm.dll" Pbpoebgc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gfoeel32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Alofnj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jmdiahco.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cnkgnb32.dll" Ljplkonl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Peeabm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cojeomee.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Igcgnbim.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fdlpnamm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mlnbgj32.dll" Fhjhdp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lmlepi32.dll" Kjkbpp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fgielf32.dll" Qpaohjkk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Amjiln32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hplphd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Llcehg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qhnmei32.dll" Nokqidll.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Llpaflnl.dll" Bmelpa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ckiiiine.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
991ffa6db5865f3455fe6a433315bdf837c7bffe9c7dee5ff4cf28e68dec7d6fN.exeBhdjno32.exeCjhckg32.exeCdngip32.exeClkicbfa.exeCojeomee.exeCbjnqh32.exeDfhgggim.exeDkgldm32.exeDnhefh32.exeDklepmal.exeEcgjdong.exeEmpomd32.exeEjcofica.exeEpqgopbi.exeEjfllhao.exedescription pid Process procid_target PID 2180 wrote to memory of 2696 2180 991ffa6db5865f3455fe6a433315bdf837c7bffe9c7dee5ff4cf28e68dec7d6fN.exe 30 PID 2180 wrote to memory of 2696 2180 991ffa6db5865f3455fe6a433315bdf837c7bffe9c7dee5ff4cf28e68dec7d6fN.exe 30 PID 2180 wrote to memory of 2696 2180 991ffa6db5865f3455fe6a433315bdf837c7bffe9c7dee5ff4cf28e68dec7d6fN.exe 30 PID 2180 wrote to memory of 2696 2180 991ffa6db5865f3455fe6a433315bdf837c7bffe9c7dee5ff4cf28e68dec7d6fN.exe 30 PID 2696 wrote to memory of 320 2696 Bhdjno32.exe 31 PID 2696 wrote to memory of 320 2696 Bhdjno32.exe 31 PID 2696 wrote to memory of 320 2696 Bhdjno32.exe 31 PID 2696 wrote to memory of 320 2696 Bhdjno32.exe 31 PID 320 wrote to memory of 2208 320 Cjhckg32.exe 32 PID 320 wrote to memory of 2208 320 Cjhckg32.exe 32 PID 320 wrote to memory of 2208 320 Cjhckg32.exe 32 PID 320 wrote to memory of 2208 320 Cjhckg32.exe 32 PID 2208 wrote to memory of 2536 2208 Cdngip32.exe 33 PID 2208 wrote to memory of 2536 2208 Cdngip32.exe 33 PID 2208 wrote to memory of 2536 2208 Cdngip32.exe 33 PID 2208 wrote to memory of 2536 2208 Cdngip32.exe 33 PID 2536 wrote to memory of 3060 2536 Clkicbfa.exe 34 PID 2536 wrote to memory of 3060 2536 Clkicbfa.exe 34 PID 2536 wrote to memory of 3060 2536 Clkicbfa.exe 34 PID 2536 wrote to memory of 3060 2536 Clkicbfa.exe 34 PID 3060 wrote to memory of 2072 3060 Cojeomee.exe 35 PID 3060 wrote to memory of 2072 3060 Cojeomee.exe 35 PID 3060 wrote to memory of 2072 3060 Cojeomee.exe 35 PID 3060 wrote to memory of 2072 3060 Cojeomee.exe 35 PID 2072 wrote to memory of 804 2072 Cbjnqh32.exe 36 PID 2072 wrote to memory of 804 2072 Cbjnqh32.exe 36 PID 2072 wrote to memory of 804 2072 Cbjnqh32.exe 36 PID 2072 wrote to memory of 804 2072 Cbjnqh32.exe 36 PID 804 wrote to memory of 2344 804 Dfhgggim.exe 37 PID 804 wrote to memory of 2344 804 Dfhgggim.exe 37 PID 804 wrote to memory of 2344 804 Dfhgggim.exe 37 PID 804 wrote to memory of 2344 804 Dfhgggim.exe 37 PID 2344 wrote to memory of 2336 2344 Dkgldm32.exe 38 PID 2344 wrote to memory of 2336 2344 Dkgldm32.exe 38 PID 2344 wrote to memory of 2336 2344 Dkgldm32.exe 38 PID 2344 wrote to memory of 2336 2344 Dkgldm32.exe 38 PID 2336 wrote to memory of 3068 2336 Dnhefh32.exe 39 PID 2336 wrote to memory of 3068 2336 Dnhefh32.exe 39 PID 2336 wrote to memory of 3068 2336 Dnhefh32.exe 39 PID 2336 wrote to memory of 3068 2336 Dnhefh32.exe 39 PID 3068 wrote to memory of 324 3068 Dklepmal.exe 40 PID 3068 wrote to memory of 324 3068 Dklepmal.exe 40 PID 3068 wrote to memory of 324 3068 Dklepmal.exe 40 PID 3068 wrote to memory of 324 3068 Dklepmal.exe 40 PID 324 wrote to memory of 536 324 Ecgjdong.exe 41 PID 324 wrote to memory of 536 324 Ecgjdong.exe 41 PID 324 wrote to memory of 536 324 Ecgjdong.exe 41 PID 324 wrote to memory of 536 324 Ecgjdong.exe 41 PID 536 wrote to memory of 2380 536 Empomd32.exe 42 PID 536 wrote to memory of 2380 536 Empomd32.exe 42 PID 536 wrote to memory of 2380 536 Empomd32.exe 42 PID 536 wrote to memory of 2380 536 Empomd32.exe 42 PID 2380 wrote to memory of 1696 2380 Ejcofica.exe 43 PID 2380 wrote to memory of 1696 2380 Ejcofica.exe 43 PID 2380 wrote to memory of 1696 2380 Ejcofica.exe 43 PID 2380 wrote to memory of 1696 2380 Ejcofica.exe 43 PID 1696 wrote to memory of 1592 1696 Epqgopbi.exe 44 PID 1696 wrote to memory of 1592 1696 Epqgopbi.exe 44 PID 1696 wrote to memory of 1592 1696 Epqgopbi.exe 44 PID 1696 wrote to memory of 1592 1696 Epqgopbi.exe 44 PID 1592 wrote to memory of 2432 1592 Ejfllhao.exe 45 PID 1592 wrote to memory of 2432 1592 Ejfllhao.exe 45 PID 1592 wrote to memory of 2432 1592 Ejfllhao.exe 45 PID 1592 wrote to memory of 2432 1592 Ejfllhao.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\991ffa6db5865f3455fe6a433315bdf837c7bffe9c7dee5ff4cf28e68dec7d6fN.exe"C:\Users\Admin\AppData\Local\Temp\991ffa6db5865f3455fe6a433315bdf837c7bffe9c7dee5ff4cf28e68dec7d6fN.exe"1⤵
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2180 -
C:\Windows\SysWOW64\Bhdjno32.exeC:\Windows\system32\Bhdjno32.exe2⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2696 -
C:\Windows\SysWOW64\Cjhckg32.exeC:\Windows\system32\Cjhckg32.exe3⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:320 -
C:\Windows\SysWOW64\Cdngip32.exeC:\Windows\system32\Cdngip32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2208 -
C:\Windows\SysWOW64\Clkicbfa.exeC:\Windows\system32\Clkicbfa.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2536 -
C:\Windows\SysWOW64\Cojeomee.exeC:\Windows\system32\Cojeomee.exe6⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3060 -
C:\Windows\SysWOW64\Cbjnqh32.exeC:\Windows\system32\Cbjnqh32.exe7⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2072 -
C:\Windows\SysWOW64\Dfhgggim.exeC:\Windows\system32\Dfhgggim.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:804 -
C:\Windows\SysWOW64\Dkgldm32.exeC:\Windows\system32\Dkgldm32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2344 -
C:\Windows\SysWOW64\Dnhefh32.exeC:\Windows\system32\Dnhefh32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2336 -
C:\Windows\SysWOW64\Dklepmal.exeC:\Windows\system32\Dklepmal.exe11⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3068 -
C:\Windows\SysWOW64\Ecgjdong.exeC:\Windows\system32\Ecgjdong.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:324 -
C:\Windows\SysWOW64\Empomd32.exeC:\Windows\system32\Empomd32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:536 -
C:\Windows\SysWOW64\Ejcofica.exeC:\Windows\system32\Ejcofica.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2380 -
C:\Windows\SysWOW64\Epqgopbi.exeC:\Windows\system32\Epqgopbi.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1696 -
C:\Windows\SysWOW64\Ejfllhao.exeC:\Windows\system32\Ejfllhao.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1592 -
C:\Windows\SysWOW64\Epcddopf.exeC:\Windows\system32\Epcddopf.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2432 -
C:\Windows\SysWOW64\Eikimeff.exeC:\Windows\system32\Eikimeff.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2220 -
C:\Windows\SysWOW64\Enhaeldn.exeC:\Windows\system32\Enhaeldn.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1848 -
C:\Windows\SysWOW64\Einebddd.exeC:\Windows\system32\Einebddd.exe20⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:268 -
C:\Windows\SysWOW64\Fbfjkj32.exeC:\Windows\system32\Fbfjkj32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2436 -
C:\Windows\SysWOW64\Fipbhd32.exeC:\Windows\system32\Fipbhd32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:1952 -
C:\Windows\SysWOW64\Fnmjpk32.exeC:\Windows\system32\Fnmjpk32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1268 -
C:\Windows\SysWOW64\Fcichb32.exeC:\Windows\system32\Fcichb32.exe24⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:3004 -
C:\Windows\SysWOW64\Fnogfk32.exeC:\Windows\system32\Fnogfk32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2960 -
C:\Windows\SysWOW64\Fdlpnamm.exeC:\Windows\system32\Fdlpnamm.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2684 -
C:\Windows\SysWOW64\Fmddgg32.exeC:\Windows\system32\Fmddgg32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2548 -
C:\Windows\SysWOW64\Fhjhdp32.exeC:\Windows\system32\Fhjhdp32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2356 -
C:\Windows\SysWOW64\Fmfalg32.exeC:\Windows\system32\Fmfalg32.exe29⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2912 -
C:\Windows\SysWOW64\Gfoeel32.exeC:\Windows\system32\Gfoeel32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2720 -
C:\Windows\SysWOW64\Gllnnc32.exeC:\Windows\system32\Gllnnc32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2616 -
C:\Windows\SysWOW64\Hmijajbd.exeC:\Windows\system32\Hmijajbd.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2840 -
C:\Windows\SysWOW64\Hkmjjn32.exeC:\Windows\system32\Hkmjjn32.exe33⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1332 -
C:\Windows\SysWOW64\Hafbghhj.exeC:\Windows\system32\Hafbghhj.exe34⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2520 -
C:\Windows\SysWOW64\Hplphd32.exeC:\Windows\system32\Hplphd32.exe35⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2340 -
C:\Windows\SysWOW64\Hnppaill.exeC:\Windows\system32\Hnppaill.exe36⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2580 -
C:\Windows\SysWOW64\Hoalia32.exeC:\Windows\system32\Hoalia32.exe37⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:2856 -
C:\Windows\SysWOW64\Iocioq32.exeC:\Windows\system32\Iocioq32.exe38⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2636 -
C:\Windows\SysWOW64\Iemalkgd.exeC:\Windows\system32\Iemalkgd.exe39⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2880 -
C:\Windows\SysWOW64\Iadbqlmh.exeC:\Windows\system32\Iadbqlmh.exe40⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2100 -
C:\Windows\SysWOW64\Idbnmgll.exeC:\Windows\system32\Idbnmgll.exe41⤵
- Executes dropped EXE
PID:3016 -
C:\Windows\SysWOW64\Ifbkgj32.exeC:\Windows\system32\Ifbkgj32.exe42⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2152 -
C:\Windows\SysWOW64\Igcgnbim.exeC:\Windows\system32\Igcgnbim.exe43⤵
- Executes dropped EXE
- Modifies registry class
PID:2324 -
C:\Windows\SysWOW64\Iqllghon.exeC:\Windows\system32\Iqllghon.exe44⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1352 -
C:\Windows\SysWOW64\Ikapdqoc.exeC:\Windows\system32\Ikapdqoc.exe45⤵
- Executes dropped EXE
PID:2036 -
C:\Windows\SysWOW64\Jqnhmgmk.exeC:\Windows\system32\Jqnhmgmk.exe46⤵
- Executes dropped EXE
PID:2476 -
C:\Windows\SysWOW64\Jkcmjpma.exeC:\Windows\system32\Jkcmjpma.exe47⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2312 -
C:\Windows\SysWOW64\Jmdiahco.exeC:\Windows\system32\Jmdiahco.exe48⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:336 -
C:\Windows\SysWOW64\Jdlacfca.exeC:\Windows\system32\Jdlacfca.exe49⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:956 -
C:\Windows\SysWOW64\Jndflk32.exeC:\Windows\system32\Jndflk32.exe50⤵
- Executes dropped EXE
- Modifies registry class
PID:884 -
C:\Windows\SysWOW64\Jinfli32.exeC:\Windows\system32\Jinfli32.exe51⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2748 -
C:\Windows\SysWOW64\Jipcbidn.exeC:\Windows\system32\Jipcbidn.exe52⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:1524 -
C:\Windows\SysWOW64\Jcfgoadd.exeC:\Windows\system32\Jcfgoadd.exe53⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2768 -
C:\Windows\SysWOW64\Jegdgj32.exeC:\Windows\system32\Jegdgj32.exe54⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:1284 -
C:\Windows\SysWOW64\Kmnlhg32.exeC:\Windows\system32\Kmnlhg32.exe55⤵
- Executes dropped EXE
PID:300 -
C:\Windows\SysWOW64\Kbkdpnil.exeC:\Windows\system32\Kbkdpnil.exe56⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2708 -
C:\Windows\SysWOW64\Keiqlihp.exeC:\Windows\system32\Keiqlihp.exe57⤵
- Executes dropped EXE
PID:2212 -
C:\Windows\SysWOW64\Kkciic32.exeC:\Windows\system32\Kkciic32.exe58⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1780 -
C:\Windows\SysWOW64\Kigibh32.exeC:\Windows\system32\Kigibh32.exe59⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1068 -
C:\Windows\SysWOW64\Kjhfjpdd.exeC:\Windows\system32\Kjhfjpdd.exe60⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2808 -
C:\Windows\SysWOW64\Kbpnkm32.exeC:\Windows\system32\Kbpnkm32.exe61⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2128 -
C:\Windows\SysWOW64\Kglfcd32.exeC:\Windows\system32\Kglfcd32.exe62⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:2272 -
C:\Windows\SysWOW64\Kjkbpp32.exeC:\Windows\system32\Kjkbpp32.exe63⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2864 -
C:\Windows\SysWOW64\Kepgmh32.exeC:\Windows\system32\Kepgmh32.exe64⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:1624 -
C:\Windows\SysWOW64\Kgocid32.exeC:\Windows\system32\Kgocid32.exe65⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2512 -
C:\Windows\SysWOW64\Knikfnih.exeC:\Windows\system32\Knikfnih.exe66⤵PID:2296
-
C:\Windows\SysWOW64\Kaggbihl.exeC:\Windows\system32\Kaggbihl.exe67⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1552 -
C:\Windows\SysWOW64\Lhapocoi.exeC:\Windows\system32\Lhapocoi.exe68⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1040 -
C:\Windows\SysWOW64\Ljplkonl.exeC:\Windows\system32\Ljplkonl.exe69⤵
- Modifies registry class
PID:2752 -
C:\Windows\SysWOW64\Laidgi32.exeC:\Windows\system32\Laidgi32.exe70⤵
- Drops file in System32 directory
- Modifies registry class
PID:2756 -
C:\Windows\SysWOW64\Lbkaoalg.exeC:\Windows\system32\Lbkaoalg.exe71⤵
- Modifies registry class
PID:3024 -
C:\Windows\SysWOW64\Lidilk32.exeC:\Windows\system32\Lidilk32.exe72⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2444 -
C:\Windows\SysWOW64\Llcehg32.exeC:\Windows\system32\Llcehg32.exe73⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:1784 -
C:\Windows\SysWOW64\Lbmnea32.exeC:\Windows\system32\Lbmnea32.exe74⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2692 -
C:\Windows\SysWOW64\Lfhiepbn.exeC:\Windows\system32\Lfhiepbn.exe75⤵PID:528
-
C:\Windows\SysWOW64\Llebnfpe.exeC:\Windows\system32\Llebnfpe.exe76⤵
- Drops file in System32 directory
PID:2080 -
C:\Windows\SysWOW64\Lbojjq32.exeC:\Windows\system32\Lbojjq32.exe77⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2908 -
C:\Windows\SysWOW64\Lenffl32.exeC:\Windows\system32\Lenffl32.exe78⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2320 -
C:\Windows\SysWOW64\Llhocfnb.exeC:\Windows\system32\Llhocfnb.exe79⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:3040 -
C:\Windows\SysWOW64\Lofkoamf.exeC:\Windows\system32\Lofkoamf.exe80⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2132 -
C:\Windows\SysWOW64\Lepclldc.exeC:\Windows\system32\Lepclldc.exe81⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2200 -
C:\Windows\SysWOW64\Lkmldbcj.exeC:\Windows\system32\Lkmldbcj.exe82⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1924 -
C:\Windows\SysWOW64\Mebpakbq.exeC:\Windows\system32\Mebpakbq.exe83⤵PID:2024
-
C:\Windows\SysWOW64\Mhalngad.exeC:\Windows\system32\Mhalngad.exe84⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2276 -
C:\Windows\SysWOW64\Mokdja32.exeC:\Windows\system32\Mokdja32.exe85⤵
- Drops file in System32 directory
PID:556 -
C:\Windows\SysWOW64\Maiqfl32.exeC:\Windows\system32\Maiqfl32.exe86⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2452 -
C:\Windows\SysWOW64\Mdgmbhgh.exeC:\Windows\system32\Mdgmbhgh.exe87⤵PID:1628
-
C:\Windows\SysWOW64\Mgfiocfl.exeC:\Windows\system32\Mgfiocfl.exe88⤵
- Modifies registry class
PID:2956 -
C:\Windows\SysWOW64\Mmpakm32.exeC:\Windows\system32\Mmpakm32.exe89⤵PID:1164
-
C:\Windows\SysWOW64\Mdjihgef.exeC:\Windows\system32\Mdjihgef.exe90⤵PID:2732
-
C:\Windows\SysWOW64\Mkdbea32.exeC:\Windows\system32\Mkdbea32.exe91⤵
- System Location Discovery: System Language Discovery
PID:2984 -
C:\Windows\SysWOW64\Migbpocm.exeC:\Windows\system32\Migbpocm.exe92⤵PID:1748
-
C:\Windows\SysWOW64\Mdlfngcc.exeC:\Windows\system32\Mdlfngcc.exe93⤵
- System Location Discovery: System Language Discovery
PID:764 -
C:\Windows\SysWOW64\Mcofid32.exeC:\Windows\system32\Mcofid32.exe94⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2736 -
C:\Windows\SysWOW64\Mpcgbhig.exeC:\Windows\system32\Mpcgbhig.exe95⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2556 -
C:\Windows\SysWOW64\Mdoccg32.exeC:\Windows\system32\Mdoccg32.exe96⤵
- Modifies registry class
PID:2192 -
C:\Windows\SysWOW64\Nepokogo.exeC:\Windows\system32\Nepokogo.exe97⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2020 -
C:\Windows\SysWOW64\Nljhhi32.exeC:\Windows\system32\Nljhhi32.exe98⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2420 -
C:\Windows\SysWOW64\Ngoleb32.exeC:\Windows\system32\Ngoleb32.exe99⤵
- System Location Discovery: System Language Discovery
PID:2112 -
C:\Windows\SysWOW64\Nhqhmj32.exeC:\Windows\system32\Nhqhmj32.exe100⤵
- System Location Discovery: System Language Discovery
PID:2872 -
C:\Windows\SysWOW64\Nokqidll.exeC:\Windows\system32\Nokqidll.exe101⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:2904 -
C:\Windows\SysWOW64\Ncfmjc32.exeC:\Windows\system32\Ncfmjc32.exe102⤵PID:2480
-
C:\Windows\SysWOW64\Nhcebj32.exeC:\Windows\system32\Nhcebj32.exe103⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2060 -
C:\Windows\SysWOW64\Nommodjj.exeC:\Windows\system32\Nommodjj.exe104⤵PID:580
-
C:\Windows\SysWOW64\Ndjfgkha.exeC:\Windows\system32\Ndjfgkha.exe105⤵PID:1644
-
C:\Windows\SysWOW64\Nlanhh32.exeC:\Windows\system32\Nlanhh32.exe106⤵
- Drops file in System32 directory
PID:1280 -
C:\Windows\SysWOW64\Nnbjpqoa.exeC:\Windows\system32\Nnbjpqoa.exe107⤵PID:1612
-
C:\Windows\SysWOW64\Nanfqo32.exeC:\Windows\system32\Nanfqo32.exe108⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1904 -
C:\Windows\SysWOW64\Ngjoif32.exeC:\Windows\system32\Ngjoif32.exe109⤵PID:1548
-
C:\Windows\SysWOW64\Noagjc32.exeC:\Windows\system32\Noagjc32.exe110⤵
- System Location Discovery: System Language Discovery
PID:856 -
C:\Windows\SysWOW64\Opccallb.exeC:\Windows\system32\Opccallb.exe111⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2656 -
C:\Windows\SysWOW64\Ohjkcile.exeC:\Windows\system32\Ohjkcile.exe112⤵PID:1156
-
C:\Windows\SysWOW64\Ojkhjabc.exeC:\Windows\system32\Ojkhjabc.exe113⤵
- Modifies registry class
PID:2676 -
C:\Windows\SysWOW64\Oabplobe.exeC:\Windows\system32\Oabplobe.exe114⤵
- System Location Discovery: System Language Discovery
PID:1776 -
C:\Windows\SysWOW64\Odqlhjbi.exeC:\Windows\system32\Odqlhjbi.exe115⤵PID:2996
-
C:\Windows\SysWOW64\Ojndpqpq.exeC:\Windows\system32\Ojndpqpq.exe116⤵PID:2384
-
C:\Windows\SysWOW64\Ocfiif32.exeC:\Windows\system32\Ocfiif32.exe117⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2824 -
C:\Windows\SysWOW64\Ojpaeq32.exeC:\Windows\system32\Ojpaeq32.exe118⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2116 -
C:\Windows\SysWOW64\Oqjibkek.exeC:\Windows\system32\Oqjibkek.exe119⤵
- Modifies registry class
PID:3020 -
C:\Windows\SysWOW64\Ogdaod32.exeC:\Windows\system32\Ogdaod32.exe120⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:564 -
C:\Windows\SysWOW64\Omqjgl32.exeC:\Windows\system32\Omqjgl32.exe121⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2500 -
C:\Windows\SysWOW64\Oqlfhjch.exeC:\Windows\system32\Oqlfhjch.exe122⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2964
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-