Analysis
max time kernel: 99s
max time network: 18s
platform: windows7_x64
resource: win7-20241010-en
resource tags: arch:x64 arch:x86 image:win7-20241010-en locale:en-us os:windows7-x64 system
submitted: 13-11-2024 17:12
Static task: static1
Behavioral task: behavioral1
Sample: e96a41c2607e4cdacaaaa310a2c12d870e748b3cc09ad9591e5b5d75d1579344N.exe
Resource: win7-20241010-en
Behavioral task: behavioral2
Sample: e96a41c2607e4cdacaaaa310a2c12d870e748b3cc09ad9591e5b5d75d1579344N.exe
Resource: win10v2004-20241007-en
General
Target: e96a41c2607e4cdacaaaa310a2c12d870e748b3cc09ad9591e5b5d75d1579344N.exe
Size: 395KB
MD5: ee4118ab5f4b14254b56026a87d12200
SHA1: 21ffc7fe91203b942a19fa2271ce8a7902d048e0
SHA256: e96a41c2607e4cdacaaaa310a2c12d870e748b3cc09ad9591e5b5d75d1579344
SHA512: 0583ca708a73ef0c6521c13c0f9e7c2f035743eee5fc092fb6ef9088d43a1ff5d367459f848d9b58df6310e8957939ef69e4538c3be349c3ff32f9f43a32f6dc
SSDEEP: 6144:OgnMps4y70u4HXs4yr0u490u4Ds4yvW8lM:Z4O0dHc4i0d90dA4X
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
Executes dropped EXE (64 IoCs)
Loads dropped DLL (64 IoCs)
Drops file in System32 directory (64 IoCs)
System Location Discovery: System Language Discovery (1 TTP, 64 IoCs)
Attempts to gather information about the system language of a victim host in order to infer that host's geographical location.
Modifies registry class (64 IoCs)
\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dieiap32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hemggm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 e96a41c2607e4cdacaaaa310a2c12d870e748b3cc09ad9591e5b5d75d1579344N.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pffgonbb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ajelmiag.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lmajfp32.dll" Lfmhla32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jajcaj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cickgk32.dll" Pnkhfnea.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Paojeafn.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
Processes
C:\Users\Admin\AppData\Local\Temp\e96a41c2607e4cdacaaaa310a2c12d870e748b3cc09ad9591e5b5d75d1579344N.exe"C:\Users\Admin\AppData\Local\Temp\e96a41c2607e4cdacaaaa310a2c12d870e748b3cc09ad9591e5b5d75d1579344N.exe"1⤵
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1628 -
C:\Windows\SysWOW64\Midnqh32.exeC:\Windows\system32\Midnqh32.exe2⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:872 -
C:\Windows\SysWOW64\Maocekoo.exeC:\Windows\system32\Maocekoo.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2912 -
C:\Windows\SysWOW64\Mbopon32.exeC:\Windows\system32\Mbopon32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2964 -
C:\Windows\SysWOW64\Oeoeplfn.exeC:\Windows\system32\Oeoeplfn.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3032 -
C:\Windows\SysWOW64\Occeip32.exeC:\Windows\system32\Occeip32.exe6⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2812 -
C:\Windows\SysWOW64\Pcqebd32.exeC:\Windows\system32\Pcqebd32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2536 -
C:\Windows\SysWOW64\Poibmdmh.exeC:\Windows\system32\Poibmdmh.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3004 -
C:\Windows\SysWOW64\Pffgonbb.exeC:\Windows\system32\Pffgonbb.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2260 -
C:\Windows\SysWOW64\Aafnpkii.exeC:\Windows\system32\Aafnpkii.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2132 -
C:\Windows\SysWOW64\Anjojphb.exeC:\Windows\system32\Anjojphb.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:432 -
C:\Windows\SysWOW64\Acjdgf32.exeC:\Windows\system32\Acjdgf32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2120 -
C:\Windows\SysWOW64\Bomhnb32.exeC:\Windows\system32\Bomhnb32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1028 -
C:\Windows\SysWOW64\Ckhbnb32.exeC:\Windows\system32\Ckhbnb32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2268 -
C:\Windows\SysWOW64\Clnhajlc.exeC:\Windows\system32\Clnhajlc.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:864 -
C:\Windows\SysWOW64\Echlmh32.exeC:\Windows\system32\Echlmh32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2284 -
C:\Windows\SysWOW64\Efmoib32.exeC:\Windows\system32\Efmoib32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1164 -
C:\Windows\SysWOW64\Fmdfppkb.exeC:\Windows\system32\Fmdfppkb.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1208 -
C:\Windows\SysWOW64\Fmgcepio.exeC:\Windows\system32\Fmgcepio.exe19⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1004 -
C:\Windows\SysWOW64\Gplebjbk.exeC:\Windows\system32\Gplebjbk.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2204 -
C:\Windows\SysWOW64\Giejkp32.exeC:\Windows\system32\Giejkp32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1204 -
C:\Windows\SysWOW64\Hjhchg32.exeC:\Windows\system32\Hjhchg32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:576 -
C:\Windows\SysWOW64\Hagepa32.exeC:\Windows\system32\Hagepa32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2632 -
C:\Windows\SysWOW64\Hplbamdf.exeC:\Windows\system32\Hplbamdf.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1940 -
C:\Windows\SysWOW64\Ilhlan32.exeC:\Windows\system32\Ilhlan32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2164 -
C:\Windows\SysWOW64\Iainddpg.exeC:\Windows\system32\Iainddpg.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2368 -
C:\Windows\SysWOW64\Jnpoie32.exeC:\Windows\system32\Jnpoie32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2192 -
C:\Windows\SysWOW64\Jpcdqpqj.exeC:\Windows\system32\Jpcdqpqj.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:3052 -
C:\Windows\SysWOW64\Jafmngde.exeC:\Windows\system32\Jafmngde.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2304 -
C:\Windows\SysWOW64\Koogbk32.exeC:\Windows\system32\Koogbk32.exe30⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2832 -
C:\Windows\SysWOW64\Kkfhglen.exeC:\Windows\system32\Kkfhglen.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2572 -
C:\Windows\SysWOW64\Kjkehhjf.exeC:\Windows\system32\Kjkehhjf.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1552 -
C:\Windows\SysWOW64\Lqjfpbmm.exeC:\Windows\system32\Lqjfpbmm.exe33⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1040 -
C:\Windows\SysWOW64\Lmcdkbao.exeC:\Windows\system32\Lmcdkbao.exe34⤵
- Executes dropped EXE
PID:1516 -
C:\Windows\SysWOW64\Lgmekpmn.exeC:\Windows\system32\Lgmekpmn.exe35⤵
- Executes dropped EXE
- Modifies registry class
PID:2860 -
C:\Windows\SysWOW64\Mganfp32.exeC:\Windows\system32\Mganfp32.exe36⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2740 -
C:\Windows\SysWOW64\Mffkgl32.exeC:\Windows\system32\Mffkgl32.exe37⤵
- Executes dropped EXE
PID:1324 -
C:\Windows\SysWOW64\Mnncii32.exeC:\Windows\system32\Mnncii32.exe38⤵
- Executes dropped EXE
PID:696 -
C:\Windows\SysWOW64\Mcjlap32.exeC:\Windows\system32\Mcjlap32.exe39⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1760 -
C:\Windows\SysWOW64\Mpalfabn.exeC:\Windows\system32\Mpalfabn.exe40⤵
- Executes dropped EXE
PID:2656 -
C:\Windows\SysWOW64\Nbdbml32.exeC:\Windows\system32\Nbdbml32.exe41⤵
- Executes dropped EXE
PID:2472 -
C:\Windows\SysWOW64\Ndjhpcoe.exeC:\Windows\system32\Ndjhpcoe.exe42⤵
- Executes dropped EXE
PID:2408 -
C:\Windows\SysWOW64\Nejdjf32.exeC:\Windows\system32\Nejdjf32.exe43⤵
- Executes dropped EXE
PID:2328 -
C:\Windows\SysWOW64\Oobiclmh.exeC:\Windows\system32\Oobiclmh.exe44⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:768 -
C:\Windows\SysWOW64\Omgfdhbq.exeC:\Windows\system32\Omgfdhbq.exe45⤵
- Executes dropped EXE
PID:1972 -
C:\Windows\SysWOW64\Omjbihpn.exeC:\Windows\system32\Omjbihpn.exe46⤵
- Executes dropped EXE
PID:1712 -
C:\Windows\SysWOW64\Ogbgbn32.exeC:\Windows\system32\Ogbgbn32.exe47⤵
- Executes dropped EXE
PID:2704 -
C:\Windows\SysWOW64\Ocihgo32.exeC:\Windows\system32\Ocihgo32.exe48⤵
- Executes dropped EXE
PID:1820 -
C:\Windows\SysWOW64\Olalpdbc.exeC:\Windows\system32\Olalpdbc.exe49⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1816 -
C:\Windows\SysWOW64\Panehkaj.exeC:\Windows\system32\Panehkaj.exe50⤵
- Executes dropped EXE
PID:1612 -
C:\Windows\SysWOW64\Papank32.exeC:\Windows\system32\Papank32.exe51⤵
- Executes dropped EXE
PID:2004 -
C:\Windows\SysWOW64\Pkifgpeh.exeC:\Windows\system32\Pkifgpeh.exe52⤵
- Executes dropped EXE
PID:2180 -
C:\Windows\SysWOW64\Phmfpddb.exeC:\Windows\system32\Phmfpddb.exe53⤵
- Executes dropped EXE
PID:2920 -
C:\Windows\SysWOW64\Pkmobp32.exeC:\Windows\system32\Pkmobp32.exe54⤵
- Executes dropped EXE
PID:2564 -
C:\Windows\SysWOW64\Pdfdkehc.exeC:\Windows\system32\Pdfdkehc.exe55⤵
- Executes dropped EXE
PID:2788 -
C:\Windows\SysWOW64\Qnnhcknd.exeC:\Windows\system32\Qnnhcknd.exe56⤵
- Executes dropped EXE
PID:1192 -
C:\Windows\SysWOW64\Qjeihl32.exeC:\Windows\system32\Qjeihl32.exe57⤵
- Executes dropped EXE
PID:2792 -
C:\Windows\SysWOW64\Qoaaqb32.exeC:\Windows\system32\Qoaaqb32.exe58⤵
- Executes dropped EXE
PID:1548 -
C:\Windows\SysWOW64\Acpjga32.exeC:\Windows\system32\Acpjga32.exe59⤵
- Executes dropped EXE
PID:1780 -
C:\Windows\SysWOW64\Akkokc32.exeC:\Windows\system32\Akkokc32.exe60⤵
- Executes dropped EXE
- Modifies registry class
PID:1340 -
C:\Windows\SysWOW64\Afpchl32.exeC:\Windows\system32\Afpchl32.exe61⤵
- Executes dropped EXE
PID:2124 -
C:\Windows\SysWOW64\Aoihaa32.exeC:\Windows\system32\Aoihaa32.exe62⤵
- Executes dropped EXE
PID:2700 -
C:\Windows\SysWOW64\Aokdga32.exeC:\Windows\system32\Aokdga32.exe63⤵
- Executes dropped EXE
PID:1680 -
C:\Windows\SysWOW64\Agfikc32.exeC:\Windows\system32\Agfikc32.exe64⤵
- Executes dropped EXE
PID:2264 -
C:\Windows\SysWOW64\Bghfacem.exeC:\Windows\system32\Bghfacem.exe65⤵
- Executes dropped EXE
PID:2440 -
C:\Windows\SysWOW64\Bjgbmoda.exeC:\Windows\system32\Bjgbmoda.exe66⤵PID:2608
-
C:\Windows\SysWOW64\Bfncbp32.exeC:\Windows\system32\Bfncbp32.exe67⤵PID:1808
-
C:\Windows\SysWOW64\Bpfgke32.exeC:\Windows\system32\Bpfgke32.exe68⤵PID:536
-
C:\Windows\SysWOW64\Baecehhh.exeC:\Windows\system32\Baecehhh.exe69⤵PID:2036
-
C:\Windows\SysWOW64\Bmldji32.exeC:\Windows\system32\Bmldji32.exe70⤵
- Drops file in System32 directory
- Modifies registry class
PID:2900 -
C:\Windows\SysWOW64\Bfeibo32.exeC:\Windows\system32\Bfeibo32.exe71⤵PID:2628
-
C:\Windows\SysWOW64\Cejfckie.exeC:\Windows\system32\Cejfckie.exe72⤵PID:2836
-
C:\Windows\SysWOW64\Caqfiloi.exeC:\Windows\system32\Caqfiloi.exe73⤵PID:2880
-
C:\Windows\SysWOW64\Caccnllf.exeC:\Windows\system32\Caccnllf.exe74⤵PID:2380
-
C:\Windows\SysWOW64\Cogdhpkp.exeC:\Windows\system32\Cogdhpkp.exe75⤵PID:2332
-
C:\Windows\SysWOW64\Cmlqimph.exeC:\Windows\system32\Cmlqimph.exe76⤵PID:984
-
C:\Windows\SysWOW64\Dfdeab32.exeC:\Windows\system32\Dfdeab32.exe77⤵PID:2992
-
C:\Windows\SysWOW64\Dggbgadf.exeC:\Windows\system32\Dggbgadf.exe78⤵PID:1152
-
C:\Windows\SysWOW64\Dpofpg32.exeC:\Windows\system32\Dpofpg32.exe79⤵
- System Location Discovery: System Language Discovery
PID:2352 -
C:\Windows\SysWOW64\Dglkba32.exeC:\Windows\system32\Dglkba32.exe80⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:764 -
C:\Windows\SysWOW64\Dpdpkfga.exeC:\Windows\system32\Dpdpkfga.exe81⤵
- Drops file in System32 directory
PID:2240 -
C:\Windows\SysWOW64\Dlkqpg32.exeC:\Windows\system32\Dlkqpg32.exe82⤵PID:2464
-
C:\Windows\SysWOW64\Egndgdai.exeC:\Windows\system32\Egndgdai.exe83⤵PID:2456
-
C:\Windows\SysWOW64\Fdaephpc.exeC:\Windows\system32\Fdaephpc.exe84⤵PID:912
-
C:\Windows\SysWOW64\Fqheei32.exeC:\Windows\system32\Fqheei32.exe85⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1540 -
C:\Windows\SysWOW64\Fjcfco32.exeC:\Windows\system32\Fjcfco32.exe86⤵PID:2576
-
C:\Windows\SysWOW64\Fbnkha32.exeC:\Windows\system32\Fbnkha32.exe87⤵
- Drops file in System32 directory
PID:2388 -
C:\Windows\SysWOW64\Gdodjlda.exeC:\Windows\system32\Gdodjlda.exe88⤵
- Modifies registry class
PID:2780 -
C:\Windows\SysWOW64\Gngiba32.exeC:\Windows\system32\Gngiba32.exe89⤵PID:1528
-
C:\Windows\SysWOW64\Gbeaip32.exeC:\Windows\system32\Gbeaip32.exe90⤵PID:2184
-
C:\Windows\SysWOW64\Gnlbnagl.exeC:\Windows\system32\Gnlbnagl.exe91⤵
- Modifies registry class
PID:2392 -
C:\Windows\SysWOW64\Ggdfff32.exeC:\Windows\system32\Ggdfff32.exe92⤵PID:2160
-
C:\Windows\SysWOW64\Gnoocq32.exeC:\Windows\system32\Gnoocq32.exe93⤵PID:2940
-
C:\Windows\SysWOW64\Gppkkikh.exeC:\Windows\system32\Gppkkikh.exe94⤵PID:2828
-
C:\Windows\SysWOW64\Hpbhphie.exeC:\Windows\system32\Hpbhphie.exe95⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2548 -
C:\Windows\SysWOW64\Hliieioi.exeC:\Windows\system32\Hliieioi.exe96⤵PID:2824
-
C:\Windows\SysWOW64\Himionmc.exeC:\Windows\system32\Himionmc.exe97⤵PID:1436
-
C:\Windows\SysWOW64\Hfajhblm.exeC:\Windows\system32\Hfajhblm.exe98⤵PID:3024
-
C:\Windows\SysWOW64\Hpinagbm.exeC:\Windows\system32\Hpinagbm.exe99⤵
- System Location Discovery: System Language Discovery
PID:1352 -
C:\Windows\SysWOW64\Hjcoaeol.exeC:\Windows\system32\Hjcoaeol.exe100⤵PID:564
-
C:\Windows\SysWOW64\Ilblkh32.exeC:\Windows\system32\Ilblkh32.exe101⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2060 -
C:\Windows\SysWOW64\Iaoddodf.exeC:\Windows\system32\Iaoddodf.exe102⤵PID:2232
-
C:\Windows\SysWOW64\Idpmejag.exeC:\Windows\system32\Idpmejag.exe103⤵PID:2200
-
C:\Windows\SysWOW64\Imhanp32.exeC:\Windows\system32\Imhanp32.exe104⤵PID:960
-
C:\Windows\SysWOW64\Iiobcq32.exeC:\Windows\system32\Iiobcq32.exe105⤵PID:2544
-
C:\Windows\SysWOW64\Iefchacp.exeC:\Windows\system32\Iefchacp.exe106⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2056 -
C:\Windows\SysWOW64\Ilpkel32.exeC:\Windows\system32\Ilpkel32.exe107⤵
- System Location Discovery: System Language Discovery
PID:612 -
C:\Windows\SysWOW64\Jehpna32.exeC:\Windows\system32\Jehpna32.exe108⤵PID:276
-
C:\Windows\SysWOW64\Jaopcbga.exeC:\Windows\system32\Jaopcbga.exe109⤵PID:2236
-
C:\Windows\SysWOW64\Jhkeelml.exeC:\Windows\system32\Jhkeelml.exe110⤵PID:3064
-
C:\Windows\SysWOW64\Jacjna32.exeC:\Windows\system32\Jacjna32.exe111⤵PID:3044
-
C:\Windows\SysWOW64\Kgelahmn.exeC:\Windows\system32\Kgelahmn.exe112⤵PID:2864
-
C:\Windows\SysWOW64\Klbdiokf.exeC:\Windows\system32\Klbdiokf.exe113⤵PID:1132
-
C:\Windows\SysWOW64\Knaqcabh.exeC:\Windows\system32\Knaqcabh.exe114⤵
- Modifies registry class
PID:2580 -
C:\Windows\SysWOW64\Kgjelg32.exeC:\Windows\system32\Kgjelg32.exe115⤵PID:2136
-
C:\Windows\SysWOW64\Khmnio32.exeC:\Windows\system32\Khmnio32.exe116⤵PID:3008
-
C:\Windows\SysWOW64\Lhpkoo32.exeC:\Windows\system32\Lhpkoo32.exe117⤵PID:2436
-
C:\Windows\SysWOW64\Lbhphdab.exeC:\Windows\system32\Lbhphdab.exe118⤵
- Drops file in System32 directory
PID:2336 -
C:\Windows\SysWOW64\Lnopmegg.exeC:\Windows\system32\Lnopmegg.exe119⤵PID:2480
-
C:\Windows\SysWOW64\Lnambeed.exeC:\Windows\system32\Lnambeed.exe120⤵PID:1600
-
C:\Windows\SysWOW64\Lkemli32.exeC:\Windows\system32\Lkemli32.exe121⤵PID:1656
-
C:\Windows\SysWOW64\Ljjjmeie.exeC:\Windows\system32\Ljjjmeie.exe122⤵PID:2616