Analysis

max time kernel: 119s
max time network: 121s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 13-11-2024 19:01

Static task: static1

Behavioral task: behavioral1
Sample: 62460d64275df316d8faf59bdc4a77e5eced05f0b7c7fe3d67903a75f2ca0c7e.exe
Resource: win7-20240903-en

Behavioral task: behavioral2
Sample: 62460d64275df316d8faf59bdc4a77e5eced05f0b7c7fe3d67903a75f2ca0c7e.exe
Resource: win10v2004-20241007-en

General

Target: 62460d64275df316d8faf59bdc4a77e5eced05f0b7c7fe3d67903a75f2ca0c7e.exe
Size: 1.1MB
MD5: 16a12d75fb5ebd0a319af381caea7a4a
SHA1: 01cd03a13ae3cc8f775930dc63b18d1a5888e245
SHA256: 62460d64275df316d8faf59bdc4a77e5eced05f0b7c7fe3d67903a75f2ca0c7e
SHA512: 96178cc8753485db022b6b70af0701f03a9b95adaa1e8cd3b78b0e9335dbc95e01db93a8b1c93cc623e43017831cf781c44b28895b105e8611fb95ed3582e464
SSDEEP: 12288:11WrQg5Z/+zrWAIAqWim/+zrWAI5KFukEyDucEQX:1grQg5ZmvFimm0HkEyDucEQX
Malware Config

Signatures
Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Pfebnmcj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Qifnhaho.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Enenef32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Lefikg32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Olophhjd.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Gkoobhhg.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Olbogqoe.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Djocbqpb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Dleelp32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Ehjona32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Jondnnbk.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Cileqlmg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Bdfooh32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bgokfnij.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Bdckobhd.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bjbqmi32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Fhjoof32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Leammn32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Eccpoo32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Jdhifooi.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ilmlfcel.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Dgnjqe32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Fihfnp32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Hhdqma32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Daacecfc.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Pcljmdmj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Hkmollme.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Daofpchf.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Lonibk32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ofiopaap.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Pkmmigjo.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Mldgbcoe.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Filgbdfd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Mngjeamd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Akkoig32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bgdibkam.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Fhjoof32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ciokijfd.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Joppeeif.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bkqiek32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Ckhpejbf.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Feipbefb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Jodhdp32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Obokcqhk.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Iahceq32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Hlbpme32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Palbgn32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Piieicgl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Aedlhg32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Hdhbci32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Kijmbnpo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Mheeif32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Emagacdm.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Nplimbka.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ggagmjbq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Ojpaeq32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Pchbmigj.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Jgbmco32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Ifpnaj32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Enbapf32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Fmlglb32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Mfqiingf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Oldpnn32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Hgpjhn32.exe

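Every row in these signature tables is one event (an action, the artifact it touched, the process that did it), but when a sandbox report is scraped the rows arrive run together as one block of text. The following is an added example and is not part of the sandbox report or the sandbox vendor's code: a small parser that recovers (action, ioc, process) triples from such flattened text and distils the hunt-relevant atoms (the CLSID, the dropped file names, the registry keys, the acting processes). The excerpt it parses is constructed from rows on this page; the function and constant names are my own. It handles the five action verbs this page uses, and registry key paths are deduplicated case-insensitively because the registry itself is case-insensitive (the report mixes "SOFTWARE" and "Software").

```python
import re
from collections import Counter

# Constructed excerpt: rows from this page's "Adds autorun key", "Drops file in
# System32", "Modifies registry class" and "System Language Discovery" tables,
# run together the way a scraped sandbox report arrives.
SAMPLE_TEXT = (
    'Set value (str) \\REGISTRY\\MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion'
    '\\ShellServiceObjectDelayLoad\\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pfebnmcj.exe '
    'Key created \\REGISTRY\\MACHINE\\Software\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion'
    '\\ShellServiceObjectDelayLoad Enenef32.exe '
    'File created C:\\Windows\\SysWOW64\\Lffkcfke.dll Olbogqoe.exe '
    'File opened for modification C:\\Windows\\SysWOW64\\Llpfjomf.exe Lmmfnb32.exe '
    'Set value (str) \\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID'
    '\\{79FAA099-1BAE-816E-D711-115290CEE717}\\InProcServer32\\ = '
    '"C:\\\\Windows\\\\SysWow64\\\\Najopl32.dll" Hkmollme.exe '
    'Key opened \\REGISTRY\\MACHINE\\SYSTEM\\ControlSet001\\Control\\NLS\\Language Jhdlad32.exe'
)

# Action verbs that open a row in these tables (the ones this page uses).
# The longest alternative is listed first so it is never cut to a shorter prefix.
ACTIONS = (
    "File opened for modification",
    "Set value (str)",
    "File created",
    "Key created",
    "Key opened",
)
_ACTION_ALT = "|".join(re.escape(a) for a in ACTIONS)

# One row = action, then the artifact (may contain spaces, '=' and quotes), then
# the acting process, which is the last whitespace-delimited *.exe token before
# the next action verb or the end of the text.
ROW_RE = re.compile(
    rf"(?P<action>{_ACTION_ALT})\s+"
    r"(?P<ioc>.+?)\s+"
    r"(?P<process>\S+\.exe)"
    rf"(?=\s+(?:{_ACTION_ALT})\s|\s*$)",
    re.DOTALL,
)

CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")


def parse_rows(text):
    """Return a list of (action, ioc, process) triples found in flattened report text."""
    return [(m["action"], m["ioc"], m["process"]) for m in ROW_RE.finditer(text)]


def summarize(rows):
    """Pull the hunt-relevant atoms out of parsed rows."""
    actions = Counter()
    clsids, dropped = set(), set()
    keys = {}  # lower-cased key path -> first spelling seen (registry is case-insensitive)
    for action, ioc, process in rows:
        actions[action] += 1
        clsids.update(CLSID_RE.findall(ioc))
        key = None
        if action.startswith("File"):
            dropped.add(ioc.rsplit("\\", 1)[-1])
        elif action.startswith("Key"):
            key = ioc
        elif action.startswith("Set value"):
            # "<key>\<value name> = <data>": keep only the key path
            key = ioc.split(" = ", 1)[0].rsplit("\\", 1)[0]
        if key is not None:
            keys.setdefault(key.lower(), key)
    return {
        "rows": len(rows),
        "actions": dict(actions),
        "clsids": sorted(clsids),
        "dropped_files": sorted(dropped),
        "registry_keys": sorted(keys.values()),
        "processes": sorted({p for _, _, p in rows}),
    }


if __name__ == "__main__":
    for field, value in summarize(parse_rows(SAMPLE_TEXT)).items():
        print(f"{field}: {value}")
```

The same regex works unchanged on the full tables on this page once they are pasted into SAMPLE_TEXT; the dropped-file list it produces is a ready-made file-name blocklist for the SysWOW64 directory, and the single CLSID it extracts ties the ShellServiceObjectDelayLoad value to the InProcServer32 registration further down the page.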
Executes dropped EXE (64 IoCs)
pid | Process
2788 | Fqmpni32.exe
2692 | Fkbdkb32.exe
2712 | Gfehan32.exe
2624 | Gmoqnhla.exe
2616 | Hdiejfej.exe
2612 | Ieagbm32.exe
2212 | Ihfjognl.exe
492 | Iaonhm32.exe
1612 | Kobkpdfa.exe
2912 | Kmobhmnn.exe
1740 | Lmfhil32.exe
2392 | Leammn32.exe
2112 | Mbeiefff.exe
2036 | Nblpfepo.exe
2092 | Opifnm32.exe
1316 | Oldpnn32.exe
1476 | Pqkobqhd.exe
1364 | Pjfpafmb.exe
2368 | Pmdmmalf.exe
1300 | Qfonkfqd.exe
2292 | Aipfmane.exe
872 | Aollokco.exe
2720 | Abkhkgbb.exe
2608 | Anahqh32.exe
2840 | Badnhbce.exe
2800 | Bccjdnbi.exe
2936 | Bjoofhgc.exe
304 | Bmnlbcfg.exe
532 | Bfkifhib.exe
576 | Chlfnp32.exe
2148 | Cafgle32.exe
2132 | Caidaeak.exe
2888 | Cffljlpc.exe
2812 | Cheido32.exe
2764 | Ddliip32.exe
2064 | Diibag32.exe
2956 | Dljkcb32.exe
2280 | Dhplhc32.exe
2428 | Dpgcip32.exe
1504 | Dlndnacm.exe
3040 | Dchmkkkj.exe
1276 | Elqaca32.exe
1548 | Endjaief.exe
2416 | Ehjona32.exe
2976 | Eccpoo32.exe
832 | Ekjgpm32.exe
2388 | Epgphcqd.exe
2060 | Fgcejm32.exe
2932 | Fcjeon32.exe
2732 | Fhgnge32.exe
1632 | Fkhgip32.exe
2576 | Filgbdfd.exe
2068 | Fbdlkj32.exe
2204 | Findhdcb.exe
2436 | Gkomjo32.exe
1748 | Gnmifk32.exe
1244 | Gqlebf32.exe
2632 | Gqnbhf32.exe
1372 | Gaqomeke.exe
2408 | Gcokiaji.exe
1868 | Gbdhjm32.exe
2268 | Hinqgg32.exe
2948 | Hfbaql32.exe
2184 | Halbai32.exe

Loads dropped DLL (64 IoCs)
pid | Process
2400 | 62460d64275df316d8faf59bdc4a77e5eced05f0b7c7fe3d67903a75f2ca0c7e.exe
2400 | 62460d64275df316d8faf59bdc4a77e5eced05f0b7c7fe3d67903a75f2ca0c7e.exe
2788 | Fqmpni32.exe
2788 | Fqmpni32.exe
2692 | Fkbdkb32.exe
2692 | Fkbdkb32.exe
2712 | Gfehan32.exe
2712 | Gfehan32.exe
2624 | Gmoqnhla.exe
2624 | Gmoqnhla.exe
2616 | Hdiejfej.exe
2616 | Hdiejfej.exe
2612 | Ieagbm32.exe
2612 | Ieagbm32.exe
2212 | Ihfjognl.exe
2212 | Ihfjognl.exe
492 | Iaonhm32.exe
492 | Iaonhm32.exe
1612 | Kobkpdfa.exe
1612 | Kobkpdfa.exe
2912 | Kmobhmnn.exe
2912 | Kmobhmnn.exe
1740 | Lmfhil32.exe
1740 | Lmfhil32.exe
2392 | Leammn32.exe
2392 | Leammn32.exe
2112 | Mbeiefff.exe
2112 | Mbeiefff.exe
2036 | Nblpfepo.exe
2036 | Nblpfepo.exe
2092 | Opifnm32.exe
2092 | Opifnm32.exe
1316 | Oldpnn32.exe
1316 | Oldpnn32.exe
1476 | Pqkobqhd.exe
1476 | Pqkobqhd.exe
1364 | Pjfpafmb.exe
1364 | Pjfpafmb.exe
2368 | Pmdmmalf.exe
2368 | Pmdmmalf.exe
1300 | Qfonkfqd.exe
1300 | Qfonkfqd.exe
2292 | Aipfmane.exe
2292 | Aipfmane.exe
872 | Aollokco.exe
872 | Aollokco.exe
2720 | Abkhkgbb.exe
2720 | Abkhkgbb.exe
2608 | Anahqh32.exe
2608 | Anahqh32.exe
2840 | Badnhbce.exe
2840 | Badnhbce.exe
2800 | Bccjdnbi.exe
2800 | Bccjdnbi.exe
2936 | Bjoofhgc.exe
2936 | Bjoofhgc.exe
304 | Bmnlbcfg.exe
304 | Bmnlbcfg.exe
532 | Bfkifhib.exe
532 | Bfkifhib.exe
576 | Chlfnp32.exe
576 | Chlfnp32.exe
2148 | Cafgle32.exe
2148 | Cafgle32.exe

Drops file in System32 directory (64 IoCs)
description | ioc | Process
File created | C:\Windows\SysWOW64\Lffkcfke.dll | Olbogqoe.exe
File opened for modification | C:\Windows\SysWOW64\Llpfjomf.exe | Lmmfnb32.exe
File created | C:\Windows\SysWOW64\Koibpd32.exe | Kijmbnpo.exe
File created | C:\Windows\SysWOW64\Ogmkne32.exe | Odnobj32.exe
File created | C:\Windows\SysWOW64\Oijehm32.dll | Gihnkejd.exe
File opened for modification | C:\Windows\SysWOW64\Lbhmok32.exe | Kkkhmadd.exe
File opened for modification | C:\Windows\SysWOW64\Nianjl32.exe | Nmjmekan.exe
File created | C:\Windows\SysWOW64\Ioiepeog.dll | Mngjeamd.exe
File opened for modification | C:\Windows\SysWOW64\Cicalakk.exe | Clpabm32.exe
File created | C:\Windows\SysWOW64\Ihkcje32.dll | Fnofjfhk.exe
File created | C:\Windows\SysWOW64\Ndfnecgp.exe | Nknimnap.exe
File opened for modification | C:\Windows\SysWOW64\Fbpclofe.exe | Fhjoof32.exe
File created | C:\Windows\SysWOW64\Kolhdbjh.exe | Jmlobg32.exe
File created | C:\Windows\SysWOW64\Palbgn32.exe | Pjbjjc32.exe
File created | C:\Windows\SysWOW64\Ckpoih32.exe | Cdfgmnpa.exe
File created | C:\Windows\SysWOW64\Gmoqnhla.exe | Gfehan32.exe
File opened for modification | C:\Windows\SysWOW64\Anahqh32.exe | Abkhkgbb.exe
File opened for modification | C:\Windows\SysWOW64\Pnbojmmp.exe | Pcljmdmj.exe
File created | C:\Windows\SysWOW64\Qldjdlgb.exe | Qifnhaho.exe
File opened for modification | C:\Windows\SysWOW64\Kncaojfb.exe | Kdklfe32.exe
File opened for modification | C:\Windows\SysWOW64\Kadica32.exe | Kenhopmf.exe
File opened for modification | C:\Windows\SysWOW64\Ggiofa32.exe | Gckfpc32.exe
File created | C:\Windows\SysWOW64\Jmogjn32.dll | Iemalkgd.exe
File created | C:\Windows\SysWOW64\Mdepmh32.exe | Lofkoamf.exe
File created | C:\Windows\SysWOW64\Jdogldmo.exe | Jfjjkhhg.exe
File created | C:\Windows\SysWOW64\Eddeladm.exe | Ehmdgp32.exe
File created | C:\Windows\SysWOW64\Nbmaon32.exe | Nplimbka.exe
File created | C:\Windows\SysWOW64\Modlbmmn.exe | Mgmdapml.exe
File opened for modification | C:\Windows\SysWOW64\Jfjolf32.exe | Iclbpj32.exe
File created | C:\Windows\SysWOW64\Mdldeo32.exe | Mpnkopeh.exe
File created | C:\Windows\SysWOW64\Ophppo32.dll | Bihgmdih.exe
File created | C:\Windows\SysWOW64\Gampaipe.exe | Goocenaa.exe
File created | C:\Windows\SysWOW64\Gajlac32.exe | Gfdhck32.exe
File created | C:\Windows\SysWOW64\Egfpem32.dll | Chlfnp32.exe
File created | C:\Windows\SysWOW64\Pdnldmfb.dll | Klehgh32.exe
File created | C:\Windows\SysWOW64\Qklpempi.dll | Npmphinm.exe
File created | C:\Windows\SysWOW64\Ompefj32.exe | Offmipej.exe
File created | C:\Windows\SysWOW64\Oepbmk32.dll | Gkmefaan.exe
File opened for modification | C:\Windows\SysWOW64\Aodkci32.exe | Ackmih32.exe
File created | C:\Windows\SysWOW64\Gkephn32.exe | Gmpcgace.exe
File created | C:\Windows\SysWOW64\Pjmnfk32.exe | Ppcmfn32.exe
File created | C:\Windows\SysWOW64\Ppkfhg32.dll | Iickckcl.exe
File opened for modification | C:\Windows\SysWOW64\Ciokijfd.exe | Cogfqe32.exe
File created | C:\Windows\SysWOW64\Bhbkpgbf.exe | Bdfooh32.exe
File created | C:\Windows\SysWOW64\Jgnapb32.dll | Laidgi32.exe
File created | C:\Windows\SysWOW64\Lhkhmj32.dll | Fmaqgaae.exe
File created | C:\Windows\SysWOW64\Abkhkgbb.exe | Aollokco.exe
File created | C:\Windows\SysWOW64\Bgdibkam.exe | Bgblmk32.exe
File opened for modification | C:\Windows\SysWOW64\Cpiqmlfm.exe | Cbepdhgc.exe
File created | C:\Windows\SysWOW64\Cmbfdl32.dll | Cbblda32.exe
File created | C:\Windows\SysWOW64\Miqnbfnp.dll | Ikjhki32.exe
File created | C:\Windows\SysWOW64\Hhoeii32.exe | Hpcpdfhj.exe
File opened for modification | C:\Windows\SysWOW64\Lofkoamf.exe | Llhocfnb.exe
File created | C:\Windows\SysWOW64\Ebpdod32.dll | Hmeolj32.exe
File created | C:\Windows\SysWOW64\Golnjpio.dll | Bfncpcoc.exe
File created | C:\Windows\SysWOW64\Ggagmjbq.exe | Fkkfgi32.exe
File opened for modification | C:\Windows\SysWOW64\Llomfpag.exe | Kokmmkcm.exe
File created | C:\Windows\SysWOW64\Fmdpgmhn.dll | Mgmdapml.exe
File created | C:\Windows\SysWOW64\Eqkjmcmq.exe | Dqinhcoc.exe
File opened for modification | C:\Windows\SysWOW64\Palepb32.exe | Ppkhhjei.exe
File opened for modification | C:\Windows\SysWOW64\Bfjkphjd.exe | Aldfcpjn.exe
File opened for modification | C:\Windows\SysWOW64\Ofiopaap.exe | Ojpaeq32.exe
File created | C:\Windows\SysWOW64\Ffmcdhob.dll | Lmhdph32.exe
File created | C:\Windows\SysWOW64\Ajnfie32.dll | Ekjgpm32.exe

Program crash (1 IoCs)
pid | pid_target | Process | procid_target
4436 | 1500 | WerFault.exe | 779

System Location Discovery: System Language Discovery (1 TTPs, 64 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Jhdlad32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Bfioia32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Gojhafnb.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Kipmhc32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Bgokfnij.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Dpodgocb.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Kggfnoch.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Kobkpdfa.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Lefikg32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Leammn32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Qfonkfqd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Hnpbjnpo.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Jplkmgol.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Jeclebja.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ljnqdhga.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ckfjjqhd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Gfehan32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Enbapf32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ifpnaj32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ciihklpj.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Efljhq32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ofafgipc.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Hpcpdfhj.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Dnhefh32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Fipbhd32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Dljkcb32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Giaidnkf.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ikfdkc32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ajnqphhe.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Gqdefddb.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Fkhibino.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Lgingm32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Hqgddm32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Mhninb32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Nhbciaki.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Obecld32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Nfidjbdg.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Fpbqcb32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Iojopp32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Nianjl32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Fpmbfbgo.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Eknmhk32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Lqipkhbj.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Mkqqnq32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Pdbdqh32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Feiddbbj.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ciokijfd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Flnlkgjq.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Kdefgj32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Bkqiek32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Kaekljjo.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Aphehidc.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Imhqbkbm.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Lfkeokjp.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ljfapjbi.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Bnknoogp.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Dckcnj32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ijklknbn.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Cmfmojcb.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Cfnkmi32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Dphhka32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Qaapcj32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Fkecij32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Jondnnbk.exe

Modifies registry class (64 IoCs)
Processes: Dphmloih.exe, Idicbbpi.exe, Hkmollme.exe, Qmbqcf32.exe, Bpmkbl32.exe, Glkgcmbg.exe, Jplkmgol.exe, Ajnqphhe.exe, Ppkhhjei.exe, Obokcqhk.exe, Dlljaj32.exe, Djocbqpb.exe, Kmhhae32.exe, Lncgollm.exe, Bgblmk32.exe, Ghlfjq32.exe, Khgkpl32.exe, Gcppkbia.exe, Dnhefh32.exe, Aaimopli.exe, Obdojcef.exe, Idkpganf.exe, Dkdmfe32.exe, Fpokjd32.exe, Qfonkfqd.exe, Cjbmll32.exe, Gmkjgfmf.exe, Jgppmpjp.exe, Cheido32.exe, Ngbpehpj.exe, Ifpnaj32.exe, Ngoleb32.exe, Jkdfmoha.exe, Einlmkhp.exe, Cmfkfa32.exe, Bdaojbjf.exe, Hfbaql32.exe, Glchpp32.exe, Fkhgip32.exe, Nmnclmoj.exe, Ppcbgkka.exe, Ggkibhjf.exe, Obecld32.exe, Nmjmekan.exe, Ekjgpm32.exe, Olophhjd.exe, Klpdaf32.exe, Foolgh32.exe, Joppeeif.exe, Odnobj32.exe, Clclhmin.exe, Iphecepe.exe, Nedhjj32.exe, Gojhafnb.exe, Qifnhaho.exe, Llbnnq32.exe, Ijklknbn.exe, Cmmcpi32.exe, Nkclkl32.exe, Kgjjndeq.exe, Peqhgmdd.exe, Ciihklpj.exe
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Dphmloih.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Idicbbpi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Najopl32.dll" | Hkmollme.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Qmbqcf32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dhhdmc32.dll" | Bpmkbl32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Glkgcmbg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lofoed32.dll" | Jplkmgol.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Ajnqphhe.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Ppkhhjei.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Obokcqhk.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lmmbhhfg.dll" | Dlljaj32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Apnmpn32.dll" | Djocbqpb.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Bpmkbl32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Kmhhae32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Lncgollm.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Bgblmk32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Ghlfjq32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Khgkpl32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdgcbgmg.dll" | Gcppkbia.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ippdloip.dll" | Dnhefh32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Aaimopli.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Obdojcef.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnddef32.dll" | Idkpganf.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Dkdmfe32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Fpokjd32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Opknndcg.dll" | Qfonkfqd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Cjbmll32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Gmkjgfmf.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Jgppmpjp.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Cheido32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jckenobm.dll" | Ngbpehpj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Ifpnaj32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnjkec32.dll" | Ngoleb32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Jkdfmoha.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Einlmkhp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Cmfkfa32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekjpaefk.dll" | Bdaojbjf.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Hfbaql32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Glchpp32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Ghlfjq32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Leoggnnm.dll" | Fkhgip32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lmoogf32.dll" | Nmnclmoj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hafimk32.dll" | Ppcbgkka.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jflomd32.dll" | Ggkibhjf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = 
"Apartment" Obecld32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Nmjmekan.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ajnfie32.dll" Ekjgpm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohniib32.dll" Olophhjd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gobdahei.dll" Klpdaf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Foolgh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Joppeeif.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Odnobj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Clclhmin.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Iphecepe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qeeheknp.dll" Nedhjj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Gojhafnb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bknida32.dll" Qifnhaho.exe Set value (str) 
\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Llbnnq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ijklknbn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Cmmcpi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Nkclkl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kgjjndeq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Peqhgmdd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ciihklpj.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
62460d64275df316d8faf59bdc4a77e5eced05f0b7c7fe3d67903a75f2ca0c7e.exeFqmpni32.exeFkbdkb32.exeGfehan32.exeGmoqnhla.exeHdiejfej.exeIeagbm32.exeIhfjognl.exeIaonhm32.exeKobkpdfa.exeKmobhmnn.exeLmfhil32.exeLeammn32.exeMbeiefff.exeNblpfepo.exeOpifnm32.exedescription pid Process procid_target PID 2400 wrote to memory of 2788 2400 62460d64275df316d8faf59bdc4a77e5eced05f0b7c7fe3d67903a75f2ca0c7e.exe 30 PID 2400 wrote to memory of 2788 2400 62460d64275df316d8faf59bdc4a77e5eced05f0b7c7fe3d67903a75f2ca0c7e.exe 30 PID 2400 wrote to memory of 2788 2400 62460d64275df316d8faf59bdc4a77e5eced05f0b7c7fe3d67903a75f2ca0c7e.exe 30 PID 2400 wrote to memory of 2788 2400 62460d64275df316d8faf59bdc4a77e5eced05f0b7c7fe3d67903a75f2ca0c7e.exe 30 PID 2788 wrote to memory of 2692 2788 Fqmpni32.exe 31 PID 2788 wrote to memory of 2692 2788 Fqmpni32.exe 31 PID 2788 wrote to memory of 2692 2788 Fqmpni32.exe 31 PID 2788 wrote to memory of 2692 2788 Fqmpni32.exe 31 PID 2692 wrote to memory of 2712 2692 Fkbdkb32.exe 32 PID 2692 wrote to memory of 2712 2692 Fkbdkb32.exe 32 PID 2692 wrote to memory of 2712 2692 Fkbdkb32.exe 32 PID 2692 wrote to memory of 2712 2692 Fkbdkb32.exe 32 PID 2712 wrote to memory of 2624 2712 Gfehan32.exe 33 PID 2712 wrote to memory of 2624 2712 Gfehan32.exe 33 PID 2712 wrote to memory of 2624 2712 Gfehan32.exe 33 PID 2712 wrote to memory of 2624 2712 Gfehan32.exe 33 PID 2624 wrote to memory of 2616 2624 Gmoqnhla.exe 34 PID 2624 wrote to memory of 2616 2624 Gmoqnhla.exe 34 PID 2624 wrote to memory of 2616 2624 Gmoqnhla.exe 34 PID 2624 wrote to memory of 2616 2624 Gmoqnhla.exe 34 PID 2616 wrote to memory of 2612 2616 Hdiejfej.exe 35 PID 2616 wrote to memory of 2612 2616 Hdiejfej.exe 35 PID 2616 wrote to memory of 2612 2616 Hdiejfej.exe 35 PID 2616 wrote to memory of 2612 2616 Hdiejfej.exe 35 PID 2612 wrote to memory of 2212 2612 Ieagbm32.exe 36 PID 2612 wrote to memory of 2212 2612 Ieagbm32.exe 36 PID 2612 wrote to memory of 2212 2612 Ieagbm32.exe 36 PID 2612 wrote to memory of 
2212 2612 Ieagbm32.exe 36 PID 2212 wrote to memory of 492 2212 Ihfjognl.exe 37 PID 2212 wrote to memory of 492 2212 Ihfjognl.exe 37 PID 2212 wrote to memory of 492 2212 Ihfjognl.exe 37 PID 2212 wrote to memory of 492 2212 Ihfjognl.exe 37 PID 492 wrote to memory of 1612 492 Iaonhm32.exe 38 PID 492 wrote to memory of 1612 492 Iaonhm32.exe 38 PID 492 wrote to memory of 1612 492 Iaonhm32.exe 38 PID 492 wrote to memory of 1612 492 Iaonhm32.exe 38 PID 1612 wrote to memory of 2912 1612 Kobkpdfa.exe 39 PID 1612 wrote to memory of 2912 1612 Kobkpdfa.exe 39 PID 1612 wrote to memory of 2912 1612 Kobkpdfa.exe 39 PID 1612 wrote to memory of 2912 1612 Kobkpdfa.exe 39 PID 2912 wrote to memory of 1740 2912 Kmobhmnn.exe 40 PID 2912 wrote to memory of 1740 2912 Kmobhmnn.exe 40 PID 2912 wrote to memory of 1740 2912 Kmobhmnn.exe 40 PID 2912 wrote to memory of 1740 2912 Kmobhmnn.exe 40 PID 1740 wrote to memory of 2392 1740 Lmfhil32.exe 41 PID 1740 wrote to memory of 2392 1740 Lmfhil32.exe 41 PID 1740 wrote to memory of 2392 1740 Lmfhil32.exe 41 PID 1740 wrote to memory of 2392 1740 Lmfhil32.exe 41 PID 2392 wrote to memory of 2112 2392 Leammn32.exe 42 PID 2392 wrote to memory of 2112 2392 Leammn32.exe 42 PID 2392 wrote to memory of 2112 2392 Leammn32.exe 42 PID 2392 wrote to memory of 2112 2392 Leammn32.exe 42 PID 2112 wrote to memory of 2036 2112 Mbeiefff.exe 43 PID 2112 wrote to memory of 2036 2112 Mbeiefff.exe 43 PID 2112 wrote to memory of 2036 2112 Mbeiefff.exe 43 PID 2112 wrote to memory of 2036 2112 Mbeiefff.exe 43 PID 2036 wrote to memory of 2092 2036 Nblpfepo.exe 44 PID 2036 wrote to memory of 2092 2036 Nblpfepo.exe 44 PID 2036 wrote to memory of 2092 2036 Nblpfepo.exe 44 PID 2036 wrote to memory of 2092 2036 Nblpfepo.exe 44 PID 2092 wrote to memory of 1316 2092 Opifnm32.exe 45 PID 2092 wrote to memory of 1316 2092 Opifnm32.exe 45 PID 2092 wrote to memory of 1316 2092 Opifnm32.exe 45 PID 2092 wrote to memory of 1316 2092 Opifnm32.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\62460d64275df316d8faf59bdc4a77e5eced05f0b7c7fe3d67903a75f2ca0c7e.exe"C:\Users\Admin\AppData\Local\Temp\62460d64275df316d8faf59bdc4a77e5eced05f0b7c7fe3d67903a75f2ca0c7e.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2400 -
C:\Windows\SysWOW64\Fqmpni32.exeC:\Windows\system32\Fqmpni32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2788 -
C:\Windows\SysWOW64\Fkbdkb32.exeC:\Windows\system32\Fkbdkb32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2692 -
C:\Windows\SysWOW64\Gfehan32.exeC:\Windows\system32\Gfehan32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2712 -
C:\Windows\SysWOW64\Gmoqnhla.exeC:\Windows\system32\Gmoqnhla.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2624 -
C:\Windows\SysWOW64\Hdiejfej.exeC:\Windows\system32\Hdiejfej.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2616 -
C:\Windows\SysWOW64\Ieagbm32.exeC:\Windows\system32\Ieagbm32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2612 -
C:\Windows\SysWOW64\Ihfjognl.exeC:\Windows\system32\Ihfjognl.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2212 -
C:\Windows\SysWOW64\Iaonhm32.exeC:\Windows\system32\Iaonhm32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:492 -
C:\Windows\SysWOW64\Kobkpdfa.exeC:\Windows\system32\Kobkpdfa.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1612 -
C:\Windows\SysWOW64\Kmobhmnn.exeC:\Windows\system32\Kmobhmnn.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2912 -
C:\Windows\SysWOW64\Lmfhil32.exeC:\Windows\system32\Lmfhil32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1740 -
C:\Windows\SysWOW64\Leammn32.exeC:\Windows\system32\Leammn32.exe13⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2392 -
C:\Windows\SysWOW64\Mbeiefff.exeC:\Windows\system32\Mbeiefff.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2112 -
C:\Windows\SysWOW64\Nblpfepo.exeC:\Windows\system32\Nblpfepo.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2036 -
C:\Windows\SysWOW64\Opifnm32.exeC:\Windows\system32\Opifnm32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2092 -
C:\Windows\SysWOW64\Oldpnn32.exeC:\Windows\system32\Oldpnn32.exe17⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1316 -
C:\Windows\SysWOW64\Pqkobqhd.exeC:\Windows\system32\Pqkobqhd.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1476 -
C:\Windows\SysWOW64\Pjfpafmb.exeC:\Windows\system32\Pjfpafmb.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1364 -
C:\Windows\SysWOW64\Pmdmmalf.exeC:\Windows\system32\Pmdmmalf.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2368 -
C:\Windows\SysWOW64\Qfonkfqd.exeC:\Windows\system32\Qfonkfqd.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1300 -
C:\Windows\SysWOW64\Aipfmane.exeC:\Windows\system32\Aipfmane.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2292 -
C:\Windows\SysWOW64\Aollokco.exeC:\Windows\system32\Aollokco.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:872 -
C:\Windows\SysWOW64\Abkhkgbb.exeC:\Windows\system32\Abkhkgbb.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2720 -
C:\Windows\SysWOW64\Anahqh32.exeC:\Windows\system32\Anahqh32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2608 -
C:\Windows\SysWOW64\Badnhbce.exeC:\Windows\system32\Badnhbce.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2840 -
C:\Windows\SysWOW64\Bccjdnbi.exeC:\Windows\system32\Bccjdnbi.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2800 -
C:\Windows\SysWOW64\Bjoofhgc.exeC:\Windows\system32\Bjoofhgc.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2936 -
C:\Windows\SysWOW64\Bmnlbcfg.exeC:\Windows\system32\Bmnlbcfg.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:304 -
C:\Windows\SysWOW64\Bfkifhib.exeC:\Windows\system32\Bfkifhib.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:532 -
C:\Windows\SysWOW64\Chlfnp32.exeC:\Windows\system32\Chlfnp32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:576 -
C:\Windows\SysWOW64\Cafgle32.exeC:\Windows\system32\Cafgle32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2148 -
C:\Windows\SysWOW64\Caidaeak.exeC:\Windows\system32\Caidaeak.exe33⤵
- Executes dropped EXE
PID:2132 -
C:\Windows\SysWOW64\Cffljlpc.exeC:\Windows\system32\Cffljlpc.exe34⤵
- Executes dropped EXE
PID:2888 -
C:\Windows\SysWOW64\Cheido32.exeC:\Windows\system32\Cheido32.exe35⤵
- Executes dropped EXE
- Modifies registry class
PID:2812 -
C:\Windows\SysWOW64\Ddliip32.exeC:\Windows\system32\Ddliip32.exe36⤵
- Executes dropped EXE
PID:2764 -
C:\Windows\SysWOW64\Diibag32.exeC:\Windows\system32\Diibag32.exe37⤵
- Executes dropped EXE
PID:2064 -
C:\Windows\SysWOW64\Dljkcb32.exeC:\Windows\system32\Dljkcb32.exe38⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2956 -
C:\Windows\SysWOW64\Dhplhc32.exeC:\Windows\system32\Dhplhc32.exe39⤵
- Executes dropped EXE
PID:2280 -
C:\Windows\SysWOW64\Dpgcip32.exeC:\Windows\system32\Dpgcip32.exe40⤵
- Executes dropped EXE
PID:2428 -
C:\Windows\SysWOW64\Dlndnacm.exeC:\Windows\system32\Dlndnacm.exe41⤵
- Executes dropped EXE
PID:1504 -
C:\Windows\SysWOW64\Dchmkkkj.exeC:\Windows\system32\Dchmkkkj.exe42⤵
- Executes dropped EXE
PID:3040 -
C:\Windows\SysWOW64\Elqaca32.exeC:\Windows\system32\Elqaca32.exe43⤵
- Executes dropped EXE
PID:1276 -
C:\Windows\SysWOW64\Endjaief.exeC:\Windows\system32\Endjaief.exe44⤵
- Executes dropped EXE
PID:1548 -
C:\Windows\SysWOW64\Ehjona32.exeC:\Windows\system32\Ehjona32.exe45⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2416 -
C:\Windows\SysWOW64\Eccpoo32.exeC:\Windows\system32\Eccpoo32.exe46⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2976 -
C:\Windows\SysWOW64\Ekjgpm32.exeC:\Windows\system32\Ekjgpm32.exe47⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:832 -
C:\Windows\SysWOW64\Epgphcqd.exeC:\Windows\system32\Epgphcqd.exe48⤵
- Executes dropped EXE
PID:2388 -
C:\Windows\SysWOW64\Fgcejm32.exeC:\Windows\system32\Fgcejm32.exe49⤵
- Executes dropped EXE
PID:2060 -
C:\Windows\SysWOW64\Fcjeon32.exeC:\Windows\system32\Fcjeon32.exe50⤵
- Executes dropped EXE
PID:2932 -
C:\Windows\SysWOW64\Fhgnge32.exeC:\Windows\system32\Fhgnge32.exe51⤵
- Executes dropped EXE
PID:2732 -
C:\Windows\SysWOW64\Fkhgip32.exeC:\Windows\system32\Fkhgip32.exe52⤵
- Executes dropped EXE
- Modifies registry class
PID:1632 -
C:\Windows\SysWOW64\Filgbdfd.exeC:\Windows\system32\Filgbdfd.exe53⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2576 -
C:\Windows\SysWOW64\Fbdlkj32.exeC:\Windows\system32\Fbdlkj32.exe54⤵
- Executes dropped EXE
PID:2068 -
C:\Windows\SysWOW64\Findhdcb.exeC:\Windows\system32\Findhdcb.exe55⤵
- Executes dropped EXE
PID:2204 -
C:\Windows\SysWOW64\Gkomjo32.exeC:\Windows\system32\Gkomjo32.exe56⤵
- Executes dropped EXE
PID:2436 -
C:\Windows\SysWOW64\Gnmifk32.exeC:\Windows\system32\Gnmifk32.exe57⤵
- Executes dropped EXE
PID:1748 -
C:\Windows\SysWOW64\Gqlebf32.exeC:\Windows\system32\Gqlebf32.exe58⤵
- Executes dropped EXE
PID:1244 -
C:\Windows\SysWOW64\Gqnbhf32.exeC:\Windows\system32\Gqnbhf32.exe59⤵
- Executes dropped EXE
PID:2632 -
C:\Windows\SysWOW64\Gaqomeke.exeC:\Windows\system32\Gaqomeke.exe60⤵
- Executes dropped EXE
PID:1372 -
C:\Windows\SysWOW64\Gcokiaji.exeC:\Windows\system32\Gcokiaji.exe61⤵
- Executes dropped EXE
PID:2408 -
C:\Windows\SysWOW64\Gbdhjm32.exeC:\Windows\system32\Gbdhjm32.exe62⤵
- Executes dropped EXE
PID:1868 -
C:\Windows\SysWOW64\Hinqgg32.exeC:\Windows\system32\Hinqgg32.exe63⤵
- Executes dropped EXE
PID:2268 -
C:\Windows\SysWOW64\Hfbaql32.exeC:\Windows\system32\Hfbaql32.exe64⤵
- Executes dropped EXE
- Modifies registry class
PID:2948 -
C:\Windows\SysWOW64\Halbai32.exeC:\Windows\system32\Halbai32.exe65⤵
- Executes dropped EXE
PID:2184 -
C:\Windows\SysWOW64\Hegnahjo.exeC:\Windows\system32\Hegnahjo.exe66⤵PID:2244
-
C:\Windows\SysWOW64\Hnpbjnpo.exeC:\Windows\system32\Hnpbjnpo.exe67⤵
- System Location Discovery: System Language Discovery
PID:1640 -
C:\Windows\SysWOW64\Hmeolj32.exeC:\Windows\system32\Hmeolj32.exe68⤵
- Drops file in System32 directory
PID:1292 -
C:\Windows\SysWOW64\Helgmg32.exeC:\Windows\system32\Helgmg32.exe69⤵PID:2536
-
C:\Windows\SysWOW64\Ijklknbn.exeC:\Windows\system32\Ijklknbn.exe70⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2496 -
C:\Windows\SysWOW64\Iphecepe.exeC:\Windows\system32\Iphecepe.exe71⤵
- Modifies registry class
PID:1556 -
C:\Windows\SysWOW64\Imleli32.exeC:\Windows\system32\Imleli32.exe72⤵PID:2848
-
C:\Windows\SysWOW64\Ibhndp32.exeC:\Windows\system32\Ibhndp32.exe73⤵PID:2792
-
C:\Windows\SysWOW64\Ieigfk32.exeC:\Windows\system32\Ieigfk32.exe74⤵PID:2572
-
C:\Windows\SysWOW64\Ihhcbf32.exeC:\Windows\system32\Ihhcbf32.exe75⤵PID:1660
-
C:\Windows\SysWOW64\Jodhdp32.exeC:\Windows\system32\Jodhdp32.exe76⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:568 -
C:\Windows\SysWOW64\Jabdql32.exeC:\Windows\system32\Jabdql32.exe77⤵PID:2296
-
C:\Windows\SysWOW64\Jofejpmc.exeC:\Windows\system32\Jofejpmc.exe78⤵PID:2480
-
C:\Windows\SysWOW64\Jgaiobjn.exeC:\Windows\system32\Jgaiobjn.exe79⤵PID:1996
-
C:\Windows\SysWOW64\Jplkmgol.exeC:\Windows\system32\Jplkmgol.exe80⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2676 -
C:\Windows\SysWOW64\Jckgicnp.exeC:\Windows\system32\Jckgicnp.exe81⤵PID:2088
-
C:\Windows\SysWOW64\Kcmcoblm.exeC:\Windows\system32\Kcmcoblm.exe82⤵PID:1004
-
C:\Windows\SysWOW64\Klehgh32.exeC:\Windows\system32\Klehgh32.exe83⤵
- Drops file in System32 directory
PID:1796 -
C:\Windows\SysWOW64\Koddccaa.exeC:\Windows\system32\Koddccaa.exe84⤵PID:1668
-
C:\Windows\SysWOW64\Kofaicon.exeC:\Windows\system32\Kofaicon.exe85⤵PID:932
-
C:\Windows\SysWOW64\Kcdjoaee.exeC:\Windows\system32\Kcdjoaee.exe86⤵PID:2380
-
C:\Windows\SysWOW64\Kdefgj32.exeC:\Windows\system32\Kdefgj32.exe87⤵
- System Location Discovery: System Language Discovery
PID:1676 -
C:\Windows\SysWOW64\Khcomhbi.exeC:\Windows\system32\Khcomhbi.exe88⤵PID:2580
-
C:\Windows\SysWOW64\Lomgjb32.exeC:\Windows\system32\Lomgjb32.exe89⤵PID:2728
-
C:\Windows\SysWOW64\Lnbdko32.exeC:\Windows\system32\Lnbdko32.exe90⤵PID:2688
-
C:\Windows\SysWOW64\Lcomce32.exeC:\Windows\system32\Lcomce32.exe91⤵PID:1908
-
C:\Windows\SysWOW64\Lgmeid32.exeC:\Windows\system32\Lgmeid32.exe92⤵PID:2100
-
C:\Windows\SysWOW64\Lngnfnji.exeC:\Windows\system32\Lngnfnji.exe93⤵PID:836
-
C:\Windows\SysWOW64\Lqhfhigj.exeC:\Windows\system32\Lqhfhigj.exe94⤵PID:1272
-
C:\Windows\SysWOW64\Lokgcf32.exeC:\Windows\system32\Lokgcf32.exe95⤵PID:1964
-
C:\Windows\SysWOW64\Mkaghg32.exeC:\Windows\system32\Mkaghg32.exe96⤵PID:2236
-
C:\Windows\SysWOW64\Mchoid32.exeC:\Windows\system32\Mchoid32.exe97⤵PID:2276
-
C:\Windows\SysWOW64\Macilmnk.exeC:\Windows\system32\Macilmnk.exe98⤵PID:2412
-
C:\Windows\SysWOW64\Mngjeamd.exeC:\Windows\system32\Mngjeamd.exe99⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:1672 -
C:\Windows\SysWOW64\Mbbfep32.exeC:\Windows\system32\Mbbfep32.exe100⤵PID:1936
-
C:\Windows\SysWOW64\Mnifja32.exeC:\Windows\system32\Mnifja32.exe101⤵PID:1920
-
C:\Windows\SysWOW64\Nmnclmoj.exeC:\Windows\system32\Nmnclmoj.exe102⤵
- Modifies registry class
PID:2320 -
C:\Windows\SysWOW64\Npmphinm.exeC:\Windows\system32\Npmphinm.exe103⤵
- Drops file in System32 directory
PID:2960 -
C:\Windows\SysWOW64\Nmqpam32.exeC:\Windows\system32\Nmqpam32.exe104⤵PID:2916
-
C:\Windows\SysWOW64\Nfidjbdg.exeC:\Windows\system32\Nfidjbdg.exe105⤵
- System Location Discovery: System Language Discovery
PID:2568 -
C:\Windows\SysWOW64\Nijnln32.exeC:\Windows\system32\Nijnln32.exe106⤵PID:580
-
C:\Windows\SysWOW64\Nmejllia.exeC:\Windows\system32\Nmejllia.exe107⤵PID:1608
-
C:\Windows\SysWOW64\Opfbngfb.exeC:\Windows\system32\Opfbngfb.exe108⤵PID:2644
-
C:\Windows\SysWOW64\Obdojcef.exeC:\Windows\system32\Obdojcef.exe109⤵
- Modifies registry class
PID:1044 -
C:\Windows\SysWOW64\Odhhgkib.exeC:\Windows\system32\Odhhgkib.exe110⤵PID:2352
-
C:\Windows\SysWOW64\Olophhjd.exeC:\Windows\system32\Olophhjd.exe111⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:3068 -
C:\Windows\SysWOW64\Ohfqmi32.exeC:\Windows\system32\Ohfqmi32.exe112⤵PID:1876
-
C:\Windows\SysWOW64\Opaebkmc.exeC:\Windows\system32\Opaebkmc.exe113⤵PID:1644
-
C:\Windows\SysWOW64\Ohhmcinf.exeC:\Windows\system32\Ohhmcinf.exe114⤵PID:608
-
C:\Windows\SysWOW64\Ppcbgkka.exeC:\Windows\system32\Ppcbgkka.exe115⤵
- Modifies registry class
PID:3052 -
C:\Windows\SysWOW64\Pcdkif32.exeC:\Windows\system32\Pcdkif32.exe116⤵PID:2080
-
C:\Windows\SysWOW64\Pincfpoo.exeC:\Windows\system32\Pincfpoo.exe117⤵PID:2256
-
C:\Windows\SysWOW64\Ppkhhjei.exeC:\Windows\system32\Ppkhhjei.exe118⤵
- Drops file in System32 directory
- Modifies registry class
PID:984 -
C:\Windows\SysWOW64\Palepb32.exeC:\Windows\system32\Palepb32.exe119⤵PID:2104
-
C:\Windows\SysWOW64\Pckajebj.exeC:\Windows\system32\Pckajebj.exe120⤵PID:1720
-
C:\Windows\SysWOW64\Panaeb32.exeC:\Windows\system32\Panaeb32.exe121⤵PID:2552
-
C:\Windows\SysWOW64\Qhjfgl32.exeC:\Windows\system32\Qhjfgl32.exe122⤵PID:2240