Analysis
-
max time kernel
95s -
max time network
96s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
13-11-2024 19:01
Static task
static1
Behavioral task
behavioral1
Sample
62460d64275df316d8faf59bdc4a77e5eced05f0b7c7fe3d67903a75f2ca0c7e.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
62460d64275df316d8faf59bdc4a77e5eced05f0b7c7fe3d67903a75f2ca0c7e.exe
Resource
win10v2004-20241007-en
General
-
Target
62460d64275df316d8faf59bdc4a77e5eced05f0b7c7fe3d67903a75f2ca0c7e.exe
-
Size
1.1MB
-
MD5
16a12d75fb5ebd0a319af381caea7a4a
-
SHA1
01cd03a13ae3cc8f775930dc63b18d1a5888e245
-
SHA256
62460d64275df316d8faf59bdc4a77e5eced05f0b7c7fe3d67903a75f2ca0c7e
-
SHA512
96178cc8753485db022b6b70af0701f03a9b95adaa1e8cd3b78b0e9335dbc95e01db93a8b1c93cc623e43017831cf781c44b28895b105e8611fb95ed3582e464
-
SSDEEP
12288:11WrQg5Z/+zrWAIAqWim/+zrWAI5KFukEyDucEQX:1grQg5ZmvFimm0HkEyDucEQX
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
Processes:
Ejjaqk32.exeOhkkhhmh.exeDdifgk32.exeDjfcaohp.exeKbddfmgl.exeMblcnj32.exeIoolkncg.exeDpmcmf32.exeNpjnhc32.exeGknkpjfb.exeEkodjiol.exeFooclapd.exeLkeekk32.exeQkmdkgob.exeAadghn32.exePgkelj32.exeEmpoiimf.exeLfbped32.exeAphnnafb.exeJlbejloe.exeMcaipa32.exeCkilmcgb.exeGmafajfi.exeJmeede32.exeEkdnei32.exeAagkhd32.exeIlkoim32.exeIlnlom32.exeDikpbl32.exeHgdejd32.exeMbhamajc.exeAbmjqe32.exeQdaniq32.exeQofcff32.exeNmnqjp32.exeDmdonkgc.exeJdgafjpn.exeMfpell32.exeLbpdblmo.exeIpoopgnf.exeGflhoo32.exeIamamcop.exeGnhnaf32.exeHgnoki32.exeDglkoeio.exeEdoencdm.exeKnbbep32.exeQlgpod32.exeAhippdbe.exeJoqafgni.exeOldjcg32.exeIepaaico.exeKfnkkb32.exeJnhidk32.exePidabppl.exeLaqhhi32.exeLcclncbh.exeEnigke32.exeOmpfej32.exeDdnobj32.exeNebmekoi.exeBhkmec32.exeFjocbhbo.exedescription ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ejjaqk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ohkkhhmh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ddifgk32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Djfcaohp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kbddfmgl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mblcnj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ioolkncg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dpmcmf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Npjnhc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gknkpjfb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ekodjiol.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fooclapd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Djfcaohp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lkeekk32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qkmdkgob.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aadghn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pgkelj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Empoiimf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lfbped32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aphnnafb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jlbejloe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mcaipa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ckilmcgb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gmafajfi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jmeede32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ekdnei32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Aagkhd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ilkoim32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ilnlom32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dikpbl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hgdejd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mbhamajc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Abmjqe32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qdaniq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Qofcff32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nmnqjp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dmdonkgc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jdgafjpn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mfpell32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lbpdblmo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ipoopgnf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gflhoo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Iamamcop.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gnhnaf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hgnoki32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dglkoeio.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Edoencdm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Knbbep32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qlgpod32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ahippdbe.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Joqafgni.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Oldjcg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Iepaaico.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kfnkkb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jnhidk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pidabppl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Laqhhi32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lcclncbh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Enigke32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ompfej32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ddnobj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nebmekoi.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bhkmec32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fjocbhbo.exe -
Executes dropped EXE 64 IoCs
Processes:
Jkaqnk32.exeJblijebc.exeKbpbed32.exeKngcje32.exeKfnkkb32.exeKiodmn32.exeLbjelc32.exeLpneegel.exeLfhnaa32.exeLppbkgcj.exeLoeolc32.exeLbqklb32.exeLikcilhh.exeLhncdi32.exeLpekef32.exeLoglacfo.exeLfodbqfa.exeLeadnm32.exeMhppji32.exeMpghkf32.exeMojhgbdl.exeMfaqhp32.exeMiomdk32.exeMhbmphjm.exeMpieqeko.exeMolelb32.exeMbhamajc.exeMefmimif.exeMhdjehhj.exeMlpeff32.exeMoobbb32.exeMbjnbqhp.exeMehjol32.exeMhgfkg32.exeMpnnle32.exeMoaogand.exeMblkhq32.exeMekgdl32.exeMifcejnj.exeMleoafmn.exeMockmala.exeMbognp32.exeNhlpfgbb.exeNpchgdcd.exeNbadcpbh.exeNgmpcn32.exeNiklpj32.exeNlihle32.exeNohehq32.exeNgomin32.exeNebmekoi.exeNhpiafnm.exeNpgabc32.exeNojanpej.exeNgaionfl.exeNipekiep.exeNhbfff32.exeNpjnhc32.exeNchjdo32.exeNeffpj32.exeNibbqicm.exeNlqomd32.exeNookip32.exeNcjginjn.exepid Process 1540 Jkaqnk32.exe 5008 Jblijebc.exe 4176 Kbpbed32.exe 1692 Kngcje32.exe 4572 Kfnkkb32.exe 4880 Kiodmn32.exe 364 Lbjelc32.exe 2416 Lpneegel.exe 2000 Lfhnaa32.exe 4740 Lppbkgcj.exe 1888 Loeolc32.exe 2768 Lbqklb32.exe 3904 Likcilhh.exe 372 Lhncdi32.exe 5112 Lpekef32.exe 2704 Loglacfo.exe 2276 Lfodbqfa.exe 4432 Leadnm32.exe 2744 Mhppji32.exe 1584 Mpghkf32.exe 872 Mojhgbdl.exe 4224 Mfaqhp32.exe 2724 Miomdk32.exe 2180 Mhbmphjm.exe 4480 Mpieqeko.exe 4288 Molelb32.exe 2608 Mbhamajc.exe 4252 Mefmimif.exe 3912 Mhdjehhj.exe 1748 Mlpeff32.exe 2620 Moobbb32.exe 1680 Mbjnbqhp.exe 1428 Mehjol32.exe 3756 Mhgfkg32.exe 1524 Mpnnle32.exe 1412 Moaogand.exe 700 Mblkhq32.exe 2436 Mekgdl32.exe 3384 Mifcejnj.exe 4264 Mleoafmn.exe 3208 Mockmala.exe 3844 Mbognp32.exe 232 Nhlpfgbb.exe 464 Npchgdcd.exe 1460 Nbadcpbh.exe 4032 Ngmpcn32.exe 2824 Niklpj32.exe 2528 Nlihle32.exe 4072 Nohehq32.exe 2872 Ngomin32.exe 3100 Nebmekoi.exe 3040 Nhpiafnm.exe 1416 Npgabc32.exe 1588 Nojanpej.exe 2232 Ngaionfl.exe 3920 Nipekiep.exe 3428 Nhbfff32.exe 4900 Npjnhc32.exe 4484 Nchjdo32.exe 4088 Neffpj32.exe 1080 Nibbqicm.exe 4400 Nlqomd32.exe 1856 Nookip32.exe 32 Ncjginjn.exe -
Drops file in System32 directory 64 IoCs
Processes:
Eohmkb32.exeOpcqnb32.exeAfelhf32.exeLcnmin32.exeFmhdkknd.exeGflhoo32.exeBmofagfp.exeOmpfej32.exePblajhje.exePhjenbhp.exeAmodep32.exeJmeede32.exeNcmhko32.exeOkchnk32.exeOlicnfco.exeDnbakghm.exeJghpbk32.exeOfhknodl.exeFbbicl32.exeJlikkkhn.exeMblkhq32.exeEfkphnbd.exeCimmggfl.exeFmfgek32.exeJljbeali.exeFgcjfbed.exeMpnnle32.exeGaopfe32.exeBkmmaeap.exePldcjeia.exeIibccgep.exeBklfgo32.exeEkdnei32.exeKegpifod.exeHemmac32.exeIbcjqgnm.exeKdpmbc32.exeDkahilkl.exeEkodjiol.exeIpgbdbqb.exeNmbjcljl.exeMohidbkl.exeCmfclm32.exeLiqihglg.exeHpofii32.exeDijbno32.exeBpfkpp32.exeQapnmopa.exeDgpeha32.exeFphnlcdo.exeHkfglb32.exeKgipcogp.exeOmgmeigd.exeDkcndeen.exeDcphdqmj.exeOgklelna.exeIgqkqiai.exeCbphdn32.exeCoohhlpe.exeDdfbgelh.exeLpneegel.exeDjfcaohp.exeCbbnpg32.exeAhdpjn32.exedescription ioc Process File opened for modification C:\Windows\SysWOW64\Eqiibjlj.exe Eohmkb32.exe File created C:\Windows\SysWOW64\Ocamjm32.exe Opcqnb32.exe File opened for modification C:\Windows\SysWOW64\Amodep32.exe Afelhf32.exe File opened for modification C:\Windows\SysWOW64\Lkeekk32.exe Lcnmin32.exe File created C:\Windows\SysWOW64\Fknajfhe.dll Fmhdkknd.exe File created C:\Windows\SysWOW64\Eklikcef.dll Gflhoo32.exe File created C:\Windows\SysWOW64\Bjbfklei.exe Bmofagfp.exe File created C:\Windows\SysWOW64\Opnbae32.exe Ompfej32.exe File created C:\Windows\SysWOW64\Pjcikejg.exe Pblajhje.exe File created C:\Windows\SysWOW64\Bkhakafh.dll Phjenbhp.exe File created C:\Windows\SysWOW64\Fliabjbh.dll Amodep32.exe File created C:\Windows\SysWOW64\Jofalmmp.exe Jmeede32.exe File opened for modification C:\Windows\SysWOW64\Nijqcf32.exe Ncmhko32.exe File created C:\Windows\SysWOW64\Kalhafbk.dll Okchnk32.exe File opened for modification C:\Windows\SysWOW64\Oogpjbbb.exe Olicnfco.exe File created C:\Windows\SysWOW64\Digehphc.exe Dnbakghm.exe File created C:\Windows\SysWOW64\Jmbhoeid.exe Jghpbk32.exe File created C:\Windows\SysWOW64\Figmglee.dll Ofhknodl.exe File opened for modification C:\Windows\SysWOW64\Fgoakc32.exe Fbbicl32.exe File created C:\Windows\SysWOW64\Amhmnagf.dll Jlikkkhn.exe File created C:\Windows\SysWOW64\Mekgdl32.exe Mblkhq32.exe File created C:\Windows\SysWOW64\Gdbqla32.dll Efkphnbd.exe File created C:\Windows\SysWOW64\Ccbadp32.exe Cimmggfl.exe File created C:\Windows\SysWOW64\Gmiadfmi.dll Fmfgek32.exe File opened for modification C:\Windows\SysWOW64\Johnamkm.exe Jljbeali.exe File created C:\Windows\SysWOW64\Gbiockdj.exe Fgcjfbed.exe File created C:\Windows\SysWOW64\Moaogand.exe Mpnnle32.exe File opened for modification C:\Windows\SysWOW64\Gdmmbq32.exe Gaopfe32.exe File created C:\Windows\SysWOW64\Bcddcbab.exe Bkmmaeap.exe File created C:\Windows\SysWOW64\Qmepam32.exe Pldcjeia.exe File opened for modification C:\Windows\SysWOW64\Ioolkncg.exe Iibccgep.exe File created C:\Windows\SysWOW64\Bnkbcj32.exe Bklfgo32.exe File opened for modification C:\Windows\SysWOW64\Ebnfbcbc.exe Ekdnei32.exe File created C:\Windows\SysWOW64\Hicakqhn.dll Kegpifod.exe File opened for modification C:\Windows\SysWOW64\Ipbaol32.exe Hemmac32.exe File opened for modification C:\Windows\SysWOW64\Ilkoim32.exe Ibcjqgnm.exe File opened for modification C:\Windows\SysWOW64\Knhakh32.exe Kdpmbc32.exe File opened for modification C:\Windows\SysWOW64\Dbkqfe32.exe Dkahilkl.exe File created C:\Windows\SysWOW64\Nkopekaa.dll Ekodjiol.exe File created C:\Windows\SysWOW64\Igajal32.exe Ipgbdbqb.exe File opened for modification C:\Windows\SysWOW64\Nfjola32.exe Nmbjcljl.exe File created C:\Windows\SysWOW64\Jfpqiega.dll Mohidbkl.exe File created C:\Windows\SysWOW64\Hphlgp32.dll Cmfclm32.exe File created C:\Windows\SysWOW64\Bbekbm32.dll Liqihglg.exe File opened for modification C:\Windows\SysWOW64\Hginecde.exe Hpofii32.exe File created C:\Windows\SysWOW64\Dejncidp.dll Dijbno32.exe File created C:\Windows\SysWOW64\Pjllddpj.dll Bpfkpp32.exe File created C:\Windows\SysWOW64\Pafpga32.dll Qapnmopa.exe File created C:\Windows\SysWOW64\Daeifj32.exe Dgpeha32.exe File created C:\Windows\SysWOW64\Kjcejfha.dll Fphnlcdo.exe File created C:\Windows\SysWOW64\Ljeffhcd.dll Hkfglb32.exe File created C:\Windows\SysWOW64\Knchpiom.exe Kgipcogp.exe File created C:\Windows\SysWOW64\Pfoann32.exe Omgmeigd.exe File created C:\Windows\SysWOW64\Damfao32.exe Dkcndeen.exe File created C:\Windows\SysWOW64\Ejjaqk32.exe Dcphdqmj.exe File opened for modification C:\Windows\SysWOW64\Oiihahme.exe Ogklelna.exe File created C:\Windows\SysWOW64\Ijogmdqm.exe Igqkqiai.exe File created C:\Windows\SysWOW64\Ibclmgdb.dll Cbphdn32.exe File opened for modification C:\Windows\SysWOW64\Cfipef32.exe Coohhlpe.exe File created C:\Windows\SysWOW64\Eemeqinf.dll Ddfbgelh.exe File created C:\Windows\SysWOW64\Pbpebh32.dll Lpneegel.exe File created C:\Windows\SysWOW64\Mcpeiqdc.dll Djfcaohp.exe File opened for modification C:\Windows\SysWOW64\Clgbmp32.exe Cbbnpg32.exe File created C:\Windows\SysWOW64\Akblfj32.exe Ahdpjn32.exe -
Program crash 1 IoCs
Processes:
WerFault.exepid pid_target Process procid_target 10044 6264 WerFault.exe 1089 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
Mpnnle32.exeObjpoh32.exeNlfnaicd.exeFfnknafg.exeKbpbed32.exeIhdafkdg.exeBmhocd32.exeMjidgkog.exeHacbhb32.exeIpoopgnf.exeDheibpje.exeEbdlangb.exeKoonge32.exeNijqcf32.exeJklinohd.exeJlbejloe.exeCmfclm32.exeGijekg32.exePcobaedj.exeBkobmnka.exeObcceg32.exeAomifecf.exeDflmlj32.exeIdhnkf32.exeMokmdh32.exePedlgbkh.exeOogpjbbb.exeLnoaaaad.exeKlggli32.exeKofdhd32.exeGnlgleef.exeMkohaj32.exeBnkbcj32.exeFmhdkknd.exeEqiibjlj.exeMoobbb32.exeOckdmmoj.exePfagighf.exeOghppm32.exeDdcqedkk.exeFpimlfke.exeLcclncbh.exeMolelb32.exeGaamlecg.exeJjopcb32.exeOidofh32.exeApaadpng.exeKjepjkhf.exeMmnhcb32.exeFclhpo32.exePomgjn32.exeNlqomd32.exeJdgafjpn.exeEkodjiol.exeDahfkimd.exeOjemig32.exePgflqkdd.exeAbmjqe32.exeKnbbep32.exeEkaapi32.exeKegpifod.exeEbaplnie.exeKjmmepfj.exeEhpadhll.exedescription ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mpnnle32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Objpoh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nlfnaicd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ffnknafg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kbpbed32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ihdafkdg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bmhocd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mjidgkog.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hacbhb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ipoopgnf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dheibpje.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ebdlangb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Koonge32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nijqcf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jklinohd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jlbejloe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cmfclm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gijekg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pcobaedj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bkobmnka.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Obcceg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aomifecf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dflmlj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Idhnkf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mokmdh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pedlgbkh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oogpjbbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lnoaaaad.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Klggli32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kofdhd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gnlgleef.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mkohaj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bnkbcj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fmhdkknd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eqiibjlj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Moobbb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ockdmmoj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pfagighf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oghppm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ddcqedkk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fpimlfke.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lcclncbh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Molelb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gaamlecg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jjopcb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oidofh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Apaadpng.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kjepjkhf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mmnhcb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fclhpo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pomgjn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nlqomd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jdgafjpn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ekodjiol.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dahfkimd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ojemig32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pgflqkdd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Abmjqe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Knbbep32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ekaapi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kegpifod.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ebaplnie.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kjmmepfj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ehpadhll.exe -
Modifies registry class 64 IoCs
Processes:
Obcceg32.exeGbabigfj.exeAkblfj32.exeGnblnlhl.exeHalhfe32.exeCadlbk32.exeFgbfhmll.exeAogiap32.exeJilfifme.exeDcphdqmj.exeNibbqicm.exeEmlenj32.exeDihlbf32.exeAomifecf.exeFfnknafg.exeEnjfli32.exeIjogmdqm.exeKqnbkl32.exeLcclncbh.exeDaeifj32.exeDdadpdmn.exeDijbno32.exeMgphpe32.exeCalfpk32.exeJhplpl32.exePefhlaie.exeOlicnfco.exeBahkih32.exeGbchdp32.exeBmhocd32.exeCpfmlghd.exeFmqgpgoc.exeLiqihglg.exeGbeejp32.exeDafppp32.exeIjcahd32.exeJdgafjpn.exeCocjiehd.exeOikjkc32.exeOcdjpmac.exeFgjhpcmo.exeKlpakj32.exeOcihgnam.exePbcncibp.exeGfjkjo32.exeDdifgk32.exePadnaq32.exeKbpbed32.exeMockmala.exePhhhhc32.exeNemmoe32.exeMmkdcm32.exeGjfnedho.exeBddjpd32.exeLpepbgbd.exeEaceghcg.exeLeadnm32.exeEjalcgkg.exeFlqdlnde.exeDamfao32.exePimfpc32.exeDfoiaj32.exeEjchhgid.exedescription ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Obcceg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Gbabigfj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Akblfj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hclkag32.dll" Gnblnlhl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjmmpa32.dll" Halhfe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ddgfdiop.dll" Cadlbk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Fgbfhmll.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Aogiap32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gifjfmcq.dll" Jilfifme.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Dcphdqmj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Nibbqicm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Emlenj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Dihlbf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Aomifecf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ffnknafg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fbjbac32.dll" Enjfli32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dqnmlj32.dll" Ijogmdqm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kqnbkl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pabcflhd.dll" Lcclncbh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Daeifj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Laniklje.dll" Ddadpdmn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dijbno32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gabfbmnl.dll" Mgphpe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dooaccfg.dll" Calfpk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lkjaaljm.dll" Jhplpl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pefhlaie.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Olicnfco.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bahkih32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nqdmimbf.dll" Gbchdp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ampillfk.dll" Bmhocd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cpfmlghd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmflgn32.dll" Fmqgpgoc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ijogmdqm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Liqihglg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Gbeejp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekppjn32.dll" Dafppp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iangld32.dll" Ijcahd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jdgafjpn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cocjiehd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Oikjkc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ocdjpmac.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lhpapf32.dll" Fgjhpcmo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfmlqhcc.dll" Klpakj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gejimf32.dll" Ocihgnam.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pbcncibp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Gfjkjo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ddifgk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Padnaq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kbpbed32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mockmala.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gafian32.dll" Phhhhc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mhbhmhpf.dll" Nemmoe32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mmkdcm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ocjggbdl.dll" Gjfnedho.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bddjpd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aaeidf32.dll" Lpepbgbd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Eaceghcg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Leadnm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhidngmn.dll" Ejalcgkg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Flqdlnde.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Damfao32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ojgljk32.dll" Pimfpc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Dfoiaj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ejchhgid.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
62460d64275df316d8faf59bdc4a77e5eced05f0b7c7fe3d67903a75f2ca0c7e.exeJkaqnk32.exeJblijebc.exeKbpbed32.exeKngcje32.exeKfnkkb32.exeKiodmn32.exeLbjelc32.exeLpneegel.exeLfhnaa32.exeLppbkgcj.exeLoeolc32.exeLbqklb32.exeLikcilhh.exeLhncdi32.exeLpekef32.exeLoglacfo.exeLfodbqfa.exeLeadnm32.exeMhppji32.exeMpghkf32.exeMojhgbdl.exedescription pid Process procid_target PID 3496 wrote to memory of 1540 3496 62460d64275df316d8faf59bdc4a77e5eced05f0b7c7fe3d67903a75f2ca0c7e.exe 83 PID 3496 wrote to memory of 1540 3496 62460d64275df316d8faf59bdc4a77e5eced05f0b7c7fe3d67903a75f2ca0c7e.exe 83 PID 3496 wrote to memory of 1540 3496 62460d64275df316d8faf59bdc4a77e5eced05f0b7c7fe3d67903a75f2ca0c7e.exe 83 PID 1540 wrote to memory of 5008 1540 Jkaqnk32.exe 84 PID 1540 wrote to memory of 5008 1540 Jkaqnk32.exe 84 PID 1540 wrote to memory of 5008 1540 Jkaqnk32.exe 84 PID 5008 wrote to memory of 4176 5008 Jblijebc.exe 85 PID 5008 wrote to memory of 4176 5008 Jblijebc.exe 85 PID 5008 wrote to memory of 4176 5008 Jblijebc.exe 85 PID 4176 wrote to memory of 1692 4176 Kbpbed32.exe 86 PID 4176 wrote to memory of 1692 4176 Kbpbed32.exe 86 PID 4176 wrote to memory of 1692 4176 Kbpbed32.exe 86 PID 1692 wrote to memory of 4572 1692 Kngcje32.exe 87 PID 1692 wrote to memory of 4572 1692 Kngcje32.exe 87 PID 1692 wrote to memory of 4572 1692 Kngcje32.exe 87 PID 4572 wrote to memory of 4880 4572 Kfnkkb32.exe 88 PID 4572 wrote to memory of 4880 4572 Kfnkkb32.exe 88 PID 4572 wrote to memory of 4880 4572 Kfnkkb32.exe 88 PID 4880 wrote to memory of 364 4880 Kiodmn32.exe 89 PID 4880 wrote to memory of 364 4880 Kiodmn32.exe 89 PID 4880 wrote to memory of 364 4880 Kiodmn32.exe 89 PID 364 wrote to memory of 2416 364 Lbjelc32.exe 90 PID 364 wrote to memory of 2416 364 Lbjelc32.exe 90 PID 364 wrote to memory of 2416 364 Lbjelc32.exe 90 PID 2416 wrote to memory of 2000 2416 Lpneegel.exe 91 PID 2416 wrote to memory of 2000 2416 Lpneegel.exe 91 PID 2416 wrote to memory of 2000 2416 Lpneegel.exe 91 PID 2000 wrote to memory of 4740 2000 Lfhnaa32.exe 92 PID 2000 wrote to memory of 4740 2000 Lfhnaa32.exe 92 PID 2000 wrote to memory of 4740 2000 Lfhnaa32.exe 92 PID 4740 wrote to memory of 1888 4740 Lppbkgcj.exe 93 PID 4740 wrote to memory of 1888 4740 Lppbkgcj.exe 93 PID 4740 wrote to memory of 1888 4740 Lppbkgcj.exe 93 PID 1888 wrote to memory of 2768 1888 Loeolc32.exe 94 PID 1888 wrote to memory of 2768 1888 Loeolc32.exe 94 PID 1888 wrote to memory of 2768 1888 Loeolc32.exe 94 PID 2768 wrote to memory of 3904 2768 Lbqklb32.exe 95 PID 2768 wrote to memory of 3904 2768 Lbqklb32.exe 95 PID 2768 wrote to memory of 3904 2768 Lbqklb32.exe 95 PID 3904 wrote to memory of 372 3904 Likcilhh.exe 96 PID 3904 wrote to memory of 372 3904 Likcilhh.exe 96 PID 3904 wrote to memory of 372 3904 Likcilhh.exe 96 PID 372 wrote to memory of 5112 372 Lhncdi32.exe 97 PID 372 wrote to memory of 5112 372 Lhncdi32.exe 97 PID 372 wrote to memory of 5112 372 Lhncdi32.exe 97 PID 5112 wrote to memory of 2704 5112 Lpekef32.exe 98 PID 5112 wrote to memory of 2704 5112 Lpekef32.exe 98 PID 5112 wrote to memory of 2704 5112 Lpekef32.exe 98 PID 2704 wrote to memory of 2276 2704 Loglacfo.exe 99 PID 2704 wrote to memory of 2276 2704 Loglacfo.exe 99 PID 2704 wrote to memory of 2276 2704 Loglacfo.exe 99 PID 2276 wrote to memory of 4432 2276 Lfodbqfa.exe 100 PID 2276 wrote to memory of 4432 2276 Lfodbqfa.exe 100 PID 2276 wrote to memory of 4432 2276 Lfodbqfa.exe 100 PID 4432 wrote to memory of 2744 4432 Leadnm32.exe 101 PID 4432 wrote to memory of 2744 4432 Leadnm32.exe 101 PID 4432 wrote to memory of 2744 4432 Leadnm32.exe 101 PID 2744 wrote to memory of 1584 2744 Mhppji32.exe 102 PID 2744 wrote to memory of 1584 2744 Mhppji32.exe 102 PID 2744 wrote to memory of 1584 2744 Mhppji32.exe 102 PID 1584 wrote to memory of 872 1584 Mpghkf32.exe 103 PID 1584 wrote to memory of 872 1584 Mpghkf32.exe 103 PID 1584 wrote to memory of 872 1584 Mpghkf32.exe 103 PID 872 wrote to memory of 4224 872 Mojhgbdl.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\62460d64275df316d8faf59bdc4a77e5eced05f0b7c7fe3d67903a75f2ca0c7e.exe"C:\Users\Admin\AppData\Local\Temp\62460d64275df316d8faf59bdc4a77e5eced05f0b7c7fe3d67903a75f2ca0c7e.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:3496 -
C:\Windows\SysWOW64\Jkaqnk32.exeC:\Windows\system32\Jkaqnk32.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1540 -
C:\Windows\SysWOW64\Jblijebc.exeC:\Windows\system32\Jblijebc.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5008 -
C:\Windows\SysWOW64\Kbpbed32.exeC:\Windows\system32\Kbpbed32.exe4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4176 -
C:\Windows\SysWOW64\Kngcje32.exeC:\Windows\system32\Kngcje32.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1692 -
C:\Windows\SysWOW64\Kfnkkb32.exeC:\Windows\system32\Kfnkkb32.exe6⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4572 -
C:\Windows\SysWOW64\Kiodmn32.exeC:\Windows\system32\Kiodmn32.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4880 -
C:\Windows\SysWOW64\Lbjelc32.exeC:\Windows\system32\Lbjelc32.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:364 -
C:\Windows\SysWOW64\Lpneegel.exeC:\Windows\system32\Lpneegel.exe9⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2416 -
C:\Windows\SysWOW64\Lfhnaa32.exeC:\Windows\system32\Lfhnaa32.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2000 -
C:\Windows\SysWOW64\Lppbkgcj.exeC:\Windows\system32\Lppbkgcj.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4740 -
C:\Windows\SysWOW64\Loeolc32.exeC:\Windows\system32\Loeolc32.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1888 -
C:\Windows\SysWOW64\Lbqklb32.exeC:\Windows\system32\Lbqklb32.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2768 -
C:\Windows\SysWOW64\Likcilhh.exeC:\Windows\system32\Likcilhh.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3904 -
C:\Windows\SysWOW64\Lhncdi32.exeC:\Windows\system32\Lhncdi32.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:372 -
C:\Windows\SysWOW64\Lpekef32.exeC:\Windows\system32\Lpekef32.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5112 -
C:\Windows\SysWOW64\Loglacfo.exeC:\Windows\system32\Loglacfo.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2704 -
C:\Windows\SysWOW64\Lfodbqfa.exeC:\Windows\system32\Lfodbqfa.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2276 -
C:\Windows\SysWOW64\Leadnm32.exeC:\Windows\system32\Leadnm32.exe19⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4432 -
C:\Windows\SysWOW64\Mhppji32.exeC:\Windows\system32\Mhppji32.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2744 -
C:\Windows\SysWOW64\Mpghkf32.exeC:\Windows\system32\Mpghkf32.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1584 -
C:\Windows\SysWOW64\Mojhgbdl.exeC:\Windows\system32\Mojhgbdl.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:872 -
C:\Windows\SysWOW64\Mfaqhp32.exeC:\Windows\system32\Mfaqhp32.exe23⤵
- Executes dropped EXE
PID:4224 -
C:\Windows\SysWOW64\Miomdk32.exeC:\Windows\system32\Miomdk32.exe24⤵
- Executes dropped EXE
PID:2724 -
C:\Windows\SysWOW64\Mhbmphjm.exeC:\Windows\system32\Mhbmphjm.exe25⤵
- Executes dropped EXE
PID:2180 -
C:\Windows\SysWOW64\Mpieqeko.exeC:\Windows\system32\Mpieqeko.exe26⤵
- Executes dropped EXE
PID:4480 -
C:\Windows\SysWOW64\Molelb32.exeC:\Windows\system32\Molelb32.exe27⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4288 -
C:\Windows\SysWOW64\Mbhamajc.exeC:\Windows\system32\Mbhamajc.exe28⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2608 -
C:\Windows\SysWOW64\Mefmimif.exeC:\Windows\system32\Mefmimif.exe29⤵
- Executes dropped EXE
PID:4252 -
C:\Windows\SysWOW64\Mhdjehhj.exeC:\Windows\system32\Mhdjehhj.exe30⤵
- Executes dropped EXE
PID:3912 -
C:\Windows\SysWOW64\Mlpeff32.exeC:\Windows\system32\Mlpeff32.exe31⤵
- Executes dropped EXE
PID:1748 -
C:\Windows\SysWOW64\Moobbb32.exeC:\Windows\system32\Moobbb32.exe32⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2620 -
C:\Windows\SysWOW64\Mbjnbqhp.exeC:\Windows\system32\Mbjnbqhp.exe33⤵
- Executes dropped EXE
PID:1680 -
C:\Windows\SysWOW64\Mehjol32.exeC:\Windows\system32\Mehjol32.exe34⤵
- Executes dropped EXE
PID:1428 -
C:\Windows\SysWOW64\Mhgfkg32.exeC:\Windows\system32\Mhgfkg32.exe35⤵
- Executes dropped EXE
PID:3756 -
C:\Windows\SysWOW64\Mpnnle32.exeC:\Windows\system32\Mpnnle32.exe36⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1524 -
C:\Windows\SysWOW64\Moaogand.exeC:\Windows\system32\Moaogand.exe37⤵
- Executes dropped EXE
PID:1412 -
C:\Windows\SysWOW64\Mblkhq32.exeC:\Windows\system32\Mblkhq32.exe38⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:700 -
C:\Windows\SysWOW64\Mekgdl32.exeC:\Windows\system32\Mekgdl32.exe39⤵
- Executes dropped EXE
PID:2436 -
C:\Windows\SysWOW64\Mifcejnj.exeC:\Windows\system32\Mifcejnj.exe40⤵
- Executes dropped EXE
PID:3384 -
C:\Windows\SysWOW64\Mleoafmn.exeC:\Windows\system32\Mleoafmn.exe41⤵
- Executes dropped EXE
PID:4264 -
C:\Windows\SysWOW64\Mockmala.exeC:\Windows\system32\Mockmala.exe42⤵
- Executes dropped EXE
- Modifies registry class
PID:3208 -
C:\Windows\SysWOW64\Mbognp32.exeC:\Windows\system32\Mbognp32.exe43⤵
- Executes dropped EXE
PID:3844 -
C:\Windows\SysWOW64\Nhlpfgbb.exeC:\Windows\system32\Nhlpfgbb.exe44⤵
- Executes dropped EXE
PID:232 -
C:\Windows\SysWOW64\Npchgdcd.exeC:\Windows\system32\Npchgdcd.exe45⤵
- Executes dropped EXE
PID:464 -
C:\Windows\SysWOW64\Nbadcpbh.exeC:\Windows\system32\Nbadcpbh.exe46⤵
- Executes dropped EXE
PID:1460 -
C:\Windows\SysWOW64\Ngmpcn32.exeC:\Windows\system32\Ngmpcn32.exe47⤵
- Executes dropped EXE
PID:4032 -
C:\Windows\SysWOW64\Niklpj32.exeC:\Windows\system32\Niklpj32.exe48⤵
- Executes dropped EXE
PID:2824 -
C:\Windows\SysWOW64\Nlihle32.exeC:\Windows\system32\Nlihle32.exe49⤵
- Executes dropped EXE
PID:2528 -
C:\Windows\SysWOW64\Nohehq32.exeC:\Windows\system32\Nohehq32.exe50⤵
- Executes dropped EXE
PID:4072 -
C:\Windows\SysWOW64\Ngomin32.exeC:\Windows\system32\Ngomin32.exe51⤵
- Executes dropped EXE
PID:2872 -
C:\Windows\SysWOW64\Nebmekoi.exeC:\Windows\system32\Nebmekoi.exe52⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3100 -
C:\Windows\SysWOW64\Nhpiafnm.exeC:\Windows\system32\Nhpiafnm.exe53⤵
- Executes dropped EXE
PID:3040 -
C:\Windows\SysWOW64\Npgabc32.exeC:\Windows\system32\Npgabc32.exe54⤵
- Executes dropped EXE
PID:1416 -
C:\Windows\SysWOW64\Nojanpej.exeC:\Windows\system32\Nojanpej.exe55⤵
- Executes dropped EXE
PID:1588 -
C:\Windows\SysWOW64\Ngaionfl.exeC:\Windows\system32\Ngaionfl.exe56⤵
- Executes dropped EXE
PID:2232 -
C:\Windows\SysWOW64\Nipekiep.exeC:\Windows\system32\Nipekiep.exe57⤵
- Executes dropped EXE
PID:3920 -
C:\Windows\SysWOW64\Nhbfff32.exeC:\Windows\system32\Nhbfff32.exe58⤵
- Executes dropped EXE
PID:3428 -
C:\Windows\SysWOW64\Npjnhc32.exeC:\Windows\system32\Npjnhc32.exe59⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4900 -
C:\Windows\SysWOW64\Nchjdo32.exeC:\Windows\system32\Nchjdo32.exe60⤵
- Executes dropped EXE
PID:4484 -
C:\Windows\SysWOW64\Neffpj32.exeC:\Windows\system32\Neffpj32.exe61⤵
- Executes dropped EXE
PID:4088 -
C:\Windows\SysWOW64\Nibbqicm.exeC:\Windows\system32\Nibbqicm.exe62⤵
- Executes dropped EXE
- Modifies registry class
PID:1080 -
C:\Windows\SysWOW64\Nlqomd32.exeC:\Windows\system32\Nlqomd32.exe63⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4400 -
C:\Windows\SysWOW64\Nookip32.exeC:\Windows\system32\Nookip32.exe64⤵
- Executes dropped EXE
PID:1856 -
C:\Windows\SysWOW64\Ncjginjn.exeC:\Windows\system32\Ncjginjn.exe65⤵
- Executes dropped EXE
PID:32 -
C:\Windows\SysWOW64\Oeicejia.exeC:\Windows\system32\Oeicejia.exe66⤵PID:4368
-
C:\Windows\SysWOW64\Oidofh32.exeC:\Windows\system32\Oidofh32.exe67⤵
- System Location Discovery: System Language Discovery
PID:2692 -
C:\Windows\SysWOW64\Olckbd32.exeC:\Windows\system32\Olckbd32.exe68⤵PID:3556
-
C:\Windows\SysWOW64\Ooagno32.exeC:\Windows\system32\Ooagno32.exe69⤵PID:228
-
C:\Windows\SysWOW64\Oghppm32.exeC:\Windows\system32\Oghppm32.exe70⤵
- System Location Discovery: System Language Discovery
PID:2248 -
C:\Windows\SysWOW64\Oekpkigo.exeC:\Windows\system32\Oekpkigo.exe71⤵PID:2260
-
C:\Windows\SysWOW64\Ohjlgefb.exeC:\Windows\system32\Ohjlgefb.exe72⤵PID:740
-
C:\Windows\SysWOW64\Opadhb32.exeC:\Windows\system32\Opadhb32.exe73⤵PID:1740
-
C:\Windows\SysWOW64\Oocddono.exeC:\Windows\system32\Oocddono.exe74⤵PID:3916
-
C:\Windows\SysWOW64\Ogklelna.exeC:\Windows\system32\Ogklelna.exe75⤵
- Drops file in System32 directory
PID:636 -
C:\Windows\SysWOW64\Oiihahme.exeC:\Windows\system32\Oiihahme.exe76⤵PID:376
-
C:\Windows\SysWOW64\Ohlimd32.exeC:\Windows\system32\Ohlimd32.exe77⤵PID:2648
-
C:\Windows\SysWOW64\Opcqnb32.exeC:\Windows\system32\Opcqnb32.exe78⤵
- Drops file in System32 directory
PID:4768 -
C:\Windows\SysWOW64\Ocamjm32.exeC:\Windows\system32\Ocamjm32.exe79⤵PID:960
-
C:\Windows\SysWOW64\Ogmijllo.exeC:\Windows\system32\Ogmijllo.exe80⤵PID:3696
-
C:\Windows\SysWOW64\Oileggkb.exeC:\Windows\system32\Oileggkb.exe81⤵PID:1532
-
C:\Windows\SysWOW64\Oljaccjf.exeC:\Windows\system32\Oljaccjf.exe82⤵PID:3676
-
C:\Windows\SysWOW64\Oohnonij.exeC:\Windows\system32\Oohnonij.exe83⤵PID:1464
-
C:\Windows\SysWOW64\Ocdjpmac.exeC:\Windows\system32\Ocdjpmac.exe84⤵
- Modifies registry class
PID:3420 -
C:\Windows\SysWOW64\Oebflhaf.exeC:\Windows\system32\Oebflhaf.exe85⤵PID:2172
-
C:\Windows\SysWOW64\Ohqbhdpj.exeC:\Windows\system32\Ohqbhdpj.exe86⤵PID:4100
-
C:\Windows\SysWOW64\Ophjiaql.exeC:\Windows\system32\Ophjiaql.exe87⤵PID:3960
-
C:\Windows\SysWOW64\Ocffempp.exeC:\Windows\system32\Ocffempp.exe88⤵PID:2096
-
C:\Windows\SysWOW64\Pgbbek32.exeC:\Windows\system32\Pgbbek32.exe89⤵PID:2968
-
C:\Windows\SysWOW64\Pjpobg32.exeC:\Windows\system32\Pjpobg32.exe90⤵PID:1528
-
C:\Windows\SysWOW64\Ploknb32.exeC:\Windows\system32\Ploknb32.exe91⤵PID:392
-
C:\Windows\SysWOW64\Pomgjn32.exeC:\Windows\system32\Pomgjn32.exe92⤵
- System Location Discovery: System Language Discovery
PID:732 -
C:\Windows\SysWOW64\Pcicklnn.exeC:\Windows\system32\Pcicklnn.exe93⤵PID:5156
-
C:\Windows\SysWOW64\Pfgogh32.exeC:\Windows\system32\Pfgogh32.exe94⤵PID:5192
-
C:\Windows\SysWOW64\Phelcc32.exeC:\Windows\system32\Phelcc32.exe95⤵PID:5228
-
C:\Windows\SysWOW64\Plagcbdn.exeC:\Windows\system32\Plagcbdn.exe96⤵PID:5264
-
C:\Windows\SysWOW64\Poodpmca.exeC:\Windows\system32\Poodpmca.exe97⤵PID:5304
-
C:\Windows\SysWOW64\Pgflqkdd.exeC:\Windows\system32\Pgflqkdd.exe98⤵
- System Location Discovery: System Language Discovery
PID:5340 -
C:\Windows\SysWOW64\Pjehmfch.exeC:\Windows\system32\Pjehmfch.exe99⤵PID:5372
-
C:\Windows\SysWOW64\Phhhhc32.exeC:\Windows\system32\Phhhhc32.exe100⤵
- Modifies registry class
PID:5408 -
C:\Windows\SysWOW64\Ppopjp32.exeC:\Windows\system32\Ppopjp32.exe101⤵PID:5444
-
C:\Windows\SysWOW64\Pcmlfl32.exeC:\Windows\system32\Pcmlfl32.exe102⤵PID:5480
-
C:\Windows\SysWOW64\Pgihfj32.exeC:\Windows\system32\Pgihfj32.exe103⤵PID:5516
-
C:\Windows\SysWOW64\Pjgebf32.exeC:\Windows\system32\Pjgebf32.exe104⤵PID:5552
-
C:\Windows\SysWOW64\Phjenbhp.exeC:\Windows\system32\Phjenbhp.exe105⤵
- Drops file in System32 directory
PID:5588 -
C:\Windows\SysWOW64\Ppamophb.exeC:\Windows\system32\Ppamophb.exe106⤵PID:5624
-
C:\Windows\SysWOW64\Pcpikkge.exeC:\Windows\system32\Pcpikkge.exe107⤵PID:5660
-
C:\Windows\SysWOW64\Pgkelj32.exeC:\Windows\system32\Pgkelj32.exe108⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5696 -
C:\Windows\SysWOW64\Pjjahe32.exeC:\Windows\system32\Pjjahe32.exe109⤵PID:5736
-
C:\Windows\SysWOW64\Plhnda32.exeC:\Windows\system32\Plhnda32.exe110⤵PID:5768
-
C:\Windows\SysWOW64\Pqcjepfo.exeC:\Windows\system32\Pqcjepfo.exe111⤵PID:5808
-
C:\Windows\SysWOW64\Qcbfakec.exeC:\Windows\system32\Qcbfakec.exe112⤵PID:5840
-
C:\Windows\SysWOW64\Qfpbmfdf.exeC:\Windows\system32\Qfpbmfdf.exe113⤵PID:5876
-
C:\Windows\SysWOW64\Qjlnnemp.exeC:\Windows\system32\Qjlnnemp.exe114⤵PID:5912
-
C:\Windows\SysWOW64\Qljjjqlc.exeC:\Windows\system32\Qljjjqlc.exe115⤵PID:5948
-
C:\Windows\SysWOW64\Qoifflkg.exeC:\Windows\system32\Qoifflkg.exe116⤵PID:5984
-
C:\Windows\SysWOW64\Qcdbfk32.exeC:\Windows\system32\Qcdbfk32.exe117⤵PID:6020
-
C:\Windows\SysWOW64\Qqhcpo32.exeC:\Windows\system32\Qqhcpo32.exe118⤵PID:4536
-
C:\Windows\SysWOW64\Afelhf32.exeC:\Windows\system32\Afelhf32.exe119⤵
- Drops file in System32 directory
PID:4668 -
C:\Windows\SysWOW64\Amodep32.exeC:\Windows\system32\Amodep32.exe120⤵
- Drops file in System32 directory
PID:5224 -
C:\Windows\SysWOW64\Bihjfnmm.exeC:\Windows\system32\Bihjfnmm.exe121⤵PID:5616
-
C:\Windows\SysWOW64\Cflkpblf.exeC:\Windows\system32\Cflkpblf.exe122⤵PID:5692
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-