Analysis
-
max time kernel
94s -
max time network
139s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
20-11-2024 22:14
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
40e4a99f73b304400064ce013501ac2d5304bba096fd338b58c06e5dbef64ed6.exe
Resource
win7-20240903-en
windows7-x64
8 signatures
150 seconds
Behavioral task
behavioral2
Sample
40e4a99f73b304400064ce013501ac2d5304bba096fd338b58c06e5dbef64ed6.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
7 signatures
150 seconds
General
-
Target
40e4a99f73b304400064ce013501ac2d5304bba096fd338b58c06e5dbef64ed6.exe
-
Size
398KB
-
MD5
e8fb3e3a18adcac87d34bc1acc4c735a
-
SHA1
fe2a26847f429f9f653080de8218e0fc903368e7
-
SHA256
40e4a99f73b304400064ce013501ac2d5304bba096fd338b58c06e5dbef64ed6
-
SHA512
139c78463591c685591599564e5ed5c5c16ac9361f29c3debdba66f78ab0f0609d115aa11d95d71c5ac5bd724c5875df07aebe5ed308e81f9fb12b58296664f7
-
SSDEEP
12288:nJeX6t3XGCByvNv54B9f01ZmHByvNv5imipWf0Aq:nJeX6t3XGpvr4B9f01ZmQvrimipWf0Aq
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
Processes:
Kpiljh32.exeMcpcdg32.exeDngjff32.exeFmkqpkla.exeKofkbk32.exeCdmfllhn.exeBgeaifia.exeEcefqnel.exeKdkdgchl.exeNapjdpcn.exeBcbohigp.exeJhndljll.exeEokqkh32.exeHekgfj32.exeGfmojenc.exeLnadagbm.exeDojqjdbl.exeKfnkkb32.exeQgpogili.exeBgbdcgld.exeQepkbpak.exeLeoghn32.exeMgobel32.exeHpiecd32.exeAhaceo32.exeHbdjchgn.exeNagpeo32.exeBmjkic32.exeQlmgopjq.exeAopmfk32.exePkenjh32.exeOeehkn32.exeBclang32.exeJlgepanl.exeJpaleglc.exeKmaopfjm.exeMkohaj32.exeOmegjomb.exeKnippe32.exeOileggkb.exeEplgeokq.exeIliinc32.exeAaenbd32.exeLhfmdj32.exePjjahe32.exeDcpmen32.exeHedafk32.exeDndnpf32.exeIepaaico.exeNqbpojnp.exeGpcmga32.exeManmoq32.exeDbicpfdk.exeDkahilkl.exeKgflcifg.exeAkpoaj32.exeFibhpbea.exeFflohaij.exeIinjhh32.exeIbfnqmpf.exeNflkbanj.exeOmdppiif.exeBcelmhen.exedescription ioc Process Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kpiljh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mcpcdg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Dngjff32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fmkqpkla.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kofkbk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Cdmfllhn.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bgeaifia.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ecefqnel.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kdkdgchl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Napjdpcn.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bcbohigp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jhndljll.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Eokqkh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Hekgfj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Gfmojenc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lnadagbm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Dojqjdbl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kfnkkb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Qgpogili.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bgbdcgld.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Qepkbpak.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Leoghn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mgobel32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hpiecd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ahaceo32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hbdjchgn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Nagpeo32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bmjkic32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qlmgopjq.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aopmfk32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pkenjh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oeehkn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bclang32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jlgepanl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jpaleglc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kmaopfjm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Mkohaj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Omegjomb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Knippe32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oileggkb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jhndljll.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Eplgeokq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Iliinc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Aaenbd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Lhfmdj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pjjahe32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dcpmen32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Hedafk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Dndnpf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Iepaaico.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Nqbpojnp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Gpcmga32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Manmoq32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dbicpfdk.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dkahilkl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Kgflcifg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Akpoaj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Fibhpbea.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Fflohaij.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Iinjhh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ibfnqmpf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Nflkbanj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Omdppiif.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bcelmhen.exe -
Executes dropped EXE 64 IoCs
Processes:
Hdicienl.exeHghoeqmp.exeHkckeo32.exeHhgloc32.exeHnddgjbj.exeHbpphi32.exeHdnldd32.exeHglipp32.exeHocqam32.exeHbbmmi32.exeHfningai.exeHhlejcpm.exeHkjafn32.exeHninbj32.exeHbdjchgn.exeHhnbpb32.exeHkmnln32.exeIohjlmeg.exeIfbbig32.exeIigdfa32.exeIkfabm32.exeIbpiogmp.exeIfleoe32.exeIgmagnkg.exeJbbfdfkn.exeJilnqqbj.exeJkkjmlan.exeJnifigpa.exeJgakbm32.exeJnkcogno.exeJeekkafl.exeJkodhk32.exeJbileede.exeJfehed32.exeJgfdmlcm.exeJpmlnjco.exeJfgdkd32.exeJieagojp.exeKnbiofhg.exeKbnepe32.exeKelalp32.exeKgknhl32.exeKlfjijgq.exeKnefeffd.exeKflnfcgg.exeKlifnj32.exeKngcje32.exeKfnkkb32.exeKimghn32.exeKlkcdj32.exeKnippe32.exeKfqgab32.exeKpiljh32.exeKefdbo32.exeLhdqnj32.exeLnnikdnj.exeLehaho32.exeLhfmdj32.exeLblaabdp.exeLejnmncd.exeLocbfd32.exeLbnngbbn.exeLemkcnaa.exeLhkgoiqe.exepid Process 624 Hdicienl.exe 3728 Hghoeqmp.exe 1688 Hkckeo32.exe 2364 Hhgloc32.exe 2168 Hnddgjbj.exe 2180 Hbpphi32.exe 2876 Hdnldd32.exe 4648 Hglipp32.exe 4244 Hocqam32.exe 4804 Hbbmmi32.exe 4984 Hfningai.exe 232 Hhlejcpm.exe 2448 Hkjafn32.exe 400 Hninbj32.exe 4308 Hbdjchgn.exe 2228 Hhnbpb32.exe 4060 Hkmnln32.exe 1196 Iohjlmeg.exe 3588 Ifbbig32.exe 3384 Iigdfa32.exe 1500 Ikfabm32.exe 4652 Ibpiogmp.exe 3084 Ifleoe32.exe 3572 Igmagnkg.exe 3460 Jbbfdfkn.exe 1304 Jilnqqbj.exe 4720 Jkkjmlan.exe 1216 Jnifigpa.exe 3924 Jgakbm32.exe 1224 Jnkcogno.exe 2904 Jeekkafl.exe 1956 Jkodhk32.exe 2468 Jbileede.exe 1876 Jfehed32.exe 1012 Jgfdmlcm.exe 4372 Jpmlnjco.exe 3804 Jfgdkd32.exe 3324 Jieagojp.exe 1004 Knbiofhg.exe 3424 Kbnepe32.exe 3516 Kelalp32.exe 4028 Kgknhl32.exe 3884 Klfjijgq.exe 4020 Knefeffd.exe 1324 Kflnfcgg.exe 5024 Klifnj32.exe 2568 Kngcje32.exe 4380 Kfnkkb32.exe 1768 Kimghn32.exe 4128 Klkcdj32.exe 4724 Knippe32.exe 672 Kfqgab32.exe 4740 Kpiljh32.exe 1744 Kefdbo32.exe 1332 Lhdqnj32.exe 1860 Lnnikdnj.exe 2072 Lehaho32.exe 1776 Lhfmdj32.exe 3048 Lblaabdp.exe 3020 Lejnmncd.exe 4436 Locbfd32.exe 388 Lbnngbbn.exe 3452 Lemkcnaa.exe 2476 Lhkgoiqe.exe -
Drops file in System32 directory 64 IoCs
Processes:
Eifhdd32.exeEbimgcfi.exeGmfplibd.exeHocqam32.exeIgmagnkg.exeMffjcopi.exeBclang32.exeMlpokp32.exeQljjjqlc.exeEjlbhh32.exeGdaociml.exeNfohgqlg.exeAhofoogd.exeDahmfpap.exeKkfcndce.exeGbdoof32.exeIcnklbmj.exeFfceip32.exeJiiicf32.exeHmkigh32.exeOcaebc32.exeCammjakm.exeBqkill32.exeFmgejhgn.exeMhilfa32.exeQdbdcg32.exeCdecgbfa.exeJqlefl32.exeNeoieenp.exeEmmkiclm.exeNhdlao32.exeCfqmpl32.exePmblagmf.exeAhfmpnql.exeBgpcliao.exeQkjgegae.exeFbfcmhpg.exeGfeaopqo.exePalklf32.exeHbpphi32.exeKjjiej32.exePlkpcfal.exeMfchlbfd.exeHmlpaoaj.exeLjclki32.exeGbeejp32.exeImkbnf32.exeNapjdpcn.exeCleegp32.exeDkfadkgf.exeLbchba32.exeOebflhaf.exeJncoikmp.exeLmdemd32.exeMkohaj32.exeHibjli32.exeBkgeainn.exeJeekkafl.exeLnnikdnj.exeInainbcn.exeMjlhgaqp.exePodmkm32.exeQoifflkg.exeAhchda32.exedescription ioc Process File created C:\Windows\SysWOW64\Koiagakg.dll Eifhdd32.exe File created C:\Windows\SysWOW64\Eehicoel.exe Ebimgcfi.exe File created C:\Windows\SysWOW64\Glipgf32.exe Gmfplibd.exe File created C:\Windows\SysWOW64\Dbikpjdg.dll Hocqam32.exe File opened for modification C:\Windows\SysWOW64\Jbbfdfkn.exe Igmagnkg.exe File created C:\Windows\SysWOW64\Midfokpm.exe Mffjcopi.exe File created C:\Windows\SysWOW64\Mhibfmcl.dll Bclang32.exe File created C:\Windows\SysWOW64\Micoed32.exe Mlpokp32.exe File created C:\Windows\SysWOW64\Hfegkoem.dll Qljjjqlc.exe File created C:\Windows\SysWOW64\Pcijdmpm.dll Ejlbhh32.exe File created C:\Windows\SysWOW64\Gbdoof32.exe Gdaociml.exe File created C:\Windows\SysWOW64\Bgemej32.dll Nfohgqlg.exe File opened for modification C:\Windows\SysWOW64\Aknbkjfh.exe Ahofoogd.exe File opened for modification C:\Windows\SysWOW64\Ddgibkpc.exe Dahmfpap.exe File opened for modification C:\Windows\SysWOW64\Kqbkfkal.exe Kkfcndce.exe File opened for modification C:\Windows\SysWOW64\Gmiclo32.exe Gbdoof32.exe File created C:\Windows\SysWOW64\Ikdcmpnl.exe Icnklbmj.exe File created C:\Windows\SysWOW64\Fiaael32.exe Ffceip32.exe File created C:\Windows\SysWOW64\Jlgepanl.exe Jiiicf32.exe File opened for modification C:\Windows\SysWOW64\Hpiecd32.exe Hmkigh32.exe File created C:\Windows\SysWOW64\Bdlgcp32.dll Ocaebc32.exe File opened for modification C:\Windows\SysWOW64\Chfegk32.exe Cammjakm.exe File created C:\Windows\SysWOW64\Gnknpnlf.dll Bqkill32.exe File created C:\Windows\SysWOW64\Ebafce32.dll Fmgejhgn.exe File opened for modification C:\Windows\SysWOW64\Naaqofgj.exe Mhilfa32.exe File opened for modification C:\Windows\SysWOW64\Qlimed32.exe Qdbdcg32.exe File opened for modification C:\Windows\SysWOW64\Dmlkhofd.exe Cdecgbfa.exe File opened for modification C:\Windows\SysWOW64\Jnpfop32.exe Jqlefl32.exe File opened for modification C:\Windows\SysWOW64\Nliaao32.exe Neoieenp.exe File opened for modification C:\Windows\SysWOW64\Eplgeokq.exe Emmkiclm.exe File opened for modification C:\Windows\SysWOW64\Oondnini.exe Nhdlao32.exe File opened for modification C:\Windows\SysWOW64\Ckmehb32.exe Cfqmpl32.exe File opened for modification C:\Windows\SysWOW64\Ppahmb32.exe Pmblagmf.exe File created C:\Windows\SysWOW64\Qkhnbpne.dll Ahfmpnql.exe File opened for modification C:\Windows\SysWOW64\Bmjkic32.exe Bgpcliao.exe File created C:\Windows\SysWOW64\Qofcff32.exe Qkjgegae.exe File created C:\Windows\SysWOW64\Fjmkoeqi.exe Fbfcmhpg.exe File created C:\Windows\SysWOW64\Aknhkd32.dll Gfeaopqo.exe File created C:\Windows\SysWOW64\Pfiddm32.exe Palklf32.exe File created C:\Windows\SysWOW64\Hdnldd32.exe Hbpphi32.exe File opened for modification C:\Windows\SysWOW64\Knfeeimj.exe Kjjiej32.exe File opened for modification C:\Windows\SysWOW64\Poimpapp.exe Plkpcfal.exe File created C:\Windows\SysWOW64\Gabfbmnl.dll Mfchlbfd.exe File created C:\Windows\SysWOW64\Hdehni32.exe Hmlpaoaj.exe File created C:\Windows\SysWOW64\Lnohlgep.exe Ljclki32.exe File created C:\Windows\SysWOW64\Hedafk32.exe Gbeejp32.exe File created C:\Windows\SysWOW64\Ibhkfm32.exe Imkbnf32.exe File opened for modification C:\Windows\SysWOW64\Nelfeo32.exe Napjdpcn.exe File created C:\Windows\SysWOW64\Cocacl32.exe Cleegp32.exe File opened for modification C:\Windows\SysWOW64\Dndnpf32.exe Dkfadkgf.exe File opened for modification C:\Windows\SysWOW64\Mimpolee.exe Lbchba32.exe File created C:\Windows\SysWOW64\Dofhmq32.dll Oebflhaf.exe File opened for modification C:\Windows\SysWOW64\Jpaleglc.exe Jncoikmp.exe File opened for modification C:\Windows\SysWOW64\Lcnmin32.exe Lmdemd32.exe File created C:\Windows\SysWOW64\Dpglbfpm.dll Mkohaj32.exe File created C:\Windows\SysWOW64\Hlpfhe32.exe Hibjli32.exe File created C:\Windows\SysWOW64\Baannc32.exe Bkgeainn.exe File created C:\Windows\SysWOW64\Ammegk32.dll Jeekkafl.exe File opened for modification C:\Windows\SysWOW64\Lehaho32.exe Lnnikdnj.exe File created C:\Windows\SysWOW64\Alkdoago.dll Inainbcn.exe File created C:\Windows\SysWOW64\Mmkdcm32.exe Mjlhgaqp.exe File opened for modification C:\Windows\SysWOW64\Pgkelj32.exe Podmkm32.exe File opened for modification C:\Windows\SysWOW64\Qgpogili.exe Qoifflkg.exe File created C:\Windows\SysWOW64\Fqhajknb.dll Ahchda32.exe -
Program crash 1 IoCs
Processes:
WerFault.exepid pid_target Process procid_target 5368 6260 WerFault.exe 1030 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
Ijcahd32.exeHlhccj32.exeFmkqpkla.exeIgmagnkg.exeQepkbpak.exeHkbmqb32.exeKjhloj32.exeKjjiej32.exeMgobel32.exePaiogf32.exeAfghneoo.exeFhabbp32.exeCodhnb32.exeBogcgj32.exeHgkkkcbc.exeMidfokpm.exePcicklnn.exeLgffic32.exeEjlbhh32.exeAdhdjpjf.exeKlifnj32.exeJhijqj32.exeLjaoeini.exeLnohlgep.exeOalipoiq.exeEfgemb32.exeHiipmhmk.exeMlbbkfoq.exeNcjginjn.exePlhnda32.exeKqbdldnq.exePalbgl32.exeFpkibf32.exeNcqlkemc.exeOclkgccf.exeHghoeqmp.exeHnddgjbj.exeAompak32.exeLnjnqh32.exeFechomko.exeMlnipg32.exeHpchib32.exeOfhknodl.exePlagcbdn.exeNhbfff32.exeFfclcgfn.exeFbbpmb32.exeFiaael32.exeNopfpgip.exeMlkepaam.exeGbeejp32.exeCgcmjd32.exeJnjejjgh.exeJghpbk32.exeMfchlbfd.exeAonhghjl.exeDkqaoe32.exeDmbbhkjf.exeLgcjdd32.exeNagpeo32.exeIbpiogmp.exeBdagpnbk.exeNemcjk32.exeEeelnp32.exedescription ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ijcahd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hlhccj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fmkqpkla.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Igmagnkg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qepkbpak.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hkbmqb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kjhloj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kjjiej32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mgobel32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Paiogf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Afghneoo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fhabbp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Codhnb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bogcgj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hgkkkcbc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Midfokpm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pcicklnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lgffic32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ejlbhh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Adhdjpjf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Klifnj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jhijqj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ljaoeini.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lnohlgep.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oalipoiq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Efgemb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hiipmhmk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mlbbkfoq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ncjginjn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Plhnda32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kqbdldnq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Palbgl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fpkibf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ncqlkemc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oclkgccf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hghoeqmp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hnddgjbj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aompak32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lnjnqh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fechomko.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mlnipg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hpchib32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ofhknodl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Plagcbdn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nhbfff32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ffclcgfn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fbbpmb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fiaael32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nopfpgip.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mlkepaam.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gbeejp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cgcmjd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jnjejjgh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jghpbk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mfchlbfd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aonhghjl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dkqaoe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dmbbhkjf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lgcjdd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nagpeo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ibpiogmp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bdagpnbk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nemcjk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eeelnp32.exe -
Modifies registry class 64 IoCs
Processes:
Lijlof32.exePcmeke32.exeBajqda32.exeLpekef32.exeQjlnnemp.exeLacdmh32.exeDpbdopck.exeJnlbojee.exeKkpbin32.exeCglbhhga.exeJeekkafl.exeOimkbaed.exeJpaleglc.exeBepmoh32.exeJleijb32.exeMimpolee.exeMbhamajc.exePleaoa32.exeHnhghcki.exeIdkbkl32.exeAfkknogn.exeCfqmpl32.exeNmipdk32.exeDhomfc32.exeIloidijb.exeKqbdldnq.exePajeam32.exeKgflcifg.exeLhdqnj32.exeOebflhaf.exeCcqkigkp.exeHgghjjid.exeJnpfop32.exeDikihe32.exeIcdheded.exeHedafk32.exeCqpbglno.exeHdmoohbo.exeJphkkpbp.exeIkfabm32.exeFimodc32.exeCndeii32.exeHfcnpn32.exeAompak32.exeOaompd32.exeEppqqn32.exeDheibpje.exeAfpjel32.exeKgknhl32.exeMicoed32.exeFikbocki.exeFbjmhh32.exeHkbmqb32.exePlmmif32.exeDddllkbf.exeLehaho32.exeAcpbbi32.exeDjfcaohp.exeHkpheidp.exeIndfca32.exeDbndfl32.exeEidlnd32.exeCdmfllhn.exedescription ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Lijlof32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Pcmeke32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Bajqda32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Lpekef32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Qjlnnemp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Inagcf32.dll" Lacdmh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Dpbdopck.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Jnlbojee.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Kkpbin32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Cglbhhga.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Jeekkafl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Oimkbaed.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Jpaleglc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hahqkaaa.dll" Bepmoh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Jleijb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ikaqhj32.dll" Mimpolee.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjkgopfg.dll" Mbhamajc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Pleaoa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Hnhghcki.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qipkmbib.dll" Idkbkl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Afkknogn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Cfqmpl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Nmipdk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Dhomfc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Iloidijb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gicbkkca.dll" Kqbdldnq.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Pajeam32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Kgflcifg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Lhdqnj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Oebflhaf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kcllei32.dll" Ccqkigkp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Hgghjjid.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Jnpfop32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Edmpgp32.dll" Dikihe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nhmhbpmi.dll" Icdheded.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Hedafk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Cqpbglno.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmemlfol.dll" Hdmoohbo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Jphkkpbp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ikfabm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Fimodc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bqjoqdcl.dll" Cndeii32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Hfcnpn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Aompak32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Oaompd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Eppqqn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Dheibpje.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oingap32.dll" Afpjel32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hbkbod32.dll" Kgknhl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Micoed32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Fikbocki.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Fbjmhh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Hkbmqb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Plmmif32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Dddllkbf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Lehaho32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hlmidl32.dll" Acpbbi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhkjmn32.dll" Djfcaohp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Hkpheidp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aokkdnic.dll" Indfca32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Dbndfl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gckdpj32.dll" Eidlnd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bjlfmfbi.dll" Cdmfllhn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Lpekef32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
40e4a99f73b304400064ce013501ac2d5304bba096fd338b58c06e5dbef64ed6.exeHdicienl.exeHghoeqmp.exeHkckeo32.exeHhgloc32.exeHnddgjbj.exeHbpphi32.exeHdnldd32.exeHglipp32.exeHocqam32.exeHbbmmi32.exeHfningai.exeHhlejcpm.exeHkjafn32.exeHninbj32.exeHbdjchgn.exeHhnbpb32.exeHkmnln32.exeIohjlmeg.exeIfbbig32.exeIigdfa32.exeIkfabm32.exedescription pid Process procid_target PID 3580 wrote to memory of 624 3580 40e4a99f73b304400064ce013501ac2d5304bba096fd338b58c06e5dbef64ed6.exe 82 PID 3580 wrote to memory of 624 3580 40e4a99f73b304400064ce013501ac2d5304bba096fd338b58c06e5dbef64ed6.exe 82 PID 3580 wrote to memory of 624 3580 40e4a99f73b304400064ce013501ac2d5304bba096fd338b58c06e5dbef64ed6.exe 82 PID 624 wrote to memory of 3728 624 Hdicienl.exe 83 PID 624 wrote to memory of 3728 624 Hdicienl.exe 83 PID 624 wrote to memory of 3728 624 Hdicienl.exe 83 PID 3728 wrote to memory of 1688 3728 Hghoeqmp.exe 84 PID 3728 wrote to memory of 1688 3728 Hghoeqmp.exe 84 PID 3728 wrote to memory of 1688 3728 Hghoeqmp.exe 84 PID 1688 wrote to memory of 2364 1688 Hkckeo32.exe 85 PID 1688 wrote to memory of 2364 1688 Hkckeo32.exe 85 PID 1688 wrote to memory of 2364 1688 Hkckeo32.exe 85 PID 2364 wrote to memory of 2168 2364 Hhgloc32.exe 86 PID 2364 wrote to memory of 2168 2364 Hhgloc32.exe 86 PID 2364 wrote to memory of 2168 2364 Hhgloc32.exe 86 PID 2168 wrote to memory of 2180 2168 Hnddgjbj.exe 87 PID 2168 wrote to memory of 2180 2168 Hnddgjbj.exe 87 PID 2168 wrote to memory of 2180 2168 Hnddgjbj.exe 87 PID 2180 wrote to memory of 2876 2180 Hbpphi32.exe 88 PID 2180 wrote to memory of 2876 2180 Hbpphi32.exe 88 PID 2180 wrote to memory of 2876 2180 Hbpphi32.exe 88 PID 2876 wrote to memory of 4648 2876 Hdnldd32.exe 89 PID 2876 wrote to memory of 4648 2876 Hdnldd32.exe 89 PID 2876 wrote to memory of 4648 2876 Hdnldd32.exe 89 PID 4648 wrote to memory of 4244 4648 Hglipp32.exe 90 PID 4648 wrote to memory of 4244 4648 Hglipp32.exe 90 PID 4648 wrote to memory of 4244 4648 Hglipp32.exe 90 PID 4244 wrote to memory of 4804 4244 Hocqam32.exe 91 PID 4244 wrote to memory of 4804 4244 Hocqam32.exe 91 PID 4244 wrote to memory of 4804 4244 Hocqam32.exe 91 PID 4804 wrote to memory of 4984 4804 Hbbmmi32.exe 92 PID 4804 wrote to memory of 4984 4804 Hbbmmi32.exe 92 PID 4804 wrote to memory of 4984 4804 Hbbmmi32.exe 92 PID 4984 wrote to memory of 232 4984 Hfningai.exe 93 PID 4984 wrote to memory of 232 4984 Hfningai.exe 93 PID 4984 wrote to memory of 232 4984 Hfningai.exe 93 PID 232 wrote to memory of 2448 232 Hhlejcpm.exe 94 PID 232 wrote to memory of 2448 232 Hhlejcpm.exe 94 PID 232 wrote to memory of 2448 232 Hhlejcpm.exe 94 PID 2448 wrote to memory of 400 2448 Hkjafn32.exe 95 PID 2448 wrote to memory of 400 2448 Hkjafn32.exe 95 PID 2448 wrote to memory of 400 2448 Hkjafn32.exe 95 PID 400 wrote to memory of 4308 400 Hninbj32.exe 96 PID 400 wrote to memory of 4308 400 Hninbj32.exe 96 PID 400 wrote to memory of 4308 400 Hninbj32.exe 96 PID 4308 wrote to memory of 2228 4308 Hbdjchgn.exe 97 PID 4308 wrote to memory of 2228 4308 Hbdjchgn.exe 97 PID 4308 wrote to memory of 2228 4308 Hbdjchgn.exe 97 PID 2228 wrote to memory of 4060 2228 Hhnbpb32.exe 98 PID 2228 wrote to memory of 4060 2228 Hhnbpb32.exe 98 PID 2228 wrote to memory of 4060 2228 Hhnbpb32.exe 98 PID 4060 wrote to memory of 1196 4060 Hkmnln32.exe 99 PID 4060 wrote to memory of 1196 4060 Hkmnln32.exe 99 PID 4060 wrote to memory of 1196 4060 Hkmnln32.exe 99 PID 1196 wrote to memory of 3588 1196 Iohjlmeg.exe 100 PID 1196 wrote to memory of 3588 1196 Iohjlmeg.exe 100 PID 1196 wrote to memory of 3588 1196 Iohjlmeg.exe 100 PID 3588 wrote to memory of 3384 3588 Ifbbig32.exe 101 PID 3588 wrote to memory of 3384 3588 Ifbbig32.exe 101 PID 3588 wrote to memory of 3384 3588 Ifbbig32.exe 101 PID 3384 wrote to memory of 1500 3384 Iigdfa32.exe 102 PID 3384 wrote to memory of 1500 3384 Iigdfa32.exe 102 PID 3384 wrote to memory of 1500 3384 Iigdfa32.exe 102 PID 1500 wrote to memory of 4652 1500 Ikfabm32.exe 103
Processes
-
C:\Users\Admin\AppData\Local\Temp\40e4a99f73b304400064ce013501ac2d5304bba096fd338b58c06e5dbef64ed6.exe"C:\Users\Admin\AppData\Local\Temp\40e4a99f73b304400064ce013501ac2d5304bba096fd338b58c06e5dbef64ed6.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:3580 -
C:\Windows\SysWOW64\Hdicienl.exeC:\Windows\system32\Hdicienl.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:624 -
C:\Windows\SysWOW64\Hghoeqmp.exeC:\Windows\system32\Hghoeqmp.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3728 -
C:\Windows\SysWOW64\Hkckeo32.exeC:\Windows\system32\Hkckeo32.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1688 -
C:\Windows\SysWOW64\Hhgloc32.exeC:\Windows\system32\Hhgloc32.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2364 -
C:\Windows\SysWOW64\Hnddgjbj.exeC:\Windows\system32\Hnddgjbj.exe6⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2168 -
C:\Windows\SysWOW64\Hbpphi32.exeC:\Windows\system32\Hbpphi32.exe7⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2180 -
C:\Windows\SysWOW64\Hdnldd32.exeC:\Windows\system32\Hdnldd32.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2876 -
C:\Windows\SysWOW64\Hglipp32.exeC:\Windows\system32\Hglipp32.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4648 -
C:\Windows\SysWOW64\Hocqam32.exeC:\Windows\system32\Hocqam32.exe10⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4244 -
C:\Windows\SysWOW64\Hbbmmi32.exeC:\Windows\system32\Hbbmmi32.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4804 -
C:\Windows\SysWOW64\Hfningai.exeC:\Windows\system32\Hfningai.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4984 -
C:\Windows\SysWOW64\Hhlejcpm.exeC:\Windows\system32\Hhlejcpm.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:232 -
C:\Windows\SysWOW64\Hkjafn32.exeC:\Windows\system32\Hkjafn32.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2448 -
C:\Windows\SysWOW64\Hninbj32.exeC:\Windows\system32\Hninbj32.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:400 -
C:\Windows\SysWOW64\Hbdjchgn.exeC:\Windows\system32\Hbdjchgn.exe16⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4308 -
C:\Windows\SysWOW64\Hhnbpb32.exeC:\Windows\system32\Hhnbpb32.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2228 -
C:\Windows\SysWOW64\Hkmnln32.exeC:\Windows\system32\Hkmnln32.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4060 -
C:\Windows\SysWOW64\Iohjlmeg.exeC:\Windows\system32\Iohjlmeg.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1196 -
C:\Windows\SysWOW64\Ifbbig32.exeC:\Windows\system32\Ifbbig32.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3588 -
C:\Windows\SysWOW64\Iigdfa32.exeC:\Windows\system32\Iigdfa32.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3384 -
C:\Windows\SysWOW64\Ikfabm32.exeC:\Windows\system32\Ikfabm32.exe22⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1500 -
C:\Windows\SysWOW64\Ibpiogmp.exeC:\Windows\system32\Ibpiogmp.exe23⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4652 -
C:\Windows\SysWOW64\Ifleoe32.exeC:\Windows\system32\Ifleoe32.exe24⤵
- Executes dropped EXE
PID:3084 -
C:\Windows\SysWOW64\Igmagnkg.exeC:\Windows\system32\Igmagnkg.exe25⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:3572 -
C:\Windows\SysWOW64\Jbbfdfkn.exeC:\Windows\system32\Jbbfdfkn.exe26⤵
- Executes dropped EXE
PID:3460 -
C:\Windows\SysWOW64\Jilnqqbj.exeC:\Windows\system32\Jilnqqbj.exe27⤵
- Executes dropped EXE
PID:1304 -
C:\Windows\SysWOW64\Jkkjmlan.exeC:\Windows\system32\Jkkjmlan.exe28⤵
- Executes dropped EXE
PID:4720 -
C:\Windows\SysWOW64\Jnifigpa.exeC:\Windows\system32\Jnifigpa.exe29⤵
- Executes dropped EXE
PID:1216 -
C:\Windows\SysWOW64\Jgakbm32.exeC:\Windows\system32\Jgakbm32.exe30⤵
- Executes dropped EXE
PID:3924 -
C:\Windows\SysWOW64\Jnkcogno.exeC:\Windows\system32\Jnkcogno.exe31⤵
- Executes dropped EXE
PID:1224 -
C:\Windows\SysWOW64\Jeekkafl.exeC:\Windows\system32\Jeekkafl.exe32⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2904 -
C:\Windows\SysWOW64\Jkodhk32.exeC:\Windows\system32\Jkodhk32.exe33⤵
- Executes dropped EXE
PID:1956 -
C:\Windows\SysWOW64\Jbileede.exeC:\Windows\system32\Jbileede.exe34⤵
- Executes dropped EXE
PID:2468 -
C:\Windows\SysWOW64\Jfehed32.exeC:\Windows\system32\Jfehed32.exe35⤵
- Executes dropped EXE
PID:1876 -
C:\Windows\SysWOW64\Jgfdmlcm.exeC:\Windows\system32\Jgfdmlcm.exe36⤵
- Executes dropped EXE
PID:1012 -
C:\Windows\SysWOW64\Jpmlnjco.exeC:\Windows\system32\Jpmlnjco.exe37⤵
- Executes dropped EXE
PID:4372 -
C:\Windows\SysWOW64\Jfgdkd32.exeC:\Windows\system32\Jfgdkd32.exe38⤵
- Executes dropped EXE
PID:3804 -
C:\Windows\SysWOW64\Jieagojp.exeC:\Windows\system32\Jieagojp.exe39⤵
- Executes dropped EXE
PID:3324 -
C:\Windows\SysWOW64\Knbiofhg.exeC:\Windows\system32\Knbiofhg.exe40⤵
- Executes dropped EXE
PID:1004 -
C:\Windows\SysWOW64\Kbnepe32.exeC:\Windows\system32\Kbnepe32.exe41⤵
- Executes dropped EXE
PID:3424 -
C:\Windows\SysWOW64\Kelalp32.exeC:\Windows\system32\Kelalp32.exe42⤵
- Executes dropped EXE
PID:3516 -
C:\Windows\SysWOW64\Kgknhl32.exeC:\Windows\system32\Kgknhl32.exe43⤵
- Executes dropped EXE
- Modifies registry class
PID:4028 -
C:\Windows\SysWOW64\Klfjijgq.exeC:\Windows\system32\Klfjijgq.exe44⤵
- Executes dropped EXE
PID:3884 -
C:\Windows\SysWOW64\Knefeffd.exeC:\Windows\system32\Knefeffd.exe45⤵
- Executes dropped EXE
PID:4020 -
C:\Windows\SysWOW64\Kflnfcgg.exeC:\Windows\system32\Kflnfcgg.exe46⤵
- Executes dropped EXE
PID:1324 -
C:\Windows\SysWOW64\Klifnj32.exeC:\Windows\system32\Klifnj32.exe47⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:5024 -
C:\Windows\SysWOW64\Kngcje32.exeC:\Windows\system32\Kngcje32.exe48⤵
- Executes dropped EXE
PID:2568 -
C:\Windows\SysWOW64\Kfnkkb32.exeC:\Windows\system32\Kfnkkb32.exe49⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4380 -
C:\Windows\SysWOW64\Kimghn32.exeC:\Windows\system32\Kimghn32.exe50⤵
- Executes dropped EXE
PID:1768 -
C:\Windows\SysWOW64\Klkcdj32.exeC:\Windows\system32\Klkcdj32.exe51⤵
- Executes dropped EXE
PID:4128 -
C:\Windows\SysWOW64\Knippe32.exeC:\Windows\system32\Knippe32.exe52⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4724 -
C:\Windows\SysWOW64\Kfqgab32.exeC:\Windows\system32\Kfqgab32.exe53⤵
- Executes dropped EXE
PID:672 -
C:\Windows\SysWOW64\Kpiljh32.exeC:\Windows\system32\Kpiljh32.exe54⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4740 -
C:\Windows\SysWOW64\Kefdbo32.exeC:\Windows\system32\Kefdbo32.exe55⤵
- Executes dropped EXE
PID:1744 -
C:\Windows\SysWOW64\Lhdqnj32.exeC:\Windows\system32\Lhdqnj32.exe56⤵
- Executes dropped EXE
- Modifies registry class
PID:1332 -
C:\Windows\SysWOW64\Lnnikdnj.exeC:\Windows\system32\Lnnikdnj.exe57⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1860 -
C:\Windows\SysWOW64\Lehaho32.exeC:\Windows\system32\Lehaho32.exe58⤵
- Executes dropped EXE
- Modifies registry class
PID:2072 -
C:\Windows\SysWOW64\Lhfmdj32.exeC:\Windows\system32\Lhfmdj32.exe59⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1776 -
C:\Windows\SysWOW64\Lblaabdp.exeC:\Windows\system32\Lblaabdp.exe60⤵
- Executes dropped EXE
PID:3048 -
C:\Windows\SysWOW64\Lejnmncd.exeC:\Windows\system32\Lejnmncd.exe61⤵
- Executes dropped EXE
PID:3020 -
C:\Windows\SysWOW64\Locbfd32.exeC:\Windows\system32\Locbfd32.exe62⤵
- Executes dropped EXE
PID:4436 -
C:\Windows\SysWOW64\Lbnngbbn.exeC:\Windows\system32\Lbnngbbn.exe63⤵
- Executes dropped EXE
PID:388 -
C:\Windows\SysWOW64\Lemkcnaa.exeC:\Windows\system32\Lemkcnaa.exe64⤵
- Executes dropped EXE
PID:3452 -
C:\Windows\SysWOW64\Lhkgoiqe.exeC:\Windows\system32\Lhkgoiqe.exe65⤵
- Executes dropped EXE
PID:2476 -
C:\Windows\SysWOW64\Lpbopfag.exeC:\Windows\system32\Lpbopfag.exe66⤵PID:3032
-
C:\Windows\SysWOW64\Lbqklb32.exeC:\Windows\system32\Lbqklb32.exe67⤵PID:3292
-
C:\Windows\SysWOW64\Leoghn32.exeC:\Windows\system32\Leoghn32.exe68⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2136 -
C:\Windows\SysWOW64\Lhncdi32.exeC:\Windows\system32\Lhncdi32.exe69⤵PID:4664
-
C:\Windows\SysWOW64\Lpekef32.exeC:\Windows\system32\Lpekef32.exe70⤵
- Modifies registry class
PID:1904 -
C:\Windows\SysWOW64\Lbchba32.exeC:\Windows\system32\Lbchba32.exe71⤵
- Drops file in System32 directory
PID:4908 -
C:\Windows\SysWOW64\Mimpolee.exeC:\Windows\system32\Mimpolee.exe72⤵
- Modifies registry class
PID:1300 -
C:\Windows\SysWOW64\Mpghkf32.exeC:\Windows\system32\Mpghkf32.exe73⤵PID:2856
-
C:\Windows\SysWOW64\Mbedga32.exeC:\Windows\system32\Mbedga32.exe74⤵PID:1716
-
C:\Windows\SysWOW64\Medqcmki.exeC:\Windows\system32\Medqcmki.exe75⤵PID:4776
-
C:\Windows\SysWOW64\Mhbmphjm.exeC:\Windows\system32\Mhbmphjm.exe76⤵PID:4668
-
C:\Windows\SysWOW64\Mlnipg32.exeC:\Windows\system32\Mlnipg32.exe77⤵
- System Location Discovery: System Language Discovery
PID:468 -
C:\Windows\SysWOW64\Mbhamajc.exeC:\Windows\system32\Mbhamajc.exe78⤵
- Modifies registry class
PID:740 -
C:\Windows\SysWOW64\Mfcmmp32.exeC:\Windows\system32\Mfcmmp32.exe79⤵PID:3480
-
C:\Windows\SysWOW64\Mibijk32.exeC:\Windows\system32\Mibijk32.exe80⤵PID:228
-
C:\Windows\SysWOW64\Mplafeil.exeC:\Windows\system32\Mplafeil.exe81⤵PID:4084
-
C:\Windows\SysWOW64\Mbjnbqhp.exeC:\Windows\system32\Mbjnbqhp.exe82⤵PID:1372
-
C:\Windows\SysWOW64\Mffjcopi.exeC:\Windows\system32\Mffjcopi.exe83⤵
- Drops file in System32 directory
PID:4756 -
C:\Windows\SysWOW64\Midfokpm.exeC:\Windows\system32\Midfokpm.exe84⤵
- System Location Discovery: System Language Discovery
PID:1028 -
C:\Windows\SysWOW64\Mlbbkfoq.exeC:\Windows\system32\Mlbbkfoq.exe85⤵
- System Location Discovery: System Language Discovery
PID:4192 -
C:\Windows\SysWOW64\Moaogand.exeC:\Windows\system32\Moaogand.exe86⤵PID:4288
-
C:\Windows\SysWOW64\Mekgdl32.exeC:\Windows\system32\Mekgdl32.exe87⤵PID:1568
-
C:\Windows\SysWOW64\Mhicpg32.exeC:\Windows\system32\Mhicpg32.exe88⤵PID:1556
-
C:\Windows\SysWOW64\Mockmala.exeC:\Windows\system32\Mockmala.exe89⤵PID:3532
-
C:\Windows\SysWOW64\Nemcjk32.exeC:\Windows\system32\Nemcjk32.exe90⤵
- System Location Discovery: System Language Discovery
PID:3504 -
C:\Windows\SysWOW64\Nhlpfgbb.exeC:\Windows\system32\Nhlpfgbb.exe91⤵PID:2036
-
C:\Windows\SysWOW64\Noehba32.exeC:\Windows\system32\Noehba32.exe92⤵PID:3928
-
C:\Windows\SysWOW64\Ngmpcn32.exeC:\Windows\system32\Ngmpcn32.exe93⤵PID:4596
-
C:\Windows\SysWOW64\Nhnlkfpp.exeC:\Windows\system32\Nhnlkfpp.exe94⤵PID:1712
-
C:\Windows\SysWOW64\Npedmdab.exeC:\Windows\system32\Npedmdab.exe95⤵PID:732
-
C:\Windows\SysWOW64\Nbcqiope.exeC:\Windows\system32\Nbcqiope.exe96⤵PID:2724
-
C:\Windows\SysWOW64\Nebmekoi.exeC:\Windows\system32\Nebmekoi.exe97⤵PID:4796
-
C:\Windows\SysWOW64\Nlleaeff.exeC:\Windows\system32\Nlleaeff.exe98⤵PID:1756
-
C:\Windows\SysWOW64\Nojanpej.exeC:\Windows\system32\Nojanpej.exe99⤵PID:764
-
C:\Windows\SysWOW64\Ncfmno32.exeC:\Windows\system32\Ncfmno32.exe100⤵PID:2128
-
C:\Windows\SysWOW64\Nedjjj32.exeC:\Windows\system32\Nedjjj32.exe101⤵PID:5100
-
C:\Windows\SysWOW64\Nhbfff32.exeC:\Windows\system32\Nhbfff32.exe102⤵
- System Location Discovery: System Language Discovery
PID:3772 -
C:\Windows\SysWOW64\Npjnhc32.exeC:\Windows\system32\Npjnhc32.exe103⤵PID:4468
-
C:\Windows\SysWOW64\Nomncpcg.exeC:\Windows\system32\Nomncpcg.exe104⤵PID:1444
-
C:\Windows\SysWOW64\Neffpj32.exeC:\Windows\system32\Neffpj32.exe105⤵PID:1236
-
C:\Windows\SysWOW64\Nheble32.exeC:\Windows\system32\Nheble32.exe106⤵PID:3680
-
C:\Windows\SysWOW64\Nplkmckj.exeC:\Windows\system32\Nplkmckj.exe107⤵PID:1488
-
C:\Windows\SysWOW64\Ncjginjn.exeC:\Windows\system32\Ncjginjn.exe108⤵
- System Location Discovery: System Language Discovery
PID:796 -
C:\Windows\SysWOW64\Ogfcjm32.exeC:\Windows\system32\Ogfcjm32.exe109⤵PID:216
-
C:\Windows\SysWOW64\Oidofh32.exeC:\Windows\system32\Oidofh32.exe110⤵PID:1792
-
C:\Windows\SysWOW64\Olckbd32.exeC:\Windows\system32\Olckbd32.exe111⤵PID:4620
-
C:\Windows\SysWOW64\Opogbbig.exeC:\Windows\system32\Opogbbig.exe112⤵PID:4404
-
C:\Windows\SysWOW64\Ocmconhk.exeC:\Windows\system32\Ocmconhk.exe113⤵PID:4052
-
C:\Windows\SysWOW64\Oghppm32.exeC:\Windows\system32\Oghppm32.exe114⤵PID:436
-
C:\Windows\SysWOW64\Oigllh32.exeC:\Windows\system32\Oigllh32.exe115⤵PID:1572
-
C:\Windows\SysWOW64\Ohjlgefb.exeC:\Windows\system32\Ohjlgefb.exe116⤵PID:2864
-
C:\Windows\SysWOW64\Opadhb32.exeC:\Windows\system32\Opadhb32.exe117⤵PID:2660
-
C:\Windows\SysWOW64\Oocddono.exeC:\Windows\system32\Oocddono.exe118⤵PID:1040
-
C:\Windows\SysWOW64\Ogklelna.exeC:\Windows\system32\Ogklelna.exe119⤵PID:3672
-
C:\Windows\SysWOW64\Oiihahme.exeC:\Windows\system32\Oiihahme.exe120⤵PID:1368
-
C:\Windows\SysWOW64\Ohlimd32.exeC:\Windows\system32\Ohlimd32.exe121⤵PID:5128
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-