Analysis

max time kernel: 118s
max time network: 121s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 20-11-2024 22:21
Static task: static1

Behavioral task: behavioral1
Sample: 42ba1864fe2dd7344d8aa87ce3ab7c1c68790ff2291d50b7aa3016b92346df72.exe
Resource: win7-20240903-en

Behavioral task: behavioral2
Sample: 42ba1864fe2dd7344d8aa87ce3ab7c1c68790ff2291d50b7aa3016b92346df72.exe
Resource: win10v2004-20241007-en
General

Target: 42ba1864fe2dd7344d8aa87ce3ab7c1c68790ff2291d50b7aa3016b92346df72.exe
Size: 188KB
MD5: baa7b153702f5d64936b1dd421abc31b
SHA1: c9fb50fefd899742c2ec38a473ebd69f3eb4564b
SHA256: 42ba1864fe2dd7344d8aa87ce3ab7c1c68790ff2291d50b7aa3016b92346df72
SHA512: b9bcba9f06dffcd7ff4fd4f911f443cc3cffac33d6665b99472736c8b9e441a92fcacb210aec0ad4a40a547737bbd65c820ab6b69506f2048b399cddf5800274
SSDEEP: 3072:epBnkz6Mfu6uLUv1AerDtsr3vhqhEN4MAH+mbPepZBC8qzNJSKrDco:KnkzaLUv1AelhEN4MujGJoSoDco
Malware Config

Signatures
Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)

description | ioc | Process
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Nkkmgncb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Odkgec32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Popgboae.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Aognbnkm.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Mciabmlo.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Kmimcbja.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Kdbepm32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Hfbcidmk.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Imodkadq.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Iegeonpc.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Kpgionie.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ipjdameg.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ofqmcj32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Giolnomh.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Iakino32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Qaapcj32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Nqjaeeog.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Njgpij32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Pnchhllf.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Pmhejhao.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Plmbkd32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Plpopddd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Laleof32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Kdbepm32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Llpfjomf.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Fkefbcmf.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ieibdnnp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Jlhkgm32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Olmela32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Oefjdgjk.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bjjaikoa.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Ckbpqe32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Dfhdnn32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Mflgih32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Ojeobm32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Plpopddd.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ahmefdcp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Bbjpil32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Cncmcm32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Jdflqo32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Jpmmfp32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Pmhejhao.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Cglalbbi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Kljdkpfl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Ckpckece.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Cidddj32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Gpggei32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Hcepqh32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Cgnnab32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Jnmiag32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Njeccjcd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Opfegp32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Qdompf32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Bjjaikoa.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Bfcodkcb.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bdkhjgeh.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Njeccjcd.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ikqnlh32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Jcciqi32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Klcgpkhh.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Lkdjglfo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Nkkmgncb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Blkjkflb.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bolcma32.exe
Executes dropped EXE (64 IoCs)

pid | Process
2184 | Hcdgmimg.exe
2756 | Hfbcidmk.exe
2812 | Hdecea32.exe
2332 | Hfepod32.exe
2584 | Hiclkp32.exe
2044 | Haqnea32.exe
2856 | Imgnjb32.exe
2388 | Ieofkp32.exe
2120 | Ifbphh32.exe
1664 | Ipjdameg.exe
1748 | Imodkadq.exe
536 | Ibkmchbh.exe
1816 | Inbnhihl.exe
2912 | Jigbebhb.exe
448 | Jlhkgm32.exe
2516 | Joggci32.exe
1568 | Joidhh32.exe
872 | Jdflqo32.exe
296 | Jokqnhpa.exe
1304 | Jpmmfp32.exe
2872 | Kmqmod32.exe
1636 | Kpojkp32.exe
1736 | Kkdnhi32.exe
868 | Klfjpa32.exe
3060 | Kgkonj32.exe
1572 | Kpdcfoph.exe
2564 | Kljdkpfl.exe
2536 | Kechdf32.exe
2792 | Khadpa32.exe
2708 | Kajiigba.exe
2216 | Lkbmbl32.exe
2960 | Laleof32.exe
2188 | Lkdjglfo.exe
1400 | Lncfcgeb.exe
2352 | Ldmopa32.exe
1300 | Lkggmldl.exe
1624 | Lpcoeb32.exe
1716 | Lkicbk32.exe
2088 | Ldahkaij.exe
2416 | Lfbdci32.exe
1336 | Mcfemmna.exe
1640 | Mfeaiime.exe
896 | Mciabmlo.exe
2484 | Mhfjjdjf.exe
2928 | Mopbgn32.exe
1708 | Mbnocipg.exe
2276 | Mmccqbpm.exe
2624 | Mobomnoq.exe
2320 | Mflgih32.exe
2312 | Mdogedmh.exe
292 | Mnglnj32.exe
2892 | Mdadjd32.exe
2664 | Nkkmgncb.exe
3016 | Nqhepeai.exe
2032 | Ngbmlo32.exe
2280 | Nnleiipc.exe
2840 | Nqjaeeog.exe
1152 | Nfgjml32.exe
1600 | Nmabjfek.exe
1632 | Nppofado.exe
2496 | Njeccjcd.exe
300 | Ncmglp32.exe
1680 | Njgpij32.exe
1960 | Nmflee32.exe
Loads dropped DLL (64 IoCs)

pid | Process
3024 | 42ba1864fe2dd7344d8aa87ce3ab7c1c68790ff2291d50b7aa3016b92346df72.exe
3024 | 42ba1864fe2dd7344d8aa87ce3ab7c1c68790ff2291d50b7aa3016b92346df72.exe
2184 | Hcdgmimg.exe
2184 | Hcdgmimg.exe
2756 | Hfbcidmk.exe
2756 | Hfbcidmk.exe
2812 | Hdecea32.exe
2812 | Hdecea32.exe
2332 | Hfepod32.exe
2332 | Hfepod32.exe
2584 | Hiclkp32.exe
2584 | Hiclkp32.exe
2044 | Haqnea32.exe
2044 | Haqnea32.exe
2856 | Imgnjb32.exe
2856 | Imgnjb32.exe
2388 | Ieofkp32.exe
2388 | Ieofkp32.exe
2120 | Ifbphh32.exe
2120 | Ifbphh32.exe
1664 | Ipjdameg.exe
1664 | Ipjdameg.exe
1748 | Imodkadq.exe
1748 | Imodkadq.exe
536 | Ibkmchbh.exe
536 | Ibkmchbh.exe
1816 | Inbnhihl.exe
1816 | Inbnhihl.exe
2912 | Jigbebhb.exe
2912 | Jigbebhb.exe
448 | Jlhkgm32.exe
448 | Jlhkgm32.exe
2516 | Joggci32.exe
2516 | Joggci32.exe
1568 | Joidhh32.exe
1568 | Joidhh32.exe
872 | Jdflqo32.exe
872 | Jdflqo32.exe
296 | Jokqnhpa.exe
296 | Jokqnhpa.exe
1304 | Jpmmfp32.exe
1304 | Jpmmfp32.exe
2872 | Kmqmod32.exe
2872 | Kmqmod32.exe
1636 | Kpojkp32.exe
1636 | Kpojkp32.exe
1736 | Kkdnhi32.exe
1736 | Kkdnhi32.exe
868 | Klfjpa32.exe
868 | Klfjpa32.exe
3060 | Kgkonj32.exe
3060 | Kgkonj32.exe
1572 | Kpdcfoph.exe
1572 | Kpdcfoph.exe
2564 | Kljdkpfl.exe
2564 | Kljdkpfl.exe
2536 | Kechdf32.exe
2536 | Kechdf32.exe
2792 | Khadpa32.exe
2792 | Khadpa32.exe
2708 | Kajiigba.exe
2708 | Kajiigba.exe
2216 | Lkbmbl32.exe
2216 | Lkbmbl32.exe
Drops file in System32 directory (64 IoCs)

description | ioc | Process
File created | C:\Windows\SysWOW64\Fliook32.exe | Fijbco32.exe
File created | C:\Windows\SysWOW64\Hmmdin32.exe | Hjohmbpd.exe
File created | C:\Windows\SysWOW64\Ieibdnnp.exe | Inojhc32.exe
File created | C:\Windows\SysWOW64\Qmeedp32.dll | Jfmkbebl.exe
File created | C:\Windows\SysWOW64\Kidjdpie.exe | Jnofgg32.exe
File created | C:\Windows\SysWOW64\Oqelhkhc.dll | Hiclkp32.exe
File created | C:\Windows\SysWOW64\Bmblbf32.dll | Fefqdl32.exe
File created | C:\Windows\SysWOW64\Nhbcdh32.dll | Kpdcfoph.exe
File created | C:\Windows\SysWOW64\Dnhgdb32.dll | Laleof32.exe
File created | C:\Windows\SysWOW64\Njeccjcd.exe | Nppofado.exe
File created | C:\Windows\SysWOW64\Ojeobm32.exe | Odkgec32.exe
File opened for modification | C:\Windows\SysWOW64\Pmhejhao.exe | Phklaacg.exe
File created | C:\Windows\SysWOW64\Fgglcg32.dll | Phklaacg.exe
File created | C:\Windows\SysWOW64\Fejcohho.dll | Hdecea32.exe
File created | C:\Windows\SysWOW64\Bndlbd32.dll | Ieofkp32.exe
File opened for modification | C:\Windows\SysWOW64\Jefbnacn.exe | Jnmiag32.exe
File created | C:\Windows\SysWOW64\Eadbpdla.dll | Coicfd32.exe
File created | C:\Windows\SysWOW64\Gefmcp32.exe | Gcgqgd32.exe
File created | C:\Windows\SysWOW64\Fkgfqf32.dll | Eimcjl32.exe
File created | C:\Windows\SysWOW64\Pigckoki.dll | Kgcnahoo.exe
File created | C:\Windows\SysWOW64\Pebncn32.dll | Ldmopa32.exe
File created | C:\Windows\SysWOW64\Pcfahenq.dll | Ahmefdcp.exe
File opened for modification | C:\Windows\SysWOW64\Fahhnn32.exe | Eknpadcn.exe
File created | C:\Windows\SysWOW64\Opjqff32.dll | Gaagcpdl.exe
File created | C:\Windows\SysWOW64\Ahpbkd32.exe | Aaejojjq.exe
File created | C:\Windows\SysWOW64\Phoogg32.dll | Ajehnk32.exe
File opened for modification | C:\Windows\SysWOW64\Opfegp32.exe | Omhhke32.exe
File created | C:\Windows\SysWOW64\Eafkhn32.exe | Eogolc32.exe
File opened for modification | C:\Windows\SysWOW64\Folhgbid.exe | Fdgdji32.exe
File created | C:\Windows\SysWOW64\Gmhkin32.exe | Fgocmc32.exe
File created | C:\Windows\SysWOW64\Aekabb32.dll | Iakino32.exe
File opened for modification | C:\Windows\SysWOW64\Jfohgepi.exe | Jcqlkjae.exe
File created | C:\Windows\SysWOW64\Nhgofhlp.dll | Haqnea32.exe
File created | C:\Windows\SysWOW64\Fdekpjbk.dll | Khadpa32.exe
File opened for modification | C:\Windows\SysWOW64\Kocpbfei.exe | Klecfkff.exe
File opened for modification | C:\Windows\SysWOW64\Bacihmoo.exe | Blfapfpg.exe
File created | C:\Windows\SysWOW64\Iampng32.dll | Eemnnn32.exe
File opened for modification | C:\Windows\SysWOW64\Fefqdl32.exe | Folhgbid.exe
File opened for modification | C:\Windows\SysWOW64\Gamnhq32.exe | Gcjmmdbf.exe
File created | C:\Windows\SysWOW64\Nhpfip32.dll | Gamnhq32.exe
File opened for modification | C:\Windows\SysWOW64\Inbnhihl.exe | Ibkmchbh.exe
File created | C:\Windows\SysWOW64\Bjkeingq.dll | Inbnhihl.exe
File created | C:\Windows\SysWOW64\Nkgcpnbh.dll | Ngbmlo32.exe
File created | C:\Windows\SysWOW64\Obbdml32.exe | Nmflee32.exe
File created | C:\Windows\SysWOW64\Peefcjlg.exe | Plmbkd32.exe
File created | C:\Windows\SysWOW64\Codebccd.dll | Qaapcj32.exe
File created | C:\Windows\SysWOW64\Fkefbcmf.exe | Fhgifgnb.exe
File created | C:\Windows\SysWOW64\Iegeonpc.exe | Iakino32.exe
File opened for modification | C:\Windows\SysWOW64\Ibkmchbh.exe | Imodkadq.exe
File opened for modification | C:\Windows\SysWOW64\Mfeaiime.exe | Mcfemmna.exe
File opened for modification | C:\Windows\SysWOW64\Jcqlkjae.exe | Jikhnaao.exe
File created | C:\Windows\SysWOW64\Aiomcb32.dll | Jnofgg32.exe
File opened for modification | C:\Windows\SysWOW64\Klfjpa32.exe | Kkdnhi32.exe
File created | C:\Windows\SysWOW64\Olmela32.exe | Ofqmcj32.exe
File created | C:\Windows\SysWOW64\Qaapcj32.exe | Qldhkc32.exe
File created | C:\Windows\SysWOW64\Cgnnab32.exe | Cqdfehii.exe
File created | C:\Windows\SysWOW64\Dgnjqe32.exe | Dadbdkld.exe
File created | C:\Windows\SysWOW64\Fmaeho32.exe | Fefqdl32.exe
File opened for modification | C:\Windows\SysWOW64\Ipjdameg.exe | Ifbphh32.exe
File created | C:\Windows\SysWOW64\Ajdmngfm.dll | Jokqnhpa.exe
File created | C:\Windows\SysWOW64\Hjohmbpd.exe | Hcepqh32.exe
File opened for modification | C:\Windows\SysWOW64\Bnapnm32.exe | Bjedmo32.exe
File created | C:\Windows\SysWOW64\Cnfdih32.dll | Cglalbbi.exe
File created | C:\Windows\SysWOW64\Cfckcoen.exe | Coicfd32.exe
Program crash (1 IoCs)

pid | pid_target | Process | procid_target
4052 | 3916 | WerFault.exe | 291
System Location Discovery: System Language Discovery (1 TTPs, 64 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Jfaeme32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Bkknac32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Hmmdin32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Coicfd32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Hcjilgdb.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Phklaacg.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Aaejojjq.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Nqjaeeog.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Fmaeho32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Iaimipjl.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Jfmkbebl.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Lncfcgeb.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Mmccqbpm.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ebqngb32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Omhhke32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Eakhdj32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Jllqplnp.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Kmimcbja.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Jokqnhpa.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Nnleiipc.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ghdiokbq.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Hifbdnbi.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Iebldo32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Jfohgepi.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Lkggmldl.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Bbjpil32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ikqnlh32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Kapohbfp.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Lpcoeb32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ohdfqbio.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Inmmbc32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Njeccjcd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Pehcij32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Iocgfhhc.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Iegeonpc.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Cbjlhpkb.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Eogolc32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Boifga32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Bdkhjgeh.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Fdnjkh32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Jefbnacn.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ibkmchbh.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Qkielpdf.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Bolcma32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Daaenlng.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Efedga32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Eppefg32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Gaagcpdl.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Hcdgmimg.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Mciabmlo.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Bfcodkcb.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Cdmepgce.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Eknpadcn.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Gefmcp32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Hjohmbpd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Mcfemmna.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Nmflee32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Hqkmplen.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Kdeaelok.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Lbjofi32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Mnglnj32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Gcjmmdbf.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Cglalbbi.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Fhgifgnb.exe
Modifies registry class (64 IoCs)

description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Mopbgn32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Ncmglp32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Peefcjlg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID | 42ba1864fe2dd7344d8aa87ce3ab7c1c68790ff2291d50b7aa3016b92346df72.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cnkiqi32.dll" | Hfbcidmk.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Klfjpa32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Lfbdci32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Mhfjjdjf.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Bjjaikoa.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Eblelb32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bieepc32.dll" | Eblelb32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebfkilbo.dll" | Fliook32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cgngaoal.dll" | Jmdgipkk.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Iogpag32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fbbngc32.dll" | Inojhc32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Lkggmldl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Opfegp32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Bhbkpgbf.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Ghdiokbq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Hjmlhbbg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Kdbepm32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Kgcnahoo.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Kljdkpfl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Bnapnm32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Cglalbbi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ikedjg32.dll" | Fdnjkh32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Kkjpggkn.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Hqkmplen.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipafocdg.dll" | Llpfjomf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Mdadjd32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Canipj32.dll" | Bbjpil32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Ckbpqe32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Abgacn32.dll" | Dfhdnn32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odifibfn.dll" | Fkefbcmf.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Klcgpkhh.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jamgla32.dll" | Ldahkaij.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Nnleiipc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Bfcodkcb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Gockgdeh.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Jfohgepi.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Jlqjkk32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aemgfj32.dll" | Qmhahkdj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jaoobkci.dll" | Ahpbkd32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hcjdjiqp.dll" | Folhgbid.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Iakino32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmnfciac.dll" | Jnmiag32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Oefjdgjk.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Blfapfpg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Cbjlhpkb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Inmnap32.dll" | 42ba1864fe2dd7344d8aa87ce3ab7c1c68790ff2291d50b7aa3016b92346df72.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Looghene.dll" | Jigbebhb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Lkbmbl32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kioljfll.dll" | Ncmglp32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Onlahm32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Kmkihbho.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Njmokcbh.dll" | Daaenlng.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Eimcjl32.exe
Set value (str)
\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ghibjjnk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kqacnpdp.dll" Hgciff32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kpgionie.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Lfbdci32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ahpbkd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Gcjmmdbf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jcqlkjae.exe -
Suspicious use of WriteProcessMemory 64 IoCs

| description | pid | Process | procid_target |
|---|---|---|---|
| PID 3024 wrote to memory of 2184 | 3024 | 42ba1864fe2dd7344d8aa87ce3ab7c1c68790ff2291d50b7aa3016b92346df72.exe | 31 |
| PID 3024 wrote to memory of 2184 | 3024 | 42ba1864fe2dd7344d8aa87ce3ab7c1c68790ff2291d50b7aa3016b92346df72.exe | 31 |
| PID 3024 wrote to memory of 2184 | 3024 | 42ba1864fe2dd7344d8aa87ce3ab7c1c68790ff2291d50b7aa3016b92346df72.exe | 31 |
| PID 3024 wrote to memory of 2184 | 3024 | 42ba1864fe2dd7344d8aa87ce3ab7c1c68790ff2291d50b7aa3016b92346df72.exe | 31 |
| PID 2184 wrote to memory of 2756 | 2184 | Hcdgmimg.exe | 32 |
| PID 2184 wrote to memory of 2756 | 2184 | Hcdgmimg.exe | 32 |
| PID 2184 wrote to memory of 2756 | 2184 | Hcdgmimg.exe | 32 |
| PID 2184 wrote to memory of 2756 | 2184 | Hcdgmimg.exe | 32 |
| PID 2756 wrote to memory of 2812 | 2756 | Hfbcidmk.exe | 33 |
| PID 2756 wrote to memory of 2812 | 2756 | Hfbcidmk.exe | 33 |
| PID 2756 wrote to memory of 2812 | 2756 | Hfbcidmk.exe | 33 |
| PID 2756 wrote to memory of 2812 | 2756 | Hfbcidmk.exe | 33 |
| PID 2812 wrote to memory of 2332 | 2812 | Hdecea32.exe | 34 |
| PID 2812 wrote to memory of 2332 | 2812 | Hdecea32.exe | 34 |
| PID 2812 wrote to memory of 2332 | 2812 | Hdecea32.exe | 34 |
| PID 2812 wrote to memory of 2332 | 2812 | Hdecea32.exe | 34 |
| PID 2332 wrote to memory of 2584 | 2332 | Hfepod32.exe | 35 |
| PID 2332 wrote to memory of 2584 | 2332 | Hfepod32.exe | 35 |
| PID 2332 wrote to memory of 2584 | 2332 | Hfepod32.exe | 35 |
| PID 2332 wrote to memory of 2584 | 2332 | Hfepod32.exe | 35 |
| PID 2584 wrote to memory of 2044 | 2584 | Hiclkp32.exe | 36 |
| PID 2584 wrote to memory of 2044 | 2584 | Hiclkp32.exe | 36 |
| PID 2584 wrote to memory of 2044 | 2584 | Hiclkp32.exe | 36 |
| PID 2584 wrote to memory of 2044 | 2584 | Hiclkp32.exe | 36 |
| PID 2044 wrote to memory of 2856 | 2044 | Haqnea32.exe | 37 |
| PID 2044 wrote to memory of 2856 | 2044 | Haqnea32.exe | 37 |
| PID 2044 wrote to memory of 2856 | 2044 | Haqnea32.exe | 37 |
| PID 2044 wrote to memory of 2856 | 2044 | Haqnea32.exe | 37 |
| PID 2856 wrote to memory of 2388 | 2856 | Imgnjb32.exe | 38 |
| PID 2856 wrote to memory of 2388 | 2856 | Imgnjb32.exe | 38 |
| PID 2856 wrote to memory of 2388 | 2856 | Imgnjb32.exe | 38 |
| PID 2856 wrote to memory of 2388 | 2856 | Imgnjb32.exe | 38 |
| PID 2388 wrote to memory of 2120 | 2388 | Ieofkp32.exe | 39 |
| PID 2388 wrote to memory of 2120 | 2388 | Ieofkp32.exe | 39 |
| PID 2388 wrote to memory of 2120 | 2388 | Ieofkp32.exe | 39 |
| PID 2388 wrote to memory of 2120 | 2388 | Ieofkp32.exe | 39 |
| PID 2120 wrote to memory of 1664 | 2120 | Ifbphh32.exe | 40 |
| PID 2120 wrote to memory of 1664 | 2120 | Ifbphh32.exe | 40 |
| PID 2120 wrote to memory of 1664 | 2120 | Ifbphh32.exe | 40 |
| PID 2120 wrote to memory of 1664 | 2120 | Ifbphh32.exe | 40 |
| PID 1664 wrote to memory of 1748 | 1664 | Ipjdameg.exe | 41 |
| PID 1664 wrote to memory of 1748 | 1664 | Ipjdameg.exe | 41 |
| PID 1664 wrote to memory of 1748 | 1664 | Ipjdameg.exe | 41 |
| PID 1664 wrote to memory of 1748 | 1664 | Ipjdameg.exe | 41 |
| PID 1748 wrote to memory of 536 | 1748 | Imodkadq.exe | 42 |
| PID 1748 wrote to memory of 536 | 1748 | Imodkadq.exe | 42 |
| PID 1748 wrote to memory of 536 | 1748 | Imodkadq.exe | 42 |
| PID 1748 wrote to memory of 536 | 1748 | Imodkadq.exe | 42 |
| PID 536 wrote to memory of 1816 | 536 | Ibkmchbh.exe | 43 |
| PID 536 wrote to memory of 1816 | 536 | Ibkmchbh.exe | 43 |
| PID 536 wrote to memory of 1816 | 536 | Ibkmchbh.exe | 43 |
| PID 536 wrote to memory of 1816 | 536 | Ibkmchbh.exe | 43 |
| PID 1816 wrote to memory of 2912 | 1816 | Inbnhihl.exe | 44 |
| PID 1816 wrote to memory of 2912 | 1816 | Inbnhihl.exe | 44 |
| PID 1816 wrote to memory of 2912 | 1816 | Inbnhihl.exe | 44 |
| PID 1816 wrote to memory of 2912 | 1816 | Inbnhihl.exe | 44 |
| PID 2912 wrote to memory of 448 | 2912 | Jigbebhb.exe | 45 |
| PID 2912 wrote to memory of 448 | 2912 | Jigbebhb.exe | 45 |
| PID 2912 wrote to memory of 448 | 2912 | Jigbebhb.exe | 45 |
| PID 2912 wrote to memory of 448 | 2912 | Jigbebhb.exe | 45 |
| PID 448 wrote to memory of 2516 | 448 | Jlhkgm32.exe | 46 |
| PID 448 wrote to memory of 2516 | 448 | Jlhkgm32.exe | 46 |
| PID 448 wrote to memory of 2516 | 448 | Jlhkgm32.exe | 46 |
| PID 448 wrote to memory of 2516 | 448 | Jlhkgm32.exe | 46 |
Processes

Process tree as reported; the depth column is each process's nesting level in the tree, and each entry's signatures are listed in its last column.

| Depth | PID | Image path | Command line | Signatures |
|---|---|---|---|---|
| 1 | 3024 | C:\Users\Admin\AppData\Local\Temp\42ba1864fe2dd7344d8aa87ce3ab7c1c68790ff2291d50b7aa3016b92346df72.exe | "C:\Users\Admin\AppData\Local\Temp\42ba1864fe2dd7344d8aa87ce3ab7c1c68790ff2291d50b7aa3016b92346df72.exe" | Loads dropped DLL; Modifies registry class; Suspicious use of WriteProcessMemory |
| 2 | 2184 | C:\Windows\SysWOW64\Hcdgmimg.exe | C:\Windows\system32\Hcdgmimg.exe | Executes dropped EXE; Loads dropped DLL; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory |
| 3 | 2756 | C:\Windows\SysWOW64\Hfbcidmk.exe | C:\Windows\system32\Hfbcidmk.exe | Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Loads dropped DLL; Modifies registry class; Suspicious use of WriteProcessMemory |
| 4 | 2812 | C:\Windows\SysWOW64\Hdecea32.exe | C:\Windows\system32\Hdecea32.exe | Executes dropped EXE; Loads dropped DLL; Drops file in System32 directory; Suspicious use of WriteProcessMemory |
| 5 | 2332 | C:\Windows\SysWOW64\Hfepod32.exe | C:\Windows\system32\Hfepod32.exe | Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory |
| 6 | 2584 | C:\Windows\SysWOW64\Hiclkp32.exe | C:\Windows\system32\Hiclkp32.exe | Executes dropped EXE; Loads dropped DLL; Drops file in System32 directory; Suspicious use of WriteProcessMemory |
| 7 | 2044 | C:\Windows\SysWOW64\Haqnea32.exe | C:\Windows\system32\Haqnea32.exe | Executes dropped EXE; Loads dropped DLL; Drops file in System32 directory; Suspicious use of WriteProcessMemory |
| 8 | 2856 | C:\Windows\SysWOW64\Imgnjb32.exe | C:\Windows\system32\Imgnjb32.exe | Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory |
| 9 | 2388 | C:\Windows\SysWOW64\Ieofkp32.exe | C:\Windows\system32\Ieofkp32.exe | Executes dropped EXE; Loads dropped DLL; Drops file in System32 directory; Suspicious use of WriteProcessMemory |
| 10 | 2120 | C:\Windows\SysWOW64\Ifbphh32.exe | C:\Windows\system32\Ifbphh32.exe | Executes dropped EXE; Loads dropped DLL; Drops file in System32 directory; Suspicious use of WriteProcessMemory |
| 11 | 1664 | C:\Windows\SysWOW64\Ipjdameg.exe | C:\Windows\system32\Ipjdameg.exe | Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory |
| 12 | 1748 | C:\Windows\SysWOW64\Imodkadq.exe | C:\Windows\system32\Imodkadq.exe | Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Loads dropped DLL; Drops file in System32 directory; Suspicious use of WriteProcessMemory |
| 13 | 536 | C:\Windows\SysWOW64\Ibkmchbh.exe | C:\Windows\system32\Ibkmchbh.exe | Executes dropped EXE; Loads dropped DLL; Drops file in System32 directory; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory |
| 14 | 1816 | C:\Windows\SysWOW64\Inbnhihl.exe | C:\Windows\system32\Inbnhihl.exe | Executes dropped EXE; Loads dropped DLL; Drops file in System32 directory; Suspicious use of WriteProcessMemory |
| 15 | 2912 | C:\Windows\SysWOW64\Jigbebhb.exe | C:\Windows\system32\Jigbebhb.exe | Executes dropped EXE; Loads dropped DLL; Modifies registry class; Suspicious use of WriteProcessMemory |
| 16 | 448 | C:\Windows\SysWOW64\Jlhkgm32.exe | C:\Windows\system32\Jlhkgm32.exe | Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory |
| 17 | 2516 | C:\Windows\SysWOW64\Joggci32.exe | C:\Windows\system32\Joggci32.exe | Executes dropped EXE; Loads dropped DLL |
| 18 | 1568 | C:\Windows\SysWOW64\Joidhh32.exe | C:\Windows\system32\Joidhh32.exe | Executes dropped EXE; Loads dropped DLL |
| 19 | 872 | C:\Windows\SysWOW64\Jdflqo32.exe | C:\Windows\system32\Jdflqo32.exe | Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Loads dropped DLL |
| 20 | 296 | C:\Windows\SysWOW64\Jokqnhpa.exe | C:\Windows\system32\Jokqnhpa.exe | Executes dropped EXE; Loads dropped DLL; Drops file in System32 directory; System Location Discovery: System Language Discovery |
| 21 | 1304 | C:\Windows\SysWOW64\Jpmmfp32.exe | C:\Windows\system32\Jpmmfp32.exe | Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Loads dropped DLL |
| 22 | 2872 | C:\Windows\SysWOW64\Kmqmod32.exe | C:\Windows\system32\Kmqmod32.exe | Executes dropped EXE; Loads dropped DLL |
| 23 | 1636 | C:\Windows\SysWOW64\Kpojkp32.exe | C:\Windows\system32\Kpojkp32.exe | Executes dropped EXE; Loads dropped DLL |
| 24 | 1736 | C:\Windows\SysWOW64\Kkdnhi32.exe | C:\Windows\system32\Kkdnhi32.exe | Executes dropped EXE; Loads dropped DLL; Drops file in System32 directory |
| 25 | 868 | C:\Windows\SysWOW64\Klfjpa32.exe | C:\Windows\system32\Klfjpa32.exe | Executes dropped EXE; Loads dropped DLL; Modifies registry class |
| 26 | 3060 | C:\Windows\SysWOW64\Kgkonj32.exe | C:\Windows\system32\Kgkonj32.exe | Executes dropped EXE; Loads dropped DLL |
| 27 | 1572 | C:\Windows\SysWOW64\Kpdcfoph.exe | C:\Windows\system32\Kpdcfoph.exe | Executes dropped EXE; Loads dropped DLL; Drops file in System32 directory |
| 28 | 2564 | C:\Windows\SysWOW64\Kljdkpfl.exe | C:\Windows\system32\Kljdkpfl.exe | Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Loads dropped DLL; Modifies registry class |
| 29 | 2536 | C:\Windows\SysWOW64\Kechdf32.exe | C:\Windows\system32\Kechdf32.exe | Executes dropped EXE; Loads dropped DLL |
| 30 | 2792 | C:\Windows\SysWOW64\Khadpa32.exe | C:\Windows\system32\Khadpa32.exe | Executes dropped EXE; Loads dropped DLL; Drops file in System32 directory |
| 31 | 2708 | C:\Windows\SysWOW64\Kajiigba.exe | C:\Windows\system32\Kajiigba.exe | Executes dropped EXE; Loads dropped DLL |
| 32 | 2216 | C:\Windows\SysWOW64\Lkbmbl32.exe | C:\Windows\system32\Lkbmbl32.exe | Executes dropped EXE; Loads dropped DLL; Modifies registry class |
| 33 | 2960 | C:\Windows\SysWOW64\Laleof32.exe | C:\Windows\system32\Laleof32.exe | Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Drops file in System32 directory |
| 34 | 2188 | C:\Windows\SysWOW64\Lkdjglfo.exe | C:\Windows\system32\Lkdjglfo.exe | Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE |
| 35 | 1400 | C:\Windows\SysWOW64\Lncfcgeb.exe | C:\Windows\system32\Lncfcgeb.exe | Executes dropped EXE; System Location Discovery: System Language Discovery |
| 36 | 2352 | C:\Windows\SysWOW64\Ldmopa32.exe | C:\Windows\system32\Ldmopa32.exe | Executes dropped EXE; Drops file in System32 directory |
| 37 | 1300 | C:\Windows\SysWOW64\Lkggmldl.exe | C:\Windows\system32\Lkggmldl.exe | Executes dropped EXE; System Location Discovery: System Language Discovery; Modifies registry class |
| 38 | 1624 | C:\Windows\SysWOW64\Lpcoeb32.exe | C:\Windows\system32\Lpcoeb32.exe | Executes dropped EXE; System Location Discovery: System Language Discovery |
| 39 | 1716 | C:\Windows\SysWOW64\Lkicbk32.exe | C:\Windows\system32\Lkicbk32.exe | Executes dropped EXE |
| 40 | 2088 | C:\Windows\SysWOW64\Ldahkaij.exe | C:\Windows\system32\Ldahkaij.exe | Executes dropped EXE; Modifies registry class |
| 41 | 2416 | C:\Windows\SysWOW64\Lfbdci32.exe | C:\Windows\system32\Lfbdci32.exe | Executes dropped EXE; Modifies registry class |
| 42 | 1336 | C:\Windows\SysWOW64\Mcfemmna.exe | C:\Windows\system32\Mcfemmna.exe | Executes dropped EXE; Drops file in System32 directory; System Location Discovery: System Language Discovery |
| 43 | 1640 | C:\Windows\SysWOW64\Mfeaiime.exe | C:\Windows\system32\Mfeaiime.exe | Executes dropped EXE |
| 44 | 896 | C:\Windows\SysWOW64\Mciabmlo.exe | C:\Windows\system32\Mciabmlo.exe | Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; System Location Discovery: System Language Discovery |
| 45 | 2484 | C:\Windows\SysWOW64\Mhfjjdjf.exe | C:\Windows\system32\Mhfjjdjf.exe | Executes dropped EXE; Modifies registry class |
| 46 | 2928 | C:\Windows\SysWOW64\Mopbgn32.exe | C:\Windows\system32\Mopbgn32.exe | Executes dropped EXE; Modifies registry class |
| 47 | 1708 | C:\Windows\SysWOW64\Mbnocipg.exe | C:\Windows\system32\Mbnocipg.exe | Executes dropped EXE |
| 48 | 2276 | C:\Windows\SysWOW64\Mmccqbpm.exe | C:\Windows\system32\Mmccqbpm.exe | Executes dropped EXE; System Location Discovery: System Language Discovery |
| 49 | 2624 | C:\Windows\SysWOW64\Mobomnoq.exe | C:\Windows\system32\Mobomnoq.exe | Executes dropped EXE |
| 50 | 2320 | C:\Windows\SysWOW64\Mflgih32.exe | C:\Windows\system32\Mflgih32.exe | Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE |
| 51 | 2312 | C:\Windows\SysWOW64\Mdogedmh.exe | C:\Windows\system32\Mdogedmh.exe | Executes dropped EXE |
| 52 | 3012 | C:\Windows\SysWOW64\Mgmdapml.exe | C:\Windows\system32\Mgmdapml.exe | (none) |
| 53 | 292 | C:\Windows\SysWOW64\Mnglnj32.exe | C:\Windows\system32\Mnglnj32.exe | Executes dropped EXE; System Location Discovery: System Language Discovery |
| 54 | 2892 | C:\Windows\SysWOW64\Mdadjd32.exe | C:\Windows\system32\Mdadjd32.exe | Executes dropped EXE; Modifies registry class |
| 55 | 2664 | C:\Windows\SysWOW64\Nkkmgncb.exe | C:\Windows\system32\Nkkmgncb.exe | Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE |
| 56 | 3016 | C:\Windows\SysWOW64\Nqhepeai.exe | C:\Windows\system32\Nqhepeai.exe | Executes dropped EXE |
| 57 | 2032 | C:\Windows\SysWOW64\Ngbmlo32.exe | C:\Windows\system32\Ngbmlo32.exe | Executes dropped EXE; Drops file in System32 directory |
| 58 | 2280 | C:\Windows\SysWOW64\Nnleiipc.exe | C:\Windows\system32\Nnleiipc.exe | Executes dropped EXE; System Location Discovery: System Language Discovery; Modifies registry class |
| 59 | 2840 | C:\Windows\SysWOW64\Nqjaeeog.exe | C:\Windows\system32\Nqjaeeog.exe | Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; System Location Discovery: System Language Discovery |
| 60 | 1152 | C:\Windows\SysWOW64\Nfgjml32.exe | C:\Windows\system32\Nfgjml32.exe | Executes dropped EXE |
| 61 | 1600 | C:\Windows\SysWOW64\Nmabjfek.exe | C:\Windows\system32\Nmabjfek.exe | Executes dropped EXE |
| 62 | 1632 | C:\Windows\SysWOW64\Nppofado.exe | C:\Windows\system32\Nppofado.exe | Executes dropped EXE; Drops file in System32 directory |
| 63 | 2496 | C:\Windows\SysWOW64\Njeccjcd.exe | C:\Windows\system32\Njeccjcd.exe | Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; System Location Discovery: System Language Discovery |
| 64 | 300 | C:\Windows\SysWOW64\Ncmglp32.exe | C:\Windows\system32\Ncmglp32.exe | Executes dropped EXE; Modifies registry class |
| 65 | 1680 | C:\Windows\SysWOW64\Njgpij32.exe | C:\Windows\system32\Njgpij32.exe | Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE |
| 66 | 1960 | C:\Windows\SysWOW64\Nmflee32.exe | C:\Windows\system32\Nmflee32.exe | Executes dropped EXE; Drops file in System32 directory; System Location Discovery: System Language Discovery |
| 67 | 1940 | C:\Windows\SysWOW64\Obbdml32.exe | C:\Windows\system32\Obbdml32.exe | (none) |
| 68 | 2820 | C:\Windows\SysWOW64\Oimmjffj.exe | C:\Windows\system32\Oimmjffj.exe | (none) |
| 69 | 2700 | C:\Windows\SysWOW64\Omhhke32.exe | C:\Windows\system32\Omhhke32.exe | Drops file in System32 directory; System Location Discovery: System Language Discovery |
| 70 | 2636 | C:\Windows\SysWOW64\Opfegp32.exe | C:\Windows\system32\Opfegp32.exe | Adds autorun key to be loaded by Explorer.exe on startup; Modifies registry class |
| 71 | 2648 | C:\Windows\SysWOW64\Ofqmcj32.exe | C:\Windows\system32\Ofqmcj32.exe | Adds autorun key to be loaded by Explorer.exe on startup; Drops file in System32 directory |
| 72 | 2712 | C:\Windows\SysWOW64\Olmela32.exe | C:\Windows\system32\Olmela32.exe | Adds autorun key to be loaded by Explorer.exe on startup |
| 73 | 1800 | C:\Windows\SysWOW64\Onlahm32.exe | C:\Windows\system32\Onlahm32.exe | Modifies registry class |
| 74 | 272 | C:\Windows\SysWOW64\Oefjdgjk.exe | C:\Windows\system32\Oefjdgjk.exe | Adds autorun key to be loaded by Explorer.exe on startup; Modifies registry class |
| 75 | 1324 | C:\Windows\SysWOW64\Ohdfqbio.exe | C:\Windows\system32\Ohdfqbio.exe | System Location Discovery: System Language Discovery |
| 76 | 2076 | C:\Windows\SysWOW64\Onnnml32.exe | C:\Windows\system32\Onnnml32.exe | (none) |
| 77 | 1980 | C:\Windows\SysWOW64\Objjnkie.exe | C:\Windows\system32\Objjnkie.exe | (none) |
| 78 | 1952 | C:\Windows\SysWOW64\Odkgec32.exe | C:\Windows\system32\Odkgec32.exe | Adds autorun key to be loaded by Explorer.exe on startup; Drops file in System32 directory |
| 79 | 1368 | C:\Windows\SysWOW64\Ojeobm32.exe | C:\Windows\system32\Ojeobm32.exe | Adds autorun key to be loaded by Explorer.exe on startup |
| 80 | 2372 | C:\Windows\SysWOW64\Odmckcmq.exe | C:\Windows\system32\Odmckcmq.exe | (none) |
| 81 | 2144 | C:\Windows\SysWOW64\Pnchhllf.exe | C:\Windows\system32\Pnchhllf.exe | Adds autorun key to be loaded by Explorer.exe on startup |
| 82 | 1544 | C:\Windows\SysWOW64\Paaddgkj.exe | C:\Windows\system32\Paaddgkj.exe | (none) |
| 83 | 704 | C:\Windows\SysWOW64\Phklaacg.exe | C:\Windows\system32\Phklaacg.exe | Drops file in System32 directory; System Location Discovery: System Language Discovery |
| 84 | 988 | C:\Windows\SysWOW64\Pmhejhao.exe | C:\Windows\system32\Pmhejhao.exe | Adds autorun key to be loaded by Explorer.exe on startup |
| 85 | 2472 | C:\Windows\SysWOW64\Pdbmfb32.exe | C:\Windows\system32\Pdbmfb32.exe | (none) |
| 86 | 1772 | C:\Windows\SysWOW64\Pfpibn32.exe | C:\Windows\system32\Pfpibn32.exe | (none) |
| 87 | 2880 | C:\Windows\SysWOW64\Pmjaohol.exe | C:\Windows\system32\Pmjaohol.exe | (none) |
| 88 | 2592 | C:\Windows\SysWOW64\Plmbkd32.exe | C:\Windows\system32\Plmbkd32.exe | Adds autorun key to be loaded by Explorer.exe on startup; Drops file in System32 directory |
| 89 | 2580 | C:\Windows\SysWOW64\Peefcjlg.exe | C:\Windows\system32\Peefcjlg.exe | Modifies registry class |
| 90 | 1768 | C:\Windows\SysWOW64\Plpopddd.exe | C:\Windows\system32\Plpopddd.exe | Adds autorun key to be loaded by Explorer.exe on startup |
| 91 | 1620 | C:\Windows\SysWOW64\Pehcij32.exe | C:\Windows\system32\Pehcij32.exe | System Location Discovery: System Language Discovery |
| 92 | 2056 | C:\Windows\SysWOW64\Plbkfdba.exe | C:\Windows\system32\Plbkfdba.exe | (none) |
| 93 | 348 | C:\Windows\SysWOW64\Popgboae.exe | C:\Windows\system32\Popgboae.exe | Adds autorun key to be loaded by Explorer.exe on startup |
| 94 | 2924 | C:\Windows\SysWOW64\Qejpoi32.exe | C:\Windows\system32\Qejpoi32.exe | (none) |
| 95 | 2124 | C:\Windows\SysWOW64\Qldhkc32.exe | C:\Windows\system32\Qldhkc32.exe | Drops file in System32 directory |
| 96 | 2060 | C:\Windows\SysWOW64\Qaapcj32.exe | C:\Windows\system32\Qaapcj32.exe | Adds autorun key to be loaded by Explorer.exe on startup; Drops file in System32 directory |
| 97 | 1564 | C:\Windows\SysWOW64\Qdompf32.exe | C:\Windows\system32\Qdompf32.exe | Adds autorun key to be loaded by Explorer.exe on startup |
| 98 | 1536 | C:\Windows\SysWOW64\Qkielpdf.exe | C:\Windows\system32\Qkielpdf.exe | System Location Discovery: System Language Discovery |
| 99 | 2744 | C:\Windows\SysWOW64\Qmhahkdj.exe | C:\Windows\system32\Qmhahkdj.exe | Modifies registry class |
| 100 | 2680 | C:\Windows\SysWOW64\Ahmefdcp.exe | C:\Windows\system32\Ahmefdcp.exe | Adds autorun key to be loaded by Explorer.exe on startup; Drops file in System32 directory |
| 101 | 2728 | C:\Windows\SysWOW64\Aognbnkm.exe | C:\Windows\system32\Aognbnkm.exe | Adds autorun key to be loaded by Explorer.exe on startup |
| 102 | 2980 | C:\Windows\SysWOW64\Aaejojjq.exe | C:\Windows\system32\Aaejojjq.exe | Drops file in System32 directory; System Location Discovery: System Language Discovery |
| 103 | 2420 | C:\Windows\SysWOW64\Ahpbkd32.exe | C:\Windows\system32\Ahpbkd32.exe | Modifies registry class |
| 104 | 1788 | C:\Windows\SysWOW64\Anljck32.exe | C:\Windows\system32\Anljck32.exe | (none) |
| 105 | 1264 | C:\Windows\SysWOW64\Apkgpf32.exe | C:\Windows\system32\Apkgpf32.exe | (none) |
| 106 | 2836 | C:\Windows\SysWOW64\Akpkmo32.exe | C:\Windows\system32\Akpkmo32.exe | (none) |
| 107 | 2264 | C:\Windows\SysWOW64\Ajckilei.exe | C:\Windows\system32\Ajckilei.exe | (none) |
| 108 | 1132 | C:\Windows\SysWOW64\Adipfd32.exe | C:\Windows\system32\Adipfd32.exe | (none) |
| 109 | 816 | C:\Windows\SysWOW64\Agglbp32.exe | C:\Windows\system32\Agglbp32.exe | (none) |
| 110 | 2160 | C:\Windows\SysWOW64\Ajehnk32.exe | C:\Windows\system32\Ajehnk32.exe | Drops file in System32 directory |
| 111 | 2384 | C:\Windows\SysWOW64\Apppkekc.exe | C:\Windows\system32\Apppkekc.exe | (none) |
| 112 | 2672 | C:\Windows\SysWOW64\Afliclij.exe | C:\Windows\system32\Afliclij.exe | (none) |
| 113 | 1852 | C:\Windows\SysWOW64\Blfapfpg.exe | C:\Windows\system32\Blfapfpg.exe | Drops file in System32 directory; Modifies registry class |
| 114 | 1944 | C:\Windows\SysWOW64\Bacihmoo.exe | C:\Windows\system32\Bacihmoo.exe | (none) |
| 115 | 1344 | C:\Windows\SysWOW64\Bjjaikoa.exe | C:\Windows\system32\Bjjaikoa.exe | Adds autorun key to be loaded by Explorer.exe on startup; Modifies registry class |
| 116 | 2724 | C:\Windows\SysWOW64\Bkknac32.exe | C:\Windows\system32\Bkknac32.exe | System Location Discovery: System Language Discovery |
| 117 | 1508 | C:\Windows\SysWOW64\Baefnmml.exe | C:\Windows\system32\Baefnmml.exe | (none) |
| 118 | 1208 | C:\Windows\SysWOW64\Blkjkflb.exe | C:\Windows\system32\Blkjkflb.exe | Adds autorun key to be loaded by Explorer.exe on startup |
| 119 | 1196 | C:\Windows\SysWOW64\Boifga32.exe | C:\Windows\system32\Boifga32.exe | System Location Discovery: System Language Discovery |
| 120 | 3028 | C:\Windows\SysWOW64\Bfcodkcb.exe | C:\Windows\system32\Bfcodkcb.exe | Adds autorun key to be loaded by Explorer.exe on startup; System Location Discovery: System Language Discovery; Modifies registry class |
| 121 | 2192 | C:\Windows\SysWOW64\Bhbkpgbf.exe | C:\Windows\system32\Bhbkpgbf.exe | Modifies registry class |
| 122 | 2684 | C:\Windows\SysWOW64\Bolcma32.exe | C:\Windows\system32\Bolcma32.exe | Adds autorun key to be loaded by Explorer.exe on startup; System Location Discovery: System Language Discovery |