Analysis
-
max time kernel
149s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
20-11-2024 19:05
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
acce7c8b59c3bfe3978295cb0588a283fa48c703b309f003d49def98497dfdd0.exe
Resource
win7-20240903-en
windows7-x64
8 signatures
150 seconds
Behavioral task
behavioral2
Sample
acce7c8b59c3bfe3978295cb0588a283fa48c703b309f003d49def98497dfdd0.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
7 signatures
150 seconds
General
-
Target
acce7c8b59c3bfe3978295cb0588a283fa48c703b309f003d49def98497dfdd0.exe
-
Size
320KB
-
MD5
c5c3ea8429a3e0f2932ff88009155da9
-
SHA1
45fc97647c8d8224455bf6939c4da0f6a562e891
-
SHA256
acce7c8b59c3bfe3978295cb0588a283fa48c703b309f003d49def98497dfdd0
-
SHA512
2482008f01c5e936141ef8747482d1f440645845af19fdd7404443b89b512638240b07412bcaa6182b16c45009fd292a9cb24540dad9692f5b23baecff2ba899
-
SSDEEP
6144:E9NArGKsVQ///NR5fLvQ///NREQ///NR5fLYG3euj7:EsAw/Nq/NZ/NcZa
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
Processes:
Egohdegl.exeLcclncbh.exeCmbgdl32.exeCcdihbgg.exeDmfeidbe.exeJqknkedi.exePcbkml32.exeIdahjg32.exeEejeiocj.exeFmkqpkla.exeFinnef32.exeMjpbam32.exeAlcfei32.exeHipmfjee.exeMfqlfb32.exeGfheof32.exeIljpij32.exeOfmdio32.exePhonha32.exeDgeenfog.exeKlbnajqc.exeBfaigclq.exeHhfedm32.exeJglklggl.exeCkhecmcf.exeFmhdkknd.exeKpoalo32.exeMhjhmhhd.exeBiiobo32.exeCpfmlghd.exeLicfngjd.exeGpnmbl32.exeMhdckaeo.exeNjmhhefi.exeOmgcpokp.exePahilmoc.exeDbnmke32.exeFfqhcq32.exeLlmhaold.exeDbcmakpl.exeNndjndbh.exeNagpeo32.exePpolhcnm.exeIialhaad.exeJhgiim32.exeMokfja32.exeCljobphg.exeDoaneiop.exeCammjakm.exePdmkhgho.exeLebijnak.exeBckkca32.exeDpphjp32.exeLgepom32.exeOnpjichj.exeGnepna32.exeKcmmhj32.exeQjiipk32.exeBgbpaipl.exeCkbemgcp.exeChfegk32.exeDdifgk32.exePmphaaln.exedescription ioc Process Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Egohdegl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lcclncbh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cmbgdl32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ccdihbgg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dmfeidbe.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jqknkedi.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pcbkml32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Idahjg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eejeiocj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fmkqpkla.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Finnef32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mjpbam32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Alcfei32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hipmfjee.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mfqlfb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gfheof32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iljpij32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ofmdio32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Phonha32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dgeenfog.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Klbnajqc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bfaigclq.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hhfedm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jglklggl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ckhecmcf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fmhdkknd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kpoalo32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ofmdio32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mhjhmhhd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Biiobo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cpfmlghd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Licfngjd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gpnmbl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mhdckaeo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Njmhhefi.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Omgcpokp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pahilmoc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dbnmke32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ffqhcq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Llmhaold.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dbcmakpl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nndjndbh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nagpeo32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ppolhcnm.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iialhaad.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jhgiim32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mokfja32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cljobphg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Doaneiop.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cammjakm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pdmkhgho.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lebijnak.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bckkca32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dpphjp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lgepom32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Onpjichj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gnepna32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kcmmhj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qjiipk32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bgbpaipl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ckbemgcp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Chfegk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ddifgk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pmphaaln.exe -
Executes dropped EXE 64 IoCs
Processes:
Fibojhim.exeFielph32.exeGgilil32.exeGdmmbq32.exeGgkiol32.exeGdafnpqh.exeGgpbjkpl.exeGinnfgop.exeGnjjfegi.exeHpmpnp32.exeHpomcp32.exeHhfedm32.exeHhiajmod.exeHkgnfhnh.exeHnhghcki.exeIqipio32.exeIqklon32.exeIgedlh32.exeIdieem32.exeIjfnmc32.exeIhgnkkbd.exeJglklggl.exeJdpkflfe.exeJnhpoamf.exeJbfheo32.exeJkomneim.exeJdgafjpn.exeKqnbkl32.exeKkcfid32.exeKelkaj32.exeKqbkfkal.exeKjkpoq32.exeKilpmh32.exeKjmmepfj.exeKageaj32.exeKinmcg32.exeLajagj32.exeLiqihglg.exeLnnbqnjn.exeLicfngjd.exeLankbigo.exeLejgch32.exeLelchgne.exeLlflea32.exeLeopnglc.exeLlhikacp.exeMniallpq.exeMhafeb32.exeMjpbam32.exeMeefofek.exeMhdckaeo.exeMbighjdd.exeMicoed32.exeMaodigil.exeMhilfa32.exeNobdbkhf.exeNhkikq32.exeNoeahkfc.exeNklbmllg.exeNeafjdkn.exeNhpbfpka.exeNeccpd32.exeNkqkhk32.exeNbgcih32.exepid Process 2584 Fibojhim.exe 412 Fielph32.exe 4232 Ggilil32.exe 2100 Gdmmbq32.exe 4956 Ggkiol32.exe 2232 Gdafnpqh.exe 728 Ggpbjkpl.exe 3608 Ginnfgop.exe 3764 Gnjjfegi.exe 224 Hpmpnp32.exe 4364 Hpomcp32.exe 4748 Hhfedm32.exe 5060 Hhiajmod.exe 4888 Hkgnfhnh.exe 3152 Hnhghcki.exe 2692 Iqipio32.exe 3172 Iqklon32.exe 4576 Igedlh32.exe 376 Idieem32.exe 3640 Ijfnmc32.exe 4488 Ihgnkkbd.exe 4052 Jglklggl.exe 5020 Jdpkflfe.exe 3036 Jnhpoamf.exe 1008 Jbfheo32.exe 4620 Jkomneim.exe 2844 Jdgafjpn.exe 4500 Kqnbkl32.exe 1412 Kkcfid32.exe 3004 Kelkaj32.exe 3672 Kqbkfkal.exe 3528 Kjkpoq32.exe 5084 Kilpmh32.exe 3408 Kjmmepfj.exe 2256 Kageaj32.exe 3088 Kinmcg32.exe 3140 Lajagj32.exe 3076 Liqihglg.exe 4736 Lnnbqnjn.exe 2104 Licfngjd.exe 1992 Lankbigo.exe 4372 Lejgch32.exe 5004 Lelchgne.exe 4060 Llflea32.exe 4420 Leopnglc.exe 1172 Llhikacp.exe 3016 Mniallpq.exe 860 Mhafeb32.exe 3184 Mjpbam32.exe 3052 Meefofek.exe 2644 Mhdckaeo.exe 4144 Mbighjdd.exe 1876 Micoed32.exe 4088 Maodigil.exe 2800 Mhilfa32.exe 4100 Nobdbkhf.exe 3196 Nhkikq32.exe 1124 Noeahkfc.exe 1660 Nklbmllg.exe 1696 Neafjdkn.exe 1564 Nhpbfpka.exe 1488 Neccpd32.exe 772 Nkqkhk32.exe 2924 Nbgcih32.exe -
Drops file in System32 directory 64 IoCs
Processes:
Gaebef32.exeIpdndloi.exeLpjjmg32.exeQlgpod32.exeFmfgek32.exeCocjiehd.exeFkofga32.exeOifppdpd.exeLicfngjd.exeMjokgg32.exeNenbjo32.exeLcfidb32.exeFlngfn32.exePimfpc32.exeMcqjon32.exeKageaj32.exeGbofcghl.exeGmiclo32.exeGifkpknp.exeDoagjc32.exeIcfekc32.exeLcnmin32.exeBgbpaipl.exeCpfcfmlp.exeJpcapp32.exeIeojgc32.exeIlphdlqh.exeCpacqg32.exeIqipio32.exeIdkkpf32.exeMlofcf32.exeQjiipk32.exeJlikkkhn.exeMapppn32.exeCkidcpjl.exeGgpbjkpl.exeBkmmaeap.exeEmkndc32.exeOelolmnd.exePbhgoh32.exeEiloco32.exeMmmqhl32.exeFilapfbo.exeBboffejp.exePapfgbmg.exeLddgmbpb.exeLqkgbcff.exeDomdjj32.exeIloidijb.exeCgiohbfi.exeOcgkan32.exeApggckbf.exePojcjh32.exeJngbjd32.exeOfmdio32.exeMhafeb32.exePahilmoc.exeKgkfnh32.exeBiiobo32.exeHdhedh32.exeNaecop32.exedescription ioc Process File created C:\Windows\SysWOW64\Ghojbq32.exe Gaebef32.exe File opened for modification C:\Windows\SysWOW64\Iafkld32.exe Ipdndloi.exe File created C:\Windows\SysWOW64\Legben32.exe Lpjjmg32.exe File created C:\Windows\SysWOW64\Qachgk32.exe Qlgpod32.exe File created C:\Windows\SysWOW64\Ffnknafg.exe Fmfgek32.exe File created C:\Windows\SysWOW64\Cpdgqmnb.exe Cocjiehd.exe File created C:\Windows\SysWOW64\Ggfglb32.exe Fkofga32.exe File opened for modification C:\Windows\SysWOW64\Ofjqihnn.exe Oifppdpd.exe File created C:\Windows\SysWOW64\Bchace32.dll Licfngjd.exe File created C:\Windows\SysWOW64\Oeedjegm.dll Mjokgg32.exe File created C:\Windows\SysWOW64\Nlhkgi32.exe Nenbjo32.exe File created C:\Windows\SysWOW64\Lhcali32.exe Lcfidb32.exe File created C:\Windows\SysWOW64\Ejhmqp32.dll Flngfn32.exe File opened for modification C:\Windows\SysWOW64\Pcbkml32.exe Pimfpc32.exe File created C:\Windows\SysWOW64\Obnbpa32.dll Mcqjon32.exe File created C:\Windows\SysWOW64\Kinmcg32.exe Kageaj32.exe File opened for modification C:\Windows\SysWOW64\Giinpa32.exe Gbofcghl.exe File created C:\Windows\SysWOW64\Gipdap32.exe Gmiclo32.exe File created C:\Windows\SysWOW64\Pfnmog32.dll Gifkpknp.exe File opened for modification C:\Windows\SysWOW64\Dqbcbkab.exe Doagjc32.exe File created C:\Windows\SysWOW64\Iknmla32.exe Icfekc32.exe File created C:\Windows\SysWOW64\Ljhefhha.exe Lcnmin32.exe File created C:\Windows\SysWOW64\Bnlhncgi.exe Bgbpaipl.exe File created C:\Windows\SysWOW64\Jhijep32.dll Cpfcfmlp.exe File created C:\Windows\SysWOW64\Jngbjd32.exe Jpcapp32.exe File created C:\Windows\SysWOW64\Ipdndloi.exe Ieojgc32.exe File created C:\Windows\SysWOW64\Ihjoke32.dll Ilphdlqh.exe File opened for modification C:\Windows\SysWOW64\Ciihjmcj.exe Cpacqg32.exe File created C:\Windows\SysWOW64\Meickkqm.dll Iqipio32.exe File opened for modification C:\Windows\SysWOW64\Ikdcmpnl.exe Idkkpf32.exe File opened for modification C:\Windows\SysWOW64\Nciopppp.exe Mlofcf32.exe File created C:\Windows\SysWOW64\Aogbfi32.exe Qjiipk32.exe File opened for modification C:\Windows\SysWOW64\Jafdcbge.exe Jlikkkhn.exe File created C:\Windows\SysWOW64\Iankhggi.dll Mapppn32.exe File created C:\Windows\SysWOW64\Lljoca32.dll Ckidcpjl.exe File opened for modification C:\Windows\SysWOW64\Ginnfgop.exe Ggpbjkpl.exe File created C:\Windows\SysWOW64\Capqggce.dll Bkmmaeap.exe File created C:\Windows\SysWOW64\Oenqhaga.dll Emkndc32.exe File opened for modification C:\Windows\SysWOW64\Ohkkhhmh.exe Oelolmnd.exe File opened for modification C:\Windows\SysWOW64\Mjmoag32.exe Mcqjon32.exe File created C:\Windows\SysWOW64\Nciopppp.exe Mlofcf32.exe File created C:\Windows\SysWOW64\Hlhmjl32.dll Pbhgoh32.exe File created C:\Windows\SysWOW64\Ekkkoj32.exe Eiloco32.exe File opened for modification C:\Windows\SysWOW64\Mmpmnl32.exe Mmmqhl32.exe File created C:\Windows\SysWOW64\Plgdqf32.dll Filapfbo.exe File created C:\Windows\SysWOW64\Eknphfld.dll Bboffejp.exe File created C:\Windows\SysWOW64\Idjnmo32.dll Papfgbmg.exe File created C:\Windows\SysWOW64\Lknojl32.exe Lddgmbpb.exe File created C:\Windows\SysWOW64\Lcjcnoej.exe Lqkgbcff.exe File created C:\Windows\SysWOW64\Dheibpje.exe Domdjj32.exe File created C:\Windows\SysWOW64\Igdnabjh.exe Iloidijb.exe File created C:\Windows\SysWOW64\Dcjdilmf.dll Cgiohbfi.exe File created C:\Windows\SysWOW64\Dkjfaikb.dll Ocgkan32.exe File created C:\Windows\SysWOW64\Ajbfciej.dll Apggckbf.exe File opened for modification C:\Windows\SysWOW64\Pedlgbkh.exe Pojcjh32.exe File opened for modification C:\Windows\SysWOW64\Elnoopdj.exe Emkndc32.exe File created C:\Windows\SysWOW64\Jcdjbk32.exe Jngbjd32.exe File created C:\Windows\SysWOW64\Dhhmleng.dll Ofmdio32.exe File created C:\Windows\SysWOW64\Kjmqinmi.dll Mhafeb32.exe File created C:\Windows\SysWOW64\Plmmif32.exe Pahilmoc.exe File created C:\Windows\SysWOW64\Almoijfo.dll Kgkfnh32.exe File opened for modification C:\Windows\SysWOW64\Bpcgpihi.exe Biiobo32.exe File opened for modification C:\Windows\SysWOW64\Hgfapd32.exe Hdhedh32.exe File opened for modification C:\Windows\SysWOW64\Nhokljge.exe Naecop32.exe -
Program crash 1 IoCs
Processes:
WerFault.exepid pid_target Process procid_target 11464 2328 WerFault.exe 728 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
Jjpode32.exeIafkld32.exeIpgkjlmg.exeOjhiogdd.exeFdnhih32.exeMcoljagj.exeFpbmfn32.exeGmbmkpie.exeOldjcg32.exeJpcapp32.exePdenmbkk.exePffgom32.exeObqanjdb.exeOkjnnj32.exeEmkndc32.exeNnfgcd32.exeNnkpnclp.exeAdhdjpjf.exeDnmaea32.exeOloahhki.exeBojomm32.exeMokfja32.exeGgpbjkpl.exeQpcecb32.exeEppjfgcp.exeMmkdcm32.exeJhgiim32.exeNobdbkhf.exeNklbmllg.exePabblb32.exeHmechmip.exeKmdlffhj.exeMjdebfnd.exeOihmedma.exeQjiipk32.exeLpjjmg32.exeCaqpkjcl.exeAkoqpg32.exeOnpjichj.exeIehmmb32.exeLegben32.exeQbajeg32.exeGdmmbq32.exeIhgnkkbd.exeMnmdme32.exeLjceqb32.exeDnajppda.exePbhgoh32.exeOmpfej32.exePpolhcnm.exeLlhikacp.exeMicoed32.exeJkimho32.exeIplkpa32.exeJllokajf.exeKpanan32.exeAogbfi32.exeCammjakm.exeDpiplm32.exeFajbjh32.exeGnjjfegi.exeNeafjdkn.exeElnoopdj.exeKjblje32.exedescription ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jjpode32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iafkld32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ipgkjlmg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ojhiogdd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fdnhih32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mcoljagj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fpbmfn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gmbmkpie.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oldjcg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jpcapp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pdenmbkk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pffgom32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Obqanjdb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Okjnnj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Emkndc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nnfgcd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nnkpnclp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Adhdjpjf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dnmaea32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oloahhki.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bojomm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mokfja32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ggpbjkpl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qpcecb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eppjfgcp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mmkdcm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jhgiim32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nobdbkhf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nklbmllg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pabblb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hmechmip.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kmdlffhj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mjdebfnd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oihmedma.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qjiipk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lpjjmg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Caqpkjcl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Akoqpg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Onpjichj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iehmmb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Legben32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qbajeg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gdmmbq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ihgnkkbd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mnmdme32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ljceqb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dnajppda.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pbhgoh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ompfej32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ppolhcnm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Llhikacp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Micoed32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jkimho32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iplkpa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jllokajf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kpanan32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aogbfi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cammjakm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dpiplm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fajbjh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gnjjfegi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Neafjdkn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Elnoopdj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kjblje32.exe -
Modifies registry class 64 IoCs
Processes:
Oloahhki.exeJlgoek32.exeIcknfcol.exeJddnfd32.exeNndjndbh.exeHbjoeojc.exeCcgjopal.exeFkmjaa32.exeGpaihooo.exeMapppn32.exeBpjmph32.exeKqnbkl32.exeLgepom32.exeHfjdqmng.exeNqmfdj32.exeKcmmhj32.exeLopmii32.exeMlljnf32.exeKqbkfkal.exeIbhkfm32.exeKcoccc32.exeBkmmaeap.exeKofdhd32.exeLpjjmg32.exeAdgmoigj.exeDbcmakpl.exeAalmimfd.exeLlhikacp.exeAhjgjj32.exeLlodgnja.exeCocjiehd.exeNqaiecjd.exeAbfdpfaj.exePhganm32.exeEcbjkngo.exePocpfphe.exeQfkqjmdg.exeBboffejp.exeCfnqklgh.exeGipdap32.exeJnelok32.exeEdplhjhi.exeOeokal32.exeOhpkmn32.exeAmjillkj.exeEppjfgcp.exeOfmdio32.exeCammjakm.exeCpdgqmnb.exeCoegoe32.exePafkgphl.exeHkgnfhnh.exeBckkca32.exeKclgmq32.exeNlcalieg.exeLeopnglc.exeQfmmplad.exeMicoed32.exeAdfnofpd.exeHppeim32.exeMbighjdd.exeHlcjhkdp.exedescription ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Oloahhki.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jlgoek32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Accailfj.dll" Icknfcol.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hgfnoiid.dll" Jddnfd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fkldkg32.dll" Nndjndbh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hbjoeojc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ccgjopal.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hlhbih32.dll" Fkmjaa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbfecjhc.dll" Gpaihooo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mapppn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bpjmph32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kqnbkl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lgepom32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hfjdqmng.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndqojdee.dll" Nqmfdj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekoglqie.dll" Kcmmhj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lopmii32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mlljnf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kqbkfkal.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hkdoio32.dll" Ibhkfm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kcoccc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bkmmaeap.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kofdhd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lpjjmg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Adgmoigj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ncgjgp32.dll" Dbcmakpl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aalmimfd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Llhikacp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ahjgjj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Llodgnja.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cocjiehd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nqaiecjd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qhjgbbnj.dll" Abfdpfaj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hiilcp32.dll" Phganm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oghdfilo.dll" Ecbjkngo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pocpfphe.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qfkqjmdg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bboffejp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Anfjipgp.dll" Cfnqklgh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gipdap32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jnelok32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhkilook.dll" Edplhjhi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fechok32.dll" Oeokal32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ohpkmn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Idllbp32.dll" Amjillkj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eppjfgcp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ofmdio32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cammjakm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fmamhbhe.dll" Cpdgqmnb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fomnhddq.dll" Coegoe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pafkgphl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Phmgghbe.dll" Hkgnfhnh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mhaimehd.dll" Bckkca32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhohnk32.dll" Kclgmq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cjibekmc.dll" Nlcalieg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Leopnglc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kclgmq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qfmmplad.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Micoed32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Adfnofpd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nqmfdj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hppeim32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mbighjdd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dokmlmhl.dll" Hlcjhkdp.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
acce7c8b59c3bfe3978295cb0588a283fa48c703b309f003d49def98497dfdd0.exeFibojhim.exeFielph32.exeGgilil32.exeGdmmbq32.exeGgkiol32.exeGdafnpqh.exeGgpbjkpl.exeGinnfgop.exeGnjjfegi.exeHpmpnp32.exeHpomcp32.exeHhfedm32.exeHhiajmod.exeHkgnfhnh.exeHnhghcki.exeIqipio32.exeIqklon32.exeIgedlh32.exeIdieem32.exeIjfnmc32.exeIhgnkkbd.exedescription pid Process procid_target PID 2292 wrote to memory of 2584 2292 acce7c8b59c3bfe3978295cb0588a283fa48c703b309f003d49def98497dfdd0.exe 83 PID 2292 wrote to memory of 2584 2292 acce7c8b59c3bfe3978295cb0588a283fa48c703b309f003d49def98497dfdd0.exe 83 PID 2292 wrote to memory of 2584 2292 acce7c8b59c3bfe3978295cb0588a283fa48c703b309f003d49def98497dfdd0.exe 83 PID 2584 wrote to memory of 412 2584 Fibojhim.exe 84 PID 2584 wrote to memory of 412 2584 Fibojhim.exe 84 PID 2584 wrote to memory of 412 2584 Fibojhim.exe 84 PID 412 wrote to memory of 4232 412 Fielph32.exe 85 PID 412 wrote to memory of 4232 412 Fielph32.exe 85 PID 412 wrote to memory of 4232 412 Fielph32.exe 85 PID 4232 wrote to memory of 2100 4232 Ggilil32.exe 86 PID 4232 wrote to memory of 2100 4232 Ggilil32.exe 86 PID 4232 wrote to memory of 2100 4232 Ggilil32.exe 86 PID 2100 wrote to memory of 4956 2100 Gdmmbq32.exe 87 PID 2100 wrote to memory of 4956 2100 Gdmmbq32.exe 87 PID 2100 wrote to memory of 4956 2100 Gdmmbq32.exe 87 PID 4956 wrote to memory of 2232 4956 Ggkiol32.exe 88 PID 4956 wrote to memory of 2232 4956 Ggkiol32.exe 88 PID 4956 wrote to memory of 2232 4956 Ggkiol32.exe 88 PID 2232 wrote to memory of 728 2232 Gdafnpqh.exe 89 PID 2232 wrote to memory of 728 2232 Gdafnpqh.exe 89 PID 2232 wrote to memory of 728 2232 Gdafnpqh.exe 89 PID 728 wrote to memory of 3608 728 Ggpbjkpl.exe 90 PID 728 wrote to memory of 3608 728 Ggpbjkpl.exe 90 PID 728 wrote to memory of 3608 728 Ggpbjkpl.exe 90 PID 3608 wrote to memory of 3764 3608 Ginnfgop.exe 91 PID 3608 wrote to memory of 3764 3608 Ginnfgop.exe 91 PID 3608 wrote to memory of 3764 3608 Ginnfgop.exe 91 PID 3764 wrote to memory of 224 3764 Gnjjfegi.exe 92 PID 3764 wrote to memory of 224 3764 Gnjjfegi.exe 92 PID 3764 wrote to memory of 224 3764 Gnjjfegi.exe 92 PID 224 wrote to memory of 4364 224 Hpmpnp32.exe 93 PID 224 wrote to memory of 4364 224 Hpmpnp32.exe 93 PID 224 wrote to memory of 4364 224 Hpmpnp32.exe 93 PID 4364 wrote to memory of 4748 4364 Hpomcp32.exe 94 PID 4364 wrote to memory of 4748 4364 Hpomcp32.exe 94 PID 4364 wrote to memory of 4748 4364 Hpomcp32.exe 94 PID 4748 wrote to memory of 5060 4748 Hhfedm32.exe 95 PID 4748 wrote to memory of 5060 4748 Hhfedm32.exe 95 PID 4748 wrote to memory of 5060 4748 Hhfedm32.exe 95 PID 5060 wrote to memory of 4888 5060 Hhiajmod.exe 96 PID 5060 wrote to memory of 4888 5060 Hhiajmod.exe 96 PID 5060 wrote to memory of 4888 5060 Hhiajmod.exe 96 PID 4888 wrote to memory of 3152 4888 Hkgnfhnh.exe 97 PID 4888 wrote to memory of 3152 4888 Hkgnfhnh.exe 97 PID 4888 wrote to memory of 3152 4888 Hkgnfhnh.exe 97 PID 3152 wrote to memory of 2692 3152 Hnhghcki.exe 98 PID 3152 wrote to memory of 2692 3152 Hnhghcki.exe 98 PID 3152 wrote to memory of 2692 3152 Hnhghcki.exe 98 PID 2692 wrote to memory of 3172 2692 Iqipio32.exe 99 PID 2692 wrote to memory of 3172 2692 Iqipio32.exe 99 PID 2692 wrote to memory of 3172 2692 Iqipio32.exe 99 PID 3172 wrote to memory of 4576 3172 Iqklon32.exe 100 PID 3172 wrote to memory of 4576 3172 Iqklon32.exe 100 PID 3172 wrote to memory of 4576 3172 Iqklon32.exe 100 PID 4576 wrote to memory of 376 4576 Igedlh32.exe 101 PID 4576 wrote to memory of 376 4576 Igedlh32.exe 101 PID 4576 wrote to memory of 376 4576 Igedlh32.exe 101 PID 376 wrote to memory of 3640 376 Idieem32.exe 102 PID 376 wrote to memory of 3640 376 Idieem32.exe 102 PID 376 wrote to memory of 3640 376 Idieem32.exe 102 PID 3640 wrote to memory of 4488 3640 Ijfnmc32.exe 103 PID 3640 wrote to memory of 4488 3640 Ijfnmc32.exe 103 PID 3640 wrote to memory of 4488 3640 Ijfnmc32.exe 103 PID 4488 wrote to memory of 4052 4488 Ihgnkkbd.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\acce7c8b59c3bfe3978295cb0588a283fa48c703b309f003d49def98497dfdd0.exe"C:\Users\Admin\AppData\Local\Temp\acce7c8b59c3bfe3978295cb0588a283fa48c703b309f003d49def98497dfdd0.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2292 -
C:\Windows\SysWOW64\Fibojhim.exeC:\Windows\system32\Fibojhim.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2584 -
C:\Windows\SysWOW64\Fielph32.exeC:\Windows\system32\Fielph32.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:412 -
C:\Windows\SysWOW64\Ggilil32.exeC:\Windows\system32\Ggilil32.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4232 -
C:\Windows\SysWOW64\Gdmmbq32.exeC:\Windows\system32\Gdmmbq32.exe5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2100 -
C:\Windows\SysWOW64\Ggkiol32.exeC:\Windows\system32\Ggkiol32.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4956 -
C:\Windows\SysWOW64\Gdafnpqh.exeC:\Windows\system32\Gdafnpqh.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2232 -
C:\Windows\SysWOW64\Ggpbjkpl.exeC:\Windows\system32\Ggpbjkpl.exe8⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:728 -
C:\Windows\SysWOW64\Ginnfgop.exeC:\Windows\system32\Ginnfgop.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3608 -
C:\Windows\SysWOW64\Gnjjfegi.exeC:\Windows\system32\Gnjjfegi.exe10⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3764 -
C:\Windows\SysWOW64\Hpmpnp32.exeC:\Windows\system32\Hpmpnp32.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:224 -
C:\Windows\SysWOW64\Hpomcp32.exeC:\Windows\system32\Hpomcp32.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4364 -
C:\Windows\SysWOW64\Hhfedm32.exeC:\Windows\system32\Hhfedm32.exe13⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4748 -
C:\Windows\SysWOW64\Hhiajmod.exeC:\Windows\system32\Hhiajmod.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5060 -
C:\Windows\SysWOW64\Hkgnfhnh.exeC:\Windows\system32\Hkgnfhnh.exe15⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4888 -
C:\Windows\SysWOW64\Hnhghcki.exeC:\Windows\system32\Hnhghcki.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3152 -
C:\Windows\SysWOW64\Iqipio32.exeC:\Windows\system32\Iqipio32.exe17⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2692 -
C:\Windows\SysWOW64\Iqklon32.exeC:\Windows\system32\Iqklon32.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3172 -
C:\Windows\SysWOW64\Igedlh32.exeC:\Windows\system32\Igedlh32.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4576 -
C:\Windows\SysWOW64\Idieem32.exeC:\Windows\system32\Idieem32.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:376 -
C:\Windows\SysWOW64\Ijfnmc32.exeC:\Windows\system32\Ijfnmc32.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3640 -
C:\Windows\SysWOW64\Ihgnkkbd.exeC:\Windows\system32\Ihgnkkbd.exe22⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4488 -
C:\Windows\SysWOW64\Jglklggl.exeC:\Windows\system32\Jglklggl.exe23⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4052 -
C:\Windows\SysWOW64\Jdpkflfe.exeC:\Windows\system32\Jdpkflfe.exe24⤵
- Executes dropped EXE
PID:5020 -
C:\Windows\SysWOW64\Jnhpoamf.exeC:\Windows\system32\Jnhpoamf.exe25⤵
- Executes dropped EXE
PID:3036 -
C:\Windows\SysWOW64\Jbfheo32.exeC:\Windows\system32\Jbfheo32.exe26⤵
- Executes dropped EXE
PID:1008 -
C:\Windows\SysWOW64\Jkomneim.exeC:\Windows\system32\Jkomneim.exe27⤵
- Executes dropped EXE
PID:4620 -
C:\Windows\SysWOW64\Jdgafjpn.exeC:\Windows\system32\Jdgafjpn.exe28⤵
- Executes dropped EXE
PID:2844 -
C:\Windows\SysWOW64\Kqnbkl32.exeC:\Windows\system32\Kqnbkl32.exe29⤵
- Executes dropped EXE
- Modifies registry class
PID:4500 -
C:\Windows\SysWOW64\Kkcfid32.exeC:\Windows\system32\Kkcfid32.exe30⤵
- Executes dropped EXE
PID:1412 -
C:\Windows\SysWOW64\Kelkaj32.exeC:\Windows\system32\Kelkaj32.exe31⤵
- Executes dropped EXE
PID:3004 -
C:\Windows\SysWOW64\Kqbkfkal.exeC:\Windows\system32\Kqbkfkal.exe32⤵
- Executes dropped EXE
- Modifies registry class
PID:3672 -
C:\Windows\SysWOW64\Kjkpoq32.exeC:\Windows\system32\Kjkpoq32.exe33⤵
- Executes dropped EXE
PID:3528 -
C:\Windows\SysWOW64\Kilpmh32.exeC:\Windows\system32\Kilpmh32.exe34⤵
- Executes dropped EXE
PID:5084 -
C:\Windows\SysWOW64\Kjmmepfj.exeC:\Windows\system32\Kjmmepfj.exe35⤵
- Executes dropped EXE
PID:3408 -
C:\Windows\SysWOW64\Kageaj32.exeC:\Windows\system32\Kageaj32.exe36⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2256 -
C:\Windows\SysWOW64\Kinmcg32.exeC:\Windows\system32\Kinmcg32.exe37⤵
- Executes dropped EXE
PID:3088 -
C:\Windows\SysWOW64\Lajagj32.exeC:\Windows\system32\Lajagj32.exe38⤵
- Executes dropped EXE
PID:3140 -
C:\Windows\SysWOW64\Liqihglg.exeC:\Windows\system32\Liqihglg.exe39⤵
- Executes dropped EXE
PID:3076 -
C:\Windows\SysWOW64\Lnnbqnjn.exeC:\Windows\system32\Lnnbqnjn.exe40⤵
- Executes dropped EXE
PID:4736 -
C:\Windows\SysWOW64\Licfngjd.exeC:\Windows\system32\Licfngjd.exe41⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2104 -
C:\Windows\SysWOW64\Lankbigo.exeC:\Windows\system32\Lankbigo.exe42⤵
- Executes dropped EXE
PID:1992 -
C:\Windows\SysWOW64\Lejgch32.exeC:\Windows\system32\Lejgch32.exe43⤵
- Executes dropped EXE
PID:4372 -
C:\Windows\SysWOW64\Lelchgne.exeC:\Windows\system32\Lelchgne.exe44⤵
- Executes dropped EXE
PID:5004 -
C:\Windows\SysWOW64\Llflea32.exeC:\Windows\system32\Llflea32.exe45⤵
- Executes dropped EXE
PID:4060 -
C:\Windows\SysWOW64\Leopnglc.exeC:\Windows\system32\Leopnglc.exe46⤵
- Executes dropped EXE
- Modifies registry class
PID:4420 -
C:\Windows\SysWOW64\Llhikacp.exeC:\Windows\system32\Llhikacp.exe47⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1172 -
C:\Windows\SysWOW64\Mniallpq.exeC:\Windows\system32\Mniallpq.exe48⤵
- Executes dropped EXE
PID:3016 -
C:\Windows\SysWOW64\Mhafeb32.exeC:\Windows\system32\Mhafeb32.exe49⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:860 -
C:\Windows\SysWOW64\Mjpbam32.exeC:\Windows\system32\Mjpbam32.exe50⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3184 -
C:\Windows\SysWOW64\Meefofek.exeC:\Windows\system32\Meefofek.exe51⤵
- Executes dropped EXE
PID:3052 -
C:\Windows\SysWOW64\Mhdckaeo.exeC:\Windows\system32\Mhdckaeo.exe52⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2644 -
C:\Windows\SysWOW64\Mbighjdd.exeC:\Windows\system32\Mbighjdd.exe53⤵
- Executes dropped EXE
- Modifies registry class
PID:4144 -
C:\Windows\SysWOW64\Micoed32.exeC:\Windows\system32\Micoed32.exe54⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1876 -
C:\Windows\SysWOW64\Maodigil.exeC:\Windows\system32\Maodigil.exe55⤵
- Executes dropped EXE
PID:4088 -
C:\Windows\SysWOW64\Mhilfa32.exeC:\Windows\system32\Mhilfa32.exe56⤵
- Executes dropped EXE
PID:2800 -
C:\Windows\SysWOW64\Nobdbkhf.exeC:\Windows\system32\Nobdbkhf.exe57⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4100 -
C:\Windows\SysWOW64\Nhkikq32.exeC:\Windows\system32\Nhkikq32.exe58⤵
- Executes dropped EXE
PID:3196 -
C:\Windows\SysWOW64\Noeahkfc.exeC:\Windows\system32\Noeahkfc.exe59⤵
- Executes dropped EXE
PID:1124 -
C:\Windows\SysWOW64\Nklbmllg.exeC:\Windows\system32\Nklbmllg.exe60⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1660 -
C:\Windows\SysWOW64\Neafjdkn.exeC:\Windows\system32\Neafjdkn.exe61⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1696 -
C:\Windows\SysWOW64\Nhpbfpka.exeC:\Windows\system32\Nhpbfpka.exe62⤵
- Executes dropped EXE
PID:1564 -
C:\Windows\SysWOW64\Neccpd32.exeC:\Windows\system32\Neccpd32.exe63⤵
- Executes dropped EXE
PID:1488 -
C:\Windows\SysWOW64\Nkqkhk32.exeC:\Windows\system32\Nkqkhk32.exe64⤵
- Executes dropped EXE
PID:772 -
C:\Windows\SysWOW64\Nbgcih32.exeC:\Windows\system32\Nbgcih32.exe65⤵
- Executes dropped EXE
PID:2924 -
C:\Windows\SysWOW64\Nefped32.exeC:\Windows\system32\Nefped32.exe66⤵PID:4896
-
C:\Windows\SysWOW64\Oondnini.exeC:\Windows\system32\Oondnini.exe67⤵PID:2756
-
C:\Windows\SysWOW64\Oehlkc32.exeC:\Windows\system32\Oehlkc32.exe68⤵PID:2344
-
C:\Windows\SysWOW64\Olbdhn32.exeC:\Windows\system32\Olbdhn32.exe69⤵PID:3168
-
C:\Windows\SysWOW64\Ooqqdi32.exeC:\Windows\system32\Ooqqdi32.exe70⤵PID:1724
-
C:\Windows\SysWOW64\Ohiemobf.exeC:\Windows\system32\Ohiemobf.exe71⤵PID:2240
-
C:\Windows\SysWOW64\Oocmii32.exeC:\Windows\system32\Oocmii32.exe72⤵PID:3936
-
C:\Windows\SysWOW64\Oemefcap.exeC:\Windows\system32\Oemefcap.exe73⤵PID:4680
-
C:\Windows\SysWOW64\Okjnnj32.exeC:\Windows\system32\Okjnnj32.exe74⤵
- System Location Discovery: System Language Discovery
PID:4524 -
C:\Windows\SysWOW64\Oiknlagg.exeC:\Windows\system32\Oiknlagg.exe75⤵PID:864
-
C:\Windows\SysWOW64\Olijhmgj.exeC:\Windows\system32\Olijhmgj.exe76⤵PID:1744
-
C:\Windows\SysWOW64\Oafcqcea.exeC:\Windows\system32\Oafcqcea.exe77⤵PID:3644
-
C:\Windows\SysWOW64\Ohpkmn32.exeC:\Windows\system32\Ohpkmn32.exe78⤵
- Modifies registry class
PID:1712 -
C:\Windows\SysWOW64\Pojcjh32.exeC:\Windows\system32\Pojcjh32.exe79⤵
- Drops file in System32 directory
PID:2364 -
C:\Windows\SysWOW64\Pedlgbkh.exeC:\Windows\system32\Pedlgbkh.exe80⤵PID:2012
-
C:\Windows\SysWOW64\Phbhcmjl.exeC:\Windows\system32\Phbhcmjl.exe81⤵PID:3492
-
C:\Windows\SysWOW64\Pibdmp32.exeC:\Windows\system32\Pibdmp32.exe82⤵PID:4616
-
C:\Windows\SysWOW64\Plpqil32.exeC:\Windows\system32\Plpqil32.exe83⤵PID:4704
-
C:\Windows\SysWOW64\Phganm32.exeC:\Windows\system32\Phganm32.exe84⤵
- Modifies registry class
PID:640 -
C:\Windows\SysWOW64\Papfgbmg.exeC:\Windows\system32\Papfgbmg.exe85⤵
- Drops file in System32 directory
PID:4872 -
C:\Windows\SysWOW64\Pkhjph32.exeC:\Windows\system32\Pkhjph32.exe86⤵PID:4624
-
C:\Windows\SysWOW64\Pabblb32.exeC:\Windows\system32\Pabblb32.exe87⤵
- System Location Discovery: System Language Discovery
PID:3460 -
C:\Windows\SysWOW64\Qkjgegae.exeC:\Windows\system32\Qkjgegae.exe88⤵PID:4380
-
C:\Windows\SysWOW64\Qaflgago.exeC:\Windows\system32\Qaflgago.exe89⤵PID:3516
-
C:\Windows\SysWOW64\Akoqpg32.exeC:\Windows\system32\Akoqpg32.exe90⤵
- System Location Discovery: System Language Discovery
PID:4612 -
C:\Windows\SysWOW64\Ajpqnneo.exeC:\Windows\system32\Ajpqnneo.exe91⤵PID:2932
-
C:\Windows\SysWOW64\Alnmjjdb.exeC:\Windows\system32\Alnmjjdb.exe92⤵PID:2156
-
C:\Windows\SysWOW64\Achegd32.exeC:\Windows\system32\Achegd32.exe93⤵PID:1264
-
C:\Windows\SysWOW64\Ahenokjf.exeC:\Windows\system32\Ahenokjf.exe94⤵PID:544
-
C:\Windows\SysWOW64\Ackbmcjl.exeC:\Windows\system32\Ackbmcjl.exe95⤵PID:1808
-
C:\Windows\SysWOW64\Aanbhp32.exeC:\Windows\system32\Aanbhp32.exe96⤵PID:4004
-
C:\Windows\SysWOW64\Ajdjin32.exeC:\Windows\system32\Ajdjin32.exe97⤵PID:1464
-
C:\Windows\SysWOW64\Alcfei32.exeC:\Windows\system32\Alcfei32.exe98⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4572 -
C:\Windows\SysWOW64\Abponp32.exeC:\Windows\system32\Abponp32.exe99⤵PID:2700
-
C:\Windows\SysWOW64\Ahjgjj32.exeC:\Windows\system32\Ahjgjj32.exe100⤵
- Modifies registry class
PID:744 -
C:\Windows\SysWOW64\Akhcfe32.exeC:\Windows\system32\Akhcfe32.exe101⤵PID:1136
-
C:\Windows\SysWOW64\Acokhc32.exeC:\Windows\system32\Acokhc32.exe102⤵PID:5144
-
C:\Windows\SysWOW64\Bjicdmmd.exeC:\Windows\system32\Bjicdmmd.exe103⤵PID:5188
-
C:\Windows\SysWOW64\Boflmdkk.exeC:\Windows\system32\Boflmdkk.exe104⤵PID:5232
-
C:\Windows\SysWOW64\Bjlpjm32.exeC:\Windows\system32\Bjlpjm32.exe105⤵PID:5276
-
C:\Windows\SysWOW64\Bkmmaeap.exeC:\Windows\system32\Bkmmaeap.exe106⤵
- Drops file in System32 directory
- Modifies registry class
PID:5320 -
C:\Windows\SysWOW64\Bohibc32.exeC:\Windows\system32\Bohibc32.exe107⤵PID:5364
-
C:\Windows\SysWOW64\Bfbaonae.exeC:\Windows\system32\Bfbaonae.exe108⤵PID:5408
-
C:\Windows\SysWOW64\Bmlilh32.exeC:\Windows\system32\Bmlilh32.exe109⤵PID:5452
-
C:\Windows\SysWOW64\Bcfahbpo.exeC:\Windows\system32\Bcfahbpo.exe110⤵PID:5496
-
C:\Windows\SysWOW64\Bblnindg.exeC:\Windows\system32\Bblnindg.exe111⤵PID:5540
-
C:\Windows\SysWOW64\Bfgjjm32.exeC:\Windows\system32\Bfgjjm32.exe112⤵PID:5584
-
C:\Windows\SysWOW64\Bheffh32.exeC:\Windows\system32\Bheffh32.exe113⤵PID:5628
-
C:\Windows\SysWOW64\Bckkca32.exeC:\Windows\system32\Bckkca32.exe114⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:5672 -
C:\Windows\SysWOW64\Cfigpm32.exeC:\Windows\system32\Cfigpm32.exe115⤵PID:5712
-
C:\Windows\SysWOW64\Cihclh32.exeC:\Windows\system32\Cihclh32.exe116⤵PID:5756
-
C:\Windows\SysWOW64\Cmflbf32.exeC:\Windows\system32\Cmflbf32.exe117⤵PID:5808
-
C:\Windows\SysWOW64\Codhnb32.exeC:\Windows\system32\Codhnb32.exe118⤵PID:5852
-
C:\Windows\SysWOW64\Cfnqklgh.exeC:\Windows\system32\Cfnqklgh.exe119⤵
- Modifies registry class
PID:5904 -
C:\Windows\SysWOW64\Cimmggfl.exeC:\Windows\system32\Cimmggfl.exe120⤵PID:5964
-
C:\Windows\SysWOW64\Ckkiccep.exeC:\Windows\system32\Ckkiccep.exe121⤵PID:6004
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-