Analysis
-
max time kernel
121s -
max time network
123s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
20-11-2024 19:38
Static task
static1
Behavioral task
behavioral1
Sample
071c0a76ebe3608b9800a63e23d6155b7f371758c34f604ac2d0e4aee257d288.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
071c0a76ebe3608b9800a63e23d6155b7f371758c34f604ac2d0e4aee257d288.exe
Resource
win10v2004-20241007-en
General
-
Target
071c0a76ebe3608b9800a63e23d6155b7f371758c34f604ac2d0e4aee257d288.exe
-
Size
295KB
-
MD5
d04b1eab160eec5858e6ee4fbe12d82a
-
SHA1
4ff5dc98bcab6ed564225d24cea112ece17e014d
-
SHA256
071c0a76ebe3608b9800a63e23d6155b7f371758c34f604ac2d0e4aee257d288
-
SHA512
519aafa280fff7da5f3ed7712ff3849a5e4b9396cc251682c89e4d044b33fd73c619003514fbec98590845cdf6843210cbf4c317ecae77801cf5bc710912fe41
-
SSDEEP
3072:trMHZ8ny/YIVgvo232fQ1UkY1UkVHe1rUtst76UtoUtFVgtRQ2c+tlB5xpWJLM75:tgHvolG41PY1PRe19V+tbFOLM77OLY
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
Processes:
Hpdbmooo.exeKlmqapci.exeLifcib32.exeFejfmk32.exeDgfpni32.exeOqepgk32.exeAalofa32.exeLlbnnq32.exeMpngmb32.exeIifghk32.exeOmfnnnhj.exeAphehidc.exeDjjeedhp.exeHhlaiccm.exeMeemgk32.exeOniebmda.exeCcgklc32.exeIjaaae32.exeMclqqeaq.exeJgmjdaqb.exeLhoohgdg.exeGihnkejd.exeMhhgpc32.exeLdgnklmi.exeGodaakic.exeHiqoeplo.exeBpbmqe32.exeLofkoamf.exeJhahanie.exeNghpjn32.exeAohgfm32.exeBlaobmkq.exeHfebhmbm.exeNladco32.exeFckhhgcf.exeBnlphh32.exePmhgba32.exeGefolhja.exeKbeqjl32.exeMbjfcnkg.exeFhhbif32.exeCjjpag32.exeFbhfajia.exeFnogfk32.exeMaanab32.exeKkalcdao.exedescription ioc process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hpdbmooo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Klmqapci.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lifcib32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fejfmk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dgfpni32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Oqepgk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Aalofa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Llbnnq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mpngmb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iifghk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Omfnnnhj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Aphehidc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Djjeedhp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hhlaiccm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Meemgk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oniebmda.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ccgklc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ijaaae32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mclqqeaq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jgmjdaqb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lhoohgdg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gihnkejd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mhhgpc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ldgnklmi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Godaakic.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hiqoeplo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bpbmqe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lofkoamf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jhahanie.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nghpjn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aohgfm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Blaobmkq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hfebhmbm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nladco32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fckhhgcf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bnlphh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pmhgba32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gefolhja.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Djjeedhp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kbeqjl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mbjfcnkg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fhhbif32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cjjpag32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fbhfajia.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fnogfk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Maanab32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kkalcdao.exe -
Executes dropped EXE 64 IoCs
Processes:
Eabepp32.exeEmifeqid.exeFibcoalf.exeFckhhgcf.exeFoahmh32.exeFodebh32.exeFlhflleb.exeGhofam32.exeGhacfmic.exeGnnlocgk.exeGdhdkn32.exeGghmmilh.exeGodaakic.exeHjlbdc32.exeHiqoeplo.exeHegpjaac.exeHnbaif32.exeHeliepmn.exeIgmbgk32.exeIngkdeak.exeIjnkifgp.exeImlhebfc.exeIbipmiek.exeIbkmchbh.exeJelfdc32.exeJacfidem.exeJijokbfp.exeJlhkgm32.exeJagpdd32.exeJhahanie.exeJhdegn32.exeJkbaci32.exeKmcjedcg.exeKdmban32.exeKgkonj32.exeKbbobkol.exeKeqkofno.exeKilgoe32.exeKoipglep.exeKindeddf.exeKlmqapci.exeKajiigba.exeLdheebad.exeLegaoehg.exeLpabpcdf.exeLhhkapeh.exeLngpog32.exeLdahkaij.exeLlmmpcfe.exeMgbaml32.exeMjqmig32.exeMomfan32.exeMfgnnhkc.exeMhfjjdjf.exeMopbgn32.exeMhhgpc32.exeMkfclo32.exeMneohj32.exeMflgih32.exeMkipao32.exeNgpqfp32.exeNnjicjbf.exeNbeedh32.exeNdcapd32.exepid process 2440 Eabepp32.exe 2140 Emifeqid.exe 2740 Fibcoalf.exe 2664 Fckhhgcf.exe 2808 Foahmh32.exe 2572 Fodebh32.exe 376 Flhflleb.exe 300 Ghofam32.exe 2860 Ghacfmic.exe 2744 Gnnlocgk.exe 2840 Gdhdkn32.exe 2016 Gghmmilh.exe 2480 Godaakic.exe 1140 Hjlbdc32.exe 2088 Hiqoeplo.exe 748 Hegpjaac.exe 1264 Hnbaif32.exe 3016 Heliepmn.exe 1800 Igmbgk32.exe 2968 Ingkdeak.exe 1604 Ijnkifgp.exe 1816 Imlhebfc.exe 2448 Ibipmiek.exe 700 Ibkmchbh.exe 2600 Jelfdc32.exe 2624 Jacfidem.exe 2768 Jijokbfp.exe 2108 Jlhkgm32.exe 1696 Jagpdd32.exe 2528 Jhahanie.exe 2548 Jhdegn32.exe 2024 Jkbaci32.exe 2620 Kmcjedcg.exe 1120 Kdmban32.exe 1368 Kgkonj32.exe 1232 Kbbobkol.exe 2092 Keqkofno.exe 2468 Kilgoe32.exe 3056 Koipglep.exe 1952 Kindeddf.exe 912 Klmqapci.exe 2992 Kajiigba.exe 1536 Ldheebad.exe 2372 Legaoehg.exe 2972 Lpabpcdf.exe 2380 Lhhkapeh.exe 1680 Lngpog32.exe 2216 Ldahkaij.exe 2212 Llmmpcfe.exe 2180 Mgbaml32.exe 2660 Mjqmig32.exe 2788 Momfan32.exe 2640 Mfgnnhkc.exe 1044 Mhfjjdjf.exe 2040 Mopbgn32.exe 2616 Mhhgpc32.exe 2556 Mkfclo32.exe 1496 Mneohj32.exe 2944 Mflgih32.exe 3000 Mkipao32.exe 1736 Ngpqfp32.exe 1740 Nnjicjbf.exe 1420 Nbeedh32.exe 2964 Ndcapd32.exe -
Loads dropped DLL 64 IoCs
Processes:
071c0a76ebe3608b9800a63e23d6155b7f371758c34f604ac2d0e4aee257d288.exeEabepp32.exeEmifeqid.exeFibcoalf.exeFckhhgcf.exeFoahmh32.exeFodebh32.exeFlhflleb.exeGhofam32.exeGhacfmic.exeGnnlocgk.exeGdhdkn32.exeGghmmilh.exeGodaakic.exeHjlbdc32.exeHiqoeplo.exeHegpjaac.exeHnbaif32.exeHeliepmn.exeIgmbgk32.exeIngkdeak.exeIjnkifgp.exeImlhebfc.exeIbipmiek.exeIbkmchbh.exeJelfdc32.exeJacfidem.exeJijokbfp.exeJlhkgm32.exeJagpdd32.exeJhahanie.exeJhdegn32.exepid process 2460 071c0a76ebe3608b9800a63e23d6155b7f371758c34f604ac2d0e4aee257d288.exe 2460 071c0a76ebe3608b9800a63e23d6155b7f371758c34f604ac2d0e4aee257d288.exe 2440 Eabepp32.exe 2440 Eabepp32.exe 2140 Emifeqid.exe 2140 Emifeqid.exe 2740 Fibcoalf.exe 2740 Fibcoalf.exe 2664 Fckhhgcf.exe 2664 Fckhhgcf.exe 2808 Foahmh32.exe 2808 Foahmh32.exe 2572 Fodebh32.exe 2572 Fodebh32.exe 376 Flhflleb.exe 376 Flhflleb.exe 300 Ghofam32.exe 300 Ghofam32.exe 2860 Ghacfmic.exe 2860 Ghacfmic.exe 2744 Gnnlocgk.exe 2744 Gnnlocgk.exe 2840 Gdhdkn32.exe 2840 Gdhdkn32.exe 2016 Gghmmilh.exe 2016 Gghmmilh.exe 2480 Godaakic.exe 2480 Godaakic.exe 1140 Hjlbdc32.exe 1140 Hjlbdc32.exe 2088 Hiqoeplo.exe 2088 Hiqoeplo.exe 748 Hegpjaac.exe 748 Hegpjaac.exe 1264 Hnbaif32.exe 1264 Hnbaif32.exe 3016 Heliepmn.exe 3016 Heliepmn.exe 1800 Igmbgk32.exe 1800 Igmbgk32.exe 2968 Ingkdeak.exe 2968 Ingkdeak.exe 1604 Ijnkifgp.exe 1604 Ijnkifgp.exe 1816 Imlhebfc.exe 1816 Imlhebfc.exe 2448 Ibipmiek.exe 2448 Ibipmiek.exe 700 Ibkmchbh.exe 700 Ibkmchbh.exe 2600 Jelfdc32.exe 2600 Jelfdc32.exe 2624 Jacfidem.exe 2624 Jacfidem.exe 2768 Jijokbfp.exe 2768 Jijokbfp.exe 2108 Jlhkgm32.exe 2108 Jlhkgm32.exe 1696 Jagpdd32.exe 1696 Jagpdd32.exe 2528 Jhahanie.exe 2528 Jhahanie.exe 2548 Jhdegn32.exe 2548 Jhdegn32.exe -
Drops file in System32 directory 64 IoCs
Processes:
Ojglhm32.exeFigocipe.exeHbpbck32.exeLfkfkopk.exeCcpeld32.exeCbpbgk32.exeHdbbnd32.exePilbocej.exeAmafgc32.exeCjboeenh.exeDcmnja32.exeCdngip32.exeDljngoea.exeGhacfmic.exeOfnpnkgf.exeJcoanb32.exeNkjdcp32.exeNgbmlo32.exeBhkeohhn.exeGdcfoq32.exeLdjmidcj.exeHechkfkc.exeIijfoh32.exeDdbmcb32.exeHjddaj32.exeJndflk32.exeKolhdbjh.exeEmifeqid.exeAbnopj32.exeBknmok32.exeGahpkd32.exeLhhkapeh.exeOkpdjjil.exeDglpdomh.exeOmnkicen.exeAiknnf32.exeJgmaog32.exeJibnop32.exeOffpbi32.exeBlipno32.exeAknngo32.exeKflcok32.exeLifcib32.exePfflql32.exeAoaill32.exeKindeddf.exeHgeelf32.exeBeogaenl.exeHocmpm32.exeLidilk32.exeLkifkdjm.exedescription ioc process File created C:\Windows\SysWOW64\Nhcedjfb.dll File created C:\Windows\SysWOW64\Phklaacg.exe Ojglhm32.exe File created C:\Windows\SysWOW64\Eecgon32.dll Figocipe.exe File created C:\Windows\SysWOW64\Heonpf32.exe Hbpbck32.exe File created C:\Windows\SysWOW64\Fhihab32.dll Lfkfkopk.exe File created C:\Windows\SysWOW64\Enlhahnp.dll File created C:\Windows\SysWOW64\Pkgjak32.dll File created C:\Windows\SysWOW64\Npepbkgb.dll Ccpeld32.exe File created C:\Windows\SysWOW64\Cdnncfoe.exe Cbpbgk32.exe File created C:\Windows\SysWOW64\Hkmjjn32.exe Hdbbnd32.exe File created C:\Windows\SysWOW64\Komjmk32.exe File created C:\Windows\SysWOW64\Pjmnfk32.exe Pilbocej.exe File created C:\Windows\SysWOW64\Jkkcdb32.dll Amafgc32.exe File created C:\Windows\SysWOW64\Dajgfboj.exe Cjboeenh.exe File created C:\Windows\SysWOW64\Bedpgc32.dll Dcmnja32.exe File created C:\Windows\SysWOW64\Iidbakdl.dll Cdngip32.exe File created C:\Windows\SysWOW64\Hgfcop32.dll Dljngoea.exe File opened for modification C:\Windows\SysWOW64\Gnnlocgk.exe Ghacfmic.exe File opened for modification C:\Windows\SysWOW64\Oimmjffj.exe Ofnpnkgf.exe File created C:\Windows\SysWOW64\Jndflk32.exe Jcoanb32.exe File opened for modification C:\Windows\SysWOW64\Noepdo32.exe Nkjdcp32.exe File created C:\Windows\SysWOW64\Oaecdo32.dll File opened for modification C:\Windows\SysWOW64\Qgiibp32.exe File created C:\Windows\SysWOW64\Gbcknkna.dll Ngbmlo32.exe File created C:\Windows\SysWOW64\Bpbmqe32.exe Bhkeohhn.exe File created C:\Windows\SysWOW64\Ecllkodg.dll Gdcfoq32.exe File opened for modification C:\Windows\SysWOW64\Ejfnda32.exe File created C:\Windows\SysWOW64\Alggph32.dll File created C:\Windows\SysWOW64\Lmbabj32.exe Ldjmidcj.exe File opened for modification C:\Windows\SysWOW64\Hlmphp32.exe Hechkfkc.exe File opened for modification C:\Windows\SysWOW64\Idokma32.exe Iijfoh32.exe File opened for modification C:\Windows\SysWOW64\Dgqion32.exe Ddbmcb32.exe File created C:\Windows\SysWOW64\Hpnlndkp.exe Hjddaj32.exe File created C:\Windows\SysWOW64\Ennlbjle.dll Jndflk32.exe File created C:\Windows\SysWOW64\Kffqqm32.exe Kolhdbjh.exe File created C:\Windows\SysWOW64\Opfmmcec.dll Emifeqid.exe File opened for modification C:\Windows\SysWOW64\Bihgmdih.exe Abnopj32.exe File created C:\Windows\SysWOW64\Bahelebm.exe Bknmok32.exe File opened for modification C:\Windows\SysWOW64\Gdflgo32.exe Gahpkd32.exe File opened for modification C:\Windows\SysWOW64\Lngpog32.exe Lhhkapeh.exe File created C:\Windows\SysWOW64\Oqmmbqgd.exe Okpdjjil.exe File created C:\Windows\SysWOW64\Aoqbnfda.dll Dglpdomh.exe File opened for modification C:\Windows\SysWOW64\Ochcem32.exe Omnkicen.exe File created C:\Windows\SysWOW64\Aohgfm32.exe Aiknnf32.exe File created C:\Windows\SysWOW64\Kckido32.dll Jgmaog32.exe File created C:\Windows\SysWOW64\Jlqjkk32.exe Jibnop32.exe File created C:\Windows\SysWOW64\Ahojng32.dll Offpbi32.exe File created C:\Windows\SysWOW64\Mhnkcm32.dll Blipno32.exe File created C:\Windows\SysWOW64\Fjjdbf32.dll Aknngo32.exe File created C:\Windows\SysWOW64\Jaamhjgm.dll Kflcok32.exe File created C:\Windows\SysWOW64\Lchclmla.exe File created C:\Windows\SysWOW64\Dpdpkfga.exe File created C:\Windows\SysWOW64\Lpqlemaj.exe Lifcib32.exe File created C:\Windows\SysWOW64\Pmpdmfff.exe Pfflql32.exe File opened for modification C:\Windows\SysWOW64\Ncnlnaim.exe File opened for modification C:\Windows\SysWOW64\Bpcfcddp.exe Aoaill32.exe File created C:\Windows\SysWOW64\Fckkff32.dll Kindeddf.exe File created C:\Windows\SysWOW64\Hifbdnbi.exe Hgeelf32.exe File created C:\Windows\SysWOW64\Odfofhic.exe File opened for modification C:\Windows\SysWOW64\Baajji32.exe File created C:\Windows\SysWOW64\Blipno32.exe Beogaenl.exe File opened for modification C:\Windows\SysWOW64\Hmfmkjdf.exe Hocmpm32.exe File opened for modification C:\Windows\SysWOW64\Lmpeljkm.exe Lidilk32.exe File created C:\Windows\SysWOW64\Njdfnb32.dll Lkifkdjm.exe -
Program crash 1 IoCs
Processes:
pid pid_target process target process 6904 5320 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
Hnbaif32.exePmkdhq32.exeCpgecq32.exeHclhjpjc.exeAhfgbkpl.exeFnejdiep.exeNnjicjbf.exeNjeccjcd.exeOfafgipc.exeCbpbgk32.exeHjddaj32.exeNchipb32.exeAmoibc32.exeDfhgggim.exeEnenef32.exeDgfpni32.exeLlgljn32.exeFhhbif32.exeJgkdigfa.exeIhnjmf32.exeNmofdf32.exeKiofnm32.exeOdacbpee.exeOggeokoq.exeEbicee32.exeLamjph32.exeFpmpnmck.exeKeqkofno.exePaiche32.exePpipdl32.exeCjoilfek.exeQcmkhi32.exeBhjpnj32.exeHnmacpfj.exeFhglop32.exeDnhbmpkn.exeIgceej32.exeFkkhpadq.exeGbcien32.exeHljaigmo.exeKimjhnnl.exeCppobaeb.exeNanfqo32.exeFefqdl32.exeJfekec32.exeBobleeef.exeHonnki32.exeJnagmc32.exedescription ioc process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hnbaif32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pmkdhq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cpgecq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hclhjpjc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ahfgbkpl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fnejdiep.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nnjicjbf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Njeccjcd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ofafgipc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cbpbgk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hjddaj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nchipb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Amoibc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dfhgggim.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Enenef32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dgfpni32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Llgljn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fhhbif32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jgkdigfa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ihnjmf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nmofdf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kiofnm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Odacbpee.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oggeokoq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ebicee32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lamjph32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fpmpnmck.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Keqkofno.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Paiche32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ppipdl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cjoilfek.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qcmkhi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bhjpnj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hnmacpfj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fhglop32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dnhbmpkn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Igceej32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fkkhpadq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gbcien32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hljaigmo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kimjhnnl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cppobaeb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nanfqo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fefqdl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jfekec32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bobleeef.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Honnki32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jnagmc32.exe -
Modifies registry class 64 IoCs
Processes:
Mndhnd32.exeEjfbfo32.exeLknebaba.exeJgnchplb.exeMainndaq.exeBkkgfm32.exeElieipej.exeHmfmkjdf.exePbgefa32.exeEikfdl32.exeCjjpag32.exeBldpiifb.exeGkmefaan.exeAjdcofop.exeOqepgk32.exeOfnpnkgf.exeChggdoee.exeIlgjhena.exeNaimepkp.exeAadobccg.exeFjaoplho.exeFbhfajia.exeIngkdeak.exePepfnd32.exeBlgcio32.exeAaejojjq.exeLpqlemaj.exeGjpddigo.exeIifghk32.exeEfppqoil.exeKnikfnih.exeMfceom32.exeQlfdac32.exePiieicgl.exeAbfoll32.exeDgiaefgg.exeJacibm32.exeHiqoeplo.exeNojnql32.exeMhkfnlme.exeMigbpocm.exeJedehaea.exeDfhgggim.exeIjfqfj32.exeDemaoj32.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mokhho32.dll" Mndhnd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ejfbfo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lmieogma.dll" Lknebaba.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jgnchplb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mainndaq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nmdjijco.dll" Bkkgfm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Elieipej.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hmfmkjdf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dmpgan32.dll" Pbgefa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nbiahjpi.dll" Eikfdl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cjjpag32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkhanokh.dll" Bldpiifb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Gkmefaan.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ajdcofop.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Oqepgk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Efabjb32.dll" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ofnpnkgf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdohpb32.dll" Chggdoee.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Akkiob32.dll" Ilgjhena.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Naimepkp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Aadobccg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fjaoplho.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Enjoliob.dll" Fbhfajia.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ofoabofe.dll" Ingkdeak.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pepfnd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imcplf32.dll" Blgcio32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Flfifa32.dll" Aaejojjq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Lpqlemaj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Gjpddigo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Iifghk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hmfmkjdf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Holgkalp.dll" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nmjkle32.dll" Efppqoil.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Knikfnih.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hfndae32.dll" Mfceom32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmofak32.dll" Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Qlfdac32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nclgkc32.dll" Piieicgl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gpccle32.dll" Abfoll32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elcmpi32.dll" Dgiaefgg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jacibm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hiqoeplo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Nojnql32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ompjookk.dll" Mhkfnlme.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Migbpocm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hapbpm32.dll" Jedehaea.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Dfhgggim.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kfnhec32.dll" Ijfqfj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lqahpi32.dll" Demaoj32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
071c0a76ebe3608b9800a63e23d6155b7f371758c34f604ac2d0e4aee257d288.exeEabepp32.exeEmifeqid.exeFibcoalf.exeFckhhgcf.exeFoahmh32.exeFodebh32.exeFlhflleb.exeGhofam32.exeGhacfmic.exeGnnlocgk.exeGdhdkn32.exeGghmmilh.exeGodaakic.exeHjlbdc32.exeHiqoeplo.exedescription pid process target process PID 2460 wrote to memory of 2440 2460 071c0a76ebe3608b9800a63e23d6155b7f371758c34f604ac2d0e4aee257d288.exe Eabepp32.exe PID 2460 wrote to memory of 2440 2460 071c0a76ebe3608b9800a63e23d6155b7f371758c34f604ac2d0e4aee257d288.exe Eabepp32.exe PID 2460 wrote to memory of 2440 2460 071c0a76ebe3608b9800a63e23d6155b7f371758c34f604ac2d0e4aee257d288.exe Eabepp32.exe PID 2460 wrote to memory of 2440 2460 071c0a76ebe3608b9800a63e23d6155b7f371758c34f604ac2d0e4aee257d288.exe Eabepp32.exe PID 2440 wrote to memory of 2140 2440 Eabepp32.exe Emifeqid.exe PID 2440 wrote to memory of 2140 2440 Eabepp32.exe Emifeqid.exe PID 2440 wrote to memory of 2140 2440 Eabepp32.exe Emifeqid.exe PID 2440 wrote to memory of 2140 2440 Eabepp32.exe Emifeqid.exe PID 2140 wrote to memory of 2740 2140 Emifeqid.exe Fibcoalf.exe PID 2140 wrote to memory of 2740 2140 Emifeqid.exe Fibcoalf.exe PID 2140 wrote to memory of 2740 2140 Emifeqid.exe Fibcoalf.exe PID 2140 wrote to memory of 2740 2140 Emifeqid.exe Fibcoalf.exe PID 2740 wrote to memory of 2664 2740 Fibcoalf.exe Fckhhgcf.exe PID 2740 wrote to memory of 2664 2740 Fibcoalf.exe Fckhhgcf.exe PID 2740 wrote to memory of 2664 2740 Fibcoalf.exe Fckhhgcf.exe PID 2740 wrote to memory of 2664 2740 Fibcoalf.exe Fckhhgcf.exe PID 2664 wrote to memory of 2808 2664 Fckhhgcf.exe Foahmh32.exe PID 2664 wrote to memory of 2808 2664 Fckhhgcf.exe Foahmh32.exe PID 2664 wrote to memory of 2808 2664 Fckhhgcf.exe Foahmh32.exe PID 2664 wrote to memory of 2808 2664 Fckhhgcf.exe Foahmh32.exe PID 2808 wrote to memory of 2572 2808 Foahmh32.exe Fodebh32.exe PID 2808 wrote to memory of 2572 2808 Foahmh32.exe Fodebh32.exe PID 2808 wrote to memory of 2572 2808 Foahmh32.exe Fodebh32.exe PID 2808 wrote to memory of 2572 2808 Foahmh32.exe Fodebh32.exe PID 2572 wrote to memory of 376 2572 Fodebh32.exe Flhflleb.exe PID 2572 wrote to memory of 376 2572 Fodebh32.exe Flhflleb.exe PID 2572 wrote to memory of 376 2572 Fodebh32.exe Flhflleb.exe PID 2572 wrote to memory of 376 2572 Fodebh32.exe Flhflleb.exe PID 376 wrote to memory of 300 376 Flhflleb.exe Ghofam32.exe PID 376 wrote to memory of 300 376 Flhflleb.exe Ghofam32.exe PID 376 wrote to memory of 300 376 Flhflleb.exe Ghofam32.exe PID 376 wrote to memory of 300 376 Flhflleb.exe Ghofam32.exe PID 300 wrote to memory of 2860 300 Ghofam32.exe Ghacfmic.exe PID 300 wrote to memory of 2860 300 Ghofam32.exe Ghacfmic.exe PID 300 wrote to memory of 2860 300 Ghofam32.exe Ghacfmic.exe PID 300 wrote to memory of 2860 300 Ghofam32.exe Ghacfmic.exe PID 2860 wrote to memory of 2744 2860 Ghacfmic.exe Gnnlocgk.exe PID 2860 wrote to memory of 2744 2860 Ghacfmic.exe Gnnlocgk.exe PID 2860 wrote to memory of 2744 2860 Ghacfmic.exe Gnnlocgk.exe PID 2860 wrote to memory of 2744 2860 Ghacfmic.exe Gnnlocgk.exe PID 2744 wrote to memory of 2840 2744 Gnnlocgk.exe Gdhdkn32.exe PID 2744 wrote to memory of 2840 2744 Gnnlocgk.exe Gdhdkn32.exe PID 2744 wrote to memory of 2840 2744 Gnnlocgk.exe Gdhdkn32.exe PID 2744 wrote to memory of 2840 2744 Gnnlocgk.exe Gdhdkn32.exe PID 2840 wrote to memory of 2016 2840 Gdhdkn32.exe Gghmmilh.exe PID 2840 wrote to memory of 2016 2840 Gdhdkn32.exe Gghmmilh.exe PID 2840 wrote to memory of 2016 2840 Gdhdkn32.exe Gghmmilh.exe PID 2840 wrote to memory of 2016 2840 Gdhdkn32.exe Gghmmilh.exe PID 2016 wrote to memory of 2480 2016 Gghmmilh.exe Godaakic.exe PID 2016 wrote to memory of 2480 2016 Gghmmilh.exe Godaakic.exe PID 2016 wrote to memory of 2480 2016 Gghmmilh.exe Godaakic.exe PID 2016 wrote to memory of 2480 2016 Gghmmilh.exe Godaakic.exe PID 2480 wrote to memory of 1140 2480 Godaakic.exe Hjlbdc32.exe PID 2480 wrote to memory of 1140 2480 Godaakic.exe Hjlbdc32.exe PID 2480 wrote to memory of 1140 2480 Godaakic.exe Hjlbdc32.exe PID 2480 wrote to memory of 1140 2480 Godaakic.exe Hjlbdc32.exe PID 1140 wrote to memory of 2088 1140 Hjlbdc32.exe Hiqoeplo.exe PID 1140 wrote to memory of 2088 1140 Hjlbdc32.exe Hiqoeplo.exe PID 1140 wrote to memory of 2088 1140 Hjlbdc32.exe Hiqoeplo.exe PID 1140 wrote to memory of 2088 1140 Hjlbdc32.exe Hiqoeplo.exe PID 2088 wrote to memory of 748 2088 Hiqoeplo.exe Hegpjaac.exe PID 2088 wrote to memory of 748 2088 Hiqoeplo.exe Hegpjaac.exe PID 2088 wrote to memory of 748 2088 Hiqoeplo.exe Hegpjaac.exe PID 2088 wrote to memory of 748 2088 Hiqoeplo.exe Hegpjaac.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\071c0a76ebe3608b9800a63e23d6155b7f371758c34f604ac2d0e4aee257d288.exe"C:\Users\Admin\AppData\Local\Temp\071c0a76ebe3608b9800a63e23d6155b7f371758c34f604ac2d0e4aee257d288.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2460 -
C:\Windows\SysWOW64\Eabepp32.exeC:\Windows\system32\Eabepp32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2440 -
C:\Windows\SysWOW64\Emifeqid.exeC:\Windows\system32\Emifeqid.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2140 -
C:\Windows\SysWOW64\Fibcoalf.exeC:\Windows\system32\Fibcoalf.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2740 -
C:\Windows\SysWOW64\Fckhhgcf.exeC:\Windows\system32\Fckhhgcf.exe5⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2664 -
C:\Windows\SysWOW64\Foahmh32.exeC:\Windows\system32\Foahmh32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2808 -
C:\Windows\SysWOW64\Fodebh32.exeC:\Windows\system32\Fodebh32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2572 -
C:\Windows\SysWOW64\Flhflleb.exeC:\Windows\system32\Flhflleb.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:376 -
C:\Windows\SysWOW64\Ghofam32.exeC:\Windows\system32\Ghofam32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:300 -
C:\Windows\SysWOW64\Ghacfmic.exeC:\Windows\system32\Ghacfmic.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2860 -
C:\Windows\SysWOW64\Gnnlocgk.exeC:\Windows\system32\Gnnlocgk.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2744 -
C:\Windows\SysWOW64\Gdhdkn32.exeC:\Windows\system32\Gdhdkn32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2840 -
C:\Windows\SysWOW64\Gghmmilh.exeC:\Windows\system32\Gghmmilh.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2016 -
C:\Windows\SysWOW64\Godaakic.exeC:\Windows\system32\Godaakic.exe14⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2480 -
C:\Windows\SysWOW64\Hjlbdc32.exeC:\Windows\system32\Hjlbdc32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1140 -
C:\Windows\SysWOW64\Hiqoeplo.exeC:\Windows\system32\Hiqoeplo.exe16⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2088 -
C:\Windows\SysWOW64\Hegpjaac.exeC:\Windows\system32\Hegpjaac.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:748 -
C:\Windows\SysWOW64\Hnbaif32.exeC:\Windows\system32\Hnbaif32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1264 -
C:\Windows\SysWOW64\Heliepmn.exeC:\Windows\system32\Heliepmn.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3016 -
C:\Windows\SysWOW64\Igmbgk32.exeC:\Windows\system32\Igmbgk32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1800 -
C:\Windows\SysWOW64\Ingkdeak.exeC:\Windows\system32\Ingkdeak.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2968 -
C:\Windows\SysWOW64\Ijnkifgp.exeC:\Windows\system32\Ijnkifgp.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1604 -
C:\Windows\SysWOW64\Imlhebfc.exeC:\Windows\system32\Imlhebfc.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1816 -
C:\Windows\SysWOW64\Ibipmiek.exeC:\Windows\system32\Ibipmiek.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2448 -
C:\Windows\SysWOW64\Ibkmchbh.exeC:\Windows\system32\Ibkmchbh.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:700 -
C:\Windows\SysWOW64\Jelfdc32.exeC:\Windows\system32\Jelfdc32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2600 -
C:\Windows\SysWOW64\Jacfidem.exeC:\Windows\system32\Jacfidem.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2624 -
C:\Windows\SysWOW64\Jijokbfp.exeC:\Windows\system32\Jijokbfp.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2768 -
C:\Windows\SysWOW64\Jlhkgm32.exeC:\Windows\system32\Jlhkgm32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2108 -
C:\Windows\SysWOW64\Jagpdd32.exeC:\Windows\system32\Jagpdd32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1696 -
C:\Windows\SysWOW64\Jhahanie.exeC:\Windows\system32\Jhahanie.exe31⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2528 -
C:\Windows\SysWOW64\Jhdegn32.exeC:\Windows\system32\Jhdegn32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2548 -
C:\Windows\SysWOW64\Jkbaci32.exeC:\Windows\system32\Jkbaci32.exe33⤵
- Executes dropped EXE
PID:2024 -
C:\Windows\SysWOW64\Kmcjedcg.exeC:\Windows\system32\Kmcjedcg.exe34⤵
- Executes dropped EXE
PID:2620 -
C:\Windows\SysWOW64\Kdmban32.exeC:\Windows\system32\Kdmban32.exe35⤵
- Executes dropped EXE
PID:1120 -
C:\Windows\SysWOW64\Kgkonj32.exeC:\Windows\system32\Kgkonj32.exe36⤵
- Executes dropped EXE
PID:1368 -
C:\Windows\SysWOW64\Kbbobkol.exeC:\Windows\system32\Kbbobkol.exe37⤵
- Executes dropped EXE
PID:1232 -
C:\Windows\SysWOW64\Keqkofno.exeC:\Windows\system32\Keqkofno.exe38⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2092 -
C:\Windows\SysWOW64\Kilgoe32.exeC:\Windows\system32\Kilgoe32.exe39⤵
- Executes dropped EXE
PID:2468 -
C:\Windows\SysWOW64\Koipglep.exeC:\Windows\system32\Koipglep.exe40⤵
- Executes dropped EXE
PID:3056 -
C:\Windows\SysWOW64\Kindeddf.exeC:\Windows\system32\Kindeddf.exe41⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1952 -
C:\Windows\SysWOW64\Klmqapci.exeC:\Windows\system32\Klmqapci.exe42⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:912 -
C:\Windows\SysWOW64\Kajiigba.exeC:\Windows\system32\Kajiigba.exe43⤵
- Executes dropped EXE
PID:2992 -
C:\Windows\SysWOW64\Ldheebad.exeC:\Windows\system32\Ldheebad.exe44⤵
- Executes dropped EXE
PID:1536 -
C:\Windows\SysWOW64\Legaoehg.exeC:\Windows\system32\Legaoehg.exe45⤵
- Executes dropped EXE
PID:2372 -
C:\Windows\SysWOW64\Lpabpcdf.exeC:\Windows\system32\Lpabpcdf.exe46⤵
- Executes dropped EXE
PID:2972 -
C:\Windows\SysWOW64\Lhhkapeh.exeC:\Windows\system32\Lhhkapeh.exe47⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2380 -
C:\Windows\SysWOW64\Lngpog32.exeC:\Windows\system32\Lngpog32.exe48⤵
- Executes dropped EXE
PID:1680 -
C:\Windows\SysWOW64\Ldahkaij.exeC:\Windows\system32\Ldahkaij.exe49⤵
- Executes dropped EXE
PID:2216 -
C:\Windows\SysWOW64\Llmmpcfe.exeC:\Windows\system32\Llmmpcfe.exe50⤵
- Executes dropped EXE
PID:2212 -
C:\Windows\SysWOW64\Mgbaml32.exeC:\Windows\system32\Mgbaml32.exe51⤵
- Executes dropped EXE
PID:2180 -
C:\Windows\SysWOW64\Mjqmig32.exeC:\Windows\system32\Mjqmig32.exe52⤵
- Executes dropped EXE
PID:2660 -
C:\Windows\SysWOW64\Momfan32.exeC:\Windows\system32\Momfan32.exe53⤵
- Executes dropped EXE
PID:2788 -
C:\Windows\SysWOW64\Mfgnnhkc.exeC:\Windows\system32\Mfgnnhkc.exe54⤵
- Executes dropped EXE
PID:2640 -
C:\Windows\SysWOW64\Mhfjjdjf.exeC:\Windows\system32\Mhfjjdjf.exe55⤵
- Executes dropped EXE
PID:1044 -
C:\Windows\SysWOW64\Mopbgn32.exeC:\Windows\system32\Mopbgn32.exe56⤵
- Executes dropped EXE
PID:2040 -
C:\Windows\SysWOW64\Mhhgpc32.exeC:\Windows\system32\Mhhgpc32.exe57⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2616 -
C:\Windows\SysWOW64\Mkfclo32.exeC:\Windows\system32\Mkfclo32.exe58⤵
- Executes dropped EXE
PID:2556 -
C:\Windows\SysWOW64\Mneohj32.exeC:\Windows\system32\Mneohj32.exe59⤵
- Executes dropped EXE
PID:1496 -
C:\Windows\SysWOW64\Mflgih32.exeC:\Windows\system32\Mflgih32.exe60⤵
- Executes dropped EXE
PID:2944 -
C:\Windows\SysWOW64\Mkipao32.exeC:\Windows\system32\Mkipao32.exe61⤵
- Executes dropped EXE
PID:3000 -
C:\Windows\SysWOW64\Ngpqfp32.exeC:\Windows\system32\Ngpqfp32.exe62⤵
- Executes dropped EXE
PID:1736 -
C:\Windows\SysWOW64\Nnjicjbf.exeC:\Windows\system32\Nnjicjbf.exe63⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1740 -
C:\Windows\SysWOW64\Nbeedh32.exeC:\Windows\system32\Nbeedh32.exe64⤵
- Executes dropped EXE
PID:1420 -
C:\Windows\SysWOW64\Ndcapd32.exeC:\Windows\system32\Ndcapd32.exe65⤵
- Executes dropped EXE
PID:2964 -
C:\Windows\SysWOW64\Ngbmlo32.exeC:\Windows\system32\Ngbmlo32.exe66⤵
- Drops file in System32 directory
PID:832 -
C:\Windows\SysWOW64\Njpihk32.exeC:\Windows\system32\Njpihk32.exe67⤵PID:1592
-
C:\Windows\SysWOW64\Nmofdf32.exeC:\Windows\system32\Nmofdf32.exe68⤵
- System Location Discovery: System Language Discovery
PID:2456 -
C:\Windows\SysWOW64\Ncinap32.exeC:\Windows\system32\Ncinap32.exe69⤵PID:2720
-
C:\Windows\SysWOW64\Ngdjaofc.exeC:\Windows\system32\Ngdjaofc.exe70⤵PID:1036
-
C:\Windows\SysWOW64\Nmabjfek.exeC:\Windows\system32\Nmabjfek.exe71⤵PID:2540
-
C:\Windows\SysWOW64\Nppofado.exeC:\Windows\system32\Nppofado.exe72⤵PID:2252
-
C:\Windows\SysWOW64\Nggggoda.exeC:\Windows\system32\Nggggoda.exe73⤵PID:2772
-
C:\Windows\SysWOW64\Njeccjcd.exeC:\Windows\system32\Njeccjcd.exe74⤵
- System Location Discovery: System Language Discovery
PID:3024 -
C:\Windows\SysWOW64\Nmcopebh.exeC:\Windows\system32\Nmcopebh.exe75⤵PID:2036
-
C:\Windows\SysWOW64\Ncmglp32.exeC:\Windows\system32\Ncmglp32.exe76⤵PID:864
-
C:\Windows\SysWOW64\Nijpdfhm.exeC:\Windows\system32\Nijpdfhm.exe77⤵PID:1168
-
C:\Windows\SysWOW64\Nlilqbgp.exeC:\Windows\system32\Nlilqbgp.exe78⤵PID:2940
-
C:\Windows\SysWOW64\Ofnpnkgf.exeC:\Windows\system32\Ofnpnkgf.exe79⤵
- Drops file in System32 directory
- Modifies registry class
PID:1564 -
C:\Windows\SysWOW64\Oimmjffj.exeC:\Windows\system32\Oimmjffj.exe80⤵PID:2396
-
C:\Windows\SysWOW64\Oniebmda.exeC:\Windows\system32\Oniebmda.exe81⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1744 -
C:\Windows\SysWOW64\Ofqmcj32.exeC:\Windows\system32\Ofqmcj32.exe82⤵PID:2280
-
C:\Windows\SysWOW64\Olmela32.exeC:\Windows\system32\Olmela32.exe83⤵PID:1076
-
C:\Windows\SysWOW64\Onlahm32.exeC:\Windows\system32\Onlahm32.exe84⤵PID:1964
-
C:\Windows\SysWOW64\Oefjdgjk.exeC:\Windows\system32\Oefjdgjk.exe85⤵PID:2672
-
C:\Windows\SysWOW64\Ojbbmnhc.exeC:\Windows\system32\Ojbbmnhc.exe86⤵PID:2560
-
C:\Windows\SysWOW64\Objjnkie.exeC:\Windows\system32\Objjnkie.exe87⤵PID:1840
-
C:\Windows\SysWOW64\Oehgjfhi.exeC:\Windows\system32\Oehgjfhi.exe88⤵PID:2320
-
C:\Windows\SysWOW64\Olbogqoe.exeC:\Windows\system32\Olbogqoe.exe89⤵PID:2584
-
C:\Windows\SysWOW64\Onqkclni.exeC:\Windows\system32\Onqkclni.exe90⤵PID:1476
-
C:\Windows\SysWOW64\Oaogognm.exeC:\Windows\system32\Oaogognm.exe91⤵PID:988
-
C:\Windows\SysWOW64\Odmckcmq.exeC:\Windows\system32\Odmckcmq.exe92⤵PID:632
-
C:\Windows\SysWOW64\Ojglhm32.exeC:\Windows\system32\Ojglhm32.exe93⤵
- Drops file in System32 directory
PID:3004 -
C:\Windows\SysWOW64\Phklaacg.exeC:\Windows\system32\Phklaacg.exe94⤵PID:2188
-
C:\Windows\SysWOW64\Pmhejhao.exeC:\Windows\system32\Pmhejhao.exe95⤵PID:2420
-
C:\Windows\SysWOW64\Pfpibn32.exeC:\Windows\system32\Pfpibn32.exe96⤵PID:2244
-
C:\Windows\SysWOW64\Plmbkd32.exeC:\Windows\system32\Plmbkd32.exe97⤵PID:2956
-
C:\Windows\SysWOW64\Pfbfhm32.exeC:\Windows\system32\Pfbfhm32.exe98⤵PID:1424
-
C:\Windows\SysWOW64\Piabdiep.exeC:\Windows\system32\Piabdiep.exe99⤵PID:2524
-
C:\Windows\SysWOW64\Ponklpcg.exeC:\Windows\system32\Ponklpcg.exe100⤵PID:2784
-
C:\Windows\SysWOW64\Phfoee32.exeC:\Windows\system32\Phfoee32.exe101⤵PID:1180
-
C:\Windows\SysWOW64\Popgboae.exeC:\Windows\system32\Popgboae.exe102⤵PID:2536
-
C:\Windows\SysWOW64\Paocnkph.exeC:\Windows\system32\Paocnkph.exe103⤵PID:1200
-
C:\Windows\SysWOW64\Qhilkege.exeC:\Windows\system32\Qhilkege.exe104⤵PID:492
-
C:\Windows\SysWOW64\Qkghgpfi.exeC:\Windows\system32\Qkghgpfi.exe105⤵PID:2868
-
C:\Windows\SysWOW64\Qbnphngk.exeC:\Windows\system32\Qbnphngk.exe106⤵PID:2504
-
C:\Windows\SysWOW64\Qemldifo.exeC:\Windows\system32\Qemldifo.exe107⤵PID:2100
-
C:\Windows\SysWOW64\Qlfdac32.exeC:\Windows\system32\Qlfdac32.exe108⤵
- Modifies registry class
PID:1048 -
C:\Windows\SysWOW64\Qoeamo32.exeC:\Windows\system32\Qoeamo32.exe109⤵PID:940
-
C:\Windows\SysWOW64\Aeoijidl.exeC:\Windows\system32\Aeoijidl.exe110⤵PID:1384
-
C:\Windows\SysWOW64\Agpeaa32.exeC:\Windows\system32\Agpeaa32.exe111⤵PID:888
-
C:\Windows\SysWOW64\Anjnnk32.exeC:\Windows\system32\Anjnnk32.exe112⤵PID:2308
-
C:\Windows\SysWOW64\Aaejojjq.exeC:\Windows\system32\Aaejojjq.exe113⤵
- Modifies registry class
PID:1072 -
C:\Windows\SysWOW64\Agbbgqhh.exeC:\Windows\system32\Agbbgqhh.exe114⤵PID:2732
-
C:\Windows\SysWOW64\Aknngo32.exeC:\Windows\system32\Aknngo32.exe115⤵
- Drops file in System32 directory
PID:2796 -
C:\Windows\SysWOW64\Aahfdihn.exeC:\Windows\system32\Aahfdihn.exe116⤵PID:3028
-
C:\Windows\SysWOW64\Akpkmo32.exeC:\Windows\system32\Akpkmo32.exe117⤵PID:772
-
C:\Windows\SysWOW64\Alageg32.exeC:\Windows\system32\Alageg32.exe118⤵PID:848
-
C:\Windows\SysWOW64\Adipfd32.exeC:\Windows\system32\Adipfd32.exe119⤵PID:1956
-
C:\Windows\SysWOW64\Agglbp32.exeC:\Windows\system32\Agglbp32.exe120⤵PID:2348
-
C:\Windows\SysWOW64\Anadojlo.exeC:\Windows\system32\Anadojlo.exe121⤵PID:2120
-
C:\Windows\SysWOW64\Apppkekc.exeC:\Windows\system32\Apppkekc.exe122⤵PID:444
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-