Analysis
-
max time kernel
95s -
max time network
145s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
22-11-2024 01:00
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
770f203f1419ca439c07ee6678c54aaeb9b0ea491c632ec3bcffab7465711736.exe
Resource
win7-20240903-en
windows7-x64
8 signatures
150 seconds
Behavioral task
behavioral2
Sample
770f203f1419ca439c07ee6678c54aaeb9b0ea491c632ec3bcffab7465711736.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
7 signatures
150 seconds
General
-
Target
770f203f1419ca439c07ee6678c54aaeb9b0ea491c632ec3bcffab7465711736.exe
-
Size
59KB
-
MD5
498989eb55d9f18709caad116368f90c
-
SHA1
a804f9fa136017c329232542059ecdcedd740f8c
-
SHA256
770f203f1419ca439c07ee6678c54aaeb9b0ea491c632ec3bcffab7465711736
-
SHA512
dd09b5eaaeebead2274783b4a9dfee4fde574a5c6fcd467fd2fda8392282b884a951bc4c59198c23e4b8c5103cf74fc350cf7b31a6d52192aa97a3e2ca012c68
-
SSDEEP
768:XD3NK4f4xv8WDmXZnKqdcwC/AuWcAmOLh2p/1H5j2+tPXdnhfXaXdnh:XD3o4f4xUWi5KWczBO92L0+LO
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
Processes:
Ffceip32.exeJmbhoeid.exeNfldgk32.exeJbiejoaj.exeJjdjoane.exeBjnmpl32.exeGigaka32.exeEpmmqheb.exeGojiiafp.exeIgfclkdj.exeJllokajf.exeHkfglb32.exeAaohcj32.exeHhdcmp32.exeLljdai32.exeOpnbae32.exePplobcpp.exeHlblcn32.exeKbhmbdle.exeDbndfl32.exeJlobkg32.exeAkglloai.exeMokmdh32.exeNbnlaldg.exeObqanjdb.exePcpnhl32.exeFacqkg32.exeJjmcnbdm.exeHildmn32.exeEnpmld32.exeNcnofeof.exeOqhoeb32.exePfccogfc.exeAmikgpcc.exeFmjaphek.exeJjamia32.exeBckkca32.exeKgnbdh32.exeFjohde32.exeGpelhd32.exeHbohpn32.exeFgoakc32.exeKelkaj32.exeNobdbkhf.exeCjnffjkl.exeBpqjjjjl.exeHhbkinel.exeKjffdalb.exeBhldpj32.exeAcccdj32.exeHacbhb32.exeBmlilh32.exeDimenegi.exeFplpll32.exeFdcjlb32.exeGkgeoklj.exeGgnedlao.exeCbkfbcpb.exeGgahedjn.exeKpmdfonj.exeEqiibjlj.exeNhegig32.exedescription ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ffceip32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jmbhoeid.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nfldgk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jbiejoaj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jjdjoane.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bjnmpl32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gigaka32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Epmmqheb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gojiiafp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Igfclkdj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jllokajf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hkfglb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aaohcj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hhdcmp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lljdai32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Opnbae32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pplobcpp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hlblcn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kbhmbdle.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dbndfl32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jlobkg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Akglloai.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mokmdh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nbnlaldg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Obqanjdb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pcpnhl32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Facqkg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jjmcnbdm.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hildmn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Enpmld32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ncnofeof.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oqhoeb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pfccogfc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Amikgpcc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fmjaphek.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jjamia32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bckkca32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kgnbdh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fjohde32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gpelhd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hbohpn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fgoakc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jbiejoaj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kelkaj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nobdbkhf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cjnffjkl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bpqjjjjl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hhbkinel.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kjffdalb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bhldpj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Acccdj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hacbhb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bmlilh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dimenegi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fplpll32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fdcjlb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gkgeoklj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gkgeoklj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ggnedlao.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cbkfbcpb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ggahedjn.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kpmdfonj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eqiibjlj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nhegig32.exe -
Executes dropped EXE 64 IoCs
Processes:
Edjgfcec.exeEigonjcj.exeEpagkd32.exeEhhpla32.exeEmehdh32.exeEhjlaaig.exeFkihnmhj.exeFacqkg32.exeFfpicn32.exeFmjaphek.exeFdcjlb32.exeFipbdikp.exeFdffbake.exeFkpool32.exeFajgkfio.exeFhdohp32.exeFmqgpgoc.exeFdkpma32.exeGgilil32.exeGmcdffmq.exeGkgeoklj.exeGaamlecg.exeGgnedlao.exeGacjadad.exeGklnjj32.exeGphgbafl.exeGiqkkf32.exeHhbkinel.exeHpmpnp32.exeHgghjjid.exeHammhcij.exeHhfedm32.exeHjhalefe.exeHglaej32.exeHaafcb32.exeHhknpmma.exeHacbhb32.exeIjogmdqm.exeIhphkl32.exeIhbdplfi.exeIkqqlgem.exeIakiia32.exeIggaah32.exeIbmeoq32.exeIjhjcchb.exeJhijqj32.exeJbaojpgb.exeJjmcnbdm.exeJqglkmlj.exeJklphekp.exeJnkldqkc.exeJdedak32.exeJkomneim.exeJjamia32.exeJbiejoaj.exeJgenbfoa.exeJjdjoane.exeKqnbkl32.exeKghjhemo.exeKjffdalb.exeKqpoakco.exeKelkaj32.exeKgjgne32.exeKndojobi.exepid Process 4504 Edjgfcec.exe 4732 Eigonjcj.exe 832 Epagkd32.exe 4884 Ehhpla32.exe 2672 Emehdh32.exe 2000 Ehjlaaig.exe 4556 Fkihnmhj.exe 3036 Facqkg32.exe 1896 Ffpicn32.exe 2728 Fmjaphek.exe 1112 Fdcjlb32.exe 3764 Fipbdikp.exe 2228 Fdffbake.exe 956 Fkpool32.exe 2192 Fajgkfio.exe 3696 Fhdohp32.exe 3196 Fmqgpgoc.exe 2144 Fdkpma32.exe 748 Ggilil32.exe 2744 Gmcdffmq.exe 5032 Gkgeoklj.exe 3664 Gaamlecg.exe 4488 Ggnedlao.exe 1592 Gacjadad.exe 1304 Gklnjj32.exe 2852 Gphgbafl.exe 4492 Giqkkf32.exe 5012 Hhbkinel.exe 1364 Hpmpnp32.exe 1948 Hgghjjid.exe 2284 Hammhcij.exe 4948 Hhfedm32.exe 5108 Hjhalefe.exe 4052 Hglaej32.exe 3560 Haafcb32.exe 3544 Hhknpmma.exe 1244 Hacbhb32.exe 4788 Ijogmdqm.exe 4908 Ihphkl32.exe 3796 Ihbdplfi.exe 632 Ikqqlgem.exe 1196 Iakiia32.exe 2912 Iggaah32.exe 1724 Ibmeoq32.exe 4188 Ijhjcchb.exe 4936 Jhijqj32.exe 3064 Jbaojpgb.exe 2052 Jjmcnbdm.exe 4296 Jqglkmlj.exe 1668 Jklphekp.exe 4968 Jnkldqkc.exe 3536 Jdedak32.exe 1712 Jkomneim.exe 3420 Jjamia32.exe 2716 Jbiejoaj.exe 3032 Jgenbfoa.exe 856 Jjdjoane.exe 3424 Kqnbkl32.exe 1192 Kghjhemo.exe 3128 Kjffdalb.exe 1900 Kqpoakco.exe 620 Kelkaj32.exe 3232 Kgjgne32.exe 2956 Kndojobi.exe -
Drops file in System32 directory 64 IoCs
Processes:
Gklnjj32.exeGdaociml.exeBebjdgmj.exeMhckcgpj.exeHdjbiheb.exeIjcjmmil.exeLgepom32.exeKbhmbdle.exeCmpjoloh.exeKpjgaoqm.exeMcpcdg32.exeDgcihgaj.exeBjlpjm32.exeJpaekqhh.exeJebfng32.exeDknnoofg.exeLlcghg32.exeCacmpj32.exeMjellmbp.exeGbmingjo.exeFbbicl32.exeMbibfm32.exeFpggamqc.exeJlobkg32.exeGbfldf32.exeLckiihok.exeGgkqgaol.exeIlnlom32.exePafkgphl.exeFacqkg32.exeHhfedm32.exeIkbfgppo.exeOihmedma.exeNmgjia32.exeBoldhf32.exeNqcejcha.exeBjhkmbho.exeIjhjcchb.exeJpaleglc.exeBheplb32.exeJcoaglhk.exeCdbpgl32.exeLafmjp32.exeJoekag32.exeKlpakj32.exePeieba32.exeGgahedjn.exeMnmdme32.exeEkdnei32.exeIlqoobdd.exeBoenhgdd.exePcbkml32.exeKcpjnjii.exeLgdidgjg.exeEhhpla32.exeAomifecf.exeGjfnedho.exeIcnklbmj.exePefabkej.exeDnpdegjp.exeMapppn32.exeNoblkqca.exeOqhoeb32.exeFbhpch32.exedescription ioc Process File opened for modification C:\Windows\SysWOW64\Gphgbafl.exe Gklnjj32.exe File created C:\Windows\SysWOW64\Gingkqkd.exe Gdaociml.exe File opened for modification C:\Windows\SysWOW64\Bojomm32.exe Bebjdgmj.exe File created C:\Windows\SysWOW64\Momcpa32.exe Mhckcgpj.exe File opened for modification C:\Windows\SysWOW64\Hkdjfb32.exe Hdjbiheb.exe File created C:\Windows\SysWOW64\Hhcmlj32.dll Ijcjmmil.exe File opened for modification C:\Windows\SysWOW64\Lnohlgep.exe Lgepom32.exe File created C:\Windows\SysWOW64\Klpakj32.exe Kbhmbdle.exe File created C:\Windows\SysWOW64\Qecffhdo.dll Cmpjoloh.exe File opened for modification C:\Windows\SysWOW64\Kgdpni32.exe Kpjgaoqm.exe File created C:\Windows\SysWOW64\Mqdcnl32.exe Mcpcdg32.exe File created C:\Windows\SysWOW64\Dhbebj32.exe Dgcihgaj.exe File opened for modification C:\Windows\SysWOW64\Bohibc32.exe Bjlpjm32.exe File opened for modification C:\Windows\SysWOW64\Jcoaglhk.exe Jpaekqhh.exe File created C:\Windows\SysWOW64\Olieecnn.dll Jebfng32.exe File opened for modification C:\Windows\SysWOW64\Diqnjl32.exe Dknnoofg.exe File created C:\Windows\SysWOW64\Mapppn32.exe Llcghg32.exe File created C:\Windows\SysWOW64\Dccfme32.dll Cacmpj32.exe File created C:\Windows\SysWOW64\Mifljdjo.exe Mjellmbp.exe File created C:\Windows\SysWOW64\Gigaka32.exe Gbmingjo.exe File opened for modification C:\Windows\SysWOW64\Feqeog32.exe Fbbicl32.exe File created C:\Windows\SysWOW64\Mhckcgpj.exe Mbibfm32.exe File created C:\Windows\SysWOW64\Pdjpll32.dll Fpggamqc.exe File created C:\Windows\SysWOW64\Qgngnj32.dll Jlobkg32.exe File created C:\Windows\SysWOW64\Pbmmao32.dll Gbfldf32.exe File created C:\Windows\SysWOW64\Ngidlo32.dll Lckiihok.exe File opened for modification C:\Windows\SysWOW64\Gndick32.exe Ggkqgaol.exe File created C:\Windows\SysWOW64\Iajdgcab.exe Ilnlom32.exe File created C:\Windows\SysWOW64\Onnnbnbp.dll Pafkgphl.exe File created C:\Windows\SysWOW64\Ffpicn32.exe Facqkg32.exe File created C:\Windows\SysWOW64\Hjhalefe.exe Hhfedm32.exe File opened for modification C:\Windows\SysWOW64\Ilccoh32.exe Ikbfgppo.exe File created C:\Windows\SysWOW64\Obqanjdb.exe Oihmedma.exe File created C:\Windows\SysWOW64\Ncabfkqo.exe Nmgjia32.exe File opened for modification C:\Windows\SysWOW64\Cdimqm32.exe Boldhf32.exe File created C:\Windows\SysWOW64\Aadafn32.dll Nqcejcha.exe File opened for modification C:\Windows\SysWOW64\Bpedeiff.exe Bjhkmbho.exe File created C:\Windows\SysWOW64\Mlmlcjoo.dll Ijhjcchb.exe File opened for modification C:\Windows\SysWOW64\Jnelok32.exe Jpaleglc.exe File opened for modification C:\Windows\SysWOW64\Blqllqqa.exe Bheplb32.exe File created C:\Windows\SysWOW64\Gkjcgjio.dll Jcoaglhk.exe File opened for modification C:\Windows\SysWOW64\Cklhcfle.exe Cdbpgl32.exe File opened for modification C:\Windows\SysWOW64\Lllagh32.exe Lafmjp32.exe File opened for modification C:\Windows\SysWOW64\Jeocna32.exe Joekag32.exe File created C:\Windows\SysWOW64\Koonge32.exe Klpakj32.exe File opened for modification C:\Windows\SysWOW64\Poajkgnc.exe Peieba32.exe File created C:\Windows\SysWOW64\Hmlpaoaj.exe Ggahedjn.exe File created C:\Windows\SysWOW64\Hmhkgijk.dll Mnmdme32.exe File created C:\Windows\SysWOW64\Pigbqakg.dll Ekdnei32.exe File created C:\Windows\SysWOW64\Ioolkncg.exe Ilqoobdd.exe File created C:\Windows\SysWOW64\Bpfkpp32.exe Boenhgdd.exe File created C:\Windows\SysWOW64\Piocecgj.exe Pcbkml32.exe File created C:\Windows\SysWOW64\Bohgljdl.dll Kcpjnjii.exe File opened for modification C:\Windows\SysWOW64\Lnoaaaad.exe Lgdidgjg.exe File created C:\Windows\SysWOW64\Nabbod32.dll Ehhpla32.exe File opened for modification C:\Windows\SysWOW64\Alqjpi32.exe Aomifecf.exe File created C:\Windows\SysWOW64\Lnnlhc32.dll Gjfnedho.exe File created C:\Windows\SysWOW64\Djiiimel.dll Icnklbmj.exe File opened for modification C:\Windows\SysWOW64\Plpjoe32.exe Pefabkej.exe File created C:\Windows\SysWOW64\Faeghb32.dll Dnpdegjp.exe File opened for modification C:\Windows\SysWOW64\Mjggal32.exe Mapppn32.exe File created C:\Windows\SysWOW64\Nfldgk32.exe Noblkqca.exe File opened for modification C:\Windows\SysWOW64\Ojqcnhkl.exe Oqhoeb32.exe File opened for modification C:\Windows\SysWOW64\Fjohde32.exe Fbhpch32.exe -
Program crash 1 IoCs
Processes:
WerFault.exepid pid_target Process procid_target 13688 2428 WerFault.exe 850 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
Fbhpch32.exeHkfglb32.exeDbkqfe32.exeIgfclkdj.exeJcmdaljn.exeJmeede32.exeBoenhgdd.exeGgnedlao.exeDmlkhofd.exeGmfplibd.exeGlkmmefl.exeGnblnlhl.exeKapfiqoj.exeDmdhcddh.exeNhahaiec.exeHidgai32.exePhajna32.exeOfckhj32.exeDmjmekgn.exeJllokajf.exeKndojobi.exeFdglmkeg.exeHkdjfb32.exeMaggnali.exeBakgoh32.exeCofnik32.exeEoideh32.exeMgbefe32.exeNfcabp32.exeDgcihgaj.exeHejqldci.exePiapkbeg.exeDknnoofg.exeHifcgion.exeHglaej32.exeIhphkl32.exeNlkngo32.exeOaompd32.exeDkdliame.exeBlielbfi.exeEiloco32.exeCdhffg32.exeIakiia32.exeBjnmpl32.exeBhcjqinf.exeDiccgfpd.exeJlolpq32.exeLlmhaold.exeOblhcj32.exeMifljdjo.exeAlkijdci.exeHioflcbj.exeNbnlaldg.exeBbiado32.exePecellgl.exeEgened32.exeBboffejp.exeBojomm32.exeHpnoncim.exeJcoaglhk.exeNbebbk32.exeOmalpc32.exeNhegig32.exeMccfdmmo.exedescription ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fbhpch32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hkfglb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dbkqfe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Igfclkdj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jcmdaljn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jmeede32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Boenhgdd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ggnedlao.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dmlkhofd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gmfplibd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Glkmmefl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gnblnlhl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kapfiqoj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dmdhcddh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nhahaiec.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hidgai32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Phajna32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ofckhj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dmjmekgn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jllokajf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kndojobi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fdglmkeg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hkdjfb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Maggnali.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bakgoh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cofnik32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eoideh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mgbefe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nfcabp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dgcihgaj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hejqldci.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Piapkbeg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dknnoofg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hifcgion.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hglaej32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ihphkl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nlkngo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oaompd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dkdliame.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Blielbfi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eiloco32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cdhffg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iakiia32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bjnmpl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bhcjqinf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Diccgfpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jlolpq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Llmhaold.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oblhcj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mifljdjo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Alkijdci.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hioflcbj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nbnlaldg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bbiado32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pecellgl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Egened32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bboffejp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bojomm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hpnoncim.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jcoaglhk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nbebbk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Omalpc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nhegig32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mccfdmmo.exe -
Modifies registry class 64 IoCs
Processes:
Eifaim32.exeEppjfgcp.exeJmeede32.exeNcnofeof.exeGiecfejd.exeBpqjjjjl.exeAaohcj32.exeLlqjbhdc.exeAalmimfd.exeGbabigfj.exeEkaapi32.exeBgdemb32.exeChlflabp.exeDhclmp32.exeFpdcag32.exeApeknk32.exeMbbagk32.exeIhphkl32.exeIlccoh32.exePmoiqneg.exeOjqcnhkl.exeAmfobp32.exeFfpicn32.exeAbbkcpma.exeEleepoob.exeIloidijb.exeGfodeohd.exePmpolgoi.exeHhbkinel.exeNnfpinmi.exeCcmgiaig.exeOqhoeb32.exeIlibdmgp.exeNhbolp32.exeFdglmkeg.exeKofkbk32.exeJhijqj32.exeFeqeog32.exeDfoiaj32.exeIgdnabjh.exeMnkggfkb.exeCpbjkn32.exeJklphekp.exePefabkej.exeCgifbhid.exeJhgiim32.exeKdbjhbbd.exeCmflbf32.exeBckkca32.exeIoolkncg.exeLqkqhm32.exePopbpqjh.exeIcnklbmj.exeGflhoo32.exeBobabg32.exeBhpofl32.exeEqgmmk32.exeIlfennic.exeLegben32.exeCmhigf32.exeLqbncb32.exeOjdnid32.exeQmepam32.exeAdikdfna.exedescription ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eifaim32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cocopa32.dll" Eppjfgcp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Anhejhfp.dll" Jmeede32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ncnofeof.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mdhbbnba.dll" Giecfejd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bpqjjjjl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aaohcj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ncbegn32.dll" Llqjbhdc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aalmimfd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gbabigfj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ekaapi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Labnlj32.dll" Bgdemb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Micgbemj.dll" Chlflabp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dhclmp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmiadfmi.dll" Fpdcag32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Apeknk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mbbagk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jklaah32.dll" Ihphkl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ilccoh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pmoiqneg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ojqcnhkl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Khihgadg.dll" Amfobp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Llelopkl.dll" Ffpicn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Abbkcpma.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Eleepoob.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Iloidijb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gfodeohd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pmpolgoi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dpabql32.dll" Hhbkinel.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nnfpinmi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ccmgiaig.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Oqhoeb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mcgckb32.dll" Ilibdmgp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nhbolp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fdglmkeg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kofkbk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jhijqj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cgkeml32.dll" Feqeog32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dfoiaj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Igdnabjh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mnkggfkb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cpbjkn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jklphekp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pefabkej.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cgifbhid.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jhgiim32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qfghnikc.dll" Kdbjhbbd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cmflbf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bckkca32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kiodpebj.dll" Ioolkncg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lqkqhm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hffpdd32.dll" Popbpqjh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Icnklbmj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gflhoo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bobabg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bhpofl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eqgmmk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dlhcmpgk.dll" Ilfennic.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Legben32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qdbpmock.dll" Cmhigf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lqbncb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ojdnid32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qmepam32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Adikdfna.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
770f203f1419ca439c07ee6678c54aaeb9b0ea491c632ec3bcffab7465711736.exeEdjgfcec.exeEigonjcj.exeEpagkd32.exeEhhpla32.exeEmehdh32.exeEhjlaaig.exeFkihnmhj.exeFacqkg32.exeFfpicn32.exeFmjaphek.exeFdcjlb32.exeFipbdikp.exeFdffbake.exeFkpool32.exeFajgkfio.exeFhdohp32.exeFmqgpgoc.exeFdkpma32.exeGgilil32.exeGmcdffmq.exeGkgeoklj.exedescription pid Process procid_target PID 2152 wrote to memory of 4504 2152 770f203f1419ca439c07ee6678c54aaeb9b0ea491c632ec3bcffab7465711736.exe 82 PID 2152 wrote to memory of 4504 2152 770f203f1419ca439c07ee6678c54aaeb9b0ea491c632ec3bcffab7465711736.exe 82 PID 2152 wrote to memory of 4504 2152 770f203f1419ca439c07ee6678c54aaeb9b0ea491c632ec3bcffab7465711736.exe 82 PID 4504 wrote to memory of 4732 4504 Edjgfcec.exe 83 PID 4504 wrote to memory of 4732 4504 Edjgfcec.exe 83 PID 4504 wrote to memory of 4732 4504 Edjgfcec.exe 83 PID 4732 wrote to memory of 832 4732 Eigonjcj.exe 84 PID 4732 wrote to memory of 832 4732 Eigonjcj.exe 84 PID 4732 wrote to memory of 832 4732 Eigonjcj.exe 84 PID 832 wrote to memory of 4884 832 Epagkd32.exe 85 PID 832 wrote to memory of 4884 832 Epagkd32.exe 85 PID 832 wrote to memory of 4884 832 Epagkd32.exe 85 PID 4884 wrote to memory of 2672 4884 Ehhpla32.exe 86 PID 4884 wrote to memory of 2672 4884 Ehhpla32.exe 86 PID 4884 wrote to memory of 2672 4884 Ehhpla32.exe 86 PID 2672 wrote to memory of 2000 2672 Emehdh32.exe 87 PID 2672 wrote to memory of 2000 2672 Emehdh32.exe 87 PID 2672 wrote to memory of 2000 2672 Emehdh32.exe 87 PID 2000 wrote to memory of 4556 2000 Ehjlaaig.exe 88 PID 2000 wrote to memory of 4556 2000 Ehjlaaig.exe 88 PID 2000 wrote to memory of 4556 2000 Ehjlaaig.exe 88 PID 4556 wrote to memory of 3036 4556 Fkihnmhj.exe 89 PID 4556 wrote to memory of 3036 4556 Fkihnmhj.exe 89 PID 4556 wrote to memory of 3036 4556 Fkihnmhj.exe 89 PID 3036 wrote to memory of 1896 3036 Facqkg32.exe 90 PID 3036 wrote to memory of 1896 3036 Facqkg32.exe 90 PID 3036 wrote to memory of 1896 3036 Facqkg32.exe 90 PID 1896 wrote to memory of 2728 1896 Ffpicn32.exe 91 PID 1896 wrote to memory of 2728 1896 Ffpicn32.exe 91 PID 1896 wrote to memory of 2728 1896 Ffpicn32.exe 91 PID 2728 wrote to memory of 1112 2728 Fmjaphek.exe 92 PID 2728 wrote to memory of 1112 2728 Fmjaphek.exe 92 PID 2728 wrote to memory of 1112 2728 Fmjaphek.exe 92 PID 1112 wrote to memory of 3764 1112 Fdcjlb32.exe 93 PID 1112 wrote to memory of 3764 1112 Fdcjlb32.exe 93 PID 1112 wrote to memory of 3764 1112 Fdcjlb32.exe 93 PID 3764 wrote to memory of 2228 3764 Fipbdikp.exe 94 PID 3764 wrote to memory of 2228 3764 Fipbdikp.exe 94 PID 3764 wrote to memory of 2228 3764 Fipbdikp.exe 94 PID 2228 wrote to memory of 956 2228 Fdffbake.exe 95 PID 2228 wrote to memory of 956 2228 Fdffbake.exe 95 PID 2228 wrote to memory of 956 2228 Fdffbake.exe 95 PID 956 wrote to memory of 2192 956 Fkpool32.exe 96 PID 956 wrote to memory of 2192 956 Fkpool32.exe 96 PID 956 wrote to memory of 2192 956 Fkpool32.exe 96 PID 2192 wrote to memory of 3696 2192 Fajgkfio.exe 97 PID 2192 wrote to memory of 3696 2192 Fajgkfio.exe 97 PID 2192 wrote to memory of 3696 2192 Fajgkfio.exe 97 PID 3696 wrote to memory of 3196 3696 Fhdohp32.exe 98 PID 3696 wrote to memory of 3196 3696 Fhdohp32.exe 98 PID 3696 wrote to memory of 3196 3696 Fhdohp32.exe 98 PID 3196 wrote to memory of 2144 3196 Fmqgpgoc.exe 99 PID 3196 wrote to memory of 2144 3196 Fmqgpgoc.exe 99 PID 3196 wrote to memory of 2144 3196 Fmqgpgoc.exe 99 PID 2144 wrote to memory of 748 2144 Fdkpma32.exe 100 PID 2144 wrote to memory of 748 2144 Fdkpma32.exe 100 PID 2144 wrote to memory of 748 2144 Fdkpma32.exe 100 PID 748 wrote to memory of 2744 748 Ggilil32.exe 101 PID 748 wrote to memory of 2744 748 Ggilil32.exe 101 PID 748 wrote to memory of 2744 748 Ggilil32.exe 101 PID 2744 wrote to memory of 5032 2744 Gmcdffmq.exe 102 PID 2744 wrote to memory of 5032 2744 Gmcdffmq.exe 102 PID 2744 wrote to memory of 5032 2744 Gmcdffmq.exe 102 PID 5032 wrote to memory of 3664 5032 Gkgeoklj.exe 103
Processes
-
C:\Users\Admin\AppData\Local\Temp\770f203f1419ca439c07ee6678c54aaeb9b0ea491c632ec3bcffab7465711736.exe"C:\Users\Admin\AppData\Local\Temp\770f203f1419ca439c07ee6678c54aaeb9b0ea491c632ec3bcffab7465711736.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2152 -
C:\Windows\SysWOW64\Edjgfcec.exeC:\Windows\system32\Edjgfcec.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4504 -
C:\Windows\SysWOW64\Eigonjcj.exeC:\Windows\system32\Eigonjcj.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4732 -
C:\Windows\SysWOW64\Epagkd32.exeC:\Windows\system32\Epagkd32.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:832 -
C:\Windows\SysWOW64\Ehhpla32.exeC:\Windows\system32\Ehhpla32.exe5⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4884 -
C:\Windows\SysWOW64\Emehdh32.exeC:\Windows\system32\Emehdh32.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2672 -
C:\Windows\SysWOW64\Ehjlaaig.exeC:\Windows\system32\Ehjlaaig.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2000 -
C:\Windows\SysWOW64\Fkihnmhj.exeC:\Windows\system32\Fkihnmhj.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4556 -
C:\Windows\SysWOW64\Facqkg32.exeC:\Windows\system32\Facqkg32.exe9⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3036 -
C:\Windows\SysWOW64\Ffpicn32.exeC:\Windows\system32\Ffpicn32.exe10⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1896 -
C:\Windows\SysWOW64\Fmjaphek.exeC:\Windows\system32\Fmjaphek.exe11⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2728 -
C:\Windows\SysWOW64\Fdcjlb32.exeC:\Windows\system32\Fdcjlb32.exe12⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1112 -
C:\Windows\SysWOW64\Fipbdikp.exeC:\Windows\system32\Fipbdikp.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3764 -
C:\Windows\SysWOW64\Fdffbake.exeC:\Windows\system32\Fdffbake.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2228 -
C:\Windows\SysWOW64\Fkpool32.exeC:\Windows\system32\Fkpool32.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:956 -
C:\Windows\SysWOW64\Fajgkfio.exeC:\Windows\system32\Fajgkfio.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2192 -
C:\Windows\SysWOW64\Fhdohp32.exeC:\Windows\system32\Fhdohp32.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3696 -
C:\Windows\SysWOW64\Fmqgpgoc.exeC:\Windows\system32\Fmqgpgoc.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3196 -
C:\Windows\SysWOW64\Fdkpma32.exeC:\Windows\system32\Fdkpma32.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2144 -
C:\Windows\SysWOW64\Ggilil32.exeC:\Windows\system32\Ggilil32.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:748 -
C:\Windows\SysWOW64\Gmcdffmq.exeC:\Windows\system32\Gmcdffmq.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2744 -
C:\Windows\SysWOW64\Gkgeoklj.exeC:\Windows\system32\Gkgeoklj.exe22⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5032 -
C:\Windows\SysWOW64\Gaamlecg.exeC:\Windows\system32\Gaamlecg.exe23⤵
- Executes dropped EXE
PID:3664 -
C:\Windows\SysWOW64\Ggnedlao.exeC:\Windows\system32\Ggnedlao.exe24⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4488 -
C:\Windows\SysWOW64\Gacjadad.exeC:\Windows\system32\Gacjadad.exe25⤵
- Executes dropped EXE
PID:1592 -
C:\Windows\SysWOW64\Gklnjj32.exeC:\Windows\system32\Gklnjj32.exe26⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1304 -
C:\Windows\SysWOW64\Gphgbafl.exeC:\Windows\system32\Gphgbafl.exe27⤵
- Executes dropped EXE
PID:2852 -
C:\Windows\SysWOW64\Giqkkf32.exeC:\Windows\system32\Giqkkf32.exe28⤵
- Executes dropped EXE
PID:4492 -
C:\Windows\SysWOW64\Hhbkinel.exeC:\Windows\system32\Hhbkinel.exe29⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:5012 -
C:\Windows\SysWOW64\Hpmpnp32.exeC:\Windows\system32\Hpmpnp32.exe30⤵
- Executes dropped EXE
PID:1364 -
C:\Windows\SysWOW64\Hgghjjid.exeC:\Windows\system32\Hgghjjid.exe31⤵
- Executes dropped EXE
PID:1948 -
C:\Windows\SysWOW64\Hammhcij.exeC:\Windows\system32\Hammhcij.exe32⤵
- Executes dropped EXE
PID:2284 -
C:\Windows\SysWOW64\Hhfedm32.exeC:\Windows\system32\Hhfedm32.exe33⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4948 -
C:\Windows\SysWOW64\Hjhalefe.exeC:\Windows\system32\Hjhalefe.exe34⤵
- Executes dropped EXE
PID:5108 -
C:\Windows\SysWOW64\Hglaej32.exeC:\Windows\system32\Hglaej32.exe35⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4052 -
C:\Windows\SysWOW64\Haafcb32.exeC:\Windows\system32\Haafcb32.exe36⤵
- Executes dropped EXE
PID:3560 -
C:\Windows\SysWOW64\Hhknpmma.exeC:\Windows\system32\Hhknpmma.exe37⤵
- Executes dropped EXE
PID:3544 -
C:\Windows\SysWOW64\Hacbhb32.exeC:\Windows\system32\Hacbhb32.exe38⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1244 -
C:\Windows\SysWOW64\Ijogmdqm.exeC:\Windows\system32\Ijogmdqm.exe39⤵
- Executes dropped EXE
PID:4788 -
C:\Windows\SysWOW64\Ihphkl32.exeC:\Windows\system32\Ihphkl32.exe40⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:4908 -
C:\Windows\SysWOW64\Ihbdplfi.exeC:\Windows\system32\Ihbdplfi.exe41⤵
- Executes dropped EXE
PID:3796 -
C:\Windows\SysWOW64\Ikqqlgem.exeC:\Windows\system32\Ikqqlgem.exe42⤵
- Executes dropped EXE
PID:632 -
C:\Windows\SysWOW64\Iakiia32.exeC:\Windows\system32\Iakiia32.exe43⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1196 -
C:\Windows\SysWOW64\Iggaah32.exeC:\Windows\system32\Iggaah32.exe44⤵
- Executes dropped EXE
PID:2912 -
C:\Windows\SysWOW64\Ibmeoq32.exeC:\Windows\system32\Ibmeoq32.exe45⤵
- Executes dropped EXE
PID:1724 -
C:\Windows\SysWOW64\Ijhjcchb.exeC:\Windows\system32\Ijhjcchb.exe46⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4188 -
C:\Windows\SysWOW64\Jhijqj32.exeC:\Windows\system32\Jhijqj32.exe47⤵
- Executes dropped EXE
- Modifies registry class
PID:4936 -
C:\Windows\SysWOW64\Jbaojpgb.exeC:\Windows\system32\Jbaojpgb.exe48⤵
- Executes dropped EXE
PID:3064 -
C:\Windows\SysWOW64\Jjmcnbdm.exeC:\Windows\system32\Jjmcnbdm.exe49⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2052 -
C:\Windows\SysWOW64\Jqglkmlj.exeC:\Windows\system32\Jqglkmlj.exe50⤵
- Executes dropped EXE
PID:4296 -
C:\Windows\SysWOW64\Jklphekp.exeC:\Windows\system32\Jklphekp.exe51⤵
- Executes dropped EXE
- Modifies registry class
PID:1668 -
C:\Windows\SysWOW64\Jnkldqkc.exeC:\Windows\system32\Jnkldqkc.exe52⤵
- Executes dropped EXE
PID:4968 -
C:\Windows\SysWOW64\Jdedak32.exeC:\Windows\system32\Jdedak32.exe53⤵
- Executes dropped EXE
PID:3536 -
C:\Windows\SysWOW64\Jkomneim.exeC:\Windows\system32\Jkomneim.exe54⤵
- Executes dropped EXE
PID:1712 -
C:\Windows\SysWOW64\Jjamia32.exeC:\Windows\system32\Jjamia32.exe55⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3420 -
C:\Windows\SysWOW64\Jbiejoaj.exeC:\Windows\system32\Jbiejoaj.exe56⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2716 -
C:\Windows\SysWOW64\Jgenbfoa.exeC:\Windows\system32\Jgenbfoa.exe57⤵
- Executes dropped EXE
PID:3032 -
C:\Windows\SysWOW64\Jjdjoane.exeC:\Windows\system32\Jjdjoane.exe58⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:856 -
C:\Windows\SysWOW64\Kqnbkl32.exeC:\Windows\system32\Kqnbkl32.exe59⤵
- Executes dropped EXE
PID:3424 -
C:\Windows\SysWOW64\Kghjhemo.exeC:\Windows\system32\Kghjhemo.exe60⤵
- Executes dropped EXE
PID:1192 -
C:\Windows\SysWOW64\Kjffdalb.exeC:\Windows\system32\Kjffdalb.exe61⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3128 -
C:\Windows\SysWOW64\Kqpoakco.exeC:\Windows\system32\Kqpoakco.exe62⤵
- Executes dropped EXE
PID:1900 -
C:\Windows\SysWOW64\Kelkaj32.exeC:\Windows\system32\Kelkaj32.exe63⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:620 -
C:\Windows\SysWOW64\Kgjgne32.exeC:\Windows\system32\Kgjgne32.exe64⤵
- Executes dropped EXE
PID:3232 -
C:\Windows\SysWOW64\Kndojobi.exeC:\Windows\system32\Kndojobi.exe65⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2956 -
C:\Windows\SysWOW64\Knflpoqf.exeC:\Windows\system32\Knflpoqf.exe66⤵PID:4200
-
C:\Windows\SysWOW64\Kniieo32.exeC:\Windows\system32\Kniieo32.exe67⤵PID:1704
-
C:\Windows\SysWOW64\Kinmcg32.exeC:\Windows\system32\Kinmcg32.exe68⤵PID:428
-
C:\Windows\SysWOW64\Lbgalmej.exeC:\Windows\system32\Lbgalmej.exe69⤵PID:4528
-
C:\Windows\SysWOW64\Lgcjdd32.exeC:\Windows\system32\Lgcjdd32.exe70⤵PID:4900
-
C:\Windows\SysWOW64\Licfngjd.exeC:\Windows\system32\Licfngjd.exe71⤵PID:4036
-
C:\Windows\SysWOW64\Lnpofnhk.exeC:\Windows\system32\Lnpofnhk.exe72⤵PID:4724
-
C:\Windows\SysWOW64\Lieccf32.exeC:\Windows\system32\Lieccf32.exe73⤵PID:4104
-
C:\Windows\SysWOW64\Lbngllob.exeC:\Windows\system32\Lbngllob.exe74⤵PID:4420
-
C:\Windows\SysWOW64\Lihpif32.exeC:\Windows\system32\Lihpif32.exe75⤵PID:3812
-
C:\Windows\SysWOW64\Lndham32.exeC:\Windows\system32\Lndham32.exe76⤵PID:3436
-
C:\Windows\SysWOW64\Lijlof32.exeC:\Windows\system32\Lijlof32.exe77⤵PID:4544
-
C:\Windows\SysWOW64\Llhikacp.exeC:\Windows\system32\Llhikacp.exe78⤵PID:3580
-
C:\Windows\SysWOW64\Mbbagk32.exeC:\Windows\system32\Mbbagk32.exe79⤵
- Modifies registry class
PID:3908 -
C:\Windows\SysWOW64\Mbenmk32.exeC:\Windows\system32\Mbenmk32.exe80⤵PID:2204
-
C:\Windows\SysWOW64\Mlmbfqoj.exeC:\Windows\system32\Mlmbfqoj.exe81⤵PID:684
-
C:\Windows\SysWOW64\Majjng32.exeC:\Windows\system32\Majjng32.exe82⤵PID:3928
-
C:\Windows\SysWOW64\Mlpokp32.exeC:\Windows\system32\Mlpokp32.exe83⤵PID:4932
-
C:\Windows\SysWOW64\Mehcdfch.exeC:\Windows\system32\Mehcdfch.exe84⤵PID:2676
-
C:\Windows\SysWOW64\Mjellmbp.exeC:\Windows\system32\Mjellmbp.exe85⤵
- Drops file in System32 directory
PID:4128 -
C:\Windows\SysWOW64\Mifljdjo.exeC:\Windows\system32\Mifljdjo.exe86⤵
- System Location Discovery: System Language Discovery
PID:3400 -
C:\Windows\SysWOW64\Nobdbkhf.exeC:\Windows\system32\Nobdbkhf.exe87⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3484 -
C:\Windows\SysWOW64\Nbqmiinl.exeC:\Windows\system32\Nbqmiinl.exe88⤵PID:1000
-
C:\Windows\SysWOW64\Nliaao32.exeC:\Windows\system32\Nliaao32.exe89⤵PID:60
-
C:\Windows\SysWOW64\Nognnj32.exeC:\Windows\system32\Nognnj32.exe90⤵PID:1952
-
C:\Windows\SysWOW64\Nbcjnilj.exeC:\Windows\system32\Nbcjnilj.exe91⤵PID:4636
-
C:\Windows\SysWOW64\Nlkngo32.exeC:\Windows\system32\Nlkngo32.exe92⤵
- System Location Discovery: System Language Discovery
PID:536 -
C:\Windows\SysWOW64\Neccpd32.exeC:\Windows\system32\Neccpd32.exe93⤵PID:216
-
C:\Windows\SysWOW64\Nhbolp32.exeC:\Windows\system32\Nhbolp32.exe94⤵
- Modifies registry class
PID:2348 -
C:\Windows\SysWOW64\Nefped32.exeC:\Windows\system32\Nefped32.exe95⤵PID:4312
-
C:\Windows\SysWOW64\Objpoh32.exeC:\Windows\system32\Objpoh32.exe96⤵PID:4192
-
C:\Windows\SysWOW64\Okedcjcm.exeC:\Windows\system32\Okedcjcm.exe97⤵PID:116
-
C:\Windows\SysWOW64\Oblmdhdo.exeC:\Windows\system32\Oblmdhdo.exe98⤵PID:4648
-
C:\Windows\SysWOW64\Oaompd32.exeC:\Windows\system32\Oaompd32.exe99⤵
- System Location Discovery: System Language Discovery
PID:4692 -
C:\Windows\SysWOW64\Okgaijaj.exeC:\Windows\system32\Okgaijaj.exe100⤵PID:3972
-
C:\Windows\SysWOW64\Olgncmim.exeC:\Windows\system32\Olgncmim.exe101⤵PID:3412
-
C:\Windows\SysWOW64\Oadfkdgd.exeC:\Windows\system32\Oadfkdgd.exe102⤵PID:2712
-
C:\Windows\SysWOW64\Ohnohn32.exeC:\Windows\system32\Ohnohn32.exe103⤵PID:4536
-
C:\Windows\SysWOW64\Oklkdi32.exeC:\Windows\system32\Oklkdi32.exe104⤵PID:4588
-
C:\Windows\SysWOW64\Oeaoab32.exeC:\Windows\system32\Oeaoab32.exe105⤵PID:3404
-
C:\Windows\SysWOW64\Oimkbaed.exeC:\Windows\system32\Oimkbaed.exe106⤵PID:1028
-
C:\Windows\SysWOW64\Pcepkfld.exeC:\Windows\system32\Pcepkfld.exe107⤵PID:912
-
C:\Windows\SysWOW64\Phbhcmjl.exeC:\Windows\system32\Phbhcmjl.exe108⤵PID:4976
-
C:\Windows\SysWOW64\Polppg32.exeC:\Windows\system32\Polppg32.exe109⤵PID:4960
-
C:\Windows\SysWOW64\Pakllc32.exeC:\Windows\system32\Pakllc32.exe110⤵PID:3136
-
C:\Windows\SysWOW64\Pibdmp32.exeC:\Windows\system32\Pibdmp32.exe111⤵PID:4916
-
C:\Windows\SysWOW64\Peieba32.exeC:\Windows\system32\Peieba32.exe112⤵
- Drops file in System32 directory
PID:3680 -
C:\Windows\SysWOW64\Poajkgnc.exeC:\Windows\system32\Poajkgnc.exe113⤵PID:5016
-
C:\Windows\SysWOW64\Papfgbmg.exeC:\Windows\system32\Papfgbmg.exe114⤵PID:4652
-
C:\Windows\SysWOW64\Pifnhpmi.exeC:\Windows\system32\Pifnhpmi.exe115⤵PID:3852
-
C:\Windows\SysWOW64\Pkhjph32.exeC:\Windows\system32\Pkhjph32.exe116⤵PID:3100
-
C:\Windows\SysWOW64\Pcobaedj.exeC:\Windows\system32\Pcobaedj.exe117⤵PID:4284
-
C:\Windows\SysWOW64\Qofcff32.exeC:\Windows\system32\Qofcff32.exe118⤵PID:2108
-
C:\Windows\SysWOW64\Qhngolpo.exeC:\Windows\system32\Qhngolpo.exe119⤵PID:2808
-
C:\Windows\SysWOW64\Qebhhp32.exeC:\Windows\system32\Qebhhp32.exe120⤵PID:4980
-
C:\Windows\SysWOW64\Aaiimadl.exeC:\Windows\system32\Aaiimadl.exe121⤵PID:5128
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-