Analysis
max time kernel: 77s
max time network: 127s
platform: windows7_x64
resource: win7-20241010-en
resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
submitted: 22-11-2024 01:30

Static task: static1

Behavioral task: behavioral1
Sample: 85546d08114f624af0be649d4e494f0cbc5bb9a7e2e6126cc6b43fc559c8b874.exe
Resource: win7-20241010-en

Behavioral task: behavioral2
Sample: 85546d08114f624af0be649d4e494f0cbc5bb9a7e2e6126cc6b43fc559c8b874.exe
Resource: win10v2004-20241007-en

General
Target: 85546d08114f624af0be649d4e494f0cbc5bb9a7e2e6126cc6b43fc559c8b874.exe
Size: 960KB
MD5: db52a3c744573d1bf24007bed5be57cc
SHA1: e90bb8d7ebe0f759467dd30c41edd97697cdd4f2
SHA256: 85546d08114f624af0be649d4e494f0cbc5bb9a7e2e6126cc6b43fc559c8b874
SHA512: bbdf75b557aae5277e8ceb1e63eea53757fc729076cb1f939d82cda9c1a201849ba36fc4b5d02ed5374938624878362384e0ca0bb38fb9abf53442c37e1977a0
SSDEEP: 6144:WX5wSdLwib/4rQD85k/OQO+zrWnAdqjsqwHlGrh/tObQO+zrWnAdb:670rQg5Z/+zrWAIAqWim/+zrWAJ
Malware Config
Signatures
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
Executes dropped EXE 64 IoCs
Loads dropped DLL 64 IoCs
Drops file in System32 directory 64 IoCs
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host in order to infer its geographical location.
Modifies registry class 64 IoCs
\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ameaio32.dll" Pidfdofi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Glffke32.dll" Dpeiligo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ecogodlk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mlmoilni.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Njhhcpnk.dll" Ogmkne32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Oipcnieb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jndjmifj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oamcoejo.dll" Ddppmclb.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes: 85546d08114f624af0be649d4e494f0cbc5bb9a7e2e6126cc6b43fc559c8b874.exe, Dklddhka.exe, Dmmmfc32.exe, Eoepnk32.exe, Fmkilb32.exe, Gbadjg32.exe, Hqfaldbo.exe, Hpphhp32.exe, Idkpganf.exe, Jpigma32.exe, Llbqfe32.exe, Ldpbpgoh.exe, Nnmlcp32.exe, Nidmfh32.exe, Piicpk32.exe, Pepcelel.exe
description | pid | Process | procid_target
PID 2356 wrote to memory of 2536 | 2356 | 85546d08114f624af0be649d4e494f0cbc5bb9a7e2e6126cc6b43fc559c8b874.exe | 30
PID 2356 wrote to memory of 2536 | 2356 | 85546d08114f624af0be649d4e494f0cbc5bb9a7e2e6126cc6b43fc559c8b874.exe | 30
PID 2356 wrote to memory of 2536 | 2356 | 85546d08114f624af0be649d4e494f0cbc5bb9a7e2e6126cc6b43fc559c8b874.exe | 30
PID 2356 wrote to memory of 2536 | 2356 | 85546d08114f624af0be649d4e494f0cbc5bb9a7e2e6126cc6b43fc559c8b874.exe | 30
PID 2536 wrote to memory of 2836 | 2536 | Dklddhka.exe | 31
PID 2536 wrote to memory of 2836 | 2536 | Dklddhka.exe | 31
PID 2536 wrote to memory of 2836 | 2536 | Dklddhka.exe | 31
PID 2536 wrote to memory of 2836 | 2536 | Dklddhka.exe | 31
PID 2836 wrote to memory of 1976 | 2836 | Dmmmfc32.exe | 32
PID 2836 wrote to memory of 1976 | 2836 | Dmmmfc32.exe | 32
PID 2836 wrote to memory of 1976 | 2836 | Dmmmfc32.exe | 32
PID 2836 wrote to memory of 1976 | 2836 | Dmmmfc32.exe | 32
PID 1976 wrote to memory of 2188 | 1976 | Eoepnk32.exe | 33
PID 1976 wrote to memory of 2188 | 1976 | Eoepnk32.exe | 33
PID 1976 wrote to memory of 2188 | 1976 | Eoepnk32.exe | 33
PID 1976 wrote to memory of 2188 | 1976 | Eoepnk32.exe | 33
PID 2188 wrote to memory of 2776 | 2188 | Fmkilb32.exe | 34
PID 2188 wrote to memory of 2776 | 2188 | Fmkilb32.exe | 34
PID 2188 wrote to memory of 2776 | 2188 | Fmkilb32.exe | 34
PID 2188 wrote to memory of 2776 | 2188 | Fmkilb32.exe | 34
PID 2776 wrote to memory of 2740 | 2776 | Gbadjg32.exe | 35
PID 2776 wrote to memory of 2740 | 2776 | Gbadjg32.exe | 35
PID 2776 wrote to memory of 2740 | 2776 | Gbadjg32.exe | 35
PID 2776 wrote to memory of 2740 | 2776 | Gbadjg32.exe | 35
PID 2740 wrote to memory of 2652 | 2740 | Hqfaldbo.exe | 36
PID 2740 wrote to memory of 2652 | 2740 | Hqfaldbo.exe | 36
PID 2740 wrote to memory of 2652 | 2740 | Hqfaldbo.exe | 36
PID 2740 wrote to memory of 2652 | 2740 | Hqfaldbo.exe | 36
PID 2652 wrote to memory of 1676 | 2652 | Hpphhp32.exe | 37
PID 2652 wrote to memory of 1676 | 2652 | Hpphhp32.exe | 37
PID 2652 wrote to memory of 1676 | 2652 | Hpphhp32.exe | 37
PID 2652 wrote to memory of 1676 | 2652 | Hpphhp32.exe | 37
PID 1676 wrote to memory of 1700 | 1676 | Idkpganf.exe | 38
PID 1676 wrote to memory of 1700 | 1676 | Idkpganf.exe | 38
PID 1676 wrote to memory of 1700 | 1676 | Idkpganf.exe | 38
PID 1676 wrote to memory of 1700 | 1676 | Idkpganf.exe | 38
PID 1700 wrote to memory of 1152 | 1700 | Jpigma32.exe | 39
PID 1700 wrote to memory of 1152 | 1700 | Jpigma32.exe | 39
PID 1700 wrote to memory of 1152 | 1700 | Jpigma32.exe | 39
PID 1700 wrote to memory of 1152 | 1700 | Jpigma32.exe | 39
PID 1152 wrote to memory of 1608 | 1152 | Llbqfe32.exe | 40
PID 1152 wrote to memory of 1608 | 1152 | Llbqfe32.exe | 40
PID 1152 wrote to memory of 1608 | 1152 | Llbqfe32.exe | 40
PID 1152 wrote to memory of 1608 | 1152 | Llbqfe32.exe | 40
PID 1608 wrote to memory of 1148 | 1608 | Ldpbpgoh.exe | 41
PID 1608 wrote to memory of 1148 | 1608 | Ldpbpgoh.exe | 41
PID 1608 wrote to memory of 1148 | 1608 | Ldpbpgoh.exe | 41
PID 1608 wrote to memory of 1148 | 1608 | Ldpbpgoh.exe | 41
PID 1148 wrote to memory of 3052 | 1148 | Nnmlcp32.exe | 42
PID 1148 wrote to memory of 3052 | 1148 | Nnmlcp32.exe | 42
PID 1148 wrote to memory of 3052 | 1148 | Nnmlcp32.exe | 42
PID 1148 wrote to memory of 3052 | 1148 | Nnmlcp32.exe | 42
PID 3052 wrote to memory of 2748 | 3052 | Nidmfh32.exe | 43
PID 3052 wrote to memory of 2748 | 3052 | Nidmfh32.exe | 43
PID 3052 wrote to memory of 2748 | 3052 | Nidmfh32.exe | 43
PID 3052 wrote to memory of 2748 | 3052 | Nidmfh32.exe | 43
PID 2748 wrote to memory of 436 | 2748 | Piicpk32.exe | 44
PID 2748 wrote to memory of 436 | 2748 | Piicpk32.exe | 44
PID 2748 wrote to memory of 436 | 2748 | Piicpk32.exe | 44
PID 2748 wrote to memory of 436 | 2748 | Piicpk32.exe | 44
PID 436 wrote to memory of 2544 | 436 | Pepcelel.exe | 45
PID 436 wrote to memory of 2544 | 436 | Pepcelel.exe | 45
PID 436 wrote to memory of 2544 | 436 | Pepcelel.exe | 45
PID 436 wrote to memory of 2544 | 436 | Pepcelel.exe | 45
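The "Modifies registry class" rows above and the "Adds autorun key to be loaded by Explorer.exe on startup" signature on the process tree below describe one technique: a ShellServiceObjectDelayLoad value names a CLSID, and the CLSID's InProcServer32 key points that CLSID at a DLL dropped in SysWow64, so Explorer.exe loads the DLL at logon. The link between the two keys is the GUID. The script below is an added example (my code, not the report's and not the sample's) that parses rows in the report's "<action> <key or key\value = "data"> <process>" layout and joins them on that GUID. It assumes only that layout; the CLSID, DLL paths and process names in the sample input are taken from the rows on this page, while the ShellServiceObjectDelayLoad value name "Example Loader" is a placeholder.

```python
r"""
Added example (not part of the sandbox report): join the report's registry IoC rows
into the persistence chain they implement.

  ...\ShellServiceObjectDelayLoad\<name> = "{CLSID}"            Explorer.exe loads this CLSID at logon
  ...\Classes\...\CLSID\{CLSID}\InProcServer32\(Default) = <dll>  the CLSID resolves to a dropped DLL
  ...\Classes\...\CLSID\{CLSID}\InProcServer32\ThreadingModel     "Apartment": loaded in Explorer's process
"""
from __future__ import annotations
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample input in the report's row layout. CLSID, DLL paths and process
# names come from this report; the value name "Example Loader" is a placeholder.
SAMPLE = r'''
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Example Loader = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hpphhp32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jkopndcb.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dkbnhq32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cdmeekeb.dll" Jaopcbga.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Idnhngnf.dll" Kogffida.exe
'''

# "<action> <path>[ = "<data>"] <process>"; the path may contain spaces (value names can).
ROW_RE = re.compile(
    r'^(?P<action>Set value \([a-z]+\)|Key created)\s+'
    r'(?P<path>\\REGISTRY\\.+?)'
    r'(?:\s+=\s+"(?P<data>[^"]*)")?'
    r'\s+(?P<process>\S+)$'
)
SSODL_KEY = r'\microsoft\windows\currentversion\shellserviceobjectdelayload'
CLSID_SERVER_RE = re.compile(r'\\CLSID\\(\{[0-9A-F-]{36}\})\\InProcServer32$', re.IGNORECASE)


@dataclass
class RegEvent:
    action: str
    key: str
    value: Optional[str]   # None for "Key created"; "" for the (Default) value
    data: Optional[str]
    process: str


def parse_events(text: str) -> list[RegEvent]:
    """Parse report rows into events; a trailing "\\" in the path is the (Default) value."""
    events: list[RegEvent] = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        path = m['path']
        if m['action'] == 'Key created':
            key, value = path, None
        else:
            key, _, value = path.rpartition('\\')
        data = m['data']
        if data is not None:
            data = data.replace('\\\\', '\\')   # the report escapes backslashes inside quoted data
        events.append(RegEvent(m['action'], key, value, data, m['process']))
    return events


@dataclass
class PersistenceChain:
    clsid: str
    ssodl_entries: list[tuple[str, str]] = field(default_factory=list)     # (value name, writer)
    servers: list[tuple[str, str]] = field(default_factory=list)           # (dll path, writer)
    threading_models: list[tuple[str, str]] = field(default_factory=list)  # (model, writer)
    key_creators: list[str] = field(default_factory=list)


def correlate(events: list[RegEvent]) -> dict[str, PersistenceChain]:
    """Group SSODL references and CLSID registrations by GUID, recording which process wrote each."""
    chains: dict[str, PersistenceChain] = {}

    def chain_for(clsid: str) -> PersistenceChain:
        clsid = clsid.upper()
        return chains.setdefault(clsid, PersistenceChain(clsid))

    for ev in events:
        if ev.value is not None and ev.key.lower().endswith(SSODL_KEY) and ev.data:
            chain_for(ev.data).ssodl_entries.append((ev.value, ev.process))
            continue
        m = CLSID_SERVER_RE.search(ev.key)
        if not m:
            continue
        c = chain_for(m.group(1))
        if ev.action == 'Key created':
            c.key_creators.append(ev.process)
        elif ev.value == '':
            c.servers.append((ev.data or '', ev.process))
        elif ev.value.lower() == 'threadingmodel':
            c.threading_models.append((ev.data or '', ev.process))
    return chains


def explorer_loaded_dlls(chains: dict[str, PersistenceChain]) -> list[tuple[str, str]]:
    """(CLSID, DLL) pairs Explorer will load: CLSIDs referenced from SSODL that also got an InProcServer32 path."""
    return [(c.clsid, dll) for c in chains.values() if c.ssodl_entries for dll, _ in c.servers]


EVENTS = parse_events(SAMPLE)
CHAINS = correlate(EVENTS)

if __name__ == '__main__':
    for clsid, dll in explorer_loaded_dlls(CHAINS):
        print(f'Explorer.exe will load {dll} via {clsid}')
```

The same GUID is registered with more than one InProcServer32 path in this report (each copy in the chain rewrites it), so the join returns every DLL the CLSID pointed at during the run rather than a single winner; on a live host only the last write survives, which is the one to pull for analysis.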
Processes
-
(one entry per process; the number in brackets is the nesting depth the report shows, each process spawning the next)
- [1] C:\Users\Admin\AppData\Local\Temp\85546d08114f624af0be649d4e494f0cbc5bb9a7e2e6126cc6b43fc559c8b874.exe | cmdline: "C:\Users\Admin\AppData\Local\Temp\85546d08114f624af0be649d4e494f0cbc5bb9a7e2e6126cc6b43fc559c8b874.exe" | PID 2356
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
- [2] C:\Windows\SysWOW64\Dklddhka.exe | cmdline: C:\Windows\system32\Dklddhka.exe | PID 2536
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
- [3] C:\Windows\SysWOW64\Dmmmfc32.exe | cmdline: C:\Windows\system32\Dmmmfc32.exe | PID 2836
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
- [4] C:\Windows\SysWOW64\Eoepnk32.exe | cmdline: C:\Windows\system32\Eoepnk32.exe | PID 1976
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
- [5] C:\Windows\SysWOW64\Fmkilb32.exe | cmdline: C:\Windows\system32\Fmkilb32.exe | PID 2188
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
- [6] C:\Windows\SysWOW64\Gbadjg32.exe | cmdline: C:\Windows\system32\Gbadjg32.exe | PID 2776
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
- [7] C:\Windows\SysWOW64\Hqfaldbo.exe | cmdline: C:\Windows\system32\Hqfaldbo.exe | PID 2740
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
- [8] C:\Windows\SysWOW64\Hpphhp32.exe | cmdline: C:\Windows\system32\Hpphhp32.exe | PID 2652
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
- [9] C:\Windows\SysWOW64\Idkpganf.exe | cmdline: C:\Windows\system32\Idkpganf.exe | PID 1676
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
- [10] C:\Windows\SysWOW64\Jpigma32.exe | cmdline: C:\Windows\system32\Jpigma32.exe | PID 1700
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
- [11] C:\Windows\SysWOW64\Llbqfe32.exe | cmdline: C:\Windows\system32\Llbqfe32.exe | PID 1152
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
- [12] C:\Windows\SysWOW64\Ldpbpgoh.exe | cmdline: C:\Windows\system32\Ldpbpgoh.exe | PID 1608
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
- [13] C:\Windows\SysWOW64\Nnmlcp32.exe | cmdline: C:\Windows\system32\Nnmlcp32.exe | PID 1148
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
- [14] C:\Windows\SysWOW64\Nidmfh32.exe | cmdline: C:\Windows\system32\Nidmfh32.exe | PID 3052
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
- [15] C:\Windows\SysWOW64\Piicpk32.exe | cmdline: C:\Windows\system32\Piicpk32.exe | PID 2748
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
- [16] C:\Windows\SysWOW64\Pepcelel.exe | cmdline: C:\Windows\system32\Pepcelel.exe | PID 436
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
- [17] C:\Windows\SysWOW64\Pidfdofi.exe | cmdline: C:\Windows\system32\Pidfdofi.exe | PID 2544
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies registry class
- [18] C:\Windows\SysWOW64\Pcljmdmj.exe | cmdline: C:\Windows\system32\Pcljmdmj.exe | PID 960
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
- [19] C:\Windows\SysWOW64\Qppkfhlc.exe | cmdline: C:\Windows\system32\Qppkfhlc.exe | PID 3012
  - Executes dropped EXE
  - Loads dropped DLL
- [20] C:\Windows\SysWOW64\Qiioon32.exe | cmdline: C:\Windows\system32\Qiioon32.exe | PID 1688
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
- [21] C:\Windows\SysWOW64\Qcachc32.exe | cmdline: C:\Windows\system32\Qcachc32.exe | PID 1520
  - Executes dropped EXE
  - Loads dropped DLL
- [22] C:\Windows\SysWOW64\Alihaioe.exe | cmdline: C:\Windows\system32\Alihaioe.exe | PID 2236
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
- [23] C:\Windows\SysWOW64\Aebmjo32.exe | cmdline: C:\Windows\system32\Aebmjo32.exe | PID 2288
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies registry class
- [24] C:\Windows\SysWOW64\Aojabdlf.exe | cmdline: C:\Windows\system32\Aojabdlf.exe | PID 308
  - Executes dropped EXE
  - Loads dropped DLL
- [25] C:\Windows\SysWOW64\Ahbekjcf.exe | cmdline: C:\Windows\system32\Ahbekjcf.exe | PID 2576
  - Executes dropped EXE
  - Loads dropped DLL
- [26] C:\Windows\SysWOW64\Aakjdo32.exe | cmdline: C:\Windows\system32\Aakjdo32.exe | PID 3068
  - Executes dropped EXE
  - Loads dropped DLL
- [27] C:\Windows\SysWOW64\Aoojnc32.exe | cmdline: C:\Windows\system32\Aoojnc32.exe | PID 1564
  - Executes dropped EXE
  - Loads dropped DLL
- [28] C:\Windows\SysWOW64\Ahgofi32.exe | cmdline: C:\Windows\system32\Ahgofi32.exe | PID 832
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
- [29] C:\Windows\SysWOW64\Abpcooea.exe | cmdline: C:\Windows\system32\Abpcooea.exe | PID 2600
  - Executes dropped EXE
  - Loads dropped DLL
- [30] C:\Windows\SysWOW64\Bgllgedi.exe | cmdline: C:\Windows\system32\Bgllgedi.exe | PID 2532
  - Executes dropped EXE
  - Loads dropped DLL
- [31] C:\Windows\SysWOW64\Bccmmf32.exe | cmdline: C:\Windows\system32\Bccmmf32.exe | PID 2028
  - Executes dropped EXE
  - Loads dropped DLL
- [32] C:\Windows\SysWOW64\Bmlael32.exe | cmdline: C:\Windows\system32\Bmlael32.exe | PID 2520
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
- [33] C:\Windows\SysWOW64\Bmnnkl32.exe | cmdline: C:\Windows\system32\Bmnnkl32.exe | PID 2920
  - Executes dropped EXE
- [34] C:\Windows\SysWOW64\Bqlfaj32.exe | cmdline: C:\Windows\system32\Bqlfaj32.exe | PID 2980
  - Executes dropped EXE
- [35] C:\Windows\SysWOW64\Bjdkjpkb.exe | cmdline: C:\Windows\system32\Bjdkjpkb.exe | PID 2220
  - Executes dropped EXE
- [36] C:\Windows\SysWOW64\Coacbfii.exe | cmdline: C:\Windows\system32\Coacbfii.exe | PID 2968
  - Executes dropped EXE
- [37] C:\Windows\SysWOW64\Ciihklpj.exe | cmdline: C:\Windows\system32\Ciihklpj.exe | PID 2676
  - Executes dropped EXE
  - Drops file in System32 directory
- [38] C:\Windows\SysWOW64\Cfmhdpnc.exe | cmdline: C:\Windows\system32\Cfmhdpnc.exe | PID 2724
  - Executes dropped EXE
- [39] C:\Windows\SysWOW64\Cnimiblo.exe | cmdline: C:\Windows\system32\Cnimiblo.exe | PID 1804
  - Executes dropped EXE
- [40] C:\Windows\SysWOW64\Cinafkkd.exe | cmdline: C:\Windows\system32\Cinafkkd.exe | PID 2892
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
- [41] C:\Windows\SysWOW64\Cnkjnb32.exe | cmdline: C:\Windows\system32\Cnkjnb32.exe | PID 1256
  - Executes dropped EXE
- [42] C:\Windows\SysWOW64\Cchbgi32.exe | cmdline: C:\Windows\system32\Cchbgi32.exe | PID 2080
  - Executes dropped EXE
- [43] C:\Windows\SysWOW64\Cegoqlof.exe | cmdline: C:\Windows\system32\Cegoqlof.exe | PID 2000
  - Executes dropped EXE
  - Modifies registry class
- [44] C:\Windows\SysWOW64\Dmbcen32.exe | cmdline: C:\Windows\system32\Dmbcen32.exe | PID 1376
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
- [45] C:\Windows\SysWOW64\Dhhhbg32.exe | cmdline: C:\Windows\system32\Dhhhbg32.exe | PID 3020
  - Executes dropped EXE
- [46] C:\Windows\SysWOW64\Dmepkn32.exe | cmdline: C:\Windows\system32\Dmepkn32.exe | PID 852
  - Executes dropped EXE
  - Drops file in System32 directory
- [47] C:\Windows\SysWOW64\Dbaice32.exe | cmdline: C:\Windows\system32\Dbaice32.exe | PID 2332
  - Executes dropped EXE
- [48] C:\Windows\SysWOW64\Dpeiligo.exe | cmdline: C:\Windows\system32\Dpeiligo.exe | PID 2172
  - Executes dropped EXE
  - Modifies registry class
- [49] C:\Windows\SysWOW64\Ebklic32.exe | cmdline: C:\Windows\system32\Ebklic32.exe | PID 1788
  - Executes dropped EXE
- [50] C:\Windows\SysWOW64\Eaphjp32.exe | cmdline: C:\Windows\system32\Eaphjp32.exe | PID 2624
  - Executes dropped EXE
  - Drops file in System32 directory
- [51] C:\Windows\SysWOW64\Emgioakg.exe | cmdline: C:\Windows\system32\Emgioakg.exe | PID 2140
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
- [52] C:\Windows\SysWOW64\Edcnakpa.exe | cmdline: C:\Windows\system32\Edcnakpa.exe | PID 1504
  - Executes dropped EXE
- [53] C:\Windows\SysWOW64\Fgdgcfmb.exe | cmdline: C:\Windows\system32\Fgdgcfmb.exe | PID 760
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
- [54] C:\Windows\SysWOW64\Flclam32.exe | cmdline: C:\Windows\system32\Flclam32.exe | PID 2300
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
- [55] C:\Windows\SysWOW64\Felajbpg.exe | cmdline: C:\Windows\system32\Felajbpg.exe | PID 2304
  - Executes dropped EXE
- [56] C:\Windows\SysWOW64\Fabaocfl.exe | cmdline: C:\Windows\system32\Fabaocfl.exe | PID 2036
  - Executes dropped EXE
- [57] C:\Windows\SysWOW64\Flhflleb.exe | cmdline: C:\Windows\system32\Flhflleb.exe | PID 2584
  - Executes dropped EXE
- [58] C:\Windows\SysWOW64\Fadndbci.exe | cmdline: C:\Windows\system32\Fadndbci.exe | PID 2508
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
- [59] C:\Windows\SysWOW64\Ggagmjbq.exe | cmdline: C:\Windows\system32\Ggagmjbq.exe | PID 2088
  - Executes dropped EXE
  - Modifies registry class
- [60] C:\Windows\SysWOW64\Gpjkeoha.exe | cmdline: C:\Windows\system32\Gpjkeoha.exe | PID 2496
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
- [61] C:\Windows\SysWOW64\Gqlhkofn.exe | cmdline: C:\Windows\system32\Gqlhkofn.exe | PID 2796
  - Executes dropped EXE
- [62] C:\Windows\SysWOW64\Glchpp32.exe | cmdline: C:\Windows\system32\Glchpp32.exe | PID 2248
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
- [63] C:\Windows\SysWOW64\Gmeeepjp.exe | cmdline: C:\Windows\system32\Gmeeepjp.exe | PID 2680
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
- [64] C:\Windows\SysWOW64\Gmhbkohm.exe | cmdline: C:\Windows\system32\Gmhbkohm.exe | PID 2484
  - Executes dropped EXE
- [65] C:\Windows\SysWOW64\Hkmollme.exe | cmdline: C:\Windows\system32\Hkmollme.exe | PID 2616
  - Executes dropped EXE
- [66] C:\Windows\SysWOW64\Hkolakkb.exe | cmdline: C:\Windows\system32\Hkolakkb.exe | PID 884
- [67] C:\Windows\SysWOW64\Hkahgk32.exe | cmdline: C:\Windows\system32\Hkahgk32.exe | PID 556
- [68] C:\Windows\SysWOW64\Hieiqo32.exe | cmdline: C:\Windows\system32\Hieiqo32.exe | PID 272
- [69] C:\Windows\SysWOW64\Heliepmn.exe | cmdline: C:\Windows\system32\Heliepmn.exe | PID 1656
- [70] C:\Windows\SysWOW64\Icafgmbe.exe | cmdline: C:\Windows\system32\Icafgmbe.exe | PID 2752
- [71] C:\Windows\SysWOW64\Icdcllpc.exe | cmdline: C:\Windows\system32\Icdcllpc.exe | PID 1956
- [72] C:\Windows\SysWOW64\Ipjdameg.exe | cmdline: C:\Windows\system32\Ipjdameg.exe | PID 2888
  - Adds autorun key to be loaded by Explorer.exe on startup
  - System Location Discovery: System Language Discovery
- [73] C:\Windows\SysWOW64\Iladfn32.exe | cmdline: C:\Windows\system32\Iladfn32.exe | PID 2396
- [74] C:\Windows\SysWOW64\Imaapa32.exe | cmdline: C:\Windows\system32\Imaapa32.exe | PID 1124
- [75] C:\Windows\SysWOW64\Jndjmifj.exe | cmdline: C:\Windows\system32\Jndjmifj.exe | PID 2008
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
- [76] C:\Windows\SysWOW64\Jbbccgmp.exe | cmdline: C:\Windows\system32\Jbbccgmp.exe | PID 2556
- [77] C:\Windows\SysWOW64\Joidhh32.exe | cmdline: C:\Windows\system32\Joidhh32.exe | PID 1556
  - Adds autorun key to be loaded by Explorer.exe on startup
- [78] C:\Windows\SysWOW64\Jhahanie.exe | cmdline: C:\Windows\system32\Jhahanie.exe | PID 924
  - Adds autorun key to be loaded by Explorer.exe on startup
- [79] C:\Windows\SysWOW64\Jmnqje32.exe | cmdline: C:\Windows\system32\Jmnqje32.exe | PID 1708
- [80] C:\Windows\SysWOW64\Jhdegn32.exe | cmdline: C:\Windows\system32\Jhdegn32.exe | PID 1740
  - Adds autorun key to be loaded by Explorer.exe on startup
  - System Location Discovery: System Language Discovery
- [81] C:\Windows\SysWOW64\Kalipcmb.exe | cmdline: C:\Windows\system32\Kalipcmb.exe | PID 1576
  - Drops file in System32 directory
- [82] C:\Windows\SysWOW64\Kkdnhi32.exe | cmdline: C:\Windows\system32\Kkdnhi32.exe | PID 1268
  - Adds autorun key to be loaded by Explorer.exe on startup
- [83] C:\Windows\SysWOW64\Kgkonj32.exe | cmdline: C:\Windows\system32\Kgkonj32.exe | PID 1980
- [84] C:\Windows\SysWOW64\Klhgfq32.exe | cmdline: C:\Windows\system32\Klhgfq32.exe | PID 2760
- [85] C:\Windows\SysWOW64\Kgnkci32.exe | cmdline: C:\Windows\system32\Kgnkci32.exe | PID 2156
- [86] C:\Windows\SysWOW64\Kechdf32.exe | cmdline: C:\Windows\system32\Kechdf32.exe | PID 1736
  - Modifies registry class
- [87] C:\Windows\SysWOW64\Kokmmkcm.exe | cmdline: C:\Windows\system32\Kokmmkcm.exe | PID 2668
  - Modifies registry class
- [88] C:\Windows\SysWOW64\Lhcafa32.exe | cmdline: C:\Windows\system32\Lhcafa32.exe | PID 1604
  - Drops file in System32 directory
- [89] C:\Windows\SysWOW64\Lnqjnhge.exe | cmdline: C:\Windows\system32\Lnqjnhge.exe | PID 1020
- [90] C:\Windows\SysWOW64\Lkdjglfo.exe | cmdline: C:\Windows\system32\Lkdjglfo.exe | PID 2720
  - Modifies registry class
- [91] C:\Windows\SysWOW64\Ldmopa32.exe | cmdline: C:\Windows\system32\Ldmopa32.exe | PID 2092
- [92] C:\Windows\SysWOW64\Ljigih32.exe | cmdline: C:\Windows\system32\Ljigih32.exe | PID 1484
  - Drops file in System32 directory
- [93] C:\Windows\SysWOW64\Ldokfakl.exe | cmdline: C:\Windows\system32\Ldokfakl.exe | PID 1028
- [94] C:\Windows\SysWOW64\Ljldnhid.exe | cmdline: C:\Windows\system32\Ljldnhid.exe | PID 1476
  - Modifies registry class
- [95] C:\Windows\SysWOW64\Lgpdglhn.exe | cmdline: C:\Windows\system32\Lgpdglhn.exe | PID 1836
- [96] C:\Windows\SysWOW64\Mphiqbon.exe | cmdline: C:\Windows\system32\Mphiqbon.exe | PID 2904
  - System Location Discovery: System Language Discovery
- [97] C:\Windows\SysWOW64\Mfeaiime.exe | cmdline: C:\Windows\system32\Mfeaiime.exe | PID 1728
- [98] C:\Windows\SysWOW64\Momfan32.exe | cmdline: C:\Windows\system32\Momfan32.exe | PID 1248
- [99] C:\Windows\SysWOW64\Mjcjog32.exe | cmdline: C:\Windows\system32\Mjcjog32.exe | PID 276
- [100] C:\Windows\SysWOW64\Mfjkdh32.exe | cmdline: C:\Windows\system32\Mfjkdh32.exe | PID 1960
- [101] C:\Windows\SysWOW64\Mmccqbpm.exe | cmdline: C:\Windows\system32\Mmccqbpm.exe | PID 2868
  - Adds autorun key to be loaded by Explorer.exe on startup
- [102] C:\Windows\SysWOW64\Mneohj32.exe | cmdline: C:\Windows\system32\Mneohj32.exe | PID 1328
- [103] C:\Windows\SysWOW64\Mgmdapml.exe | cmdline: C:\Windows\system32\Mgmdapml.exe | PID 2916
- [104] C:\Windows\SysWOW64\Mqehjecl.exe | cmdline: C:\Windows\system32\Mqehjecl.exe | PID 3040
- [105] C:\Windows\SysWOW64\Nkkmgncb.exe | cmdline: C:\Windows\system32\Nkkmgncb.exe | PID 3056
- [106] C:\Windows\SysWOW64\Ndcapd32.exe | cmdline: C:\Windows\system32\Ndcapd32.exe | PID 2840
- [107] C:\Windows\SysWOW64\Njpihk32.exe | cmdline: C:\Windows\system32\Njpihk32.exe | PID 2632
- [108] C:\Windows\SysWOW64\Ndfnecgp.exe | cmdline: C:\Windows\system32\Ndfnecgp.exe | PID 1040
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Drops file in System32 directory
- [109] C:\Windows\SysWOW64\Njbfnjeg.exe | cmdline: C:\Windows\system32\Njbfnjeg.exe | PID 1952
  - System Location Discovery: System Language Discovery
- [110] C:\Windows\SysWOW64\Nppofado.exe | cmdline: C:\Windows\system32\Nppofado.exe | PID 2480
- [111] C:\Windows\SysWOW64\Njeccjcd.exe | cmdline: C:\Windows\system32\Njeccjcd.exe | PID 2164
- [112] C:\Windows\SysWOW64\Olbogqoe.exe | cmdline: C:\Windows\system32\Olbogqoe.exe | PID 1692
  - Adds autorun key to be loaded by Explorer.exe on startup
- [113] C:\Windows\SysWOW64\Odmckcmq.exe | cmdline: C:\Windows\system32\Odmckcmq.exe | PID 1392
  - Adds autorun key to be loaded by Explorer.exe on startup
- [114] C:\Windows\SysWOW64\Paaddgkj.exe | cmdline: C:\Windows\system32\Paaddgkj.exe | PID 1144
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Modifies registry class
- [115] C:\Windows\SysWOW64\Pfnmmn32.exe | cmdline: C:\Windows\system32\Pfnmmn32.exe | PID 2504
- [116] C:\Windows\SysWOW64\Pdbmfb32.exe | cmdline: C:\Windows\system32\Pdbmfb32.exe | PID 1732
- [117] C:\Windows\SysWOW64\Plmbkd32.exe | cmdline: C:\Windows\system32\Plmbkd32.exe | PID 2132
- [118] C:\Windows\SysWOW64\Qmhahkdj.exe | cmdline: C:\Windows\system32\Qmhahkdj.exe | PID 2264
- [119] C:\Windows\SysWOW64\Bqmpdioa.exe | cmdline: C:\Windows\system32\Bqmpdioa.exe | PID 2620
- [120] C:\Windows\SysWOW64\Bdkhjgeh.exe | cmdline: C:\Windows\system32\Bdkhjgeh.exe | PID 2516
- [121] C:\Windows\SysWOW64\Cmmcpi32.exe | cmdline: C:\Windows\system32\Cmmcpi32.exe | PID 2004
- [122] C:\Windows\SysWOW64\Cbjlhpkb.exe | cmdline: C:\Windows\system32\Cbjlhpkb.exe | PID 3032
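The WriteProcessMemory table and the process tree above are two views of the same linear chain: every dropped copy in SysWOW64 writes into, and then becomes, the next hop. When a report is exported as text, the tree is usually lost and only the flat rows survive, so the added example below (my code, not the report's) rebuilds the lineage from rows in the report's "PID <writer> wrote to memory of <target> <writer> <image> <procid_target>" layout and reports how many writes each hop logged. The sample rows are constructed from the first three hops on this page; the row layout is the only assumption.

```python
"""
Added example (not part of the sandbox report): rebuild process lineage from the
flattened "Suspicious use of WriteProcessMemory" rows.
"""
from __future__ import annotations
import re
from collections import Counter, defaultdict
from typing import Optional

# Constructed sample: the first three hops of this report's chain, in the report's
# own row layout, with the four rows per hop that the report logs.
SAMPLE_ROWS = """
PID 2356 wrote to memory of 2536 2356 85546d08114f624af0be649d4e494f0cbc5bb9a7e2e6126cc6b43fc559c8b874.exe 30
PID 2356 wrote to memory of 2536 2356 85546d08114f624af0be649d4e494f0cbc5bb9a7e2e6126cc6b43fc559c8b874.exe 30
PID 2356 wrote to memory of 2536 2356 85546d08114f624af0be649d4e494f0cbc5bb9a7e2e6126cc6b43fc559c8b874.exe 30
PID 2356 wrote to memory of 2536 2356 85546d08114f624af0be649d4e494f0cbc5bb9a7e2e6126cc6b43fc559c8b874.exe 30
PID 2536 wrote to memory of 2836 2536 Dklddhka.exe 31
PID 2536 wrote to memory of 2836 2536 Dklddhka.exe 31
PID 2536 wrote to memory of 2836 2536 Dklddhka.exe 31
PID 2536 wrote to memory of 2836 2536 Dklddhka.exe 31
PID 2836 wrote to memory of 1976 2836 Dmmmfc32.exe 32
PID 2836 wrote to memory of 1976 2836 Dmmmfc32.exe 32
PID 2836 wrote to memory of 1976 2836 Dmmmfc32.exe 32
PID 2836 wrote to memory of 1976 2836 Dmmmfc32.exe 32
"""

# The writer PID appears twice per row (in the description and in the pid column);
# the back-reference enforces that they agree.
ROW_RE = re.compile(
    r'PID (?P<writer>\d+) wrote to memory of (?P<target>\d+) (?P=writer) (?P<image>\S+) (?P<procid>\d+)'
)


def parse_rows(text: str) -> list[tuple[int, int, str]]:
    """Return (writer pid, target pid, writer image) for every well-formed row."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.fullmatch(line.strip())
        if m:
            rows.append((int(m['writer']), int(m['target']), m['image']))
    return rows


def build_lineage(rows: list[tuple[int, int, str]]) -> tuple[list[tuple[int, Optional[str]]], Counter]:
    """Walk from the root (a writer that is never a target) down the chain of targets.

    Returns the chain as (pid, image) pairs and a Counter of writes per (writer, target)
    edge. The last hop's image is None: the report only names a process once it writes.
    """
    parent: dict[int, int] = {}
    image: dict[int, str] = {}
    writes: Counter = Counter()
    for writer, target, img in rows:
        parent.setdefault(target, writer)
        image[writer] = img
        writes[(writer, target)] += 1
    children: defaultdict[int, list[int]] = defaultdict(list)
    for target, writer in parent.items():
        children[writer].append(target)
    roots = [pid for pid in image if pid not in parent]
    chain: list[tuple[int, Optional[str]]] = []
    cur: Optional[int] = roots[0] if roots else None
    while cur is not None:
        chain.append((cur, image.get(cur)))
        nxt = children.get(cur, [])
        cur = nxt[0] if nxt else None   # this report's chain is linear; take the first child
    return chain, writes


def writes_per_hop(writes: Counter) -> Optional[int]:
    """The common write count per edge, or None when hops differ (worth a closer look)."""
    counts = set(writes.values())
    return counts.pop() if len(counts) == 1 else None


CHAIN, WRITES = build_lineage(parse_rows(SAMPLE_ROWS))

if __name__ == '__main__':
    for pid, img in CHAIN:
        print(f'{pid:>5}  {img or "(image not yet known)"}')
    print('writes per hop:', writes_per_hop(WRITES))
```

On the full table above this yields the sixteen hops from PID 2356 to PID 2544 with four writes each, which is exactly the "64 IoCs" the signature header counts.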