Analysis
max time kernel: 126s
max time network: 126s
platform: windows7_x64
resource: win7-20241010-en
resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
submitted: 22-11-2024 03:28
Static task: static1
Behavioral task: behavioral1
Sample: b90970049ed84352875b6588d336ffc7fa72c913878eaca119dea6a1eb0b3c52.exe
Resource: win7-20241010-en
Behavioral task: behavioral2
Sample: b90970049ed84352875b6588d336ffc7fa72c913878eaca119dea6a1eb0b3c52.exe
Resource: win10v2004-20241007-en
General
Target: b90970049ed84352875b6588d336ffc7fa72c913878eaca119dea6a1eb0b3c52.exe
Size: 320KB
MD5: 7d5356ac62f75297dee9e9f6c0749c88
SHA1: 970fbaccc8db9f2ad210413a41c41e4385a8681f
SHA256: b90970049ed84352875b6588d336ffc7fa72c913878eaca119dea6a1eb0b3c52
SHA512: d9d5068919786ee694297777e2f8fa6a576dc589d4ee07a53e7db7ee82de30943e13f4c8139304eef6d18542e7c26fec2747def49ecca1e8c885c184f7f77141
SSDEEP: 3072:o/HsprsRNgA6IsY6U4wS/A4MK0FzJG/AMBxjUSmkCMQ/9h/NR5f0m:o/Hsp7/h64V/Ah1G/AcQ///NR5fn
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
Executes dropped EXE 64 IoCs
Loads dropped DLL 64 IoCs
Drops file in System32 directory 64 IoCs
Program crash 1 IoCs
pid pid_target Process procid_target: 1532 2692 1615
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Modifies registry class 64 IoCs
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
b90970049ed84352875b6588d336ffc7fa72c913878eaca119dea6a1eb0b3c52.exe, Eiilge32.exe, Fipbhd32.exe, Fjaoplho.exe, Gdcfoq32.exe, Glpgibbn.exe, Ghghnc32.exe, Hnmcli32.exe, Hlbpme32.exe, Ifbkgj32.exe, Ihbdhepp.exe, Joebccpp.exe, Jcckibfg.exe, Kjmoeo32.exe, Lhapocoi.exe, Lbkaoalg.exe
description / pid / Process / procid_target
PID 2880 wrote to memory of 2820 / 2880 / b90970049ed84352875b6588d336ffc7fa72c913878eaca119dea6a1eb0b3c52.exe / 30
PID 2880 wrote to memory of 2820 / 2880 / b90970049ed84352875b6588d336ffc7fa72c913878eaca119dea6a1eb0b3c52.exe / 30
PID 2880 wrote to memory of 2820 / 2880 / b90970049ed84352875b6588d336ffc7fa72c913878eaca119dea6a1eb0b3c52.exe / 30
PID 2880 wrote to memory of 2820 / 2880 / b90970049ed84352875b6588d336ffc7fa72c913878eaca119dea6a1eb0b3c52.exe / 30
PID 2820 wrote to memory of 2112 / 2820 / Eiilge32.exe / 31
PID 2820 wrote to memory of 2112 / 2820 / Eiilge32.exe / 31
PID 2820 wrote to memory of 2112 / 2820 / Eiilge32.exe / 31
PID 2820 wrote to memory of 2112 / 2820 / Eiilge32.exe / 31
PID 2112 wrote to memory of 2712 / 2112 / Fipbhd32.exe / 32
PID 2112 wrote to memory of 2712 / 2112 / Fipbhd32.exe / 32
PID 2112 wrote to memory of 2712 / 2112 / Fipbhd32.exe / 32
PID 2112 wrote to memory of 2712 / 2112 / Fipbhd32.exe / 32
PID 2712 wrote to memory of 1276 / 2712 / Fjaoplho.exe / 33
PID 2712 wrote to memory of 1276 / 2712 / Fjaoplho.exe / 33
PID 2712 wrote to memory of 1276 / 2712 / Fjaoplho.exe / 33
PID 2712 wrote to memory of 1276 / 2712 / Fjaoplho.exe / 33
PID 1276 wrote to memory of 3020 / 1276 / Gdcfoq32.exe / 34
PID 1276 wrote to memory of 3020 / 1276 / Gdcfoq32.exe / 34
PID 1276 wrote to memory of 3020 / 1276 / Gdcfoq32.exe / 34
PID 1276 wrote to memory of 3020 / 1276 / Gdcfoq32.exe / 34
PID 3020 wrote to memory of 2116 / 3020 / Glpgibbn.exe / 35
PID 3020 wrote to memory of 2116 / 3020 / Glpgibbn.exe / 35
PID 3020 wrote to memory of 2116 / 3020 / Glpgibbn.exe / 35
PID 3020 wrote to memory of 2116 / 3020 / Glpgibbn.exe / 35
PID 2116 wrote to memory of 2564 / 2116 / Ghghnc32.exe / 36
PID 2116 wrote to memory of 2564 / 2116 / Ghghnc32.exe / 36
PID 2116 wrote to memory of 2564 / 2116 / Ghghnc32.exe / 36
PID 2116 wrote to memory of 2564 / 2116 / Ghghnc32.exe / 36
PID 2564 wrote to memory of 2188 / 2564 / Hnmcli32.exe / 37
PID 2564 wrote to memory of 2188 / 2564 / Hnmcli32.exe / 37
PID 2564 wrote to memory of 2188 / 2564 / Hnmcli32.exe / 37
PID 2564 wrote to memory of 2188 / 2564 / Hnmcli32.exe / 37
PID 2188 wrote to memory of 2396 / 2188 / Hlbpme32.exe / 38
PID 2188 wrote to memory of 2396 / 2188 / Hlbpme32.exe / 38
PID 2188 wrote to memory of 2396 / 2188 / Hlbpme32.exe / 38
PID 2188 wrote to memory of 2396 / 2188 / Hlbpme32.exe / 38
PID 2396 wrote to memory of 3060 / 2396 / Ifbkgj32.exe / 39
PID 2396 wrote to memory of 3060 / 2396 / Ifbkgj32.exe / 39
PID 2396 wrote to memory of 3060 / 2396 / Ifbkgj32.exe / 39
PID 2396 wrote to memory of 3060 / 2396 / Ifbkgj32.exe / 39
PID 3060 wrote to memory of 2452 / 3060 / Ihbdhepp.exe / 40
PID 3060 wrote to memory of 2452 / 3060 / Ihbdhepp.exe / 40
PID 3060 wrote to memory of 2452 / 3060 / Ihbdhepp.exe / 40
PID 3060 wrote to memory of 2452 / 3060 / Ihbdhepp.exe / 40
PID 2452 wrote to memory of 1508 / 2452 / Joebccpp.exe / 41
PID 2452 wrote to memory of 1508 / 2452 / Joebccpp.exe / 41
PID 2452 wrote to memory of 1508 / 2452 / Joebccpp.exe / 41
PID 2452 wrote to memory of 1508 / 2452 / Joebccpp.exe / 41
PID 1508 wrote to memory of 2384 / 1508 / Jcckibfg.exe / 42
PID 1508 wrote to memory of 2384 / 1508 / Jcckibfg.exe / 42
PID 1508 wrote to memory of 2384 / 1508 / Jcckibfg.exe / 42
PID 1508 wrote to memory of 2384 / 1508 / Jcckibfg.exe / 42
PID 2384 wrote to memory of 1440 / 2384 / Kjmoeo32.exe / 43
PID 2384 wrote to memory of 1440 / 2384 / Kjmoeo32.exe / 43
PID 2384 wrote to memory of 1440 / 2384 / Kjmoeo32.exe / 43
PID 2384 wrote to memory of 1440 / 2384 / Kjmoeo32.exe / 43
PID 1440 wrote to memory of 1720 / 1440 / Lhapocoi.exe / 44
PID 1440 wrote to memory of 1720 / 1440 / Lhapocoi.exe / 44
PID 1440 wrote to memory of 1720 / 1440 / Lhapocoi.exe / 44
PID 1440 wrote to memory of 1720 / 1440 / Lhapocoi.exe / 44
PID 1720 wrote to memory of 2616 / 1720 / Lbkaoalg.exe / 45
PID 1720 wrote to memory of 2616 / 1720 / Lbkaoalg.exe / 45
PID 1720 wrote to memory of 2616 / 1720 / Lbkaoalg.exe / 45
PID 1720 wrote to memory of 2616 / 1720 / Lbkaoalg.exe / 45
Processes
1. C:\Users\Admin\AppData\Local\Temp\b90970049ed84352875b6588d336ffc7fa72c913878eaca119dea6a1eb0b3c52.exe, command line "C:\Users\Admin\AppData\Local\Temp\b90970049ed84352875b6588d336ffc7fa72c913878eaca119dea6a1eb0b3c52.exe"
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
   PID: 2880
2. C:\Windows\SysWOW64\Eiilge32.exe, command line C:\Windows\system32\Eiilge32.exe
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
   PID: 2820
3. C:\Windows\SysWOW64\Fipbhd32.exe, command line C:\Windows\system32\Fipbhd32.exe
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
   PID: 2112
4. C:\Windows\SysWOW64\Fjaoplho.exe, command line C:\Windows\system32\Fjaoplho.exe
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
   PID: 2712
5. C:\Windows\SysWOW64\Gdcfoq32.exe, command line C:\Windows\system32\Gdcfoq32.exe
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
   PID: 1276
6. C:\Windows\SysWOW64\Glpgibbn.exe, command line C:\Windows\system32\Glpgibbn.exe
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
   PID: 3020
7. C:\Windows\SysWOW64\Ghghnc32.exe, command line C:\Windows\system32\Ghghnc32.exe
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
   PID: 2116
8. C:\Windows\SysWOW64\Hnmcli32.exe, command line C:\Windows\system32\Hnmcli32.exe
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
   PID: 2564
9. C:\Windows\SysWOW64\Hlbpme32.exe, command line C:\Windows\system32\Hlbpme32.exe
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
   PID: 2188
10. C:\Windows\SysWOW64\Ifbkgj32.exe, command line C:\Windows\system32\Ifbkgj32.exe
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
   PID: 2396
11. C:\Windows\SysWOW64\Ihbdhepp.exe, command line C:\Windows\system32\Ihbdhepp.exe
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
   PID: 3060
12. C:\Windows\SysWOW64\Joebccpp.exe, command line C:\Windows\system32\Joebccpp.exe
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
   PID: 2452
13. C:\Windows\SysWOW64\Jcckibfg.exe, command line C:\Windows\system32\Jcckibfg.exe
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
   PID: 1508
14. C:\Windows\SysWOW64\Kjmoeo32.exe, command line C:\Windows\system32\Kjmoeo32.exe
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
   PID: 2384
15. C:\Windows\SysWOW64\Lhapocoi.exe, command line C:\Windows\system32\Lhapocoi.exe
   - Executes dropped EXE
   - Loads dropped DLL
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory
   PID: 1440
16. C:\Windows\SysWOW64\Lbkaoalg.exe, command line C:\Windows\system32\Lbkaoalg.exe
   - Executes dropped EXE
   - Loads dropped DLL
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory
   PID: 1720
17. C:\Windows\SysWOW64\Mohhea32.exe, command line C:\Windows\system32\Mohhea32.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
   - Loads dropped DLL
   - System Location Discovery: System Language Discovery
   PID: 2616
18. C:\Windows\SysWOW64\Mdoccg32.exe, command line C:\Windows\system32\Mdoccg32.exe
   - Executes dropped EXE
   - Loads dropped DLL
   PID: 2620
19. C:\Windows\SysWOW64\Nipefmkb.exe, command line C:\Windows\system32\Nipefmkb.exe
   - Executes dropped EXE
   - Loads dropped DLL
   PID: 1264
20. C:\Windows\SysWOW64\Nnbjpqoa.exe, command line C:\Windows\system32\Nnbjpqoa.exe
   - Executes dropped EXE
   - Loads dropped DLL
   PID: 2036
21. C:\Windows\SysWOW64\Nndgeplo.exe, command line C:\Windows\system32\Nndgeplo.exe
   - Executes dropped EXE
   - Loads dropped DLL
   PID: 1288
22. C:\Windows\SysWOW64\Ojkhjabc.exe, command line C:\Windows\system32\Ojkhjabc.exe
   - Executes dropped EXE
   - Loads dropped DLL
   PID: 2340
23. C:\Windows\SysWOW64\Omnmal32.exe, command line C:\Windows\system32\Omnmal32.exe
   - Executes dropped EXE
   - Loads dropped DLL
   PID: 2984
24. C:\Windows\SysWOW64\Ogdaod32.exe, command line C:\Windows\system32\Ogdaod32.exe
   - Executes dropped EXE
   - Loads dropped DLL
   PID: 2276
25. C:\Windows\SysWOW64\Pmecbkgj.exe, command line C:\Windows\system32\Pmecbkgj.exe
   - Executes dropped EXE
   - Loads dropped DLL
   PID: 2248
26. C:\Windows\SysWOW64\Pbblkaea.exe, command line C:\Windows\system32\Pbblkaea.exe
   - Executes dropped EXE
   - Loads dropped DLL
   PID: 2904
27. C:\Windows\SysWOW64\Pqgilnji.exe, command line C:\Windows\system32\Pqgilnji.exe
   - Executes dropped EXE
   - Loads dropped DLL
   PID: 2852
28. C:\Windows\SysWOW64\Pkojoghl.exe, command line C:\Windows\system32\Pkojoghl.exe
   - Executes dropped EXE
   - Loads dropped DLL
   - Modifies registry class
   PID: 2828
29. C:\Windows\SysWOW64\Qjdgpcmd.exe, command line C:\Windows\system32\Qjdgpcmd.exe
   - Executes dropped EXE
   - Loads dropped DLL
   PID: 2892
30. C:\Windows\SysWOW64\Aphehidc.exe, command line C:\Windows\system32\Aphehidc.exe
   - Executes dropped EXE
   - Loads dropped DLL
   PID: 2716
31. C:\Windows\SysWOW64\Aiqjao32.exe, command line C:\Windows\system32\Aiqjao32.exe
   - Executes dropped EXE
   - Loads dropped DLL
   - Drops file in System32 directory
   PID: 1212
32. C:\Windows\SysWOW64\Aegkfpah.exe, command line C:\Windows\system32\Aegkfpah.exe
   - Executes dropped EXE
   - Loads dropped DLL
   PID: 1952
33. C:\Windows\SysWOW64\Bmelpa32.exe, command line C:\Windows\system32\Bmelpa32.exe
   - Executes dropped EXE
   PID: 2844
34. C:\Windows\SysWOW64\Bodhjdcc.exe, command line C:\Windows\system32\Bodhjdcc.exe
   - Executes dropped EXE
   - System Location Discovery: System Language Discovery
   PID: 2472
35. C:\Windows\SysWOW64\Bphaglgo.exe, command line C:\Windows\system32\Bphaglgo.exe
   - Executes dropped EXE
   PID: 2304
36. C:\Windows\SysWOW64\Blobmm32.exe, command line C:\Windows\system32\Blobmm32.exe
   - Executes dropped EXE
   PID: 2312
37. C:\Windows\SysWOW64\Ceickb32.exe, command line C:\Windows\system32\Ceickb32.exe
   - Executes dropped EXE
   PID: 2200
38. C:\Windows\SysWOW64\Cobhdhha.exe, command line C:\Windows\system32\Cobhdhha.exe
   - Executes dropped EXE
   PID: 2344
39. C:\Windows\SysWOW64\Cdamao32.exe, command line C:\Windows\system32\Cdamao32.exe
   - Executes dropped EXE
   PID: 916
40. C:\Windows\SysWOW64\Ceqjla32.exe, command line C:\Windows\system32\Ceqjla32.exe
   - Executes dropped EXE
   PID: 2460
41. C:\Windows\SysWOW64\Dajgfboj.exe, command line C:\Windows\system32\Dajgfboj.exe
   - Executes dropped EXE
   PID: 2128
42. C:\Windows\SysWOW64\Ddhcbnnn.exe, command line C:\Windows\system32\Ddhcbnnn.exe
   - Executes dropped EXE
   PID: 2052
43. C:\Windows\SysWOW64\Dgildi32.exe, command line C:\Windows\system32\Dgildi32.exe
   - Executes dropped EXE
   PID: 1376
44. C:\Windows\SysWOW64\Dncdqcbl.exe, command line C:\Windows\system32\Dncdqcbl.exe
   - Executes dropped EXE
   PID: 1848
45. C:\Windows\SysWOW64\Dfniee32.exe, command line C:\Windows\system32\Dfniee32.exe
   - Executes dropped EXE
   PID: 1960
46. C:\Windows\SysWOW64\Dlhaaogd.exe, command line C:\Windows\system32\Dlhaaogd.exe
   - Executes dropped EXE
   PID: 1568
47. C:\Windows\SysWOW64\Dkmncl32.exe, command line C:\Windows\system32\Dkmncl32.exe
   - Executes dropped EXE
   - Drops file in System32 directory
   PID: 1912
48. C:\Windows\SysWOW64\Dfbbpd32.exe, command line C:\Windows\system32\Dfbbpd32.exe
   - Executes dropped EXE
   PID: 1672
49. C:\Windows\SysWOW64\Enngdgim.exe, command line C:\Windows\system32\Enngdgim.exe
   - Executes dropped EXE
   PID: 2912
50. C:\Windows\SysWOW64\Edhpaa32.exe, command line C:\Windows\system32\Edhpaa32.exe
   - Executes dropped EXE
   PID: 1808
51. C:\Windows\SysWOW64\Egflml32.exe, command line C:\Windows\system32\Egflml32.exe
   - Executes dropped EXE
   - Drops file in System32 directory
   - System Location Discovery: System Language Discovery
   PID: 2792
52. C:\Windows\SysWOW64\Eblpke32.exe, command line C:\Windows\system32\Eblpke32.exe
   - Executes dropped EXE
   PID: 2920
53. C:\Windows\SysWOW64\Enbapf32.exe, command line C:\Windows\system32\Enbapf32.exe
   - Executes dropped EXE
   PID: 2500
54. C:\Windows\SysWOW64\Ekfaij32.exe, command line C:\Windows\system32\Ekfaij32.exe
   - Executes dropped EXE
   PID: 2744
55. C:\Windows\SysWOW64\Efpbih32.exe, command line C:\Windows\system32\Efpbih32.exe
   - Executes dropped EXE
   PID: 2644
56. C:\Windows\SysWOW64\Ffboohnm.exe, command line C:\Windows\system32\Ffboohnm.exe
   - Executes dropped EXE
   PID: 1092
57. C:\Windows\SysWOW64\Ghmnmo32.exe, command line C:\Windows\system32\Ghmnmo32.exe
   - Executes dropped EXE
   PID: 1816
58. C:\Windows\SysWOW64\Glkgcmbg.exe, command line C:\Windows\system32\Glkgcmbg.exe
   - Executes dropped EXE
   PID: 2400
59. C:\Windows\SysWOW64\Gdihmo32.exe, command line C:\Windows\system32\Gdihmo32.exe
   - Executes dropped EXE
   PID: 3056
60. C:\Windows\SysWOW64\Gamifcmi.exe, command line C:\Windows\system32\Gamifcmi.exe
   - Executes dropped EXE
   PID: 1104
61. C:\Windows\SysWOW64\Gmcikd32.exe, command line C:\Windows\system32\Gmcikd32.exe
   - Executes dropped EXE
   PID: 1944
62. C:\Windows\SysWOW64\Hbpbck32.exe, command line C:\Windows\system32\Hbpbck32.exe
   - Executes dropped EXE
   PID: 2428
63. C:\Windows\SysWOW64\Hpdbmooo.exe, command line C:\Windows\system32\Hpdbmooo.exe
   - Executes dropped EXE
   PID: 980
64. C:\Windows\SysWOW64\Hilgfe32.exe, command line C:\Windows\system32\Hilgfe32.exe
   - Executes dropped EXE
   - Drops file in System32 directory
   PID: 2648
65. C:\Windows\SysWOW64\Hoipnl32.exe, command line C:\Windows\system32\Hoipnl32.exe
   - Executes dropped EXE
   PID: 1776
66. C:\Windows\SysWOW64\Hhadgakg.exe, command line C:\Windows\system32\Hhadgakg.exe
   PID: 1260
67. C:\Windows\SysWOW64\Hlpmmpam.exe, command line C:\Windows\system32\Hlpmmpam.exe
   PID: 2364
68. C:\Windows\SysWOW64\Hmqieh32.exe, command line C:\Windows\system32\Hmqieh32.exe
   PID: 1028
69. C:\Windows\SysWOW64\Hginnmml.exe, command line C:\Windows\system32\Hginnmml.exe
   PID: 2120
70. C:\Windows\SysWOW64\Ipabfcdm.exe, command line C:\Windows\system32\Ipabfcdm.exe
   - Modifies registry class
   PID: 2692
71. C:\Windows\SysWOW64\Iaaoqf32.exe, command line C:\Windows\system32\Iaaoqf32.exe
   PID: 2688
72. C:\Windows\SysWOW64\Igngim32.exe, command line C:\Windows\system32\Igngim32.exe
   PID: 2732
73. C:\Windows\SysWOW64\Idbgbahq.exe, command line C:\Windows\system32\Idbgbahq.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
   PID: 1804
74. C:\Windows\SysWOW64\Iokhcodo.exe, command line C:\Windows\system32\Iokhcodo.exe
   PID: 1800
75. C:\Windows\SysWOW64\Ijampgde.exe, command line C:\Windows\system32\Ijampgde.exe
   PID: 2608
76. C:\Windows\SysWOW64\Ialadj32.exe, command line C:\Windows\system32\Ialadj32.exe
   PID: 2768
77. C:\Windows\SysWOW64\Jopbnn32.exe, command line C:\Windows\system32\Jopbnn32.exe
   PID: 2252
78. C:\Windows\SysWOW64\Jhhfgcgj.exe, command line C:\Windows\system32\Jhhfgcgj.exe
   PID: 1544
79. C:\Windows\SysWOW64\Jdogldmo.exe, command line C:\Windows\system32\Jdogldmo.exe
   PID: 1152
80. C:\Windows\SysWOW64\Jgnchplb.exe, command line C:\Windows\system32\Jgnchplb.exe
   PID: 1316
81. C:\Windows\SysWOW64\Jhmpbc32.exe, command line C:\Windows\system32\Jhmpbc32.exe
   - Modifies registry class
   PID: 620
82. C:\Windows\SysWOW64\Jbedkhie.exe, command line C:\Windows\system32\Jbedkhie.exe
   PID: 2348
83. C:\Windows\SysWOW64\Jgbmco32.exe, command line C:\Windows\system32\Jgbmco32.exe
   PID: 2596
84. C:\Windows\SysWOW64\Kopnma32.exe, command line C:\Windows\system32\Kopnma32.exe
   PID: 1596
85. C:\Windows\SysWOW64\Kqokgd32.exe, command line C:\Windows\system32\Kqokgd32.exe
   PID: 1740
86. C:\Windows\SysWOW64\Kkkhmadd.exe, command line C:\Windows\system32\Kkkhmadd.exe
   - Drops file in System32 directory
   PID: 2328
87. C:\Windows\SysWOW64\Liaeleak.exe, command line C:\Windows\system32\Liaeleak.exe
   PID: 2020
88. C:\Windows\SysWOW64\Lggbmbfc.exe, command line C:\Windows\system32\Lggbmbfc.exe
   PID: 2544
89. C:\Windows\SysWOW64\Lcncbc32.exe, command line C:\Windows\system32\Lcncbc32.exe
   PID: 2292
90. C:\Windows\SysWOW64\Lpddgd32.exe, command line C:\Windows\system32\Lpddgd32.exe
   PID: 3064
91. C:\Windows\SysWOW64\Ljjhdm32.exe, command line C:\Windows\system32\Ljjhdm32.exe
   PID: 2104
92. C:\Windows\SysWOW64\Mlmaad32.exe, command line C:\Windows\system32\Mlmaad32.exe
   PID: 2668
93. C:\Windows\SysWOW64\Mmmnkglp.exe, command line C:\Windows\system32\Mmmnkglp.exe
   PID: 2408
94. C:\Windows\SysWOW64\Mpngmb32.exe, command line C:\Windows\system32\Mpngmb32.exe
   PID: 1856
95. C:\Windows\SysWOW64\Mejoei32.exe, command line C:\Windows\system32\Mejoei32.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
   PID: 896
96. C:\Windows\SysWOW64\Mlgdhcmb.exe, command line C:\Windows\system32\Mlgdhcmb.exe
   - System Location Discovery: System Language Discovery
   PID: 1584
97. C:\Windows\SysWOW64\Nacmpj32.exe, command line C:\Windows\system32\Nacmpj32.exe
   PID: 2192
98. C:\Windows\SysWOW64\Nklaipbj.exe, command line C:\Windows\system32\Nklaipbj.exe
   PID: 3068
99. C:\Windows\SysWOW64\Nianjl32.exe, command line C:\Windows\system32\Nianjl32.exe
   PID: 944
100. C:\Windows\SysWOW64\Nkqjdo32.exe, command line C:\Windows\system32\Nkqjdo32.exe
   PID: 1408
101. C:\Windows\SysWOW64\Nmacej32.exe, command line C:\Windows\system32\Nmacej32.exe
   - Drops file in System32 directory
   - System Location Discovery: System Language Discovery
   PID: 2420
102. C:\Windows\SysWOW64\Ooemcb32.exe, command line C:\Windows\system32\Ooemcb32.exe
   PID: 2812
103. C:\Windows\SysWOW64\Olimlf32.exe, command line C:\Windows\system32\Olimlf32.exe
   PID: 1660
104. C:\Windows\SysWOW64\Oahbjmjp.exe, command line C:\Windows\system32\Oahbjmjp.exe
   PID: 1636
105. C:\Windows\SysWOW64\Pibgfjdh.exe, command line C:\Windows\system32\Pibgfjdh.exe
   PID: 1684
106. C:\Windows\SysWOW64\Pffgonbb.exe, command line C:\Windows\system32\Pffgonbb.exe
   PID: 2464
107. C:\Windows\SysWOW64\Qbmhdp32.exe, command line C:\Windows\system32\Qbmhdp32.exe
   PID: 1576
108. C:\Windows\SysWOW64\Qnciiq32.exe, command line C:\Windows\system32\Qnciiq32.exe
   PID: 1608
109. C:\Windows\SysWOW64\Anfeop32.exe, command line C:\Windows\system32\Anfeop32.exe
   PID: 2756
110. C:\Windows\SysWOW64\Acbnggjo.exe, command line C:\Windows\system32\Acbnggjo.exe
   PID: 2532
111. C:\Windows\SysWOW64\Aebjaj32.exe, command line C:\Windows\system32\Aebjaj32.exe
   PID: 868
112. C:\Windows\SysWOW64\Anjojphb.exe, command line C:\Windows\system32\Anjojphb.exe
   - Modifies registry class
   PID: 1872
113. C:\Windows\SysWOW64\Ajapoqmf.exe, command line C:\Windows\system32\Ajapoqmf.exe
   PID: 2216
114. C:\Windows\SysWOW64\Abldccka.exe, command line C:\Windows\system32\Abldccka.exe
   PID: 2960
115. C:\Windows\SysWOW64\Aiflpm32.exe, command line C:\Windows\system32\Aiflpm32.exe
   PID: 1392
116. C:\Windows\SysWOW64\Blgeahoo.exe, command line C:\Windows\system32\Blgeahoo.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
   PID: 2080
117. C:\Windows\SysWOW64\Bepjjn32.exe, command line C:\Windows\system32\Bepjjn32.exe
   PID: 332
118. C:\Windows\SysWOW64\Bafkookd.exe, command line C:\Windows\system32\Bafkookd.exe
   PID: 904
119. C:\Windows\SysWOW64\Bojkib32.exe, command line C:\Windows\system32\Bojkib32.exe
   PID: 1624
120. C:\Windows\SysWOW64\Bjalndpb.exe, command line C:\Windows\system32\Bjalndpb.exe
   PID: 1736
121. C:\Windows\SysWOW64\Bdipfi32.exe, command line C:\Windows\system32\Bdipfi32.exe
   PID: 2932
122. C:\Windows\SysWOW64\Cmaeoo32.exe, command line C:\Windows\system32\Cmaeoo32.exe
   PID: 960