Analysis
-
max time kernel
119s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20240708-en -
resource tags
arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system -
submitted
22-11-2024 03:30
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
ba56fac89b9b088b70bb5f7cc7925d9e41e7d6712e749e0fdda43a2786898094.exe
Resource
win7-20240708-en
windows7-x64
8 signatures
150 seconds
Behavioral task
behavioral2
Sample
ba56fac89b9b088b70bb5f7cc7925d9e41e7d6712e749e0fdda43a2786898094.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
7 signatures
150 seconds
General
-
Target
ba56fac89b9b088b70bb5f7cc7925d9e41e7d6712e749e0fdda43a2786898094.exe
-
Size
448KB
-
MD5
f345f24413851962546b173e50352010
-
SHA1
452381c26f569ab32fb0150a256bdf3f7ccc8ed9
-
SHA256
ba56fac89b9b088b70bb5f7cc7925d9e41e7d6712e749e0fdda43a2786898094
-
SHA512
07d9245e973b3ca48e4b7268a3f18d119d38c8f8d63d426f314c4b49f01b128c246ed4861dcc92b8f2c5e2708f3bd37c57014f2d2dcd0bc003af90c8a05d3aad
-
SSDEEP
6144:GfwRpzp0xiLUmKyIxLDXXoq9FJZCUmKyIxL:VJK832XXf9Do3
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
Processes:
Hgfooe32.exeHalcmn32.exeJkkjeeke.exeIbfmmb32.exeCchdpbog.exeGagmbkik.exeElieipej.exeJpbcek32.exeAlaqjaaa.exeFfbmfo32.exeOiokholk.exeJjhgbd32.exeMdendpbg.exeEnbogmnc.exePmkdhq32.exeCnabffeo.exeDklepmal.exeOfaolcmh.exeCjoilfek.exeHjmlhbbg.exeOepjoa32.exeIomcpe32.exeQifnhaho.exeAldfcpjn.exeDdbmcb32.exeEcgjdong.exeHqiqjlga.exeLmalgq32.exeOmfnnnhj.exeEqngcc32.exeFkefbcmf.exeLcadghnk.exeFegjgkla.exeMghckj32.exeNkobpmlo.exeEogolc32.exeHcepqh32.exeMhcfjnhm.exeGkmefaan.exeImhqbkbm.exeMejmmqpd.exePimkbbpi.exeApmcefmf.exeEmaijk32.exePilbocej.exeNphghn32.exeOjeakfnd.exeMnmbme32.exeQjfalj32.exeKiofnm32.exeAbhlak32.exeGkbnap32.exeNfjildbp.exeCnflae32.exeDnhefh32.exeDihmpinj.exeEblelb32.exeMneaacno.exeHbofmcij.exeIkldqile.exeNnahgh32.exePfchqf32.exedescription ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hgfooe32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Halcmn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jkkjeeke.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ibfmmb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cchdpbog.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gagmbkik.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jkkjeeke.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Elieipej.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jpbcek32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Alaqjaaa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ffbmfo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Oiokholk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jjhgbd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mdendpbg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Enbogmnc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pmkdhq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cnabffeo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dklepmal.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ofaolcmh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cjoilfek.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hjmlhbbg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Oepjoa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Iomcpe32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qifnhaho.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Aldfcpjn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ddbmcb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ecgjdong.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hqiqjlga.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lmalgq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Omfnnnhj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Eqngcc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fkefbcmf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lcadghnk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fegjgkla.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mghckj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nkobpmlo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eogolc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hcepqh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mhcfjnhm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gkmefaan.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Imhqbkbm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mejmmqpd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pimkbbpi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Apmcefmf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Emaijk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pilbocej.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nphghn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ojeakfnd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mnmbme32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Qjfalj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kiofnm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Abhlak32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gkbnap32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nfjildbp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cnflae32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dnhefh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dihmpinj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Eblelb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pilbocej.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mneaacno.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hbofmcij.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ikldqile.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nnahgh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pfchqf32.exe -
Executes dropped EXE 64 IoCs
Processes:
Apmcefmf.exeAejlnmkm.exeAcnlgajg.exeBhkeohhn.exeBcpimq32.exeBlinefnd.exeBaefnmml.exeBlkjkflb.exeBfcodkcb.exeBkpglbaj.exeBdhleh32.exeBnapnm32.exeCcnifd32.exeCmfmojcb.exeCglalbbi.exeCqdfehii.exeCgnnab32.exeCbgobp32.exeCmmcpi32.exeCfehhn32.exeDnqlmq32.exeDekdikhc.exeDncibp32.exeDihmpinj.exeDbabho32.exeDjlfma32.exeDafoikjb.exeDjocbqpb.exeDpklkgoj.exeEicpcm32.exeEblelb32.exeEmaijk32.exeEfjmbaba.exeEoebgcol.exeEikfdl32.exeEogolc32.exeEhpcehcj.exeFahhnn32.exeFkqlgc32.exeFdiqpigl.exeFamaimfe.exeFkefbcmf.exeFdnjkh32.exeFmfocnjg.exeFeachqgb.exeGojhafnb.exeGhbljk32.exeGefmcp32.exeGcjmmdbf.exeGkebafoa.exeGdnfjl32.exeGaagcpdl.exeHjmlhbbg.exeHcepqh32.exeHqiqjlga.exeHffibceh.exeHcjilgdb.exeHmbndmkb.exeHbofmcij.exeIkgkei32.exeIfmocb32.exeInhdgdmk.exeIkldqile.exeIbfmmb32.exepid Process 2612 Apmcefmf.exe 2732 Aejlnmkm.exe 2840 Acnlgajg.exe 2844 Bhkeohhn.exe 2572 Bcpimq32.exe 3044 Blinefnd.exe 1264 Baefnmml.exe 2868 Blkjkflb.exe 2860 Bfcodkcb.exe 2856 Bkpglbaj.exe 2396 Bdhleh32.exe 1384 Bnapnm32.exe 2992 Ccnifd32.exe 2248 Cmfmojcb.exe 2896 Cglalbbi.exe 1356 Cqdfehii.exe 1544 Cgnnab32.exe 2468 Cbgobp32.exe 1764 Cmmcpi32.exe 1584 Cfehhn32.exe 3012 Dnqlmq32.exe 2272 Dekdikhc.exe 876 Dncibp32.exe 3068 Dihmpinj.exe 2716 Dbabho32.exe 2700 Djlfma32.exe 2924 Dafoikjb.exe 2144 Djocbqpb.exe 2740 Dpklkgoj.exe 2712 Eicpcm32.exe 2652 Eblelb32.exe 2388 Emaijk32.exe 2152 Efjmbaba.exe 2240 Eoebgcol.exe 596 Eikfdl32.exe 2540 Eogolc32.exe 1752 Ehpcehcj.exe 2336 Fahhnn32.exe 2428 Fkqlgc32.exe 2456 Fdiqpigl.exe 2744 Famaimfe.exe 2340 Fkefbcmf.exe 2268 Fdnjkh32.exe 2980 Fmfocnjg.exe 3024 Feachqgb.exe 1788 Gojhafnb.exe 736 Ghbljk32.exe 2584 Gefmcp32.exe 980 Gcjmmdbf.exe 2480 Gkebafoa.exe 1960 Gdnfjl32.exe 2260 Gaagcpdl.exe 2768 Hjmlhbbg.exe 2812 Hcepqh32.exe 2608 Hqiqjlga.exe 2384 Hffibceh.exe 1980 Hcjilgdb.exe 2412 Hmbndmkb.exe 2536 Hbofmcij.exe 3040 Ikgkei32.exe 1128 Ifmocb32.exe 2920 Inhdgdmk.exe 1472 Ikldqile.exe 664 Ibfmmb32.exe -
Loads dropped DLL 64 IoCs
Processes:
ba56fac89b9b088b70bb5f7cc7925d9e41e7d6712e749e0fdda43a2786898094.exeApmcefmf.exeAejlnmkm.exeAcnlgajg.exeBhkeohhn.exeBcpimq32.exeBlinefnd.exeBaefnmml.exeBlkjkflb.exeBfcodkcb.exeBkpglbaj.exeBdhleh32.exeBnapnm32.exeCcnifd32.exeCmfmojcb.exeCglalbbi.exeCqdfehii.exeCgnnab32.exeCbgobp32.exeCmmcpi32.exeCfehhn32.exeDnqlmq32.exeDekdikhc.exeDncibp32.exeDihmpinj.exeDbabho32.exeDjlfma32.exeDafoikjb.exeDjocbqpb.exeDpklkgoj.exeEicpcm32.exeEblelb32.exepid Process 1956 ba56fac89b9b088b70bb5f7cc7925d9e41e7d6712e749e0fdda43a2786898094.exe 1956 ba56fac89b9b088b70bb5f7cc7925d9e41e7d6712e749e0fdda43a2786898094.exe 2612 Apmcefmf.exe 2612 Apmcefmf.exe 2732 Aejlnmkm.exe 2732 Aejlnmkm.exe 2840 Acnlgajg.exe 2840 Acnlgajg.exe 2844 Bhkeohhn.exe 2844 Bhkeohhn.exe 2572 Bcpimq32.exe 2572 Bcpimq32.exe 3044 Blinefnd.exe 3044 Blinefnd.exe 1264 Baefnmml.exe 1264 Baefnmml.exe 2868 Blkjkflb.exe 2868 Blkjkflb.exe 2860 Bfcodkcb.exe 2860 Bfcodkcb.exe 2856 Bkpglbaj.exe 2856 Bkpglbaj.exe 2396 Bdhleh32.exe 2396 Bdhleh32.exe 1384 Bnapnm32.exe 1384 Bnapnm32.exe 2992 Ccnifd32.exe 2992 Ccnifd32.exe 2248 Cmfmojcb.exe 2248 Cmfmojcb.exe 2896 Cglalbbi.exe 2896 Cglalbbi.exe 1356 Cqdfehii.exe 1356 Cqdfehii.exe 1544 Cgnnab32.exe 1544 Cgnnab32.exe 2468 Cbgobp32.exe 2468 Cbgobp32.exe 1764 Cmmcpi32.exe 1764 Cmmcpi32.exe 1584 Cfehhn32.exe 1584 Cfehhn32.exe 3012 Dnqlmq32.exe 3012 Dnqlmq32.exe 2272 Dekdikhc.exe 2272 Dekdikhc.exe 876 Dncibp32.exe 876 Dncibp32.exe 3068 Dihmpinj.exe 3068 Dihmpinj.exe 2716 Dbabho32.exe 2716 Dbabho32.exe 2700 Djlfma32.exe 2700 Djlfma32.exe 2924 Dafoikjb.exe 2924 Dafoikjb.exe 2144 Djocbqpb.exe 2144 Djocbqpb.exe 2740 Dpklkgoj.exe 2740 Dpklkgoj.exe 2712 Eicpcm32.exe 2712 Eicpcm32.exe 2652 Eblelb32.exe 2652 Eblelb32.exe -
Drops file in System32 directory 64 IoCs
Processes:
Jecnnk32.exeAjamfh32.exeFeachqgb.exeLdgnklmi.exeAlaqjaaa.exeDfkjgm32.exeNggipg32.exeCmmcpi32.exeLcadghnk.exeChocodch.exeMkibjgli.exeQaablcej.exeDnhefh32.exeIkgkei32.exeLibjncnc.exeEpfhde32.exeFfgfancd.exeNpfjbn32.exePflbpg32.exeJpbcek32.exeMnmbme32.exeHlmnogkl.exeMlmoilni.exeCnipak32.exePbglpg32.exeKflafbak.exeOnldqejb.exeAcnlgajg.exeHqiqjlga.exeIgceej32.exeHfebhmbm.exeNigldq32.exeOplgeoea.exeImhqbkbm.exeDboglhna.exeEqngcc32.exeJabponba.exeNkobpmlo.exeOepjoa32.exeJbclgf32.exeJibnop32.exeLlpoohik.exeAadobccg.exeAinkcf32.exeDcmnja32.exePilbocej.exeEmgkhj32.exeFapgblob.exeEqkjmcmq.exeFbngfo32.exePimkbbpi.exeHffibceh.exeMgcjpkak.exeAaipghcn.exeBjbqmi32.exeBcflko32.exeQjgjpi32.exeAldfcpjn.exeDklepmal.exeKidjdpie.exedescription ioc Process File created C:\Windows\SysWOW64\Jmocbnop.exe Jecnnk32.exe File opened for modification C:\Windows\SysWOW64\Adiaommc.exe Ajamfh32.exe File created C:\Windows\SysWOW64\Gojhafnb.exe Feachqgb.exe File created C:\Windows\SysWOW64\Mcohhj32.dll Ldgnklmi.exe File opened for modification C:\Windows\SysWOW64\Aanibhoh.exe Alaqjaaa.exe File created C:\Windows\SysWOW64\Qgnonqai.dll Dfkjgm32.exe File opened for modification C:\Windows\SysWOW64\Nfjildbp.exe Nggipg32.exe File opened for modification C:\Windows\SysWOW64\Cfehhn32.exe Cmmcpi32.exe File created C:\Windows\SysWOW64\Ldbaopdj.exe Lcadghnk.exe File opened for modification C:\Windows\SysWOW64\Ckmpkpbl.exe Chocodch.exe File created C:\Windows\SysWOW64\Honlnbae.dll Mkibjgli.exe File created C:\Windows\SysWOW64\Qlggjlep.exe Qaablcej.exe File opened for modification C:\Windows\SysWOW64\Ddbmcb32.exe Dnhefh32.exe File opened for modification C:\Windows\SysWOW64\Ifmocb32.exe Ikgkei32.exe File created C:\Windows\SysWOW64\Cbamip32.dll Libjncnc.exe File created C:\Windows\SysWOW64\Iajpndmp.dll Epfhde32.exe File created C:\Windows\SysWOW64\Flcojeak.exe Ffgfancd.exe File opened for modification C:\Windows\SysWOW64\Ngpcohbm.exe Npfjbn32.exe File created C:\Windows\SysWOW64\Afiganaa.dll Pflbpg32.exe File opened for modification C:\Windows\SysWOW64\Jjhgbd32.exe Jpbcek32.exe File created C:\Windows\SysWOW64\Mploiq32.exe Mnmbme32.exe File opened for modification C:\Windows\SysWOW64\Hfebhmbm.exe Hlmnogkl.exe File created C:\Windows\SysWOW64\Mokkegmm.exe Mlmoilni.exe File opened for modification C:\Windows\SysWOW64\Chocodch.exe Cnipak32.exe File created C:\Windows\SysWOW64\Pfchqf32.exe Pbglpg32.exe File created C:\Windows\SysWOW64\Klhioioc.exe Kflafbak.exe File created C:\Windows\SysWOW64\Oqkpmaif.exe Onldqejb.exe File created C:\Windows\SysWOW64\Bhkeohhn.exe Acnlgajg.exe File created C:\Windows\SysWOW64\Lcepfhka.dll Hqiqjlga.exe File created C:\Windows\SysWOW64\Icifjk32.exe Igceej32.exe File opened for modification C:\Windows\SysWOW64\Hgfooe32.exe Hfebhmbm.exe File opened for modification C:\Windows\SysWOW64\Nbpqmfmd.exe Nigldq32.exe File opened for modification C:\Windows\SysWOW64\Oielnd32.exe Oplgeoea.exe File created C:\Windows\SysWOW64\Ifpelq32.exe Imhqbkbm.exe File created C:\Windows\SysWOW64\Npfjbn32.exe Mkibjgli.exe File opened for modification C:\Windows\SysWOW64\Dglpdomh.exe Dboglhna.exe File opened for modification C:\Windows\SysWOW64\Efjpkj32.exe Eqngcc32.exe File created C:\Windows\SysWOW64\Jbclgf32.exe Jabponba.exe File opened for modification C:\Windows\SysWOW64\Ndggib32.exe Nkobpmlo.exe File created C:\Windows\SysWOW64\Kcnhjgln.dll Nkobpmlo.exe File opened for modification C:\Windows\SysWOW64\Omlncc32.exe Oepjoa32.exe File created C:\Windows\SysWOW64\Dglpdomh.exe Dboglhna.exe File created C:\Windows\SysWOW64\Khljoh32.dll Jbclgf32.exe File created C:\Windows\SysWOW64\Kidjdpie.exe Jibnop32.exe File opened for modification C:\Windows\SysWOW64\Lmalgq32.exe Llpoohik.exe File created C:\Windows\SysWOW64\Ahngomkd.exe Aadobccg.exe File created C:\Windows\SysWOW64\Cfafhc32.dll Ainkcf32.exe File created C:\Windows\SysWOW64\Dfkjgm32.exe Dcmnja32.exe File created C:\Windows\SysWOW64\Fdibkoon.dll Jecnnk32.exe File created C:\Windows\SysWOW64\Bniipnpc.dll Pilbocej.exe File opened for modification C:\Windows\SysWOW64\Epfhde32.exe Emgkhj32.exe File opened for modification C:\Windows\SysWOW64\Fbpclofe.exe Fapgblob.exe File opened for modification C:\Windows\SysWOW64\Ejcofica.exe Eqkjmcmq.exe File created C:\Windows\SysWOW64\Fapgblob.exe Fbngfo32.exe File created C:\Windows\SysWOW64\Lldpji32.dll Pimkbbpi.exe File created C:\Windows\SysWOW64\Hcjilgdb.exe Hffibceh.exe File created C:\Windows\SysWOW64\Ocoadgfn.dll Mgcjpkak.exe File created C:\Windows\SysWOW64\Pcdbhb32.dll Aaipghcn.exe File created C:\Windows\SysWOW64\Mdiejlgm.dll Bjbqmi32.exe File created C:\Windows\SysWOW64\Dlmfbm32.dll Bcflko32.exe File created C:\Windows\SysWOW64\Qaablcej.exe Qjgjpi32.exe File created C:\Windows\SysWOW64\Bemkle32.exe Aldfcpjn.exe File created C:\Windows\SysWOW64\Eddjhb32.exe Dklepmal.exe File created C:\Windows\SysWOW64\Kfodfh32.exe Kidjdpie.exe -
Program crash 1 IoCs
Processes:
WerFault.exepid pid_target Process procid_target 4224 4176 WerFault.exe 381 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
Efmlqigc.exeDncibp32.exeEblelb32.exeMghckj32.exeCbghhj32.exeDmgoif32.exeCojeomee.exeCglalbbi.exeIkldqile.exeIclbpj32.exeKflafbak.exePnnmeh32.exeGpogiglp.exeImhqbkbm.exeCmfmojcb.exeEicpcm32.exeHqiqjlga.exeKfodfh32.exeBjbqmi32.exeEhhfjcff.exePfqlkfoc.exeBogljj32.exeAjamfh32.exeFahhnn32.exeOplgeoea.exeEnbogmnc.exeLophacfl.exeNnodgbed.exePpgcol32.exeGaagcpdl.exePnfnajed.exePllkpn32.exeNflfad32.exeMdendpbg.exeMnpobefe.exeAaipghcn.exeOiokholk.exeLeikbd32.exeObmpgjbb.exeEpfhde32.exeHlhddh32.exeLhimji32.exeLlpoohik.exeMneaacno.exeAcnlgajg.exeEoebgcol.exeGojhafnb.exePhobjp32.exeGkmefaan.exeKiofnm32.exePflbpg32.exeCjoilfek.exeDglpdomh.exeFkefbcmf.exePdhpdq32.exeQdofep32.exeEiciig32.exeMejmmqpd.exeQlggjlep.exeDbabho32.exeNghpjn32.exePaggce32.exeQjfalj32.exeEloipb32.exedescription ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Efmlqigc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dncibp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eblelb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mghckj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cbghhj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dmgoif32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cojeomee.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cglalbbi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ikldqile.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iclbpj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kflafbak.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pnnmeh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gpogiglp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Imhqbkbm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cmfmojcb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eicpcm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hqiqjlga.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kfodfh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bjbqmi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ehhfjcff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pfqlkfoc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bogljj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ajamfh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fahhnn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oplgeoea.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Enbogmnc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lophacfl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nnodgbed.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ppgcol32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gaagcpdl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pnfnajed.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pllkpn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nflfad32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mdendpbg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mnpobefe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aaipghcn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oiokholk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Leikbd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Obmpgjbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Epfhde32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hlhddh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lhimji32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Llpoohik.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mneaacno.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Acnlgajg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eoebgcol.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gojhafnb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Phobjp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gkmefaan.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kiofnm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pflbpg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cjoilfek.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dglpdomh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fkefbcmf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pdhpdq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qdofep32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eiciig32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mejmmqpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qlggjlep.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dbabho32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nghpjn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Paggce32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qjfalj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eloipb32.exe -
Modifies registry class 64 IoCs
Processes:
Mnpobefe.exeLbbnjgik.exeClkicbfa.exeDnfhqi32.exeCqdfehii.exeJpbcek32.exeEddjhb32.exeFdfmpc32.exeIgpaec32.exeEoebgcol.exeDmgoif32.exeGkmefaan.exePmfjmake.exeAhngomkd.exeBknmok32.exeba56fac89b9b088b70bb5f7cc7925d9e41e7d6712e749e0fdda43a2786898094.exeBlinefnd.exeFpgnoo32.exeGibbgmfe.exeBhpqcpkm.exeDoqkpl32.exeOiokholk.exeBikcbc32.exeGmidlmcd.exeLhimji32.exePfqlkfoc.exeAdiaommc.exeBlniinac.exeDbabho32.exeDpklkgoj.exeOjeakfnd.exeDgnminke.exeEnmnahnm.exeHbofmcij.exePhobjp32.exeAbhlak32.exeBlqmid32.exeDeeqch32.exeCjoilfek.exePhledp32.exeAljjjb32.exePilbocej.exePdhpdq32.exeHmbndmkb.exeNflfad32.exeKlhioioc.exeNgpcohbm.exeApmcefmf.exeIgceej32.exeNbpqmfmd.exePpgcol32.exeEmdhhdqb.exeOgabql32.exeGagmbkik.exeHalcmn32.exeAiaqle32.exeInhdgdmk.exeGpogiglp.exeGkbnap32.exedescription ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mnpobefe.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Lbbnjgik.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Clkicbfa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dnfhqi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Npepblac.dll" Cqdfehii.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jpbcek32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Eddjhb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fdfmpc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Igpaec32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Eoebgcol.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Dmgoif32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fodkno32.dll" Gkmefaan.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gipjkn32.dll" Pmfjmake.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ahngomkd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bknmok32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 ba56fac89b9b088b70bb5f7cc7925d9e41e7d6712e749e0fdda43a2786898094.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Blinefnd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Fpgnoo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Gibbgmfe.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bhpqcpkm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Doqkpl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID ba56fac89b9b088b70bb5f7cc7925d9e41e7d6712e749e0fdda43a2786898094.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Oiokholk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bikcbc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Gmidlmcd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Lhimji32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pfqlkfoc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Adiaommc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Blniinac.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Dbabho32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Dpklkgoj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ojeakfnd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Dgnminke.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jacgio32.dll" Enmnahnm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dpklkgoj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hbofmcij.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Phobjp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjfdcidn.dll" Abhlak32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nckpfbjj.dll" Blqmid32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Deeqch32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Cjoilfek.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dbabho32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gagolf32.dll" Phledp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qaejidpg.dll" Aljjjb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pilbocej.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pdhpdq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hmbndmkb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Nflfad32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aggpokfi.dll" Klhioioc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ngpcohbm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Apmcefmf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Igceej32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Deankpkm.dll" Nbpqmfmd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fkfcmj32.dll" Ppgcol32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Emdhhdqb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jofkdh32.dll" Ogabql32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bgdkfk32.dll" Gagmbkik.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Keigbd32.dll" Halcmn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hmcqik32.dll" Aiaqle32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Inhdgdmk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ccboal32.dll" Gpogiglp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Nflfad32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717} ba56fac89b9b088b70bb5f7cc7925d9e41e7d6712e749e0fdda43a2786898094.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bfjpjn32.dll" Gkbnap32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
ba56fac89b9b088b70bb5f7cc7925d9e41e7d6712e749e0fdda43a2786898094.exeApmcefmf.exeAejlnmkm.exeAcnlgajg.exeBhkeohhn.exeBcpimq32.exeBlinefnd.exeBaefnmml.exeBlkjkflb.exeBfcodkcb.exeBkpglbaj.exeBdhleh32.exeBnapnm32.exeCcnifd32.exeCmfmojcb.exeCglalbbi.exedescription pid Process procid_target PID 1956 wrote to memory of 2612 1956 ba56fac89b9b088b70bb5f7cc7925d9e41e7d6712e749e0fdda43a2786898094.exe 30 PID 1956 wrote to memory of 2612 1956 ba56fac89b9b088b70bb5f7cc7925d9e41e7d6712e749e0fdda43a2786898094.exe 30 PID 1956 wrote to memory of 2612 1956 ba56fac89b9b088b70bb5f7cc7925d9e41e7d6712e749e0fdda43a2786898094.exe 30 PID 1956 wrote to memory of 2612 1956 ba56fac89b9b088b70bb5f7cc7925d9e41e7d6712e749e0fdda43a2786898094.exe 30 PID 2612 wrote to memory of 2732 2612 Apmcefmf.exe 31 PID 2612 wrote to memory of 2732 2612 Apmcefmf.exe 31 PID 2612 wrote to memory of 2732 2612 Apmcefmf.exe 31 PID 2612 wrote to memory of 2732 2612 Apmcefmf.exe 31 PID 2732 wrote to memory of 2840 2732 Aejlnmkm.exe 32 PID 2732 wrote to memory of 2840 2732 Aejlnmkm.exe 32 PID 2732 wrote to memory of 2840 2732 Aejlnmkm.exe 32 PID 2732 wrote to memory of 2840 2732 Aejlnmkm.exe 32 PID 2840 wrote to memory of 2844 2840 Acnlgajg.exe 33 PID 2840 wrote to memory of 2844 2840 Acnlgajg.exe 33 PID 2840 wrote to memory of 2844 2840 Acnlgajg.exe 33 PID 2840 wrote to memory of 2844 2840 Acnlgajg.exe 33 PID 2844 wrote to memory of 2572 2844 Bhkeohhn.exe 34 PID 2844 wrote to memory of 2572 2844 Bhkeohhn.exe 34 PID 2844 wrote to memory of 2572 2844 Bhkeohhn.exe 34 PID 2844 wrote to memory of 2572 2844 Bhkeohhn.exe 34 PID 2572 wrote to memory of 3044 2572 Bcpimq32.exe 35 PID 2572 wrote to memory of 3044 2572 Bcpimq32.exe 35 PID 2572 wrote to memory of 3044 2572 Bcpimq32.exe 35 PID 2572 wrote to memory of 3044 2572 Bcpimq32.exe 35 PID 3044 wrote to memory of 1264 3044 Blinefnd.exe 36 PID 3044 wrote to memory of 1264 3044 Blinefnd.exe 36 PID 3044 wrote to memory of 1264 3044 Blinefnd.exe 36 PID 3044 wrote to memory of 1264 3044 Blinefnd.exe 36 PID 1264 wrote to memory of 2868 1264 Baefnmml.exe 37 PID 1264 wrote to memory of 2868 1264 Baefnmml.exe 37 PID 1264 wrote to memory of 2868 1264 Baefnmml.exe 37 PID 1264 wrote to memory of 2868 1264 Baefnmml.exe 37 PID 2868 wrote to memory of 2860 2868 Blkjkflb.exe 38 PID 2868 wrote to memory of 2860 2868 Blkjkflb.exe 38 PID 2868 wrote to memory of 2860 2868 Blkjkflb.exe 38 PID 2868 wrote to memory of 2860 2868 Blkjkflb.exe 38 PID 2860 wrote to memory of 2856 2860 Bfcodkcb.exe 39 PID 2860 wrote to memory of 2856 2860 Bfcodkcb.exe 39 PID 2860 wrote to memory of 2856 2860 Bfcodkcb.exe 39 PID 2860 wrote to memory of 2856 2860 Bfcodkcb.exe 39 PID 2856 wrote to memory of 2396 2856 Bkpglbaj.exe 40 PID 2856 wrote to memory of 2396 2856 Bkpglbaj.exe 40 PID 2856 wrote to memory of 2396 2856 Bkpglbaj.exe 40 PID 2856 wrote to memory of 2396 2856 Bkpglbaj.exe 40 PID 2396 wrote to memory of 1384 2396 Bdhleh32.exe 41 PID 2396 wrote to memory of 1384 2396 Bdhleh32.exe 41 PID 2396 wrote to memory of 1384 2396 Bdhleh32.exe 41 PID 2396 wrote to memory of 1384 2396 Bdhleh32.exe 41 PID 1384 wrote to memory of 2992 1384 Bnapnm32.exe 42 PID 1384 wrote to memory of 2992 1384 Bnapnm32.exe 42 PID 1384 wrote to memory of 2992 1384 Bnapnm32.exe 42 PID 1384 wrote to memory of 2992 1384 Bnapnm32.exe 42 PID 2992 wrote to memory of 2248 2992 Ccnifd32.exe 43 PID 2992 wrote to memory of 2248 2992 Ccnifd32.exe 43 PID 2992 wrote to memory of 2248 2992 Ccnifd32.exe 43 PID 2992 wrote to memory of 2248 2992 Ccnifd32.exe 43 PID 2248 wrote to memory of 2896 2248 Cmfmojcb.exe 44 PID 2248 wrote to memory of 2896 2248 Cmfmojcb.exe 44 PID 2248 wrote to memory of 2896 2248 Cmfmojcb.exe 44 PID 2248 wrote to memory of 2896 2248 Cmfmojcb.exe 44 PID 2896 wrote to memory of 1356 2896 Cglalbbi.exe 45 PID 2896 wrote to memory of 1356 2896 Cglalbbi.exe 45 PID 2896 wrote to memory of 1356 2896 Cglalbbi.exe 45 PID 2896 wrote to memory of 1356 2896 Cglalbbi.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\ba56fac89b9b088b70bb5f7cc7925d9e41e7d6712e749e0fdda43a2786898094.exe"C:\Users\Admin\AppData\Local\Temp\ba56fac89b9b088b70bb5f7cc7925d9e41e7d6712e749e0fdda43a2786898094.exe"1⤵
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1956 -
C:\Windows\SysWOW64\Apmcefmf.exeC:\Windows\system32\Apmcefmf.exe2⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2612 -
C:\Windows\SysWOW64\Aejlnmkm.exeC:\Windows\system32\Aejlnmkm.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2732 -
C:\Windows\SysWOW64\Acnlgajg.exeC:\Windows\system32\Acnlgajg.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2840 -
C:\Windows\SysWOW64\Bhkeohhn.exeC:\Windows\system32\Bhkeohhn.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2844 -
C:\Windows\SysWOW64\Bcpimq32.exeC:\Windows\system32\Bcpimq32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2572 -
C:\Windows\SysWOW64\Blinefnd.exeC:\Windows\system32\Blinefnd.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3044 -
C:\Windows\SysWOW64\Baefnmml.exeC:\Windows\system32\Baefnmml.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1264 -
C:\Windows\SysWOW64\Blkjkflb.exeC:\Windows\system32\Blkjkflb.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2868 -
C:\Windows\SysWOW64\Bfcodkcb.exeC:\Windows\system32\Bfcodkcb.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2860 -
C:\Windows\SysWOW64\Bkpglbaj.exeC:\Windows\system32\Bkpglbaj.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2856 -
C:\Windows\SysWOW64\Bdhleh32.exeC:\Windows\system32\Bdhleh32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2396 -
C:\Windows\SysWOW64\Bnapnm32.exeC:\Windows\system32\Bnapnm32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1384 -
C:\Windows\SysWOW64\Ccnifd32.exeC:\Windows\system32\Ccnifd32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2992 -
C:\Windows\SysWOW64\Cmfmojcb.exeC:\Windows\system32\Cmfmojcb.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2248 -
C:\Windows\SysWOW64\Cglalbbi.exeC:\Windows\system32\Cglalbbi.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2896 -
C:\Windows\SysWOW64\Cqdfehii.exeC:\Windows\system32\Cqdfehii.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1356 -
C:\Windows\SysWOW64\Cgnnab32.exeC:\Windows\system32\Cgnnab32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1544 -
C:\Windows\SysWOW64\Cbgobp32.exeC:\Windows\system32\Cbgobp32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2468 -
C:\Windows\SysWOW64\Cmmcpi32.exeC:\Windows\system32\Cmmcpi32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1764 -
C:\Windows\SysWOW64\Cfehhn32.exeC:\Windows\system32\Cfehhn32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1584 -
C:\Windows\SysWOW64\Dnqlmq32.exeC:\Windows\system32\Dnqlmq32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3012 -
C:\Windows\SysWOW64\Dekdikhc.exeC:\Windows\system32\Dekdikhc.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2272 -
C:\Windows\SysWOW64\Dncibp32.exeC:\Windows\system32\Dncibp32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:876 -
C:\Windows\SysWOW64\Dihmpinj.exeC:\Windows\system32\Dihmpinj.exe25⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:3068 -
C:\Windows\SysWOW64\Dbabho32.exeC:\Windows\system32\Dbabho32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2716 -
C:\Windows\SysWOW64\Djlfma32.exeC:\Windows\system32\Djlfma32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2700 -
C:\Windows\SysWOW64\Dafoikjb.exeC:\Windows\system32\Dafoikjb.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2924 -
C:\Windows\SysWOW64\Djocbqpb.exeC:\Windows\system32\Djocbqpb.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2144 -
C:\Windows\SysWOW64\Dpklkgoj.exeC:\Windows\system32\Dpklkgoj.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2740 -
C:\Windows\SysWOW64\Eicpcm32.exeC:\Windows\system32\Eicpcm32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2712 -
C:\Windows\SysWOW64\Eblelb32.exeC:\Windows\system32\Eblelb32.exe32⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2652 -
C:\Windows\SysWOW64\Emaijk32.exeC:\Windows\system32\Emaijk32.exe33⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2388 -
C:\Windows\SysWOW64\Efjmbaba.exeC:\Windows\system32\Efjmbaba.exe34⤵
- Executes dropped EXE
PID:2152 -
C:\Windows\SysWOW64\Eoebgcol.exeC:\Windows\system32\Eoebgcol.exe35⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2240 -
C:\Windows\SysWOW64\Eikfdl32.exeC:\Windows\system32\Eikfdl32.exe36⤵
- Executes dropped EXE
PID:596 -
C:\Windows\SysWOW64\Eogolc32.exeC:\Windows\system32\Eogolc32.exe37⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2540 -
C:\Windows\SysWOW64\Ehpcehcj.exeC:\Windows\system32\Ehpcehcj.exe38⤵
- Executes dropped EXE
PID:1752 -
C:\Windows\SysWOW64\Fahhnn32.exeC:\Windows\system32\Fahhnn32.exe39⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2336 -
C:\Windows\SysWOW64\Fkqlgc32.exeC:\Windows\system32\Fkqlgc32.exe40⤵
- Executes dropped EXE
PID:2428 -
C:\Windows\SysWOW64\Fdiqpigl.exeC:\Windows\system32\Fdiqpigl.exe41⤵
- Executes dropped EXE
PID:2456 -
C:\Windows\SysWOW64\Famaimfe.exeC:\Windows\system32\Famaimfe.exe42⤵
- Executes dropped EXE
PID:2744 -
C:\Windows\SysWOW64\Fkefbcmf.exeC:\Windows\system32\Fkefbcmf.exe43⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2340 -
C:\Windows\SysWOW64\Fdnjkh32.exeC:\Windows\system32\Fdnjkh32.exe44⤵
- Executes dropped EXE
PID:2268 -
C:\Windows\SysWOW64\Fmfocnjg.exeC:\Windows\system32\Fmfocnjg.exe45⤵
- Executes dropped EXE
PID:2980 -
C:\Windows\SysWOW64\Feachqgb.exeC:\Windows\system32\Feachqgb.exe46⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3024 -
C:\Windows\SysWOW64\Gojhafnb.exeC:\Windows\system32\Gojhafnb.exe47⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1788 -
C:\Windows\SysWOW64\Ghbljk32.exeC:\Windows\system32\Ghbljk32.exe48⤵
- Executes dropped EXE
PID:736 -
C:\Windows\SysWOW64\Gefmcp32.exeC:\Windows\system32\Gefmcp32.exe49⤵
- Executes dropped EXE
PID:2584 -
C:\Windows\SysWOW64\Gcjmmdbf.exeC:\Windows\system32\Gcjmmdbf.exe50⤵
- Executes dropped EXE
PID:980 -
C:\Windows\SysWOW64\Gkebafoa.exeC:\Windows\system32\Gkebafoa.exe51⤵
- Executes dropped EXE
PID:2480 -
C:\Windows\SysWOW64\Gdnfjl32.exeC:\Windows\system32\Gdnfjl32.exe52⤵
- Executes dropped EXE
PID:1960 -
C:\Windows\SysWOW64\Gaagcpdl.exeC:\Windows\system32\Gaagcpdl.exe53⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2260 -
C:\Windows\SysWOW64\Hjmlhbbg.exeC:\Windows\system32\Hjmlhbbg.exe54⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2768 -
C:\Windows\SysWOW64\Hcepqh32.exeC:\Windows\system32\Hcepqh32.exe55⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2812 -
C:\Windows\SysWOW64\Hqiqjlga.exeC:\Windows\system32\Hqiqjlga.exe56⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2608 -
C:\Windows\SysWOW64\Hffibceh.exeC:\Windows\system32\Hffibceh.exe57⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2384 -
C:\Windows\SysWOW64\Hcjilgdb.exeC:\Windows\system32\Hcjilgdb.exe58⤵
- Executes dropped EXE
PID:1980 -
C:\Windows\SysWOW64\Hmbndmkb.exeC:\Windows\system32\Hmbndmkb.exe59⤵
- Executes dropped EXE
- Modifies registry class
PID:2412 -
C:\Windows\SysWOW64\Hbofmcij.exeC:\Windows\system32\Hbofmcij.exe60⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:2536 -
C:\Windows\SysWOW64\Ikgkei32.exeC:\Windows\system32\Ikgkei32.exe61⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3040 -
C:\Windows\SysWOW64\Ifmocb32.exeC:\Windows\system32\Ifmocb32.exe62⤵
- Executes dropped EXE
PID:1128 -
C:\Windows\SysWOW64\Inhdgdmk.exeC:\Windows\system32\Inhdgdmk.exe63⤵
- Executes dropped EXE
- Modifies registry class
PID:2920 -
C:\Windows\SysWOW64\Ikldqile.exeC:\Windows\system32\Ikldqile.exe64⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1472 -
C:\Windows\SysWOW64\Ibfmmb32.exeC:\Windows\system32\Ibfmmb32.exe65⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:664 -
C:\Windows\SysWOW64\Igceej32.exeC:\Windows\system32\Igceej32.exe66⤵
- Drops file in System32 directory
- Modifies registry class
PID:2788 -
C:\Windows\SysWOW64\Icifjk32.exeC:\Windows\system32\Icifjk32.exe67⤵PID:1740
-
C:\Windows\SysWOW64\Iclbpj32.exeC:\Windows\system32\Iclbpj32.exe68⤵
- System Location Discovery: System Language Discovery
PID:2872 -
C:\Windows\SysWOW64\Jpbcek32.exeC:\Windows\system32\Jpbcek32.exe69⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:1824 -
C:\Windows\SysWOW64\Jjhgbd32.exeC:\Windows\system32\Jjhgbd32.exe70⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2112 -
C:\Windows\SysWOW64\Jabponba.exeC:\Windows\system32\Jabponba.exe71⤵
- Drops file in System32 directory
PID:1648 -
C:\Windows\SysWOW64\Jbclgf32.exeC:\Windows\system32\Jbclgf32.exe72⤵
- Drops file in System32 directory
PID:984 -
C:\Windows\SysWOW64\Jpgmpk32.exeC:\Windows\system32\Jpgmpk32.exe73⤵PID:2044
-
C:\Windows\SysWOW64\Jlnmel32.exeC:\Windows\system32\Jlnmel32.exe74⤵PID:2644
-
C:\Windows\SysWOW64\Jibnop32.exeC:\Windows\system32\Jibnop32.exe75⤵
- Drops file in System32 directory
PID:2476 -
C:\Windows\SysWOW64\Kidjdpie.exeC:\Windows\system32\Kidjdpie.exe76⤵
- Drops file in System32 directory
PID:1148 -
C:\Windows\SysWOW64\Kfodfh32.exeC:\Windows\system32\Kfodfh32.exe77⤵
- System Location Discovery: System Language Discovery
PID:2828 -
C:\Windows\SysWOW64\Kdbepm32.exeC:\Windows\system32\Kdbepm32.exe78⤵PID:2164
-
C:\Windows\SysWOW64\Kipmhc32.exeC:\Windows\system32\Kipmhc32.exe79⤵PID:2096
-
C:\Windows\SysWOW64\Kdeaelok.exeC:\Windows\system32\Kdeaelok.exe80⤵PID:2520
-
C:\Windows\SysWOW64\Libjncnc.exeC:\Windows\system32\Libjncnc.exe81⤵
- Drops file in System32 directory
PID:1724 -
C:\Windows\SysWOW64\Ldgnklmi.exeC:\Windows\system32\Ldgnklmi.exe82⤵
- Drops file in System32 directory
PID:1984 -
C:\Windows\SysWOW64\Leikbd32.exeC:\Windows\system32\Leikbd32.exe83⤵
- System Location Discovery: System Language Discovery
PID:1784 -
C:\Windows\SysWOW64\Lpnopm32.exeC:\Windows\system32\Lpnopm32.exe84⤵PID:1592
-
C:\Windows\SysWOW64\Lghgmg32.exeC:\Windows\system32\Lghgmg32.exe85⤵PID:2216
-
C:\Windows\SysWOW64\Llepen32.exeC:\Windows\system32\Llepen32.exe86⤵PID:2564
-
C:\Windows\SysWOW64\Laahme32.exeC:\Windows\system32\Laahme32.exe87⤵PID:2060
-
C:\Windows\SysWOW64\Llgljn32.exeC:\Windows\system32\Llgljn32.exe88⤵PID:2132
-
C:\Windows\SysWOW64\Lcadghnk.exeC:\Windows\system32\Lcadghnk.exe89⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2328 -
C:\Windows\SysWOW64\Ldbaopdj.exeC:\Windows\system32\Ldbaopdj.exe90⤵PID:2680
-
C:\Windows\SysWOW64\Lohelidp.exeC:\Windows\system32\Lohelidp.exe91⤵PID:1096
-
C:\Windows\SysWOW64\Mdendpbg.exeC:\Windows\system32\Mdendpbg.exe92⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:1324 -
C:\Windows\SysWOW64\Mgcjpkak.exeC:\Windows\system32\Mgcjpkak.exe93⤵
- Drops file in System32 directory
PID:2676 -
C:\Windows\SysWOW64\Mnmbme32.exeC:\Windows\system32\Mnmbme32.exe94⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:1716 -
C:\Windows\SysWOW64\Mploiq32.exeC:\Windows\system32\Mploiq32.exe95⤵PID:1924
-
C:\Windows\SysWOW64\Mhcfjnhm.exeC:\Windows\system32\Mhcfjnhm.exe96⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1684 -
C:\Windows\SysWOW64\Mnpobefe.exeC:\Windows\system32\Mnpobefe.exe97⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2764 -
C:\Windows\SysWOW64\Mghckj32.exeC:\Windows\system32\Mghckj32.exe98⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:1000 -
C:\Windows\SysWOW64\Mlelda32.exeC:\Windows\system32\Mlelda32.exe99⤵PID:1600
-
C:\Windows\SysWOW64\Mgjpaj32.exeC:\Windows\system32\Mgjpaj32.exe100⤵PID:2016
-
C:\Windows\SysWOW64\Mlgiiaij.exeC:\Windows\system32\Mlgiiaij.exe101⤵PID:2596
-
C:\Windows\SysWOW64\Mcaafk32.exeC:\Windows\system32\Mcaafk32.exe102⤵PID:2172
-
C:\Windows\SysWOW64\Mhninb32.exeC:\Windows\system32\Mhninb32.exe103⤵PID:2656
-
C:\Windows\SysWOW64\Nkobpmlo.exeC:\Windows\system32\Nkobpmlo.exe104⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2136 -
C:\Windows\SysWOW64\Ndggib32.exeC:\Windows\system32\Ndggib32.exe105⤵PID:2624
-
C:\Windows\SysWOW64\Nbkgbg32.exeC:\Windows\system32\Nbkgbg32.exe106⤵PID:1484
-
C:\Windows\SysWOW64\Nghpjn32.exeC:\Windows\system32\Nghpjn32.exe107⤵
- System Location Discovery: System Language Discovery
PID:2512 -
C:\Windows\SysWOW64\Nnahgh32.exeC:\Windows\system32\Nnahgh32.exe108⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:336 -
C:\Windows\SysWOW64\Nigldq32.exeC:\Windows\system32\Nigldq32.exe109⤵
- Drops file in System32 directory
PID:2124 -
C:\Windows\SysWOW64\Nbpqmfmd.exeC:\Windows\system32\Nbpqmfmd.exe110⤵
- Modifies registry class
PID:2372 -
C:\Windows\SysWOW64\Ncamen32.exeC:\Windows\system32\Ncamen32.exe111⤵PID:1952
-
C:\Windows\SysWOW64\Oepjoa32.exeC:\Windows\system32\Oepjoa32.exe112⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:752 -
C:\Windows\SysWOW64\Omlncc32.exeC:\Windows\system32\Omlncc32.exe113⤵PID:2724
-
C:\Windows\SysWOW64\Opjkpo32.exeC:\Windows\system32\Opjkpo32.exe114⤵PID:2648
-
C:\Windows\SysWOW64\Ogabql32.exeC:\Windows\system32\Ogabql32.exe115⤵
- Modifies registry class
PID:2888 -
C:\Windows\SysWOW64\Oplgeoea.exeC:\Windows\system32\Oplgeoea.exe116⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:836 -
C:\Windows\SysWOW64\Oielnd32.exeC:\Windows\system32\Oielnd32.exe117⤵PID:1672
-
C:\Windows\SysWOW64\Obmpgjbb.exeC:\Windows\system32\Obmpgjbb.exe118⤵
- System Location Discovery: System Language Discovery
PID:2348 -
C:\Windows\SysWOW64\Pndalkgf.exeC:\Windows\system32\Pndalkgf.exe119⤵PID:2076
-
C:\Windows\SysWOW64\Phledp32.exeC:\Windows\system32\Phledp32.exe120⤵
- Modifies registry class
PID:2184 -
C:\Windows\SysWOW64\Pnfnajed.exeC:\Windows\system32\Pnfnajed.exe121⤵
- System Location Discovery: System Language Discovery
PID:1892
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-