Analysis
max time kernel: 100s
max time network: 19s
platform: windows7_x64
resource: win7-20241010-en
resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
submitted: 22-11-2024 08:42
Static task: static1
Behavioral task: behavioral1
  Sample: d8018db586ab7ee409d75dedfb265df4cecbc5ad2c80d8074d1cda681c044a09N.exe
  Resource: win7-20241010-en
Behavioral task: behavioral2
  Sample: d8018db586ab7ee409d75dedfb265df4cecbc5ad2c80d8074d1cda681c044a09N.exe
  Resource: win10v2004-20241007-en
General
Target: d8018db586ab7ee409d75dedfb265df4cecbc5ad2c80d8074d1cda681c044a09N.exe
Size: 395KB
MD5: 713b1cc93ad25200990ecc5b4aa479e0
SHA1: 0a9e97589e3e2dba7decf4f2daac894a4745d2a2
SHA256: d8018db586ab7ee409d75dedfb265df4cecbc5ad2c80d8074d1cda681c044a09
SHA512: 9143788f6cfc0ab9969ead37d13c9e3ae5b8a264947704916db9484aa4e535945c99e13abfa7a2a59773304a79eb6f1c849739a9d838df464b28d0e3f283db60
SSDEEP: 6144:IVt/pmyvFOis4y70u4HXs4yr0u490u4Ds4yvW8lM:6t/UkE4O0dHc4i0d90dA4X
Malware Config
Signatures
Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Hkqgkcpp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Epkgkfmd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Gmflmfpe.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Kolcdahb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Qnkgnj32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Cjdmee32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ihinkn32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Inpchbdl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Cheoma32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Dkfdlclg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Dfoplkel.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Dbjjll32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Fnglekch.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Mfpdim32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Fejomjgg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Njobpa32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Kniaap32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Qiqpmp32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Mfpdim32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Leflapab.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Fpoleilj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ilfbpk32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Mmgoqg32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Cojlfckj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Eehbgj32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Mekfmp32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bncboo32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Gemhpq32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Jedgnjon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Kdhgkk32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Anebhh32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Hpmhhcjk.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Imbakfcc.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Edljfd32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Hfgbbb32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Fmjfbe32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bdhjfc32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Hjjknfin.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Hqplhi32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Cbhcankf.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Dehdpnok.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Fokqae32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Dbjjll32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Mkqnghfk.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Cbjbof32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Cocpjf32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Onplmp32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Gpfbfh32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Hjeacf32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bcoafcjk.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Apdobg32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Pdlmnm32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bgemal32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Iikneggd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Dgabomfl.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Onacgf32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Jkcllmhb.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Hiohob32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Kpohplpf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Gbhpidak.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Llpajmkq.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Doflofbf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Iejnna32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Fdicfbpl.exe
Executes dropped EXE (64 IoCs)
pid | Process
2892 | Kkajkoml.exe
2820 | Kppohf32.exe
2844 | Kihcakpa.exe
2848 | Mglpjc32.exe
2732 | Mbkkepio.exe
2264 | Nqdaal32.exe
2612 | Nnhakp32.exe
832 | Njobpa32.exe
2500 | Nidoamch.exe
3060 | Pdllci32.exe
2152 | Pdnihiad.exe
584 | Alcqcjgd.exe
1108 | Achlch32.exe
2076 | Bgfdjfkh.exe
2684 | Cjdmee32.exe
1124 | Cfpgee32.exe
972 | Dfdqpdja.exe
1932 | Dgjfbllj.exe
112 | Emilqb32.exe
1640 | Efifjg32.exe
2008 | Eleobngo.exe
472 | Flhkhnel.exe
2376 | Fhaibnim.exe
876 | Gilhpe32.exe
2124 | Ggphji32.exe
1708 | Hhhkbqea.exe
2456 | Happkf32.exe
2336 | Hcdihn32.exe
2928 | Hchbcmlh.exe
2728 | Ioochn32.exe
2772 | Ibeeeijg.exe
2252 | Jehklc32.exe
2692 | Jijqeg32.exe
1916 | Jjimpj32.exe
2172 | Jpfehq32.exe
1144 | Kkglim32.exe
2900 | Lkkfdmpq.exe
1744 | Lpkkbcle.exe
1728 | Lejppj32.exe
1160 | Lihifhoq.exe
2212 | Mdajff32.exe
848 | Mognco32.exe
2516 | Mnlkdk32.exe
2032 | Mjcljlea.exe
1944 | Mlcekgbb.exe
2524 | Nlfaag32.exe
1988 | Ngkfnp32.exe
920 | Nfqbol32.exe
2648 | Nbgcdmjb.exe
2256 | Nokdnail.exe
2852 | Nkbdbbop.exe
2380 | Oifelfni.exe
2736 | Oemfahcn.exe
2760 | Oqcffi32.exe
2196 | Ojlkonpb.exe
1168 | Ogpkhb32.exe
900 | Ocglmcdp.exe
2952 | Pmoqfi32.exe
1296 | Pmamliin.exe
1804 | Pihnqj32.exe
1524 | Peooek32.exe
2072 | Pjlgna32.exe
2156 | Pmmppm32.exe
2548 | Qfedhb32.exe
Loads dropped DLL (64 IoCs)
pid | Process
392 | d8018db586ab7ee409d75dedfb265df4cecbc5ad2c80d8074d1cda681c044a09N.exe
392 | d8018db586ab7ee409d75dedfb265df4cecbc5ad2c80d8074d1cda681c044a09N.exe
2892 | Kkajkoml.exe
2892 | Kkajkoml.exe
2820 | Kppohf32.exe
2820 | Kppohf32.exe
2844 | Kihcakpa.exe
2844 | Kihcakpa.exe
2848 | Mglpjc32.exe
2848 | Mglpjc32.exe
2732 | Mbkkepio.exe
2732 | Mbkkepio.exe
2264 | Nqdaal32.exe
2264 | Nqdaal32.exe
2612 | Nnhakp32.exe
2612 | Nnhakp32.exe
832 | Njobpa32.exe
832 | Njobpa32.exe
2500 | Nidoamch.exe
2500 | Nidoamch.exe
3060 | Pdllci32.exe
3060 | Pdllci32.exe
2152 | Pdnihiad.exe
2152 | Pdnihiad.exe
584 | Alcqcjgd.exe
584 | Alcqcjgd.exe
1108 | Achlch32.exe
1108 | Achlch32.exe
2076 | Bgfdjfkh.exe
2076 | Bgfdjfkh.exe
2684 | Cjdmee32.exe
2684 | Cjdmee32.exe
1124 | Cfpgee32.exe
1124 | Cfpgee32.exe
972 | Dfdqpdja.exe
972 | Dfdqpdja.exe
1932 | Dgjfbllj.exe
1932 | Dgjfbllj.exe
112 | Emilqb32.exe
112 | Emilqb32.exe
1640 | Efifjg32.exe
1640 | Efifjg32.exe
2008 | Eleobngo.exe
2008 | Eleobngo.exe
472 | Flhkhnel.exe
472 | Flhkhnel.exe
2376 | Fhaibnim.exe
2376 | Fhaibnim.exe
876 | Gilhpe32.exe
876 | Gilhpe32.exe
2124 | Ggphji32.exe
2124 | Ggphji32.exe
1708 | Hhhkbqea.exe
1708 | Hhhkbqea.exe
2456 | Happkf32.exe
2456 | Happkf32.exe
2336 | Hcdihn32.exe
2336 | Hcdihn32.exe
2928 | Hchbcmlh.exe
2928 | Hchbcmlh.exe
2728 | Ioochn32.exe
2728 | Ioochn32.exe
2772 | Ibeeeijg.exe
2772 | Ibeeeijg.exe
Drops file in System32 directory (64 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\Lpkkbcle.exe | Lkkfdmpq.exe
File opened for modification | C:\Windows\SysWOW64\Dlbanfbo.exe | Dpkpie32.exe
File created | C:\Windows\SysWOW64\Kmfehcia.dll | Gbhpidak.exe
File created | C:\Windows\SysWOW64\Ghlhpiia.exe | Ggmlffbo.exe
File created | C:\Windows\SysWOW64\Hnimgcjd.exe | Hcolgenf.exe
File opened for modification | C:\Windows\SysWOW64\Akldhi32.exe | Acqpdgni.exe
File opened for modification | C:\Windows\SysWOW64\Ngkfnp32.exe | Nlfaag32.exe
File created | C:\Windows\SysWOW64\Fehodaqd.exe | Fdefgimi.exe
File opened for modification | C:\Windows\SysWOW64\Echpaecj.exe | Epkgkfmd.exe
File created | C:\Windows\SysWOW64\Pblkgh32.exe | Pbjoaibo.exe
File opened for modification | C:\Windows\SysWOW64\Ihhlbegd.exe | Ilbknd32.exe
File created | C:\Windows\SysWOW64\Phdiglap.exe | Poldnf32.exe
File opened for modification | C:\Windows\SysWOW64\Paagkq32.exe | Pcljjd32.exe
File opened for modification | C:\Windows\SysWOW64\Omodibcg.exe | Njnkggfe.exe
File created | C:\Windows\SysWOW64\Oeiakl32.dll | Bncboo32.exe
File created | C:\Windows\SysWOW64\Hadged32.dll | Hldpfnij.exe
File opened for modification | C:\Windows\SysWOW64\Mjknab32.exe | Mmgmhngk.exe
File created | C:\Windows\SysWOW64\Fooomg32.dll | Paagkq32.exe
File created | C:\Windows\SysWOW64\Aipebm32.exe | Akldhi32.exe
File created | C:\Windows\SysWOW64\Jdnkamhm.exe | Jgjkhi32.exe
File opened for modification | C:\Windows\SysWOW64\Ohmneokp.exe | Oihacbfh.exe
File created | C:\Windows\SysWOW64\Njnkggfe.exe | Nmjknb32.exe
File created | C:\Windows\SysWOW64\Lhcbfdbh.dll | Bnmmjd32.exe
File created | C:\Windows\SysWOW64\Niiapeka.dll | Mabfaqca.exe
File opened for modification | C:\Windows\SysWOW64\Pmnino32.exe | Pbhepfbq.exe
File created | C:\Windows\SysWOW64\Gingqjgd.exe | Gpebhd32.exe
File created | C:\Windows\SysWOW64\Enfkfc32.dll | Dblcnngi.exe
File created | C:\Windows\SysWOW64\Olapcm32.exe | Ngdgkf32.exe
File created | C:\Windows\SysWOW64\Gojpmapo.dll | Cmappn32.exe
File created | C:\Windows\SysWOW64\Bgbqlm32.exe | Blmlnd32.exe
File created | C:\Windows\SysWOW64\Lgcmmb32.dll | Fejomjgg.exe
File created | C:\Windows\SysWOW64\Mbomgjkh.dll | Bnjipn32.exe
File opened for modification | C:\Windows\SysWOW64\Fobamgfd.exe | Fieiephm.exe
File created | C:\Windows\SysWOW64\Oeakadfd.dll | Ifckaodd.exe
File created | C:\Windows\SysWOW64\Aibonhfb.dll | Obiiacpe.exe
File created | C:\Windows\SysWOW64\Bdajepnn.dll | Jjimpj32.exe
File created | C:\Windows\SysWOW64\Cokdcc32.dll | Jadnoc32.exe
File created | C:\Windows\SysWOW64\Hpqoofhg.exe | Hfhjfp32.exe
File opened for modification | C:\Windows\SysWOW64\Gfippego.exe | Fdicfbpl.exe
File created | C:\Windows\SysWOW64\Cpaegofj.dll | Habnkkld.exe
File created | C:\Windows\SysWOW64\Ihmene32.exe | Ikiedq32.exe
File opened for modification | C:\Windows\SysWOW64\Aclhap32.exe | Albpef32.exe
File opened for modification | C:\Windows\SysWOW64\Ambohapm.exe | Adjkol32.exe
File created | C:\Windows\SysWOW64\Ahlphpmk.exe | Afkcqg32.exe
File created | C:\Windows\SysWOW64\Elhacpef.exe | Ecmlomgk.exe
File opened for modification | C:\Windows\SysWOW64\Aikine32.exe | Acnqen32.exe
File created | C:\Windows\SysWOW64\Ngonpgqg.exe | Nlfmoidh.exe
File created | C:\Windows\SysWOW64\Fdomqo32.dll | Glpbiaqg.exe
File opened for modification | C:\Windows\SysWOW64\Fpphlp32.exe | Ekcpdi32.exe
File created | C:\Windows\SysWOW64\Pbefbn32.exe | Oadjjfga.exe
File opened for modification | C:\Windows\SysWOW64\Lnlohdhc.exe | Lcbngf32.exe
File created | C:\Windows\SysWOW64\Onacgf32.exe | Najbbepc.exe
File opened for modification | C:\Windows\SysWOW64\Jakjlpif.exe | Jfdigocb.exe
File opened for modification | C:\Windows\SysWOW64\Ellfmm32.exe | Eebnqcjl.exe
File created | C:\Windows\SysWOW64\Cljfipga.dll | Kamooe32.exe
File created | C:\Windows\SysWOW64\Ckpeqn32.exe | Cnlegj32.exe
File created | C:\Windows\SysWOW64\Anklmjnm.dll | Oglgji32.exe
File opened for modification | C:\Windows\SysWOW64\Efifjg32.exe | Emilqb32.exe
File created | C:\Windows\SysWOW64\Eqjjhn32.dll | Hhkjpi32.exe
File opened for modification | C:\Windows\SysWOW64\Nkqlodpk.exe | Nojljcjf.exe
File opened for modification | C:\Windows\SysWOW64\Gdimlllq.exe | Fcipaien.exe
File created | C:\Windows\SysWOW64\Lfamaphn.dll | Nfoinj32.exe
File created | C:\Windows\SysWOW64\Ahijpa32.exe | Ancfbhdh.exe
File created | C:\Windows\SysWOW64\Mjknab32.exe | Mmgmhngk.exe
System Location Discovery: System Language Discovery (1 TTP, 64 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Jkbhjo32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Iaqljman.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Nocfdhfi.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Nmiccl32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Nbfllc32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ghhanbek.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Mlqakaqi.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Jhpbcdqm.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Aqnjml32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Dpnogmbl.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Edljfd32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Hmnmil32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Cidhcg32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Plmdqmpd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ffbkkkcb.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Aofhcmig.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Cobkhe32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Omdbfo32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ehnieaoj.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Gifgml32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Mfbnfcli.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Onplmp32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Hilbfc32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ihclmp32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ifckaodd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Jmlfjn32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ngonpgqg.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Acbigfii.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Pildih32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Kboill32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Opghmjfg.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Hbdfoiki.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Boboknnf.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Mglpjc32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Nknmplji.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Keadoe32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Bgedlbfj.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Pfadke32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Icdllk32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Jpfehq32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Behnkm32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ibaago32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Kjopnh32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Diqabd32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Eloimcca.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Nnenmfbd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Jjibkl32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Papogbef.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Hhkjpi32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Hjeacf32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Nlbncmih.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Bohejibe.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Dgabomfl.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Jfdigocb.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Mlcekgbb.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Nnghjm32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Inpchbdl.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Fbeimf32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ihehbpel.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Idabbpgj.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ggekhhle.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Gpfbfh32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Fbflfomj.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Kjngjj32.exe
Modifies registry class (64 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oahlaoof.dll" | Hpmhhcjk.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ehmglh32.dll" | Chccfe32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Hejaon32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Hmheai32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Kfiajj32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Eehbgj32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oeiakl32.dll" | Bncboo32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Dfecim32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Fehjcc32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Ohifch32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Cclkcdpl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Jennjblp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Ngonpgqg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Imenpfap.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Fdockgqp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lmkihfem.dll" | Mnhgga32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Bgfdjfkh.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Ibeeeijg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Llpajmkq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bomnnc32.dll" | Pdhdcnng.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Mjlbcd32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fiecfgfc.dll" | Fogmaoib.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Dbpplglj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kgagfk32.dll" | Ioochn32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Pbienj32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Dohnfc32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Pkjnmo32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Akldhi32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Nmjknb32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Alifee32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Bgndnd32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Eelinm32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bgjoaane.dll" | Ilfbpk32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Naqkki32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Khfdcgmp.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Kmfpjb32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jleele32.dll" | Lgfpfi32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Qilgneen.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Njobpa32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kqfgcf32.dll" | Ddfjak32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jiacmfbb.dll" | Pjfghl32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Ogiqffhl.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Opaeok32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Ihinkn32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Odlpfblm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Odnmkb32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Alcqcjgd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfakne32.dll" | Fjjeid32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Dlgjie32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Nlfmoidh.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Papmnj32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hogdmb32.dll" | Jjibkl32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Imbakfcc.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Oaecne32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Ihfmdm32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bhlfolad.dll" | Gmflmfpe.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Oefqlmpq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghkabpbh.dll" |
Ddeammok.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Klniao32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Klflfi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Flgdod32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aljomhjp.dll" Dmnkgddc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fdadbd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gmjehe32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes
Each entry gives the nesting depth in the process tree, the PID, the image path, the command line, and the behaviors attributed to that process. The depth grows by one per entry, so every process below was spawned by the one listed directly above it. The dropped executables are launched as C:\Windows\system32\<name>; the SysWOW64 image path is where the 32-bit process actually ran after WOW64 file-system redirection.

depth 1, PID 392: C:\Users\Admin\AppData\Local\Temp\d8018db586ab7ee409d75dedfb265df4cecbc5ad2c80d8074d1cda681c044a09N.exe (command line: "C:\Users\Admin\AppData\Local\Temp\d8018db586ab7ee409d75dedfb265df4cecbc5ad2c80d8074d1cda681c044a09N.exe")
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
depth 2, PID 2892: C:\Windows\SysWOW64\Kkajkoml.exe (command line: C:\Windows\system32\Kkajkoml.exe)
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
depth 3, PID 2820: C:\Windows\SysWOW64\Kppohf32.exe (command line: C:\Windows\system32\Kppohf32.exe)
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
depth 4, PID 2844: C:\Windows\SysWOW64\Kihcakpa.exe (command line: C:\Windows\system32\Kihcakpa.exe)
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
depth 5, PID 2848: C:\Windows\SysWOW64\Mglpjc32.exe (command line: C:\Windows\system32\Mglpjc32.exe)
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
depth 6, PID 2732: C:\Windows\SysWOW64\Mbkkepio.exe (command line: C:\Windows\system32\Mbkkepio.exe)
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
depth 7, PID 2264: C:\Windows\SysWOW64\Nqdaal32.exe (command line: C:\Windows\system32\Nqdaal32.exe)
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
depth 8, PID 2612: C:\Windows\SysWOW64\Nnhakp32.exe (command line: C:\Windows\system32\Nnhakp32.exe)
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
depth 9, PID 832: C:\Windows\SysWOW64\Njobpa32.exe (command line: C:\Windows\system32\Njobpa32.exe)
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
depth 10, PID 2500: C:\Windows\SysWOW64\Nidoamch.exe (command line: C:\Windows\system32\Nidoamch.exe)
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
depth 11, PID 3060: C:\Windows\SysWOW64\Pdllci32.exe (command line: C:\Windows\system32\Pdllci32.exe)
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
depth 12, PID 2152: C:\Windows\SysWOW64\Pdnihiad.exe (command line: C:\Windows\system32\Pdnihiad.exe)
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
depth 13, PID 584: C:\Windows\SysWOW64\Alcqcjgd.exe (command line: C:\Windows\system32\Alcqcjgd.exe)
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
depth 14, PID 1108: C:\Windows\SysWOW64\Achlch32.exe (command line: C:\Windows\system32\Achlch32.exe)
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
depth 15, PID 2076: C:\Windows\SysWOW64\Bgfdjfkh.exe (command line: C:\Windows\system32\Bgfdjfkh.exe)
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
depth 16, PID 2684: C:\Windows\SysWOW64\Cjdmee32.exe (command line: C:\Windows\system32\Cjdmee32.exe)
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
depth 17, PID 1124: C:\Windows\SysWOW64\Cfpgee32.exe (command line: C:\Windows\system32\Cfpgee32.exe)
  - Executes dropped EXE
  - Loads dropped DLL
depth 18, PID 972: C:\Windows\SysWOW64\Dfdqpdja.exe (command line: C:\Windows\system32\Dfdqpdja.exe)
  - Executes dropped EXE
  - Loads dropped DLL
depth 19, PID 1932: C:\Windows\SysWOW64\Dgjfbllj.exe (command line: C:\Windows\system32\Dgjfbllj.exe)
  - Executes dropped EXE
  - Loads dropped DLL
depth 20, PID 112: C:\Windows\SysWOW64\Emilqb32.exe (command line: C:\Windows\system32\Emilqb32.exe)
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
depth 21, PID 1640: C:\Windows\SysWOW64\Efifjg32.exe (command line: C:\Windows\system32\Efifjg32.exe)
  - Executes dropped EXE
  - Loads dropped DLL
depth 22, PID 2008: C:\Windows\SysWOW64\Eleobngo.exe (command line: C:\Windows\system32\Eleobngo.exe)
  - Executes dropped EXE
  - Loads dropped DLL
depth 23, PID 472: C:\Windows\SysWOW64\Flhkhnel.exe (command line: C:\Windows\system32\Flhkhnel.exe)
  - Executes dropped EXE
  - Loads dropped DLL
depth 24, PID 2376: C:\Windows\SysWOW64\Fhaibnim.exe (command line: C:\Windows\system32\Fhaibnim.exe)
  - Executes dropped EXE
  - Loads dropped DLL
depth 25, PID 876: C:\Windows\SysWOW64\Gilhpe32.exe (command line: C:\Windows\system32\Gilhpe32.exe)
  - Executes dropped EXE
  - Loads dropped DLL
depth 26, PID 2124: C:\Windows\SysWOW64\Ggphji32.exe (command line: C:\Windows\system32\Ggphji32.exe)
  - Executes dropped EXE
  - Loads dropped DLL
depth 27, PID 1708: C:\Windows\SysWOW64\Hhhkbqea.exe (command line: C:\Windows\system32\Hhhkbqea.exe)
  - Executes dropped EXE
  - Loads dropped DLL
depth 28, PID 2456: C:\Windows\SysWOW64\Happkf32.exe (command line: C:\Windows\system32\Happkf32.exe)
  - Executes dropped EXE
  - Loads dropped DLL
depth 29, PID 2336: C:\Windows\SysWOW64\Hcdihn32.exe (command line: C:\Windows\system32\Hcdihn32.exe)
  - Executes dropped EXE
  - Loads dropped DLL
depth 30, PID 2928: C:\Windows\SysWOW64\Hchbcmlh.exe (command line: C:\Windows\system32\Hchbcmlh.exe)
  - Executes dropped EXE
  - Loads dropped DLL
depth 31, PID 2728: C:\Windows\SysWOW64\Ioochn32.exe (command line: C:\Windows\system32\Ioochn32.exe)
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies registry class
depth 32, PID 2772: C:\Windows\SysWOW64\Ibeeeijg.exe (command line: C:\Windows\system32\Ibeeeijg.exe)
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies registry class
depth 33, PID 2252: C:\Windows\SysWOW64\Jehklc32.exe (command line: C:\Windows\system32\Jehklc32.exe)
  - Executes dropped EXE
depth 34, PID 2692: C:\Windows\SysWOW64\Jijqeg32.exe (command line: C:\Windows\system32\Jijqeg32.exe)
  - Executes dropped EXE
depth 35, PID 1916: C:\Windows\SysWOW64\Jjimpj32.exe (command line: C:\Windows\system32\Jjimpj32.exe)
  - Executes dropped EXE
  - Drops file in System32 directory
depth 36, PID 2172: C:\Windows\SysWOW64\Jpfehq32.exe (command line: C:\Windows\system32\Jpfehq32.exe)
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
depth 37, PID 1144: C:\Windows\SysWOW64\Kkglim32.exe (command line: C:\Windows\system32\Kkglim32.exe)
  - Executes dropped EXE
depth 38, PID 2900: C:\Windows\SysWOW64\Lkkfdmpq.exe (command line: C:\Windows\system32\Lkkfdmpq.exe)
  - Executes dropped EXE
  - Drops file in System32 directory
depth 39, PID 1744: C:\Windows\SysWOW64\Lpkkbcle.exe (command line: C:\Windows\system32\Lpkkbcle.exe)
  - Executes dropped EXE
depth 40, PID 1728: C:\Windows\SysWOW64\Lejppj32.exe (command line: C:\Windows\system32\Lejppj32.exe)
  - Executes dropped EXE
depth 41, PID 1160: C:\Windows\SysWOW64\Lihifhoq.exe (command line: C:\Windows\system32\Lihifhoq.exe)
  - Executes dropped EXE
depth 42, PID 2212: C:\Windows\SysWOW64\Mdajff32.exe (command line: C:\Windows\system32\Mdajff32.exe)
  - Executes dropped EXE
depth 43, PID 848: C:\Windows\SysWOW64\Mognco32.exe (command line: C:\Windows\system32\Mognco32.exe)
  - Executes dropped EXE
depth 44, PID 2516: C:\Windows\SysWOW64\Mnlkdk32.exe (command line: C:\Windows\system32\Mnlkdk32.exe)
  - Executes dropped EXE
depth 45, PID 2032: C:\Windows\SysWOW64\Mjcljlea.exe (command line: C:\Windows\system32\Mjcljlea.exe)
  - Executes dropped EXE
depth 46, PID 1944: C:\Windows\SysWOW64\Mlcekgbb.exe (command line: C:\Windows\system32\Mlcekgbb.exe)
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
depth 47, PID 2524: C:\Windows\SysWOW64\Nlfaag32.exe (command line: C:\Windows\system32\Nlfaag32.exe)
  - Executes dropped EXE
  - Drops file in System32 directory
depth 48, PID 1988: C:\Windows\SysWOW64\Ngkfnp32.exe (command line: C:\Windows\system32\Ngkfnp32.exe)
  - Executes dropped EXE
depth 49, PID 920: C:\Windows\SysWOW64\Nfqbol32.exe (command line: C:\Windows\system32\Nfqbol32.exe)
  - Executes dropped EXE
depth 50, PID 2648: C:\Windows\SysWOW64\Nbgcdmjb.exe (command line: C:\Windows\system32\Nbgcdmjb.exe)
  - Executes dropped EXE
depth 51, PID 2256: C:\Windows\SysWOW64\Nokdnail.exe (command line: C:\Windows\system32\Nokdnail.exe)
  - Executes dropped EXE
depth 52, PID 2852: C:\Windows\SysWOW64\Nkbdbbop.exe (command line: C:\Windows\system32\Nkbdbbop.exe)
  - Executes dropped EXE
depth 53, PID 2380: C:\Windows\SysWOW64\Oifelfni.exe (command line: C:\Windows\system32\Oifelfni.exe)
  - Executes dropped EXE
depth 54, PID 2736: C:\Windows\SysWOW64\Oemfahcn.exe (command line: C:\Windows\system32\Oemfahcn.exe)
  - Executes dropped EXE
depth 55, PID 2760: C:\Windows\SysWOW64\Oqcffi32.exe (command line: C:\Windows\system32\Oqcffi32.exe)
  - Executes dropped EXE
depth 56, PID 2196: C:\Windows\SysWOW64\Ojlkonpb.exe (command line: C:\Windows\system32\Ojlkonpb.exe)
  - Executes dropped EXE
depth 57, PID 1168: C:\Windows\SysWOW64\Ogpkhb32.exe (command line: C:\Windows\system32\Ogpkhb32.exe)
  - Executes dropped EXE
depth 58, PID 900: C:\Windows\SysWOW64\Ocglmcdp.exe (command line: C:\Windows\system32\Ocglmcdp.exe)
  - Executes dropped EXE
depth 59, PID 2952: C:\Windows\SysWOW64\Pmoqfi32.exe (command line: C:\Windows\system32\Pmoqfi32.exe)
  - Executes dropped EXE
depth 60, PID 1296: C:\Windows\SysWOW64\Pmamliin.exe (command line: C:\Windows\system32\Pmamliin.exe)
  - Executes dropped EXE
depth 61, PID 1804: C:\Windows\SysWOW64\Pihnqj32.exe (command line: C:\Windows\system32\Pihnqj32.exe)
  - Executes dropped EXE
depth 62, PID 1524: C:\Windows\SysWOW64\Peooek32.exe (command line: C:\Windows\system32\Peooek32.exe)
  - Executes dropped EXE
depth 63, PID 2072: C:\Windows\SysWOW64\Pjlgna32.exe (command line: C:\Windows\system32\Pjlgna32.exe)
  - Executes dropped EXE
depth 64, PID 2156: C:\Windows\SysWOW64\Pmmppm32.exe (command line: C:\Windows\system32\Pmmppm32.exe)
  - Executes dropped EXE
depth 65, PID 2548: C:\Windows\SysWOW64\Qfedhb32.exe (command line: C:\Windows\system32\Qfedhb32.exe)
  - Executes dropped EXE
depth 66, PID 456: C:\Windows\SysWOW64\Qfganb32.exe (command line: C:\Windows\system32\Qfganb32.exe)
depth 67, PID 1372: C:\Windows\SysWOW64\Amaiklki.exe (command line: C:\Windows\system32\Amaiklki.exe)
depth 68, PID 572: C:\Windows\SysWOW64\Alfflhpa.exe (command line: C:\Windows\system32\Alfflhpa.exe)
depth 69, PID 1636: C:\Windows\SysWOW64\Apdobg32.exe (command line: C:\Windows\system32\Apdobg32.exe)
  - Adds autorun key to be loaded by Explorer.exe on startup
depth 70, PID 3008: C:\Windows\SysWOW64\Ahpdficc.exe (command line: C:\Windows\system32\Ahpdficc.exe)
depth 71, PID 1600: C:\Windows\SysWOW64\Ahbqliap.exe (command line: C:\Windows\system32\Ahbqliap.exe)
depth 72, PID 2864: C:\Windows\SysWOW64\Abgeiaaf.exe (command line: C:\Windows\system32\Abgeiaaf.exe)
depth 73, PID 2860: C:\Windows\SysWOW64\Behnkm32.exe (command line: C:\Windows\system32\Behnkm32.exe)
  - System Location Discovery: System Language Discovery
depth 74, PID 2408: C:\Windows\SysWOW64\Bncboo32.exe (command line: C:\Windows\system32\Bncboo32.exe)
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Drops file in System32 directory
  - Modifies registry class
depth 75, PID 2924: C:\Windows\SysWOW64\Bnfodojp.exe (command line: C:\Windows\system32\Bnfodojp.exe)
depth 76, PID 2148: C:\Windows\SysWOW64\Bgndnd32.exe (command line: C:\Windows\system32\Bgndnd32.exe)
  - Modifies registry class
depth 77, PID 2780: C:\Windows\SysWOW64\Bnjipn32.exe (command line: C:\Windows\system32\Bnjipn32.exe)
  - Drops file in System32 directory
depth 78, PID 2304: C:\Windows\SysWOW64\Ccgahe32.exe (command line: C:\Windows\system32\Ccgahe32.exe)
depth 79, PID 1688: C:\Windows\SysWOW64\Cjcfjoil.exe (command line: C:\Windows\system32\Cjcfjoil.exe)
depth 80, PID 2180: C:\Windows\SysWOW64\Cclkcdpl.exe (command line: C:\Windows\system32\Cclkcdpl.exe)
  - Modifies registry class
depth 81, PID 540: C:\Windows\SysWOW64\Cobkhe32.exe (command line: C:\Windows\system32\Cobkhe32.exe)
  - System Location Discovery: System Language Discovery
depth 82, PID 2248: C:\Windows\SysWOW64\Cnhhia32.exe (command line: C:\Windows\system32\Cnhhia32.exe)
depth 83, PID 1616: C:\Windows\SysWOW64\Djoinbpm.exe (command line: C:\Windows\system32\Djoinbpm.exe)
depth 84, PID 2272: C:\Windows\SysWOW64\Dqiakm32.exe (command line: C:\Windows\system32\Dqiakm32.exe)
depth 85, PID 2432: C:\Windows\SysWOW64\Ddfjak32.exe (command line: C:\Windows\system32\Ddfjak32.exe)
  - Modifies registry class
depth 86, PID 2216: C:\Windows\SysWOW64\Fjjeid32.exe (command line: C:\Windows\system32\Fjjeid32.exe)
  - Modifies registry class
depth 87, PID 2412: C:\Windows\SysWOW64\Fbeimf32.exe (command line: C:\Windows\system32\Fbeimf32.exe)
  - System Location Discovery: System Language Discovery
depth 88, PID 680: C:\Windows\SysWOW64\Fdefgimi.exe (command line: C:\Windows\system32\Fdefgimi.exe)
  - Drops file in System32 directory
depth 89, PID 2000: C:\Windows\SysWOW64\Fehodaqd.exe (command line: C:\Windows\system32\Fehodaqd.exe)
depth 90, PID 1528: C:\Windows\SysWOW64\Foacmg32.exe (command line: C:\Windows\system32\Foacmg32.exe)
depth 91, PID 2060: C:\Windows\SysWOW64\Gemhpq32.exe (command line: C:\Windows\system32\Gemhpq32.exe)
  - Adds autorun key to be loaded by Explorer.exe on startup
depth 92, PID 884: C:\Windows\SysWOW64\Goemhfco.exe (command line: C:\Windows\system32\Goemhfco.exe)
depth 93, PID 1740: C:\Windows\SysWOW64\Ghpngkhm.exe (command line: C:\Windows\system32\Ghpngkhm.exe)
depth 94, PID 2184: C:\Windows\SysWOW64\Ggekhhle.exe (command line: C:\Windows\system32\Ggekhhle.exe)
  - System Location Discovery: System Language Discovery
depth 95, PID 2948: C:\Windows\SysWOW64\Hghhngjb.exe (command line: C:\Windows\system32\Hghhngjb.exe)
depth 96, PID 2880: C:\Windows\SysWOW64\Hldpfnij.exe (command line: C:\Windows\system32\Hldpfnij.exe)
  - Drops file in System32 directory
depth 97, PID 2588: C:\Windows\SysWOW64\Hjhaob32.exe (command line: C:\Windows\system32\Hjhaob32.exe)
depth 98, PID 1584: C:\Windows\SysWOW64\Hkljljko.exe (command line: C:\Windows\system32\Hkljljko.exe)
depth 99, PID 2104: C:\Windows\SysWOW64\Hojbbiae.exe (command line: C:\Windows\system32\Hojbbiae.exe)
depth 100, PID 2700: C:\Windows\SysWOW64\Hfdkoc32.exe (command line: C:\Windows\system32\Hfdkoc32.exe)
depth 101, PID 1984: C:\Windows\SysWOW64\Ikcpmieg.exe (command line: C:\Windows\system32\Ikcpmieg.exe)
depth 102, PID 1312: C:\Windows\SysWOW64\Iqpiepcn.exe (command line: C:\Windows\system32\Iqpiepcn.exe)
depth 103, PID 2188: C:\Windows\SysWOW64\Iglngj32.exe (command line: C:\Windows\system32\Iglngj32.exe)
depth 104, PID 2404: C:\Windows\SysWOW64\Igojmjgf.exe (command line: C:\Windows\system32\Igojmjgf.exe)
depth 105, PID 1220: C:\Windows\SysWOW64\Iojoalda.exe (command line: C:\Windows\system32\Iojoalda.exe)
depth 106, PID 2012: C:\Windows\SysWOW64\Jkqpfmje.exe (command line: C:\Windows\system32\Jkqpfmje.exe)
depth 107, PID 2284: C:\Windows\SysWOW64\Jkcllmhb.exe (command line: C:\Windows\system32\Jkcllmhb.exe)
  - Adds autorun key to be loaded by Explorer.exe on startup
depth 108, PID 1464: C:\Windows\SysWOW64\Jfhqiegh.exe (command line: C:\Windows\system32\Jfhqiegh.exe)
depth 109, PID 1780: C:\Windows\SysWOW64\Jennjblp.exe (command line: C:\Windows\system32\Jennjblp.exe)
  - Modifies registry class
depth 110, PID 2460: C:\Windows\SysWOW64\Jadnoc32.exe (command line: C:\Windows\system32\Jadnoc32.exe)
  - Drops file in System32 directory
depth 111, PID 2268: C:\Windows\SysWOW64\Kagkebpb.exe (command line: C:\Windows\system32\Kagkebpb.exe)
depth 112, PID 2872: C:\Windows\SysWOW64\Kjopnh32.exe (command line: C:\Windows\system32\Kjopnh32.exe)
  - System Location Discovery: System Language Discovery
depth 113, PID 2324: C:\Windows\SysWOW64\Kgcpgl32.exe (command line: C:\Windows\system32\Kgcpgl32.exe)
depth 114, PID 2712: C:\Windows\SysWOW64\Kcjqlm32.exe (command line: C:\Windows\system32\Kcjqlm32.exe)
depth 115, PID 2600: C:\Windows\SysWOW64\Kiifjd32.exe (command line: C:\Windows\system32\Kiifjd32.exe)
depth 116, PID 2396: C:\Windows\SysWOW64\Kpcngnob.exe (command line: C:\Windows\system32\Kpcngnob.exe)
depth 117, PID 3064: C:\Windows\SysWOW64\Lohkhjcj.exe (command line: C:\Windows\system32\Lohkhjcj.exe)
depth 118, PID 1096: C:\Windows\SysWOW64\Lhqpqp32.exe (command line: C:\Windows\system32\Lhqpqp32.exe)
depth 119, PID 2332: C:\Windows\SysWOW64\Lhclfphg.exe (command line: C:\Windows\system32\Lhclfphg.exe)
depth 120, PID 2908: C:\Windows\SysWOW64\Lakqoe32.exe (command line: C:\Windows\system32\Lakqoe32.exe)
depth 121, PID 2052: C:\Windows\SysWOW64\Lpqnpacp.exe (command line: C:\Windows\system32\Lpqnpacp.exe)
depth 122, PID 2580: C:\Windows\SysWOW64\Lmdnjf32.exe (command line: C:\Windows\system32\Lmdnjf32.exe)