Analysis
max time kernel: 82s
max time network: 18s
platform: windows7_x64
resource: win7-20241010-en
resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
submitted: 22-11-2024 09:24
Static task: static1
Behavioral task: behavioral1
  Sample: abf8a4305142a12f4e4245789223a4b7b6deefd409f18930ed671d44cf98b14b.exe
  Resource: win7-20241010-en
Behavioral task: behavioral2
  Sample: abf8a4305142a12f4e4245789223a4b7b6deefd409f18930ed671d44cf98b14b.exe
  Resource: win10v2004-20241007-en
General
Target: abf8a4305142a12f4e4245789223a4b7b6deefd409f18930ed671d44cf98b14b.exe
Size: 350KB
MD5: 394ee320866e6124545b3fada9541f7d
SHA1: 9647c3e46f03e17c12a94a15c1989550ecd5e41d
SHA256: abf8a4305142a12f4e4245789223a4b7b6deefd409f18930ed671d44cf98b14b
SHA512: 94c1bcc4412ad5ecf38e882e95cd5b43d4661021e2108198e548a1e516789756215f01a090233f22b38a0a604061acbe863cb63b602ccc16756958a707bb19d7
SSDEEP: 6144:l61IqKpSJtpHVILifyeYVDcfflXpX6LRifyeYVDcP:l0nHyefyeYCdXpXZfyeYI
Malware Config
Signatures
Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
Executes dropped EXE (64 IoCs)
Loads dropped DLL (64 IoCs)
Drops file in System32 directory (64 IoCs)
Program crash (1 IoC)
Process: WerFault.exe, pid 2104, pid_target 3656, procid_target 699
System Location Discovery: System Language Discovery (1 TTP, 64 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Modifies registry class (64 IoCs)
\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Oljbil32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hbjcegko.dll" Ejeglg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gaahmd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Onkjocjd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ieaekdkn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjjoef32.dll" Jnnehb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bmoaniqh.dll" Aihenoef.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
Processes
-
C:\Users\Admin\AppData\Local\Temp\abf8a4305142a12f4e4245789223a4b7b6deefd409f18930ed671d44cf98b14b.exe"C:\Users\Admin\AppData\Local\Temp\abf8a4305142a12f4e4245789223a4b7b6deefd409f18930ed671d44cf98b14b.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2536 -
C:\Windows\SysWOW64\Bnkmakbb.exeC:\Windows\system32\Bnkmakbb.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2236 -
C:\Windows\SysWOW64\Bgcbja32.exeC:\Windows\system32\Bgcbja32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3012 -
C:\Windows\SysWOW64\Cpemob32.exeC:\Windows\system32\Cpemob32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3024 -
C:\Windows\SysWOW64\Ccceeqfl.exeC:\Windows\system32\Ccceeqfl.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2896 -
C:\Windows\SysWOW64\Dhekodik.exeC:\Windows\system32\Dhekodik.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2712 -
C:\Windows\SysWOW64\Danohi32.exeC:\Windows\system32\Danohi32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2256 -
C:\Windows\SysWOW64\Dgoakpjn.exeC:\Windows\system32\Dgoakpjn.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2688 -
C:\Windows\SysWOW64\Egfglocf.exeC:\Windows\system32\Egfglocf.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2816 -
C:\Windows\SysWOW64\Ecodfogg.exeC:\Windows\system32\Ecodfogg.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2916 -
C:\Windows\SysWOW64\Fnkblm32.exeC:\Windows\system32\Fnkblm32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2416 -
C:\Windows\SysWOW64\Fqqdigko.exeC:\Windows\system32\Fqqdigko.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2664 -
C:\Windows\SysWOW64\Gmjbchnq.exeC:\Windows\system32\Gmjbchnq.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1084 -
C:\Windows\SysWOW64\Ghqchi32.exeC:\Windows\system32\Ghqchi32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2140 -
C:\Windows\SysWOW64\Gcfgfack.exeC:\Windows\system32\Gcfgfack.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2052 -
C:\Windows\SysWOW64\Hchpjddc.exeC:\Windows\system32\Hchpjddc.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:316 -
C:\Windows\SysWOW64\Ifiilp32.exeC:\Windows\system32\Ifiilp32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:808 -
C:\Windows\SysWOW64\Iecohl32.exeC:\Windows\system32\Iecohl32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1600 -
C:\Windows\SysWOW64\Ieelnkpd.exeC:\Windows\system32\Ieelnkpd.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2528 -
C:\Windows\SysWOW64\Jdobjgqg.exeC:\Windows\system32\Jdobjgqg.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1916 -
C:\Windows\SysWOW64\Jpfcohfk.exeC:\Windows\system32\Jpfcohfk.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2644 -
C:\Windows\SysWOW64\Kokppd32.exeC:\Windows\system32\Kokppd32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1288 -
C:\Windows\SysWOW64\Kdjenkgh.exeC:\Windows\system32\Kdjenkgh.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2012 -
C:\Windows\SysWOW64\Kejahn32.exeC:\Windows\system32\Kejahn32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2796 -
C:\Windows\SysWOW64\Kgmkef32.exeC:\Windows\system32\Kgmkef32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:520 -
C:\Windows\SysWOW64\Lnipgp32.exeC:\Windows\system32\Lnipgp32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2380 -
C:\Windows\SysWOW64\Llomhllh.exeC:\Windows\system32\Llomhllh.exe27⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1564 -
C:\Windows\SysWOW64\Ljbmbpkb.exeC:\Windows\system32\Ljbmbpkb.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2860 -
C:\Windows\SysWOW64\Lcmopepp.exeC:\Windows\system32\Lcmopepp.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2072 -
C:\Windows\SysWOW64\Mbbkabdh.exeC:\Windows\system32\Mbbkabdh.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1184 -
C:\Windows\SysWOW64\Mdcdcmai.exeC:\Windows\system32\Mdcdcmai.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2716 -
C:\Windows\SysWOW64\Mjbiac32.exeC:\Windows\system32\Mjbiac32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2828 -
C:\Windows\SysWOW64\Mjeffc32.exeC:\Windows\system32\Mjeffc32.exe33⤵
- Executes dropped EXE
PID:2772 -
C:\Windows\SysWOW64\Mjgclcjh.exeC:\Windows\system32\Mjgclcjh.exe34⤵
- Executes dropped EXE
PID:2180 -
C:\Windows\SysWOW64\Npdkdjhp.exeC:\Windows\system32\Npdkdjhp.exe35⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2776 -
C:\Windows\SysWOW64\Nehjmppo.exeC:\Windows\system32\Nehjmppo.exe36⤵
- Executes dropped EXE
PID:3036 -
C:\Windows\SysWOW64\Nbljfdoh.exeC:\Windows\system32\Nbljfdoh.exe37⤵
- Executes dropped EXE
PID:1704 -
C:\Windows\SysWOW64\Omekgakg.exeC:\Windows\system32\Omekgakg.exe38⤵
- Executes dropped EXE
PID:2676 -
C:\Windows\SysWOW64\Omhhma32.exeC:\Windows\system32\Omhhma32.exe39⤵
- Executes dropped EXE
PID:2208 -
C:\Windows\SysWOW64\Oddmokoo.exeC:\Windows\system32\Oddmokoo.exe40⤵
- Executes dropped EXE
PID:2192 -
C:\Windows\SysWOW64\Opkndldc.exeC:\Windows\system32\Opkndldc.exe41⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1824 -
C:\Windows\SysWOW64\Plaoim32.exeC:\Windows\system32\Plaoim32.exe42⤵
- Executes dropped EXE
PID:2328 -
C:\Windows\SysWOW64\Pbnckg32.exeC:\Windows\system32\Pbnckg32.exe43⤵
- Executes dropped EXE
PID:2556 -
C:\Windows\SysWOW64\Pihlhagn.exeC:\Windows\system32\Pihlhagn.exe44⤵
- Executes dropped EXE
PID:560 -
C:\Windows\SysWOW64\Pkkeeikj.exeC:\Windows\system32\Pkkeeikj.exe45⤵
- Executes dropped EXE
PID:2692 -
C:\Windows\SysWOW64\Paemac32.exeC:\Windows\system32\Paemac32.exe46⤵
- Executes dropped EXE
PID:932 -
C:\Windows\SysWOW64\Pdffcn32.exeC:\Windows\system32\Pdffcn32.exe47⤵
- Executes dropped EXE
- Modifies registry class
PID:1548 -
C:\Windows\SysWOW64\Qpmgho32.exeC:\Windows\system32\Qpmgho32.exe48⤵
- Executes dropped EXE
PID:2800 -
C:\Windows\SysWOW64\Aellfe32.exeC:\Windows\system32\Aellfe32.exe49⤵
- Executes dropped EXE
PID:956 -
C:\Windows\SysWOW64\Alfdcp32.exeC:\Windows\system32\Alfdcp32.exe50⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2388 -
C:\Windows\SysWOW64\Ajjeld32.exeC:\Windows\system32\Ajjeld32.exe51⤵
- Executes dropped EXE
- Modifies registry class
PID:264 -
C:\Windows\SysWOW64\Aogmdk32.exeC:\Windows\system32\Aogmdk32.exe52⤵
- Executes dropped EXE
PID:1092 -
C:\Windows\SysWOW64\Alknnodh.exeC:\Windows\system32\Alknnodh.exe53⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1668 -
C:\Windows\SysWOW64\Almjcobe.exeC:\Windows\system32\Almjcobe.exe54⤵
- Executes dropped EXE
PID:2840 -
C:\Windows\SysWOW64\Afeold32.exeC:\Windows\system32\Afeold32.exe55⤵
- Executes dropped EXE
PID:3028 -
C:\Windows\SysWOW64\Bnqcaffa.exeC:\Windows\system32\Bnqcaffa.exe56⤵
- Executes dropped EXE
PID:2172 -
C:\Windows\SysWOW64\Bdklnq32.exeC:\Windows\system32\Bdklnq32.exe57⤵
- Executes dropped EXE
PID:2148 -
C:\Windows\SysWOW64\Bjgdfg32.exeC:\Windows\system32\Bjgdfg32.exe58⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2632 -
C:\Windows\SysWOW64\Bqambacb.exeC:\Windows\system32\Bqambacb.exe59⤵
- Executes dropped EXE
PID:2568 -
C:\Windows\SysWOW64\Bjjakg32.exeC:\Windows\system32\Bjjakg32.exe60⤵
- Executes dropped EXE
PID:2176 -
C:\Windows\SysWOW64\Bqciha32.exeC:\Windows\system32\Bqciha32.exe61⤵
- Executes dropped EXE
PID:1796 -
C:\Windows\SysWOW64\Boifinfg.exeC:\Windows\system32\Boifinfg.exe62⤵
- Executes dropped EXE
- Modifies registry class
PID:2108 -
C:\Windows\SysWOW64\Cemebcnf.exeC:\Windows\system32\Cemebcnf.exe63⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2200 -
C:\Windows\SysWOW64\Cgmndokg.exeC:\Windows\system32\Cgmndokg.exe64⤵
- Executes dropped EXE
PID:580 -
C:\Windows\SysWOW64\Dgbgon32.exeC:\Windows\system32\Dgbgon32.exe65⤵
- Executes dropped EXE
PID:2672 -
C:\Windows\SysWOW64\Dajlhc32.exeC:\Windows\system32\Dajlhc32.exe66⤵PID:1516
-
C:\Windows\SysWOW64\Dfgdpj32.exeC:\Windows\system32\Dfgdpj32.exe67⤵PID:1020
-
C:\Windows\SysWOW64\Damhmc32.exeC:\Windows\system32\Damhmc32.exe68⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:1384 -
C:\Windows\SysWOW64\Dpbenpqh.exeC:\Windows\system32\Dpbenpqh.exe69⤵PID:1588
-
C:\Windows\SysWOW64\Dpdbdo32.exeC:\Windows\system32\Dpdbdo32.exe70⤵
- Drops file in System32 directory
PID:2304 -
C:\Windows\SysWOW64\Deajlf32.exeC:\Windows\system32\Deajlf32.exe71⤵PID:2988
-
C:\Windows\SysWOW64\Epgoio32.exeC:\Windows\system32\Epgoio32.exe72⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2264 -
C:\Windows\SysWOW64\Ehbcnajn.exeC:\Windows\system32\Ehbcnajn.exe73⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1128 -
C:\Windows\SysWOW64\Eefdgeig.exeC:\Windows\system32\Eefdgeig.exe74⤵
- System Location Discovery: System Language Discovery
PID:1580 -
C:\Windows\SysWOW64\Eamdlf32.exeC:\Windows\system32\Eamdlf32.exe75⤵PID:2100
-
C:\Windows\SysWOW64\Edkahbmo.exeC:\Windows\system32\Edkahbmo.exe76⤵PID:2932
-
C:\Windows\SysWOW64\Eaoaafli.exeC:\Windows\system32\Eaoaafli.exe77⤵
- System Location Discovery: System Language Discovery
PID:2908 -
C:\Windows\SysWOW64\Edmnnakm.exeC:\Windows\system32\Edmnnakm.exe78⤵PID:2224
-
C:\Windows\SysWOW64\Epdncb32.exeC:\Windows\system32\Epdncb32.exe79⤵
- System Location Discovery: System Language Discovery
PID:2464 -
C:\Windows\SysWOW64\Fcbjon32.exeC:\Windows\system32\Fcbjon32.exe80⤵
- Drops file in System32 directory
PID:2332 -
C:\Windows\SysWOW64\Fpfkhbon.exeC:\Windows\system32\Fpfkhbon.exe81⤵PID:2364
-
C:\Windows\SysWOW64\Flmlmc32.exeC:\Windows\system32\Flmlmc32.exe82⤵PID:2512
-
C:\Windows\SysWOW64\Fialggcl.exeC:\Windows\system32\Fialggcl.exe83⤵PID:1512
-
C:\Windows\SysWOW64\Fpkdca32.exeC:\Windows\system32\Fpkdca32.exe84⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:1652 -
C:\Windows\SysWOW64\Fehmlh32.exeC:\Windows\system32\Fehmlh32.exe85⤵PID:1676
-
C:\Windows\SysWOW64\Fclmem32.exeC:\Windows\system32\Fclmem32.exe86⤵
- Modifies registry class
PID:688 -
C:\Windows\SysWOW64\Gocnjn32.exeC:\Windows\system32\Gocnjn32.exe87⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2652 -
C:\Windows\SysWOW64\Gemfghek.exeC:\Windows\system32\Gemfghek.exe88⤵PID:1568
-
C:\Windows\SysWOW64\Gacgli32.exeC:\Windows\system32\Gacgli32.exe89⤵PID:2436
-
C:\Windows\SysWOW64\Gklkdn32.exeC:\Windows\system32\Gklkdn32.exe90⤵PID:2752
-
C:\Windows\SysWOW64\Gnjhaj32.exeC:\Windows\system32\Gnjhaj32.exe91⤵PID:1720
-
C:\Windows\SysWOW64\Gddpndhp.exeC:\Windows\system32\Gddpndhp.exe92⤵PID:2732
-
C:\Windows\SysWOW64\Gjahfkfg.exeC:\Windows\system32\Gjahfkfg.exe93⤵PID:2308
-
C:\Windows\SysWOW64\Gdfmccfm.exeC:\Windows\system32\Gdfmccfm.exe94⤵PID:828
-
C:\Windows\SysWOW64\Gnoaliln.exeC:\Windows\system32\Gnoaliln.exe95⤵PID:2472
-
C:\Windows\SysWOW64\Gopnca32.exeC:\Windows\system32\Gopnca32.exe96⤵PID:1132
-
C:\Windows\SysWOW64\Hfjfpkji.exeC:\Windows\system32\Hfjfpkji.exe97⤵PID:2596
-
C:\Windows\SysWOW64\Hhhblgim.exeC:\Windows\system32\Hhhblgim.exe98⤵PID:1872
-
C:\Windows\SysWOW64\Hcnfjpib.exeC:\Windows\system32\Hcnfjpib.exe99⤵PID:1428
-
C:\Windows\SysWOW64\Hmighemp.exeC:\Windows\system32\Hmighemp.exe100⤵PID:2468
-
C:\Windows\SysWOW64\Hiphmf32.exeC:\Windows\system32\Hiphmf32.exe101⤵
- Drops file in System32 directory
PID:1012 -
C:\Windows\SysWOW64\Hgeenb32.exeC:\Windows\system32\Hgeenb32.exe102⤵PID:912
-
C:\Windows\SysWOW64\Iapfmg32.exeC:\Windows\system32\Iapfmg32.exe103⤵PID:2640
-
C:\Windows\SysWOW64\Ipecndab.exeC:\Windows\system32\Ipecndab.exe104⤵
- Drops file in System32 directory
PID:2996 -
C:\Windows\SysWOW64\Ifahpnfl.exeC:\Windows\system32\Ifahpnfl.exe105⤵PID:2868
-
C:\Windows\SysWOW64\Ibhieo32.exeC:\Windows\system32\Ibhieo32.exe106⤵PID:2560
-
C:\Windows\SysWOW64\Jlpmndba.exeC:\Windows\system32\Jlpmndba.exe107⤵PID:3016
-
C:\Windows\SysWOW64\Jlbjcd32.exeC:\Windows\system32\Jlbjcd32.exe108⤵
- Drops file in System32 directory
PID:2964 -
C:\Windows\SysWOW64\Jifkmh32.exeC:\Windows\system32\Jifkmh32.exe109⤵PID:2948
-
C:\Windows\SysWOW64\Jjjdjp32.exeC:\Windows\system32\Jjjdjp32.exe110⤵PID:972
-
C:\Windows\SysWOW64\Jephgi32.exeC:\Windows\system32\Jephgi32.exe111⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1792 -
C:\Windows\SysWOW64\Kfcadq32.exeC:\Windows\system32\Kfcadq32.exe112⤵
- Drops file in System32 directory
PID:2292 -
C:\Windows\SysWOW64\Kbjbibli.exeC:\Windows\system32\Kbjbibli.exe113⤵PID:1688
-
C:\Windows\SysWOW64\Kmpfgklo.exeC:\Windows\system32\Kmpfgklo.exe114⤵
- Drops file in System32 directory
PID:2612 -
C:\Windows\SysWOW64\Kocodbpk.exeC:\Windows\system32\Kocodbpk.exe115⤵PID:2684
-
C:\Windows\SysWOW64\Khkdmh32.exeC:\Windows\system32\Khkdmh32.exe116⤵PID:2412
-
C:\Windows\SysWOW64\Koelibnh.exeC:\Windows\system32\Koelibnh.exe117⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1660 -
C:\Windows\SysWOW64\Lhbjmg32.exeC:\Windows\system32\Lhbjmg32.exe118⤵PID:692
-
C:\Windows\SysWOW64\Mcendc32.exeC:\Windows\system32\Mcendc32.exe119⤵PID:1076
-
C:\Windows\SysWOW64\Mhbflj32.exeC:\Windows\system32\Mhbflj32.exe120⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:2976 -
C:\Windows\SysWOW64\Mchjjc32.exeC:\Windows\system32\Mchjjc32.exe121⤵PID:2872
-
C:\Windows\SysWOW64\Mnakjaoc.exeC:\Windows\system32\Mnakjaoc.exe122⤵PID:2068
-