Analysis
max time kernel: 124s
max time network: 18s
platform: windows7_x64
resource: win7-20241010-en
resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
submitted: 22-11-2024 09:28
Static task: static1
Behavioral task: behavioral1
    Sample: abf8a4305142a12f4e4245789223a4b7b6deefd409f18930ed671d44cf98b14b.exe
    Resource: win7-20241010-en
Behavioral task: behavioral2
    Sample: abf8a4305142a12f4e4245789223a4b7b6deefd409f18930ed671d44cf98b14b.exe
    Resource: win10v2004-20241007-en
General
Target: abf8a4305142a12f4e4245789223a4b7b6deefd409f18930ed671d44cf98b14b.exe
Size: 350KB
MD5: 394ee320866e6124545b3fada9541f7d
SHA1: 9647c3e46f03e17c12a94a15c1989550ecd5e41d
SHA256: abf8a4305142a12f4e4245789223a4b7b6deefd409f18930ed671d44cf98b14b
SHA512: 94c1bcc4412ad5ecf38e882e95cd5b43d4661021e2108198e548a1e516789756215f01a090233f22b38a0a604061acbe863cb63b602ccc16756958a707bb19d7
SSDEEP: 6144:l61IqKpSJtpHVILifyeYVDcfflXpX6LRifyeYVDcP:l0nHyefyeYCdXpXZfyeYI
Malware Config
Signatures
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
Executes dropped EXE 64 IoCs
Loads dropped DLL 64 IoCs
Drops file in System32 directory 64 IoCs
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Modifies registry class 64 IoCs
(str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pjfdpckc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Acnhhp32.dll" Bdknfiea.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hpjghg32.dll" Jpjpmqjl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nejdjf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mlfebcnd.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\abf8a4305142a12f4e4245789223a4b7b6deefd409f18930ed671d44cf98b14b.exe"C:\Users\Admin\AppData\Local\Temp\abf8a4305142a12f4e4245789223a4b7b6deefd409f18930ed671d44cf98b14b.exe"1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2116 -
C:\Windows\SysWOW64\Mkggnp32.exeC:\Windows\system32\Mkggnp32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2596 -
C:\Windows\SysWOW64\Memlki32.exeC:\Windows\system32\Memlki32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2948 -
C:\Windows\SysWOW64\Nlbgkgcc.exeC:\Windows\system32\Nlbgkgcc.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2960 -
C:\Windows\SysWOW64\Ocqhcqgk.exeC:\Windows\system32\Ocqhcqgk.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3044 -
C:\Windows\SysWOW64\Olkjaflh.exeC:\Windows\system32\Olkjaflh.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1804 -
C:\Windows\SysWOW64\Pkepnalk.exeC:\Windows\system32\Pkepnalk.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2928 -
C:\Windows\SysWOW64\Pqgbah32.exeC:\Windows\system32\Pqgbah32.exe8⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1552 -
C:\Windows\SysWOW64\Qbmhdp32.exeC:\Windows\system32\Qbmhdp32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1132 -
C:\Windows\SysWOW64\Agnjge32.exeC:\Windows\system32\Agnjge32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1516 -
C:\Windows\SysWOW64\Acejlfhl.exeC:\Windows\system32\Acejlfhl.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:668 -
C:\Windows\SysWOW64\Afecna32.exeC:\Windows\system32\Afecna32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1496 -
C:\Windows\SysWOW64\Bikfklni.exeC:\Windows\system32\Bikfklni.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2028 -
C:\Windows\SysWOW64\Bllomg32.exeC:\Windows\system32\Bllomg32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:588 -
C:\Windows\SysWOW64\Blnkbg32.exeC:\Windows\system32\Blnkbg32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2052 -
C:\Windows\SysWOW64\Chblqlcj.exeC:\Windows\system32\Chblqlcj.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2412 -
C:\Windows\SysWOW64\Dhehfk32.exeC:\Windows\system32\Dhehfk32.exe17⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:624 -
C:\Windows\SysWOW64\Enkdda32.exeC:\Windows\system32\Enkdda32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2700 -
C:\Windows\SysWOW64\Ejdaoa32.exeC:\Windows\system32\Ejdaoa32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1320 -
C:\Windows\SysWOW64\Eoecbheg.exeC:\Windows\system32\Eoecbheg.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1564 -
C:\Windows\SysWOW64\Fohphgce.exeC:\Windows\system32\Fohphgce.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2520 -
C:\Windows\SysWOW64\Fbiijb32.exeC:\Windows\system32\Fbiijb32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:632 -
C:\Windows\SysWOW64\Fmdfppkb.exeC:\Windows\system32\Fmdfppkb.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:576 -
C:\Windows\SysWOW64\Ffmkhe32.exeC:\Windows\system32\Ffmkhe32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1020 -
C:\Windows\SysWOW64\Gjkcod32.exeC:\Windows\system32\Gjkcod32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2592 -
C:\Windows\SysWOW64\Gegaeabe.exeC:\Windows\system32\Gegaeabe.exe26⤵
- Executes dropped EXE
PID:2432 -
C:\Windows\SysWOW64\Gbkaneao.exeC:\Windows\system32\Gbkaneao.exe27⤵
- Loads dropped DLL
PID:2212 -
C:\Windows\SysWOW64\Gdnkkmej.exeC:\Windows\system32\Gdnkkmej.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2424 -
C:\Windows\SysWOW64\Hnflnfbm.exeC:\Windows\system32\Hnflnfbm.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1620 -
C:\Windows\SysWOW64\Hfaqbh32.exeC:\Windows\system32\Hfaqbh32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:3012 -
C:\Windows\SysWOW64\Hidfjckg.exeC:\Windows\system32\Hidfjckg.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1740 -
C:\Windows\SysWOW64\Iencdc32.exeC:\Windows\system32\Iencdc32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2848 -
C:\Windows\SysWOW64\Iofhmi32.exeC:\Windows\system32\Iofhmi32.exe33⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2872 -
C:\Windows\SysWOW64\Ikoehj32.exeC:\Windows\system32\Ikoehj32.exe34⤵
- Executes dropped EXE
PID:2548 -
C:\Windows\SysWOW64\Ihcfan32.exeC:\Windows\system32\Ihcfan32.exe35⤵
- Executes dropped EXE
PID:940 -
C:\Windows\SysWOW64\Jcmgal32.exeC:\Windows\system32\Jcmgal32.exe36⤵
- Executes dropped EXE
PID:1444 -
C:\Windows\SysWOW64\Jcocgkbp.exeC:\Windows\system32\Jcocgkbp.exe37⤵
- Executes dropped EXE
PID:2276 -
C:\Windows\SysWOW64\Jpcdqpqj.exeC:\Windows\system32\Jpcdqpqj.exe38⤵
- Executes dropped EXE
PID:1832 -
C:\Windows\SysWOW64\Jafmngde.exeC:\Windows\system32\Jafmngde.exe39⤵
- Executes dropped EXE
PID:840 -
C:\Windows\SysWOW64\Khcbpa32.exeC:\Windows\system32\Khcbpa32.exe40⤵
- Executes dropped EXE
- Modifies registry class
PID:1352 -
C:\Windows\SysWOW64\Kqqdjceh.exeC:\Windows\system32\Kqqdjceh.exe41⤵
- Executes dropped EXE
PID:2060 -
C:\Windows\SysWOW64\Kqcqpc32.exeC:\Windows\system32\Kqcqpc32.exe42⤵
- Executes dropped EXE
PID:1304 -
C:\Windows\SysWOW64\Kninog32.exeC:\Windows\system32\Kninog32.exe43⤵
- Executes dropped EXE
PID:580 -
C:\Windows\SysWOW64\Lqjfpbmm.exeC:\Windows\system32\Lqjfpbmm.exe44⤵
- Executes dropped EXE
PID:1716 -
C:\Windows\SysWOW64\Lkcgapjl.exeC:\Windows\system32\Lkcgapjl.exe45⤵
- Executes dropped EXE
PID:856 -
C:\Windows\SysWOW64\Lfilnh32.exeC:\Windows\system32\Lfilnh32.exe46⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1868 -
C:\Windows\SysWOW64\Lfkhch32.exeC:\Windows\system32\Lfkhch32.exe47⤵
- Executes dropped EXE
PID:1364 -
C:\Windows\SysWOW64\Lbbiii32.exeC:\Windows\system32\Lbbiii32.exe48⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2204 -
C:\Windows\SysWOW64\Mnijnjbh.exeC:\Windows\system32\Mnijnjbh.exe49⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2604 -
C:\Windows\SysWOW64\Mganfp32.exeC:\Windows\system32\Mganfp32.exe50⤵
- Executes dropped EXE
PID:276 -
C:\Windows\SysWOW64\Mffkgl32.exeC:\Windows\system32\Mffkgl32.exe51⤵
- Executes dropped EXE
PID:1828 -
C:\Windows\SysWOW64\Mpoppadq.exeC:\Windows\system32\Mpoppadq.exe52⤵
- Executes dropped EXE
PID:1256 -
C:\Windows\SysWOW64\Mmcpjfcj.exeC:\Windows\system32\Mmcpjfcj.exe53⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2192 -
C:\Windows\SysWOW64\Mpalfabn.exeC:\Windows\system32\Mpalfabn.exe54⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:584 -
C:\Windows\SysWOW64\Miiaogio.exeC:\Windows\system32\Miiaogio.exe55⤵
- Executes dropped EXE
PID:2932 -
C:\Windows\SysWOW64\Npcika32.exeC:\Windows\system32\Npcika32.exe56⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2828 -
C:\Windows\SysWOW64\Npffaq32.exeC:\Windows\system32\Npffaq32.exe57⤵
- Executes dropped EXE
PID:1968 -
C:\Windows\SysWOW64\Nejdjf32.exeC:\Windows\system32\Nejdjf32.exe58⤵
- Executes dropped EXE
- Modifies registry class
PID:2984 -
C:\Windows\SysWOW64\Ohjmlaci.exeC:\Windows\system32\Ohjmlaci.exe59⤵
- Executes dropped EXE
PID:2136 -
C:\Windows\SysWOW64\Odanqb32.exeC:\Windows\system32\Odanqb32.exe60⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2344 -
C:\Windows\SysWOW64\Oingii32.exeC:\Windows\system32\Oingii32.exe61⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2216 -
C:\Windows\SysWOW64\Oipcnieb.exeC:\Windows\system32\Oipcnieb.exe62⤵
- Executes dropped EXE
PID:904 -
C:\Windows\SysWOW64\Ocihgo32.exeC:\Windows\system32\Ocihgo32.exe63⤵
- Executes dropped EXE
PID:520 -
C:\Windows\SysWOW64\Opmhqc32.exeC:\Windows\system32\Opmhqc32.exe64⤵
- Executes dropped EXE
PID:2228 -
C:\Windows\SysWOW64\Peiaij32.exeC:\Windows\system32\Peiaij32.exe65⤵
- Executes dropped EXE
PID:960 -
C:\Windows\SysWOW64\Papank32.exeC:\Windows\system32\Papank32.exe66⤵
- Executes dropped EXE
PID:1356 -
C:\Windows\SysWOW64\Pabncj32.exeC:\Windows\system32\Pabncj32.exe67⤵
- Modifies registry class
PID:1308 -
C:\Windows\SysWOW64\Pofomolo.exeC:\Windows\system32\Pofomolo.exe68⤵PID:2388
-
C:\Windows\SysWOW64\Pgacaaij.exeC:\Windows\system32\Pgacaaij.exe69⤵PID:1816
-
C:\Windows\SysWOW64\Pqjhjf32.exeC:\Windows\system32\Pqjhjf32.exe70⤵PID:2364
-
C:\Windows\SysWOW64\Pkplgoop.exeC:\Windows\system32\Pkplgoop.exe71⤵PID:1236
-
C:\Windows\SysWOW64\Qdhqpe32.exeC:\Windows\system32\Qdhqpe32.exe72⤵PID:2836
-
C:\Windows\SysWOW64\Qfimhmlo.exeC:\Windows\system32\Qfimhmlo.exe73⤵PID:3068
-
C:\Windows\SysWOW64\Qgiibp32.exeC:\Windows\system32\Qgiibp32.exe74⤵PID:2852
-
C:\Windows\SysWOW64\Aodnfbpm.exeC:\Windows\system32\Aodnfbpm.exe75⤵PID:2880
-
C:\Windows\SysWOW64\Ailboh32.exeC:\Windows\system32\Ailboh32.exe76⤵PID:1040
-
C:\Windows\SysWOW64\Abeghmmn.exeC:\Windows\system32\Abeghmmn.exe77⤵PID:1652
-
C:\Windows\SysWOW64\Amjkefmd.exeC:\Windows\system32\Amjkefmd.exe78⤵PID:2860
-
C:\Windows\SysWOW64\Agdlfd32.exeC:\Windows\system32\Agdlfd32.exe79⤵PID:1780
-
C:\Windows\SysWOW64\Abiqcm32.exeC:\Windows\system32\Abiqcm32.exe80⤵PID:2240
-
C:\Windows\SysWOW64\Ajdego32.exeC:\Windows\system32\Ajdego32.exe81⤵PID:2124
-
C:\Windows\SysWOW64\Bjgbmoda.exeC:\Windows\system32\Bjgbmoda.exe82⤵PID:900
-
C:\Windows\SysWOW64\Bcoffd32.exeC:\Windows\system32\Bcoffd32.exe83⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1572 -
C:\Windows\SysWOW64\Bacgohjk.exeC:\Windows\system32\Bacgohjk.exe84⤵PID:1080
-
C:\Windows\SysWOW64\Bjlkhn32.exeC:\Windows\system32\Bjlkhn32.exe85⤵PID:608
-
C:\Windows\SysWOW64\Bcdpacgl.exeC:\Windows\system32\Bcdpacgl.exe86⤵PID:1544
-
C:\Windows\SysWOW64\Blodefdg.exeC:\Windows\system32\Blodefdg.exe87⤵PID:1808
-
C:\Windows\SysWOW64\Behinlkh.exeC:\Windows\system32\Behinlkh.exe88⤵
- Modifies registry class
PID:2128 -
C:\Windows\SysWOW64\Cbljgpja.exeC:\Windows\system32\Cbljgpja.exe89⤵PID:3032
-
C:\Windows\SysWOW64\Ciebdj32.exeC:\Windows\system32\Ciebdj32.exe90⤵
- System Location Discovery: System Language Discovery
PID:1616 -
C:\Windows\SysWOW64\Cobjmq32.exeC:\Windows\system32\Cobjmq32.exe91⤵
- System Location Discovery: System Language Discovery
PID:264 -
C:\Windows\SysWOW64\Cihojiok.exeC:\Windows\system32\Cihojiok.exe92⤵PID:2316
-
C:\Windows\SysWOW64\Ceoooj32.exeC:\Windows\system32\Ceoooj32.exe93⤵PID:1400
-
C:\Windows\SysWOW64\Cogdhpkp.exeC:\Windows\system32\Cogdhpkp.exe94⤵PID:1956
-
C:\Windows\SysWOW64\Cfbhlb32.exeC:\Windows\system32\Cfbhlb32.exe95⤵PID:2476
-
C:\Windows\SysWOW64\Cmlqimph.exeC:\Windows\system32\Cmlqimph.exe96⤵PID:1960
-
C:\Windows\SysWOW64\Dkpabqoa.exeC:\Windows\system32\Dkpabqoa.exe97⤵PID:1996
-
C:\Windows\SysWOW64\Ddhekfeb.exeC:\Windows\system32\Ddhekfeb.exe98⤵PID:1744
-
C:\Windows\SysWOW64\Dbnblb32.exeC:\Windows\system32\Dbnblb32.exe99⤵PID:1768
-
C:\Windows\SysWOW64\Deahcneh.exeC:\Windows\system32\Deahcneh.exe100⤵PID:892
-
C:\Windows\SysWOW64\Ehfkphnd.exeC:\Windows\system32\Ehfkphnd.exe101⤵PID:888
-
C:\Windows\SysWOW64\Eaalom32.exeC:\Windows\system32\Eaalom32.exe102⤵PID:2912
-
C:\Windows\SysWOW64\Egndgdai.exeC:\Windows\system32\Egndgdai.exe103⤵
- Drops file in System32 directory
PID:2976 -
C:\Windows\SysWOW64\Fcdele32.exeC:\Windows\system32\Fcdele32.exe104⤵PID:2864
-
C:\Windows\SysWOW64\Fnjiin32.exeC:\Windows\system32\Fnjiin32.exe105⤵PID:2924
-
C:\Windows\SysWOW64\Fonbff32.exeC:\Windows\system32\Fonbff32.exe106⤵PID:1492
-
C:\Windows\SysWOW64\Fkdckgpc.exeC:\Windows\system32\Fkdckgpc.exe107⤵PID:1248
-
C:\Windows\SysWOW64\Fihcdkom.exeC:\Windows\system32\Fihcdkom.exe108⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1324 -
C:\Windows\SysWOW64\Godhgedg.exeC:\Windows\system32\Godhgedg.exe109⤵PID:2556
-
C:\Windows\SysWOW64\Gnjehaio.exeC:\Windows\system32\Gnjehaio.exe110⤵PID:1348
-
C:\Windows\SysWOW64\Gjqfmb32.exeC:\Windows\system32\Gjqfmb32.exe111⤵PID:1760
-
C:\Windows\SysWOW64\Gjccbb32.exeC:\Windows\system32\Gjccbb32.exe112⤵PID:972
-
C:\Windows\SysWOW64\Gamkol32.exeC:\Windows\system32\Gamkol32.exe113⤵PID:912
-
C:\Windows\SysWOW64\Hflpmb32.exeC:\Windows\system32\Hflpmb32.exe114⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2584 -
C:\Windows\SysWOW64\Hbcabc32.exeC:\Windows\system32\Hbcabc32.exe115⤵PID:1232
-
C:\Windows\SysWOW64\Hnjagdlj.exeC:\Windows\system32\Hnjagdlj.exe116⤵PID:1204
-
C:\Windows\SysWOW64\Hnlnmd32.exeC:\Windows\system32\Hnlnmd32.exe117⤵PID:760
-
C:\Windows\SysWOW64\Ihgpkinf.exeC:\Windows\system32\Ihgpkinf.exe118⤵PID:872
-
C:\Windows\SysWOW64\Ihilqi32.exeC:\Windows\system32\Ihilqi32.exe119⤵PID:1632
-
C:\Windows\SysWOW64\Idpmejag.exeC:\Windows\system32\Idpmejag.exe120⤵PID:2536
-
C:\Windows\SysWOW64\Iadnon32.exeC:\Windows\system32\Iadnon32.exe121⤵PID:2868
-
C:\Windows\SysWOW64\Iefchacp.exeC:\Windows\system32\Iefchacp.exe122⤵PID:1952