Analysis
-
max time kernel
43s -
max time network
16s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
22-11-2024 09:41
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
3faa1b32b65257db91d55eaae7fcc2df3beceb2dd0519170f77a4aa03160f05b.exe
Resource
win7-20240903-en
windows7-x64
8 signatures
120 seconds
Behavioral task
behavioral2
Sample
3faa1b32b65257db91d55eaae7fcc2df3beceb2dd0519170f77a4aa03160f05b.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
7 signatures
120 seconds
General
-
Target
3faa1b32b65257db91d55eaae7fcc2df3beceb2dd0519170f77a4aa03160f05b.exe
-
Size
395KB
-
MD5
795d45073bf92790c24e227e3995bbdd
-
SHA1
6b2e36d8269e0229d429487c506e2a7a858181ef
-
SHA256
3faa1b32b65257db91d55eaae7fcc2df3beceb2dd0519170f77a4aa03160f05b
-
SHA512
ac5c47d313912d242912cfba159cc6d426dfe94a1734b4e4c165ea83744ff66f66c241f6ff9dc7310e18ba660b6a6906d6c27ecf8b4e2014cec64e3dd0ad8ec1
-
SSDEEP
6144:IVt/pmyvFOis4y70u4HXs4yr0u490u4Ds4yvW8lM:6t/UkE4O0dHc4i0d90dA4n
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
Processes:
Gfmgelil.exeQfljkp32.exeModlbmmn.exePicojhcm.exeLlepen32.exeEaphjp32.exeEkhmcelc.exeMjaddn32.exeIlcalnii.exeDadbdkld.exeEhjona32.exeGjpqpl32.exeKhjgel32.exeOonldcih.exeKfibhjlj.exeBccmmf32.exeEakhdj32.exeBefmfpbi.exeDphmloih.exeKgcnahoo.exeNppofado.exePiliii32.exeLkakicam.exeJhdlad32.exeApppkekc.exeHoqjqhjf.exeGnmifk32.exeKkoncdcp.exeBckjhl32.exeHgpjhn32.exeOdebolpe.exeMeoell32.exeOlbfagca.exeBjkhdacm.exeDfphcj32.exeEcnoijbd.exeIafnjg32.exeCgaaah32.exeIbfaopoi.exeKcamjb32.exeQobbofgn.exePkmlmbcd.exeEgjbdo32.exeMgmahg32.exeDlgnmb32.exeCkolek32.exeElfcbo32.exeFleifl32.exeGmhkin32.exeQiioon32.exeBniajoic.exeDaacecfc.exeMbhlek32.exeGmhbkohm.exeLnqjnhge.exeMimemp32.exeKhcomhbi.exeCopjdhib.exeIhpfgalh.exeBigkel32.exedescription ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gfmgelil.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qfljkp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Modlbmmn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Picojhcm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Llepen32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eaphjp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ekhmcelc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mjaddn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ilcalnii.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dadbdkld.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ehjona32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gjpqpl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Khjgel32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oonldcih.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kfibhjlj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bccmmf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eakhdj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Befmfpbi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dphmloih.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kgcnahoo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nppofado.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Piliii32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lkakicam.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dphmloih.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jhdlad32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Apppkekc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eakhdj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hoqjqhjf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gnmifk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kkoncdcp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bckjhl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hgpjhn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Odebolpe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Meoell32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Olbfagca.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bjkhdacm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dfphcj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ecnoijbd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iafnjg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cgaaah32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ibfaopoi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kcamjb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qobbofgn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pkmlmbcd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Egjbdo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mgmahg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dlgnmb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ckolek32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Elfcbo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fleifl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gmhkin32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qiioon32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bniajoic.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qobbofgn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Daacecfc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hgpjhn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mbhlek32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gmhbkohm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lnqjnhge.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mimemp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Khcomhbi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Copjdhib.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ihpfgalh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bigkel32.exe -
Executes dropped EXE 64 IoCs
Processes:
Lobgoh32.exeLpgajgeg.exeMcifdj32.exeMhgoji32.exeMimemp32.exeNoljjglk.exeNamclbil.exeNkegeg32.exeNemhhpmp.exeOdebolpe.exeOhidmoaa.exeOcohkh32.exePkacpihj.exePggdejno.exeAccnekon.exeAffdle32.exeAboaff32.exeAkhfoldn.exeBjoofhgc.exeBmnlbcfg.exeBpnddn32.exeBfkifhib.exeCkolek32.exeCaidaeak.exeDkfbfjdf.exeDlgnmb32.exeDpgcip32.exeDaipqhdg.exeEgjbdo32.exeEndjaief.exeEhjona32.exeEniclh32.exeFjbafi32.exeFqlicclo.exeFoccjood.exeFbbofjnh.exeFgohna32.exeFqglggcp.exeGjpqpl32.exeGcheib32.exeGnmifk32.exeGgfnopfg.exeGpcoib32.exeGfmgelil.exeGljpncgc.exeHebdfind.exeHphidanj.exeHfbaql32.exeHpjeialg.exeHbiaemkk.exeHegnahjo.exeHbknkl32.exeHeikgh32.exeHlccdboi.exeHnbopmnm.exeHdoghdmd.exeHjipenda.exeIdadnd32.exeIjklknbn.exeIphecepe.exeIbfaopoi.exeIjmipn32.exeIfdjeoep.exeImnbbi32.exepid Process 2684 Lobgoh32.exe 2896 Lpgajgeg.exe 2816 Mcifdj32.exe 2824 Mhgoji32.exe 1624 Mimemp32.exe 576 Noljjglk.exe 1840 Namclbil.exe 2064 Nkegeg32.exe 2460 Nemhhpmp.exe 1380 Odebolpe.exe 2040 Ohidmoaa.exe 2344 Ocohkh32.exe 2732 Pkacpihj.exe 2208 Pggdejno.exe 864 Accnekon.exe 548 Affdle32.exe 1324 Aboaff32.exe 1780 Akhfoldn.exe 2068 Bjoofhgc.exe 2272 Bmnlbcfg.exe 2212 Bpnddn32.exe 1736 Bfkifhib.exe 2368 Ckolek32.exe 1704 Caidaeak.exe 1576 Dkfbfjdf.exe 2812 Dlgnmb32.exe 2672 Dpgcip32.exe 2668 Daipqhdg.exe 2560 Egjbdo32.exe 1224 Endjaief.exe 880 Ehjona32.exe 1040 Eniclh32.exe 2188 Fjbafi32.exe 2788 Fqlicclo.exe 2772 Foccjood.exe 2428 Fbbofjnh.exe 1912 Fgohna32.exe 1740 Fqglggcp.exe 1316 Gjpqpl32.exe 2124 Gcheib32.exe 1096 Gnmifk32.exe 444 Ggfnopfg.exe 1720 Gpcoib32.exe 904 Gfmgelil.exe 960 Gljpncgc.exe 1632 Hebdfind.exe 2328 Hphidanj.exe 2268 Hfbaql32.exe 1588 Hpjeialg.exe 2988 Hbiaemkk.exe 2764 Hegnahjo.exe 1476 Hbknkl32.exe 2156 Heikgh32.exe 2184 Hlccdboi.exe 2624 Hnbopmnm.exe 2876 Hdoghdmd.exe 1916 Hjipenda.exe 1572 Idadnd32.exe 1772 Ijklknbn.exe 2536 Iphecepe.exe 1300 Ibfaopoi.exe 1604 Ijmipn32.exe 608 Ifdjeoep.exe 2008 Imnbbi32.exe -
Loads dropped DLL 64 IoCs
Processes:
3faa1b32b65257db91d55eaae7fcc2df3beceb2dd0519170f77a4aa03160f05b.exeLobgoh32.exeLpgajgeg.exeMcifdj32.exeMhgoji32.exeMimemp32.exeNoljjglk.exeNamclbil.exeNkegeg32.exeNemhhpmp.exeOdebolpe.exeOhidmoaa.exeOcohkh32.exePkacpihj.exePggdejno.exeAccnekon.exeAffdle32.exeAboaff32.exeAkhfoldn.exeBjoofhgc.exeBmnlbcfg.exeBpnddn32.exeBfkifhib.exeCkolek32.exeCaidaeak.exeDkfbfjdf.exeDlgnmb32.exeDpgcip32.exeDaipqhdg.exeEgjbdo32.exeEndjaief.exeEhjona32.exepid Process 2216 3faa1b32b65257db91d55eaae7fcc2df3beceb2dd0519170f77a4aa03160f05b.exe 2216 3faa1b32b65257db91d55eaae7fcc2df3beceb2dd0519170f77a4aa03160f05b.exe 2684 Lobgoh32.exe 2684 Lobgoh32.exe 2896 Lpgajgeg.exe 2896 Lpgajgeg.exe 2816 Mcifdj32.exe 2816 Mcifdj32.exe 2824 Mhgoji32.exe 2824 Mhgoji32.exe 1624 Mimemp32.exe 1624 Mimemp32.exe 576 Noljjglk.exe 576 Noljjglk.exe 1840 Namclbil.exe 1840 Namclbil.exe 2064 Nkegeg32.exe 2064 Nkegeg32.exe 2460 Nemhhpmp.exe 2460 Nemhhpmp.exe 1380 Odebolpe.exe 1380 Odebolpe.exe 2040 Ohidmoaa.exe 2040 Ohidmoaa.exe 2344 Ocohkh32.exe 2344 Ocohkh32.exe 2732 Pkacpihj.exe 2732 Pkacpihj.exe 2208 Pggdejno.exe 2208 Pggdejno.exe 864 Accnekon.exe 864 Accnekon.exe 548 Affdle32.exe 548 Affdle32.exe 1324 Aboaff32.exe 1324 Aboaff32.exe 1780 Akhfoldn.exe 1780 Akhfoldn.exe 2068 Bjoofhgc.exe 2068 Bjoofhgc.exe 2272 Bmnlbcfg.exe 2272 Bmnlbcfg.exe 2212 Bpnddn32.exe 2212 Bpnddn32.exe 1736 Bfkifhib.exe 1736 Bfkifhib.exe 2368 Ckolek32.exe 2368 Ckolek32.exe 1704 Caidaeak.exe 1704 Caidaeak.exe 1576 Dkfbfjdf.exe 1576 Dkfbfjdf.exe 2812 Dlgnmb32.exe 2812 Dlgnmb32.exe 2672 Dpgcip32.exe 2672 Dpgcip32.exe 2668 Daipqhdg.exe 2668 Daipqhdg.exe 2560 Egjbdo32.exe 2560 Egjbdo32.exe 1224 Endjaief.exe 1224 Endjaief.exe 880 Ehjona32.exe 880 Ehjona32.exe -
Drops file in System32 directory 64 IoCs
Processes:
Fleifl32.exeMgmahg32.exeHblgnkdh.exeIhdpbq32.exeKklkcn32.exeKlpdaf32.exeOdgamdef.exeFjbafi32.exeFqlicclo.exeMlafkb32.exeMhgoji32.exeEaphjp32.exeKglehp32.exeBjbndpmd.exeGmhbkohm.exeLdgnklmi.exeGnmifk32.exeNallalep.exeAcfdnihk.exeFahhnn32.exeGekfnoog.exeKhjgel32.exeNemhhpmp.exeJpogbgmi.exeLpabpcdf.exeOejcpf32.exeGdkjdl32.exePincfpoo.exeFpmbfbgo.exeKeqkofno.exeHlccdboi.exeNbpeoc32.exePmgbao32.exeJnkakl32.exeOhojmjep.exeHbkqdepm.exeKllnhg32.exeAkiobk32.exeNijpdfhm.exeEgajnfoe.exeEiekpd32.exeDmijfmfi.exeLddlkg32.exeOippjl32.exeLhcafa32.exePpmgfb32.exeEfedga32.exeIfmocb32.exeKpcqnf32.exeObdojcef.exeKhadpa32.exeCceogcfj.exeCicalakk.exeIlcalnii.exeFdkklp32.exeGghmmilh.exeCebeem32.exeFodebh32.exeHpbdmo32.exeIihiphln.exeLdokfakl.exeLgfjggll.exeLpgajgeg.exeDmhdkdlg.exedescription ioc Process File created C:\Windows\SysWOW64\Fodebh32.exe Fleifl32.exe File opened for modification C:\Windows\SysWOW64\Mbbfep32.exe Mgmahg32.exe File opened for modification C:\Windows\SysWOW64\Hpphhp32.exe Hblgnkdh.exe File created C:\Windows\SysWOW64\Imahkg32.exe Ihdpbq32.exe File opened for modification C:\Windows\SysWOW64\Knkgpi32.exe Kklkcn32.exe File created C:\Windows\SysWOW64\Lfhhjklc.exe Klpdaf32.exe File created C:\Windows\SysWOW64\Olbfagca.exe Odgamdef.exe File created C:\Windows\SysWOW64\Efcjeo32.dll Fjbafi32.exe File created C:\Windows\SysWOW64\Ekbkpe32.dll Fqlicclo.exe File opened for modification C:\Windows\SysWOW64\Mbnocipg.exe Mlafkb32.exe File created C:\Windows\SysWOW64\Jfbcinlm.dll Mhgoji32.exe File created C:\Windows\SysWOW64\Bpoggldm.dll Eaphjp32.exe File opened for modification C:\Windows\SysWOW64\Kocmim32.exe Kglehp32.exe File created C:\Windows\SysWOW64\Hiablm32.dll Bjbndpmd.exe File created C:\Windows\SysWOW64\Hcajhi32.exe Gmhbkohm.exe File opened for modification C:\Windows\SysWOW64\Lgfjggll.exe Ldgnklmi.exe File opened for modification C:\Windows\SysWOW64\Ggfnopfg.exe Gnmifk32.exe File created C:\Windows\SysWOW64\Nfidjbdg.exe Nallalep.exe File opened for modification C:\Windows\SysWOW64\Agbpnh32.exe Acfdnihk.exe File created C:\Windows\SysWOW64\Fdgdji32.exe Fahhnn32.exe File created C:\Windows\SysWOW64\Gglbfg32.exe Gekfnoog.exe File created C:\Windows\SysWOW64\Jpnghhmn.dll Khjgel32.exe File created C:\Windows\SysWOW64\Odebolpe.exe Nemhhpmp.exe File created C:\Windows\SysWOW64\Hpomfdnk.dll Jpogbgmi.exe File created C:\Windows\SysWOW64\Lkggmldl.exe Lpabpcdf.exe File created C:\Windows\SysWOW64\Epaqjmil.dll Oejcpf32.exe File opened for modification C:\Windows\SysWOW64\Gekfnoog.exe Gdkjdl32.exe File created C:\Windows\SysWOW64\Jnnoic32.dll Pincfpoo.exe File created C:\Windows\SysWOW64\Fhdjgoha.exe Fpmbfbgo.exe File created C:\Windows\SysWOW64\Koipglep.exe Keqkofno.exe File created C:\Windows\SysWOW64\Ibebjn32.dll Hlccdboi.exe File created C:\Windows\SysWOW64\Hefhqhka.dll Nbpeoc32.exe File created C:\Windows\SysWOW64\Hafimk32.dll Pmgbao32.exe File opened for modification C:\Windows\SysWOW64\Jnnnalph.exe Jnkakl32.exe File opened for modification C:\Windows\SysWOW64\Obdojcef.exe Ohojmjep.exe File created C:\Windows\SysWOW64\Eldhjg32.dll Hbkqdepm.exe File opened for modification C:\Windows\SysWOW64\Kkoncdcp.exe Kllnhg32.exe File created C:\Windows\SysWOW64\Bmhkmm32.exe Akiobk32.exe File created C:\Windows\SysWOW64\Fdpojm32.dll Nijpdfhm.exe File opened for modification C:\Windows\SysWOW64\Fpjofl32.exe Egajnfoe.exe File created C:\Windows\SysWOW64\Ecnoijbd.exe Eiekpd32.exe File created C:\Windows\SysWOW64\Dfbnoc32.exe Dmijfmfi.exe File opened for modification C:\Windows\SysWOW64\Mjaddn32.exe Lddlkg32.exe File opened for modification C:\Windows\SysWOW64\Obhdcanc.exe Oippjl32.exe File created C:\Windows\SysWOW64\Lnqjnhge.exe Lhcafa32.exe File opened for modification C:\Windows\SysWOW64\Qejpoi32.exe Ppmgfb32.exe File created C:\Windows\SysWOW64\Apnmpn32.dll Efedga32.exe File opened for modification C:\Windows\SysWOW64\Ieponofk.exe Ifmocb32.exe File opened for modification C:\Windows\SysWOW64\Kcamjb32.exe Kpcqnf32.exe File created C:\Windows\SysWOW64\Oioggmmc.exe Obdojcef.exe File created C:\Windows\SysWOW64\Jmgfca32.dll Khadpa32.exe File opened for modification C:\Windows\SysWOW64\Cjogcm32.exe Cceogcfj.exe File opened for modification C:\Windows\SysWOW64\Copjdhib.exe Cicalakk.exe File created C:\Windows\SysWOW64\Nfmcog32.dll Ilcalnii.exe File opened for modification C:\Windows\SysWOW64\Fjhcegll.exe Fdkklp32.exe File created C:\Windows\SysWOW64\Njmoipaq.dll Gghmmilh.exe File opened for modification C:\Windows\SysWOW64\Cgaaah32.exe Cebeem32.exe File created C:\Windows\SysWOW64\Fhljkm32.exe Fodebh32.exe File opened for modification C:\Windows\SysWOW64\Ieomef32.exe Hpbdmo32.exe File created C:\Windows\SysWOW64\Jhhamo32.dll Iihiphln.exe File created C:\Windows\SysWOW64\Bbcafk32.dll Ldokfakl.exe File opened for modification C:\Windows\SysWOW64\Loaokjjg.exe Lgfjggll.exe File created C:\Windows\SysWOW64\Mcifdj32.exe Lpgajgeg.exe File created C:\Windows\SysWOW64\Gfhnop32.dll Dmhdkdlg.exe -
Program crash 1 IoCs
Processes:
WerFault.exepid pid_target Process procid_target 896 2972 WerFault.exe 641 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
Ggfnopfg.exeLqcmmjko.exeCjlheehe.exeLkggmldl.exeFdiqpigl.exeObgkpb32.exeDgeaoinb.exeHpbdmo32.exeFelajbpg.exeJcciqi32.exeKpcqnf32.exeQgmfchei.exeAmohfo32.exeHfegij32.exeMggabaea.exeAoojnc32.exeBpnddn32.exeGfmgelil.exeKkmand32.exeBiolanld.exeGhdgfbkl.exeAjckilei.exeCogfqe32.exeEfedga32.exeDkfbfjdf.exeDlgnmb32.exeOlpilg32.exePpinkcnp.exeOhfqmi32.exeGbadjg32.exeMqehjecl.exeOejcpf32.exeApkgpf32.exeGdkjdl32.exeOhncbdbd.exeJabponba.exeHphidanj.exeKgclio32.exeAkfkbd32.exeNkkmgncb.exeFooembgb.exeFodebh32.exeDboeco32.exeKdeaelok.exeDnqlmq32.exeBgblmk32.exeBefmfpbi.exeIgoomk32.exeIcfpbl32.exeOaogognm.exeCfmhdpnc.exeNmofdf32.exeAgglbp32.exeAgihgp32.exeLcadghnk.exeNemhhpmp.exeLmljgj32.exeNoffdd32.exeGjdldd32.exeLcohahpn.exeBniajoic.exeLopfhk32.exeAffdle32.exeHmdhad32.exedescription ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ggfnopfg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lqcmmjko.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cjlheehe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lkggmldl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fdiqpigl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Obgkpb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dgeaoinb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hpbdmo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Felajbpg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jcciqi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kpcqnf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qgmfchei.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Amohfo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hfegij32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mggabaea.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aoojnc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bpnddn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gfmgelil.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kkmand32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Biolanld.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ghdgfbkl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ajckilei.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cogfqe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Efedga32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dkfbfjdf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dlgnmb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Olpilg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ppinkcnp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ohfqmi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gbadjg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mqehjecl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oejcpf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Apkgpf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gdkjdl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ohncbdbd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jabponba.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hphidanj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kgclio32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Akfkbd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nkkmgncb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fooembgb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fodebh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dboeco32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kdeaelok.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dnqlmq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bgblmk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Befmfpbi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Igoomk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Icfpbl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oaogognm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cfmhdpnc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nmofdf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Agglbp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Agihgp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lcadghnk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nemhhpmp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lmljgj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Noffdd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gjdldd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lcohahpn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bniajoic.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lopfhk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Affdle32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hmdhad32.exe -
Modifies registry class 64 IoCs
Processes:
Micklk32.exeNeiaeiii.exeDnqlmq32.exeJlelhe32.exeJmnqje32.exeGgfnopfg.exeCicalakk.exeOfcqcp32.exeObgnhkkh.exeCfoaho32.exeDpgcip32.exeCjjkpe32.exeNfdddm32.exeFdiqpigl.exeHgeelf32.exeIbfaopoi.exeQobbofgn.exePkmlmbcd.exeCnejim32.exeEafkhn32.exeGajqbakc.exeAboaff32.exeIlcalnii.exeIkqnlh32.exeHnbopmnm.exeJnnnalph.exeAihfap32.exeDhpemm32.exeAbpjjeim.exeEaeipfei.exeKocmim32.exeEibgpnjk.exePioeoi32.exeFdgdji32.exeFaonom32.exeMeoell32.exeQngopb32.exeMhhgpc32.exeEakhdj32.exeKdphjm32.exeMlfacfpc.exeBjbndpmd.exeIcfpbl32.exeIafnjg32.exeMnomjl32.exeNnafnopi.exeEgajnfoe.exeAddfkeid.exeFoccjood.exeOonldcih.exeQgmpibam.exeOaogognm.exeLgfjggll.exeCacclpae.exeCpiqmlfm.exeGgagmjbq.exeApkgpf32.exeLngpog32.exeGljpncgc.exeJieaofmp.exePopeif32.exePdeqfhjd.exeGghmmilh.exedescription ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Micklk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Neiaeiii.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dnqlmq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jlelhe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Klihnmmj.dll" Jmnqje32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ggfnopfg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Inoaljog.dll" Cicalakk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pghaaidm.dll" Ofcqcp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Obgnhkkh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cfoaho32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dpgcip32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hekbgfpm.dll" Cjjkpe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjbklf32.dll" Nfdddm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fdiqpigl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qhehaf32.dll" Hgeelf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ibfaopoi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qobbofgn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pkmlmbcd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cnejim32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eafkhn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gajqbakc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Didlfg32.dll" Aboaff32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nfmcog32.dll" Ilcalnii.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ikqnlh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hnbopmnm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Efhjijha.dll" Jnnnalph.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aihfap32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cicalakk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dhpemm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Abpjjeim.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eaeipfei.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kocmim32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eibgpnjk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pioeoi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ljdpbj32.dll" Fdgdji32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Faonom32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Meoell32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qngopb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Klkpdn32.dll" Mhhgpc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eakhdj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kdphjm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mlfacfpc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bjbndpmd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iblkei32.dll" Icfpbl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Iafnjg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mnomjl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nnafnopi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Egajnfoe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qofpqofd.dll" Addfkeid.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Foccjood.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohniib32.dll" Oonldcih.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qgmpibam.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Oaogognm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lgfjggll.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cacclpae.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amponajh.dll" Cpiqmlfm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ggagmjbq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Inajahoe.dll" Apkgpf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lngpog32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjddiflm.dll" Gljpncgc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bnllhjif.dll" Jieaofmp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Popeif32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pdeqfhjd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gghmmilh.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
3faa1b32b65257db91d55eaae7fcc2df3beceb2dd0519170f77a4aa03160f05b.exeLobgoh32.exeLpgajgeg.exeMcifdj32.exeMhgoji32.exeMimemp32.exeNoljjglk.exeNamclbil.exeNkegeg32.exeNemhhpmp.exeOdebolpe.exeOhidmoaa.exeOcohkh32.exePkacpihj.exePggdejno.exeAccnekon.exedescription pid Process procid_target PID 2216 wrote to memory of 2684 2216 3faa1b32b65257db91d55eaae7fcc2df3beceb2dd0519170f77a4aa03160f05b.exe 30 PID 2216 wrote to memory of 2684 2216 3faa1b32b65257db91d55eaae7fcc2df3beceb2dd0519170f77a4aa03160f05b.exe 30 PID 2216 wrote to memory of 2684 2216 3faa1b32b65257db91d55eaae7fcc2df3beceb2dd0519170f77a4aa03160f05b.exe 30 PID 2216 wrote to memory of 2684 2216 3faa1b32b65257db91d55eaae7fcc2df3beceb2dd0519170f77a4aa03160f05b.exe 30 PID 2684 wrote to memory of 2896 2684 Lobgoh32.exe 31 PID 2684 wrote to memory of 2896 2684 Lobgoh32.exe 31 PID 2684 wrote to memory of 2896 2684 Lobgoh32.exe 31 PID 2684 wrote to memory of 2896 2684 Lobgoh32.exe 31 PID 2896 wrote to memory of 2816 2896 Lpgajgeg.exe 32 PID 2896 wrote to memory of 2816 2896 Lpgajgeg.exe 32 PID 2896 wrote to memory of 2816 2896 Lpgajgeg.exe 32 PID 2896 wrote to memory of 2816 2896 Lpgajgeg.exe 32 PID 2816 wrote to memory of 2824 2816 Mcifdj32.exe 33 PID 2816 wrote to memory of 2824 2816 Mcifdj32.exe 33 PID 2816 wrote to memory of 2824 2816 Mcifdj32.exe 33 PID 2816 wrote to memory of 2824 2816 Mcifdj32.exe 33 PID 2824 wrote to memory of 1624 2824 Mhgoji32.exe 34 PID 2824 wrote to memory of 1624 2824 Mhgoji32.exe 34 PID 2824 wrote to memory of 1624 2824 Mhgoji32.exe 34 PID 2824 wrote to memory of 1624 2824 Mhgoji32.exe 34 PID 1624 wrote to memory of 576 1624 Mimemp32.exe 35 PID 1624 wrote to memory of 576 1624 Mimemp32.exe 35 PID 1624 wrote to memory of 576 1624 Mimemp32.exe 35 PID 1624 wrote to memory of 576 1624 Mimemp32.exe 35 PID 576 wrote to memory of 1840 576 Noljjglk.exe 36 PID 576 wrote to memory of 1840 576 Noljjglk.exe 36 PID 576 wrote to memory of 1840 576 Noljjglk.exe 36 PID 576 wrote to memory of 1840 576 Noljjglk.exe 36 PID 1840 wrote to memory of 2064 1840 Namclbil.exe 37 PID 1840 wrote to memory of 2064 1840 Namclbil.exe 37 PID 1840 wrote to memory of 2064 1840 Namclbil.exe 37 PID 1840 wrote to memory of 2064 1840 Namclbil.exe 37 PID 2064 wrote to memory of 2460 2064 Nkegeg32.exe 38 PID 2064 wrote to memory of 2460 2064 Nkegeg32.exe 38 PID 2064 wrote to memory of 2460 2064 Nkegeg32.exe 38 PID 2064 wrote to memory of 2460 2064 Nkegeg32.exe 38 PID 2460 wrote to memory of 1380 2460 Nemhhpmp.exe 39 PID 2460 wrote to memory of 1380 2460 Nemhhpmp.exe 39 PID 2460 wrote to memory of 1380 2460 Nemhhpmp.exe 39 PID 2460 wrote to memory of 1380 2460 Nemhhpmp.exe 39 PID 1380 wrote to memory of 2040 1380 Odebolpe.exe 40 PID 1380 wrote to memory of 2040 1380 Odebolpe.exe 40 PID 1380 wrote to memory of 2040 1380 Odebolpe.exe 40 PID 1380 wrote to memory of 2040 1380 Odebolpe.exe 40 PID 2040 wrote to memory of 2344 2040 Ohidmoaa.exe 41 PID 2040 wrote to memory of 2344 2040 Ohidmoaa.exe 41 PID 2040 wrote to memory of 2344 2040 Ohidmoaa.exe 41 PID 2040 wrote to memory of 2344 2040 Ohidmoaa.exe 41 PID 2344 wrote to memory of 2732 2344 Ocohkh32.exe 42 PID 2344 wrote to memory of 2732 2344 Ocohkh32.exe 42 PID 2344 wrote to memory of 2732 2344 Ocohkh32.exe 42 PID 2344 wrote to memory of 2732 2344 Ocohkh32.exe 42 PID 2732 wrote to memory of 2208 2732 Pkacpihj.exe 43 PID 2732 wrote to memory of 2208 2732 Pkacpihj.exe 43 PID 2732 wrote to memory of 2208 2732 Pkacpihj.exe 43 PID 2732 wrote to memory of 2208 2732 Pkacpihj.exe 43 PID 2208 wrote to memory of 864 2208 Pggdejno.exe 44 PID 2208 wrote to memory of 864 2208 Pggdejno.exe 44 PID 2208 wrote to memory of 864 2208 Pggdejno.exe 44 PID 2208 wrote to memory of 864 2208 Pggdejno.exe 44 PID 864 wrote to memory of 548 864 Accnekon.exe 45 PID 864 wrote to memory of 548 864 Accnekon.exe 45 PID 864 wrote to memory of 548 864 Accnekon.exe 45 PID 864 wrote to memory of 548 864 Accnekon.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\3faa1b32b65257db91d55eaae7fcc2df3beceb2dd0519170f77a4aa03160f05b.exe"C:\Users\Admin\AppData\Local\Temp\3faa1b32b65257db91d55eaae7fcc2df3beceb2dd0519170f77a4aa03160f05b.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2216 -
C:\Windows\SysWOW64\Lobgoh32.exeC:\Windows\system32\Lobgoh32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2684 -
C:\Windows\SysWOW64\Lpgajgeg.exeC:\Windows\system32\Lpgajgeg.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2896 -
C:\Windows\SysWOW64\Mcifdj32.exeC:\Windows\system32\Mcifdj32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2816 -
C:\Windows\SysWOW64\Mhgoji32.exeC:\Windows\system32\Mhgoji32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2824 -
C:\Windows\SysWOW64\Mimemp32.exeC:\Windows\system32\Mimemp32.exe6⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1624 -
C:\Windows\SysWOW64\Noljjglk.exeC:\Windows\system32\Noljjglk.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:576 -
C:\Windows\SysWOW64\Namclbil.exeC:\Windows\system32\Namclbil.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1840 -
C:\Windows\SysWOW64\Nkegeg32.exeC:\Windows\system32\Nkegeg32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2064 -
C:\Windows\SysWOW64\Nemhhpmp.exeC:\Windows\system32\Nemhhpmp.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2460 -
C:\Windows\SysWOW64\Odebolpe.exeC:\Windows\system32\Odebolpe.exe11⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1380 -
C:\Windows\SysWOW64\Ohidmoaa.exeC:\Windows\system32\Ohidmoaa.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2040 -
C:\Windows\SysWOW64\Ocohkh32.exeC:\Windows\system32\Ocohkh32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2344 -
C:\Windows\SysWOW64\Pkacpihj.exeC:\Windows\system32\Pkacpihj.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2732 -
C:\Windows\SysWOW64\Pggdejno.exeC:\Windows\system32\Pggdejno.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2208 -
C:\Windows\SysWOW64\Accnekon.exeC:\Windows\system32\Accnekon.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:864 -
C:\Windows\SysWOW64\Affdle32.exeC:\Windows\system32\Affdle32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:548 -
C:\Windows\SysWOW64\Aboaff32.exeC:\Windows\system32\Aboaff32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1324 -
C:\Windows\SysWOW64\Akhfoldn.exeC:\Windows\system32\Akhfoldn.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1780 -
C:\Windows\SysWOW64\Bjoofhgc.exeC:\Windows\system32\Bjoofhgc.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2068 -
C:\Windows\SysWOW64\Bmnlbcfg.exeC:\Windows\system32\Bmnlbcfg.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2272 -
C:\Windows\SysWOW64\Bpnddn32.exeC:\Windows\system32\Bpnddn32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2212 -
C:\Windows\SysWOW64\Bfkifhib.exeC:\Windows\system32\Bfkifhib.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1736 -
C:\Windows\SysWOW64\Ckolek32.exeC:\Windows\system32\Ckolek32.exe24⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2368 -
C:\Windows\SysWOW64\Caidaeak.exeC:\Windows\system32\Caidaeak.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1704 -
C:\Windows\SysWOW64\Dkfbfjdf.exeC:\Windows\system32\Dkfbfjdf.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1576 -
C:\Windows\SysWOW64\Dlgnmb32.exeC:\Windows\system32\Dlgnmb32.exe27⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2812 -
C:\Windows\SysWOW64\Dpgcip32.exeC:\Windows\system32\Dpgcip32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2672 -
C:\Windows\SysWOW64\Daipqhdg.exeC:\Windows\system32\Daipqhdg.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2668 -
C:\Windows\SysWOW64\Egjbdo32.exeC:\Windows\system32\Egjbdo32.exe30⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2560 -
C:\Windows\SysWOW64\Endjaief.exeC:\Windows\system32\Endjaief.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1224 -
C:\Windows\SysWOW64\Ehjona32.exeC:\Windows\system32\Ehjona32.exe32⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:880 -
C:\Windows\SysWOW64\Eniclh32.exeC:\Windows\system32\Eniclh32.exe33⤵
- Executes dropped EXE
PID:1040 -
C:\Windows\SysWOW64\Fjbafi32.exeC:\Windows\system32\Fjbafi32.exe34⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2188 -
C:\Windows\SysWOW64\Fqlicclo.exeC:\Windows\system32\Fqlicclo.exe35⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2788 -
C:\Windows\SysWOW64\Foccjood.exeC:\Windows\system32\Foccjood.exe36⤵
- Executes dropped EXE
- Modifies registry class
PID:2772 -
C:\Windows\SysWOW64\Fbbofjnh.exeC:\Windows\system32\Fbbofjnh.exe37⤵
- Executes dropped EXE
PID:2428 -
C:\Windows\SysWOW64\Fgohna32.exeC:\Windows\system32\Fgohna32.exe38⤵
- Executes dropped EXE
PID:1912 -
C:\Windows\SysWOW64\Fqglggcp.exeC:\Windows\system32\Fqglggcp.exe39⤵
- Executes dropped EXE
PID:1740 -
C:\Windows\SysWOW64\Gjpqpl32.exeC:\Windows\system32\Gjpqpl32.exe40⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1316 -
C:\Windows\SysWOW64\Gcheib32.exeC:\Windows\system32\Gcheib32.exe41⤵
- Executes dropped EXE
PID:2124 -
C:\Windows\SysWOW64\Gnmifk32.exeC:\Windows\system32\Gnmifk32.exe42⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:1096 -
C:\Windows\SysWOW64\Ggfnopfg.exeC:\Windows\system32\Ggfnopfg.exe43⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:444 -
C:\Windows\SysWOW64\Gpcoib32.exeC:\Windows\system32\Gpcoib32.exe44⤵
- Executes dropped EXE
PID:1720 -
C:\Windows\SysWOW64\Gfmgelil.exeC:\Windows\system32\Gfmgelil.exe45⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:904 -
C:\Windows\SysWOW64\Gljpncgc.exeC:\Windows\system32\Gljpncgc.exe46⤵
- Executes dropped EXE
- Modifies registry class
PID:960 -
C:\Windows\SysWOW64\Hebdfind.exeC:\Windows\system32\Hebdfind.exe47⤵
- Executes dropped EXE
PID:1632 -
C:\Windows\SysWOW64\Hphidanj.exeC:\Windows\system32\Hphidanj.exe48⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2328 -
C:\Windows\SysWOW64\Hfbaql32.exeC:\Windows\system32\Hfbaql32.exe49⤵
- Executes dropped EXE
PID:2268 -
C:\Windows\SysWOW64\Hpjeialg.exeC:\Windows\system32\Hpjeialg.exe50⤵
- Executes dropped EXE
PID:1588 -
C:\Windows\SysWOW64\Hbiaemkk.exeC:\Windows\system32\Hbiaemkk.exe51⤵
- Executes dropped EXE
PID:2988 -
C:\Windows\SysWOW64\Hegnahjo.exeC:\Windows\system32\Hegnahjo.exe52⤵
- Executes dropped EXE
PID:2764 -
C:\Windows\SysWOW64\Hbknkl32.exeC:\Windows\system32\Hbknkl32.exe53⤵
- Executes dropped EXE
PID:1476 -
C:\Windows\SysWOW64\Heikgh32.exeC:\Windows\system32\Heikgh32.exe54⤵
- Executes dropped EXE
PID:2156 -
C:\Windows\SysWOW64\Hlccdboi.exeC:\Windows\system32\Hlccdboi.exe55⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2184 -
C:\Windows\SysWOW64\Hnbopmnm.exeC:\Windows\system32\Hnbopmnm.exe56⤵
- Executes dropped EXE
- Modifies registry class
PID:2624 -
C:\Windows\SysWOW64\Hdoghdmd.exeC:\Windows\system32\Hdoghdmd.exe57⤵
- Executes dropped EXE
PID:2876 -
C:\Windows\SysWOW64\Hjipenda.exeC:\Windows\system32\Hjipenda.exe58⤵
- Executes dropped EXE
PID:1916 -
C:\Windows\SysWOW64\Idadnd32.exeC:\Windows\system32\Idadnd32.exe59⤵
- Executes dropped EXE
PID:1572 -
C:\Windows\SysWOW64\Ijklknbn.exeC:\Windows\system32\Ijklknbn.exe60⤵
- Executes dropped EXE
PID:1772 -
C:\Windows\SysWOW64\Iphecepe.exeC:\Windows\system32\Iphecepe.exe61⤵
- Executes dropped EXE
PID:2536 -
C:\Windows\SysWOW64\Ibfaopoi.exeC:\Windows\system32\Ibfaopoi.exe62⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:1300 -
C:\Windows\SysWOW64\Ijmipn32.exeC:\Windows\system32\Ijmipn32.exe63⤵
- Executes dropped EXE
PID:1604 -
C:\Windows\SysWOW64\Ifdjeoep.exeC:\Windows\system32\Ifdjeoep.exe64⤵
- Executes dropped EXE
PID:608 -
C:\Windows\SysWOW64\Imnbbi32.exeC:\Windows\system32\Imnbbi32.exe65⤵
- Executes dropped EXE
PID:2008 -
C:\Windows\SysWOW64\Iplnnd32.exeC:\Windows\system32\Iplnnd32.exe66⤵PID:1760
-
C:\Windows\SysWOW64\Ieigfk32.exeC:\Windows\system32\Ieigfk32.exe67⤵PID:2936
-
C:\Windows\SysWOW64\Iigpli32.exeC:\Windows\system32\Iigpli32.exe68⤵PID:1252
-
C:\Windows\SysWOW64\Jlelhe32.exeC:\Windows\system32\Jlelhe32.exe69⤵
- Modifies registry class
PID:896 -
C:\Windows\SysWOW64\Jenpajfb.exeC:\Windows\system32\Jenpajfb.exe70⤵PID:1584
-
C:\Windows\SysWOW64\Jofejpmc.exeC:\Windows\system32\Jofejpmc.exe71⤵PID:2752
-
C:\Windows\SysWOW64\Jhoice32.exeC:\Windows\system32\Jhoice32.exe72⤵PID:2744
-
C:\Windows\SysWOW64\Jnkakl32.exeC:\Windows\system32\Jnkakl32.exe73⤵
- Drops file in System32 directory
PID:2740 -
C:\Windows\SysWOW64\Jnnnalph.exeC:\Windows\system32\Jnnnalph.exe74⤵
- Modifies registry class
PID:2968 -
C:\Windows\SysWOW64\Jkbojpna.exeC:\Windows\system32\Jkbojpna.exe75⤵PID:2972
-
C:\Windows\SysWOW64\Jpogbgmi.exeC:\Windows\system32\Jpogbgmi.exe76⤵
- Drops file in System32 directory
PID:2160 -
C:\Windows\SysWOW64\Kcmcoblm.exeC:\Windows\system32\Kcmcoblm.exe77⤵PID:2456
-
C:\Windows\SysWOW64\Kpadhg32.exeC:\Windows\system32\Kpadhg32.exe78⤵PID:2224
-
C:\Windows\SysWOW64\Kcopdb32.exeC:\Windows\system32\Kcopdb32.exe79⤵PID:1728
-
C:\Windows\SysWOW64\Kpcqnf32.exeC:\Windows\system32\Kpcqnf32.exe80⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2244 -
C:\Windows\SysWOW64\Kcamjb32.exeC:\Windows\system32\Kcamjb32.exe81⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1968 -
C:\Windows\SysWOW64\Kkmand32.exeC:\Windows\system32\Kkmand32.exe82⤵
- System Location Discovery: System Language Discovery
PID:532 -
C:\Windows\SysWOW64\Kcdjoaee.exeC:\Windows\system32\Kcdjoaee.exe83⤵PID:2280
-
C:\Windows\SysWOW64\Kllnhg32.exeC:\Windows\system32\Kllnhg32.exe84⤵
- Drops file in System32 directory
PID:2372 -
C:\Windows\SysWOW64\Kkoncdcp.exeC:\Windows\system32\Kkoncdcp.exe85⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1848 -
C:\Windows\SysWOW64\Khcomhbi.exeC:\Windows\system32\Khcomhbi.exe86⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1684 -
C:\Windows\SysWOW64\Lkakicam.exeC:\Windows\system32\Lkakicam.exe87⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1424 -
C:\Windows\SysWOW64\Lqncaj32.exeC:\Windows\system32\Lqncaj32.exe88⤵PID:1692
-
C:\Windows\SysWOW64\Lhelbh32.exeC:\Windows\system32\Lhelbh32.exe89⤵PID:1716
-
C:\Windows\SysWOW64\Lqqpgj32.exeC:\Windows\system32\Lqqpgj32.exe90⤵PID:580
-
C:\Windows\SysWOW64\Lgkhdddo.exeC:\Windows\system32\Lgkhdddo.exe91⤵PID:2408
-
C:\Windows\SysWOW64\Lqcmmjko.exeC:\Windows\system32\Lqcmmjko.exe92⤵
- System Location Discovery: System Language Discovery
PID:1492 -
C:\Windows\SysWOW64\Ljkaeo32.exeC:\Windows\system32\Ljkaeo32.exe93⤵PID:2784
-
C:\Windows\SysWOW64\Lmjnak32.exeC:\Windows\system32\Lmjnak32.exe94⤵PID:2832
-
C:\Windows\SysWOW64\Lohjnf32.exeC:\Windows\system32\Lohjnf32.exe95⤵PID:2716
-
C:\Windows\SysWOW64\Lmljgj32.exeC:\Windows\system32\Lmljgj32.exe96⤵
- System Location Discovery: System Language Discovery
PID:2692 -
C:\Windows\SysWOW64\Lokgcf32.exeC:\Windows\system32\Lokgcf32.exe97⤵PID:2320
-
C:\Windows\SysWOW64\Micklk32.exeC:\Windows\system32\Micklk32.exe98⤵
- Modifies registry class
PID:1836 -
C:\Windows\SysWOW64\Mkaghg32.exeC:\Windows\system32\Mkaghg32.exe99⤵PID:1844
-
C:\Windows\SysWOW64\Miehak32.exeC:\Windows\system32\Miehak32.exe100⤵PID:2544
-
C:\Windows\SysWOW64\Mpopnejo.exeC:\Windows\system32\Mpopnejo.exe101⤵PID:2092
-
C:\Windows\SysWOW64\Melifl32.exeC:\Windows\system32\Melifl32.exe102⤵PID:2388
-
C:\Windows\SysWOW64\Mlfacfpc.exeC:\Windows\system32\Mlfacfpc.exe103⤵
- Modifies registry class
PID:1032 -
C:\Windows\SysWOW64\Meoell32.exeC:\Windows\system32\Meoell32.exe104⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:572 -
C:\Windows\SysWOW64\Mgmahg32.exeC:\Windows\system32\Mgmahg32.exe105⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:1784 -
C:\Windows\SysWOW64\Mbbfep32.exeC:\Windows\system32\Mbbfep32.exe106⤵PID:2148
-
C:\Windows\SysWOW64\Mhonngce.exeC:\Windows\system32\Mhonngce.exe107⤵PID:1528
-
C:\Windows\SysWOW64\Nmlgfnal.exeC:\Windows\system32\Nmlgfnal.exe108⤵PID:2488
-
C:\Windows\SysWOW64\Ncfoch32.exeC:\Windows\system32\Ncfoch32.exe109⤵PID:2932
-
C:\Windows\SysWOW64\Nmnclmoj.exeC:\Windows\system32\Nmnclmoj.exe110⤵PID:2128
-
C:\Windows\SysWOW64\Najpll32.exeC:\Windows\system32\Najpll32.exe111⤵PID:1688
-
C:\Windows\SysWOW64\Njbdea32.exeC:\Windows\system32\Njbdea32.exe112⤵PID:3048
-
C:\Windows\SysWOW64\Nallalep.exeC:\Windows\system32\Nallalep.exe113⤵
- Drops file in System32 directory
PID:2700 -
C:\Windows\SysWOW64\Nfidjbdg.exeC:\Windows\system32\Nfidjbdg.exe114⤵PID:2992
-
C:\Windows\SysWOW64\Nmcmgm32.exeC:\Windows\system32\Nmcmgm32.exe115⤵PID:2172
-
C:\Windows\SysWOW64\Nbpeoc32.exeC:\Windows\system32\Nbpeoc32.exe116⤵
- Drops file in System32 directory
PID:2400 -
C:\Windows\SysWOW64\Nijnln32.exeC:\Windows\system32\Nijnln32.exe117⤵PID:1960
-
C:\Windows\SysWOW64\Noffdd32.exeC:\Windows\system32\Noffdd32.exe118⤵
- System Location Discovery: System Language Discovery
PID:264 -
C:\Windows\SysWOW64\Ohojmjep.exeC:\Windows\system32\Ohojmjep.exe119⤵
- Drops file in System32 directory
PID:2252 -
C:\Windows\SysWOW64\Obdojcef.exeC:\Windows\system32\Obdojcef.exe120⤵
- Drops file in System32 directory
PID:2108 -
C:\Windows\SysWOW64\Oioggmmc.exeC:\Windows\system32\Oioggmmc.exe121⤵PID:2220
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-