Analysis
-
max time kernel
60s -
max time network
18s -
platform
windows7_x64 -
resource
win7-20240729-en -
resource tags
arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system -
submitted
21/08/2024, 13:50
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
f5628253e78d5b1bd62567862e67a5f0N.exe
Resource
win7-20240729-en
windows7-x64
8 signatures
120 seconds
Behavioral task
behavioral2
Sample
f5628253e78d5b1bd62567862e67a5f0N.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
7 signatures
120 seconds
General
-
Target
f5628253e78d5b1bd62567862e67a5f0N.exe
-
Size
256KB
-
MD5
f5628253e78d5b1bd62567862e67a5f0
-
SHA1
1c95279e741573f8053bbe434a25ca6a4ca1965b
-
SHA256
a0bf24d50f566c29f7f52b185564de923312666565240a38dec7b680a122a7c1
-
SHA512
4967762cbf089730f66952bb1cf81eef1d796a05854d2e500779985652312536741686b00ffbead0643998667af3b4676b19b63edf69297bc0e634dade9f9342
-
SSDEEP
3072:UgFBuslCrlaM/BZhYinvW0OF3kremwc/gHq/Wp+YmKfxgQdxvzSTsXXoT2971qqg:UgRKbZDIF3/fc/UmKyIxLDXXoq9FJZCX
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ipecndab.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eganqo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kokppd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dijjgegh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jnafop32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jemkai32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lddagi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lppkgi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gnbelong.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ibbffq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cfmhfm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Plaoim32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Aglhph32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dndoof32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bjdnmi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cjdkllec.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lnaokn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Qkcdigpa.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gbigao32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kdooij32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kejahn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bqopmbed.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Phgfko32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jonqfq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Njdbefnf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Onmgeb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Edkahbmo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gocnjn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Iceiibef.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dieiap32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Imqdcjkd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ojgokflc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ccjehkek.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pkihpi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mogene32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Icbldbgi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Onkjocjd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Giikkehc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jiinmnaa.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oiniaboi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kaliaphd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fillabde.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hqpjndio.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ccjehkek.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ebmjihqn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bedene32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gnmdfi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mdigakic.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cbihpbpl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Foqadnpq.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gfhikl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mkelcenm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ojakdd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fofhdidp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bmegodpi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lklmoccl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dbqajk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lndlamke.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mmpobi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bfkakbpp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Necqbp32.exe -
Executes dropped EXE 64 IoCs
pid Process 3000 Jhfljm32.exe 2680 Jblpge32.exe 2724 Jemiiqmh.exe 2828 Jeofnpke.exe 2684 Jnjjcbiq.exe 2692 Jpigonhd.exe 2584 Kpkcdn32.exe 2496 Kcllfi32.exe 2764 Kldaon32.exe 2996 Kcqfahom.exe 2080 Klijjnen.exe 2276 Lddoopbi.exe 2016 Lkngkj32.exe 1708 Lhbhdnio.exe 2144 Lnopmegg.exe 2408 Lbmicc32.exe 2472 Lcneklck.exe 1456 Lglnajjb.exe 3044 Mnffnd32.exe 1532 Mogcelgm.exe 1636 Mfakbf32.exe 496 Mcekkkmc.exe 1840 Mjodhe32.exe 1624 Mbjhlg32.exe 816 Meidib32.exe 1644 Mfhabe32.exe 2780 Mifmoa32.exe 2792 Memncbmj.exe 2832 Nlgfqldf.exe 2944 Nbaomf32.exe 2600 Nhngem32.exe 1072 Njopgh32.exe 948 Nmmlccfp.exe 1008 Nhbqqlfe.exe 952 Nmpiicdm.exe 1168 Npneeocq.exe 2488 Njcibgcf.exe 2308 Odlnkmjg.exe 2412 Oemjbe32.exe 2428 Ofmgmhgh.exe 2120 Ohncdp32.exe 2364 Oohlaj32.exe 2176 Oebdndlp.exe 2100 Oimpnc32.exe 536 Okolfkjg.exe 1132 Obfdgiji.exe 916 Oedqcdim.exe 2036 Olnipn32.exe 1928 Omoehf32.exe 648 Oefmid32.exe 2356 Odimdqne.exe 2676 Pkcfak32.exe 2840 Pamnnemo.exe 2856 Phgfko32.exe 2580 Pkebgj32.exe 2500 Pmdocf32.exe 1076 Pdngpp32.exe 2112 Pkholjam.exe 2912 Pnfkheap.exe 1664 Plildb32.exe 1260 Pccdqloh.exe 2552 Pgopak32.exe 308 Pnihneon.exe 1052 Pllhib32.exe -
Loads dropped DLL 64 IoCs
pid Process 2012 f5628253e78d5b1bd62567862e67a5f0N.exe 2012 f5628253e78d5b1bd62567862e67a5f0N.exe 3000 Jhfljm32.exe 3000 Jhfljm32.exe 2680 Jblpge32.exe 2680 Jblpge32.exe 2724 Jemiiqmh.exe 2724 Jemiiqmh.exe 2828 Jeofnpke.exe 2828 Jeofnpke.exe 2684 Jnjjcbiq.exe 2684 Jnjjcbiq.exe 2692 Jpigonhd.exe 2692 Jpigonhd.exe 2584 Kpkcdn32.exe 2584 Kpkcdn32.exe 2496 Kcllfi32.exe 2496 Kcllfi32.exe 2764 Kldaon32.exe 2764 Kldaon32.exe 2996 Kcqfahom.exe 2996 Kcqfahom.exe 2080 Klijjnen.exe 2080 Klijjnen.exe 2276 Lddoopbi.exe 2276 Lddoopbi.exe 2016 Lkngkj32.exe 2016 Lkngkj32.exe 1708 Lhbhdnio.exe 1708 Lhbhdnio.exe 2144 Lnopmegg.exe 2144 Lnopmegg.exe 2408 Lbmicc32.exe 2408 Lbmicc32.exe 2472 Lcneklck.exe 2472 Lcneklck.exe 1456 Lglnajjb.exe 1456 Lglnajjb.exe 3044 Mnffnd32.exe 3044 Mnffnd32.exe 1532 Mogcelgm.exe 1532 Mogcelgm.exe 1636 Mfakbf32.exe 1636 Mfakbf32.exe 496 Mcekkkmc.exe 496 Mcekkkmc.exe 1840 Mjodhe32.exe 1840 Mjodhe32.exe 1624 Mbjhlg32.exe 1624 Mbjhlg32.exe 816 Meidib32.exe 816 Meidib32.exe 1644 Mfhabe32.exe 1644 Mfhabe32.exe 2780 Mifmoa32.exe 2780 Mifmoa32.exe 2792 Memncbmj.exe 2792 Memncbmj.exe 2832 Nlgfqldf.exe 2832 Nlgfqldf.exe 2944 Nbaomf32.exe 2944 Nbaomf32.exe 2600 Nhngem32.exe 2600 Nhngem32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Oicbma32.exe Oegflcbj.exe File created C:\Windows\SysWOW64\Blejgm32.exe Bhjngnod.exe File opened for modification C:\Windows\SysWOW64\Cklpml32.exe Cmjoaofc.exe File created C:\Windows\SysWOW64\Amnanefa.exe Aklefm32.exe File opened for modification C:\Windows\SysWOW64\Onehadbj.exe Ojilqf32.exe File created C:\Windows\SysWOW64\Ojnelefl.exe Ophanl32.exe File created C:\Windows\SysWOW64\Engebqqm.dll Ppcmhj32.exe File created C:\Windows\SysWOW64\Cfpgee32.exe Cbdkdffm.exe File created C:\Windows\SysWOW64\Bjnhce32.dll Ilhnjfmi.exe File created C:\Windows\SysWOW64\Hhcheobh.dll Process not Found File created C:\Windows\SysWOW64\Ehpgha32.exe Dimfmeef.exe File created C:\Windows\SysWOW64\Mmmmoqep.dll Jhgnbehe.exe File created C:\Windows\SysWOW64\Jhjillah.dll Jlgcncli.exe File created C:\Windows\SysWOW64\Mhdcbjal.exe Mdigakic.exe File opened for modification C:\Windows\SysWOW64\Faljqcmk.exe Fmpnpe32.exe File opened for modification C:\Windows\SysWOW64\Pbppqf32.exe Poddphee.exe File created C:\Windows\SysWOW64\Jmjmoh32.dll Ahancp32.exe File created C:\Windows\SysWOW64\Lgjcdc32.exe Ldlghhde.exe File created C:\Windows\SysWOW64\Dqnkig32.dll Ijhkembk.exe File opened for modification C:\Windows\SysWOW64\Cjdmee32.exe Ckamihfm.exe File created C:\Windows\SysWOW64\Hbdagfkc.dll Cqneaodd.exe File created C:\Windows\SysWOW64\Pfgcff32.exe Pbkgegad.exe File created C:\Windows\SysWOW64\Njobpa32.exe Ngafdepl.exe File created C:\Windows\SysWOW64\Ahlnmjkf.exe Apeflmjc.exe File opened for modification C:\Windows\SysWOW64\Fhaibnim.exe Fdemap32.exe File created C:\Windows\SysWOW64\Odlnkmjg.exe Njcibgcf.exe File created C:\Windows\SysWOW64\Cmimif32.exe Cfoellgb.exe File created C:\Windows\SysWOW64\Oljagk32.dll Kpiihgoh.exe File created C:\Windows\SysWOW64\Pdllci32.exe Ppqqbjkm.exe File opened for modification C:\Windows\SysWOW64\Ajpgkb32.exe Akmgoehg.exe File created C:\Windows\SysWOW64\Inofameg.dll Process not Found File created C:\Windows\SysWOW64\Hdcedhee.dll Alknnodh.exe File opened for modification C:\Windows\SysWOW64\Hefibg32.exe Hqkmahpp.exe File opened for modification C:\Windows\SysWOW64\Jhlgnd32.exe Jdplmflg.exe File created C:\Windows\SysWOW64\Gcfmolmc.dll Blgfml32.exe File created C:\Windows\SysWOW64\Pcojjn32.dll Fhnjdfcl.exe File created C:\Windows\SysWOW64\Ffofoi32.dll Cicggcke.exe File created C:\Windows\SysWOW64\Flbehbqm.exe Ficilgai.exe File opened for modification C:\Windows\SysWOW64\Cjifpdib.exe Cfmjoe32.exe File created C:\Windows\SysWOW64\Hcnfjpib.exe Hobjia32.exe File created C:\Windows\SysWOW64\Dpjhcj32.exe Dkolblkk.exe File created C:\Windows\SysWOW64\Jbpcbe32.dll Kcllfi32.exe File created C:\Windows\SysWOW64\Mjodhe32.exe Mcekkkmc.exe File created C:\Windows\SysWOW64\Hndaao32.exe Hgjieedg.exe File opened for modification C:\Windows\SysWOW64\Dbneekan.exe Dckdio32.exe File created C:\Windows\SysWOW64\Mclmgema.dll Gnenfjdh.exe File created C:\Windows\SysWOW64\Mdigakic.exe Mffgfo32.exe File opened for modification C:\Windows\SysWOW64\Iljkofkg.exe Ieqbbl32.exe File created C:\Windows\SysWOW64\Ooilcc32.dll Lbpolb32.exe File created C:\Windows\SysWOW64\Cabpoe32.dll Llfcik32.exe File opened for modification C:\Windows\SysWOW64\Bfieec32.exe Bcjhig32.exe File created C:\Windows\SysWOW64\Cofdbh32.dll Ckopch32.exe File created C:\Windows\SysWOW64\Oelcho32.exe Onbkle32.exe File opened for modification C:\Windows\SysWOW64\Mhgpgjoj.exe Mfhcknpf.exe File created C:\Windows\SysWOW64\Figoefkf.exe Figoefkf.exe File created C:\Windows\SysWOW64\Jokjjgme.dll Bgcbja32.exe File created C:\Windows\SysWOW64\Jkenbb32.dll Hndaao32.exe File opened for modification C:\Windows\SysWOW64\Plaoim32.exe Oicbma32.exe File opened for modification C:\Windows\SysWOW64\Dmgokcja.exe Dndoof32.exe File opened for modification C:\Windows\SysWOW64\Meidib32.exe Mbjhlg32.exe File opened for modification C:\Windows\SysWOW64\Joicje32.exe Jmggcmgg.exe File created C:\Windows\SysWOW64\Npceanij.dll Qnoklc32.exe File created C:\Windows\SysWOW64\Gopnca32.exe Gqmmhdka.exe File opened for modification C:\Windows\SysWOW64\Pdqfnhpa.exe Pljnmkoo.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 10296 10272 Process not Found 1106 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bhgaan32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cnpieceq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dkaihkih.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Epdncb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hgeenb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ikbndqnc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oenmkngi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cconcjae.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Anhdmh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bqffna32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ehdpcahk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gcimop32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Onbkle32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qnoklc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gcljdpke.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lgejidgn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Obdjjb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nbaomf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Edidcb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gdpfbd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gkiooocb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hhhblgim.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kghkppbp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lllihf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fhfbmn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bmgddcnf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cedbmi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oepianef.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eponmmaj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Klijjnen.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Edfqclni.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Foidii32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kpeonkig.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bgkeol32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gdophn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cfkkam32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hgmfjdbe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Boifinfg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fpihnbmk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gqendf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ccjehkek.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ciknhb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gklkdn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ipecndab.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ndbjgjqh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Anfggicl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hfbckagm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pkihpi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bfqaph32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nlklik32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pahjgb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aapikqel.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eeijpdbd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pnfkheap.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bgcbja32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mhlcnl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mfamko32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pkcfak32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dapnfb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hmnhnk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ehpgha32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Klimcf32.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ipoqofjh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kpaihe32.dll" Mnneabff.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kfcadq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hfookk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cllmdcej.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pbbfhefe.dll" Omddmkhl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cqneaodd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cohlnkeg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ojgokflc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Geiicell.dll" Mhpigk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Blejgm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ieiegf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ieligmho.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Gcimop32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jhikhefb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hiihgc32.dll" Koelibnh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jkeecd32.dll" Mlkegimk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dmalmdcg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ahgdbk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Fdemap32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hjbhgolp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ecdofe32.dll" Bgnaekil.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Oemjbe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fkdlaplh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bpncbi32.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jeofnpke.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Moonqphf.dll" Necqbp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jljkakol.dll" Jehbfjia.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bnnkcdka.dll" Lbmicc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Dabkla32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Cllmdcej.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Eenabkfk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Icponb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dkfdpa32.dll" Moloidjl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jepoao32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Fpihnbmk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ghkbccdn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kplfmfmf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cifdmbib.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ddcadd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dfnleh32.dll" Boncej32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ncjcnfcn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Qdlialfb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cpcpjbah.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fgjmfa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjpajqqn.dll" Egimdmmc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fdkqbd32.dll" Aabfqp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egkfbg32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Njjbga32.dll" Lhhjcmpj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Klpjgbfb.dll" Dmcibdad.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hccllbjf.dll" Kaliaphd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bblpae32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Fdbgia32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gddfepbh.dll" Jephgi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eannjf32.dll" Cmimif32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ihlbih32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Lhenmm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Oejgbonl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Odaqikaa.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Qgdbpi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Gkaljdaf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mkconepp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Fmnakege.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhldob32.dll" Jbdokceo.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2012 wrote to memory of 3000 2012 f5628253e78d5b1bd62567862e67a5f0N.exe 30 PID 2012 wrote to memory of 3000 2012 f5628253e78d5b1bd62567862e67a5f0N.exe 30 PID 2012 wrote to memory of 3000 2012 f5628253e78d5b1bd62567862e67a5f0N.exe 30 PID 2012 wrote to memory of 3000 2012 f5628253e78d5b1bd62567862e67a5f0N.exe 30 PID 3000 wrote to memory of 2680 3000 Jhfljm32.exe 31 PID 3000 wrote to memory of 2680 3000 Jhfljm32.exe 31 PID 3000 wrote to memory of 2680 3000 Jhfljm32.exe 31 PID 3000 wrote to memory of 2680 3000 Jhfljm32.exe 31 PID 2680 wrote to memory of 2724 2680 Jblpge32.exe 32 PID 2680 wrote to memory of 2724 2680 Jblpge32.exe 32 PID 2680 wrote to memory of 2724 2680 Jblpge32.exe 32 PID 2680 wrote to memory of 2724 2680 Jblpge32.exe 32 PID 2724 wrote to memory of 2828 2724 Jemiiqmh.exe 33 PID 2724 wrote to memory of 2828 2724 Jemiiqmh.exe 33 PID 2724 wrote to memory of 2828 2724 Jemiiqmh.exe 33 PID 2724 wrote to memory of 2828 2724 Jemiiqmh.exe 33 PID 2828 wrote to memory of 2684 2828 Jeofnpke.exe 34 PID 2828 wrote to memory of 2684 2828 Jeofnpke.exe 34 PID 2828 wrote to memory of 2684 2828 Jeofnpke.exe 34 PID 2828 wrote to memory of 2684 2828 Jeofnpke.exe 34 PID 2684 wrote to memory of 2692 2684 Jnjjcbiq.exe 35 PID 2684 wrote to memory of 2692 2684 Jnjjcbiq.exe 35 PID 2684 wrote to memory of 2692 2684 Jnjjcbiq.exe 35 PID 2684 wrote to memory of 2692 2684 Jnjjcbiq.exe 35 PID 2692 wrote to memory of 2584 2692 Jpigonhd.exe 36 PID 2692 wrote to memory of 2584 2692 Jpigonhd.exe 36 PID 2692 wrote to memory of 2584 2692 Jpigonhd.exe 36 PID 2692 wrote to memory of 2584 2692 Jpigonhd.exe 36 PID 2584 wrote to memory of 2496 2584 Kpkcdn32.exe 37 PID 2584 wrote to memory of 2496 2584 Kpkcdn32.exe 37 PID 2584 wrote to memory of 2496 2584 Kpkcdn32.exe 37 PID 2584 wrote to memory of 2496 2584 Kpkcdn32.exe 37 PID 2496 wrote to memory of 2764 2496 Kcllfi32.exe 38 PID 2496 wrote to memory of 2764 2496 Kcllfi32.exe 38 PID 2496 wrote to memory of 2764 2496 Kcllfi32.exe 38 PID 2496 wrote to memory of 2764 2496 Kcllfi32.exe 38 PID 2764 wrote to memory of 2996 2764 Kldaon32.exe 39 PID 2764 wrote to memory of 2996 2764 Kldaon32.exe 39 PID 2764 wrote to memory of 2996 2764 Kldaon32.exe 39 PID 2764 wrote to memory of 2996 2764 Kldaon32.exe 39 PID 2996 wrote to memory of 2080 2996 Kcqfahom.exe 40 PID 2996 wrote to memory of 2080 2996 Kcqfahom.exe 40 PID 2996 wrote to memory of 2080 2996 Kcqfahom.exe 40 PID 2996 wrote to memory of 2080 2996 Kcqfahom.exe 40 PID 2080 wrote to memory of 2276 2080 Klijjnen.exe 41 PID 2080 wrote to memory of 2276 2080 Klijjnen.exe 41 PID 2080 wrote to memory of 2276 2080 Klijjnen.exe 41 PID 2080 wrote to memory of 2276 2080 Klijjnen.exe 41 PID 2276 wrote to memory of 2016 2276 Lddoopbi.exe 42 PID 2276 wrote to memory of 2016 2276 Lddoopbi.exe 42 PID 2276 wrote to memory of 2016 2276 Lddoopbi.exe 42 PID 2276 wrote to memory of 2016 2276 Lddoopbi.exe 42 PID 2016 wrote to memory of 1708 2016 Lkngkj32.exe 43 PID 2016 wrote to memory of 1708 2016 Lkngkj32.exe 43 PID 2016 wrote to memory of 1708 2016 Lkngkj32.exe 43 PID 2016 wrote to memory of 1708 2016 Lkngkj32.exe 43 PID 1708 wrote to memory of 2144 1708 Lhbhdnio.exe 44 PID 1708 wrote to memory of 2144 1708 Lhbhdnio.exe 44 PID 1708 wrote to memory of 2144 1708 Lhbhdnio.exe 44 PID 1708 wrote to memory of 2144 1708 Lhbhdnio.exe 44 PID 2144 wrote to memory of 2408 2144 Lnopmegg.exe 45 PID 2144 wrote to memory of 2408 2144 Lnopmegg.exe 45 PID 2144 wrote to memory of 2408 2144 Lnopmegg.exe 45 PID 2144 wrote to memory of 2408 2144 Lnopmegg.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\f5628253e78d5b1bd62567862e67a5f0N.exe"C:\Users\Admin\AppData\Local\Temp\f5628253e78d5b1bd62567862e67a5f0N.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2012 -
C:\Windows\SysWOW64\Jhfljm32.exeC:\Windows\system32\Jhfljm32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3000 -
C:\Windows\SysWOW64\Jblpge32.exeC:\Windows\system32\Jblpge32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2680 -
C:\Windows\SysWOW64\Jemiiqmh.exeC:\Windows\system32\Jemiiqmh.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2724 -
C:\Windows\SysWOW64\Jeofnpke.exeC:\Windows\system32\Jeofnpke.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2828 -
C:\Windows\SysWOW64\Jnjjcbiq.exeC:\Windows\system32\Jnjjcbiq.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2684 -
C:\Windows\SysWOW64\Jpigonhd.exeC:\Windows\system32\Jpigonhd.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2692 -
C:\Windows\SysWOW64\Kpkcdn32.exeC:\Windows\system32\Kpkcdn32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2584 -
C:\Windows\SysWOW64\Kcllfi32.exeC:\Windows\system32\Kcllfi32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2496 -
C:\Windows\SysWOW64\Kldaon32.exeC:\Windows\system32\Kldaon32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2764 -
C:\Windows\SysWOW64\Kcqfahom.exeC:\Windows\system32\Kcqfahom.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2996 -
C:\Windows\SysWOW64\Klijjnen.exeC:\Windows\system32\Klijjnen.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2080 -
C:\Windows\SysWOW64\Lddoopbi.exeC:\Windows\system32\Lddoopbi.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2276 -
C:\Windows\SysWOW64\Lkngkj32.exeC:\Windows\system32\Lkngkj32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2016 -
C:\Windows\SysWOW64\Lhbhdnio.exeC:\Windows\system32\Lhbhdnio.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1708 -
C:\Windows\SysWOW64\Lnopmegg.exeC:\Windows\system32\Lnopmegg.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2144 -
C:\Windows\SysWOW64\Lbmicc32.exeC:\Windows\system32\Lbmicc32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2408 -
C:\Windows\SysWOW64\Lcneklck.exeC:\Windows\system32\Lcneklck.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2472 -
C:\Windows\SysWOW64\Lglnajjb.exeC:\Windows\system32\Lglnajjb.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1456 -
C:\Windows\SysWOW64\Mnffnd32.exeC:\Windows\system32\Mnffnd32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3044 -
C:\Windows\SysWOW64\Mogcelgm.exeC:\Windows\system32\Mogcelgm.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1532 -
C:\Windows\SysWOW64\Mfakbf32.exeC:\Windows\system32\Mfakbf32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1636 -
C:\Windows\SysWOW64\Mcekkkmc.exeC:\Windows\system32\Mcekkkmc.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:496 -
C:\Windows\SysWOW64\Mjodhe32.exeC:\Windows\system32\Mjodhe32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1840 -
C:\Windows\SysWOW64\Mbjhlg32.exeC:\Windows\system32\Mbjhlg32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1624 -
C:\Windows\SysWOW64\Meidib32.exeC:\Windows\system32\Meidib32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:816 -
C:\Windows\SysWOW64\Mfhabe32.exeC:\Windows\system32\Mfhabe32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1644 -
C:\Windows\SysWOW64\Mifmoa32.exeC:\Windows\system32\Mifmoa32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2780 -
C:\Windows\SysWOW64\Memncbmj.exeC:\Windows\system32\Memncbmj.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2792 -
C:\Windows\SysWOW64\Nlgfqldf.exeC:\Windows\system32\Nlgfqldf.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2832 -
C:\Windows\SysWOW64\Nbaomf32.exeC:\Windows\system32\Nbaomf32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2944 -
C:\Windows\SysWOW64\Nhngem32.exeC:\Windows\system32\Nhngem32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2600 -
C:\Windows\SysWOW64\Njopgh32.exeC:\Windows\system32\Njopgh32.exe33⤵
- Executes dropped EXE
PID:1072 -
C:\Windows\SysWOW64\Nmmlccfp.exeC:\Windows\system32\Nmmlccfp.exe34⤵
- Executes dropped EXE
PID:948 -
C:\Windows\SysWOW64\Nhbqqlfe.exeC:\Windows\system32\Nhbqqlfe.exe35⤵
- Executes dropped EXE
PID:1008 -
C:\Windows\SysWOW64\Nmpiicdm.exeC:\Windows\system32\Nmpiicdm.exe36⤵
- Executes dropped EXE
PID:952 -
C:\Windows\SysWOW64\Npneeocq.exeC:\Windows\system32\Npneeocq.exe37⤵
- Executes dropped EXE
PID:1168 -
C:\Windows\SysWOW64\Njcibgcf.exeC:\Windows\system32\Njcibgcf.exe38⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2488 -
C:\Windows\SysWOW64\Odlnkmjg.exeC:\Windows\system32\Odlnkmjg.exe39⤵
- Executes dropped EXE
PID:2308 -
C:\Windows\SysWOW64\Oemjbe32.exeC:\Windows\system32\Oemjbe32.exe40⤵
- Executes dropped EXE
- Modifies registry class
PID:2412 -
C:\Windows\SysWOW64\Ofmgmhgh.exeC:\Windows\system32\Ofmgmhgh.exe41⤵
- Executes dropped EXE
PID:2428 -
C:\Windows\SysWOW64\Ohncdp32.exeC:\Windows\system32\Ohncdp32.exe42⤵
- Executes dropped EXE
PID:2120 -
C:\Windows\SysWOW64\Oohlaj32.exeC:\Windows\system32\Oohlaj32.exe43⤵
- Executes dropped EXE
PID:2364 -
C:\Windows\SysWOW64\Oebdndlp.exeC:\Windows\system32\Oebdndlp.exe44⤵
- Executes dropped EXE
PID:2176 -
C:\Windows\SysWOW64\Oimpnc32.exeC:\Windows\system32\Oimpnc32.exe45⤵
- Executes dropped EXE
PID:2100 -
C:\Windows\SysWOW64\Okolfkjg.exeC:\Windows\system32\Okolfkjg.exe46⤵
- Executes dropped EXE
PID:536 -
C:\Windows\SysWOW64\Obfdgiji.exeC:\Windows\system32\Obfdgiji.exe47⤵
- Executes dropped EXE
PID:1132 -
C:\Windows\SysWOW64\Oedqcdim.exeC:\Windows\system32\Oedqcdim.exe48⤵
- Executes dropped EXE
PID:916 -
C:\Windows\SysWOW64\Olnipn32.exeC:\Windows\system32\Olnipn32.exe49⤵
- Executes dropped EXE
PID:2036 -
C:\Windows\SysWOW64\Omoehf32.exeC:\Windows\system32\Omoehf32.exe50⤵
- Executes dropped EXE
PID:1928 -
C:\Windows\SysWOW64\Oefmid32.exeC:\Windows\system32\Oefmid32.exe51⤵
- Executes dropped EXE
PID:648 -
C:\Windows\SysWOW64\Odimdqne.exeC:\Windows\system32\Odimdqne.exe52⤵
- Executes dropped EXE
PID:2356 -
C:\Windows\SysWOW64\Pkcfak32.exeC:\Windows\system32\Pkcfak32.exe53⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2676 -
C:\Windows\SysWOW64\Pamnnemo.exeC:\Windows\system32\Pamnnemo.exe54⤵
- Executes dropped EXE
PID:2840 -
C:\Windows\SysWOW64\Phgfko32.exeC:\Windows\system32\Phgfko32.exe55⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2856 -
C:\Windows\SysWOW64\Pkebgj32.exeC:\Windows\system32\Pkebgj32.exe56⤵
- Executes dropped EXE
PID:2580 -
C:\Windows\SysWOW64\Pmdocf32.exeC:\Windows\system32\Pmdocf32.exe57⤵
- Executes dropped EXE
PID:2500 -
C:\Windows\SysWOW64\Pdngpp32.exeC:\Windows\system32\Pdngpp32.exe58⤵
- Executes dropped EXE
PID:1076 -
C:\Windows\SysWOW64\Pkholjam.exeC:\Windows\system32\Pkholjam.exe59⤵
- Executes dropped EXE
PID:2112 -
C:\Windows\SysWOW64\Pnfkheap.exeC:\Windows\system32\Pnfkheap.exe60⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2912 -
C:\Windows\SysWOW64\Plildb32.exeC:\Windows\system32\Plildb32.exe61⤵
- Executes dropped EXE
PID:1664 -
C:\Windows\SysWOW64\Pccdqloh.exeC:\Windows\system32\Pccdqloh.exe62⤵
- Executes dropped EXE
PID:1260 -
C:\Windows\SysWOW64\Pgopak32.exeC:\Windows\system32\Pgopak32.exe63⤵
- Executes dropped EXE
PID:2552 -
C:\Windows\SysWOW64\Pnihneon.exeC:\Windows\system32\Pnihneon.exe64⤵
- Executes dropped EXE
PID:308 -
C:\Windows\SysWOW64\Pllhib32.exeC:\Windows\system32\Pllhib32.exe65⤵
- Executes dropped EXE
PID:1052 -
C:\Windows\SysWOW64\Pceqfl32.exeC:\Windows\system32\Pceqfl32.exe66⤵PID:2228
-
C:\Windows\SysWOW64\Pedmbg32.exeC:\Windows\system32\Pedmbg32.exe67⤵PID:1716
-
C:\Windows\SysWOW64\Plneoace.exeC:\Windows\system32\Plneoace.exe68⤵PID:1632
-
C:\Windows\SysWOW64\Polakmbi.exeC:\Windows\system32\Polakmbi.exe69⤵PID:1544
-
C:\Windows\SysWOW64\Qakmghbm.exeC:\Windows\system32\Qakmghbm.exe70⤵PID:2196
-
C:\Windows\SysWOW64\Qhdfdb32.exeC:\Windows\system32\Qhdfdb32.exe71⤵PID:2524
-
C:\Windows\SysWOW64\Qlpadaac.exeC:\Windows\system32\Qlpadaac.exe72⤵PID:2464
-
C:\Windows\SysWOW64\Qamjmh32.exeC:\Windows\system32\Qamjmh32.exe73⤵PID:3008
-
C:\Windows\SysWOW64\Qfifmghc.exeC:\Windows\system32\Qfifmghc.exe74⤵PID:2592
-
C:\Windows\SysWOW64\Qlbnja32.exeC:\Windows\system32\Qlbnja32.exe75⤵PID:2744
-
C:\Windows\SysWOW64\Andkbien.exeC:\Windows\system32\Andkbien.exe76⤵PID:2564
-
C:\Windows\SysWOW64\Adncoc32.exeC:\Windows\system32\Adncoc32.exe77⤵PID:1028
-
C:\Windows\SysWOW64\Akhkkmdh.exeC:\Windows\system32\Akhkkmdh.exe78⤵PID:2940
-
C:\Windows\SysWOW64\Anfggicl.exeC:\Windows\system32\Anfggicl.exe79⤵
- System Location Discovery: System Language Discovery
PID:2980 -
C:\Windows\SysWOW64\Aqddcdbo.exeC:\Windows\system32\Aqddcdbo.exe80⤵PID:1712
-
C:\Windows\SysWOW64\Agolpnjl.exeC:\Windows\system32\Agolpnjl.exe81⤵PID:2028
-
C:\Windows\SysWOW64\Anhdmh32.exeC:\Windows\system32\Anhdmh32.exe82⤵
- System Location Discovery: System Language Discovery
PID:3032 -
C:\Windows\SysWOW64\Aqgqid32.exeC:\Windows\system32\Aqgqid32.exe83⤵PID:2240
-
C:\Windows\SysWOW64\Aklefm32.exeC:\Windows\system32\Aklefm32.exe84⤵
- Drops file in System32 directory
PID:1424 -
C:\Windows\SysWOW64\Amnanefa.exeC:\Windows\system32\Amnanefa.exe85⤵PID:1680
-
C:\Windows\SysWOW64\Adeiobgc.exeC:\Windows\system32\Adeiobgc.exe86⤵PID:2092
-
C:\Windows\SysWOW64\Ajaagi32.exeC:\Windows\system32\Ajaagi32.exe87⤵PID:1696
-
C:\Windows\SysWOW64\Aqljdclg.exeC:\Windows\system32\Aqljdclg.exe88⤵PID:688
-
C:\Windows\SysWOW64\Acjfpokk.exeC:\Windows\system32\Acjfpokk.exe89⤵PID:1836
-
C:\Windows\SysWOW64\Bjdnmi32.exeC:\Windows\system32\Bjdnmi32.exe90⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2992 -
C:\Windows\SysWOW64\Bmbkid32.exeC:\Windows\system32\Bmbkid32.exe91⤵PID:2588
-
C:\Windows\SysWOW64\Bclcfnih.exeC:\Windows\system32\Bclcfnih.exe92⤵PID:2816
-
C:\Windows\SysWOW64\Bbocak32.exeC:\Windows\system32\Bbocak32.exe93⤵PID:2880
-
C:\Windows\SysWOW64\Bmegodpi.exeC:\Windows\system32\Bmegodpi.exe94⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2984 -
C:\Windows\SysWOW64\Bocckoom.exeC:\Windows\system32\Bocckoom.exe95⤵PID:2656
-
C:\Windows\SysWOW64\Beplcfmd.exeC:\Windows\system32\Beplcfmd.exe96⤵PID:2068
-
C:\Windows\SysWOW64\Bmgddcnf.exeC:\Windows\system32\Bmgddcnf.exe97⤵
- System Location Discovery: System Language Discovery
PID:2424 -
C:\Windows\SysWOW64\Bnhqll32.exeC:\Windows\system32\Bnhqll32.exe98⤵PID:1276
-
C:\Windows\SysWOW64\Bfphmi32.exeC:\Windows\system32\Bfphmi32.exe99⤵PID:1608
-
C:\Windows\SysWOW64\Bgqeea32.exeC:\Windows\system32\Bgqeea32.exe100⤵PID:1060
-
C:\Windows\SysWOW64\Bnkmakbb.exeC:\Windows\system32\Bnkmakbb.exe101⤵PID:2716
-
C:\Windows\SysWOW64\Bedene32.exeC:\Windows\system32\Bedene32.exe102⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2660 -
C:\Windows\SysWOW64\Bgcbja32.exeC:\Windows\system32\Bgcbja32.exe103⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2804 -
C:\Windows\SysWOW64\Bnmjgkpo.exeC:\Windows\system32\Bnmjgkpo.exe104⤵PID:2380
-
C:\Windows\SysWOW64\Cegbce32.exeC:\Windows\system32\Cegbce32.exe105⤵PID:2960
-
C:\Windows\SysWOW64\Ckajqo32.exeC:\Windows\system32\Ckajqo32.exe106⤵PID:2628
-
C:\Windows\SysWOW64\Cjdkllec.exeC:\Windows\system32\Cjdkllec.exe107⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1108 -
C:\Windows\SysWOW64\Ceioieei.exeC:\Windows\system32\Ceioieei.exe108⤵PID:2760
-
C:\Windows\SysWOW64\Cfkkam32.exeC:\Windows\system32\Cfkkam32.exe109⤵
- System Location Discovery: System Language Discovery
PID:2848 -
C:\Windows\SysWOW64\Cmdcngbd.exeC:\Windows\system32\Cmdcngbd.exe110⤵PID:2056
-
C:\Windows\SysWOW64\Cpcpjbah.exeC:\Windows\system32\Cpcpjbah.exe111⤵
- Modifies registry class
PID:2372 -
C:\Windows\SysWOW64\Cfmhfm32.exeC:\Windows\system32\Cfmhfm32.exe112⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1952 -
C:\Windows\SysWOW64\Cikdbhhi.exeC:\Windows\system32\Cikdbhhi.exe113⤵PID:2168
-
C:\Windows\SysWOW64\Cpemob32.exeC:\Windows\system32\Cpemob32.exe114⤵PID:1248
-
C:\Windows\SysWOW64\Cfoellgb.exeC:\Windows\system32\Cfoellgb.exe115⤵
- Drops file in System32 directory
PID:1592 -
C:\Windows\SysWOW64\Cmimif32.exeC:\Windows\system32\Cmimif32.exe116⤵
- Modifies registry class
PID:2396 -
C:\Windows\SysWOW64\Cllmdcej.exeC:\Windows\system32\Cllmdcej.exe117⤵
- Modifies registry class
PID:2448 -
C:\Windows\SysWOW64\Ccceeqfl.exeC:\Windows\system32\Ccceeqfl.exe118⤵PID:2708
-
C:\Windows\SysWOW64\Cedbmi32.exeC:\Windows\system32\Cedbmi32.exe119⤵
- System Location Discovery: System Language Discovery
PID:2852 -
C:\Windows\SysWOW64\Cipnng32.exeC:\Windows\system32\Cipnng32.exe120⤵PID:328
-
C:\Windows\SysWOW64\Domffn32.exeC:\Windows\system32\Domffn32.exe121⤵PID:2264
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-