Analysis
-
max time kernel
46s -
max time network
20s -
platform
windows7_x64 -
resource
win7-20240704-en -
resource tags
arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system -
submitted
02/09/2024, 12:15
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
bf22d23de8fbd27eca22430d4686fa90N.exe
Resource
win7-20240704-en
windows7-x64
8 signatures
120 seconds
Behavioral task
behavioral2
Sample
bf22d23de8fbd27eca22430d4686fa90N.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
6 signatures
120 seconds
General
-
Target
bf22d23de8fbd27eca22430d4686fa90N.exe
-
Size
93KB
-
MD5
bf22d23de8fbd27eca22430d4686fa90
-
SHA1
0bd2713e8f25f870c75d28de0dcc057482162f6a
-
SHA256
175890a95fc1cbe9cc2981686f6f9860a4f4c1dbb653d8c7fd5badeac8af090e
-
SHA512
e186541923aa84b42027940182bf37b4dc54434dcd874029c5214d6a9d307a2621603050f3cf16fba3713f4747b799f23cc53353dd4463d58898529946ff587a
-
SSDEEP
1536:fb54LZTAzY+aJoj6/GBn0jdfd0MV9PBepgnYyx2825ZsaMiwihtIbbpkp:D5YJo+UnYFBMpgYF825ZdMiwaIbbpkp
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jafmngde.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ljcbcngi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ladpagin.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nobpmb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Blgeahoo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bakdjn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cdnjaibm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Iplnpq32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Khglkqfj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nggkipci.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oolbcaij.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Innbde32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mchokq32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qkbpgeai.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Aafnpkii.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mmemoe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nphbfplf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nkbcgnie.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nejdjf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cojghf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kbncof32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hpdbmooo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Aiimfi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Blgeahoo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Doamhe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jcfjhj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kcngcp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Npkfff32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Eoomai32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jcmgal32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kheofahm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kqcqpc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nlapaapg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jjnlikic.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ljcbcngi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mddibb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pmfmej32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Anjojphb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bfmjoqoe.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ebabicfn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ambhpljg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cedpdpdf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fcoolj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fmgcepio.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Glomllkd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jjgonf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lqjfpbmm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bhbpahan.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kkilgb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Knjdimdh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Knjdimdh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kioiffcn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lehfafgp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nogmin32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ohkdfhge.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fcjeakfd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jgkphj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kdgfpbaf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Niqgof32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ohjmlaci.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mddibb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cedpdpdf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jpcdqpqj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jjkiie32.exe -
Executes dropped EXE 64 IoCs
pid Process 2276 Gbnenk32.exe 2696 Hpdbmooo.exe 2708 Hhadgakg.exe 2592 Hlpmmpam.exe 2720 Hkejnl32.exe 2600 Igkjcm32.exe 2996 Ilkpac32.exe 2280 Iphhgb32.exe 2616 Iciaim32.exe 2860 Jobocn32.exe 1932 Jdogldmo.exe 760 Jjnlikic.exe 848 Kqkalenn.exe 2096 Kckjmpko.exe 2088 Kcngcp32.exe 828 Kkilgb32.exe 584 Knjdimdh.exe 856 Kioiffcn.exe 1508 Ljcbcngi.exe 1764 Lehfafgp.exe 1900 Lgiobadq.exe 2240 Ljjhdm32.exe 2232 Ladpagin.exe 2512 Mddibb32.exe 2148 Miaaki32.exe 1936 Mifkfhpa.exe 2192 Mkggnp32.exe 2360 Nkjdcp32.exe 2352 Nogmin32.exe 2876 Npkfff32.exe 2588 Nggkipci.exe 2348 Nobpmb32.exe 928 Ohkdfhge.exe 2372 Odfofhic.exe 672 Oolbcaij.exe 2880 Pcnhmdli.exe 1260 Pmfmej32.exe 1624 Pmiikipg.exe 1716 Pqgbah32.exe 2284 Pmmcfi32.exe 1388 Qkbpgeai.exe 540 Qekdpkgj.exe 1744 Qoqhncgp.exe 1680 Aiimfi32.exe 2496 Anfeop32.exe 824 Ajmfca32.exe 1724 Aafnpkii.exe 3012 Acejlfhl.exe 1552 Anjojphb.exe 2976 Afecna32.exe 1576 Aakhkj32.exe 1664 Abldccka.exe 2660 Ambhpljg.exe 2768 Bboahbio.exe 2628 Blgeahoo.exe 1960 Bfmjoqoe.exe 420 Bnhncclq.exe 2520 Bimbql32.exe 520 Bbfgiabg.exe 2180 Bhbpahan.exe 2188 Bakdjn32.exe 336 Cfhlbe32.exe 1600 Camqpnel.exe 1768 Cihedpcg.exe -
Loads dropped DLL 64 IoCs
pid Process 1656 bf22d23de8fbd27eca22430d4686fa90N.exe 1656 bf22d23de8fbd27eca22430d4686fa90N.exe 2276 Gbnenk32.exe 2276 Gbnenk32.exe 2696 Hpdbmooo.exe 2696 Hpdbmooo.exe 2708 Hhadgakg.exe 2708 Hhadgakg.exe 2592 Hlpmmpam.exe 2592 Hlpmmpam.exe 2720 Hkejnl32.exe 2720 Hkejnl32.exe 2600 Igkjcm32.exe 2600 Igkjcm32.exe 2996 Ilkpac32.exe 2996 Ilkpac32.exe 2280 Iphhgb32.exe 2280 Iphhgb32.exe 2616 Iciaim32.exe 2616 Iciaim32.exe 2860 Jobocn32.exe 2860 Jobocn32.exe 1932 Jdogldmo.exe 1932 Jdogldmo.exe 760 Jjnlikic.exe 760 Jjnlikic.exe 848 Kqkalenn.exe 848 Kqkalenn.exe 2096 Kckjmpko.exe 2096 Kckjmpko.exe 2088 Kcngcp32.exe 2088 Kcngcp32.exe 828 Kkilgb32.exe 828 Kkilgb32.exe 584 Knjdimdh.exe 584 Knjdimdh.exe 856 Kioiffcn.exe 856 Kioiffcn.exe 1508 Ljcbcngi.exe 1508 Ljcbcngi.exe 1764 Lehfafgp.exe 1764 Lehfafgp.exe 1900 Lgiobadq.exe 1900 Lgiobadq.exe 2240 Ljjhdm32.exe 2240 Ljjhdm32.exe 2232 Ladpagin.exe 2232 Ladpagin.exe 2512 Mddibb32.exe 2512 Mddibb32.exe 2148 Miaaki32.exe 2148 Miaaki32.exe 1936 Mifkfhpa.exe 1936 Mifkfhpa.exe 2192 Mkggnp32.exe 2192 Mkggnp32.exe 2360 Nkjdcp32.exe 2360 Nkjdcp32.exe 2352 Nogmin32.exe 2352 Nogmin32.exe 2876 Npkfff32.exe 2876 Npkfff32.exe 2588 Nggkipci.exe 2588 Nggkipci.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Odnmig32.dll Jjkiie32.exe File created C:\Windows\SysWOW64\Kbncof32.exe Kkckblgq.exe File created C:\Windows\SysWOW64\Khglkqfj.exe Kbncof32.exe File created C:\Windows\SysWOW64\Dcihik32.dll Ocdnloph.exe File created C:\Windows\SysWOW64\Jobocn32.exe Iciaim32.exe File opened for modification C:\Windows\SysWOW64\Jobocn32.exe Iciaim32.exe File created C:\Windows\SysWOW64\Jjgonf32.exe Jcmgal32.exe File created C:\Windows\SysWOW64\Ldlipnke.dll Fbfldc32.exe File opened for modification C:\Windows\SysWOW64\Ioheci32.exe Hagepa32.exe File created C:\Windows\SysWOW64\Mdmlljbm.dll Jgkphj32.exe File created C:\Windows\SysWOW64\Mchokq32.exe Mjpkbk32.exe File opened for modification C:\Windows\SysWOW64\Hkejnl32.exe Hlpmmpam.exe File created C:\Windows\SysWOW64\Akfbdoha.dll Igkjcm32.exe File created C:\Windows\SysWOW64\Acfoejcg.dll Dkjkcfjc.exe File created C:\Windows\SysWOW64\Ckabkdol.dll Ddnfql32.exe File created C:\Windows\SysWOW64\Moeodd32.dll Liboodmk.exe File opened for modification C:\Windows\SysWOW64\Khglkqfj.exe Kbncof32.exe File created C:\Windows\SysWOW64\Ikmfgnde.dll Npffaq32.exe File created C:\Windows\SysWOW64\Jdogldmo.exe Jobocn32.exe File created C:\Windows\SysWOW64\Npkfff32.exe Nogmin32.exe File opened for modification C:\Windows\SysWOW64\Anjojphb.exe Acejlfhl.exe File opened for modification C:\Windows\SysWOW64\Eclfhgaf.exe Elbmkm32.exe File created C:\Windows\SysWOW64\Iphhgb32.exe Ilkpac32.exe File created C:\Windows\SysWOW64\Qkbpgeai.exe Pmmcfi32.exe File created C:\Windows\SysWOW64\Ckkfef32.dll Jcmgal32.exe File created C:\Windows\SysWOW64\Lgmekpmn.exe Lpapgnpb.exe File opened for modification C:\Windows\SysWOW64\Lgmekpmn.exe Lpapgnpb.exe File created C:\Windows\SysWOW64\Mkfpqgco.dll Mcjlap32.exe File created C:\Windows\SysWOW64\Iindop32.dll Pmmcfi32.exe File created C:\Windows\SysWOW64\Epbilc32.dll Ambhpljg.exe File created C:\Windows\SysWOW64\Ddnfql32.exe Doamhe32.exe File opened for modification C:\Windows\SysWOW64\Jdogldmo.exe Jobocn32.exe File opened for modification C:\Windows\SysWOW64\Kfgcieii.exe Komjmk32.exe File created C:\Windows\SysWOW64\Cbloen32.dll Bimbql32.exe File created C:\Windows\SysWOW64\Fmdfppkb.exe Fclbgj32.exe File created C:\Windows\SysWOW64\Kicqkb32.dll Kfgcieii.exe File opened for modification C:\Windows\SysWOW64\Mkggnp32.exe Mifkfhpa.exe File opened for modification C:\Windows\SysWOW64\Pmfmej32.exe Pcnhmdli.exe File created C:\Windows\SysWOW64\Dmqddn32.dll Lfdbcing.exe File opened for modification C:\Windows\SysWOW64\Igkjcm32.exe Hkejnl32.exe File opened for modification C:\Windows\SysWOW64\Enmqjq32.exe Echlmh32.exe File created C:\Windows\SysWOW64\Iddacacc.dll Kdgfpbaf.exe File opened for modification C:\Windows\SysWOW64\Bfmjoqoe.exe Blgeahoo.exe File opened for modification C:\Windows\SysWOW64\Fipdqmje.exe Fbfldc32.exe File created C:\Windows\SysWOW64\Iplnpq32.exe Innbde32.exe File created C:\Windows\SysWOW64\Knddcg32.exe Khglkqfj.exe File created C:\Windows\SysWOW64\Hiohip32.dll Lqjfpbmm.exe File opened for modification C:\Windows\SysWOW64\Bnhncclq.exe Bfmjoqoe.exe File opened for modification C:\Windows\SysWOW64\Cfhlbe32.exe Bakdjn32.exe File created C:\Windows\SysWOW64\Fmgcepio.exe Fcoolj32.exe File opened for modification C:\Windows\SysWOW64\Cpidai32.exe Cedpdpdf.exe File created C:\Windows\SysWOW64\Manljd32.exe Mjddnjdf.exe File created C:\Windows\SysWOW64\Boghbgla.dll Niqgof32.exe File created C:\Windows\SysWOW64\Knjdimdh.exe Kkilgb32.exe File opened for modification C:\Windows\SysWOW64\Nobpmb32.exe Nggkipci.exe File created C:\Windows\SysWOW64\Piffca32.dll Bnhncclq.exe File created C:\Windows\SysWOW64\Mbnfjpai.dll Pcnhmdli.exe File opened for modification C:\Windows\SysWOW64\Dpdfemkm.exe Docjne32.exe File created C:\Windows\SysWOW64\Ajmfca32.exe Anfeop32.exe File opened for modification C:\Windows\SysWOW64\Gegaeabe.exe Glomllkd.exe File created C:\Windows\SysWOW64\Enkdda32.exe Dcepgh32.exe File created C:\Windows\SysWOW64\Bnhncclq.exe Bfmjoqoe.exe File created C:\Windows\SysWOW64\Camqpnel.exe Cfhlbe32.exe File created C:\Windows\SysWOW64\Cdnjaibm.exe Cihedpcg.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 1472 2316 WerFault.exe 196 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ilkpac32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kckjmpko.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ebabicfn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lgiobadq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qekdpkgj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Glomllkd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jgkphj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jjkiie32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jpeafo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qoqhncgp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nejdjf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Miaaki32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ajmfca32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aakhkj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eclfhgaf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jjgonf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Anjojphb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ihqilnig.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ljjhdm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ambhpljg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bhbpahan.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dpdfemkm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hadhjaaa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Liboodmk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nkbcgnie.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bf22d23de8fbd27eca22430d4686fa90N.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oolbcaij.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dkjkcfjc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jnpoie32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ohkdfhge.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Afecna32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bbfgiabg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fjdnne32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jpcdqpqj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Komjmk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kfgcieii.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Okfmbm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iciaim32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Knjdimdh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lehfafgp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bboahbio.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cpidai32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dcjmcd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Docjne32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fmgcepio.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ogbgbn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cfhlbe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Echlmh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Enmqjq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mjddnjdf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nlapaapg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pqgbah32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Camqpnel.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ddnfql32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Innbde32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Odfofhic.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Acejlfhl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ceacoqfi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fgqhgjbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jcmgal32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jcfjhj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kheofahm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Knddcg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lgmekpmn.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dcepgh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Gbdlnf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gocalqhm.dll" Jnpoie32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jpeafo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Boghbgla.dll" Niqgof32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pmfmej32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Enlhahnp.dll" Cedpdpdf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fcjeakfd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kkckblgq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mciljggi.dll" Dpdfemkm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kckjmpko.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Odfofhic.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Doamhe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fjdnne32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jhqeka32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mchokq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aecmfopg.dll" Lgmekpmn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 bf22d23de8fbd27eca22430d4686fa90N.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dmadmn32.dll" Kckjmpko.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Nogmin32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Qkbpgeai.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ihqilnig.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kqcqpc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Lqjfpbmm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hagepa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Afhggc32.dll" Nlapaapg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dhopbilb.dll" Glomllkd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kdgfpbaf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Knjdimdh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Miokdmmk.dll" Mddibb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Glomllkd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckkfef32.dll" Jcmgal32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID bf22d23de8fbd27eca22430d4686fa90N.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Igkjcm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jobocn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pmiikipg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mklago32.dll" Bfmjoqoe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cpidai32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hkejnl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pqgbah32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cpejfjha.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckabkdol.dll" Ddnfql32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Gegaeabe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jpeafo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kicqkb32.dll" Kfgcieii.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node bf22d23de8fbd27eca22430d4686fa90N.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mddibb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kdgfpbaf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Miiaogio.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Echlmh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jgkphj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kdqifajl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Icijhlgk.dll" Hkejnl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Beofli32.dll" Kqkalenn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Camlob32.dll" Gindjqnc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hagepa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nfkokh32.dll" Innbde32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Lqjfpbmm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Lbmpnjai.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hpdbmooo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ljjhdm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pmfmej32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pmmcfi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odnmig32.dll" Jjkiie32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1656 wrote to memory of 2276 1656 bf22d23de8fbd27eca22430d4686fa90N.exe 30 PID 1656 wrote to memory of 2276 1656 bf22d23de8fbd27eca22430d4686fa90N.exe 30 PID 1656 wrote to memory of 2276 1656 bf22d23de8fbd27eca22430d4686fa90N.exe 30 PID 1656 wrote to memory of 2276 1656 bf22d23de8fbd27eca22430d4686fa90N.exe 30 PID 2276 wrote to memory of 2696 2276 Gbnenk32.exe 31 PID 2276 wrote to memory of 2696 2276 Gbnenk32.exe 31 PID 2276 wrote to memory of 2696 2276 Gbnenk32.exe 31 PID 2276 wrote to memory of 2696 2276 Gbnenk32.exe 31 PID 2696 wrote to memory of 2708 2696 Hpdbmooo.exe 32 PID 2696 wrote to memory of 2708 2696 Hpdbmooo.exe 32 PID 2696 wrote to memory of 2708 2696 Hpdbmooo.exe 32 PID 2696 wrote to memory of 2708 2696 Hpdbmooo.exe 32 PID 2708 wrote to memory of 2592 2708 Hhadgakg.exe 33 PID 2708 wrote to memory of 2592 2708 Hhadgakg.exe 33 PID 2708 wrote to memory of 2592 2708 Hhadgakg.exe 33 PID 2708 wrote to memory of 2592 2708 Hhadgakg.exe 33 PID 2592 wrote to memory of 2720 2592 Hlpmmpam.exe 34 PID 2592 wrote to memory of 2720 2592 Hlpmmpam.exe 34 PID 2592 wrote to memory of 2720 2592 Hlpmmpam.exe 34 PID 2592 wrote to memory of 2720 2592 Hlpmmpam.exe 34 PID 2720 wrote to memory of 2600 2720 Hkejnl32.exe 35 PID 2720 wrote to memory of 2600 2720 Hkejnl32.exe 35 PID 2720 wrote to memory of 2600 2720 Hkejnl32.exe 35 PID 2720 wrote to memory of 2600 2720 Hkejnl32.exe 35 PID 2600 wrote to memory of 2996 2600 Igkjcm32.exe 36 PID 2600 wrote to memory of 2996 2600 Igkjcm32.exe 36 PID 2600 wrote to memory of 2996 2600 Igkjcm32.exe 36 PID 2600 wrote to memory of 2996 2600 Igkjcm32.exe 36 PID 2996 wrote to memory of 2280 2996 Ilkpac32.exe 37 PID 2996 wrote to memory of 2280 2996 Ilkpac32.exe 37 PID 2996 wrote to memory of 2280 2996 Ilkpac32.exe 37 PID 2996 wrote to memory of 2280 2996 Ilkpac32.exe 37 PID 2280 wrote to memory of 2616 2280 Iphhgb32.exe 38 PID 2280 wrote to memory of 2616 2280 Iphhgb32.exe 38 PID 2280 wrote to memory of 2616 2280 Iphhgb32.exe 38 PID 2280 wrote to memory of 2616 2280 Iphhgb32.exe 38 PID 2616 wrote to memory of 2860 2616 Iciaim32.exe 39 PID 2616 wrote to memory of 2860 2616 Iciaim32.exe 39 PID 2616 wrote to memory of 2860 2616 Iciaim32.exe 39 PID 2616 wrote to memory of 2860 2616 Iciaim32.exe 39 PID 2860 wrote to memory of 1932 2860 Jobocn32.exe 40 PID 2860 wrote to memory of 1932 2860 Jobocn32.exe 40 PID 2860 wrote to memory of 1932 2860 Jobocn32.exe 40 PID 2860 wrote to memory of 1932 2860 Jobocn32.exe 40 PID 1932 wrote to memory of 760 1932 Jdogldmo.exe 41 PID 1932 wrote to memory of 760 1932 Jdogldmo.exe 41 PID 1932 wrote to memory of 760 1932 Jdogldmo.exe 41 PID 1932 wrote to memory of 760 1932 Jdogldmo.exe 41 PID 760 wrote to memory of 848 760 Jjnlikic.exe 42 PID 760 wrote to memory of 848 760 Jjnlikic.exe 42 PID 760 wrote to memory of 848 760 Jjnlikic.exe 42 PID 760 wrote to memory of 848 760 Jjnlikic.exe 42 PID 848 wrote to memory of 2096 848 Kqkalenn.exe 43 PID 848 wrote to memory of 2096 848 Kqkalenn.exe 43 PID 848 wrote to memory of 2096 848 Kqkalenn.exe 43 PID 848 wrote to memory of 2096 848 Kqkalenn.exe 43 PID 2096 wrote to memory of 2088 2096 Kckjmpko.exe 44 PID 2096 wrote to memory of 2088 2096 Kckjmpko.exe 44 PID 2096 wrote to memory of 2088 2096 Kckjmpko.exe 44 PID 2096 wrote to memory of 2088 2096 Kckjmpko.exe 44 PID 2088 wrote to memory of 828 2088 Kcngcp32.exe 45 PID 2088 wrote to memory of 828 2088 Kcngcp32.exe 45 PID 2088 wrote to memory of 828 2088 Kcngcp32.exe 45 PID 2088 wrote to memory of 828 2088 Kcngcp32.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\bf22d23de8fbd27eca22430d4686fa90N.exe"C:\Users\Admin\AppData\Local\Temp\bf22d23de8fbd27eca22430d4686fa90N.exe"1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1656 -
C:\Windows\SysWOW64\Gbnenk32.exeC:\Windows\system32\Gbnenk32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2276 -
C:\Windows\SysWOW64\Hpdbmooo.exeC:\Windows\system32\Hpdbmooo.exe3⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2696 -
C:\Windows\SysWOW64\Hhadgakg.exeC:\Windows\system32\Hhadgakg.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2708 -
C:\Windows\SysWOW64\Hlpmmpam.exeC:\Windows\system32\Hlpmmpam.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2592 -
C:\Windows\SysWOW64\Hkejnl32.exeC:\Windows\system32\Hkejnl32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2720 -
C:\Windows\SysWOW64\Igkjcm32.exeC:\Windows\system32\Igkjcm32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2600 -
C:\Windows\SysWOW64\Ilkpac32.exeC:\Windows\system32\Ilkpac32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2996 -
C:\Windows\SysWOW64\Iphhgb32.exeC:\Windows\system32\Iphhgb32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2280 -
C:\Windows\SysWOW64\Iciaim32.exeC:\Windows\system32\Iciaim32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2616 -
C:\Windows\SysWOW64\Jobocn32.exeC:\Windows\system32\Jobocn32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2860 -
C:\Windows\SysWOW64\Jdogldmo.exeC:\Windows\system32\Jdogldmo.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1932 -
C:\Windows\SysWOW64\Jjnlikic.exeC:\Windows\system32\Jjnlikic.exe13⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:760 -
C:\Windows\SysWOW64\Kqkalenn.exeC:\Windows\system32\Kqkalenn.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:848 -
C:\Windows\SysWOW64\Kckjmpko.exeC:\Windows\system32\Kckjmpko.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2096 -
C:\Windows\SysWOW64\Kcngcp32.exeC:\Windows\system32\Kcngcp32.exe16⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2088 -
C:\Windows\SysWOW64\Kkilgb32.exeC:\Windows\system32\Kkilgb32.exe17⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:828 -
C:\Windows\SysWOW64\Knjdimdh.exeC:\Windows\system32\Knjdimdh.exe18⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:584 -
C:\Windows\SysWOW64\Kioiffcn.exeC:\Windows\system32\Kioiffcn.exe19⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:856 -
C:\Windows\SysWOW64\Ljcbcngi.exeC:\Windows\system32\Ljcbcngi.exe20⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1508 -
C:\Windows\SysWOW64\Lehfafgp.exeC:\Windows\system32\Lehfafgp.exe21⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1764 -
C:\Windows\SysWOW64\Lgiobadq.exeC:\Windows\system32\Lgiobadq.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1900 -
C:\Windows\SysWOW64\Ljjhdm32.exeC:\Windows\system32\Ljjhdm32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2240 -
C:\Windows\SysWOW64\Ladpagin.exeC:\Windows\system32\Ladpagin.exe24⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2232 -
C:\Windows\SysWOW64\Mddibb32.exeC:\Windows\system32\Mddibb32.exe25⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2512 -
C:\Windows\SysWOW64\Miaaki32.exeC:\Windows\system32\Miaaki32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2148 -
C:\Windows\SysWOW64\Mifkfhpa.exeC:\Windows\system32\Mifkfhpa.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1936 -
C:\Windows\SysWOW64\Mkggnp32.exeC:\Windows\system32\Mkggnp32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2192 -
C:\Windows\SysWOW64\Nkjdcp32.exeC:\Windows\system32\Nkjdcp32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2360 -
C:\Windows\SysWOW64\Nogmin32.exeC:\Windows\system32\Nogmin32.exe30⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:2352 -
C:\Windows\SysWOW64\Npkfff32.exeC:\Windows\system32\Npkfff32.exe31⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2876 -
C:\Windows\SysWOW64\Nggkipci.exeC:\Windows\system32\Nggkipci.exe32⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2588 -
C:\Windows\SysWOW64\Nobpmb32.exeC:\Windows\system32\Nobpmb32.exe33⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2348 -
C:\Windows\SysWOW64\Ohkdfhge.exeC:\Windows\system32\Ohkdfhge.exe34⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:928 -
C:\Windows\SysWOW64\Odfofhic.exeC:\Windows\system32\Odfofhic.exe35⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2372 -
C:\Windows\SysWOW64\Oolbcaij.exeC:\Windows\system32\Oolbcaij.exe36⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:672 -
C:\Windows\SysWOW64\Pcnhmdli.exeC:\Windows\system32\Pcnhmdli.exe37⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2880 -
C:\Windows\SysWOW64\Pmfmej32.exeC:\Windows\system32\Pmfmej32.exe38⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:1260 -
C:\Windows\SysWOW64\Pmiikipg.exeC:\Windows\system32\Pmiikipg.exe39⤵
- Executes dropped EXE
- Modifies registry class
PID:1624 -
C:\Windows\SysWOW64\Pqgbah32.exeC:\Windows\system32\Pqgbah32.exe40⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1716 -
C:\Windows\SysWOW64\Pmmcfi32.exeC:\Windows\system32\Pmmcfi32.exe41⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2284 -
C:\Windows\SysWOW64\Qkbpgeai.exeC:\Windows\system32\Qkbpgeai.exe42⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:1388 -
C:\Windows\SysWOW64\Qekdpkgj.exeC:\Windows\system32\Qekdpkgj.exe43⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:540 -
C:\Windows\SysWOW64\Qoqhncgp.exeC:\Windows\system32\Qoqhncgp.exe44⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1744 -
C:\Windows\SysWOW64\Aiimfi32.exeC:\Windows\system32\Aiimfi32.exe45⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1680 -
C:\Windows\SysWOW64\Anfeop32.exeC:\Windows\system32\Anfeop32.exe46⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2496 -
C:\Windows\SysWOW64\Ajmfca32.exeC:\Windows\system32\Ajmfca32.exe47⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:824 -
C:\Windows\SysWOW64\Aafnpkii.exeC:\Windows\system32\Aafnpkii.exe48⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1724 -
C:\Windows\SysWOW64\Acejlfhl.exeC:\Windows\system32\Acejlfhl.exe49⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:3012 -
C:\Windows\SysWOW64\Anjojphb.exeC:\Windows\system32\Anjojphb.exe50⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1552 -
C:\Windows\SysWOW64\Afecna32.exeC:\Windows\system32\Afecna32.exe51⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2976 -
C:\Windows\SysWOW64\Aakhkj32.exeC:\Windows\system32\Aakhkj32.exe52⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1576 -
C:\Windows\SysWOW64\Abldccka.exeC:\Windows\system32\Abldccka.exe53⤵
- Executes dropped EXE
PID:1664 -
C:\Windows\SysWOW64\Ambhpljg.exeC:\Windows\system32\Ambhpljg.exe54⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2660 -
C:\Windows\SysWOW64\Bboahbio.exeC:\Windows\system32\Bboahbio.exe55⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2768 -
C:\Windows\SysWOW64\Blgeahoo.exeC:\Windows\system32\Blgeahoo.exe56⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2628 -
C:\Windows\SysWOW64\Bfmjoqoe.exeC:\Windows\system32\Bfmjoqoe.exe57⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1960 -
C:\Windows\SysWOW64\Bnhncclq.exeC:\Windows\system32\Bnhncclq.exe58⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:420 -
C:\Windows\SysWOW64\Bimbql32.exeC:\Windows\system32\Bimbql32.exe59⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2520 -
C:\Windows\SysWOW64\Bbfgiabg.exeC:\Windows\system32\Bbfgiabg.exe60⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:520 -
C:\Windows\SysWOW64\Bhbpahan.exeC:\Windows\system32\Bhbpahan.exe61⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2180 -
C:\Windows\SysWOW64\Bakdjn32.exeC:\Windows\system32\Bakdjn32.exe62⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2188 -
C:\Windows\SysWOW64\Cfhlbe32.exeC:\Windows\system32\Cfhlbe32.exe63⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:336 -
C:\Windows\SysWOW64\Camqpnel.exeC:\Windows\system32\Camqpnel.exe64⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1600 -
C:\Windows\SysWOW64\Cihedpcg.exeC:\Windows\system32\Cihedpcg.exe65⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1768 -
C:\Windows\SysWOW64\Cdnjaibm.exeC:\Windows\system32\Cdnjaibm.exe66⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2524 -
C:\Windows\SysWOW64\Cpejfjha.exeC:\Windows\system32\Cpejfjha.exe67⤵
- Modifies registry class
PID:2448 -
C:\Windows\SysWOW64\Ceacoqfi.exeC:\Windows\system32\Ceacoqfi.exe68⤵
- System Location Discovery: System Language Discovery
PID:1068 -
C:\Windows\SysWOW64\Cojghf32.exeC:\Windows\system32\Cojghf32.exe69⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2968 -
C:\Windows\SysWOW64\Cedpdpdf.exeC:\Windows\system32\Cedpdpdf.exe70⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:2144 -
C:\Windows\SysWOW64\Cpidai32.exeC:\Windows\system32\Cpidai32.exe71⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2792 -
C:\Windows\SysWOW64\Defljp32.exeC:\Windows\system32\Defljp32.exe72⤵PID:2716
-
C:\Windows\SysWOW64\Dlpdfjjp.exeC:\Windows\system32\Dlpdfjjp.exe73⤵PID:2732
-
C:\Windows\SysWOW64\Dcjmcd32.exeC:\Windows\system32\Dcjmcd32.exe74⤵
- System Location Discovery: System Language Discovery
PID:2572 -
C:\Windows\SysWOW64\Doamhe32.exeC:\Windows\system32\Doamhe32.exe75⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:2608 -
C:\Windows\SysWOW64\Ddnfql32.exeC:\Windows\system32\Ddnfql32.exe76⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1536 -
C:\Windows\SysWOW64\Docjne32.exeC:\Windows\system32\Docjne32.exe77⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:564 -
C:\Windows\SysWOW64\Dpdfemkm.exeC:\Windows\system32\Dpdfemkm.exe78⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2912 -
C:\Windows\SysWOW64\Dkjkcfjc.exeC:\Windows\system32\Dkjkcfjc.exe79⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2168 -
C:\Windows\SysWOW64\Dcepgh32.exeC:\Windows\system32\Dcepgh32.exe80⤵
- Drops file in System32 directory
- Modifies registry class
PID:952 -
C:\Windows\SysWOW64\Enkdda32.exeC:\Windows\system32\Enkdda32.exe81⤵PID:2436
-
C:\Windows\SysWOW64\Echlmh32.exeC:\Windows\system32\Echlmh32.exe82⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2392 -
C:\Windows\SysWOW64\Enmqjq32.exeC:\Windows\system32\Enmqjq32.exe83⤵
- System Location Discovery: System Language Discovery
PID:3004 -
C:\Windows\SysWOW64\Eoomai32.exeC:\Windows\system32\Eoomai32.exe84⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2892 -
C:\Windows\SysWOW64\Elbmkm32.exeC:\Windows\system32\Elbmkm32.exe85⤵
- Drops file in System32 directory
PID:2228 -
C:\Windows\SysWOW64\Eclfhgaf.exeC:\Windows\system32\Eclfhgaf.exe86⤵
- System Location Discovery: System Language Discovery
PID:744 -
C:\Windows\SysWOW64\Elejqm32.exeC:\Windows\system32\Elejqm32.exe87⤵PID:1956
-
C:\Windows\SysWOW64\Ebabicfn.exeC:\Windows\system32\Ebabicfn.exe88⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:2804 -
C:\Windows\SysWOW64\Emggflfc.exeC:\Windows\system32\Emggflfc.exe89⤵PID:2900
-
C:\Windows\SysWOW64\Enhcnd32.exeC:\Windows\system32\Enhcnd32.exe90⤵PID:2080
-
C:\Windows\SysWOW64\Fgqhgjbb.exeC:\Windows\system32\Fgqhgjbb.exe91⤵
- System Location Discovery: System Language Discovery
PID:2368 -
C:\Windows\SysWOW64\Fbfldc32.exeC:\Windows\system32\Fbfldc32.exe92⤵
- Drops file in System32 directory
PID:2928 -
C:\Windows\SysWOW64\Fipdqmje.exeC:\Windows\system32\Fipdqmje.exe93⤵PID:1036
-
C:\Windows\SysWOW64\Fbiijb32.exeC:\Windows\system32\Fbiijb32.exe94⤵PID:2172
-
C:\Windows\SysWOW64\Fcjeakfd.exeC:\Windows\system32\Fcjeakfd.exe95⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2076 -
C:\Windows\SysWOW64\Fjdnne32.exeC:\Windows\system32\Fjdnne32.exe96⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1776 -
C:\Windows\SysWOW64\Fclbgj32.exeC:\Windows\system32\Fclbgj32.exe97⤵
- Drops file in System32 directory
PID:912 -
C:\Windows\SysWOW64\Fmdfppkb.exeC:\Windows\system32\Fmdfppkb.exe98⤵PID:1276
-
C:\Windows\SysWOW64\Fcoolj32.exeC:\Windows\system32\Fcoolj32.exe99⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:1924 -
C:\Windows\SysWOW64\Fmgcepio.exeC:\Windows\system32\Fmgcepio.exe100⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:2884 -
C:\Windows\SysWOW64\Gbdlnf32.exeC:\Windows\system32\Gbdlnf32.exe101⤵
- Modifies registry class
PID:2064 -
C:\Windows\SysWOW64\Gindjqnc.exeC:\Windows\system32\Gindjqnc.exe102⤵
- Modifies registry class
PID:2556 -
C:\Windows\SysWOW64\Gfadcemm.exeC:\Windows\system32\Gfadcemm.exe103⤵PID:552
-
C:\Windows\SysWOW64\Glomllkd.exeC:\Windows\system32\Glomllkd.exe104⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2244 -
C:\Windows\SysWOW64\Gegaeabe.exeC:\Windows\system32\Gegaeabe.exe105⤵
- Modifies registry class
PID:2624 -
C:\Windows\SysWOW64\Hadhjaaa.exeC:\Windows\system32\Hadhjaaa.exe106⤵
- System Location Discovery: System Language Discovery
PID:1760 -
C:\Windows\SysWOW64\Hagepa32.exeC:\Windows\system32\Hagepa32.exe107⤵
- Drops file in System32 directory
- Modifies registry class
PID:2320 -
C:\Windows\SysWOW64\Ioheci32.exeC:\Windows\system32\Ioheci32.exe108⤵PID:3044
-
C:\Windows\SysWOW64\Iagaod32.exeC:\Windows\system32\Iagaod32.exe109⤵PID:2196
-
C:\Windows\SysWOW64\Ihqilnig.exeC:\Windows\system32\Ihqilnig.exe110⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:536 -
C:\Windows\SysWOW64\Innbde32.exeC:\Windows\system32\Innbde32.exe111⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2256 -
C:\Windows\SysWOW64\Iplnpq32.exeC:\Windows\system32\Iplnpq32.exe112⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2212 -
C:\Windows\SysWOW64\Jnpoie32.exeC:\Windows\system32\Jnpoie32.exe113⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2744 -
C:\Windows\SysWOW64\Jcmgal32.exeC:\Windows\system32\Jcmgal32.exe114⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2816 -
C:\Windows\SysWOW64\Jjgonf32.exeC:\Windows\system32\Jjgonf32.exe115⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:1640 -
C:\Windows\SysWOW64\Jpqgkpcl.exeC:\Windows\system32\Jpqgkpcl.exe116⤵PID:2268
-
C:\Windows\SysWOW64\Jgkphj32.exeC:\Windows\system32\Jgkphj32.exe117⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:576 -
C:\Windows\SysWOW64\Jjilde32.exeC:\Windows\system32\Jjilde32.exe118⤵PID:680
-
C:\Windows\SysWOW64\Jpcdqpqj.exeC:\Windows\system32\Jpcdqpqj.exe119⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:2988 -
C:\Windows\SysWOW64\Jjkiie32.exeC:\Windows\system32\Jjkiie32.exe120⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2452 -
C:\Windows\SysWOW64\Jpeafo32.exeC:\Windows\system32\Jpeafo32.exe121⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1028
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-