Analysis
max time kernel: 40s
max time network: 19s
platform: windows7_x64
resource: win7-20240729-en
resource tags: arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system
submitted: 19/08/2024, 07:21
Static task: static1

Behavioral task: behavioral1
Sample: be93e410e5427c3eeea6a48f319b39b0N.exe
Resource: win7-20240729-en

Behavioral task: behavioral2
Sample: be93e410e5427c3eeea6a48f319b39b0N.exe
Resource: win10v2004-20240802-en
General
Target: be93e410e5427c3eeea6a48f319b39b0N.exe
Size: 90KB
MD5: be93e410e5427c3eeea6a48f319b39b0
SHA1: 1f2aff5190c83f0e3cebb060763dd6efac880690
SHA256: 02b361c3bcb136916374a567e016d9539bf58242a7b99ca2a30a3de122348772
SHA512: b3b4636230b83a2c022bd96435830bd79cfcf43d15bf36e02eb4112b43e8a75205288f2e0676d847b0ba73eef7e03e05e4bedead491fc7732ced0320bf0789dd
SSDEEP: 1536:9s0PkacjJCBCY3gyGDlpbpvpY2JdNpXHkxmWDGDu/Ub0VkVNK:MayUI7pJJJF3kxmWDGDu/Ub0+NK
Malware Config
Signatures
Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
Executes dropped EXE (64 IoCs)
Loads dropped DLL (64 IoCs)
Drops file in System32 directory (64 IoCs)
Program crash (1 IoC)
pid: 4720, pid_target: 4696, Process: WerFault.exe, procid_target: 342
System Location Discovery: System Language Discovery (1 TTP, 64 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Modifies registry class (64 IoCs)
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target
PID 1968 wrote to memory of 2208 | 1968 | be93e410e5427c3eeea6a48f319b39b0N.exe | 29
PID 1968 wrote to memory of 2208 | 1968 | be93e410e5427c3eeea6a48f319b39b0N.exe | 29
PID 1968 wrote to memory of 2208 | 1968 | be93e410e5427c3eeea6a48f319b39b0N.exe | 29
PID 1968 wrote to memory of 2208 | 1968 | be93e410e5427c3eeea6a48f319b39b0N.exe | 29
PID 2208 wrote to memory of 2684 | 2208 | Ghaeaaki.exe | 30
PID 2208 wrote to memory of 2684 | 2208 | Ghaeaaki.exe | 30
PID 2208 wrote to memory of 2684 | 2208 | Ghaeaaki.exe | 30
PID 2208 wrote to memory of 2684 | 2208 | Ghaeaaki.exe | 30
PID 2684 wrote to memory of 2856 | 2684 | Geeekf32.exe | 31
PID 2684 wrote to memory of 2856 | 2684 | Geeekf32.exe | 31
PID 2684 wrote to memory of 2856 | 2684 | Geeekf32.exe | 31
PID 2684 wrote to memory of 2856 | 2684 | Geeekf32.exe | 31
PID 2856 wrote to memory of 2824 | 2856 | Gkancm32.exe | 32
PID 2856 wrote to memory of 2824 | 2856 | Gkancm32.exe | 32
PID 2856 wrote to memory of 2824 | 2856 | Gkancm32.exe | 32
PID 2856 wrote to memory of 2824 | 2856 | Gkancm32.exe | 32
PID 2824 wrote to memory of 3016 | 2824 | Gegbpe32.exe | 33
PID 2824 wrote to memory of 3016 | 2824 | Gegbpe32.exe | 33
PID 2824 wrote to memory of 3016 | 2824 | Gegbpe32.exe | 33
PID 2824 wrote to memory of 3016 | 2824 | Gegbpe32.exe | 33
PID 3016 wrote to memory of 2644 | 3016 | Gdjblboj.exe | 34
PID 3016 wrote to memory of 2644 | 3016 | Gdjblboj.exe | 34
PID 3016 wrote to memory of 2644 | 3016 | Gdjblboj.exe | 34
PID 3016 wrote to memory of 2644 | 3016 | Gdjblboj.exe | 34
PID 2644 wrote to memory of 2300 | 2644 | Hopgikop.exe | 35
PID 2644 wrote to memory of 2300 | 2644 | Hopgikop.exe | 35
PID 2644 wrote to memory of 2300 | 2644 | Hopgikop.exe | 35
PID 2644 wrote to memory of 2300 | 2644 | Hopgikop.exe | 35
PID 2300 wrote to memory of 960 | 2300 | Hnbgdh32.exe | 36
PID 2300 wrote to memory of 960 | 2300 | Hnbgdh32.exe | 36
PID 2300 wrote to memory of 960 | 2300 | Hnbgdh32.exe | 36
PID 2300 wrote to memory of 960 | 2300 | Hnbgdh32.exe | 36
PID 960 wrote to memory of 3020 | 960 | Hfiofefm.exe | 37
PID 960 wrote to memory of 3020 | 960 | Hfiofefm.exe | 37
PID 960 wrote to memory of 3020 | 960 | Hfiofefm.exe | 37
PID 960 wrote to memory of 3020 | 960 | Hfiofefm.exe | 37
PID 3020 wrote to memory of 2948 | 3020 | Hhhkbqea.exe | 38
PID 3020 wrote to memory of 2948 | 3020 | Hhhkbqea.exe | 38
PID 3020 wrote to memory of 2948 | 3020 | Hhhkbqea.exe | 38
PID 3020 wrote to memory of 2948 | 3020 | Hhhkbqea.exe | 38
PID 2948 wrote to memory of 1980 | 2948 | Hkfgnldd.exe | 39
PID 2948 wrote to memory of 1980 | 2948 | Hkfgnldd.exe | 39
PID 2948 wrote to memory of 1980 | 2948 | Hkfgnldd.exe | 39
PID 2948 wrote to memory of 1980 | 2948 | Hkfgnldd.exe | 39
PID 1980 wrote to memory of 1564 | 1980 | Hnecjgch.exe | 40
PID 1980 wrote to memory of 1564 | 1980 | Hnecjgch.exe | 40
PID 1980 wrote to memory of 1564 | 1980 | Hnecjgch.exe | 40
PID 1980 wrote to memory of 1564 | 1980 | Hnecjgch.exe | 40
PID 1564 wrote to memory of 2928 | 1564 | Hqcpfcbl.exe | 41
PID 1564 wrote to memory of 2928 | 1564 | Hqcpfcbl.exe | 41
PID 1564 wrote to memory of 2928 | 1564 | Hqcpfcbl.exe | 41
PID 1564 wrote to memory of 2928 | 1564 | Hqcpfcbl.exe | 41
PID 2928 wrote to memory of 1712 | 2928 | Hhjhgpcn.exe | 42
PID 2928 wrote to memory of 1712 | 2928 | Hhjhgpcn.exe | 42
PID 2928 wrote to memory of 1712 | 2928 | Hhjhgpcn.exe | 42
PID 2928 wrote to memory of 1712 | 2928 | Hhjhgpcn.exe | 42
PID 1712 wrote to memory of 1692 | 1712 | Hkidclbb.exe | 43
PID 1712 wrote to memory of 1692 | 1712 | Hkidclbb.exe | 43
PID 1712 wrote to memory of 1692 | 1712 | Hkidclbb.exe | 43
PID 1712 wrote to memory of 1692 | 1712 | Hkidclbb.exe | 43
PID 1692 wrote to memory of 1216 | 1692 | Hngppgae.exe | 44
PID 1692 wrote to memory of 1216 | 1692 | Hngppgae.exe | 44
PID 1692 wrote to memory of 1216 | 1692 | Hngppgae.exe | 44
PID 1692 wrote to memory of 1216 | 1692 | Hngppgae.exe | 44
Processes
-
[1] C:\Users\Admin\AppData\Local\Temp\be93e410e5427c3eeea6a48f319b39b0N.exe (command line: "C:\Users\Admin\AppData\Local\Temp\be93e410e5427c3eeea6a48f319b39b0N.exe")
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1968 -
[2] C:\Windows\SysWOW64\Ghaeaaki.exe (command line: C:\Windows\system32\Ghaeaaki.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2208 -
[3] C:\Windows\SysWOW64\Geeekf32.exe (command line: C:\Windows\system32\Geeekf32.exe)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2684 -
[4] C:\Windows\SysWOW64\Gkancm32.exe (command line: C:\Windows\system32\Gkancm32.exe)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2856 -
[5] C:\Windows\SysWOW64\Gegbpe32.exe (command line: C:\Windows\system32\Gegbpe32.exe)
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2824 -
[6] C:\Windows\SysWOW64\Gdjblboj.exe (command line: C:\Windows\system32\Gdjblboj.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3016 -
[7] C:\Windows\SysWOW64\Hopgikop.exe (command line: C:\Windows\system32\Hopgikop.exe)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2644 -
[8] C:\Windows\SysWOW64\Hnbgdh32.exe (command line: C:\Windows\system32\Hnbgdh32.exe)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2300 -
[9] C:\Windows\SysWOW64\Hfiofefm.exe (command line: C:\Windows\system32\Hfiofefm.exe)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:960 -
[10] C:\Windows\SysWOW64\Hhhkbqea.exe (command line: C:\Windows\system32\Hhhkbqea.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3020 -
[11] C:\Windows\SysWOW64\Hkfgnldd.exe (command line: C:\Windows\system32\Hkfgnldd.exe)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2948 -
[12] C:\Windows\SysWOW64\Hnecjgch.exe (command line: C:\Windows\system32\Hnecjgch.exe)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1980 -
[13] C:\Windows\SysWOW64\Hqcpfcbl.exe (command line: C:\Windows\system32\Hqcpfcbl.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1564 -
[14] C:\Windows\SysWOW64\Hhjhgpcn.exe (command line: C:\Windows\system32\Hhjhgpcn.exe)
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2928 -
[15] C:\Windows\SysWOW64\Hkidclbb.exe (command line: C:\Windows\system32\Hkidclbb.exe)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1712 -
[16] C:\Windows\SysWOW64\Hngppgae.exe (command line: C:\Windows\system32\Hngppgae.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1692 -
[17] C:\Windows\SysWOW64\Hdailaib.exe (command line: C:\Windows\system32\Hdailaib.exe)
- Executes dropped EXE
- Loads dropped DLL
PID:1216 -
[18] C:\Windows\SysWOW64\Hgpeimhf.exe (command line: C:\Windows\system32\Hgpeimhf.exe)
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:848 -
[19] C:\Windows\SysWOW64\Hjnaehgj.exe (command line: C:\Windows\system32\Hjnaehgj.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2016 -
[20] C:\Windows\SysWOW64\Hnimeg32.exe (command line: C:\Windows\system32\Hnimeg32.exe)
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:836 -
[21] C:\Windows\SysWOW64\Hdcebagp.exe (command line: C:\Windows\system32\Hdcebagp.exe)
- Executes dropped EXE
- Loads dropped DLL
PID:2172 -
[22] C:\Windows\SysWOW64\Hgbanlfc.exe (command line: C:\Windows\system32\Hgbanlfc.exe)
- Executes dropped EXE
- Loads dropped DLL
PID:1112 -
[23] C:\Windows\SysWOW64\Hfdbji32.exe (command line: C:\Windows\system32\Hfdbji32.exe)
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:996 -
[24] C:\Windows\SysWOW64\Hmojfcdk.exe (command line: C:\Windows\system32\Hmojfcdk.exe)
- Executes dropped EXE
- Loads dropped DLL
PID:1324 -
[25] C:\Windows\SysWOW64\Igdndl32.exe (command line: C:\Windows\system32\Igdndl32.exe)
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:940 -
[26] C:\Windows\SysWOW64\Ifgooikk.exe (command line: C:\Windows\system32\Ifgooikk.exe)
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1220 -
[27] C:\Windows\SysWOW64\Iiekkdjo.exe (command line: C:\Windows\system32\Iiekkdjo.exe)
- Executes dropped EXE
- Loads dropped DLL
PID:2332 -
[28] C:\Windows\SysWOW64\Imaglc32.exe (command line: C:\Windows\system32\Imaglc32.exe)
- Executes dropped EXE
- Loads dropped DLL
PID:2740 -
[29] C:\Windows\SysWOW64\Ibnodj32.exe (command line: C:\Windows\system32\Ibnodj32.exe)
- Executes dropped EXE
- Loads dropped DLL
PID:2860 -
[30] C:\Windows\SysWOW64\Imccab32.exe (command line: C:\Windows\system32\Imccab32.exe)
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2628 -
[31] C:\Windows\SysWOW64\Icmlnmgb.exe (command line: C:\Windows\system32\Icmlnmgb.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2708 -
[32] C:\Windows\SysWOW64\Ibplji32.exe (command line: C:\Windows\system32\Ibplji32.exe)
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2952 -
[33] C:\Windows\SysWOW64\Ieohfemq.exe (command line: C:\Windows\system32\Ieohfemq.exe)
- Executes dropped EXE
PID:3012 -
[34] C:\Windows\SysWOW64\Iijdfc32.exe (command line: C:\Windows\system32\Iijdfc32.exe)
- Executes dropped EXE
PID:2176 -
[35] C:\Windows\SysWOW64\Ifndph32.exe (command line: C:\Windows\system32\Ifndph32.exe)
- Executes dropped EXE
- Drops file in System32 directory
PID:1716 -
[36] C:\Windows\SysWOW64\Igoagpja.exe (command line: C:\Windows\system32\Igoagpja.exe)
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1492 -
[37] C:\Windows\SysWOW64\Iofiimkd.exe (command line: C:\Windows\system32\Iofiimkd.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2792 -
[38] C:\Windows\SysWOW64\Iaheqe32.exe (command line: C:\Windows\system32\Iaheqe32.exe)
- Executes dropped EXE
PID:1540 -
[39] C:\Windows\SysWOW64\Ikmjnnah.exe (command line: C:\Windows\system32\Ikmjnnah.exe)
- Executes dropped EXE
PID:3056 -
[40] C:\Windows\SysWOW64\Jnlfjjpl.exe (command line: C:\Windows\system32\Jnlfjjpl.exe)
- Executes dropped EXE
PID:2248 -
[41] C:\Windows\SysWOW64\Jchobqnc.exe (command line: C:\Windows\system32\Jchobqnc.exe)
- Executes dropped EXE
- Modifies registry class
PID:1464 -
[42] C:\Windows\SysWOW64\Jgdkbo32.exe (command line: C:\Windows\system32\Jgdkbo32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:688 -
[43] C:\Windows\SysWOW64\Jalolemm.exe (command line: C:\Windows\system32\Jalolemm.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:2464 -
[44] C:\Windows\SysWOW64\Jckkhplq.exe (command line: C:\Windows\system32\Jckkhplq.exe)
- Executes dropped EXE
PID:2524 -
[45] C:\Windows\SysWOW64\Jjdcdjcm.exe (command line: C:\Windows\system32\Jjdcdjcm.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2224 -
[46] C:\Windows\SysWOW64\Jjdcdjcm.exe (command line: C:\Windows\system32\Jjdcdjcm.exe)
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:336 -
[47] C:\Windows\SysWOW64\Jcmhmp32.exe (command line: C:\Windows\system32\Jcmhmp32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1776 -
[48] C:\Windows\SysWOW64\Jfkdik32.exe (command line: C:\Windows\system32\Jfkdik32.exe)
- Executes dropped EXE
- Drops file in System32 directory
PID:924 -
[49] C:\Windows\SysWOW64\Jijqeg32.exe (command line: C:\Windows\system32\Jijqeg32.exe)
- Executes dropped EXE
PID:2152 -
[50] C:\Windows\SysWOW64\Jaahgd32.exe (command line: C:\Windows\system32\Jaahgd32.exe)
- Executes dropped EXE
PID:2392 -
[51] C:\Windows\SysWOW64\Jpdibapb.exe (command line: C:\Windows\system32\Jpdibapb.exe)
- Executes dropped EXE
PID:964 -
[52] C:\Windows\SysWOW64\Jbbenlof.exe (command line: C:\Windows\system32\Jbbenlof.exe)
- Executes dropped EXE
PID:1624 -
[53] C:\Windows\SysWOW64\Jfnaok32.exe (command line: C:\Windows\system32\Jfnaok32.exe)
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2620 -
[54] C:\Windows\SysWOW64\Jjimpj32.exe (command line: C:\Windows\system32\Jjimpj32.exe)
- Executes dropped EXE
- Modifies registry class
PID:824 -
[55] C:\Windows\SysWOW64\Jilmkffb.exe (command line: C:\Windows\system32\Jilmkffb.exe)
- Executes dropped EXE
PID:2656 -
[56] C:\Windows\SysWOW64\Jlkigbef.exe (command line: C:\Windows\system32\Jlkigbef.exe)
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2756 -
[57] C:\Windows\SysWOW64\Jpfehq32.exe (command line: C:\Windows\system32\Jpfehq32.exe)
- Executes dropped EXE
PID:2164 -
[58] C:\Windows\SysWOW64\Jbdadl32.exe (command line: C:\Windows\system32\Jbdadl32.exe)
- Executes dropped EXE
PID:2112 -
[59] C:\Windows\SysWOW64\Jfpndkel.exe (command line: C:\Windows\system32\Jfpndkel.exe)
- Executes dropped EXE
PID:2924 -
[60] C:\Windows\SysWOW64\Kiojqfdp.exe (command line: C:\Windows\system32\Kiojqfdp.exe)
- Executes dropped EXE
- Modifies registry class
PID:1320 -
[61] C:\Windows\SysWOW64\Kmjfae32.exe (command line: C:\Windows\system32\Kmjfae32.exe)
- Executes dropped EXE
PID:1260 -
[62] C:\Windows\SysWOW64\Kphbmp32.exe (command line: C:\Windows\system32\Kphbmp32.exe)
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1120 -
[63] C:\Windows\SysWOW64\Knkbimbg.exe (command line: C:\Windows\system32\Knkbimbg.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2204 -
[64] C:\Windows\SysWOW64\Kfbjjjci.exe (command line: C:\Windows\system32\Kfbjjjci.exe)
- Executes dropped EXE
PID:1612 -
[65] C:\Windows\SysWOW64\Khdgabih.exe (command line: C:\Windows\system32\Khdgabih.exe)
- Executes dropped EXE
PID:1500 -
[66] C:\Windows\SysWOW64\Kpkocpjj.exe (command line: C:\Windows\system32\Kpkocpjj.exe)
PID:2272 -
[67] C:\Windows\SysWOW64\Kononm32.exe (command line: C:\Windows\system32\Kononm32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:2556 -
[68] C:\Windows\SysWOW64\Kbikokin.exe (command line: C:\Windows\system32\Kbikokin.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1616 -
[69] C:\Windows\SysWOW64\Kalkjh32.exe (command line: C:\Windows\system32\Kalkjh32.exe)
- System Location Discovery: System Language Discovery
PID:2748 -
[70] C:\Windows\SysWOW64\Kiccle32.exe (command line: C:\Windows\system32\Kiccle32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2612 -
[71] C:\Windows\SysWOW64\Kblhdkgk.exe (command line: C:\Windows\system32\Kblhdkgk.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2640 -
[72] C:\Windows\SysWOW64\Kanhph32.exe (command line: C:\Windows\system32\Kanhph32.exe)
PID:2288 -
[73] C:\Windows\SysWOW64\Kejdqffo.exe (command line: C:\Windows\system32\Kejdqffo.exe)
PID:2084 -
[74] C:\Windows\SysWOW64\Khhpmbeb.exe (command line: C:\Windows\system32\Khhpmbeb.exe)
PID:2968 -
[75] C:\Windows\SysWOW64\Kkglim32.exe (command line: C:\Windows\system32\Kkglim32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1608 -
[76] C:\Windows\SysWOW64\Kmeiei32.exe (command line: C:\Windows\system32\Kmeiei32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:3064 -
[77] C:\Windows\SysWOW64\Kaaeegkc.exe (command line: C:\Windows\system32\Kaaeegkc.exe)
PID:2772 -
[78] C:\Windows\SysWOW64\Kdoaackf.exe (command line: C:\Windows\system32\Kdoaackf.exe)
PID:1400 -
[79] C:\Windows\SysWOW64\Kfnmnojj.exe (command line: C:\Windows\system32\Kfnmnojj.exe)
PID:1764 -
[80] C:\Windows\SysWOW64\Kkiiom32.exe (command line: C:\Windows\system32\Kkiiom32.exe)
- Drops file in System32 directory
- Modifies registry class
PID:2124 -
[81] C:\Windows\SysWOW64\Koeeoljm.exe (command line: C:\Windows\system32\Koeeoljm.exe)
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2796 -
[82] C:\Windows\SysWOW64\Kacakgip.exe (command line: C:\Windows\system32\Kacakgip.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2268 -
[83] C:\Windows\SysWOW64\Lpfagd32.exe (command line: C:\Windows\system32\Lpfagd32.exe)
- System Location Discovery: System Language Discovery
PID:292 -
[84] C:\Windows\SysWOW64\Ldangbhd.exe (command line: C:\Windows\system32\Ldangbhd.exe)
PID:2720 -
[85] C:\Windows\SysWOW64\Lgpjcnhh.exe (command line: C:\Windows\system32\Lgpjcnhh.exe)
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2840 -
[86] C:\Windows\SysWOW64\Lkkfdmpq.exe (command line: C:\Windows\system32\Lkkfdmpq.exe)
- System Location Discovery: System Language Discovery
PID:1748 -
[87] C:\Windows\SysWOW64\Lmjbphod.exe (command line: C:\Windows\system32\Lmjbphod.exe)
- Drops file in System32 directory
PID:2760 -
[88] C:\Windows\SysWOW64\Lphnlcnh.exe (command line: C:\Windows\system32\Lphnlcnh.exe)
PID:2484 -
[89] C:\Windows\SysWOW64\Lbgkhoml.exe (command line: C:\Windows\system32\Lbgkhoml.exe)
PID:2940 -
[90] C:\Windows\SysWOW64\Lgbfin32.exe (command line: C:\Windows\system32\Lgbfin32.exe)
PID:2692 -
[91] C:\Windows\SysWOW64\Liqcei32.exe (command line: C:\Windows\system32\Liqcei32.exe)
- Modifies registry class
PID:2444 -
[92] C:\Windows\SysWOW64\Llooad32.exe (command line: C:\Windows\system32\Llooad32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1848 -
[93] C:\Windows\SysWOW64\Lpkkbcle.exe (command line: C:\Windows\system32\Lpkkbcle.exe)
- System Location Discovery: System Language Discovery
PID:2060 -
[94] C:\Windows\SysWOW64\Lcignoki.exe (command line: C:\Windows\system32\Lcignoki.exe)
- System Location Discovery: System Language Discovery
PID:2040 -
[95] C:\Windows\SysWOW64\Legcjjjm.exe (command line: C:\Windows\system32\Legcjjjm.exe)
- Drops file in System32 directory
PID:2168 -
[96] C:\Windows\SysWOW64\Lmolkg32.exe (command line: C:\Windows\system32\Lmolkg32.exe)
PID:2140 -
[97] C:\Windows\SysWOW64\Lpmhgc32.exe (command line: C:\Windows\system32\Lpmhgc32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2648 -
[98] C:\Windows\SysWOW64\Lckdcn32.exe (command line: C:\Windows\system32\Lckdcn32.exe)
PID:2868 -
[99] C:\Windows\SysWOW64\Lggpdmap.exe (command line: C:\Windows\system32\Lggpdmap.exe)
PID:2784 -
[100] C:\Windows\SysWOW64\Lielphqc.exe (command line: C:\Windows\system32\Lielphqc.exe)
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2128 -
[101] C:\Windows\SysWOW64\Lpodmb32.exe (command line: C:\Windows\system32\Lpodmb32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
PID:504 -
[102] C:\Windows\SysWOW64\Lcnqin32.exe (command line: C:\Windows\system32\Lcnqin32.exe)
- Drops file in System32 directory
PID:2256 -
[103] C:\Windows\SysWOW64\Lelmei32.exe (command line: C:\Windows\system32\Lelmei32.exe)
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:632 -
[104] C:\Windows\SysWOW64\Lhkiae32.exe (command line: C:\Windows\system32\Lhkiae32.exe)
- Modifies registry class
PID:2400 -
[105] C:\Windows\SysWOW64\Mkiemqdo.exe (command line: C:\Windows\system32\Mkiemqdo.exe)
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:388 -
[106] C:\Windows\SysWOW64\Mcpmonea.exe (command line: C:\Windows\system32\Mcpmonea.exe)
PID:2576 -
[107] C:\Windows\SysWOW64\Meojkide.exe (command line: C:\Windows\system32\Meojkide.exe)
- System Location Discovery: System Language Discovery
PID:1068 -
[108] C:\Windows\SysWOW64\Mdajff32.exe (command line: C:\Windows\system32\Mdajff32.exe)
- System Location Discovery: System Language Discovery
PID:2852 -
[109] C:\Windows\SysWOW64\Mlhbgc32.exe (command line: C:\Windows\system32\Mlhbgc32.exe)
PID:2716 -
[110] C:\Windows\SysWOW64\Mognco32.exe (command line: C:\Windows\system32\Mognco32.exe)
- System Location Discovery: System Language Discovery
PID:2880 -
[111] C:\Windows\SysWOW64\Maejpj32.exe (command line: C:\Windows\system32\Maejpj32.exe)
PID:2116 -
[112] C:\Windows\SysWOW64\Mdcfle32.exe (command line: C:\Windows\system32\Mdcfle32.exe)
PID:920 -
[113] C:\Windows\SysWOW64\Moikinib.exe (command line: C:\Windows\system32\Moikinib.exe)
- Modifies registry class
PID:2188 -
[114] C:\Windows\SysWOW64\Mpjgag32.exe (command line: C:\Windows\system32\Mpjgag32.exe)
PID:2380 -
[115] C:\Windows\SysWOW64\Mhaobd32.exe (command line: C:\Windows\system32\Mhaobd32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2064 -
[116] C:\Windows\SysWOW64\Mkplnp32.exe (command line: C:\Windows\system32\Mkplnp32.exe)
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2108 -
[117] C:\Windows\SysWOW64\Mnnhjk32.exe (command line: C:\Windows\system32\Mnnhjk32.exe)
PID:2500 -
[118] C:\Windows\SysWOW64\Mdhpgeeg.exe (command line: C:\Windows\system32\Mdhpgeeg.exe)
PID:1472 -
[119] C:\Windows\SysWOW64\Mgglcqdk.exe (command line: C:\Windows\system32\Mgglcqdk.exe)
PID:2440 -
[120] C:\Windows\SysWOW64\Mjeholco.exe (command line: C:\Windows\system32\Mjeholco.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3032 -
[121] C:\Windows\SysWOW64\Mnqdpj32.exe (command line: C:\Windows\system32\Mnqdpj32.exe)
- Drops file in System32 directory
PID:3052 -
[122] C:\Windows\SysWOW64\Mqoqlfkl.exe (command line: C:\Windows\system32\Mqoqlfkl.exe)
PID:760 -