Analysis
-
max time kernel
119s -
max time network
16s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
28/09/2024, 13:07
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
07746ab24a5458627b6788d8178d9ae148855d5d5b1ec3ac6e290070ed79b2b1N.exe
Resource
win7-20240903-en
windows7-x64
8 signatures
120 seconds
Behavioral task
behavioral2
Sample
07746ab24a5458627b6788d8178d9ae148855d5d5b1ec3ac6e290070ed79b2b1N.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
7 signatures
120 seconds
General
-
Target
07746ab24a5458627b6788d8178d9ae148855d5d5b1ec3ac6e290070ed79b2b1N.exe
-
Size
96KB
-
MD5
0a57be8546ae9bbf87576cc314746260
-
SHA1
f86780a58c7f4f4567bb9e255ddd127121ba1c32
-
SHA256
07746ab24a5458627b6788d8178d9ae148855d5d5b1ec3ac6e290070ed79b2b1
-
SHA512
34a92c3784aa2f8551433790ebfb372352b156f3c8d3ca1f04a6225ff24fbb5bacc87d56700f3379ff0c654cc93154bc5c137b8dec1a82065c4178c78c2748fb
-
SSDEEP
1536:pMi7QcEIG0R8htIWtTHOzqg8qFChz/Ev5CEHN1AerDtZar3vhD:pfTvHRqu78qQzMvoEt1AerDtsr3vhD
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Meoell32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dhpemm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dahifbpk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Epbpbnan.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Obokcqhk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bcjcme32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hnkion32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mihdgkpp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gqdefddb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Opnbbe32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pkmlmbcd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Aqbdkk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lmljgj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gkephn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Loqmba32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pgfjhcge.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Aaimopli.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cfhkhd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mlkjne32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Oalhqohl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Edfbaabj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hgbfnngi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pljlbf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pmpbdm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lgoboc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bgblmk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Inlkik32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jdpjba32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pgfjhcge.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cnfqccna.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jenpajfb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kdefgj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Adfqgl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Koaqcn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jaeafklf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Knkgpi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Abpcooea.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Maefamlh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oiffkkbk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mlhnifmq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pmgbao32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Amfognic.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mpgobc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nfoghakb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Helgmg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jkbojpna.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ilnomp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Aoagccfn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gepafc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aoojnc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bmpkqklh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mnifja32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Clpabm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eeaepd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pmkhjncg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Anbkipok.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Olkfmi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aciqcifh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iapgkl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jagnlkjd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nmnclmoj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Accqnc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cagienkb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hbknkl32.exe -
Executes dropped EXE 64 IoCs
pid Process 2380 Fcjeon32.exe 1732 Fbmfkkbm.exe 2468 Ffibkj32.exe 2880 Fcmben32.exe 3024 Fdnolfon.exe 2760 Fnfcel32.exe 2644 Fbbofjnh.exe 2480 Fofpoo32.exe 1472 Fbdlkj32.exe 2360 Gjpqpl32.exe 2800 Gqiimfam.exe 1092 Gkomjo32.exe 2912 Gnmifk32.exe 2696 Gegabegc.exe 2324 Gfhnjm32.exe 2984 Gqnbhf32.exe 1552 Gfkkpmko.exe 2168 Gjfgqk32.exe 300 Gaqomeke.exe 1376 Gbaken32.exe 1656 Gjicfk32.exe 760 Gildahhp.exe 2476 Gpelnb32.exe 2536 Gcahoqhf.exe 964 Hebdfind.exe 280 Hllmcc32.exe 2724 Hnkion32.exe 2700 Hpjeialg.exe 2824 Hbiaemkk.exe 2632 Hhejnc32.exe 2764 Hlafnbal.exe 1804 Hbknkl32.exe 2304 Hlccdboi.exe 2876 Helgmg32.exe 2856 Hhjcic32.exe 1660 Hfmddp32.exe 2500 Iabhah32.exe 752 Ihmpobck.exe 2940 Ifoqjo32.exe 2636 Iinmfk32.exe 1792 Imiigiab.exe 600 Idcacc32.exe 2052 Imleli32.exe 272 Ibhndp32.exe 1304 Ifdjeoep.exe 656 Imnbbi32.exe 1540 Iplnnd32.exe 468 Ibkkjp32.exe 1612 Ieigfk32.exe 2548 Ihhcbf32.exe 2704 Ipokcdjn.exe 2820 Ibmgpoia.exe 2736 Iapgkl32.exe 2808 Iigpli32.exe 2356 Jlelhe32.exe 2708 Jkhldafl.exe 108 Jbpdeogo.exe 1972 Jenpajfb.exe 2152 Jhlmmfef.exe 1724 Jlhhndno.exe 2540 Jofejpmc.exe 1852 Jaeafklf.exe 3048 Jdcmbgkj.exe 1080 Jgaiobjn.exe -
Loads dropped DLL 64 IoCs
pid Process 2072 07746ab24a5458627b6788d8178d9ae148855d5d5b1ec3ac6e290070ed79b2b1N.exe 2072 07746ab24a5458627b6788d8178d9ae148855d5d5b1ec3ac6e290070ed79b2b1N.exe 2380 Fcjeon32.exe 2380 Fcjeon32.exe 1732 Fbmfkkbm.exe 1732 Fbmfkkbm.exe 2468 Ffibkj32.exe 2468 Ffibkj32.exe 2880 Fcmben32.exe 2880 Fcmben32.exe 3024 Fdnolfon.exe 3024 Fdnolfon.exe 2760 Fnfcel32.exe 2760 Fnfcel32.exe 2644 Fbbofjnh.exe 2644 Fbbofjnh.exe 2480 Fofpoo32.exe 2480 Fofpoo32.exe 1472 Fbdlkj32.exe 1472 Fbdlkj32.exe 2360 Gjpqpl32.exe 2360 Gjpqpl32.exe 2800 Gqiimfam.exe 2800 Gqiimfam.exe 1092 Gkomjo32.exe 1092 Gkomjo32.exe 2912 Gnmifk32.exe 2912 Gnmifk32.exe 2696 Gegabegc.exe 2696 Gegabegc.exe 2324 Gfhnjm32.exe 2324 Gfhnjm32.exe 2984 Gqnbhf32.exe 2984 Gqnbhf32.exe 1552 Gfkkpmko.exe 1552 Gfkkpmko.exe 2168 Gjfgqk32.exe 2168 Gjfgqk32.exe 300 Gaqomeke.exe 300 Gaqomeke.exe 1376 Gbaken32.exe 1376 Gbaken32.exe 1656 Gjicfk32.exe 1656 Gjicfk32.exe 760 Gildahhp.exe 760 Gildahhp.exe 2476 Gpelnb32.exe 2476 Gpelnb32.exe 2536 Gcahoqhf.exe 2536 Gcahoqhf.exe 964 Hebdfind.exe 964 Hebdfind.exe 280 Hllmcc32.exe 280 Hllmcc32.exe 2724 Hnkion32.exe 2724 Hnkion32.exe 2700 Hpjeialg.exe 2700 Hpjeialg.exe 2824 Hbiaemkk.exe 2824 Hbiaemkk.exe 2632 Hhejnc32.exe 2632 Hhejnc32.exe 2764 Hlafnbal.exe 2764 Hlafnbal.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Kaajei32.exe Kocmim32.exe File opened for modification C:\Windows\SysWOW64\Oaghki32.exe Oippjl32.exe File created C:\Windows\SysWOW64\Accqnc32.exe Apedah32.exe File created C:\Windows\SysWOW64\Bbbpenco.exe Bjkhdacm.exe File created C:\Windows\SysWOW64\Cihifg32.dll Ihglhp32.exe File opened for modification C:\Windows\SysWOW64\Fjlmpfhg.exe Ffaaoh32.exe File created C:\Windows\SysWOW64\Iahkpg32.exe Injndk32.exe File created C:\Windows\SysWOW64\Oagoep32.exe Obdojcef.exe File created C:\Windows\SysWOW64\Mnaiol32.exe Mjfnomde.exe File created C:\Windows\SysWOW64\Obecdjcn.dll Piicpk32.exe File opened for modification C:\Windows\SysWOW64\Hgbfnngi.exe Hpkompgg.exe File opened for modification C:\Windows\SysWOW64\Clbnhmjo.exe Chfbgn32.exe File opened for modification C:\Windows\SysWOW64\Nedhjj32.exe Nbflno32.exe File created C:\Windows\SysWOW64\Amohfo32.exe Ajqljc32.exe File created C:\Windows\SysWOW64\Koaqcn32.exe Klbdgb32.exe File created C:\Windows\SysWOW64\Gjffnf32.dll Kgqocoin.exe File created C:\Windows\SysWOW64\Fiqhbk32.dll Aficjnpm.exe File created C:\Windows\SysWOW64\Lbmnig32.dll Bbmcibjp.exe File created C:\Windows\SysWOW64\Cjehmbkc.dll Hpphhp32.exe File opened for modification C:\Windows\SysWOW64\Fofpoo32.exe Fbbofjnh.exe File created C:\Windows\SysWOW64\Aehnpfik.dll Macilmnk.exe File created C:\Windows\SysWOW64\Ceeieced.exe Cfcijf32.exe File opened for modification C:\Windows\SysWOW64\Eeohkeoe.exe Ecploipa.exe File created C:\Windows\SysWOW64\Ogjknh32.dll Hebnlb32.exe File opened for modification C:\Windows\SysWOW64\Nnafnopi.exe Njfjnpgp.exe File created C:\Windows\SysWOW64\Mjcial32.dll 07746ab24a5458627b6788d8178d9ae148855d5d5b1ec3ac6e290070ed79b2b1N.exe File created C:\Windows\SysWOW64\Cmhlga32.dll Jjbbpmgo.exe File created C:\Windows\SysWOW64\Mleijpbj.dll Plolgk32.exe File created C:\Windows\SysWOW64\Aqhhanig.exe Anjlebjc.exe File created C:\Windows\SysWOW64\Ihpfgalh.exe Iimfld32.exe File created C:\Windows\SysWOW64\Bccmmf32.exe Bdqlajbb.exe File created C:\Windows\SysWOW64\Ifoqjo32.exe Ihmpobck.exe File created C:\Windows\SysWOW64\Melifl32.exe Mbnljqic.exe File created C:\Windows\SysWOW64\Qpmcjc32.dll Dlfgcl32.exe File opened for modification C:\Windows\SysWOW64\Iahkpg32.exe Injndk32.exe File created C:\Windows\SysWOW64\Edeomgho.dll Nnmlcp32.exe File created C:\Windows\SysWOW64\Qiioon32.exe Qkfocaki.exe File created C:\Windows\SysWOW64\Infaph32.dll Hnkion32.exe File created C:\Windows\SysWOW64\Ihmpobck.exe Iabhah32.exe File created C:\Windows\SysWOW64\Pondgbkk.dll Bjbeofpp.exe File created C:\Windows\SysWOW64\Eeaepd32.exe Elipgofb.exe File opened for modification C:\Windows\SysWOW64\Fhbnbpjc.exe Edfbaabj.exe File created C:\Windows\SysWOW64\Kjlqgcoc.dll Gqiimfam.exe File opened for modification C:\Windows\SysWOW64\Amfognic.exe Aflfjc32.exe File created C:\Windows\SysWOW64\Bckjhl32.exe Behilopf.exe File created C:\Windows\SysWOW64\Iikifegp.exe Ieomef32.exe File opened for modification C:\Windows\SysWOW64\Jmdepg32.exe Iihiphln.exe File created C:\Windows\SysWOW64\Dahapj32.dll Pojecajj.exe File created C:\Windows\SysWOW64\Cpqmndme.dll Qnghel32.exe File created C:\Windows\SysWOW64\Akkggpci.dll Bqgmfkhg.exe File created C:\Windows\SysWOW64\Cobhlhdl.dll Fbbofjnh.exe File created C:\Windows\SysWOW64\Kncaojfb.exe Koaqcn32.exe File created C:\Windows\SysWOW64\Ljamki32.dll Qcachc32.exe File created C:\Windows\SysWOW64\Pphcfh32.dll Oijjka32.exe File opened for modification C:\Windows\SysWOW64\Hldlga32.exe Hifpke32.exe File created C:\Windows\SysWOW64\Kjoahnho.dll Jampjian.exe File created C:\Windows\SysWOW64\Hfiocpon.dll Oadkej32.exe File created C:\Windows\SysWOW64\Nmejllia.exe Nenakoho.exe File created C:\Windows\SysWOW64\Nmmnnh32.dll Jmhnkfpa.exe File opened for modification C:\Windows\SysWOW64\Ldpbpgoh.exe Lfmbek32.exe File opened for modification C:\Windows\SysWOW64\Nnmlcp32.exe Npjlhcmd.exe File opened for modification C:\Windows\SysWOW64\Bmpkqklh.exe Bjbndpmd.exe File created C:\Windows\SysWOW64\Ajaclncd.dll Ciihklpj.exe File opened for modification C:\Windows\SysWOW64\Kofaicon.exe Khlili32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 6460 900 WerFault.exe 701 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hnheohcl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pplaki32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Achjibcl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lmgalkcf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mbnljqic.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Amfognic.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cmmagpef.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fjlmpfhg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hcigco32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Inhanl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aoojnc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Phfmllbd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ehpalp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kgclio32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qkfocaki.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hfegij32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ndqkleln.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pkoicb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bbbpenco.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dnpciaef.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kjihalag.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aobnniji.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dejbqb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Allefimb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bkegah32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ciihklpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nlfmbibo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oijjka32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Panaeb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dhiomn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Elajgpmj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eeaepd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fajbke32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ihglhp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mqpflg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bceibfgj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fcjeon32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gjfgqk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Poklngnf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ffaaoh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ajmijmnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ihhcbf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nenakoho.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qododfek.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fmkilb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kdklfe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Plolgk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eihgfd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fgigil32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jbhcim32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kdbbgdjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cbdiia32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cjonncab.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kdnild32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qiioon32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cinafkkd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gifclb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mmbmeifk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nhjjgd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gqiimfam.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ibmgpoia.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fjjpjgjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Giipab32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jialfgcc.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kdjccf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fkecij32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jlphbbbg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kekiphge.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ljddjj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fbdlkj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Baleem32.dll" Bmhkmm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Panaeb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mbcoio32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ceebklai.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bccmmf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mdkqhhpm.dll" Kokjdb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Qkibcg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Lonpma32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mggabaea.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dkppib32.dll" Aojabdlf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jgdfdbhk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fgigil32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hofpgamj.dll" Iikifegp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aoapfe32.dll" Mpgobc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ppnnai32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Nagbgl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Omcifpnp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Oadkej32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ejloak32.dll" Jimbkh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pkmlmbcd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Lnjcomcf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 07746ab24a5458627b6788d8178d9ae148855d5d5b1ec3ac6e290070ed79b2b1N.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gckemgnc.dll" Jkhldafl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cihifg32.dll" Ihglhp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hfiocpon.dll" Oadkej32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Fnacpffh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Nmkplgnq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mqdkghnj.dll" Qcogbdkg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ofaejacl.dll" Cmpgpond.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cbdiia32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Lkakicam.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ldoimh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dlfgcl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ngdjmc32.dll" Kdbbgdjj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oghnkh32.dll" Ccmpce32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Neqnqofm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mfokinhf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bnqned32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Lldmleam.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Leblqb32.dll" Pdjjag32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pejmfqan.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hlmgamof.dll" Jdpjba32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jolghndm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Olbfagca.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bibjaofg.dll" Pkmlmbcd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ccjoli32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Imleli32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ahbakd32.dll" Nbniid32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjbklf32.dll" Nfdddm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nmlfpfpl.dll" Ajmijmnn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ajaclncd.dll" Ciihklpj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cfkloq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mbnljqic.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mndmoaog.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jojfgkfk.dll" Gmmfaa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ifjlcmmj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qqmfpqmc.dll" Pafdjmkq.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ojmpooah.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2072 wrote to memory of 2380 2072 07746ab24a5458627b6788d8178d9ae148855d5d5b1ec3ac6e290070ed79b2b1N.exe 30 PID 2072 wrote to memory of 2380 2072 07746ab24a5458627b6788d8178d9ae148855d5d5b1ec3ac6e290070ed79b2b1N.exe 30 PID 2072 wrote to memory of 2380 2072 07746ab24a5458627b6788d8178d9ae148855d5d5b1ec3ac6e290070ed79b2b1N.exe 30 PID 2072 wrote to memory of 2380 2072 07746ab24a5458627b6788d8178d9ae148855d5d5b1ec3ac6e290070ed79b2b1N.exe 30 PID 2380 wrote to memory of 1732 2380 Fcjeon32.exe 31 PID 2380 wrote to memory of 1732 2380 Fcjeon32.exe 31 PID 2380 wrote to memory of 1732 2380 Fcjeon32.exe 31 PID 2380 wrote to memory of 1732 2380 Fcjeon32.exe 31 PID 1732 wrote to memory of 2468 1732 Fbmfkkbm.exe 32 PID 1732 wrote to memory of 2468 1732 Fbmfkkbm.exe 32 PID 1732 wrote to memory of 2468 1732 Fbmfkkbm.exe 32 PID 1732 wrote to memory of 2468 1732 Fbmfkkbm.exe 32 PID 2468 wrote to memory of 2880 2468 Ffibkj32.exe 33 PID 2468 wrote to memory of 2880 2468 Ffibkj32.exe 33 PID 2468 wrote to memory of 2880 2468 Ffibkj32.exe 33 PID 2468 wrote to memory of 2880 2468 Ffibkj32.exe 33 PID 2880 wrote to memory of 3024 2880 Fcmben32.exe 34 PID 2880 wrote to memory of 3024 2880 Fcmben32.exe 34 PID 2880 wrote to memory of 3024 2880 Fcmben32.exe 34 PID 2880 wrote to memory of 3024 2880 Fcmben32.exe 34 PID 3024 wrote to memory of 2760 3024 Fdnolfon.exe 35 PID 3024 wrote to memory of 2760 3024 Fdnolfon.exe 35 PID 3024 wrote to memory of 2760 3024 Fdnolfon.exe 35 PID 3024 wrote to memory of 2760 3024 Fdnolfon.exe 35 PID 2760 wrote to memory of 2644 2760 Fnfcel32.exe 36 PID 2760 wrote to memory of 2644 2760 Fnfcel32.exe 36 PID 2760 wrote to memory of 2644 2760 Fnfcel32.exe 36 PID 2760 wrote to memory of 2644 2760 Fnfcel32.exe 36 PID 2644 wrote to memory of 2480 2644 Fbbofjnh.exe 37 PID 2644 wrote to memory of 2480 2644 Fbbofjnh.exe 37 PID 2644 wrote to memory of 2480 2644 Fbbofjnh.exe 37 PID 2644 wrote to memory of 2480 2644 Fbbofjnh.exe 37 PID 2480 wrote to memory of 1472 2480 Fofpoo32.exe 38 PID 2480 wrote to memory of 1472 2480 Fofpoo32.exe 38 PID 2480 wrote to memory of 1472 2480 Fofpoo32.exe 38 PID 2480 wrote to memory of 1472 2480 Fofpoo32.exe 38 PID 1472 wrote to memory of 2360 1472 Fbdlkj32.exe 39 PID 1472 wrote to memory of 2360 1472 Fbdlkj32.exe 39 PID 1472 wrote to memory of 2360 1472 Fbdlkj32.exe 39 PID 1472 wrote to memory of 2360 1472 Fbdlkj32.exe 39 PID 2360 wrote to memory of 2800 2360 Gjpqpl32.exe 40 PID 2360 wrote to memory of 2800 2360 Gjpqpl32.exe 40 PID 2360 wrote to memory of 2800 2360 Gjpqpl32.exe 40 PID 2360 wrote to memory of 2800 2360 Gjpqpl32.exe 40 PID 2800 wrote to memory of 1092 2800 Gqiimfam.exe 41 PID 2800 wrote to memory of 1092 2800 Gqiimfam.exe 41 PID 2800 wrote to memory of 1092 2800 Gqiimfam.exe 41 PID 2800 wrote to memory of 1092 2800 Gqiimfam.exe 41 PID 1092 wrote to memory of 2912 1092 Gkomjo32.exe 42 PID 1092 wrote to memory of 2912 1092 Gkomjo32.exe 42 PID 1092 wrote to memory of 2912 1092 Gkomjo32.exe 42 PID 1092 wrote to memory of 2912 1092 Gkomjo32.exe 42 PID 2912 wrote to memory of 2696 2912 Gnmifk32.exe 43 PID 2912 wrote to memory of 2696 2912 Gnmifk32.exe 43 PID 2912 wrote to memory of 2696 2912 Gnmifk32.exe 43 PID 2912 wrote to memory of 2696 2912 Gnmifk32.exe 43 PID 2696 wrote to memory of 2324 2696 Gegabegc.exe 44 PID 2696 wrote to memory of 2324 2696 Gegabegc.exe 44 PID 2696 wrote to memory of 2324 2696 Gegabegc.exe 44 PID 2696 wrote to memory of 2324 2696 Gegabegc.exe 44 PID 2324 wrote to memory of 2984 2324 Gfhnjm32.exe 45 PID 2324 wrote to memory of 2984 2324 Gfhnjm32.exe 45 PID 2324 wrote to memory of 2984 2324 Gfhnjm32.exe 45 PID 2324 wrote to memory of 2984 2324 Gfhnjm32.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\07746ab24a5458627b6788d8178d9ae148855d5d5b1ec3ac6e290070ed79b2b1N.exe"C:\Users\Admin\AppData\Local\Temp\07746ab24a5458627b6788d8178d9ae148855d5d5b1ec3ac6e290070ed79b2b1N.exe"1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2072 -
C:\Windows\SysWOW64\Fcjeon32.exeC:\Windows\system32\Fcjeon32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2380 -
C:\Windows\SysWOW64\Fbmfkkbm.exeC:\Windows\system32\Fbmfkkbm.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1732 -
C:\Windows\SysWOW64\Ffibkj32.exeC:\Windows\system32\Ffibkj32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2468 -
C:\Windows\SysWOW64\Fcmben32.exeC:\Windows\system32\Fcmben32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2880 -
C:\Windows\SysWOW64\Fdnolfon.exeC:\Windows\system32\Fdnolfon.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3024 -
C:\Windows\SysWOW64\Fnfcel32.exeC:\Windows\system32\Fnfcel32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2760 -
C:\Windows\SysWOW64\Fbbofjnh.exeC:\Windows\system32\Fbbofjnh.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2644 -
C:\Windows\SysWOW64\Fofpoo32.exeC:\Windows\system32\Fofpoo32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2480 -
C:\Windows\SysWOW64\Fbdlkj32.exeC:\Windows\system32\Fbdlkj32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1472 -
C:\Windows\SysWOW64\Gjpqpl32.exeC:\Windows\system32\Gjpqpl32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2360 -
C:\Windows\SysWOW64\Gqiimfam.exeC:\Windows\system32\Gqiimfam.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2800 -
C:\Windows\SysWOW64\Gkomjo32.exeC:\Windows\system32\Gkomjo32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1092 -
C:\Windows\SysWOW64\Gnmifk32.exeC:\Windows\system32\Gnmifk32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2912 -
C:\Windows\SysWOW64\Gegabegc.exeC:\Windows\system32\Gegabegc.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2696 -
C:\Windows\SysWOW64\Gfhnjm32.exeC:\Windows\system32\Gfhnjm32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2324 -
C:\Windows\SysWOW64\Gqnbhf32.exeC:\Windows\system32\Gqnbhf32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2984 -
C:\Windows\SysWOW64\Gfkkpmko.exeC:\Windows\system32\Gfkkpmko.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1552 -
C:\Windows\SysWOW64\Gjfgqk32.exeC:\Windows\system32\Gjfgqk32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2168 -
C:\Windows\SysWOW64\Gaqomeke.exeC:\Windows\system32\Gaqomeke.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:300 -
C:\Windows\SysWOW64\Gbaken32.exeC:\Windows\system32\Gbaken32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1376 -
C:\Windows\SysWOW64\Gjicfk32.exeC:\Windows\system32\Gjicfk32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1656 -
C:\Windows\SysWOW64\Gildahhp.exeC:\Windows\system32\Gildahhp.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:760 -
C:\Windows\SysWOW64\Gpelnb32.exeC:\Windows\system32\Gpelnb32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2476 -
C:\Windows\SysWOW64\Gcahoqhf.exeC:\Windows\system32\Gcahoqhf.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2536 -
C:\Windows\SysWOW64\Hebdfind.exeC:\Windows\system32\Hebdfind.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:964 -
C:\Windows\SysWOW64\Hllmcc32.exeC:\Windows\system32\Hllmcc32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:280 -
C:\Windows\SysWOW64\Hnkion32.exeC:\Windows\system32\Hnkion32.exe28⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2724 -
C:\Windows\SysWOW64\Hpjeialg.exeC:\Windows\system32\Hpjeialg.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2700 -
C:\Windows\SysWOW64\Hbiaemkk.exeC:\Windows\system32\Hbiaemkk.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2824 -
C:\Windows\SysWOW64\Hhejnc32.exeC:\Windows\system32\Hhejnc32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2632 -
C:\Windows\SysWOW64\Hlafnbal.exeC:\Windows\system32\Hlafnbal.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2764 -
C:\Windows\SysWOW64\Hbknkl32.exeC:\Windows\system32\Hbknkl32.exe33⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1804 -
C:\Windows\SysWOW64\Hlccdboi.exeC:\Windows\system32\Hlccdboi.exe34⤵
- Executes dropped EXE
PID:2304 -
C:\Windows\SysWOW64\Helgmg32.exeC:\Windows\system32\Helgmg32.exe35⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2876 -
C:\Windows\SysWOW64\Hhjcic32.exeC:\Windows\system32\Hhjcic32.exe36⤵
- Executes dropped EXE
PID:2856 -
C:\Windows\SysWOW64\Hfmddp32.exeC:\Windows\system32\Hfmddp32.exe37⤵
- Executes dropped EXE
PID:1660 -
C:\Windows\SysWOW64\Iabhah32.exeC:\Windows\system32\Iabhah32.exe38⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2500 -
C:\Windows\SysWOW64\Ihmpobck.exeC:\Windows\system32\Ihmpobck.exe39⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:752 -
C:\Windows\SysWOW64\Ifoqjo32.exeC:\Windows\system32\Ifoqjo32.exe40⤵
- Executes dropped EXE
PID:2940 -
C:\Windows\SysWOW64\Iinmfk32.exeC:\Windows\system32\Iinmfk32.exe41⤵
- Executes dropped EXE
PID:2636 -
C:\Windows\SysWOW64\Imiigiab.exeC:\Windows\system32\Imiigiab.exe42⤵
- Executes dropped EXE
PID:1792 -
C:\Windows\SysWOW64\Idcacc32.exeC:\Windows\system32\Idcacc32.exe43⤵
- Executes dropped EXE
PID:600 -
C:\Windows\SysWOW64\Imleli32.exeC:\Windows\system32\Imleli32.exe44⤵
- Executes dropped EXE
- Modifies registry class
PID:2052 -
C:\Windows\SysWOW64\Ibhndp32.exeC:\Windows\system32\Ibhndp32.exe45⤵
- Executes dropped EXE
PID:272 -
C:\Windows\SysWOW64\Ifdjeoep.exeC:\Windows\system32\Ifdjeoep.exe46⤵
- Executes dropped EXE
PID:1304 -
C:\Windows\SysWOW64\Imnbbi32.exeC:\Windows\system32\Imnbbi32.exe47⤵
- Executes dropped EXE
PID:656 -
C:\Windows\SysWOW64\Iplnnd32.exeC:\Windows\system32\Iplnnd32.exe48⤵
- Executes dropped EXE
PID:1540 -
C:\Windows\SysWOW64\Ibkkjp32.exeC:\Windows\system32\Ibkkjp32.exe49⤵
- Executes dropped EXE
PID:468 -
C:\Windows\SysWOW64\Ieigfk32.exeC:\Windows\system32\Ieigfk32.exe50⤵
- Executes dropped EXE
PID:1612 -
C:\Windows\SysWOW64\Ihhcbf32.exeC:\Windows\system32\Ihhcbf32.exe51⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2548 -
C:\Windows\SysWOW64\Ipokcdjn.exeC:\Windows\system32\Ipokcdjn.exe52⤵
- Executes dropped EXE
PID:2704 -
C:\Windows\SysWOW64\Ibmgpoia.exeC:\Windows\system32\Ibmgpoia.exe53⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2820 -
C:\Windows\SysWOW64\Iapgkl32.exeC:\Windows\system32\Iapgkl32.exe54⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2736 -
C:\Windows\SysWOW64\Iigpli32.exeC:\Windows\system32\Iigpli32.exe55⤵
- Executes dropped EXE
PID:2808 -
C:\Windows\SysWOW64\Jlelhe32.exeC:\Windows\system32\Jlelhe32.exe56⤵
- Executes dropped EXE
PID:2356 -
C:\Windows\SysWOW64\Jkhldafl.exeC:\Windows\system32\Jkhldafl.exe57⤵
- Executes dropped EXE
- Modifies registry class
PID:2708 -
C:\Windows\SysWOW64\Jbpdeogo.exeC:\Windows\system32\Jbpdeogo.exe58⤵
- Executes dropped EXE
PID:108 -
C:\Windows\SysWOW64\Jenpajfb.exeC:\Windows\system32\Jenpajfb.exe59⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1972 -
C:\Windows\SysWOW64\Jhlmmfef.exeC:\Windows\system32\Jhlmmfef.exe60⤵
- Executes dropped EXE
PID:2152 -
C:\Windows\SysWOW64\Jlhhndno.exeC:\Windows\system32\Jlhhndno.exe61⤵
- Executes dropped EXE
PID:1724 -
C:\Windows\SysWOW64\Jofejpmc.exeC:\Windows\system32\Jofejpmc.exe62⤵
- Executes dropped EXE
PID:2540 -
C:\Windows\SysWOW64\Jaeafklf.exeC:\Windows\system32\Jaeafklf.exe63⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1852 -
C:\Windows\SysWOW64\Jdcmbgkj.exeC:\Windows\system32\Jdcmbgkj.exe64⤵
- Executes dropped EXE
PID:3048 -
C:\Windows\SysWOW64\Jgaiobjn.exeC:\Windows\system32\Jgaiobjn.exe65⤵
- Executes dropped EXE
PID:1080 -
C:\Windows\SysWOW64\Joiappkp.exeC:\Windows\system32\Joiappkp.exe66⤵PID:1356
-
C:\Windows\SysWOW64\Jagnlkjd.exeC:\Windows\system32\Jagnlkjd.exe67⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1244 -
C:\Windows\SysWOW64\Jdejhfig.exeC:\Windows\system32\Jdejhfig.exe68⤵PID:2400
-
C:\Windows\SysWOW64\Jgdfdbhk.exeC:\Windows\system32\Jgdfdbhk.exe69⤵
- Modifies registry class
PID:1296 -
C:\Windows\SysWOW64\Jjbbpmgo.exeC:\Windows\system32\Jjbbpmgo.exe70⤵
- Drops file in System32 directory
PID:3016 -
C:\Windows\SysWOW64\Jaijak32.exeC:\Windows\system32\Jaijak32.exe71⤵PID:2840
-
C:\Windows\SysWOW64\Jckgicnp.exeC:\Windows\system32\Jckgicnp.exe72⤵PID:2328
-
C:\Windows\SysWOW64\Jkbojpna.exeC:\Windows\system32\Jkbojpna.exe73⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2768 -
C:\Windows\SysWOW64\Jnpkflne.exeC:\Windows\system32\Jnpkflne.exe74⤵PID:2648
-
C:\Windows\SysWOW64\Jlckbh32.exeC:\Windows\system32\Jlckbh32.exe75⤵PID:1696
-
C:\Windows\SysWOW64\Kdjccf32.exeC:\Windows\system32\Kdjccf32.exe76⤵
- Modifies registry class
PID:1928 -
C:\Windows\SysWOW64\Kghpoa32.exeC:\Windows\system32\Kghpoa32.exe77⤵PID:2000
-
C:\Windows\SysWOW64\Knbhlkkc.exeC:\Windows\system32\Knbhlkkc.exe78⤵PID:1580
-
C:\Windows\SysWOW64\Klehgh32.exeC:\Windows\system32\Klehgh32.exe79⤵PID:2084
-
C:\Windows\SysWOW64\Koddccaa.exeC:\Windows\system32\Koddccaa.exe80⤵PID:1740
-
C:\Windows\SysWOW64\Kgkleabc.exeC:\Windows\system32\Kgkleabc.exe81⤵PID:1864
-
C:\Windows\SysWOW64\Kjihalag.exeC:\Windows\system32\Kjihalag.exe82⤵
- System Location Discovery: System Language Discovery
PID:3040 -
C:\Windows\SysWOW64\Khlili32.exeC:\Windows\system32\Khlili32.exe83⤵
- Drops file in System32 directory
PID:1764 -
C:\Windows\SysWOW64\Kofaicon.exeC:\Windows\system32\Kofaicon.exe84⤵PID:2976
-
C:\Windows\SysWOW64\Kfpifm32.exeC:\Windows\system32\Kfpifm32.exe85⤵PID:2780
-
C:\Windows\SysWOW64\Khoebi32.exeC:\Windows\system32\Khoebi32.exe86⤵PID:1236
-
C:\Windows\SysWOW64\Kljabgnh.exeC:\Windows\system32\Kljabgnh.exe87⤵PID:2828
-
C:\Windows\SysWOW64\Kohnoc32.exeC:\Windows\system32\Kohnoc32.exe88⤵PID:2816
-
C:\Windows\SysWOW64\Kdefgj32.exeC:\Windows\system32\Kdefgj32.exe89⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1932 -
C:\Windows\SysWOW64\Kllnhg32.exeC:\Windows\system32\Kllnhg32.exe90⤵PID:2664
-
C:\Windows\SysWOW64\Kkoncdcp.exeC:\Windows\system32\Kkoncdcp.exe91⤵PID:856
-
C:\Windows\SysWOW64\Kokjdb32.exeC:\Windows\system32\Kokjdb32.exe92⤵
- Modifies registry class
PID:2124 -
C:\Windows\SysWOW64\Kbigpn32.exeC:\Windows\system32\Kbigpn32.exe93⤵PID:2992
-
C:\Windows\SysWOW64\Kdhcli32.exeC:\Windows\system32\Kdhcli32.exe94⤵PID:2772
-
C:\Windows\SysWOW64\Khcomhbi.exeC:\Windows\system32\Khcomhbi.exe95⤵PID:1916
-
C:\Windows\SysWOW64\Lkakicam.exeC:\Windows\system32\Lkakicam.exe96⤵
- Modifies registry class
PID:1560 -
C:\Windows\SysWOW64\Lnpgeopa.exeC:\Windows\system32\Lnpgeopa.exe97⤵PID:2248
-
C:\Windows\SysWOW64\Lqncaj32.exeC:\Windows\system32\Lqncaj32.exe98⤵PID:2100
-
C:\Windows\SysWOW64\Lhelbh32.exeC:\Windows\system32\Lhelbh32.exe99⤵PID:2896
-
C:\Windows\SysWOW64\Lkdhoc32.exeC:\Windows\system32\Lkdhoc32.exe100⤵PID:2756
-
C:\Windows\SysWOW64\Ljghjpfe.exeC:\Windows\system32\Ljghjpfe.exe101⤵PID:2608
-
C:\Windows\SysWOW64\Lqqpgj32.exeC:\Windows\system32\Lqqpgj32.exe102⤵PID:2308
-
C:\Windows\SysWOW64\Lcomce32.exeC:\Windows\system32\Lcomce32.exe103⤵PID:576
-
C:\Windows\SysWOW64\Lkfddc32.exeC:\Windows\system32\Lkfddc32.exe104⤵PID:2132
-
C:\Windows\SysWOW64\Lneaqn32.exeC:\Windows\system32\Lneaqn32.exe105⤵PID:2980
-
C:\Windows\SysWOW64\Lmgalkcf.exeC:\Windows\system32\Lmgalkcf.exe106⤵
- System Location Discovery: System Language Discovery
PID:2044 -
C:\Windows\SysWOW64\Ldoimh32.exeC:\Windows\system32\Ldoimh32.exe107⤵
- Modifies registry class
PID:400 -
C:\Windows\SysWOW64\Lgmeid32.exeC:\Windows\system32\Lgmeid32.exe108⤵PID:1668
-
C:\Windows\SysWOW64\Ljkaeo32.exeC:\Windows\system32\Ljkaeo32.exe109⤵PID:1844
-
C:\Windows\SysWOW64\Lmjnak32.exeC:\Windows\system32\Lmjnak32.exe110⤵PID:1272
-
C:\Windows\SysWOW64\Lohjnf32.exeC:\Windows\system32\Lohjnf32.exe111⤵PID:2176
-
C:\Windows\SysWOW64\Lgoboc32.exeC:\Windows\system32\Lgoboc32.exe112⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2316 -
C:\Windows\SysWOW64\Lfbbjpgd.exeC:\Windows\system32\Lfbbjpgd.exe113⤵PID:1604
-
C:\Windows\SysWOW64\Liqoflfh.exeC:\Windows\system32\Liqoflfh.exe114⤵PID:2888
-
C:\Windows\SysWOW64\Lmljgj32.exeC:\Windows\system32\Lmljgj32.exe115⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1156 -
C:\Windows\SysWOW64\Lokgcf32.exeC:\Windows\system32\Lokgcf32.exe116⤵PID:1968
-
C:\Windows\SysWOW64\Lbicoamh.exeC:\Windows\system32\Lbicoamh.exe117⤵PID:3004
-
C:\Windows\SysWOW64\Mjpkqonj.exeC:\Windows\system32\Mjpkqonj.exe118⤵PID:2968
-
C:\Windows\SysWOW64\Mmogmjmn.exeC:\Windows\system32\Mmogmjmn.exe119⤵PID:688
-
C:\Windows\SysWOW64\Mkaghg32.exeC:\Windows\system32\Mkaghg32.exe120⤵PID:2528
-
C:\Windows\SysWOW64\Mchoid32.exeC:\Windows\system32\Mchoid32.exe121⤵PID:2228
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-