Analysis
-
max time kernel
107s -
max time network
108s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
20-08-2024 15:14
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
b9d0ee8e6ad91e2b72b4f1fc39db94f0N.exe
Resource
win7-20240705-en
windows7-x64
8 signatures
120 seconds
Behavioral task
behavioral2
Sample
b9d0ee8e6ad91e2b72b4f1fc39db94f0N.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
7 signatures
120 seconds
General
-
Target
b9d0ee8e6ad91e2b72b4f1fc39db94f0N.exe
-
Size
256KB
-
MD5
b9d0ee8e6ad91e2b72b4f1fc39db94f0
-
SHA1
1603e9e1fe06c38f82286ef698c2b13df19ed5cc
-
SHA256
547fd2b12f16776b1c83da00305f98dd4ebd625c599b2abcdb62d87b03f812bf
-
SHA512
d5db413edcec0c4eba0cf4ce191acc6a68d4b084afa9d5704c74c6f8ec9f307f7a84e5e161b0aac956d7a9bfab0345c166da8b7d8c04df3657112c8b70f849c5
-
SSDEEP
3072:Ykx9B45AmILLY5yNfI2VceK3KcWmjRrzqzWspSnocyA5qKcWmjRrzeceKSAxpce0:4AmfENf3HVpaopOpHVILifyeYVDcfR
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cjomap32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hpfcdojl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ahchda32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hhknpmma.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dkfadkgf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lnjgfb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ckjknfnh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mjcngpjh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ajcdnd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dfmcfp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Caageq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bbiado32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ojbacd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qfmmplad.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Baannc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pedbahod.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Akoqpg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aoioli32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mockmala.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dodjjimm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bqkill32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cfadkb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ljbfpo32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hkicaahi.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nabfjpak.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ookjdn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dmdonkgc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Okedcjcm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Igpdfb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oanokhdb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eigonjcj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Neccpd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dfmcfp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ngjkfd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ohjlgefb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hdmein32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fbhpch32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lobjni32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aijnep32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pfgogh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oidhlb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ffmfchle.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pkgcea32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cdkifmjq.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Agiamhdo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bgnkhg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cmfclm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bohibc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hpabni32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dbpjaeoc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hjchaf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oampjeml.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oadfkdgd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gikkfqmf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Plcdiabk.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aglnbhal.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bfhadc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gijekg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mjmoag32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mleoafmn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dmfeidbe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bqfoamfj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cfogeb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mkmkkjko.exe -
Executes dropped EXE 64 IoCs
pid Process 3612 Lfodbqfa.exe 2648 Mimpolee.exe 2308 Mhppji32.exe 1932 Mpghkf32.exe 4248 Mojhgbdl.exe 1860 Mfaqhp32.exe 2184 Medqcmki.exe 212 Mhbmphjm.exe 2504 Mlnipg32.exe 1584 Mpieqeko.exe 4812 Molelb32.exe 2196 Mbhamajc.exe 4108 Mefmimif.exe 1784 Mibijk32.exe 3616 Mhdjehhj.exe 3536 Mplafeil.exe 1796 Moobbb32.exe 4472 Mbjnbqhp.exe 3348 Mffjcopi.exe 4404 Midfokpm.exe 3960 Mhgfkg32.exe 3984 Mpnnle32.exe 4820 Moaogand.exe 4192 Mblkhq32.exe 624 Mfhfhong.exe 216 Mekgdl32.exe 5044 Mhicpg32.exe 552 Mleoafmn.exe 1924 Mpqkad32.exe 2884 Mockmala.exe 2832 Mbognp32.exe 3144 Mfjcnold.exe 4424 Niipjj32.exe 4656 Nhlpfgbb.exe 3404 Npchgdcd.exe 4272 Noehba32.exe 4352 Nbadcpbh.exe 3564 Neppokal.exe 2064 Niklpj32.exe 2620 Nlihle32.exe 2740 Npedmdab.exe 1968 Nbcqiope.exe 5112 Ngomin32.exe 3624 Niniei32.exe 4932 Nhpiafnm.exe 4000 Nlleaeff.exe 4984 Nojanpej.exe 3888 Ncfmno32.exe 3720 Nedjjj32.exe 5020 Nipekiep.exe 2140 Nlnbgddc.exe 368 Npjnhc32.exe 2476 Nomncpcg.exe 2072 Ngdfdmdi.exe 4796 Neffpj32.exe 2224 Nheble32.exe 4532 Nlqomd32.exe 4484 Nookip32.exe 2432 Ncjginjn.exe 2728 Oeicejia.exe 3308 Oidofh32.exe 4840 Olckbd32.exe 2524 Opogbbig.exe 1916 Ooagno32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Kkjaopom.dll Gpcfmkff.exe File created C:\Windows\SysWOW64\Mqafhl32.exe Ljhnlb32.exe File created C:\Windows\SysWOW64\Gabfbmnl.dll Mgphpe32.exe File created C:\Windows\SysWOW64\Ploknb32.exe Phcomcng.exe File created C:\Windows\SysWOW64\Mholheco.dll Bjodjb32.exe File opened for modification C:\Windows\SysWOW64\Dpnbog32.exe Dakacjdb.exe File created C:\Windows\SysWOW64\Idieem32.exe Iakiia32.exe File created C:\Windows\SysWOW64\Lhhmmcaa.dll Cihclh32.exe File opened for modification C:\Windows\SysWOW64\Ofkgcobj.exe Oclkgccf.exe File created C:\Windows\SysWOW64\Cmcgolla.dll Gifkpknp.exe File created C:\Windows\SysWOW64\Lfodbqfa.exe b9d0ee8e6ad91e2b72b4f1fc39db94f0N.exe File opened for modification C:\Windows\SysWOW64\Mibijk32.exe Mefmimif.exe File opened for modification C:\Windows\SysWOW64\Fknbil32.exe Fgbfhmll.exe File opened for modification C:\Windows\SysWOW64\Mjbogmdb.exe Majjng32.exe File created C:\Windows\SysWOW64\Ppejnh32.dll Akoqpg32.exe File opened for modification C:\Windows\SysWOW64\Bfjnjcni.exe Bggnof32.exe File created C:\Windows\SysWOW64\Bjfjka32.exe Bfjnjcni.exe File created C:\Windows\SysWOW64\Bcgpgh32.dll Fmjaphek.exe File created C:\Windows\SysWOW64\Igajal32.exe Iojbpo32.exe File created C:\Windows\SysWOW64\Kjamidgd.dll Ahofoogd.exe File created C:\Windows\SysWOW64\Gckdpj32.dll Efepbi32.exe File created C:\Windows\SysWOW64\Kideagnd.dll Hkbmqb32.exe File created C:\Windows\SysWOW64\Hcmbee32.exe Hmpjmn32.exe File opened for modification C:\Windows\SysWOW64\Lfodbqfa.exe b9d0ee8e6ad91e2b72b4f1fc39db94f0N.exe File created C:\Windows\SysWOW64\Aihaoqlp.exe Aggegh32.exe File created C:\Windows\SysWOW64\Hpdfnolo.exe Hnfjbdmk.exe File created C:\Windows\SysWOW64\Dcoobn32.dll Olgncmim.exe File opened for modification C:\Windows\SysWOW64\Dmoohe32.exe Ccgjopal.exe File opened for modification C:\Windows\SysWOW64\Hmbphg32.exe Hblkjo32.exe File created C:\Windows\SysWOW64\Jncoikmp.exe Igigla32.exe File opened for modification C:\Windows\SysWOW64\Poliea32.exe Pahilmoc.exe File created C:\Windows\SysWOW64\Pfkbfh32.dll Anobgl32.exe File created C:\Windows\SysWOW64\Anclbkbp.exe Ahgcjddh.exe File created C:\Windows\SysWOW64\Kbblcj32.dll Epmmqheb.exe File created C:\Windows\SysWOW64\Mpieqeko.exe Mlnipg32.exe File created C:\Windows\SysWOW64\Dpqodfij.exe Dannij32.exe File created C:\Windows\SysWOW64\Kiggbhda.exe Knbbep32.exe File created C:\Windows\SysWOW64\Aphnnafb.exe Amjbbfgo.exe File created C:\Windows\SysWOW64\Dmncdk32.dll Baegibae.exe File opened for modification C:\Windows\SysWOW64\Pedbahod.exe Ocffempp.exe File created C:\Windows\SysWOW64\Mefiblfk.dll Cfadkb32.exe File opened for modification C:\Windows\SysWOW64\Eiildjag.exe Efkphnbd.exe File opened for modification C:\Windows\SysWOW64\Kiejmi32.exe Kqnbkl32.exe File created C:\Windows\SysWOW64\Kaofbcjo.dll Eeelnp32.exe File created C:\Windows\SysWOW64\Cgqqdeod.exe Cpihcgoa.exe File opened for modification C:\Windows\SysWOW64\Ajpqnneo.exe Akoqpg32.exe File created C:\Windows\SysWOW64\Gfkbde32.exe Glengm32.exe File created C:\Windows\SysWOW64\Qemhbj32.exe Pkgcea32.exe File opened for modification C:\Windows\SysWOW64\Flpmagqi.exe Fiaael32.exe File created C:\Windows\SysWOW64\Memicmfo.dll Bjfjka32.exe File opened for modification C:\Windows\SysWOW64\Bhpofl32.exe Baegibae.exe File created C:\Windows\SysWOW64\Eemnff32.dll Jebfng32.exe File created C:\Windows\SysWOW64\Cglbhhga.exe Cpbjkn32.exe File created C:\Windows\SysWOW64\Cnbkfjcb.dll Nedjjj32.exe File opened for modification C:\Windows\SysWOW64\Ollnhb32.exe Ojnblg32.exe File created C:\Windows\SysWOW64\Dclkee32.exe Dpqodfij.exe File opened for modification C:\Windows\SysWOW64\Mifljdjo.exe Micoed32.exe File created C:\Windows\SysWOW64\Fadggj32.dll Alkijdci.exe File created C:\Windows\SysWOW64\Gdodhh32.dll Oepifi32.exe File created C:\Windows\SysWOW64\Djfcaohp.exe Dclkee32.exe File created C:\Windows\SysWOW64\Nacmdf32.exe Nlfelogp.exe File created C:\Windows\SysWOW64\Lobjni32.exe Lnangaoa.exe File created C:\Windows\SysWOW64\Lopmii32.exe Lqmmmmph.exe File opened for modification C:\Windows\SysWOW64\Gpaqbbld.exe Gmcdffmq.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 5340 5948 WerFault.exe 952 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qjnkcekm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fhflnpoi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hdmein32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ajcdnd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dinmhkke.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kmieae32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dmdonkgc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gbchdp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pkgcea32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nlqomd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ffaong32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bkmmaeap.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ijqmhnko.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jokkgl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aoioli32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qaqegecm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Digehphc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dbpjaeoc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Flmqlg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gifkpknp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fmjaphek.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Knbbep32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Emmkiclm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nipekiep.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Klcekpdo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nmdgikhi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mfhfhong.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hacbhb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mqimikfj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gldglf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qpeahb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oigllh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bqfoamfj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oadfkdgd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ondljl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Idieem32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kiejmi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bkkple32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dcigeooj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mfeeabda.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Agdhbi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cjhfpa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hncmmd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Caojpaij.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hbhboolf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ejdocm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lnbklm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ojbacd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bjnmpl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Igdnabjh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dhbebj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eidbij32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jnpfop32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Olgemcli.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Acgolj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dakacjdb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lfodbqfa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mpqkad32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ofmdio32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Micoed32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hkicaahi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Odmbaj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nclbpf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cqpbglno.exe -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hmbfbn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dpgeee32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gkiaej32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gigmlgok.dll" Ijadbdoj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oflpld32.dll" Oekiqccc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hefnkkkj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kgiiiidd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Caageq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qqhcpo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cqpbglno.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Djklmo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jglklggl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Glfdiedd.dll" Dhbebj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Npjnhc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qgnbaj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ijogmdqm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kajimagp.dll" Amnlme32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jeeobqbq.dll" Digehphc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mnjqmpgg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cmeafpab.dll" Pomgjn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Agiamhdo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dmhidbhg.dll" Ajbmdn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Anclbkbp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ddhpmfbl.dll" Bdpaeehj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fnipbc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ilcldb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gkjcgjio.dll" Jenmcggo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nefped32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bjnmpl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jkoepmnk.dll" Ckmehb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hdhedh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lqhdbm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fkhfob32.dll" Mfhfhong.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qjnkcekm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ihgnkkbd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kgamnded.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Djfoankj.dll" Dmoohe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghndhd32.dll" Mjcngpjh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qgpogili.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hhfedm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Filclgic.dll" Geaepk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aplpihjd.dll" Dcjnoece.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ehkljb32.dll" Lgccinoe.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ckjknfnh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Joahqn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekfkeh32.dll" Klcekpdo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Oigllh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Chalkm32.dll" Oadfkdgd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Afdnfjpa.dll" Fpejlmcf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mnfnlf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aeaanjkl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Onocomdo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Olgemcli.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Giqkkf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kalhafbk.dll" Oondnini.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdinlh32.dll" Fplpll32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jncoikmp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bfkegm32.dll" Mgclpkac.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebcneqod.dll" Felbnn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Feoodn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Phlacbfm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gmeakf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mapmipen.dll" Jkomneim.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nbgcih32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3948 wrote to memory of 3612 3948 b9d0ee8e6ad91e2b72b4f1fc39db94f0N.exe 84 PID 3948 wrote to memory of 3612 3948 b9d0ee8e6ad91e2b72b4f1fc39db94f0N.exe 84 PID 3948 wrote to memory of 3612 3948 b9d0ee8e6ad91e2b72b4f1fc39db94f0N.exe 84 PID 3612 wrote to memory of 2648 3612 Lfodbqfa.exe 85 PID 3612 wrote to memory of 2648 3612 Lfodbqfa.exe 85 PID 3612 wrote to memory of 2648 3612 Lfodbqfa.exe 85 PID 2648 wrote to memory of 2308 2648 Mimpolee.exe 86 PID 2648 wrote to memory of 2308 2648 Mimpolee.exe 86 PID 2648 wrote to memory of 2308 2648 Mimpolee.exe 86 PID 2308 wrote to memory of 1932 2308 Mhppji32.exe 87 PID 2308 wrote to memory of 1932 2308 Mhppji32.exe 87 PID 2308 wrote to memory of 1932 2308 Mhppji32.exe 87 PID 1932 wrote to memory of 4248 1932 Mpghkf32.exe 88 PID 1932 wrote to memory of 4248 1932 Mpghkf32.exe 88 PID 1932 wrote to memory of 4248 1932 Mpghkf32.exe 88 PID 4248 wrote to memory of 1860 4248 Mojhgbdl.exe 89 PID 4248 wrote to memory of 1860 4248 Mojhgbdl.exe 89 PID 4248 wrote to memory of 1860 4248 Mojhgbdl.exe 89 PID 1860 wrote to memory of 2184 1860 Mfaqhp32.exe 90 PID 1860 wrote to memory of 2184 1860 Mfaqhp32.exe 90 PID 1860 wrote to memory of 2184 1860 Mfaqhp32.exe 90 PID 2184 wrote to memory of 212 2184 Medqcmki.exe 91 PID 2184 wrote to memory of 212 2184 Medqcmki.exe 91 PID 2184 wrote to memory of 212 2184 Medqcmki.exe 91 PID 212 wrote to memory of 2504 212 Mhbmphjm.exe 92 PID 212 wrote to memory of 2504 212 Mhbmphjm.exe 92 PID 212 wrote to memory of 2504 212 Mhbmphjm.exe 92 PID 2504 wrote to memory of 1584 2504 Mlnipg32.exe 93 PID 2504 wrote to memory of 1584 2504 Mlnipg32.exe 93 PID 2504 wrote to memory of 1584 2504 Mlnipg32.exe 93 PID 1584 wrote to memory of 4812 1584 Mpieqeko.exe 94 PID 1584 wrote to memory of 4812 1584 Mpieqeko.exe 94 PID 1584 wrote to memory of 4812 1584 Mpieqeko.exe 94 PID 4812 wrote to memory of 2196 4812 Molelb32.exe 95 PID 4812 wrote to memory of 2196 4812 Molelb32.exe 95 PID 4812 wrote to memory of 2196 4812 Molelb32.exe 95 PID 2196 wrote to memory of 4108 2196 Mbhamajc.exe 96 PID 2196 wrote to memory of 4108 2196 Mbhamajc.exe 96 PID 2196 wrote to memory of 4108 2196 Mbhamajc.exe 96 PID 4108 wrote to memory of 1784 4108 Mefmimif.exe 97 PID 4108 wrote to memory of 1784 4108 Mefmimif.exe 97 PID 4108 wrote to memory of 1784 4108 Mefmimif.exe 97 PID 1784 wrote to memory of 3616 1784 Mibijk32.exe 98 PID 1784 wrote to memory of 3616 1784 Mibijk32.exe 98 PID 1784 wrote to memory of 3616 1784 Mibijk32.exe 98 PID 3616 wrote to memory of 3536 3616 Mhdjehhj.exe 99 PID 3616 wrote to memory of 3536 3616 Mhdjehhj.exe 99 PID 3616 wrote to memory of 3536 3616 Mhdjehhj.exe 99 PID 3536 wrote to memory of 1796 3536 Mplafeil.exe 100 PID 3536 wrote to memory of 1796 3536 Mplafeil.exe 100 PID 3536 wrote to memory of 1796 3536 Mplafeil.exe 100 PID 1796 wrote to memory of 4472 1796 Moobbb32.exe 101 PID 1796 wrote to memory of 4472 1796 Moobbb32.exe 101 PID 1796 wrote to memory of 4472 1796 Moobbb32.exe 101 PID 4472 wrote to memory of 3348 4472 Mbjnbqhp.exe 102 PID 4472 wrote to memory of 3348 4472 Mbjnbqhp.exe 102 PID 4472 wrote to memory of 3348 4472 Mbjnbqhp.exe 102 PID 3348 wrote to memory of 4404 3348 Mffjcopi.exe 103 PID 3348 wrote to memory of 4404 3348 Mffjcopi.exe 103 PID 3348 wrote to memory of 4404 3348 Mffjcopi.exe 103 PID 4404 wrote to memory of 3960 4404 Midfokpm.exe 104 PID 4404 wrote to memory of 3960 4404 Midfokpm.exe 104 PID 4404 wrote to memory of 3960 4404 Midfokpm.exe 104 PID 3960 wrote to memory of 3984 3960 Mhgfkg32.exe 105
Processes
-
C:\Users\Admin\AppData\Local\Temp\b9d0ee8e6ad91e2b72b4f1fc39db94f0N.exe"C:\Users\Admin\AppData\Local\Temp\b9d0ee8e6ad91e2b72b4f1fc39db94f0N.exe"1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3948 -
C:\Windows\SysWOW64\Lfodbqfa.exeC:\Windows\system32\Lfodbqfa.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3612 -
C:\Windows\SysWOW64\Mimpolee.exeC:\Windows\system32\Mimpolee.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2648 -
C:\Windows\SysWOW64\Mhppji32.exeC:\Windows\system32\Mhppji32.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2308 -
C:\Windows\SysWOW64\Mpghkf32.exeC:\Windows\system32\Mpghkf32.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1932 -
C:\Windows\SysWOW64\Mojhgbdl.exeC:\Windows\system32\Mojhgbdl.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4248 -
C:\Windows\SysWOW64\Mfaqhp32.exeC:\Windows\system32\Mfaqhp32.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1860 -
C:\Windows\SysWOW64\Medqcmki.exeC:\Windows\system32\Medqcmki.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2184 -
C:\Windows\SysWOW64\Mhbmphjm.exeC:\Windows\system32\Mhbmphjm.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:212 -
C:\Windows\SysWOW64\Mlnipg32.exeC:\Windows\system32\Mlnipg32.exe10⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2504 -
C:\Windows\SysWOW64\Mpieqeko.exeC:\Windows\system32\Mpieqeko.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1584 -
C:\Windows\SysWOW64\Molelb32.exeC:\Windows\system32\Molelb32.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4812 -
C:\Windows\SysWOW64\Mbhamajc.exeC:\Windows\system32\Mbhamajc.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2196 -
C:\Windows\SysWOW64\Mefmimif.exeC:\Windows\system32\Mefmimif.exe14⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4108 -
C:\Windows\SysWOW64\Mibijk32.exeC:\Windows\system32\Mibijk32.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1784 -
C:\Windows\SysWOW64\Mhdjehhj.exeC:\Windows\system32\Mhdjehhj.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3616 -
C:\Windows\SysWOW64\Mplafeil.exeC:\Windows\system32\Mplafeil.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3536 -
C:\Windows\SysWOW64\Moobbb32.exeC:\Windows\system32\Moobbb32.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1796 -
C:\Windows\SysWOW64\Mbjnbqhp.exeC:\Windows\system32\Mbjnbqhp.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4472 -
C:\Windows\SysWOW64\Mffjcopi.exeC:\Windows\system32\Mffjcopi.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3348 -
C:\Windows\SysWOW64\Midfokpm.exeC:\Windows\system32\Midfokpm.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4404 -
C:\Windows\SysWOW64\Mhgfkg32.exeC:\Windows\system32\Mhgfkg32.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3960 -
C:\Windows\SysWOW64\Mpnnle32.exeC:\Windows\system32\Mpnnle32.exe23⤵
- Executes dropped EXE
PID:3984 -
C:\Windows\SysWOW64\Moaogand.exeC:\Windows\system32\Moaogand.exe24⤵
- Executes dropped EXE
PID:4820 -
C:\Windows\SysWOW64\Mblkhq32.exeC:\Windows\system32\Mblkhq32.exe25⤵
- Executes dropped EXE
PID:4192 -
C:\Windows\SysWOW64\Mfhfhong.exeC:\Windows\system32\Mfhfhong.exe26⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:624 -
C:\Windows\SysWOW64\Mekgdl32.exeC:\Windows\system32\Mekgdl32.exe27⤵
- Executes dropped EXE
PID:216 -
C:\Windows\SysWOW64\Mhicpg32.exeC:\Windows\system32\Mhicpg32.exe28⤵
- Executes dropped EXE
PID:5044 -
C:\Windows\SysWOW64\Mleoafmn.exeC:\Windows\system32\Mleoafmn.exe29⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:552 -
C:\Windows\SysWOW64\Mpqkad32.exeC:\Windows\system32\Mpqkad32.exe30⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1924 -
C:\Windows\SysWOW64\Mockmala.exeC:\Windows\system32\Mockmala.exe31⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2884 -
C:\Windows\SysWOW64\Mbognp32.exeC:\Windows\system32\Mbognp32.exe32⤵
- Executes dropped EXE
PID:2832 -
C:\Windows\SysWOW64\Mfjcnold.exeC:\Windows\system32\Mfjcnold.exe33⤵
- Executes dropped EXE
PID:3144 -
C:\Windows\SysWOW64\Niipjj32.exeC:\Windows\system32\Niipjj32.exe34⤵
- Executes dropped EXE
PID:4424 -
C:\Windows\SysWOW64\Nhlpfgbb.exeC:\Windows\system32\Nhlpfgbb.exe35⤵
- Executes dropped EXE
PID:4656 -
C:\Windows\SysWOW64\Npchgdcd.exeC:\Windows\system32\Npchgdcd.exe36⤵
- Executes dropped EXE
PID:3404 -
C:\Windows\SysWOW64\Noehba32.exeC:\Windows\system32\Noehba32.exe37⤵
- Executes dropped EXE
PID:4272 -
C:\Windows\SysWOW64\Nbadcpbh.exeC:\Windows\system32\Nbadcpbh.exe38⤵
- Executes dropped EXE
PID:4352 -
C:\Windows\SysWOW64\Neppokal.exeC:\Windows\system32\Neppokal.exe39⤵
- Executes dropped EXE
PID:3564 -
C:\Windows\SysWOW64\Niklpj32.exeC:\Windows\system32\Niklpj32.exe40⤵
- Executes dropped EXE
PID:2064 -
C:\Windows\SysWOW64\Nlihle32.exeC:\Windows\system32\Nlihle32.exe41⤵
- Executes dropped EXE
PID:2620 -
C:\Windows\SysWOW64\Npedmdab.exeC:\Windows\system32\Npedmdab.exe42⤵
- Executes dropped EXE
PID:2740 -
C:\Windows\SysWOW64\Nbcqiope.exeC:\Windows\system32\Nbcqiope.exe43⤵
- Executes dropped EXE
PID:1968 -
C:\Windows\SysWOW64\Ngomin32.exeC:\Windows\system32\Ngomin32.exe44⤵
- Executes dropped EXE
PID:5112 -
C:\Windows\SysWOW64\Niniei32.exeC:\Windows\system32\Niniei32.exe45⤵
- Executes dropped EXE
PID:3624 -
C:\Windows\SysWOW64\Nhpiafnm.exeC:\Windows\system32\Nhpiafnm.exe46⤵
- Executes dropped EXE
PID:4932 -
C:\Windows\SysWOW64\Nlleaeff.exeC:\Windows\system32\Nlleaeff.exe47⤵
- Executes dropped EXE
PID:4000 -
C:\Windows\SysWOW64\Nojanpej.exeC:\Windows\system32\Nojanpej.exe48⤵
- Executes dropped EXE
PID:4984 -
C:\Windows\SysWOW64\Ncfmno32.exeC:\Windows\system32\Ncfmno32.exe49⤵
- Executes dropped EXE
PID:3888 -
C:\Windows\SysWOW64\Nedjjj32.exeC:\Windows\system32\Nedjjj32.exe50⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3720 -
C:\Windows\SysWOW64\Nipekiep.exeC:\Windows\system32\Nipekiep.exe51⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:5020 -
C:\Windows\SysWOW64\Nlnbgddc.exeC:\Windows\system32\Nlnbgddc.exe52⤵
- Executes dropped EXE
PID:2140 -
C:\Windows\SysWOW64\Npjnhc32.exeC:\Windows\system32\Npjnhc32.exe53⤵
- Executes dropped EXE
- Modifies registry class
PID:368 -
C:\Windows\SysWOW64\Nomncpcg.exeC:\Windows\system32\Nomncpcg.exe54⤵
- Executes dropped EXE
PID:2476 -
C:\Windows\SysWOW64\Ngdfdmdi.exeC:\Windows\system32\Ngdfdmdi.exe55⤵
- Executes dropped EXE
PID:2072 -
C:\Windows\SysWOW64\Neffpj32.exeC:\Windows\system32\Neffpj32.exe56⤵
- Executes dropped EXE
PID:4796 -
C:\Windows\SysWOW64\Nheble32.exeC:\Windows\system32\Nheble32.exe57⤵
- Executes dropped EXE
PID:2224 -
C:\Windows\SysWOW64\Nlqomd32.exeC:\Windows\system32\Nlqomd32.exe58⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4532 -
C:\Windows\SysWOW64\Nookip32.exeC:\Windows\system32\Nookip32.exe59⤵
- Executes dropped EXE
PID:4484 -
C:\Windows\SysWOW64\Ncjginjn.exeC:\Windows\system32\Ncjginjn.exe60⤵
- Executes dropped EXE
PID:2432 -
C:\Windows\SysWOW64\Oeicejia.exeC:\Windows\system32\Oeicejia.exe61⤵
- Executes dropped EXE
PID:2728 -
C:\Windows\SysWOW64\Oidofh32.exeC:\Windows\system32\Oidofh32.exe62⤵
- Executes dropped EXE
PID:3308 -
C:\Windows\SysWOW64\Olckbd32.exeC:\Windows\system32\Olckbd32.exe63⤵
- Executes dropped EXE
PID:4840 -
C:\Windows\SysWOW64\Opogbbig.exeC:\Windows\system32\Opogbbig.exe64⤵
- Executes dropped EXE
PID:2524 -
C:\Windows\SysWOW64\Ooagno32.exeC:\Windows\system32\Ooagno32.exe65⤵
- Executes dropped EXE
PID:1916 -
C:\Windows\SysWOW64\Oghppm32.exeC:\Windows\system32\Oghppm32.exe66⤵PID:1708
-
C:\Windows\SysWOW64\Oigllh32.exeC:\Windows\system32\Oigllh32.exe67⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:3324 -
C:\Windows\SysWOW64\Ohjlgefb.exeC:\Windows\system32\Ohjlgefb.exe68⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1464 -
C:\Windows\SysWOW64\Opadhb32.exeC:\Windows\system32\Opadhb32.exe69⤵PID:2204
-
C:\Windows\SysWOW64\Ocopdn32.exeC:\Windows\system32\Ocopdn32.exe70⤵PID:1688
-
C:\Windows\SysWOW64\Ogklelna.exeC:\Windows\system32\Ogklelna.exe71⤵PID:2788
-
C:\Windows\SysWOW64\Oiihahme.exeC:\Windows\system32\Oiihahme.exe72⤵PID:4448
-
C:\Windows\SysWOW64\Olgemcli.exeC:\Windows\system32\Olgemcli.exe73⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:4648 -
C:\Windows\SysWOW64\Opcqnb32.exeC:\Windows\system32\Opcqnb32.exe74⤵PID:3424
-
C:\Windows\SysWOW64\Oepifi32.exeC:\Windows\system32\Oepifi32.exe75⤵
- Drops file in System32 directory
PID:2396 -
C:\Windows\SysWOW64\Oileggkb.exeC:\Windows\system32\Oileggkb.exe76⤵PID:4616
-
C:\Windows\SysWOW64\Oljaccjf.exeC:\Windows\system32\Oljaccjf.exe77⤵PID:4576
-
C:\Windows\SysWOW64\Opemca32.exeC:\Windows\system32\Opemca32.exe78⤵PID:5048
-
C:\Windows\SysWOW64\Ocdjpmac.exeC:\Windows\system32\Ocdjpmac.exe79⤵PID:3236
-
C:\Windows\SysWOW64\Oebflhaf.exeC:\Windows\system32\Oebflhaf.exe80⤵PID:2092
-
C:\Windows\SysWOW64\Ojnblg32.exeC:\Windows\system32\Ojnblg32.exe81⤵
- Drops file in System32 directory
PID:64 -
C:\Windows\SysWOW64\Ollnhb32.exeC:\Windows\system32\Ollnhb32.exe82⤵PID:2580
-
C:\Windows\SysWOW64\Ookjdn32.exeC:\Windows\system32\Ookjdn32.exe83⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2332 -
C:\Windows\SysWOW64\Ocffempp.exeC:\Windows\system32\Ocffempp.exe84⤵
- Drops file in System32 directory
PID:1384 -
C:\Windows\SysWOW64\Pedbahod.exeC:\Windows\system32\Pedbahod.exe85⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1216 -
C:\Windows\SysWOW64\Phcomcng.exeC:\Windows\system32\Phcomcng.exe86⤵
- Drops file in System32 directory
PID:1528 -
C:\Windows\SysWOW64\Ploknb32.exeC:\Windows\system32\Ploknb32.exe87⤵PID:208
-
C:\Windows\SysWOW64\Pomgjn32.exeC:\Windows\system32\Pomgjn32.exe88⤵
- Modifies registry class
PID:768 -
C:\Windows\SysWOW64\Pgdokkfg.exeC:\Windows\system32\Pgdokkfg.exe89⤵PID:4236
-
C:\Windows\SysWOW64\Pfgogh32.exeC:\Windows\system32\Pfgogh32.exe90⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1624 -
C:\Windows\SysWOW64\Phelcc32.exeC:\Windows\system32\Phelcc32.exe91⤵PID:2488
-
C:\Windows\SysWOW64\Pjehmfch.exeC:\Windows\system32\Pjehmfch.exe92⤵PID:968
-
C:\Windows\SysWOW64\Plcdiabk.exeC:\Windows\system32\Plcdiabk.exe93⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2080 -
C:\Windows\SysWOW64\Pcmlfl32.exeC:\Windows\system32\Pcmlfl32.exe94⤵PID:2036
-
C:\Windows\SysWOW64\Pleaoa32.exeC:\Windows\system32\Pleaoa32.exe95⤵PID:832
-
C:\Windows\SysWOW64\Podmkm32.exeC:\Windows\system32\Podmkm32.exe96⤵PID:396
-
C:\Windows\SysWOW64\Pgkelj32.exeC:\Windows\system32\Pgkelj32.exe97⤵PID:672
-
C:\Windows\SysWOW64\Pjjahe32.exeC:\Windows\system32\Pjjahe32.exe98⤵PID:4020
-
C:\Windows\SysWOW64\Phlacbfm.exeC:\Windows\system32\Phlacbfm.exe99⤵
- Modifies registry class
PID:3880 -
C:\Windows\SysWOW64\Pqcjepfo.exeC:\Windows\system32\Pqcjepfo.exe100⤵PID:4080
-
C:\Windows\SysWOW64\Qgnbaj32.exeC:\Windows\system32\Qgnbaj32.exe101⤵
- Modifies registry class
PID:4336 -
C:\Windows\SysWOW64\Qhonib32.exeC:\Windows\system32\Qhonib32.exe102⤵PID:5180
-
C:\Windows\SysWOW64\Qqffjo32.exeC:\Windows\system32\Qqffjo32.exe103⤵PID:5220
-
C:\Windows\SysWOW64\Qgpogili.exeC:\Windows\system32\Qgpogili.exe104⤵
- Modifies registry class
PID:5264 -
C:\Windows\SysWOW64\Qjnkcekm.exeC:\Windows\system32\Qjnkcekm.exe105⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:5316 -
C:\Windows\SysWOW64\Qqhcpo32.exeC:\Windows\system32\Qqhcpo32.exe106⤵
- Modifies registry class
PID:5364 -
C:\Windows\SysWOW64\Acgolj32.exeC:\Windows\system32\Acgolj32.exe107⤵
- System Location Discovery: System Language Discovery
PID:5404 -
C:\Windows\SysWOW64\Afelhf32.exeC:\Windows\system32\Afelhf32.exe108⤵PID:5448
-
C:\Windows\SysWOW64\Ahchda32.exeC:\Windows\system32\Ahchda32.exe109⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5504 -
C:\Windows\SysWOW64\Aqkpeopg.exeC:\Windows\system32\Aqkpeopg.exe110⤵PID:5548
-
C:\Windows\SysWOW64\Agdhbi32.exeC:\Windows\system32\Agdhbi32.exe111⤵
- System Location Discovery: System Language Discovery
PID:5612 -
C:\Windows\SysWOW64\Afghneoo.exeC:\Windows\system32\Afghneoo.exe112⤵PID:5652
-
C:\Windows\SysWOW64\Ajcdnd32.exeC:\Windows\system32\Ajcdnd32.exe113⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:5704 -
C:\Windows\SysWOW64\Aqmlknnd.exeC:\Windows\system32\Aqmlknnd.exe114⤵PID:5752
-
C:\Windows\SysWOW64\Ackigjmh.exeC:\Windows\system32\Ackigjmh.exe115⤵PID:5800
-
C:\Windows\SysWOW64\Aggegh32.exeC:\Windows\system32\Aggegh32.exe116⤵
- Drops file in System32 directory
PID:5844 -
C:\Windows\SysWOW64\Aihaoqlp.exeC:\Windows\system32\Aihaoqlp.exe117⤵PID:5904
-
C:\Windows\SysWOW64\Aqoiqn32.exeC:\Windows\system32\Aqoiqn32.exe118⤵PID:5940
-
C:\Windows\SysWOW64\Aobilkcl.exeC:\Windows\system32\Aobilkcl.exe119⤵PID:5980
-
C:\Windows\SysWOW64\Agiamhdo.exeC:\Windows\system32\Agiamhdo.exe120⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:6032 -
C:\Windows\SysWOW64\Aijnep32.exeC:\Windows\system32\Aijnep32.exe121⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6076
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-