Analysis
-
max time kernel
101s -
max time network
18s -
platform
windows7_x64 -
resource
win7-20240704-en -
resource tags
arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system -
submitted
22-08-2024 16:06
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
a3686dbada8149d52ee19ea8f4b48040N.exe
Resource
win7-20240704-en
windows7-x64
8 signatures
120 seconds
Behavioral task
behavioral2
Sample
a3686dbada8149d52ee19ea8f4b48040N.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
7 signatures
120 seconds
General
-
Target
a3686dbada8149d52ee19ea8f4b48040N.exe
-
Size
128KB
-
MD5
a3686dbada8149d52ee19ea8f4b48040
-
SHA1
976ee66e35c309a4d3eacd6e438f58cb718dcc6d
-
SHA256
88be16241debef72683e201514a0993f08e8edb85abfa6c11473383064cb998b
-
SHA512
88ba3fb2d3f306ea1fb08d3acdf279e1addb8c5527080a015ea8d88d66d05f5ac69b422a1d8844da6b2281b772d3d960810b5056213aa9187f10fefcce52c257
-
SSDEEP
3072:PeRM1TMOve2lj9pui6yYPaI7DehizrVtN:Pe61pG6pui6yYPaIGc
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ahbqliap.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Liibigjq.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dmkipb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Igoagpja.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nqijmkfm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Hhklibbf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jlcmhann.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pdffcn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dindme32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cjfjjd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Moikinib.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Blcmbmip.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Pfaopc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ngikaijm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ghlgdecf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pikaqppk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Nnidchqp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Macnjk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bpdkajic.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Glbcpokl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jbmdig32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jbpcgo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gefjlg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pjndca32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ijkjde32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bgichoqj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Gekncjfe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jbpcgo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Hnomkloi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jajbfeop.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iodolf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ihmcelkk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jfoeqmfg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Okefjcle.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Kdckgc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Aefhpc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Apdminod.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Lppgfkpd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Mcoioi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aglhph32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Mlifie32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Efifjg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Andlmnki.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pojgnf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Kqijck32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ccileljk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ndekok32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Cgfqii32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ppmkilbp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Annpaq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Lcpecdio.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fdkheh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jgfghodj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kgfoee32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gmegkd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Qnkdeagl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Fpojlp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nkbdbbop.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pclolakk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Mhegckpd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Lblhep32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Caajmilh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ojjnioae.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lakqoe32.exe -
Executes dropped EXE 64 IoCs
pid Process 556 Lkffohon.exe 2176 Ldokhn32.exe 2820 Mgaqohql.exe 2748 Mjbiac32.exe 3024 Mcmkoi32.exe 1840 Nmhlnngi.exe 864 Necqbp32.exe 2536 Niaihojk.exe 2976 Npkaei32.exe 2600 Nehjmppo.exe 108 Njdbefnf.exe 2496 Oldooi32.exe 860 Ohmljj32.exe 1608 Oaeacppk.exe 2512 Ofbikf32.exe 2428 Ppmkilbp.exe 608 Ppogok32.exe 1636 Pacqlcdi.exe 1540 Paemac32.exe 1028 Pdffcn32.exe 1628 Qnagbc32.exe 1108 Agilkijf.exe 968 Aglhph32.exe 1952 Apdminod.exe 892 Ahancp32.exe 2076 Abjcleqm.exe 1600 Bhfhnofg.exe 2432 Bncpffdn.exe 2884 Bcpiombe.exe 2896 Bnhjae32.exe 952 Bcdbjl32.exe 2616 Cicggcke.exe 2660 Ccileljk.exe 2580 Cncmei32.exe 2020 Cbqekhmp.exe 3016 Fgnfpm32.exe 2980 Fmjkbfnh.exe 2184 Fcjqpm32.exe 1284 Flbehbqm.exe 2380 Gnenfjdh.exe 2440 Ghkbccdn.exe 2800 Gdbchd32.exe 2204 Gqidme32.exe 2208 Gdfmccfm.exe 980 Gopnca32.exe 1532 Hqpjndio.exe 2292 Hfmbfkhf.exe 2544 Hikobfgj.exe 2552 Hbccklmj.exe 2132 Himkgf32.exe 3052 Hfalaj32.exe 2276 Hnlqemal.exe 2400 Hefibg32.exe 3068 Hnomkloi.exe 2656 Iggbdb32.exe 2624 Iekbmfdc.exe 2848 Ifloeo32.exe 3004 Iabcbg32.exe 872 Iadphghe.exe 1360 Ifahpnfl.exe 1644 Imkqmh32.exe 2332 Ifceemdj.exe 2200 Jlpmndba.exe 588 Jhgnbehe.exe -
Loads dropped DLL 64 IoCs
pid Process 1072 a3686dbada8149d52ee19ea8f4b48040N.exe 1072 a3686dbada8149d52ee19ea8f4b48040N.exe 556 Lkffohon.exe 556 Lkffohon.exe 2176 Ldokhn32.exe 2176 Ldokhn32.exe 2820 Mgaqohql.exe 2820 Mgaqohql.exe 2748 Mjbiac32.exe 2748 Mjbiac32.exe 3024 Mcmkoi32.exe 3024 Mcmkoi32.exe 1840 Nmhlnngi.exe 1840 Nmhlnngi.exe 864 Necqbp32.exe 864 Necqbp32.exe 2536 Niaihojk.exe 2536 Niaihojk.exe 2976 Npkaei32.exe 2976 Npkaei32.exe 2600 Nehjmppo.exe 2600 Nehjmppo.exe 108 Njdbefnf.exe 108 Njdbefnf.exe 2496 Oldooi32.exe 2496 Oldooi32.exe 860 Ohmljj32.exe 860 Ohmljj32.exe 1608 Oaeacppk.exe 1608 Oaeacppk.exe 2512 Ofbikf32.exe 2512 Ofbikf32.exe 2428 Ppmkilbp.exe 2428 Ppmkilbp.exe 608 Ppogok32.exe 608 Ppogok32.exe 1636 Pacqlcdi.exe 1636 Pacqlcdi.exe 1540 Paemac32.exe 1540 Paemac32.exe 1028 Pdffcn32.exe 1028 Pdffcn32.exe 1628 Qnagbc32.exe 1628 Qnagbc32.exe 1108 Agilkijf.exe 1108 Agilkijf.exe 968 Aglhph32.exe 968 Aglhph32.exe 1952 Apdminod.exe 1952 Apdminod.exe 892 Ahancp32.exe 892 Ahancp32.exe 2076 Abjcleqm.exe 2076 Abjcleqm.exe 1600 Bhfhnofg.exe 1600 Bhfhnofg.exe 2432 Bncpffdn.exe 2432 Bncpffdn.exe 2884 Bcpiombe.exe 2884 Bcpiombe.exe 2896 Bnhjae32.exe 2896 Bnhjae32.exe 952 Bcdbjl32.exe 952 Bcdbjl32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Ehahglmg.dll Jajbfeop.exe File opened for modification C:\Windows\SysWOW64\Ndeifbfj.exe Ngahmngp.exe File created C:\Windows\SysWOW64\Ogldfl32.exe Oncpmf32.exe File opened for modification C:\Windows\SysWOW64\Fcehpbdm.exe Fmkpchmp.exe File created C:\Windows\SysWOW64\Gqidme32.exe Gdbchd32.exe File created C:\Windows\SysWOW64\Bfcqoqeh.exe Bdbdgh32.exe File opened for modification C:\Windows\SysWOW64\Bfcqoqeh.exe Bdbdgh32.exe File created C:\Windows\SysWOW64\Cfhjjp32.exe Conbmfif.exe File opened for modification C:\Windows\SysWOW64\Bdnmda32.exe Boadlk32.exe File opened for modification C:\Windows\SysWOW64\Boadlk32.exe Bdkpob32.exe File created C:\Windows\SysWOW64\Dpdnea32.dll Gcpdip32.exe File opened for modification C:\Windows\SysWOW64\Lahaqm32.exe Lkoidcaj.exe File opened for modification C:\Windows\SysWOW64\Imccab32.exe Iiekkdjo.exe File opened for modification C:\Windows\SysWOW64\Liohhbno.exe Lmhhcaik.exe File created C:\Windows\SysWOW64\Gqpoindi.dll Ieoiai32.exe File created C:\Windows\SysWOW64\Deeeafii.exe Dcgiejje.exe File created C:\Windows\SysWOW64\Chmlfj32.exe Cbcdjpba.exe File created C:\Windows\SysWOW64\Bpdqqmjp.dll Nlcnaaog.exe File created C:\Windows\SysWOW64\Cnhjbjam.exe Caajmilh.exe File opened for modification C:\Windows\SysWOW64\Hebqbl32.exe Hljljflh.exe File created C:\Windows\SysWOW64\Jlnadiko.exe Jojaje32.exe File created C:\Windows\SysWOW64\Kgahcn32.exe Kdckgc32.exe File created C:\Windows\SysWOW64\Ddlloi32.exe Dheljhof.exe File created C:\Windows\SysWOW64\Dpnioi32.dll Ilaieljl.exe File created C:\Windows\SysWOW64\Pfekbg32.exe Oceaql32.exe File created C:\Windows\SysWOW64\Eaojgf32.dll Hmbbcjic.exe File opened for modification C:\Windows\SysWOW64\Gaokhdja.exe Ggfgoo32.exe File created C:\Windows\SysWOW64\Heaeli32.dll Qlaffbqk.exe File created C:\Windows\SysWOW64\Omkidb32.exe Oqdioaqf.exe File opened for modification C:\Windows\SysWOW64\Fmkpchmp.exe Fbflfomj.exe File opened for modification C:\Windows\SysWOW64\Kmbclj32.exe Kblooa32.exe File created C:\Windows\SysWOW64\Bnkpjd32.exe Bdbkaoce.exe File opened for modification C:\Windows\SysWOW64\Laqadknn.exe Lhhmle32.exe File created C:\Windows\SysWOW64\Fbeimf32.exe Fmhaep32.exe File opened for modification C:\Windows\SysWOW64\Flbgak32.exe Ffeoid32.exe File created C:\Windows\SysWOW64\Dindme32.exe Doipoldo.exe File created C:\Windows\SysWOW64\Nlgfbh32.exe Ndlanf32.exe File opened for modification C:\Windows\SysWOW64\Hfiloiik.exe Hmphfc32.exe File created C:\Windows\SysWOW64\Bdgdja32.dll Fagqed32.exe File created C:\Windows\SysWOW64\Jjbgok32.exe Jajbfeop.exe File opened for modification C:\Windows\SysWOW64\Nlfdjphd.exe Ngikaijm.exe File created C:\Windows\SysWOW64\Iebmaoed.exe Ijklmn32.exe File opened for modification C:\Windows\SysWOW64\Hejaon32.exe Hopibdfd.exe File opened for modification C:\Windows\SysWOW64\Opaeok32.exe Ohjmnn32.exe File created C:\Windows\SysWOW64\Jocceo32.exe Jifkmh32.exe File created C:\Windows\SysWOW64\Clcjjimp.dll Nikflm32.exe File created C:\Windows\SysWOW64\Oioddd32.dll Ihhehoci.exe File opened for modification C:\Windows\SysWOW64\Hhklibbf.exe Hnbhpl32.exe File created C:\Windows\SysWOW64\Iilndc32.dll Jbhlilip.exe File opened for modification C:\Windows\SysWOW64\Pacqlcdi.exe Ppogok32.exe File opened for modification C:\Windows\SysWOW64\Qeihfp32.exe Qkcdigpa.exe File created C:\Windows\SysWOW64\Qfkbfpca.dll Nfqbol32.exe File opened for modification C:\Windows\SysWOW64\Hjhaob32.exe Hgjdcghp.exe File opened for modification C:\Windows\SysWOW64\Hnbhpl32.exe Hnpkkm32.exe File opened for modification C:\Windows\SysWOW64\Lophcpam.exe Lmolkg32.exe File created C:\Windows\SysWOW64\Fplgljbm.exe Fmmjpoci.exe File created C:\Windows\SysWOW64\Qnpbbn32.exe Qlaffbqk.exe File created C:\Windows\SysWOW64\Finqaibj.dll Hebqbl32.exe File created C:\Windows\SysWOW64\Jegheghc.exe Jbhlilip.exe File created C:\Windows\SysWOW64\Noffadai.exe Ndaaclac.exe File opened for modification C:\Windows\SysWOW64\Deeeafii.exe Dcgiejje.exe File created C:\Windows\SysWOW64\Clgpckcb.exe Ckhdihlp.exe File opened for modification C:\Windows\SysWOW64\Qnagbc32.exe Pdffcn32.exe File created C:\Windows\SysWOW64\Ldikbhfh.exe Lnobfn32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 968 4888 WerFault.exe 849 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nkbdbbop.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hhaogp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bhfhnofg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kmbclj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kbjbibli.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Efolib32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gopnca32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hfalaj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ifecen32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Apbeeppo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Acafnm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ogldfl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hddjcbfh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bdbdgh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jiiikq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kolcdahb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hebqbl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aeahjn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jffddfjk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cdmbiojc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Igoagpja.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ojlkonpb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Amfcfk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hbccklmj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aefhpc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kjhajo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kgfoee32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ieoiai32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lmondpbc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eemded32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nmhlnngi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Clpeajjb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hiccbfoa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gaokhdja.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Himkgf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ocdohdfc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ageedflj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Knqnmeff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dalffg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aamhdckg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ebhlmlhl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ojakdd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lddjmb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kbokda32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Beqogc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Anbaqfep.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gcjogidl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bpahad32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kgffpk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ncbilimn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Okjdfq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ghcdpjqj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qhnlmjie.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Badlln32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ljhppo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Domgache.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Daibfa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hfkidh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lpfagd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jjefmc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kaojiqej.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ggfgoo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bdmklico.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Egobfdpi.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qpgfhg32.dll" Onacgf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aennhcpi.dll" Enajgllm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Lklmoccl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Jgfghodj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ocdohdfc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mdoafi32.dll" Qokhjjbk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Loicnemp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Nfogeamk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Blhphg32.dll" Lamkllea.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Pikkfilp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghjcmh32.dll" Baeanl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibofgebi.dll" Ndaaclac.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Keemfmgm.dll" Iapghlbe.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ekkppkpf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fplcpm32.dll" Ijfadkbm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cqkiai32.dll" Kbjbibli.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Bgcdcjpf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Glbcpokl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Jffddfjk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dfomdk32.dll" Lmolkg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ecnbpcje.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfdanc32.dll" Gpihog32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Kfklgape.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lkbnqpih.dll" Mjialchg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ageedflj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pcdggbbn.dll" Jiiikq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ndeifbfj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbkegbkn.dll" Abacjd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmchhqaf.dll" Qnagbc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Joepjokm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Igoagpja.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Anogmi32.dll" Aolihc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mfejocnp.dll" Kqijck32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Kgfoee32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Dobcekld.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Eemded32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Cohlnkeg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jkjigh32.dll" Eipekmjg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Kplhfo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ojlpmp32.dll" Fjnkac32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Faimkd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jpidah32.dll" Capopb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Idabbpgj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhobea32.dll" Dheljhof.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Lddjmb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Nkbdbbop.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ojjnioae.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ahbqliap.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Amfeodoh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bfqliakm.dll" Bdkpob32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Dpnmoe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Pqekin32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Kpblne32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Gfqmkk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kipddm32.dll" Hfkidh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Lafpipoa.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Mddidnqa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Poldnf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mfcpnn32.dll" Aqnjml32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Cncmei32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Flmecm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Pclolakk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ihopjl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibkfah32.dll" Coacdg32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1072 wrote to memory of 556 1072 a3686dbada8149d52ee19ea8f4b48040N.exe 29 PID 1072 wrote to memory of 556 1072 a3686dbada8149d52ee19ea8f4b48040N.exe 29 PID 1072 wrote to memory of 556 1072 a3686dbada8149d52ee19ea8f4b48040N.exe 29 PID 1072 wrote to memory of 556 1072 a3686dbada8149d52ee19ea8f4b48040N.exe 29 PID 556 wrote to memory of 2176 556 Lkffohon.exe 30 PID 556 wrote to memory of 2176 556 Lkffohon.exe 30 PID 556 wrote to memory of 2176 556 Lkffohon.exe 30 PID 556 wrote to memory of 2176 556 Lkffohon.exe 30 PID 2176 wrote to memory of 2820 2176 Ldokhn32.exe 31 PID 2176 wrote to memory of 2820 2176 Ldokhn32.exe 31 PID 2176 wrote to memory of 2820 2176 Ldokhn32.exe 31 PID 2176 wrote to memory of 2820 2176 Ldokhn32.exe 31 PID 2820 wrote to memory of 2748 2820 Mgaqohql.exe 32 PID 2820 wrote to memory of 2748 2820 Mgaqohql.exe 32 PID 2820 wrote to memory of 2748 2820 Mgaqohql.exe 32 PID 2820 wrote to memory of 2748 2820 Mgaqohql.exe 32 PID 2748 wrote to memory of 3024 2748 Mjbiac32.exe 33 PID 2748 wrote to memory of 3024 2748 Mjbiac32.exe 33 PID 2748 wrote to memory of 3024 2748 Mjbiac32.exe 33 PID 2748 wrote to memory of 3024 2748 Mjbiac32.exe 33 PID 3024 wrote to memory of 1840 3024 Mcmkoi32.exe 34 PID 3024 wrote to memory of 1840 3024 Mcmkoi32.exe 34 PID 3024 wrote to memory of 1840 3024 Mcmkoi32.exe 34 PID 3024 wrote to memory of 1840 3024 Mcmkoi32.exe 34 PID 1840 wrote to memory of 864 1840 Nmhlnngi.exe 35 PID 1840 wrote to memory of 864 1840 Nmhlnngi.exe 35 PID 1840 wrote to memory of 864 1840 Nmhlnngi.exe 35 PID 1840 wrote to memory of 864 1840 Nmhlnngi.exe 35 PID 864 wrote to memory of 2536 864 Necqbp32.exe 36 PID 864 wrote to memory of 2536 864 Necqbp32.exe 36 PID 864 wrote to memory of 2536 864 Necqbp32.exe 36 PID 864 wrote to memory of 2536 864 Necqbp32.exe 36 PID 2536 wrote to memory of 2976 2536 Niaihojk.exe 37 PID 2536 wrote to memory of 2976 2536 Niaihojk.exe 37 PID 2536 wrote to memory of 2976 2536 Niaihojk.exe 37 PID 2536 wrote to memory of 2976 2536 Niaihojk.exe 37 PID 2976 wrote to memory of 2600 2976 Npkaei32.exe 38 PID 2976 wrote to memory of 2600 2976 Npkaei32.exe 38 PID 2976 wrote to memory of 2600 2976 Npkaei32.exe 38 PID 2976 wrote to memory of 2600 2976 Npkaei32.exe 38 PID 2600 wrote to memory of 108 2600 Nehjmppo.exe 39 PID 2600 wrote to memory of 108 2600 Nehjmppo.exe 39 PID 2600 wrote to memory of 108 2600 Nehjmppo.exe 39 PID 2600 wrote to memory of 108 2600 Nehjmppo.exe 39 PID 108 wrote to memory of 2496 108 Njdbefnf.exe 40 PID 108 wrote to memory of 2496 108 Njdbefnf.exe 40 PID 108 wrote to memory of 2496 108 Njdbefnf.exe 40 PID 108 wrote to memory of 2496 108 Njdbefnf.exe 40 PID 2496 wrote to memory of 860 2496 Oldooi32.exe 41 PID 2496 wrote to memory of 860 2496 Oldooi32.exe 41 PID 2496 wrote to memory of 860 2496 Oldooi32.exe 41 PID 2496 wrote to memory of 860 2496 Oldooi32.exe 41 PID 860 wrote to memory of 1608 860 Ohmljj32.exe 42 PID 860 wrote to memory of 1608 860 Ohmljj32.exe 42 PID 860 wrote to memory of 1608 860 Ohmljj32.exe 42 PID 860 wrote to memory of 1608 860 Ohmljj32.exe 42 PID 1608 wrote to memory of 2512 1608 Oaeacppk.exe 43 PID 1608 wrote to memory of 2512 1608 Oaeacppk.exe 43 PID 1608 wrote to memory of 2512 1608 Oaeacppk.exe 43 PID 1608 wrote to memory of 2512 1608 Oaeacppk.exe 43 PID 2512 wrote to memory of 2428 2512 Ofbikf32.exe 44 PID 2512 wrote to memory of 2428 2512 Ofbikf32.exe 44 PID 2512 wrote to memory of 2428 2512 Ofbikf32.exe 44 PID 2512 wrote to memory of 2428 2512 Ofbikf32.exe 44
Processes
-
C:\Users\Admin\AppData\Local\Temp\a3686dbada8149d52ee19ea8f4b48040N.exe"C:\Users\Admin\AppData\Local\Temp\a3686dbada8149d52ee19ea8f4b48040N.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1072 -
C:\Windows\SysWOW64\Lkffohon.exeC:\Windows\system32\Lkffohon.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:556 -
C:\Windows\SysWOW64\Ldokhn32.exeC:\Windows\system32\Ldokhn32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2176 -
C:\Windows\SysWOW64\Mgaqohql.exeC:\Windows\system32\Mgaqohql.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2820 -
C:\Windows\SysWOW64\Mjbiac32.exeC:\Windows\system32\Mjbiac32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2748 -
C:\Windows\SysWOW64\Mcmkoi32.exeC:\Windows\system32\Mcmkoi32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3024 -
C:\Windows\SysWOW64\Nmhlnngi.exeC:\Windows\system32\Nmhlnngi.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1840 -
C:\Windows\SysWOW64\Necqbp32.exeC:\Windows\system32\Necqbp32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:864 -
C:\Windows\SysWOW64\Niaihojk.exeC:\Windows\system32\Niaihojk.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2536 -
C:\Windows\SysWOW64\Npkaei32.exeC:\Windows\system32\Npkaei32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2976 -
C:\Windows\SysWOW64\Nehjmppo.exeC:\Windows\system32\Nehjmppo.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2600 -
C:\Windows\SysWOW64\Njdbefnf.exeC:\Windows\system32\Njdbefnf.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:108 -
C:\Windows\SysWOW64\Oldooi32.exeC:\Windows\system32\Oldooi32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2496 -
C:\Windows\SysWOW64\Ohmljj32.exeC:\Windows\system32\Ohmljj32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:860 -
C:\Windows\SysWOW64\Oaeacppk.exeC:\Windows\system32\Oaeacppk.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1608 -
C:\Windows\SysWOW64\Ofbikf32.exeC:\Windows\system32\Ofbikf32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2512 -
C:\Windows\SysWOW64\Ppmkilbp.exeC:\Windows\system32\Ppmkilbp.exe17⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2428 -
C:\Windows\SysWOW64\Ppogok32.exeC:\Windows\system32\Ppogok32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:608 -
C:\Windows\SysWOW64\Pacqlcdi.exeC:\Windows\system32\Pacqlcdi.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1636 -
C:\Windows\SysWOW64\Paemac32.exeC:\Windows\system32\Paemac32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1540 -
C:\Windows\SysWOW64\Pdffcn32.exeC:\Windows\system32\Pdffcn32.exe21⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1028 -
C:\Windows\SysWOW64\Qnagbc32.exeC:\Windows\system32\Qnagbc32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1628 -
C:\Windows\SysWOW64\Agilkijf.exeC:\Windows\system32\Agilkijf.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1108 -
C:\Windows\SysWOW64\Aglhph32.exeC:\Windows\system32\Aglhph32.exe24⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:968 -
C:\Windows\SysWOW64\Apdminod.exeC:\Windows\system32\Apdminod.exe25⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1952 -
C:\Windows\SysWOW64\Ahancp32.exeC:\Windows\system32\Ahancp32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:892 -
C:\Windows\SysWOW64\Abjcleqm.exeC:\Windows\system32\Abjcleqm.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2076 -
C:\Windows\SysWOW64\Bhfhnofg.exeC:\Windows\system32\Bhfhnofg.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1600 -
C:\Windows\SysWOW64\Bncpffdn.exeC:\Windows\system32\Bncpffdn.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2432 -
C:\Windows\SysWOW64\Bcpiombe.exeC:\Windows\system32\Bcpiombe.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2884 -
C:\Windows\SysWOW64\Bnhjae32.exeC:\Windows\system32\Bnhjae32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2896 -
C:\Windows\SysWOW64\Bcdbjl32.exeC:\Windows\system32\Bcdbjl32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:952 -
C:\Windows\SysWOW64\Cicggcke.exeC:\Windows\system32\Cicggcke.exe33⤵
- Executes dropped EXE
PID:2616 -
C:\Windows\SysWOW64\Ccileljk.exeC:\Windows\system32\Ccileljk.exe34⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2660 -
C:\Windows\SysWOW64\Cncmei32.exeC:\Windows\system32\Cncmei32.exe35⤵
- Executes dropped EXE
- Modifies registry class
PID:2580 -
C:\Windows\SysWOW64\Cbqekhmp.exeC:\Windows\system32\Cbqekhmp.exe36⤵
- Executes dropped EXE
PID:2020 -
C:\Windows\SysWOW64\Fgnfpm32.exeC:\Windows\system32\Fgnfpm32.exe37⤵
- Executes dropped EXE
PID:3016 -
C:\Windows\SysWOW64\Fmjkbfnh.exeC:\Windows\system32\Fmjkbfnh.exe38⤵
- Executes dropped EXE
PID:2980 -
C:\Windows\SysWOW64\Fcjqpm32.exeC:\Windows\system32\Fcjqpm32.exe39⤵
- Executes dropped EXE
PID:2184 -
C:\Windows\SysWOW64\Flbehbqm.exeC:\Windows\system32\Flbehbqm.exe40⤵
- Executes dropped EXE
PID:1284 -
C:\Windows\SysWOW64\Gnenfjdh.exeC:\Windows\system32\Gnenfjdh.exe41⤵
- Executes dropped EXE
PID:2380 -
C:\Windows\SysWOW64\Ghkbccdn.exeC:\Windows\system32\Ghkbccdn.exe42⤵
- Executes dropped EXE
PID:2440 -
C:\Windows\SysWOW64\Gdbchd32.exeC:\Windows\system32\Gdbchd32.exe43⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2800 -
C:\Windows\SysWOW64\Gqidme32.exeC:\Windows\system32\Gqidme32.exe44⤵
- Executes dropped EXE
PID:2204 -
C:\Windows\SysWOW64\Gdfmccfm.exeC:\Windows\system32\Gdfmccfm.exe45⤵
- Executes dropped EXE
PID:2208 -
C:\Windows\SysWOW64\Gopnca32.exeC:\Windows\system32\Gopnca32.exe46⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:980 -
C:\Windows\SysWOW64\Hqpjndio.exeC:\Windows\system32\Hqpjndio.exe47⤵
- Executes dropped EXE
PID:1532 -
C:\Windows\SysWOW64\Hfmbfkhf.exeC:\Windows\system32\Hfmbfkhf.exe48⤵
- Executes dropped EXE
PID:2292 -
C:\Windows\SysWOW64\Hikobfgj.exeC:\Windows\system32\Hikobfgj.exe49⤵
- Executes dropped EXE
PID:2544 -
C:\Windows\SysWOW64\Hbccklmj.exeC:\Windows\system32\Hbccklmj.exe50⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2552 -
C:\Windows\SysWOW64\Himkgf32.exeC:\Windows\system32\Himkgf32.exe51⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2132 -
C:\Windows\SysWOW64\Hfalaj32.exeC:\Windows\system32\Hfalaj32.exe52⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3052 -
C:\Windows\SysWOW64\Hnlqemal.exeC:\Windows\system32\Hnlqemal.exe53⤵
- Executes dropped EXE
PID:2276 -
C:\Windows\SysWOW64\Hefibg32.exeC:\Windows\system32\Hefibg32.exe54⤵
- Executes dropped EXE
PID:2400 -
C:\Windows\SysWOW64\Hnomkloi.exeC:\Windows\system32\Hnomkloi.exe55⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3068 -
C:\Windows\SysWOW64\Iggbdb32.exeC:\Windows\system32\Iggbdb32.exe56⤵
- Executes dropped EXE
PID:2656 -
C:\Windows\SysWOW64\Iekbmfdc.exeC:\Windows\system32\Iekbmfdc.exe57⤵
- Executes dropped EXE
PID:2624 -
C:\Windows\SysWOW64\Ifloeo32.exeC:\Windows\system32\Ifloeo32.exe58⤵
- Executes dropped EXE
PID:2848 -
C:\Windows\SysWOW64\Iabcbg32.exeC:\Windows\system32\Iabcbg32.exe59⤵
- Executes dropped EXE
PID:3004 -
C:\Windows\SysWOW64\Iadphghe.exeC:\Windows\system32\Iadphghe.exe60⤵
- Executes dropped EXE
PID:872 -
C:\Windows\SysWOW64\Ifahpnfl.exeC:\Windows\system32\Ifahpnfl.exe61⤵
- Executes dropped EXE
PID:1360 -
C:\Windows\SysWOW64\Imkqmh32.exeC:\Windows\system32\Imkqmh32.exe62⤵
- Executes dropped EXE
PID:1644 -
C:\Windows\SysWOW64\Ifceemdj.exeC:\Windows\system32\Ifceemdj.exe63⤵
- Executes dropped EXE
PID:2332 -
C:\Windows\SysWOW64\Jlpmndba.exeC:\Windows\system32\Jlpmndba.exe64⤵
- Executes dropped EXE
PID:2200 -
C:\Windows\SysWOW64\Jhgnbehe.exeC:\Windows\system32\Jhgnbehe.exe65⤵
- Executes dropped EXE
PID:588 -
C:\Windows\SysWOW64\Jpnfdbig.exeC:\Windows\system32\Jpnfdbig.exe66⤵PID:2344
-
C:\Windows\SysWOW64\Jifkmh32.exeC:\Windows\system32\Jifkmh32.exe67⤵
- Drops file in System32 directory
PID:2036 -
C:\Windows\SysWOW64\Jocceo32.exeC:\Windows\system32\Jocceo32.exe68⤵PID:2032
-
C:\Windows\SysWOW64\Jhlgnd32.exeC:\Windows\system32\Jhlgnd32.exe69⤵PID:1976
-
C:\Windows\SysWOW64\Joepjokm.exeC:\Windows\system32\Joepjokm.exe70⤵
- Modifies registry class
PID:1676 -
C:\Windows\SysWOW64\Jadlgjjq.exeC:\Windows\system32\Jadlgjjq.exe71⤵PID:1680
-
C:\Windows\SysWOW64\Jmkmlk32.exeC:\Windows\system32\Jmkmlk32.exe72⤵PID:2528
-
C:\Windows\SysWOW64\Kfcadq32.exeC:\Windows\system32\Kfcadq32.exe73⤵PID:2760
-
C:\Windows\SysWOW64\Kbjbibli.exeC:\Windows\system32\Kbjbibli.exe74⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:3064 -
C:\Windows\SysWOW64\Kmpfgklo.exeC:\Windows\system32\Kmpfgklo.exe75⤵PID:2864
-
C:\Windows\SysWOW64\Kblooa32.exeC:\Windows\system32\Kblooa32.exe76⤵
- Drops file in System32 directory
PID:2016 -
C:\Windows\SysWOW64\Kmbclj32.exeC:\Windows\system32\Kmbclj32.exe77⤵
- System Location Discovery: System Language Discovery
PID:3032 -
C:\Windows\SysWOW64\Kbokda32.exeC:\Windows\system32\Kbokda32.exe78⤵
- System Location Discovery: System Language Discovery
PID:2964 -
C:\Windows\SysWOW64\Khkdmh32.exeC:\Windows\system32\Khkdmh32.exe79⤵PID:2988
-
C:\Windows\SysWOW64\Kpblne32.exeC:\Windows\system32\Kpblne32.exe80⤵
- Modifies registry class
PID:2876 -
C:\Windows\SysWOW64\Keodflee.exeC:\Windows\system32\Keodflee.exe81⤵PID:2368
-
C:\Windows\SysWOW64\Lklmoccl.exeC:\Windows\system32\Lklmoccl.exe82⤵
- Modifies registry class
PID:2144 -
C:\Windows\SysWOW64\Lafekm32.exeC:\Windows\system32\Lafekm32.exe83⤵PID:1444
-
C:\Windows\SysWOW64\Lddagi32.exeC:\Windows\system32\Lddagi32.exe84⤵PID:1296
-
C:\Windows\SysWOW64\Lkoidcaj.exeC:\Windows\system32\Lkoidcaj.exe85⤵
- Drops file in System32 directory
PID:1756 -
C:\Windows\SysWOW64\Lahaqm32.exeC:\Windows\system32\Lahaqm32.exe86⤵PID:1340
-
C:\Windows\SysWOW64\Ldgnmhhj.exeC:\Windows\system32\Ldgnmhhj.exe87⤵PID:896
-
C:\Windows\SysWOW64\Lkafib32.exeC:\Windows\system32\Lkafib32.exe88⤵PID:1596
-
C:\Windows\SysWOW64\Lnobfn32.exeC:\Windows\system32\Lnobfn32.exe89⤵
- Drops file in System32 directory
PID:2764 -
C:\Windows\SysWOW64\Ldikbhfh.exeC:\Windows\system32\Ldikbhfh.exe90⤵PID:2940
-
C:\Windows\SysWOW64\Lamkllea.exeC:\Windows\system32\Lamkllea.exe91⤵
- Modifies registry class
PID:2612 -
C:\Windows\SysWOW64\Lkepdbkb.exeC:\Windows\system32\Lkepdbkb.exe92⤵PID:2492
-
C:\Windows\SysWOW64\Ljhppo32.exeC:\Windows\system32\Ljhppo32.exe93⤵
- System Location Discovery: System Language Discovery
PID:2348 -
C:\Windows\SysWOW64\Lcqdidim.exeC:\Windows\system32\Lcqdidim.exe94⤵PID:2684
-
C:\Windows\SysWOW64\Mjkmfn32.exeC:\Windows\system32\Mjkmfn32.exe95⤵PID:2956
-
C:\Windows\SysWOW64\Mjmiknng.exeC:\Windows\system32\Mjmiknng.exe96⤵PID:396
-
C:\Windows\SysWOW64\Mfdjpo32.exeC:\Windows\system32\Mfdjpo32.exe97⤵PID:2392
-
C:\Windows\SysWOW64\Moloidjl.exeC:\Windows\system32\Moloidjl.exe98⤵PID:2388
-
C:\Windows\SysWOW64\Mdigakic.exeC:\Windows\system32\Mdigakic.exe99⤵PID:1956
-
C:\Windows\SysWOW64\Mkconepp.exeC:\Windows\system32\Mkconepp.exe100⤵PID:2088
-
C:\Windows\SysWOW64\Mfhcknpf.exeC:\Windows\system32\Mfhcknpf.exe101⤵PID:2004
-
C:\Windows\SysWOW64\Mkelcenm.exeC:\Windows\system32\Mkelcenm.exe102⤵PID:1792
-
C:\Windows\SysWOW64\Nndhpqma.exeC:\Windows\system32\Nndhpqma.exe103⤵PID:1796
-
C:\Windows\SysWOW64\Nglmifca.exeC:\Windows\system32\Nglmifca.exe104⤵PID:2916
-
C:\Windows\SysWOW64\Nbaafocg.exeC:\Windows\system32\Nbaafocg.exe105⤵PID:2772
-
C:\Windows\SysWOW64\Njmejaqb.exeC:\Windows\system32\Njmejaqb.exe106⤵PID:2628
-
C:\Windows\SysWOW64\Nqgngk32.exeC:\Windows\system32\Nqgngk32.exe107⤵PID:964
-
C:\Windows\SysWOW64\Ngafdepl.exeC:\Windows\system32\Ngafdepl.exe108⤵PID:3044
-
C:\Windows\SysWOW64\Nqijmkfm.exeC:\Windows\system32\Nqijmkfm.exe109⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1868 -
C:\Windows\SysWOW64\Nffcebdd.exeC:\Windows\system32\Nffcebdd.exe110⤵PID:2576
-
C:\Windows\SysWOW64\Nqkgbkdj.exeC:\Windows\system32\Nqkgbkdj.exe111⤵PID:1640
-
C:\Windows\SysWOW64\Ojoood32.exeC:\Windows\system32\Ojoood32.exe112⤵PID:2436
-
C:\Windows\SysWOW64\Ojakdd32.exeC:\Windows\system32\Ojakdd32.exe113⤵
- System Location Discovery: System Language Discovery
PID:2304 -
C:\Windows\SysWOW64\Oakcan32.exeC:\Windows\system32\Oakcan32.exe114⤵PID:1760
-
C:\Windows\SysWOW64\Pbaide32.exeC:\Windows\system32\Pbaide32.exe115⤵PID:2568
-
C:\Windows\SysWOW64\Pikaqppk.exeC:\Windows\system32\Pikaqppk.exe116⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2724 -
C:\Windows\SysWOW64\Pmijgn32.exeC:\Windows\system32\Pmijgn32.exe117⤵PID:2908
-
C:\Windows\SysWOW64\Pojgnf32.exeC:\Windows\system32\Pojgnf32.exe118⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2676 -
C:\Windows\SysWOW64\Pfaopc32.exeC:\Windows\system32\Pfaopc32.exe119⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2868 -
C:\Windows\SysWOW64\Qpjchicb.exeC:\Windows\system32\Qpjchicb.exe120⤵PID:2808
-
C:\Windows\SysWOW64\Qhehmkqn.exeC:\Windows\system32\Qhehmkqn.exe121⤵PID:2460
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-