Analysis
-
max time kernel
59s -
max time network
16s -
platform
windows7_x64 -
resource
win7-20240729-en -
resource tags
arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system -
submitted
23-08-2024 11:18
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
acb1934d56f2cd831515cd68fd6616c0N.exe
Resource
win7-20240729-en
windows7-x64
8 signatures
120 seconds
Behavioral task
behavioral2
Sample
acb1934d56f2cd831515cd68fd6616c0N.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
7 signatures
120 seconds
General
-
Target
acb1934d56f2cd831515cd68fd6616c0N.exe
-
Size
80KB
-
MD5
acb1934d56f2cd831515cd68fd6616c0
-
SHA1
f7db9b1eb9145630d275b656ff350cb5ec3ca7e9
-
SHA256
0cad7237eae79e0f3745677319eab2424a62e129d48f2ef75be5dabb0f5be7a4
-
SHA512
5e5faeed21f5506dd106e47ad0ff49ac7ef97b713b6069ed9282ec6db6b702059d608063ca5de37249e46b9ab73fe66f43bc9c2dccad1c854f0432f462b97843
-
SSDEEP
1536:bezey5ChB6Jd7qaw2CB8Qcn4gvu2LcaIZTJ+7LhkiB0:Kzt50qd7d9Qcn4gbcaMU7ui
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Efgnfi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kigidd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bgichoqj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bpahad32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ijmibn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Npbpjn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Behpcefk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bkjbgk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aagadh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Laacmc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lepfoe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lfeegfkf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ohajic32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ekkppkpf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bmndbb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gbeakllj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kleeqp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gdobqgpn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hdonpjbi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hnllcoed.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lcolpe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ogcaaahi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Epkgkfmd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jfdigocb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pqodho32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ceclmc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bpajjmon.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dgkkdnkb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fhjcmcep.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qfegakmc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Egchocif.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fgjnpb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Igomfb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ocmdeg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gfnpek32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qmlief32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qmoone32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Megkgpaq.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mjfdfcjj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bbpffhnb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Edahca32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Macpcccp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pcikllja.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eqninhmc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fbhhlo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jkhhpeka.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Efoobkej.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Enmplm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jfkphnmj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Danblfmk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eomfiobe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pinqoh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cbhcankf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dilggefh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fimgmj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hfhjfp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hlebog32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pgfnfq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ejpkho32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kejfio32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pemdic32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dcjleq32.exe -
Executes dropped EXE 64 IoCs
pid Process 2528 Kcgdgnmc.exe 2088 Kidlodkj.exe 2720 Kakdpb32.exe 3052 Kpndlobg.exe 2872 Kigidd32.exe 2636 Kleeqp32.exe 2712 Kmdbkbpn.exe 1920 Lepfoe32.exe 2688 Lohkhjcj.exe 872 Laidie32.exe 1636 Lhclfphg.exe 2896 Lkahbkgk.exe 2580 Lomdcj32.exe 2120 Looahi32.exe 2432 Lpqnpacp.exe 2412 Lgjfmlkm.exe 2492 Mapjjdjb.exe 1692 Mdnffpif.exe 632 Mmgkoe32.exe 1800 Mebpchmb.exe 3024 Mpgdaqmh.exe 2076 Mpgdaqmh.exe 2044 Mgalnk32.exe 1576 Momqbm32.exe 2836 Makmnh32.exe 1740 Mheekb32.exe 2840 Mlqakaqi.exe 2484 Nlcnaaog.exe 2604 Noajmlnj.exe 2612 Nhjofbdk.exe 2188 Nocgbl32.exe 1724 Ndqokc32.exe 1776 Nhlkkabh.exe 2940 Njmhcj32.exe 2920 Nnidchqp.exe 2908 Npgppdpc.exe 1428 Ncellpog.exe 2196 Ngahmngp.exe 2032 Nkmdmm32.exe 1512 Nlnqeeeh.exe 1468 Nqjmec32.exe 908 Ngcebnen.exe 1440 Nffenj32.exe 1988 Njbanida.exe 2180 Nlpmjdce.exe 316 Nqlikc32.exe 2308 Ocjfgo32.exe 3040 Ofibcj32.exe 2824 Ojdndi32.exe 2788 Ombjpd32.exe 1584 Ooaflp32.exe 1040 Obpbhk32.exe 2772 Ojgkih32.exe 2472 Ohikeegf.exe 2968 Omeged32.exe 1060 Ooccap32.exe 2692 Obbonk32.exe 3008 Ofmknifp.exe 2020 Oilgje32.exe 2504 Okjdfq32.exe 2944 Onipbl32.exe 1868 Obdlcjkd.exe 1456 Odbhofjh.exe 2428 Ogadkajl.exe -
Loads dropped DLL 64 IoCs
pid Process 2876 acb1934d56f2cd831515cd68fd6616c0N.exe 2876 acb1934d56f2cd831515cd68fd6616c0N.exe 2528 Kcgdgnmc.exe 2528 Kcgdgnmc.exe 2088 Kidlodkj.exe 2088 Kidlodkj.exe 2720 Kakdpb32.exe 2720 Kakdpb32.exe 3052 Kpndlobg.exe 3052 Kpndlobg.exe 2872 Kigidd32.exe 2872 Kigidd32.exe 2636 Kleeqp32.exe 2636 Kleeqp32.exe 2712 Kmdbkbpn.exe 2712 Kmdbkbpn.exe 1920 Lepfoe32.exe 1920 Lepfoe32.exe 2688 Lohkhjcj.exe 2688 Lohkhjcj.exe 872 Laidie32.exe 872 Laidie32.exe 1636 Lhclfphg.exe 1636 Lhclfphg.exe 2896 Lkahbkgk.exe 2896 Lkahbkgk.exe 2580 Lomdcj32.exe 2580 Lomdcj32.exe 2120 Looahi32.exe 2120 Looahi32.exe 2432 Lpqnpacp.exe 2432 Lpqnpacp.exe 2412 Lgjfmlkm.exe 2412 Lgjfmlkm.exe 2492 Mapjjdjb.exe 2492 Mapjjdjb.exe 1692 Mdnffpif.exe 1692 Mdnffpif.exe 632 Mmgkoe32.exe 632 Mmgkoe32.exe 1800 Mebpchmb.exe 1800 Mebpchmb.exe 3024 Mpgdaqmh.exe 3024 Mpgdaqmh.exe 2076 Mpgdaqmh.exe 2076 Mpgdaqmh.exe 2044 Mgalnk32.exe 2044 Mgalnk32.exe 1576 Momqbm32.exe 1576 Momqbm32.exe 2836 Makmnh32.exe 2836 Makmnh32.exe 1740 Mheekb32.exe 1740 Mheekb32.exe 2840 Mlqakaqi.exe 2840 Mlqakaqi.exe 2484 Nlcnaaog.exe 2484 Nlcnaaog.exe 2604 Noajmlnj.exe 2604 Noajmlnj.exe 2612 Nhjofbdk.exe 2612 Nhjofbdk.exe 2188 Nocgbl32.exe 2188 Nocgbl32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Ohofimje.exe Oepjmbka.exe File opened for modification C:\Windows\SysWOW64\Abaaakob.exe Acnqen32.exe File created C:\Windows\SysWOW64\Ddmohbln.exe Danblfmk.exe File created C:\Windows\SysWOW64\Kiolio32.exe Kecpipck.exe File created C:\Windows\SysWOW64\Eggpoami.dll Jchjqc32.exe File created C:\Windows\SysWOW64\Bhhfjfck.dll Kbgqbdbd.exe File created C:\Windows\SysWOW64\Nmhhdpoh.dll Aahkhgag.exe File created C:\Windows\SysWOW64\Naebmppm.exe Nmifla32.exe File created C:\Windows\SysWOW64\Ejpkho32.exe Egaoldnf.exe File created C:\Windows\SysWOW64\Hkgjge32.exe Hhhmki32.exe File created C:\Windows\SysWOW64\Ickaaf32.exe Ipmeej32.exe File created C:\Windows\SysWOW64\Bckidl32.exe Bpomdmqa.exe File opened for modification C:\Windows\SysWOW64\Idqpjg32.exe Ilihij32.exe File created C:\Windows\SysWOW64\Mmepboin.exe Mjfdfcjj.exe File created C:\Windows\SysWOW64\Jlfkcfof.dll Process not Found File created C:\Windows\SysWOW64\Bdjihjnq.dll Eelinm32.exe File created C:\Windows\SysWOW64\Lbqgnl32.dll Jdfqomom.exe File created C:\Windows\SysWOW64\Ejnhel32.dll Majfcb32.exe File created C:\Windows\SysWOW64\Oeianohn.dll Npbpjn32.exe File created C:\Windows\SysWOW64\Oepjmbka.exe Oadnlc32.exe File created C:\Windows\SysWOW64\Pcmadj32.exe Pqodho32.exe File created C:\Windows\SysWOW64\Ckdhaj32.dll Qokhjjbk.exe File created C:\Windows\SysWOW64\Hnpkkm32.exe Process not Found File created C:\Windows\SysWOW64\Hnckabmd.dll Ilneef32.exe File opened for modification C:\Windows\SysWOW64\Coidpiac.exe Bjnhpj32.exe File opened for modification C:\Windows\SysWOW64\Cpigeblb.exe Cmkkhfmn.exe File created C:\Windows\SysWOW64\Epkqhe32.dll Ipbgci32.exe File created C:\Windows\SysWOW64\Mmgmhngk.exe Mjialchg.exe File opened for modification C:\Windows\SysWOW64\Kgdijk32.exe Kefmnp32.exe File created C:\Windows\SysWOW64\Kmeknakn.exe Knckbe32.exe File created C:\Windows\SysWOW64\Donijk32.exe Dlomnp32.exe File opened for modification C:\Windows\SysWOW64\Jnfdlpje.exe Jkhhpeka.exe File opened for modification C:\Windows\SysWOW64\Pmeemp32.exe Pjgiad32.exe File opened for modification C:\Windows\SysWOW64\Aeljmq32.exe Aaqnmbdd.exe File created C:\Windows\SysWOW64\Ikibkhla.exe Ihjfolmn.exe File created C:\Windows\SysWOW64\Noiiaj32.exe Nknmplji.exe File created C:\Windows\SysWOW64\Dldndf32.exe Djfagjai.exe File created C:\Windows\SysWOW64\Bfkbfg32.exe Bbpffhnb.exe File opened for modification C:\Windows\SysWOW64\Jcfmkcdn.exe Jpgaohej.exe File created C:\Windows\SysWOW64\Ojmkof32.dll Kmedck32.exe File created C:\Windows\SysWOW64\Elmmhc32.exe Ejnqkh32.exe File created C:\Windows\SysWOW64\Hbjjfl32.exe Process not Found File created C:\Windows\SysWOW64\Pnbcij32.exe Pjfghl32.exe File created C:\Windows\SysWOW64\Adenqd32.exe Apjbpemb.exe File created C:\Windows\SysWOW64\Dohnfc32.exe Cljajh32.exe File created C:\Windows\SysWOW64\Gbmbgngb.exe Fpnekc32.exe File opened for modification C:\Windows\SysWOW64\Bagncl32.exe Bnkbcmaj.exe File created C:\Windows\SysWOW64\Fpnekc32.exe Flcjjdpe.exe File created C:\Windows\SysWOW64\Pmeemp32.exe Pjgiad32.exe File created C:\Windows\SysWOW64\Giafmfad.exe Process not Found File created C:\Windows\SysWOW64\Kedbbm32.dll Fpgpjdnf.exe File created C:\Windows\SysWOW64\Ndcnik32.exe Naebmppm.exe File created C:\Windows\SysWOW64\Bkdmogal.dll Cbhcankf.exe File created C:\Windows\SysWOW64\Ebhlmlhl.exe Enmplm32.exe File opened for modification C:\Windows\SysWOW64\Fiomhc32.exe Fdcahdib.exe File opened for modification C:\Windows\SysWOW64\Ianambhc.exe Ickaaf32.exe File created C:\Windows\SysWOW64\Ljjkgfig.exe Kgkokjjd.exe File opened for modification C:\Windows\SysWOW64\Oenngb32.exe Oabafcek.exe File created C:\Windows\SysWOW64\Pliibcdi.dll Pbjoaibo.exe File created C:\Windows\SysWOW64\Aahkhgag.exe Abejlj32.exe File opened for modification C:\Windows\SysWOW64\Djiegp32.exe Dkfdlclg.exe File created C:\Windows\SysWOW64\Enijcn32.exe Efbbba32.exe File created C:\Windows\SysWOW64\Ocbnqfln.exe Okkfoikl.exe File created C:\Windows\SysWOW64\Npphimpc.dll Ghcmedmo.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 9436 9364 Process not Found 1065 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nmlcbafa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bbkkbpjc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bmpooiji.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bgichoqj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Faefim32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eqpfchka.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fimgmj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lnhmqc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aeofcpjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Belfldoh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ojgkih32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gbihmcqp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lgcooh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mapjjdjb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ojdndi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ickaaf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aahkhgag.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Knkngp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Neihmpon.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Looahi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nhlkkabh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aendjh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jgdmkhnp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ncbilimn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jfffmo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Noffadai.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lepfoe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Onipbl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pbienj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jnnehb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mbdepe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nodikecl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fecool32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Apgnpo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fglkeaqk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fpgpjdnf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nabegpbp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hdakej32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ooncljom.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ofcnmh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Piipibff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hfhjfp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cdejpg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iqhhin32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ommfibdg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pfhghgie.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Coejfn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hakani32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aaqnmbdd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pccelqeb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gmejdm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hljljflh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hojeka32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kceijg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pejnpe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Glmckikf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jcpglhpo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Licbca32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Npbpjn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Glefpd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mbfbfe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fallil32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jfijmdbh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cpafhpaj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kfbcpo32.dll" Lepfoe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pidnhdck.dll" Lbgmah32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nhmdoq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Iankbldh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nlcnaaog.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmhlmn32.dll" Jknlfg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ljhjlejh.dll" Cmqmgedi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Okmceiii.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gphkoi32.dll" Donijk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qmmbhegc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebnbdank.dll" Lnkjfcik.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fnnpma32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lgiidckm.dll" Iomhkgkb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qpmbgaid.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qjabhq32.dll" Jbbpmo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lebemmbk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohcnekjc.dll" Ofmknifp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Onipbl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Goompeid.dll" Hgpgae32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Chahin32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jlnadiko.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lnmglbgh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ddhfnf32.dll" Ngahmngp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fagbad32.dll" Mafmhcam.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oahllk32.dll" Pbohmh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lalchnfl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbioifig.dll" Ajnlqgfo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lhiodnob.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Poplqm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bkjbgk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bbcjfn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gigjch32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lqakem32.dll" Mbiokdam.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hieegjdf.dll" Pfpflenm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ehfkpkhl.dll" Gbeakllj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mdbloobc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Koacjg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hegdinpd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Oncpmf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qbidffao.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hnllcoed.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Clapna32.dll" Oilgje32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ccjpfmic.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nmifla32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imqkokae.dll" Cpojcpcm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amhogfdf.dll" Amalcd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Opkfgdkf.dll" Njbanida.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bkkiab32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fgmaphdg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Angohn32.dll" Jcknqicd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Meaiia32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mbjjjlll.dll" Kecpipck.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ceeibbgn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Danblfmk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fmcchb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kkpekjie.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lpmjplag.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qfegakmc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Naconeen.dll" Bakgmgpe.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gibmglep.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hfmcapna.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pgkjji32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2876 wrote to memory of 2528 2876 acb1934d56f2cd831515cd68fd6616c0N.exe 29 PID 2876 wrote to memory of 2528 2876 acb1934d56f2cd831515cd68fd6616c0N.exe 29 PID 2876 wrote to memory of 2528 2876 acb1934d56f2cd831515cd68fd6616c0N.exe 29 PID 2876 wrote to memory of 2528 2876 acb1934d56f2cd831515cd68fd6616c0N.exe 29 PID 2528 wrote to memory of 2088 2528 Kcgdgnmc.exe 30 PID 2528 wrote to memory of 2088 2528 Kcgdgnmc.exe 30 PID 2528 wrote to memory of 2088 2528 Kcgdgnmc.exe 30 PID 2528 wrote to memory of 2088 2528 Kcgdgnmc.exe 30 PID 2088 wrote to memory of 2720 2088 Kidlodkj.exe 31 PID 2088 wrote to memory of 2720 2088 Kidlodkj.exe 31 PID 2088 wrote to memory of 2720 2088 Kidlodkj.exe 31 PID 2088 wrote to memory of 2720 2088 Kidlodkj.exe 31 PID 2720 wrote to memory of 3052 2720 Kakdpb32.exe 32 PID 2720 wrote to memory of 3052 2720 Kakdpb32.exe 32 PID 2720 wrote to memory of 3052 2720 Kakdpb32.exe 32 PID 2720 wrote to memory of 3052 2720 Kakdpb32.exe 32 PID 3052 wrote to memory of 2872 3052 Kpndlobg.exe 33 PID 3052 wrote to memory of 2872 3052 Kpndlobg.exe 33 PID 3052 wrote to memory of 2872 3052 Kpndlobg.exe 33 PID 3052 wrote to memory of 2872 3052 Kpndlobg.exe 33 PID 2872 wrote to memory of 2636 2872 Kigidd32.exe 34 PID 2872 wrote to memory of 2636 2872 Kigidd32.exe 34 PID 2872 wrote to memory of 2636 2872 Kigidd32.exe 34 PID 2872 wrote to memory of 2636 2872 Kigidd32.exe 34 PID 2636 wrote to memory of 2712 2636 Kleeqp32.exe 35 PID 2636 wrote to memory of 2712 2636 Kleeqp32.exe 35 PID 2636 wrote to memory of 2712 2636 Kleeqp32.exe 35 PID 2636 wrote to memory of 2712 2636 Kleeqp32.exe 35 PID 2712 wrote to memory of 1920 2712 Kmdbkbpn.exe 36 PID 2712 wrote to memory of 1920 2712 Kmdbkbpn.exe 36 PID 2712 wrote to memory of 1920 2712 Kmdbkbpn.exe 36 PID 2712 wrote to memory of 1920 2712 Kmdbkbpn.exe 36 PID 1920 wrote to memory of 2688 1920 Lepfoe32.exe 37 PID 1920 wrote to memory of 2688 1920 Lepfoe32.exe 37 PID 1920 wrote to memory of 2688 1920 Lepfoe32.exe 37 PID 1920 wrote to memory of 2688 1920 Lepfoe32.exe 37 PID 2688 wrote to memory of 872 2688 Lohkhjcj.exe 38 PID 2688 wrote to memory of 872 2688 Lohkhjcj.exe 38 PID 2688 wrote to memory of 872 2688 Lohkhjcj.exe 38 PID 2688 wrote to memory of 872 2688 Lohkhjcj.exe 38 PID 872 wrote to memory of 1636 872 Laidie32.exe 39 PID 872 wrote to memory of 1636 872 Laidie32.exe 39 PID 872 wrote to memory of 1636 872 Laidie32.exe 39 PID 872 wrote to memory of 1636 872 Laidie32.exe 39 PID 1636 wrote to memory of 2896 1636 Lhclfphg.exe 40 PID 1636 wrote to memory of 2896 1636 Lhclfphg.exe 40 PID 1636 wrote to memory of 2896 1636 Lhclfphg.exe 40 PID 1636 wrote to memory of 2896 1636 Lhclfphg.exe 40 PID 2896 wrote to memory of 2580 2896 Lkahbkgk.exe 41 PID 2896 wrote to memory of 2580 2896 Lkahbkgk.exe 41 PID 2896 wrote to memory of 2580 2896 Lkahbkgk.exe 41 PID 2896 wrote to memory of 2580 2896 Lkahbkgk.exe 41 PID 2580 wrote to memory of 2120 2580 Lomdcj32.exe 42 PID 2580 wrote to memory of 2120 2580 Lomdcj32.exe 42 PID 2580 wrote to memory of 2120 2580 Lomdcj32.exe 42 PID 2580 wrote to memory of 2120 2580 Lomdcj32.exe 42 PID 2120 wrote to memory of 2432 2120 Looahi32.exe 43 PID 2120 wrote to memory of 2432 2120 Looahi32.exe 43 PID 2120 wrote to memory of 2432 2120 Looahi32.exe 43 PID 2120 wrote to memory of 2432 2120 Looahi32.exe 43 PID 2432 wrote to memory of 2412 2432 Lpqnpacp.exe 44 PID 2432 wrote to memory of 2412 2432 Lpqnpacp.exe 44 PID 2432 wrote to memory of 2412 2432 Lpqnpacp.exe 44 PID 2432 wrote to memory of 2412 2432 Lpqnpacp.exe 44
Processes
-
C:\Users\Admin\AppData\Local\Temp\acb1934d56f2cd831515cd68fd6616c0N.exe"C:\Users\Admin\AppData\Local\Temp\acb1934d56f2cd831515cd68fd6616c0N.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2876 -
C:\Windows\SysWOW64\Kcgdgnmc.exeC:\Windows\system32\Kcgdgnmc.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2528 -
C:\Windows\SysWOW64\Kidlodkj.exeC:\Windows\system32\Kidlodkj.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2088 -
C:\Windows\SysWOW64\Kakdpb32.exeC:\Windows\system32\Kakdpb32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2720 -
C:\Windows\SysWOW64\Kpndlobg.exeC:\Windows\system32\Kpndlobg.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3052 -
C:\Windows\SysWOW64\Kigidd32.exeC:\Windows\system32\Kigidd32.exe6⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2872 -
C:\Windows\SysWOW64\Kleeqp32.exeC:\Windows\system32\Kleeqp32.exe7⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2636 -
C:\Windows\SysWOW64\Kmdbkbpn.exeC:\Windows\system32\Kmdbkbpn.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2712 -
C:\Windows\SysWOW64\Lepfoe32.exeC:\Windows\system32\Lepfoe32.exe9⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1920 -
C:\Windows\SysWOW64\Lohkhjcj.exeC:\Windows\system32\Lohkhjcj.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2688 -
C:\Windows\SysWOW64\Laidie32.exeC:\Windows\system32\Laidie32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:872 -
C:\Windows\SysWOW64\Lhclfphg.exeC:\Windows\system32\Lhclfphg.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1636 -
C:\Windows\SysWOW64\Lkahbkgk.exeC:\Windows\system32\Lkahbkgk.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2896 -
C:\Windows\SysWOW64\Lomdcj32.exeC:\Windows\system32\Lomdcj32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2580 -
C:\Windows\SysWOW64\Looahi32.exeC:\Windows\system32\Looahi32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2120 -
C:\Windows\SysWOW64\Lpqnpacp.exeC:\Windows\system32\Lpqnpacp.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2432 -
C:\Windows\SysWOW64\Lgjfmlkm.exeC:\Windows\system32\Lgjfmlkm.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2412 -
C:\Windows\SysWOW64\Mapjjdjb.exeC:\Windows\system32\Mapjjdjb.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2492 -
C:\Windows\SysWOW64\Mdnffpif.exeC:\Windows\system32\Mdnffpif.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1692 -
C:\Windows\SysWOW64\Mmgkoe32.exeC:\Windows\system32\Mmgkoe32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:632 -
C:\Windows\SysWOW64\Mebpchmb.exeC:\Windows\system32\Mebpchmb.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1800 -
C:\Windows\SysWOW64\Mpgdaqmh.exeC:\Windows\system32\Mpgdaqmh.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3024 -
C:\Windows\SysWOW64\Mpgdaqmh.exeC:\Windows\system32\Mpgdaqmh.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2076 -
C:\Windows\SysWOW64\Mgalnk32.exeC:\Windows\system32\Mgalnk32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2044 -
C:\Windows\SysWOW64\Momqbm32.exeC:\Windows\system32\Momqbm32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1576 -
C:\Windows\SysWOW64\Makmnh32.exeC:\Windows\system32\Makmnh32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2836 -
C:\Windows\SysWOW64\Mheekb32.exeC:\Windows\system32\Mheekb32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1740 -
C:\Windows\SysWOW64\Mlqakaqi.exeC:\Windows\system32\Mlqakaqi.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2840 -
C:\Windows\SysWOW64\Nlcnaaog.exeC:\Windows\system32\Nlcnaaog.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2484 -
C:\Windows\SysWOW64\Noajmlnj.exeC:\Windows\system32\Noajmlnj.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2604 -
C:\Windows\SysWOW64\Nhjofbdk.exeC:\Windows\system32\Nhjofbdk.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2612 -
C:\Windows\SysWOW64\Nocgbl32.exeC:\Windows\system32\Nocgbl32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2188 -
C:\Windows\SysWOW64\Ndqokc32.exeC:\Windows\system32\Ndqokc32.exe33⤵
- Executes dropped EXE
PID:1724 -
C:\Windows\SysWOW64\Nhlkkabh.exeC:\Windows\system32\Nhlkkabh.exe34⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1776 -
C:\Windows\SysWOW64\Njmhcj32.exeC:\Windows\system32\Njmhcj32.exe35⤵
- Executes dropped EXE
PID:2940 -
C:\Windows\SysWOW64\Nnidchqp.exeC:\Windows\system32\Nnidchqp.exe36⤵
- Executes dropped EXE
PID:2920 -
C:\Windows\SysWOW64\Npgppdpc.exeC:\Windows\system32\Npgppdpc.exe37⤵
- Executes dropped EXE
PID:2908 -
C:\Windows\SysWOW64\Ncellpog.exeC:\Windows\system32\Ncellpog.exe38⤵
- Executes dropped EXE
PID:1428 -
C:\Windows\SysWOW64\Ngahmngp.exeC:\Windows\system32\Ngahmngp.exe39⤵
- Executes dropped EXE
- Modifies registry class
PID:2196 -
C:\Windows\SysWOW64\Nkmdmm32.exeC:\Windows\system32\Nkmdmm32.exe40⤵
- Executes dropped EXE
PID:2032 -
C:\Windows\SysWOW64\Nlnqeeeh.exeC:\Windows\system32\Nlnqeeeh.exe41⤵
- Executes dropped EXE
PID:1512 -
C:\Windows\SysWOW64\Nqjmec32.exeC:\Windows\system32\Nqjmec32.exe42⤵
- Executes dropped EXE
PID:1468 -
C:\Windows\SysWOW64\Ngcebnen.exeC:\Windows\system32\Ngcebnen.exe43⤵
- Executes dropped EXE
PID:908 -
C:\Windows\SysWOW64\Nffenj32.exeC:\Windows\system32\Nffenj32.exe44⤵
- Executes dropped EXE
PID:1440 -
C:\Windows\SysWOW64\Njbanida.exeC:\Windows\system32\Njbanida.exe45⤵
- Executes dropped EXE
- Modifies registry class
PID:1988 -
C:\Windows\SysWOW64\Nlpmjdce.exeC:\Windows\system32\Nlpmjdce.exe46⤵
- Executes dropped EXE
PID:2180 -
C:\Windows\SysWOW64\Nqlikc32.exeC:\Windows\system32\Nqlikc32.exe47⤵
- Executes dropped EXE
PID:316 -
C:\Windows\SysWOW64\Ocjfgo32.exeC:\Windows\system32\Ocjfgo32.exe48⤵
- Executes dropped EXE
PID:2308 -
C:\Windows\SysWOW64\Ofibcj32.exeC:\Windows\system32\Ofibcj32.exe49⤵
- Executes dropped EXE
PID:3040 -
C:\Windows\SysWOW64\Ojdndi32.exeC:\Windows\system32\Ojdndi32.exe50⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2824 -
C:\Windows\SysWOW64\Ombjpd32.exeC:\Windows\system32\Ombjpd32.exe51⤵
- Executes dropped EXE
PID:2788 -
C:\Windows\SysWOW64\Ooaflp32.exeC:\Windows\system32\Ooaflp32.exe52⤵
- Executes dropped EXE
PID:1584 -
C:\Windows\SysWOW64\Obpbhk32.exeC:\Windows\system32\Obpbhk32.exe53⤵
- Executes dropped EXE
PID:1040 -
C:\Windows\SysWOW64\Ojgkih32.exeC:\Windows\system32\Ojgkih32.exe54⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2772 -
C:\Windows\SysWOW64\Ohikeegf.exeC:\Windows\system32\Ohikeegf.exe55⤵
- Executes dropped EXE
PID:2472 -
C:\Windows\SysWOW64\Omeged32.exeC:\Windows\system32\Omeged32.exe56⤵
- Executes dropped EXE
PID:2968 -
C:\Windows\SysWOW64\Ooccap32.exeC:\Windows\system32\Ooccap32.exe57⤵
- Executes dropped EXE
PID:1060 -
C:\Windows\SysWOW64\Obbonk32.exeC:\Windows\system32\Obbonk32.exe58⤵
- Executes dropped EXE
PID:2692 -
C:\Windows\SysWOW64\Ofmknifp.exeC:\Windows\system32\Ofmknifp.exe59⤵
- Executes dropped EXE
- Modifies registry class
PID:3008 -
C:\Windows\SysWOW64\Oilgje32.exeC:\Windows\system32\Oilgje32.exe60⤵
- Executes dropped EXE
- Modifies registry class
PID:2020 -
C:\Windows\SysWOW64\Okjdfq32.exeC:\Windows\system32\Okjdfq32.exe61⤵
- Executes dropped EXE
PID:2504 -
C:\Windows\SysWOW64\Onipbl32.exeC:\Windows\system32\Onipbl32.exe62⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2944 -
C:\Windows\SysWOW64\Obdlcjkd.exeC:\Windows\system32\Obdlcjkd.exe63⤵
- Executes dropped EXE
PID:1868 -
C:\Windows\SysWOW64\Odbhofjh.exeC:\Windows\system32\Odbhofjh.exe64⤵
- Executes dropped EXE
PID:1456 -
C:\Windows\SysWOW64\Ogadkajl.exeC:\Windows\system32\Ogadkajl.exe65⤵
- Executes dropped EXE
PID:2428 -
C:\Windows\SysWOW64\Oohmmojn.exeC:\Windows\system32\Oohmmojn.exe66⤵PID:1256
-
C:\Windows\SysWOW64\Onkmhl32.exeC:\Windows\system32\Onkmhl32.exe67⤵PID:1752
-
C:\Windows\SysWOW64\Obfiijia.exeC:\Windows\system32\Obfiijia.exe68⤵PID:2236
-
C:\Windows\SysWOW64\Oeeeeehe.exeC:\Windows\system32\Oeeeeehe.exe69⤵PID:2820
-
C:\Windows\SysWOW64\Ogcaaahi.exeC:\Windows\system32\Ogcaaahi.exe70⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1568 -
C:\Windows\SysWOW64\Pjbnmm32.exeC:\Windows\system32\Pjbnmm32.exe71⤵PID:2592
-
C:\Windows\SysWOW64\Pbienj32.exeC:\Windows\system32\Pbienj32.exe72⤵
- System Location Discovery: System Language Discovery
PID:2344 -
C:\Windows\SysWOW64\Pqlfjfni.exeC:\Windows\system32\Pqlfjfni.exe73⤵PID:2380
-
C:\Windows\SysWOW64\Pgfnfq32.exeC:\Windows\system32\Pgfnfq32.exe74⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2964 -
C:\Windows\SysWOW64\Pjdjbl32.exeC:\Windows\system32\Pjdjbl32.exe75⤵PID:1076
-
C:\Windows\SysWOW64\Pmbfoh32.exeC:\Windows\system32\Pmbfoh32.exe76⤵PID:2900
-
C:\Windows\SysWOW64\Pejnpe32.exeC:\Windows\system32\Pejnpe32.exe77⤵
- System Location Discovery: System Language Discovery
PID:2980 -
C:\Windows\SysWOW64\Pghklq32.exeC:\Windows\system32\Pghklq32.exe78⤵PID:2164
-
C:\Windows\SysWOW64\Pjfghl32.exeC:\Windows\system32\Pjfghl32.exe79⤵
- Drops file in System32 directory
PID:1160 -
C:\Windows\SysWOW64\Pnbcij32.exeC:\Windows\system32\Pnbcij32.exe80⤵PID:1968
-
C:\Windows\SysWOW64\Paqoef32.exeC:\Windows\system32\Paqoef32.exe81⤵PID:2272
-
C:\Windows\SysWOW64\Ppcoqbao.exeC:\Windows\system32\Ppcoqbao.exe82⤵PID:3048
-
C:\Windows\SysWOW64\Pfmgmm32.exeC:\Windows\system32\Pfmgmm32.exe83⤵PID:2280
-
C:\Windows\SysWOW64\Pildih32.exeC:\Windows\system32\Pildih32.exe84⤵PID:2556
-
C:\Windows\SysWOW64\Pmgpjgph.exeC:\Windows\system32\Pmgpjgph.exe85⤵PID:2192
-
C:\Windows\SysWOW64\Ppelfbol.exeC:\Windows\system32\Ppelfbol.exe86⤵PID:2372
-
C:\Windows\SysWOW64\Pfpdcm32.exeC:\Windows\system32\Pfpdcm32.exe87⤵PID:2728
-
C:\Windows\SysWOW64\Pjkpckob.exeC:\Windows\system32\Pjkpckob.exe88⤵PID:2624
-
C:\Windows\SysWOW64\Pinqoh32.exeC:\Windows\system32\Pinqoh32.exe89⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:944 -
C:\Windows\SysWOW64\Pllmkcdp.exeC:\Windows\system32\Pllmkcdp.exe90⤵PID:1844
-
C:\Windows\SysWOW64\Pccelqeb.exeC:\Windows\system32\Pccelqeb.exe91⤵
- System Location Discovery: System Language Discovery
PID:2776 -
C:\Windows\SysWOW64\Qfbahldf.exeC:\Windows\system32\Qfbahldf.exe92⤵PID:1236
-
C:\Windows\SysWOW64\Qeeadi32.exeC:\Windows\system32\Qeeadi32.exe93⤵PID:2388
-
C:\Windows\SysWOW64\Qmlief32.exeC:\Windows\system32\Qmlief32.exe94⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1900 -
C:\Windows\SysWOW64\Qnmfmoaa.exeC:\Windows\system32\Qnmfmoaa.exe95⤵PID:560
-
C:\Windows\SysWOW64\Qbiamm32.exeC:\Windows\system32\Qbiamm32.exe96⤵PID:1152
-
C:\Windows\SysWOW64\Qegnii32.exeC:\Windows\system32\Qegnii32.exe97⤵PID:1280
-
C:\Windows\SysWOW64\Qhejed32.exeC:\Windows\system32\Qhejed32.exe98⤵PID:588
-
C:\Windows\SysWOW64\Qpmbgaid.exeC:\Windows\system32\Qpmbgaid.exe99⤵
- Modifies registry class
PID:1712 -
C:\Windows\SysWOW64\Qnpbbn32.exeC:\Windows\system32\Qnpbbn32.exe100⤵PID:2228
-
C:\Windows\SysWOW64\Abkncmhh.exeC:\Windows\system32\Abkncmhh.exe101⤵PID:2168
-
C:\Windows\SysWOW64\Aeikohgk.exeC:\Windows\system32\Aeikohgk.exe102⤵PID:1608
-
C:\Windows\SysWOW64\Alcclb32.exeC:\Windows\system32\Alcclb32.exe103⤵PID:2456
-
C:\Windows\SysWOW64\Ajfcgoec.exeC:\Windows\system32\Ajfcgoec.exe104⤵PID:2932
-
C:\Windows\SysWOW64\Anbohn32.exeC:\Windows\system32\Anbohn32.exe105⤵PID:1676
-
C:\Windows\SysWOW64\Aapkdi32.exeC:\Windows\system32\Aapkdi32.exe106⤵PID:2128
-
C:\Windows\SysWOW64\Adohpe32.exeC:\Windows\system32\Adohpe32.exe107⤵PID:980
-
C:\Windows\SysWOW64\Alfpab32.exeC:\Windows\system32\Alfpab32.exe108⤵PID:1120
-
C:\Windows\SysWOW64\Alfpab32.exeC:\Windows\system32\Alfpab32.exe109⤵PID:1796
-
C:\Windows\SysWOW64\Andlmnki.exeC:\Windows\system32\Andlmnki.exe110⤵PID:628
-
C:\Windows\SysWOW64\Amglij32.exeC:\Windows\system32\Amglij32.exe111⤵PID:2828
-
C:\Windows\SysWOW64\Aendjh32.exeC:\Windows\system32\Aendjh32.exe112⤵
- System Location Discovery: System Language Discovery
PID:2764 -
C:\Windows\SysWOW64\Afoqbpid.exeC:\Windows\system32\Afoqbpid.exe113⤵PID:2928
-
C:\Windows\SysWOW64\Ajkmbo32.exeC:\Windows\system32\Ajkmbo32.exe114⤵PID:2476
-
C:\Windows\SysWOW64\Amiioj32.exeC:\Windows\system32\Amiioj32.exe115⤵PID:948
-
C:\Windows\SysWOW64\Aaeeoihj.exeC:\Windows\system32\Aaeeoihj.exe116⤵PID:2064
-
C:\Windows\SysWOW64\Adcakdhn.exeC:\Windows\system32\Adcakdhn.exe117⤵PID:3012
-
C:\Windows\SysWOW64\Afamgpga.exeC:\Windows\system32\Afamgpga.exe118⤵PID:900
-
C:\Windows\SysWOW64\Aipickfe.exeC:\Windows\system32\Aipickfe.exe119⤵PID:2544
-
C:\Windows\SysWOW64\Amledj32.exeC:\Windows\system32\Amledj32.exe120⤵PID:2312
-
C:\Windows\SysWOW64\Aagadh32.exeC:\Windows\system32\Aagadh32.exe121⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2356
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-