Analysis
max time kernel: 40s
max time network: 17s
platform: windows7_x64
resource: win7-20240705-en
resource tags: arch:x64, arch:x86, image:win7-20240705-en, locale:en-us, os:windows7-x64, system
submitted: 29-08-2024 05:17

Static task: static1
Behavioral task: behavioral1
  Sample: 536e2787fa9f57d93b59c51289c39ce0N.exe
  Resource: win7-20240705-en
Behavioral task: behavioral2
  Sample: 536e2787fa9f57d93b59c51289c39ce0N.exe
  Resource: win10v2004-20240802-en
General
Target: 536e2787fa9f57d93b59c51289c39ce0N.exe
Size: 93KB
MD5: 536e2787fa9f57d93b59c51289c39ce0
SHA1: 081cc8644304b414ee162fdbbc73a08f9267126e
SHA256: 11c4e8ad3da951f91f493c4ef4a35c894cd16c23e3d16edd3f02441b4e2fc982
SHA512: 3dbdc1da42921e445d7e583858947127e0625a25c85d91127e64bdb80e8202326cd5eafecf99d6074ef5994d140f4ee15d8cadef342fd789ef3e659f804e1b05
SSDEEP: 1536:z8422nJPZCIxRS1sYVnkXJBJtld62rfTnXquqXDVsRQrRkRLJzeLD9N0iQGRNQR5:Nn+IxIKZBLvrrfTn6FOerSJdEN0s4WEd
Malware Config
Signatures
Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | (29 processes) Hpaaho32.exe, Hbdfoiki.exe, Bimdka32.exe, Fqeagpop.exe, Hpcnmnnh.exe, Hilbfc32.exe, Cplfcj32.exe, Enpoje32.exe, Fcodhl32.exe, Hpejcnlf.exe, Pjdeaohb.exe, Pnhhpaio.exe, Aclfigao.exe, Gbmdpg32.exe, Jhjnmb32.exe, Bjjdpdga.exe, Pefmkpbl.exe, Pkebig32.exe, Pkgonf32.exe, Doflofbf.exe, Mahlgkgo.exe, Hbajjiml.exe, Ddeammok.exe, Dlepmnhq.exe, Joajdmma.exe, Aikkgnnc.exe, Doclijgd.exe, Ieglfd32.exe, Ihehbpel.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | (35 processes) Iaicpepa.exe, Iljjabfh.exe, Afaieb32.exe, Nlkonhkb.exe, Aikkgnnc.exe, Ggofcmih.exe, Lfckko32.exe, Joajdmma.exe, Dafeaapg.exe, Bamfloef.exe, Cekkaanh.exe, Fhbcaa32.exe, Gigllafc.exe, Nogodcli.exe, Iikneggd.exe, Oooeeb32.exe, Omaepoml.exe, Plnhbk32.exe, Pkgonf32.exe, Mgnjhfbq.exe, Dibjec32.exe, Kpecad32.exe, Kdckgc32.exe, Japfphle.exe, Paojeafn.exe, Fqeagpop.exe, Fohacl32.exe, Ibdcnm32.exe, Jckiolgm.exe, Capopb32.exe, Fkflii32.exe, Nppemgjd.exe, Pnhhpaio.exe, Badlln32.exe, Lkgmdbja.exe
Executes dropped EXE (64 IoCs)
pid | Process
1224 | Kncmknkg.exe
2664 | Kdmehh32.exe
2776 | Lkgmdbja.exe
2580 | Lqdfmihh.exe
2948 | Ldpbmg32.exe
2572 | Lqfbbh32.exe
2368 | Lfckko32.exe
2064 | Liaggk32.exe
2476 | Lcgldc32.exe
2828 | Liddljan.exe
2896 | Lkbphfab.exe
1916 | Lmbmbi32.exe
1888 | Mncijanc.exe
2668 | Mgkncfdc.exe
2216 | Mpbfddef.exe
2128 | Mgnjhfbq.exe
2060 | Mjlgdaad.exe
1684 | Mbcofobg.exe
2340 | Mhpgnfpn.exe
1540 | Mahlgkgo.exe
3048 | Mcghcgfb.exe
1440 | Mnllppfh.exe
856 | Makhlkel.exe
1044 | Nfgadbcc.exe
1580 | Nifmqm32.exe
2716 | Namebk32.exe
2712 | Nppemgjd.exe
2592 | Nfjnja32.exe
2172 | Nmdfglhm.exe
2240 | Nikflm32.exe
2024 | Nlibhhme.exe
1720 | Nogodcli.exe
2660 | Nfogeamk.exe
2932 | Nimcallo.exe
2212 | Nhpcmi32.exe
1772 | Nlkonhkb.exe
1232 | Nojljcjf.exe
2228 | Nahhfoij.exe
2408 | Neddfm32.exe
2352 | Nhbpbi32.exe
1068 | Nlnlcg32.exe
1592 | Nolhoc32.exe
1968 | Oefqlmpq.exe
908 | Ohdmhhod.exe
2184 | Olpiig32.exe
984 | Oooeeb32.exe
1692 | Omaepoml.exe
1736 | Oehmamnn.exe
1600 | Ogjjie32.exe
2700 | Okefjcle.exe
2628 | Ooabjbdn.exe
2644 | Oaonfncb.exe
756 | Opbnbj32.exe
2204 | Ohifch32.exe
2972 | Okhboc32.exe
2816 | Omfoko32.exe
2976 | Oaaklmao.exe
1784 | Odpghiqc.exe
1724 | Ogncddpg.exe
2020 | Oimpppoj.exe
2028 | Onhkan32.exe
2140 | Opghmjfg.exe
1012 | Ocedieek.exe
2348 | Oecpeqdo.exe
Loads dropped DLL (64 IoCs)
pid | Process (each pair appears twice in the report, i.e. two dropped-DLL loads per process)
1148 | 536e2787fa9f57d93b59c51289c39ce0N.exe
1224 | Kncmknkg.exe
2664 | Kdmehh32.exe
2776 | Lkgmdbja.exe
2580 | Lqdfmihh.exe
2948 | Ldpbmg32.exe
2572 | Lqfbbh32.exe
2368 | Lfckko32.exe
2064 | Liaggk32.exe
2476 | Lcgldc32.exe
2828 | Liddljan.exe
2896 | Lkbphfab.exe
1916 | Lmbmbi32.exe
1888 | Mncijanc.exe
2668 | Mgkncfdc.exe
2216 | Mpbfddef.exe
2128 | Mgnjhfbq.exe
2060 | Mjlgdaad.exe
1684 | Mbcofobg.exe
2340 | Mhpgnfpn.exe
1540 | Mahlgkgo.exe
3048 | Mcghcgfb.exe
1440 | Mnllppfh.exe
856 | Makhlkel.exe
1044 | Nfgadbcc.exe
1580 | Nifmqm32.exe
2716 | Namebk32.exe
2712 | Nppemgjd.exe
2592 | Nfjnja32.exe
2172 | Nmdfglhm.exe
2240 | Nikflm32.exe
2024 | Nlibhhme.exe
Drops file in System32 directory (64 IoCs)
description | ioc | Process
File created | C:\Windows\SysWOW64\Gjkeii32.exe | Gkhenlcd.exe
File created | C:\Windows\SysWOW64\Bkodfk32.dll | Kpecad32.exe
File created | C:\Windows\SysWOW64\Gkgmhnkb.dll | Iaicpepa.exe
File created | C:\Windows\SysWOW64\Ihclmp32.exe | Idhplaoe.exe
File created | C:\Windows\SysWOW64\Lociadma.dll | Kjpdoj32.exe
File created | C:\Windows\SysWOW64\Nmnjfc32.dll | Lqfbbh32.exe
File opened for modification | C:\Windows\SysWOW64\Eljihn32.exe | Ehnmgo32.exe
File created | C:\Windows\SysWOW64\Imciibmf.dll | Edenlp32.exe
File created | C:\Windows\SysWOW64\Oimpppoj.exe | Ogncddpg.exe
File created | C:\Windows\SysWOW64\Obonid32.dll | Poegde32.exe
File opened for modification | C:\Windows\SysWOW64\Folknlae.exe | Fmnoapba.exe
File created | C:\Windows\SysWOW64\Akojljcj.dll | Ibdcnm32.exe
File opened for modification | C:\Windows\SysWOW64\Oooeeb32.exe | Olpiig32.exe
File opened for modification | C:\Windows\SysWOW64\Difcpc32.exe | Dghgdg32.exe
File created | C:\Windows\SysWOW64\Omemciec.dll | Dghgdg32.exe
File opened for modification | C:\Windows\SysWOW64\Eoeiniea.exe | Elgmbnfn.exe
File created | C:\Windows\SysWOW64\Ehbgbngm.exe | Edgkap32.exe
File created | C:\Windows\SysWOW64\Nfogeamk.exe | Nogodcli.exe
File opened for modification | C:\Windows\SysWOW64\Omaepoml.exe | Oooeeb32.exe
File opened for modification | C:\Windows\SysWOW64\Pkebig32.exe | Plbbmjhf.exe
File created | C:\Windows\SysWOW64\Ddhcnb32.dll | Fffckf32.exe
File created | C:\Windows\SysWOW64\Padcqp32.exe | Pnhhpaio.exe
File created | C:\Windows\SysWOW64\Jecinj32.dll | Cjmaed32.exe
File opened for modification | C:\Windows\SysWOW64\Kckeno32.exe | Kooimpao.exe
File opened for modification | C:\Windows\SysWOW64\Nikflm32.exe | Nmdfglhm.exe
File created | C:\Windows\SysWOW64\Ncfoko32.dll | Odpghiqc.exe
File created | C:\Windows\SysWOW64\Gccjbo32.exe | Gqenfc32.exe
File created | C:\Windows\SysWOW64\Manhdpha.dll | Ihehbpel.exe
File created | C:\Windows\SysWOW64\Mahlgkgo.exe | Mhpgnfpn.exe
File created | C:\Windows\SysWOW64\Dkafofde.exe | Dbjonicb.exe
File opened for modification | C:\Windows\SysWOW64\Ehlqao32.exe | Eiipfbgj.exe
File opened for modification | C:\Windows\SysWOW64\Ejfpofkh.exe | Eghcckld.exe
File created | C:\Windows\SysWOW64\Fjkije32.exe | Fgmmnj32.exe
File opened for modification | C:\Windows\SysWOW64\Fhbcaa32.exe | Fjpbeecn.exe
File created | C:\Windows\SysWOW64\Hpejcnlf.exe | Hhobbqkc.exe
File created | C:\Windows\SysWOW64\Ionahd32.dll | Lcooinfc.exe
File created | C:\Windows\SysWOW64\Lmbmbi32.exe | Lkbphfab.exe
File created | C:\Windows\SysWOW64\Opgqdo32.dll | Acjjch32.exe
File opened for modification | C:\Windows\SysWOW64\Ggabhmge.exe | Gninpg32.exe
File created | C:\Windows\SysWOW64\Lnldmlgc.dll | Ajcbpbkn.exe
File created | C:\Windows\SysWOW64\Fqbeapqb.exe | Flgiaa32.exe
File opened for modification | C:\Windows\SysWOW64\Gkhenlcd.exe | Giiibqdp.exe
File created | C:\Windows\SysWOW64\Bbeflgfa.dll | Ggofcmih.exe
File created | C:\Windows\SysWOW64\Qdbpml32.exe | Padcqp32.exe
File created | C:\Windows\SysWOW64\Daibfa32.exe | Dibjec32.exe
File created | C:\Windows\SysWOW64\Dkcgae32.dll | Dlepmnhq.exe
File opened for modification | C:\Windows\SysWOW64\Hgconl32.exe | Hchcmnlj.exe
File created | C:\Windows\SysWOW64\Hilbfc32.exe | Hfmfjh32.exe
File opened for modification | C:\Windows\SysWOW64\Jkdanngk.exe | Jlaqba32.exe
File created | C:\Windows\SysWOW64\Dbjonicb.exe | Ddgnbl32.exe
File created | C:\Windows\SysWOW64\Londmb32.dll | Eohedi32.exe
File created | C:\Windows\SysWOW64\Bglnbdbj.dll | Gfdcdi32.exe
File created | C:\Windows\SysWOW64\Jedlph32.exe | Jbfpcl32.exe
File created | C:\Windows\SysWOW64\Ngolkmca.dll | Jhhagb32.exe
File created | C:\Windows\SysWOW64\Phdiglap.exe | Pefmkpbl.exe
File created | C:\Windows\SysWOW64\Badbapio.dll | Qkoeoe32.exe
File created | C:\Windows\SysWOW64\Bibagmhk.exe | Bakjfp32.exe
File created | C:\Windows\SysWOW64\Bnagecdp.exe | Bkckihel.exe
File created | C:\Windows\SysWOW64\Mfodloop.dll | Dmimkc32.exe
File created | C:\Windows\SysWOW64\Ddjkhl32.exe | Dlbcgo32.exe
File opened for modification | C:\Windows\SysWOW64\Gmnkqcem.exe | Gnkkeg32.exe
File opened for modification | C:\Windows\SysWOW64\Ibdcnm32.exe | Idabbpgj.exe
File created | C:\Windows\SysWOW64\Oefqlmpq.exe | Nolhoc32.exe
File created | C:\Windows\SysWOW64\Flccpbpf.dll | Aclfigao.exe
Program crash (1 IoC)
pid | pid_target | Process | procid_target
4796 | 4676 | WerFault.exe | 410
System Location Discovery: System Language Discovery (1 TTP, 64 IoCs)
Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | (64 processes) Epnkfq32.exe, Ggjmhn32.exe, Iiiapg32.exe, Jllggbde.exe, Pefmkpbl.exe, Hmbdlc32.exe, Pockoeeg.exe, Padcqp32.exe, Ehpjmoio.exe, Fhbcaa32.exe, Hpejcnlf.exe, Hinolcbf.exe, Opbnbj32.exe, Bggohi32.exe, Enmbeehg.exe, Fbkgjgqi.exe, Ihclmp32.exe, Lfckko32.exe, Bfmlif32.exe, Fgojdj32.exe, Gqbaqccn.exe, Jhhagb32.exe, Nojljcjf.exe, Ooabjbdn.exe, Pcgqoech.exe, Dkmmdg32.exe, Ekofijic.exe, Goohckob.exe, Mjlgdaad.exe, Bkckihel.exe, Dadikaaj.exe, Eakkkdnm.exe, Ipcjlaqd.exe, Plpehj32.exe, Cjmaed32.exe, Hcjpcmjg.exe, Bbkfpb32.exe, Cpnchjpa.exe, Dmbpaa32.exe, Gkhenlcd.exe, Mnllppfh.exe, Akldhi32.exe, Afaieb32.exe, Ggofcmih.exe, Ihehbpel.exe, Kckeno32.exe, Pnhhpaio.exe, Aikkgnnc.exe, Bknani32.exe, Clnmmlkm.exe, Fhpflblk.exe, Lkbphfab.exe, Bnagecdp.exe, Bccihj32.exe, Capopb32.exe, Dhnahl32.exe, Dmpckbci.exe, Ejfpofkh.exe, Giiibqdp.exe, Bibagmhk.exe, Gccjbo32.exe, Phibbk32.exe, Aogqihcm.exe, Daibfa32.exe
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Hllkhoaj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Lfckko32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Folknlae.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Imbakfcc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Mcghcgfb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Hpaaho32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Limobelk.dll" Hcjpcmjg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ipcjlaqd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Kfgedkko.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Pnhhpaio.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Dafeaapg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hfegkk32.dll" Nifmqm32.exe Set value (str) 
\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Qnkdeagl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jpneniod.dll" Abacjd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Midgogjn.dll" Bamfloef.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Dghgdg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Epoemc32.dll" Egegnk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pidjce32.dll" Kncmknkg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Kncmknkg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Lodbhp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Hfmfjh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Lhjjle32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Hffpiikm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Daonhboj.dll" Hebckd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Jckiolgm.exe Set 
value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mpmqkp32.dll" Qddmbkoi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Folknlae.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Dadikaaj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Fcaankpf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bakhhhfi.dll" Joajdmma.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Lqfbbh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Oaaklmao.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Egegnk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Goadik32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Gnfajgbg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Hidledja.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Hhobbqkc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = 
"C:\\Windows\\SysWow64\\Dekfjd32.dll" Jinkkgeb.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Mjlgdaad.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Aoqjhiie.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Gccjbo32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lohnfj32.dll" 536e2787fa9f57d93b59c51289c39ce0N.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Flccpbpf.dll" Aclfigao.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Dgcnihnn.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Hfiloiik.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Jkdanngk.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gkgnmi32.dll" Onhkan32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Glfmnp32.dll" Chldbl32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Qklhifhi.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Dadikaaj.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hiopaj32.dll" Fqeagpop.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Mnllppfh.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cbacjdbg.dll" Pkgonf32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Gmnkqcem.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Hhobbqkc.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Nogodcli.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Fqeagpop.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Bakjfp32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Dafeaapg.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Efahad32.dll" Giiibqdp.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cmafgkho.dll" Omaepoml.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipdaao32.dll" Padcqp32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffajkmnj.dll" Bimdka32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Hbdfoiki.exe
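The registry events above, together with the "Adds autorun key to be loaded by Explorer.exe on startup" signature, describe one persistence mechanism: a ShellServiceObjectDelayLoad (SSODL) value named "Web Event Logger" points at CLSID {79ECA078-17FF-726B-E811-213280E5C831}, and each stage re-registers that CLSID's InProcServer32 to a freshly dropped DLL in C:\Windows\SysWow64, so Explorer loads the newest DLL at the next logon. Every write lands under Wow6432Node, which is the 32-bit view of the registry. The PowerShell below is an added example, not part of this sandbox report or of the sample: it resolves every SSODL entry in both registry views to its InProcServer32 DLL, records the DLL's Authenticode status and flags entries matching the CLSID or value name recorded here. Assumptions: it is run elevated in Windows PowerShell 5.1 or later on the suspect host; $IocClsid and $IocName are copied from this report; the HKCU lookup goes beyond what the report shows (per-user COM registration overrides HKLM for the logged-on user) and is included deliberately; the signature status is a lead, not a verdict, since catalog-signed Microsoft DLLs can report NotSigned on older hosts.

```powershell
# Added example (not from the sandbox report or the sample): resolve SSODL entries to the
# DLL Explorer.exe will load, and flag the CLSID / value name recorded in this report.
$IocClsid = '{79ECA078-17FF-726B-E811-213280E5C831}'   # from this report
$IocName  = 'Web Event Logger'                         # from this report

# Both views: the 64-bit key and the Wow6432Node key a 32-bit dropper actually writes.
$ssodlKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad'
)
# Metadata properties the registry provider adds to every Get-ItemProperty result.
$psMeta = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')

function Resolve-InProcServer32 {
    param([string]$Clsid)
    # HKCU\Software\Classes is an assumption beyond the report: per-user registration
    # takes precedence over HKLM, so a hunt must look there too.
    $candidates = @(
        "HKLM:\SOFTWARE\Classes\CLSID\$Clsid\InProcServer32",
        "HKLM:\SOFTWARE\Classes\Wow6432Node\CLSID\$Clsid\InProcServer32",
        "HKCU:\SOFTWARE\Classes\CLSID\$Clsid\InProcServer32"
    )
    foreach ($k in $candidates) {
        if (-not (Test-Path -LiteralPath $k)) { continue }
        $v = Get-ItemProperty -LiteralPath $k
        [pscustomobject]@{
            Key            = $k
            Dll            = [Environment]::ExpandEnvironmentVariables([string]$v.'(default)')
            ThreadingModel = $v.ThreadingModel
        }
    }
}

$findings = foreach ($key in $ssodlKeys) {
    if (-not (Test-Path -LiteralPath $key)) { continue }
    $props = Get-ItemProperty -LiteralPath $key
    foreach ($prop in $props.PSObject.Properties) {
        if ($psMeta -contains $prop.Name) { continue }
        $clsid = [string]$prop.Value
        foreach ($srv in (Resolve-InProcServer32 -Clsid $clsid)) {
            $sig = if ($srv.Dll -and (Test-Path -LiteralPath $srv.Dll)) {
                (Get-AuthenticodeSignature -FilePath $srv.Dll).Status
            } else { 'FileMissing' }
            [pscustomobject]@{
                SsodlKey   = $key
                Name       = $prop.Name
                Clsid      = $clsid
                Dll        = $srv.Dll
                Threading  = $srv.ThreadingModel
                Signature  = $sig
                MatchesIoc = ($clsid -ieq $IocClsid) -or ($prop.Name -ieq $IocName)
            }
        }
    }
}

$findings | Sort-Object MatchesIoc -Descending | Format-Table -AutoSize
```

A clean Windows 7 x64 host has Microsoft-owned SSODL entries in both views, so the output is not empty by default; the rows to act on are those with MatchesIoc set, a DLL in SysWOW64 that is not validly signed, or a DLL that no longer exists on disk. Because the sample rewrites the same CLSID's InProcServer32 at every stage, the DLL name found on a given host will not necessarily match any of the names listed above.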
Suspicious use of WriteProcessMemory 64 IoCs
description  pid  Process  procid_target
(The report records each of the following 16 parent/child pairs four times, 64 events in total; the target PID of each row is the source PID of the next.)
PID 1148 wrote to memory of 1224  1148  536e2787fa9f57d93b59c51289c39ce0N.exe  29
PID 1224 wrote to memory of 2664  1224  Kncmknkg.exe  30
PID 2664 wrote to memory of 2776  2664  Kdmehh32.exe  31
PID 2776 wrote to memory of 2580  2776  Lkgmdbja.exe  32
PID 2580 wrote to memory of 2948  2580  Lqdfmihh.exe  33
PID 2948 wrote to memory of 2572  2948  Ldpbmg32.exe  34
PID 2572 wrote to memory of 2368  2572  Lqfbbh32.exe  35
PID 2368 wrote to memory of 2064  2368  Lfckko32.exe  36
PID 2064 wrote to memory of 2476  2064  Liaggk32.exe  37
PID 2476 wrote to memory of 2828  2476  Lcgldc32.exe  38
PID 2828 wrote to memory of 2896  2828  Liddljan.exe  39
PID 2896 wrote to memory of 1916  2896  Lkbphfab.exe  40
PID 1916 wrote to memory of 1888  1916  Lmbmbi32.exe  41
PID 1888 wrote to memory of 2668  1888  Mncijanc.exe  42
PID 2668 wrote to memory of 2216  2668  Mgkncfdc.exe  43
PID 2216 wrote to memory of 2128  2216  Mpbfddef.exe  44
Processes
-
Each entry: depth in the process tree, image path, the command line as recorded, PID; the line beneath lists the signatures attributed to that process. Depth grows by one per entry, so each process is the parent of the next.

1  C:\Users\Admin\AppData\Local\Temp\536e2787fa9f57d93b59c51289c39ce0N.exe  cmd: "C:\Users\Admin\AppData\Local\Temp\536e2787fa9f57d93b59c51289c39ce0N.exe"  PID 1148
   Loads dropped DLL; Modifies registry class; Suspicious use of WriteProcessMemory
2  C:\Windows\SysWOW64\Kncmknkg.exe  cmd: C:\Windows\system32\Kncmknkg.exe  PID 1224
   Executes dropped EXE; Loads dropped DLL; Modifies registry class; Suspicious use of WriteProcessMemory
3  C:\Windows\SysWOW64\Kdmehh32.exe  cmd: C:\Windows\system32\Kdmehh32.exe  PID 2664
   Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
4  C:\Windows\SysWOW64\Lkgmdbja.exe  cmd: C:\Windows\system32\Lkgmdbja.exe  PID 2776
   Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
5  C:\Windows\SysWOW64\Lqdfmihh.exe  cmd: C:\Windows\system32\Lqdfmihh.exe  PID 2580
   Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
6  C:\Windows\SysWOW64\Ldpbmg32.exe  cmd: C:\Windows\system32\Ldpbmg32.exe  PID 2948
   Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
7  C:\Windows\SysWOW64\Lqfbbh32.exe  cmd: C:\Windows\system32\Lqfbbh32.exe  PID 2572
   Executes dropped EXE; Loads dropped DLL; Drops file in System32 directory; Modifies registry class; Suspicious use of WriteProcessMemory
8  C:\Windows\SysWOW64\Lfckko32.exe  cmd: C:\Windows\system32\Lfckko32.exe  PID 2368
   Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Loads dropped DLL; System Location Discovery: System Language Discovery; Modifies registry class; Suspicious use of WriteProcessMemory
9  C:\Windows\SysWOW64\Liaggk32.exe  cmd: C:\Windows\system32\Liaggk32.exe  PID 2064
   Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
10  C:\Windows\SysWOW64\Lcgldc32.exe  cmd: C:\Windows\system32\Lcgldc32.exe  PID 2476
   Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
11  C:\Windows\SysWOW64\Liddljan.exe  cmd: C:\Windows\system32\Liddljan.exe  PID 2828
   Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
12  C:\Windows\SysWOW64\Lkbphfab.exe  cmd: C:\Windows\system32\Lkbphfab.exe  PID 2896
   Executes dropped EXE; Loads dropped DLL; Drops file in System32 directory; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
13  C:\Windows\SysWOW64\Lmbmbi32.exe  cmd: C:\Windows\system32\Lmbmbi32.exe  PID 1916
   Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
14  C:\Windows\SysWOW64\Mncijanc.exe  cmd: C:\Windows\system32\Mncijanc.exe  PID 1888
   Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
15  C:\Windows\SysWOW64\Mgkncfdc.exe  cmd: C:\Windows\system32\Mgkncfdc.exe  PID 2668
   Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
16  C:\Windows\SysWOW64\Mpbfddef.exe  cmd: C:\Windows\system32\Mpbfddef.exe  PID 2216
   Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
17  C:\Windows\SysWOW64\Mgnjhfbq.exe  cmd: C:\Windows\system32\Mgnjhfbq.exe  PID 2128
   Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Loads dropped DLL
18  C:\Windows\SysWOW64\Mjlgdaad.exe  cmd: C:\Windows\system32\Mjlgdaad.exe  PID 2060
   Executes dropped EXE; Loads dropped DLL; System Location Discovery: System Language Discovery; Modifies registry class
19  C:\Windows\SysWOW64\Mbcofobg.exe  cmd: C:\Windows\system32\Mbcofobg.exe  PID 1684
   Executes dropped EXE; Loads dropped DLL
20  C:\Windows\SysWOW64\Mhpgnfpn.exe  cmd: C:\Windows\system32\Mhpgnfpn.exe  PID 2340
   Executes dropped EXE; Loads dropped DLL; Drops file in System32 directory
21  C:\Windows\SysWOW64\Mahlgkgo.exe  cmd: C:\Windows\system32\Mahlgkgo.exe  PID 1540
   Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Loads dropped DLL
22  C:\Windows\SysWOW64\Mcghcgfb.exe  cmd: C:\Windows\system32\Mcghcgfb.exe  PID 3048
   Executes dropped EXE; Loads dropped DLL; Modifies registry class
23  C:\Windows\SysWOW64\Mnllppfh.exe  cmd: C:\Windows\system32\Mnllppfh.exe  PID 1440
   Executes dropped EXE; Loads dropped DLL; System Location Discovery: System Language Discovery; Modifies registry class
24  C:\Windows\SysWOW64\Makhlkel.exe  cmd: C:\Windows\system32\Makhlkel.exe  PID 856
   Executes dropped EXE; Loads dropped DLL
25  C:\Windows\SysWOW64\Nfgadbcc.exe  cmd: C:\Windows\system32\Nfgadbcc.exe  PID 1044
   Executes dropped EXE; Loads dropped DLL
26  C:\Windows\SysWOW64\Nifmqm32.exe  cmd: C:\Windows\system32\Nifmqm32.exe  PID 1580
   Executes dropped EXE; Loads dropped DLL; Modifies registry class
27  C:\Windows\SysWOW64\Namebk32.exe  cmd: C:\Windows\system32\Namebk32.exe  PID 2716
   Executes dropped EXE; Loads dropped DLL
28  C:\Windows\SysWOW64\Nppemgjd.exe  cmd: C:\Windows\system32\Nppemgjd.exe  PID 2712
   Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Loads dropped DLL
29  C:\Windows\SysWOW64\Nfjnja32.exe  cmd: C:\Windows\system32\Nfjnja32.exe  PID 2592
   Executes dropped EXE; Loads dropped DLL
30  C:\Windows\SysWOW64\Nmdfglhm.exe  cmd: C:\Windows\system32\Nmdfglhm.exe  PID 2172
   Executes dropped EXE; Loads dropped DLL; Drops file in System32 directory
31  C:\Windows\SysWOW64\Nikflm32.exe  cmd: C:\Windows\system32\Nikflm32.exe  PID 2240
   Executes dropped EXE; Loads dropped DLL
32  C:\Windows\SysWOW64\Nlibhhme.exe  cmd: C:\Windows\system32\Nlibhhme.exe  PID 2024
   Executes dropped EXE; Loads dropped DLL
33  C:\Windows\SysWOW64\Nogodcli.exe  cmd: C:\Windows\system32\Nogodcli.exe  PID 1720
   Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Drops file in System32 directory; Modifies registry class
34  C:\Windows\SysWOW64\Nfogeamk.exe  cmd: C:\Windows\system32\Nfogeamk.exe  PID 2660
   Executes dropped EXE
35  C:\Windows\SysWOW64\Nimcallo.exe  cmd: C:\Windows\system32\Nimcallo.exe  PID 2932
   Executes dropped EXE
36  C:\Windows\SysWOW64\Nhpcmi32.exe  cmd: C:\Windows\system32\Nhpcmi32.exe  PID 2212
   Executes dropped EXE
37  C:\Windows\SysWOW64\Nlkonhkb.exe  cmd: C:\Windows\system32\Nlkonhkb.exe  PID 1772
   Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE
38  C:\Windows\SysWOW64\Nojljcjf.exe  cmd: C:\Windows\system32\Nojljcjf.exe  PID 1232
   Executes dropped EXE; System Location Discovery: System Language Discovery
39  C:\Windows\SysWOW64\Nahhfoij.exe  cmd: C:\Windows\system32\Nahhfoij.exe  PID 2228
   Executes dropped EXE
40  C:\Windows\SysWOW64\Neddfm32.exe  cmd: C:\Windows\system32\Neddfm32.exe  PID 2408
   Executes dropped EXE
41  C:\Windows\SysWOW64\Nhbpbi32.exe  cmd: C:\Windows\system32\Nhbpbi32.exe  PID 2352
   Executes dropped EXE
42  C:\Windows\SysWOW64\Nlnlcg32.exe  cmd: C:\Windows\system32\Nlnlcg32.exe  PID 1068
   Executes dropped EXE
43  C:\Windows\SysWOW64\Nolhoc32.exe  cmd: C:\Windows\system32\Nolhoc32.exe  PID 1592
   Executes dropped EXE; Drops file in System32 directory
44  C:\Windows\SysWOW64\Oefqlmpq.exe  cmd: C:\Windows\system32\Oefqlmpq.exe  PID 1968
   Executes dropped EXE
45  C:\Windows\SysWOW64\Ohdmhhod.exe  cmd: C:\Windows\system32\Ohdmhhod.exe  PID 908
   Executes dropped EXE
46  C:\Windows\SysWOW64\Olpiig32.exe  cmd: C:\Windows\system32\Olpiig32.exe  PID 2184
   Executes dropped EXE; Drops file in System32 directory
47  C:\Windows\SysWOW64\Oooeeb32.exe  cmd: C:\Windows\system32\Oooeeb32.exe  PID 984
   Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Drops file in System32 directory
48  C:\Windows\SysWOW64\Omaepoml.exe  cmd: C:\Windows\system32\Omaepoml.exe  PID 1692
   Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Modifies registry class
49  C:\Windows\SysWOW64\Oehmamnn.exe  cmd: C:\Windows\system32\Oehmamnn.exe  PID 1736
   Executes dropped EXE
50  C:\Windows\SysWOW64\Ogjjie32.exe  cmd: C:\Windows\system32\Ogjjie32.exe  PID 1600
   Executes dropped EXE
51  C:\Windows\SysWOW64\Okefjcle.exe  cmd: C:\Windows\system32\Okefjcle.exe  PID 2700
   Executes dropped EXE
52  C:\Windows\SysWOW64\Ooabjbdn.exe  cmd: C:\Windows\system32\Ooabjbdn.exe  PID 2628
   Executes dropped EXE; System Location Discovery: System Language Discovery
53  C:\Windows\SysWOW64\Oaonfncb.exe  cmd: C:\Windows\system32\Oaonfncb.exe  PID 2644
   Executes dropped EXE
54  C:\Windows\SysWOW64\Opbnbj32.exe  cmd: C:\Windows\system32\Opbnbj32.exe  PID 756
   Executes dropped EXE; System Location Discovery: System Language Discovery
55  C:\Windows\SysWOW64\Ohifch32.exe  cmd: C:\Windows\system32\Ohifch32.exe  PID 2204
   Executes dropped EXE
56  C:\Windows\SysWOW64\Okhboc32.exe  cmd: C:\Windows\system32\Okhboc32.exe  PID 2972
   Executes dropped EXE
57  C:\Windows\SysWOW64\Omfoko32.exe  cmd: C:\Windows\system32\Omfoko32.exe  PID 2816
   Executes dropped EXE
58  C:\Windows\SysWOW64\Oaaklmao.exe  cmd: C:\Windows\system32\Oaaklmao.exe  PID 2976
   Executes dropped EXE; Modifies registry class
59  C:\Windows\SysWOW64\Odpghiqc.exe  cmd: C:\Windows\system32\Odpghiqc.exe  PID 1784
   Executes dropped EXE; Drops file in System32 directory
60  C:\Windows\SysWOW64\Ogncddpg.exe  cmd: C:\Windows\system32\Ogncddpg.exe  PID 1724
   Executes dropped EXE; Drops file in System32 directory
61  C:\Windows\SysWOW64\Oimpppoj.exe  cmd: C:\Windows\system32\Oimpppoj.exe  PID 2020
   Executes dropped EXE
62  C:\Windows\SysWOW64\Onhkan32.exe  cmd: C:\Windows\system32\Onhkan32.exe  PID 2028
   Executes dropped EXE; Modifies registry class
63  C:\Windows\SysWOW64\Opghmjfg.exe  cmd: C:\Windows\system32\Opghmjfg.exe  PID 2140
   Executes dropped EXE
64  C:\Windows\SysWOW64\Ocedieek.exe  cmd: C:\Windows\system32\Ocedieek.exe  PID 1012
   Executes dropped EXE
65  C:\Windows\SysWOW64\Oecpeqdo.exe  cmd: C:\Windows\system32\Oecpeqdo.exe  PID 2348
   Executes dropped EXE
66  C:\Windows\SysWOW64\Oiolfo32.exe  cmd: C:\Windows\system32\Oiolfo32.exe  PID 1108
67  C:\Windows\SysWOW64\Plnhbk32.exe  cmd: C:\Windows\system32\Plnhbk32.exe  PID 752
   Adds autorun key to be loaded by Explorer.exe on startup
68  C:\Windows\SysWOW64\Ppidbidd.exe  cmd: C:\Windows\system32\Ppidbidd.exe  PID 2220
69  C:\Windows\SysWOW64\Pcgqoech.exe  cmd: C:\Windows\system32\Pcgqoech.exe  PID 1568
   System Location Discovery: System Language Discovery
70  C:\Windows\SysWOW64\Pefmkpbl.exe  cmd: C:\Windows\system32\Pefmkpbl.exe  PID 1056
   Adds autorun key to be loaded by Explorer.exe on startup; Drops file in System32 directory; System Location Discovery: System Language Discovery
71  C:\Windows\SysWOW64\Phdiglap.exe  cmd: C:\Windows\system32\Phdiglap.exe  PID 2196
72  C:\Windows\SysWOW64\Plpehj32.exe  cmd: C:\Windows\system32\Plpehj32.exe  PID 2740
   System Location Discovery: System Language Discovery
73  C:\Windows\SysWOW64\Ppkahi32.exe  cmd: C:\Windows\system32\Ppkahi32.exe  PID 2696
74  C:\Windows\SysWOW64\Pcjmdd32.exe  cmd: C:\Windows\system32\Pcjmdd32.exe  PID 664
75  C:\Windows\SysWOW64\Pjdeaohb.exe  cmd: C:\Windows\system32\Pjdeaohb.exe  PID 1732
   Adds autorun key to be loaded by Explorer.exe on startup
76  C:\Windows\SysWOW64\Plbbmjhf.exe  cmd: C:\Windows\system32\Plbbmjhf.exe  PID 2836
   Drops file in System32 directory
77  C:\Windows\SysWOW64\Pkebig32.exe  cmd: C:\Windows\system32\Pkebig32.exe  PID 2988
   Adds autorun key to be loaded by Explorer.exe on startup
78  C:\Windows\SysWOW64\Pcljjd32.exe  cmd: C:\Windows\system32\Pcljjd32.exe  PID 308
79  C:\Windows\SysWOW64\Paojeafn.exe  cmd: C:\Windows\system32\Paojeafn.exe  PID 1152
   Adds autorun key to be loaded by Explorer.exe on startup
80  C:\Windows\SysWOW64\Phibbk32.exe  cmd: C:\Windows\system32\Phibbk32.exe  PID 2528
   System Location Discovery: System Language Discovery
81  C:\Windows\SysWOW64\Pkgonf32.exe  cmd: C:\Windows\system32\Pkgonf32.exe  PID 1456
   Adds autorun key to be loaded by Explorer.exe on startup; Modifies registry class
82  C:\Windows\SysWOW64\Pockoeeg.exe  cmd: C:\Windows\system32\Pockoeeg.exe  PID 460
   System Location Discovery: System Language Discovery
83  C:\Windows\SysWOW64\Pfmclold.exe  cmd: C:\Windows\system32\Pfmclold.exe  PID 1468
84  C:\Windows\SysWOW64\Phkohkkh.exe  cmd: C:\Windows\system32\Phkohkkh.exe  PID 340
85  C:\Windows\SysWOW64\Pkjkdfjk.exe  cmd: C:\Windows\system32\Pkjkdfjk.exe  PID 2524
86  C:\Windows\SysWOW64\Poegde32.exe  cmd: C:\Windows\system32\Poegde32.exe  PID 744
   Drops file in System32 directory
87  C:\Windows\SysWOW64\Pnhhpaio.exe  cmd: C:\Windows\system32\Pnhhpaio.exe  PID 2036
   Adds autorun key to be loaded by Explorer.exe on startup; Drops file in System32 directory; System Location Discovery: System Language Discovery; Modifies registry class
88  C:\Windows\SysWOW64\Padcqp32.exe  cmd: C:\Windows\system32\Padcqp32.exe  PID 2736
   Drops file in System32 directory; System Location Discovery: System Language Discovery; Modifies registry class
89  C:\Windows\SysWOW64\Qdbpml32.exe  cmd: C:\Windows\system32\Qdbpml32.exe  PID 2584
90  C:\Windows\SysWOW64\Qhnlmjie.exe  cmd: C:\Windows\system32\Qhnlmjie.exe  PID 564
91  C:\Windows\SysWOW64\Qklhifhi.exe  cmd: C:\Windows\system32\Qklhifhi.exe  PID 816
   Modifies registry class
92  C:\Windows\SysWOW64\Qnkdeagl.exe  cmd: C:\Windows\system32\Qnkdeagl.exe  PID 2792
   Modifies registry class
93  C:\Windows\SysWOW64\Qqiqam32.exe  cmd: C:\Windows\system32\Qqiqam32.exe  PID 2980
94  C:\Windows\SysWOW64\Qddmbkoi.exe  cmd: C:\Windows\system32\Qddmbkoi.exe  PID 2000
   Modifies registry class
95  C:\Windows\SysWOW64\Qgcingnm.exe  cmd: C:\Windows\system32\Qgcingnm.exe  PID 1500
96  C:\Windows\SysWOW64\Qkoeoe32.exe  cmd: C:\Windows\system32\Qkoeoe32.exe  PID 2384
   Drops file in System32 directory
97  C:\Windows\SysWOW64\Qmpafnld.exe  cmd: C:\Windows\system32\Qmpafnld.exe  PID 2536
98  C:\Windows\SysWOW64\Aqkmgl32.exe  cmd: C:\Windows\system32\Aqkmgl32.exe  PID 1532
99  C:\Windows\SysWOW64\Acjjch32.exe  cmd: C:\Windows\system32\Acjjch32.exe  PID 3044
   Drops file in System32 directory
100  C:\Windows\SysWOW64\Ageedflj.exe  cmd: C:\Windows\system32\Ageedflj.exe  PID 2412
101  C:\Windows\SysWOW64\Ajcbpbkn.exe  cmd: C:\Windows\system32\Ajcbpbkn.exe  PID 1884
   Drops file in System32 directory
102  C:\Windows\SysWOW64\Aqnjml32.exe  cmd: C:\Windows\system32\Aqnjml32.exe  PID 1608
103  C:\Windows\SysWOW64\Aoqjhiie.exe  cmd: C:\Windows\system32\Aoqjhiie.exe  PID 3012
   Modifies registry class
104  C:\Windows\SysWOW64\Aclfigao.exe  cmd: C:\Windows\system32\Aclfigao.exe  PID 2516
   Adds autorun key to be loaded by Explorer.exe on startup; Drops file in System32 directory; Modifies registry class
105  C:\Windows\SysWOW64\Ajfoea32.exe  cmd: C:\Windows\system32\Ajfoea32.exe  PID 2984
106  C:\Windows\SysWOW64\Aiioanpf.exe  cmd: C:\Windows\system32\Aiioanpf.exe  PID 2920
107  C:\Windows\SysWOW64\Aqpgblqh.exe  cmd: C:\Windows\system32\Aqpgblqh.exe  PID 1136
108  C:\Windows\SysWOW64\Acncngpl.exe  cmd: C:\Windows\system32\Acncngpl.exe  PID 2396
109  C:\Windows\SysWOW64\Abacjd32.exe  cmd: C:\Windows\system32\Abacjd32.exe  PID 2136
   Modifies registry class
110  C:\Windows\SysWOW64\Afmokbop.exe  cmd: C:\Windows\system32\Afmokbop.exe  PID 1992
111  C:\Windows\SysWOW64\Aikkgnnc.exe  cmd: C:\Windows\system32\Aikkgnnc.exe  PID 1436
   Adds autorun key to be loaded by Explorer.exe on startup; System Location Discovery: System Language Discovery
112  C:\Windows\SysWOW64\Amgggm32.exe  cmd: C:\Windows\system32\Amgggm32.exe  PID 2148
113  C:\Windows\SysWOW64\Aoedch32.exe  cmd: C:\Windows\system32\Aoedch32.exe  PID 2284
114  C:\Windows\SysWOW64\Abcppcdc.exe  cmd: C:\Windows\system32\Abcppcdc.exe  PID 2892
115  C:\Windows\SysWOW64\Aebllocg.exe  cmd: C:\Windows\system32\Aebllocg.exe  PID 1656
116  C:\Windows\SysWOW64\Ainhln32.exe  cmd: C:\Windows\system32\Ainhln32.exe  PID 2072
117  C:\Windows\SysWOW64\Akldhi32.exe  cmd: C:\Windows\system32\Akldhi32.exe  PID 2560
   System Location Discovery: System Language Discovery
118  C:\Windows\SysWOW64\Aogqihcm.exe  cmd: C:\Windows\system32\Aogqihcm.exe  PID 748
   System Location Discovery: System Language Discovery
119  C:\Windows\SysWOW64\Afaieb32.exe  cmd: C:\Windows\system32\Afaieb32.exe  PID 3032
   Adds autorun key to be loaded by Explorer.exe on startup; System Location Discovery: System Language Discovery
120  C:\Windows\SysWOW64\Aediaoae.exe  cmd: C:\Windows\system32\Aediaoae.exe  PID 1952
121  C:\Windows\SysWOW64\Aipebm32.exe  cmd: C:\Windows\system32\Aipebm32.exe  PID 2192
122  C:\Windows\SysWOW64\Bknani32.exe  cmd: C:\Windows\system32\Bknani32.exe  PID 1976
   System Location Discovery: System Language Discovery
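Two features of this tree matter for a host investigation. First, every stage after the dropper runs from C:\Windows\SysWOW64 while its command line names C:\Windows\system32: the sample is 32-bit (all its registry writes land under Wow6432Node), so WoW64 file system redirection silently maps its system32 writes and launches to SysWOW64. Second, each stage drops and executes the next one, giving a chain of SysWOW64 processes whose parent is also a SysWOW64 process. The PowerShell below is an added example, not part of this sandbox report or of the sample; it hunts a live host for both patterns: PE files recently written to SysWOW64 without a valid Authenticode signature, and running SysWOW64 processes parented by SysWOW64 processes. Assumptions: run elevated in Windows PowerShell 5.1 or later; $LookbackDays is a tunable chosen for the example, not a value from the report; signature status is a lead rather than a verdict, because catalog-signed Microsoft files can report NotSigned on older hosts; and the parent check uses the parent PID from Win32_Process, which can be stale if the parent has exited and its PID was reused.

```powershell
# Added example (not from the sandbox report or the sample): hunt for freshly written,
# unsigned PE files in SysWOW64 and for SysWOW64 processes spawned by SysWOW64 processes.
$LookbackDays = 7                                        # tunable for this example
$sysWow64 = Join-Path $env:SystemRoot 'SysWOW64'
$cutoff   = (Get-Date).AddDays(-$LookbackDays)

# (1) EXE/DLL files written to SysWOW64 within the lookback window that do not carry a
#     valid Authenticode signature. Catalog-signed Microsoft files may show NotSigned on
#     older hosts, so verify each hit (hash lookup, file version info) before acting.
$recentUnsigned = Get-ChildItem -Path (Join-Path $sysWow64 '*') -Include *.exe, *.dll -File -ErrorAction SilentlyContinue |
    Where-Object { $_.LastWriteTime -gt $cutoff } |
    ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        [pscustomobject]@{
            Path      = $_.FullName
            Written   = $_.LastWriteTime
            SizeKB    = [math]::Round($_.Length / 1KB, 1)
            SigStatus = $sig.Status
            Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        }
    } |
    Where-Object { $_.SigStatus -ne 'Valid' }

# (2) Running processes whose image is in SysWOW64 and whose parent's image is too.
#     Legitimate 32-bit software can match (a 32-bit app launching a 32-bit helper), so
#     use this to find chains worth inspecting, not to convict on its own.
$procs = Get-CimInstance -ClassName Win32_Process
$byPid = @{}
foreach ($p in $procs) { $byPid[[int]$p.ProcessId] = $p }

$chained = foreach ($p in $procs) {
    if (-not $p.ExecutablePath) { continue }                    # System, Idle, protected processes
    if ($p.ExecutablePath -notlike "$sysWow64\*") { continue }
    $parent = $byPid[[int]$p.ParentProcessId]                   # may be stale if the PID was reused
    if ($parent -and $parent.ExecutablePath -like "$sysWow64\*") {
        [pscustomobject]@{
            PID         = $p.ProcessId
            Image       = $p.ExecutablePath
            CommandLine = $p.CommandLine
            ParentPID   = $parent.ProcessId
            ParentImage = $parent.ExecutablePath
        }
    }
}

'--- SysWOW64 PE files written in the last {0} days without a valid signature ---' -f $LookbackDays
$recentUnsigned | Sort-Object Written -Descending | Format-Table -AutoSize
'--- SysWOW64 processes whose parent is also a SysWOW64 process ---'
$chained | Format-Table -AutoSize
```

On an infected host the first list is where the dropped EXEs and the rotating InProcServer32 DLLs surface, with write times clustered within seconds of each other; the second list reproduces the parent/child chain seen in the tree for whatever stages are still running. Since this sample never reuses a file name between runs, match on the pattern (eight-letter names, unsigned, recently written, in SysWOW64) rather than on the names recorded above.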