Analysis
-
max time kernel
117s -
max time network
117s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
08/09/2024, 14:41
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
ea7e9337f22afffbb9e263a022a650b0N.exe
Resource
win7-20240903-en
windows7-x64
8 signatures
120 seconds
Behavioral task
behavioral2
Sample
ea7e9337f22afffbb9e263a022a650b0N.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
7 signatures
120 seconds
General
-
Target
ea7e9337f22afffbb9e263a022a650b0N.exe
-
Size
136KB
-
MD5
ea7e9337f22afffbb9e263a022a650b0
-
SHA1
2e2f944d96b93e9f3e0d7aa87ee30c66f1ebbcbc
-
SHA256
0a2edfc69926dfc846421326558b58c635f2e8d0b648ac736ad34534e30515ba
-
SHA512
240783469348bf0c91f1cc3e882c231d876f8ebd01e964c84e89cdf8df690c68cca69742c1bf8eeb488e25825ae6a134202dd98772b3c49a0043a440caf6cb3a
-
SSDEEP
3072:Xmxkulv8M4O9AlUU5NytsohLwdNbw+Y92xQuohLwdNbw5bxH0zVWccA:XkD98M4OilFytsohxd2Quohdbd0zscj
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Obeacl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jmfcop32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mdmkoepk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mdadjd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bdkhjgeh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jpepkk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Khldkllj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kkmmlgik.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Libjncnc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mflgih32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jikhnaao.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fefqdl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gojhafnb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Igebkiof.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bnlgbnbp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dcghkf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bhkeohhn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bolcma32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cmmcpi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fkqlgc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fooembgb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lpabpcdf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aaejojjq.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Plbkfdba.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pnchhllf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Icncgf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hffibceh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hmdkjmip.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ikjhki32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qoeamo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Epbbkf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hmdkjmip.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mneohj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eeojcmfi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Elkofg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hmbndmkb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gqdgom32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hnhgha32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hddmjk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ijcngenj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bfabnl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dlifadkk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pmehdh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ckpckece.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eeojcmfi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ibfmmb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Khjgel32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qhilkege.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dgnjqe32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hfhfhbce.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kkjpggkn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bfoeil32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fdkmeiei.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jjhgbd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kjhcag32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Elibpg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gockgdeh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cmhjdiap.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ifolhann.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jfohgepi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jpgmpk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nbeedh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oefjdgjk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Efjmbaba.exe -
Executes dropped EXE 64 IoCs
pid Process 2792 Lopfhk32.exe 2920 Lpabpcdf.exe 2828 Ljigih32.exe 2548 Laqojfli.exe 800 Ldokfakl.exe 576 Lgngbmjp.exe 1996 Ljldnhid.exe 1664 Lljpjchg.exe 1744 Ldahkaij.exe 2284 Lgpdglhn.exe 2880 Ljnqdhga.exe 1760 Llmmpcfe.exe 2280 Mphiqbon.exe 2460 Mgbaml32.exe 1200 Mjqmig32.exe 1712 Mqjefamk.exe 1372 Mciabmlo.exe 2436 Mfgnnhkc.exe 640 Mkdffoij.exe 1528 Mbnocipg.exe 2516 Mfjkdh32.exe 1516 Mdmkoepk.exe 2092 Mhhgpc32.exe 2428 Mobomnoq.exe 272 Mneohj32.exe 2584 Mflgih32.exe 2808 Mhjcec32.exe 2724 Mkipao32.exe 2220 Mnglnj32.exe 308 Mqehjecl.exe 2576 Mdadjd32.exe 2596 Ngpqfp32.exe 604 Nbeedh32.exe 3064 Nqhepeai.exe 1444 Ncfalqpm.exe 2176 Njpihk32.exe 2848 Nqjaeeog.exe 2292 Ncinap32.exe 1640 Ngdjaofc.exe 2496 Nnnbni32.exe 1788 Nmabjfek.exe 1036 Nckkgp32.exe 2476 Nfigck32.exe 2316 Nqokpd32.exe 896 Npbklabl.exe 2052 Nflchkii.exe 1204 Nijpdfhm.exe 3052 Nlilqbgp.exe 804 Npdhaq32.exe 2568 Obbdml32.exe 2612 Olkifaen.exe 1112 Opfegp32.exe 1964 Obeacl32.exe 2396 Oecmogln.exe 620 Oioipf32.exe 1984 Olmela32.exe 540 Onlahm32.exe 1076 Obgnhkkh.exe 2376 Oefjdgjk.exe 1736 Ohdfqbio.exe 2664 Ojbbmnhc.exe 2624 Objjnkie.exe 664 Oalkih32.exe 2152 Odkgec32.exe -
Loads dropped DLL 64 IoCs
pid Process 2644 ea7e9337f22afffbb9e263a022a650b0N.exe 2644 ea7e9337f22afffbb9e263a022a650b0N.exe 2792 Lopfhk32.exe 2792 Lopfhk32.exe 2920 Lpabpcdf.exe 2920 Lpabpcdf.exe 2828 Ljigih32.exe 2828 Ljigih32.exe 2548 Laqojfli.exe 2548 Laqojfli.exe 800 Ldokfakl.exe 800 Ldokfakl.exe 576 Lgngbmjp.exe 576 Lgngbmjp.exe 1996 Ljldnhid.exe 1996 Ljldnhid.exe 1664 Lljpjchg.exe 1664 Lljpjchg.exe 1744 Ldahkaij.exe 1744 Ldahkaij.exe 2284 Lgpdglhn.exe 2284 Lgpdglhn.exe 2880 Ljnqdhga.exe 2880 Ljnqdhga.exe 1760 Llmmpcfe.exe 1760 Llmmpcfe.exe 2280 Mphiqbon.exe 2280 Mphiqbon.exe 2460 Mgbaml32.exe 2460 Mgbaml32.exe 1200 Mjqmig32.exe 1200 Mjqmig32.exe 1712 Mqjefamk.exe 1712 Mqjefamk.exe 1372 Mciabmlo.exe 1372 Mciabmlo.exe 2436 Mfgnnhkc.exe 2436 Mfgnnhkc.exe 640 Mkdffoij.exe 640 Mkdffoij.exe 1528 Mbnocipg.exe 1528 Mbnocipg.exe 2516 Mfjkdh32.exe 2516 Mfjkdh32.exe 1516 Mdmkoepk.exe 1516 Mdmkoepk.exe 2092 Mhhgpc32.exe 2092 Mhhgpc32.exe 2428 Mobomnoq.exe 2428 Mobomnoq.exe 272 Mneohj32.exe 272 Mneohj32.exe 2584 Mflgih32.exe 2584 Mflgih32.exe 2808 Mhjcec32.exe 2808 Mhjcec32.exe 2724 Mkipao32.exe 2724 Mkipao32.exe 2220 Mnglnj32.exe 2220 Mnglnj32.exe 308 Mqehjecl.exe 308 Mqehjecl.exe 2576 Mdadjd32.exe 2576 Mdadjd32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Anafme32.dll Igceej32.exe File created C:\Windows\SysWOW64\Qmgaio32.dll Jbclgf32.exe File opened for modification C:\Windows\SysWOW64\Nqjaeeog.exe Njpihk32.exe File created C:\Windows\SysWOW64\Iggkja32.dll Ohipla32.exe File created C:\Windows\SysWOW64\Qhkipdeb.exe Qdompf32.exe File opened for modification C:\Windows\SysWOW64\Boifga32.exe Blkjkflb.exe File opened for modification C:\Windows\SysWOW64\Bnapnm32.exe Bkbdabog.exe File created C:\Windows\SysWOW64\Feachqgb.exe Fgocmc32.exe File created C:\Windows\SysWOW64\Libjncnc.exe Kkojbf32.exe File created C:\Windows\SysWOW64\Fihfnp32.exe Fkefbcmf.exe File opened for modification C:\Windows\SysWOW64\Fpdkpiik.exe Fliook32.exe File created C:\Windows\SysWOW64\Lcmdjb32.dll Odkgec32.exe File opened for modification C:\Windows\SysWOW64\Qhilkege.exe Qejpoi32.exe File created C:\Windows\SysWOW64\Oehiknbl.dll Afliclij.exe File created C:\Windows\SysWOW64\Mmjgpkif.dll Cmhjdiap.exe File created C:\Windows\SysWOW64\Efhqmadd.exe Edidqf32.exe File opened for modification C:\Windows\SysWOW64\Elibpg32.exe Ehnfpifm.exe File opened for modification C:\Windows\SysWOW64\Hffibceh.exe Hgciff32.exe File opened for modification C:\Windows\SysWOW64\Hiioin32.exe Hjfnnajl.exe File opened for modification C:\Windows\SysWOW64\Igebkiof.exe Icifjk32.exe File opened for modification C:\Windows\SysWOW64\Keioca32.exe Kambcbhb.exe File created C:\Windows\SysWOW64\Kbmome32.exe Koaclfgl.exe File created C:\Windows\SysWOW64\Epflllfi.dll Mfgnnhkc.exe File created C:\Windows\SysWOW64\Eifmimch.exe Ejcmmp32.exe File created C:\Windows\SysWOW64\Hellqgnm.dll Goqnae32.exe File created C:\Windows\SysWOW64\Gaojnq32.exe Gncnmane.exe File created C:\Windows\SysWOW64\Aognbnkm.exe Aklabp32.exe File created C:\Windows\SysWOW64\Boemlbpk.exe Bpbmqe32.exe File created C:\Windows\SysWOW64\Djocbqpb.exe Dfcgbb32.exe File created C:\Windows\SysWOW64\Famaimfe.exe Fmaeho32.exe File opened for modification C:\Windows\SysWOW64\Fdnjkh32.exe Fpbnjjkm.exe File opened for modification C:\Windows\SysWOW64\Aacmij32.exe Qoeamo32.exe File created C:\Windows\SysWOW64\Acblbcob.dll Efedga32.exe File created C:\Windows\SysWOW64\Hadcipbi.exe Hnhgha32.exe File opened for modification C:\Windows\SysWOW64\Iclbpj32.exe Ieibdnnp.exe File opened for modification C:\Windows\SysWOW64\Blbjlj32.dll Kambcbhb.exe File created C:\Windows\SysWOW64\Iinkmi32.dll Nmabjfek.exe File created C:\Windows\SysWOW64\Lnebcjoe.dll Pehcij32.exe File opened for modification C:\Windows\SysWOW64\Emoldlmc.exe Eicpcm32.exe File created C:\Windows\SysWOW64\Flnlkgjq.exe Fhbpkh32.exe File created C:\Windows\SysWOW64\Bmblbf32.dll Fooembgb.exe File opened for modification C:\Windows\SysWOW64\Hnhgha32.exe Hjmlhbbg.exe File created C:\Windows\SysWOW64\Igejec32.dll Apmcefmf.exe File created C:\Windows\SysWOW64\Kneoni32.dll Dnefhpma.exe File created C:\Windows\SysWOW64\Ebnabb32.exe Edlafebn.exe File opened for modification C:\Windows\SysWOW64\Njpihk32.exe Ncfalqpm.exe File created C:\Windows\SysWOW64\Agbbgqhh.exe Addfkeid.exe File created C:\Windows\SysWOW64\Bgghac32.exe Bhdhefpc.exe File created C:\Windows\SysWOW64\Iinhdmma.exe Ifolhann.exe File created C:\Windows\SysWOW64\Pdioqoen.dll Obbdml32.exe File created C:\Windows\SysWOW64\Jlhdnf32.dll Pbgjgomc.exe File opened for modification C:\Windows\SysWOW64\Qbnphngk.exe Qkghgpfi.exe File opened for modification C:\Windows\SysWOW64\Dcbnpgkh.exe Deondj32.exe File created C:\Windows\SysWOW64\Elkofg32.exe Ehpcehcj.exe File created C:\Windows\SysWOW64\Keclgbfi.dll Glklejoo.exe File created C:\Windows\SysWOW64\Glklejoo.exe Gmhkin32.exe File created C:\Windows\SysWOW64\Ghdiokbq.exe Giaidnkf.exe File opened for modification C:\Windows\SysWOW64\Mqehjecl.exe Mnglnj32.exe File opened for modification C:\Windows\SysWOW64\Onqkclni.exe Ojeobm32.exe File created C:\Windows\SysWOW64\Cdlfik32.dll Ppddpd32.exe File created C:\Windows\SysWOW64\Aclpaali.exe Adipfd32.exe File created C:\Windows\SysWOW64\Nbiahjpi.dll Elibpg32.exe File created C:\Windows\SysWOW64\Hcjdjiqp.dll Fakdcnhh.exe File created C:\Windows\SysWOW64\Ebenek32.dll Jlnmel32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 5312 5292 WerFault.exe 515 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qhilkege.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dnqlmq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aeoijidl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Afliclij.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Epeoaffo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ikjhki32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Acicla32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Blinefnd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cjjnhnbl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gcjmmdbf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Khjgel32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Npdhaq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hdpcokdo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jpgmpk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bgdkkc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ejcmmp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hjaeba32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ljigih32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pdppqbkn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hmpaom32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Addfkeid.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dkdmfe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fhgifgnb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pmmneg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Popgboae.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bcpimq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bgghac32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cjogcm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Djocbqpb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hmbndmkb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jhenjmbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Njpihk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ppddpd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aahfdihn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Apmcefmf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Colpld32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Anogijnb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ciokijfd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jplfkjbd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ohipla32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iikkon32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Olkifaen.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Plmbkd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fpdkpiik.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Giolnomh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hmmdin32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eeojcmfi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gkebafoa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Imggplgm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cfckcoen.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gojhafnb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nijpdfhm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Odkgec32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qhkipdeb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aphjjf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kjhcag32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bhkeohhn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oalkih32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qkielpdf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cgidfcdk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ccbbachm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gqdgom32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cjljnn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iaimipjl.exe -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Deondj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hkekhpob.dll" Fdnjkh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gamnhq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jgjkfi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pqdhpbib.dll" Mkipao32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dgknkf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Edlafebn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eeojcmfi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fogalkad.dll" Njpihk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gojhafnb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ifmocb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Engeeehn.dll" Ciokijfd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aphjjf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Moibemdg.dll" Gecpnp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gpidki32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jmdgipkk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iddpheep.dll" Jfaeme32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmkkio32.dll" Jplfkjbd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mobafhlg.dll" Jnofgg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mphiqbon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdnfmn32.dll" Khjgel32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Emdeok32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fefqdl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ikeebbaa.dll" Gncnmane.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ibacbcgg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jimdcqom.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Efhqmadd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dmkcil32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gqdgom32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hkjkle32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Koaclfgl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lljpjchg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckkhdaei.dll" Giolnomh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gaojnq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hkjkle32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Plmbkd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aejlnmkm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Boemlbpk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bhdhefpc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fkqlgc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mfjkdh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Eoebgcol.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nbiahjpi.dll" Elibpg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dllmckbg.dll" Hmbndmkb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Inmmbc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aklabp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dcoaml32.dll" Aclpaali.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ccnifd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dahkok32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ojmklbll.dll" Efjmbaba.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ajokhp32.dll" Ehnfpifm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gdnfjl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kmimcbja.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Olmela32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Plbkfdba.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dmmpolof.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jcnoejch.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dkmohi32.dll" Nijpdfhm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cgidfcdk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ciokijfd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cmkfji32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ehnfpifm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fpdkpiik.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Adipfd32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2644 wrote to memory of 2792 2644 ea7e9337f22afffbb9e263a022a650b0N.exe 30 PID 2644 wrote to memory of 2792 2644 ea7e9337f22afffbb9e263a022a650b0N.exe 30 PID 2644 wrote to memory of 2792 2644 ea7e9337f22afffbb9e263a022a650b0N.exe 30 PID 2644 wrote to memory of 2792 2644 ea7e9337f22afffbb9e263a022a650b0N.exe 30 PID 2792 wrote to memory of 2920 2792 Lopfhk32.exe 31 PID 2792 wrote to memory of 2920 2792 Lopfhk32.exe 31 PID 2792 wrote to memory of 2920 2792 Lopfhk32.exe 31 PID 2792 wrote to memory of 2920 2792 Lopfhk32.exe 31 PID 2920 wrote to memory of 2828 2920 Lpabpcdf.exe 32 PID 2920 wrote to memory of 2828 2920 Lpabpcdf.exe 32 PID 2920 wrote to memory of 2828 2920 Lpabpcdf.exe 32 PID 2920 wrote to memory of 2828 2920 Lpabpcdf.exe 32 PID 2828 wrote to memory of 2548 2828 Ljigih32.exe 33 PID 2828 wrote to memory of 2548 2828 Ljigih32.exe 33 PID 2828 wrote to memory of 2548 2828 Ljigih32.exe 33 PID 2828 wrote to memory of 2548 2828 Ljigih32.exe 33 PID 2548 wrote to memory of 800 2548 Laqojfli.exe 34 PID 2548 wrote to memory of 800 2548 Laqojfli.exe 34 PID 2548 wrote to memory of 800 2548 Laqojfli.exe 34 PID 2548 wrote to memory of 800 2548 Laqojfli.exe 34 PID 800 wrote to memory of 576 800 Ldokfakl.exe 35 PID 800 wrote to memory of 576 800 Ldokfakl.exe 35 PID 800 wrote to memory of 576 800 Ldokfakl.exe 35 PID 800 wrote to memory of 576 800 Ldokfakl.exe 35 PID 576 wrote to memory of 1996 576 Lgngbmjp.exe 36 PID 576 wrote to memory of 1996 576 Lgngbmjp.exe 36 PID 576 wrote to memory of 1996 576 Lgngbmjp.exe 36 PID 576 wrote to memory of 1996 576 Lgngbmjp.exe 36 PID 1996 wrote to memory of 1664 1996 Ljldnhid.exe 37 PID 1996 wrote to memory of 1664 1996 Ljldnhid.exe 37 PID 1996 wrote to memory of 1664 1996 Ljldnhid.exe 37 PID 1996 wrote to memory of 1664 1996 Ljldnhid.exe 37 PID 1664 wrote to memory of 1744 1664 Lljpjchg.exe 38 PID 1664 wrote to memory of 1744 1664 Lljpjchg.exe 38 PID 1664 wrote to memory of 1744 1664 Lljpjchg.exe 38 PID 1664 wrote to memory of 1744 1664 Lljpjchg.exe 38 PID 1744 wrote to memory of 2284 1744 Ldahkaij.exe 39 PID 1744 wrote to memory of 2284 1744 Ldahkaij.exe 39 PID 1744 wrote to memory of 2284 1744 Ldahkaij.exe 39 PID 1744 wrote to memory of 2284 1744 Ldahkaij.exe 39 PID 2284 wrote to memory of 2880 2284 Lgpdglhn.exe 40 PID 2284 wrote to memory of 2880 2284 Lgpdglhn.exe 40 PID 2284 wrote to memory of 2880 2284 Lgpdglhn.exe 40 PID 2284 wrote to memory of 2880 2284 Lgpdglhn.exe 40 PID 2880 wrote to memory of 1760 2880 Ljnqdhga.exe 41 PID 2880 wrote to memory of 1760 2880 Ljnqdhga.exe 41 PID 2880 wrote to memory of 1760 2880 Ljnqdhga.exe 41 PID 2880 wrote to memory of 1760 2880 Ljnqdhga.exe 41 PID 1760 wrote to memory of 2280 1760 Llmmpcfe.exe 42 PID 1760 wrote to memory of 2280 1760 Llmmpcfe.exe 42 PID 1760 wrote to memory of 2280 1760 Llmmpcfe.exe 42 PID 1760 wrote to memory of 2280 1760 Llmmpcfe.exe 42 PID 2280 wrote to memory of 2460 2280 Mphiqbon.exe 43 PID 2280 wrote to memory of 2460 2280 Mphiqbon.exe 43 PID 2280 wrote to memory of 2460 2280 Mphiqbon.exe 43 PID 2280 wrote to memory of 2460 2280 Mphiqbon.exe 43 PID 2460 wrote to memory of 1200 2460 Mgbaml32.exe 44 PID 2460 wrote to memory of 1200 2460 Mgbaml32.exe 44 PID 2460 wrote to memory of 1200 2460 Mgbaml32.exe 44 PID 2460 wrote to memory of 1200 2460 Mgbaml32.exe 44 PID 1200 wrote to memory of 1712 1200 Mjqmig32.exe 45 PID 1200 wrote to memory of 1712 1200 Mjqmig32.exe 45 PID 1200 wrote to memory of 1712 1200 Mjqmig32.exe 45 PID 1200 wrote to memory of 1712 1200 Mjqmig32.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\ea7e9337f22afffbb9e263a022a650b0N.exe"C:\Users\Admin\AppData\Local\Temp\ea7e9337f22afffbb9e263a022a650b0N.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2644 -
C:\Windows\SysWOW64\Lopfhk32.exeC:\Windows\system32\Lopfhk32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2792 -
C:\Windows\SysWOW64\Lpabpcdf.exeC:\Windows\system32\Lpabpcdf.exe3⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2920 -
C:\Windows\SysWOW64\Ljigih32.exeC:\Windows\system32\Ljigih32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2828 -
C:\Windows\SysWOW64\Laqojfli.exeC:\Windows\system32\Laqojfli.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2548 -
C:\Windows\SysWOW64\Ldokfakl.exeC:\Windows\system32\Ldokfakl.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:800 -
C:\Windows\SysWOW64\Lgngbmjp.exeC:\Windows\system32\Lgngbmjp.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:576 -
C:\Windows\SysWOW64\Ljldnhid.exeC:\Windows\system32\Ljldnhid.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1996 -
C:\Windows\SysWOW64\Lljpjchg.exeC:\Windows\system32\Lljpjchg.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1664 -
C:\Windows\SysWOW64\Ldahkaij.exeC:\Windows\system32\Ldahkaij.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1744 -
C:\Windows\SysWOW64\Lgpdglhn.exeC:\Windows\system32\Lgpdglhn.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2284 -
C:\Windows\SysWOW64\Ljnqdhga.exeC:\Windows\system32\Ljnqdhga.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2880 -
C:\Windows\SysWOW64\Llmmpcfe.exeC:\Windows\system32\Llmmpcfe.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1760 -
C:\Windows\SysWOW64\Mphiqbon.exeC:\Windows\system32\Mphiqbon.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2280 -
C:\Windows\SysWOW64\Mgbaml32.exeC:\Windows\system32\Mgbaml32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2460 -
C:\Windows\SysWOW64\Mjqmig32.exeC:\Windows\system32\Mjqmig32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1200 -
C:\Windows\SysWOW64\Mqjefamk.exeC:\Windows\system32\Mqjefamk.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1712 -
C:\Windows\SysWOW64\Mciabmlo.exeC:\Windows\system32\Mciabmlo.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1372 -
C:\Windows\SysWOW64\Mfgnnhkc.exeC:\Windows\system32\Mfgnnhkc.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2436 -
C:\Windows\SysWOW64\Mkdffoij.exeC:\Windows\system32\Mkdffoij.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:640 -
C:\Windows\SysWOW64\Mbnocipg.exeC:\Windows\system32\Mbnocipg.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1528 -
C:\Windows\SysWOW64\Mfjkdh32.exeC:\Windows\system32\Mfjkdh32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2516 -
C:\Windows\SysWOW64\Mdmkoepk.exeC:\Windows\system32\Mdmkoepk.exe23⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1516 -
C:\Windows\SysWOW64\Mhhgpc32.exeC:\Windows\system32\Mhhgpc32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2092 -
C:\Windows\SysWOW64\Mobomnoq.exeC:\Windows\system32\Mobomnoq.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2428 -
C:\Windows\SysWOW64\Mneohj32.exeC:\Windows\system32\Mneohj32.exe26⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:272 -
C:\Windows\SysWOW64\Mflgih32.exeC:\Windows\system32\Mflgih32.exe27⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2584 -
C:\Windows\SysWOW64\Mhjcec32.exeC:\Windows\system32\Mhjcec32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2808 -
C:\Windows\SysWOW64\Mkipao32.exeC:\Windows\system32\Mkipao32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2724 -
C:\Windows\SysWOW64\Mnglnj32.exeC:\Windows\system32\Mnglnj32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2220 -
C:\Windows\SysWOW64\Mqehjecl.exeC:\Windows\system32\Mqehjecl.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:308 -
C:\Windows\SysWOW64\Mdadjd32.exeC:\Windows\system32\Mdadjd32.exe32⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2576 -
C:\Windows\SysWOW64\Ngpqfp32.exeC:\Windows\system32\Ngpqfp32.exe33⤵
- Executes dropped EXE
PID:2596 -
C:\Windows\SysWOW64\Nbeedh32.exeC:\Windows\system32\Nbeedh32.exe34⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:604 -
C:\Windows\SysWOW64\Nqhepeai.exeC:\Windows\system32\Nqhepeai.exe35⤵
- Executes dropped EXE
PID:3064 -
C:\Windows\SysWOW64\Ncfalqpm.exeC:\Windows\system32\Ncfalqpm.exe36⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1444 -
C:\Windows\SysWOW64\Njpihk32.exeC:\Windows\system32\Njpihk32.exe37⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2176 -
C:\Windows\SysWOW64\Nqjaeeog.exeC:\Windows\system32\Nqjaeeog.exe38⤵
- Executes dropped EXE
PID:2848 -
C:\Windows\SysWOW64\Ncinap32.exeC:\Windows\system32\Ncinap32.exe39⤵
- Executes dropped EXE
PID:2292 -
C:\Windows\SysWOW64\Ngdjaofc.exeC:\Windows\system32\Ngdjaofc.exe40⤵
- Executes dropped EXE
PID:1640 -
C:\Windows\SysWOW64\Nnnbni32.exeC:\Windows\system32\Nnnbni32.exe41⤵
- Executes dropped EXE
PID:2496 -
C:\Windows\SysWOW64\Nmabjfek.exeC:\Windows\system32\Nmabjfek.exe42⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1788 -
C:\Windows\SysWOW64\Nckkgp32.exeC:\Windows\system32\Nckkgp32.exe43⤵
- Executes dropped EXE
PID:1036 -
C:\Windows\SysWOW64\Nfigck32.exeC:\Windows\system32\Nfigck32.exe44⤵
- Executes dropped EXE
PID:2476 -
C:\Windows\SysWOW64\Nqokpd32.exeC:\Windows\system32\Nqokpd32.exe45⤵
- Executes dropped EXE
PID:2316 -
C:\Windows\SysWOW64\Npbklabl.exeC:\Windows\system32\Npbklabl.exe46⤵
- Executes dropped EXE
PID:896 -
C:\Windows\SysWOW64\Nflchkii.exeC:\Windows\system32\Nflchkii.exe47⤵
- Executes dropped EXE
PID:2052 -
C:\Windows\SysWOW64\Nijpdfhm.exeC:\Windows\system32\Nijpdfhm.exe48⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1204 -
C:\Windows\SysWOW64\Nlilqbgp.exeC:\Windows\system32\Nlilqbgp.exe49⤵
- Executes dropped EXE
PID:3052 -
C:\Windows\SysWOW64\Npdhaq32.exeC:\Windows\system32\Npdhaq32.exe50⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:804 -
C:\Windows\SysWOW64\Obbdml32.exeC:\Windows\system32\Obbdml32.exe51⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2568 -
C:\Windows\SysWOW64\Olkifaen.exeC:\Windows\system32\Olkifaen.exe52⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2612 -
C:\Windows\SysWOW64\Opfegp32.exeC:\Windows\system32\Opfegp32.exe53⤵
- Executes dropped EXE
PID:1112 -
C:\Windows\SysWOW64\Obeacl32.exeC:\Windows\system32\Obeacl32.exe54⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1964 -
C:\Windows\SysWOW64\Oecmogln.exeC:\Windows\system32\Oecmogln.exe55⤵
- Executes dropped EXE
PID:2396 -
C:\Windows\SysWOW64\Oioipf32.exeC:\Windows\system32\Oioipf32.exe56⤵
- Executes dropped EXE
PID:620 -
C:\Windows\SysWOW64\Olmela32.exeC:\Windows\system32\Olmela32.exe57⤵
- Executes dropped EXE
- Modifies registry class
PID:1984 -
C:\Windows\SysWOW64\Onlahm32.exeC:\Windows\system32\Onlahm32.exe58⤵
- Executes dropped EXE
PID:540 -
C:\Windows\SysWOW64\Obgnhkkh.exeC:\Windows\system32\Obgnhkkh.exe59⤵
- Executes dropped EXE
PID:1076 -
C:\Windows\SysWOW64\Oefjdgjk.exeC:\Windows\system32\Oefjdgjk.exe60⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2376 -
C:\Windows\SysWOW64\Ohdfqbio.exeC:\Windows\system32\Ohdfqbio.exe61⤵
- Executes dropped EXE
PID:1736 -
C:\Windows\SysWOW64\Ojbbmnhc.exeC:\Windows\system32\Ojbbmnhc.exe62⤵
- Executes dropped EXE
PID:2664 -
C:\Windows\SysWOW64\Objjnkie.exeC:\Windows\system32\Objjnkie.exe63⤵
- Executes dropped EXE
PID:2624 -
C:\Windows\SysWOW64\Oalkih32.exeC:\Windows\system32\Oalkih32.exe64⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:664 -
C:\Windows\SysWOW64\Odkgec32.exeC:\Windows\system32\Odkgec32.exe65⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2152 -
C:\Windows\SysWOW64\Ohfcfb32.exeC:\Windows\system32\Ohfcfb32.exe66⤵PID:956
-
C:\Windows\SysWOW64\Ojeobm32.exeC:\Windows\system32\Ojeobm32.exe67⤵
- Drops file in System32 directory
PID:2040 -
C:\Windows\SysWOW64\Onqkclni.exeC:\Windows\system32\Onqkclni.exe68⤵PID:1040
-
C:\Windows\SysWOW64\Oaogognm.exeC:\Windows\system32\Oaogognm.exe69⤵PID:2960
-
C:\Windows\SysWOW64\Ohipla32.exeC:\Windows\system32\Ohipla32.exe70⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2100 -
C:\Windows\SysWOW64\Oflpgnld.exeC:\Windows\system32\Oflpgnld.exe71⤵PID:992
-
C:\Windows\SysWOW64\Pnchhllf.exeC:\Windows\system32\Pnchhllf.exe72⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1228 -
C:\Windows\SysWOW64\Pmehdh32.exeC:\Windows\system32\Pmehdh32.exe73⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1324 -
C:\Windows\SysWOW64\Ppddpd32.exeC:\Windows\system32\Ppddpd32.exe74⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2172 -
C:\Windows\SysWOW64\Pdppqbkn.exeC:\Windows\system32\Pdppqbkn.exe75⤵
- System Location Discovery: System Language Discovery
PID:3004 -
C:\Windows\SysWOW64\Pfnmmn32.exeC:\Windows\system32\Pfnmmn32.exe76⤵PID:1588
-
C:\Windows\SysWOW64\Piliii32.exeC:\Windows\system32\Piliii32.exe77⤵PID:760
-
C:\Windows\SysWOW64\Pmhejhao.exeC:\Windows\system32\Pmhejhao.exe78⤵PID:1700
-
C:\Windows\SysWOW64\Ppfafcpb.exeC:\Windows\system32\Ppfafcpb.exe79⤵PID:2148
-
C:\Windows\SysWOW64\Pdbmfb32.exeC:\Windows\system32\Pdbmfb32.exe80⤵PID:1368
-
C:\Windows\SysWOW64\Pfpibn32.exeC:\Windows\system32\Pfpibn32.exe81⤵PID:1816
-
C:\Windows\SysWOW64\Pjleclph.exeC:\Windows\system32\Pjleclph.exe82⤵PID:2064
-
C:\Windows\SysWOW64\Plmbkd32.exeC:\Windows\system32\Plmbkd32.exe83⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:3020 -
C:\Windows\SysWOW64\Ppinkcnp.exeC:\Windows\system32\Ppinkcnp.exe84⤵PID:2020
-
C:\Windows\SysWOW64\Pbgjgomc.exeC:\Windows\system32\Pbgjgomc.exe85⤵
- Drops file in System32 directory
PID:484 -
C:\Windows\SysWOW64\Pfbfhm32.exeC:\Windows\system32\Pfbfhm32.exe86⤵PID:1376
-
C:\Windows\SysWOW64\Piabdiep.exeC:\Windows\system32\Piabdiep.exe87⤵PID:2388
-
C:\Windows\SysWOW64\Pmmneg32.exeC:\Windows\system32\Pmmneg32.exe88⤵
- System Location Discovery: System Language Discovery
PID:2240 -
C:\Windows\SysWOW64\Ppkjac32.exeC:\Windows\system32\Ppkjac32.exe89⤵PID:1936
-
C:\Windows\SysWOW64\Ponklpcg.exeC:\Windows\system32\Ponklpcg.exe90⤵PID:828
-
C:\Windows\SysWOW64\Pfebnmcj.exeC:\Windows\system32\Pfebnmcj.exe91⤵PID:1708
-
C:\Windows\SysWOW64\Pehcij32.exeC:\Windows\system32\Pehcij32.exe92⤵
- Drops file in System32 directory
PID:1728 -
C:\Windows\SysWOW64\Phfoee32.exeC:\Windows\system32\Phfoee32.exe93⤵PID:2640
-
C:\Windows\SysWOW64\Plbkfdba.exeC:\Windows\system32\Plbkfdba.exe94⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:936 -
C:\Windows\SysWOW64\Popgboae.exeC:\Windows\system32\Popgboae.exe95⤵
- System Location Discovery: System Language Discovery
PID:2076 -
C:\Windows\SysWOW64\Paocnkph.exeC:\Windows\system32\Paocnkph.exe96⤵PID:2628
-
C:\Windows\SysWOW64\Qejpoi32.exeC:\Windows\system32\Qejpoi32.exe97⤵
- Drops file in System32 directory
PID:2360 -
C:\Windows\SysWOW64\Qhilkege.exeC:\Windows\system32\Qhilkege.exe98⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:1580 -
C:\Windows\SysWOW64\Qldhkc32.exeC:\Windows\system32\Qldhkc32.exe99⤵PID:3028
-
C:\Windows\SysWOW64\Qkghgpfi.exeC:\Windows\system32\Qkghgpfi.exe100⤵
- Drops file in System32 directory
PID:2264 -
C:\Windows\SysWOW64\Qbnphngk.exeC:\Windows\system32\Qbnphngk.exe101⤵PID:2708
-
C:\Windows\SysWOW64\Qaapcj32.exeC:\Windows\system32\Qaapcj32.exe102⤵PID:2560
-
C:\Windows\SysWOW64\Qdompf32.exeC:\Windows\system32\Qdompf32.exe103⤵
- Drops file in System32 directory
PID:2312 -
C:\Windows\SysWOW64\Qhkipdeb.exeC:\Windows\system32\Qhkipdeb.exe104⤵
- System Location Discovery: System Language Discovery
PID:2096 -
C:\Windows\SysWOW64\Qkielpdf.exeC:\Windows\system32\Qkielpdf.exe105⤵
- System Location Discovery: System Language Discovery
PID:332 -
C:\Windows\SysWOW64\Qoeamo32.exeC:\Windows\system32\Qoeamo32.exe106⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:3012 -
C:\Windows\SysWOW64\Aacmij32.exeC:\Windows\system32\Aacmij32.exe107⤵PID:1792
-
C:\Windows\SysWOW64\Aeoijidl.exeC:\Windows\system32\Aeoijidl.exe108⤵
- System Location Discovery: System Language Discovery
PID:2956 -
C:\Windows\SysWOW64\Ahmefdcp.exeC:\Windows\system32\Ahmefdcp.exe109⤵PID:1132
-
C:\Windows\SysWOW64\Aklabp32.exeC:\Windows\system32\Aklabp32.exe110⤵
- Drops file in System32 directory
- Modifies registry class
PID:2248 -
C:\Windows\SysWOW64\Aognbnkm.exeC:\Windows\system32\Aognbnkm.exe111⤵PID:1292
-
C:\Windows\SysWOW64\Aaejojjq.exeC:\Windows\system32\Aaejojjq.exe112⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2104 -
C:\Windows\SysWOW64\Aphjjf32.exeC:\Windows\system32\Aphjjf32.exe113⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:340 -
C:\Windows\SysWOW64\Addfkeid.exeC:\Windows\system32\Addfkeid.exe114⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2720 -
C:\Windows\SysWOW64\Agbbgqhh.exeC:\Windows\system32\Agbbgqhh.exe115⤵PID:2588
-
C:\Windows\SysWOW64\Aknngo32.exeC:\Windows\system32\Aknngo32.exe116⤵PID:624
-
C:\Windows\SysWOW64\Anljck32.exeC:\Windows\system32\Anljck32.exe117⤵PID:2300
-
C:\Windows\SysWOW64\Aahfdihn.exeC:\Windows\system32\Aahfdihn.exe118⤵
- System Location Discovery: System Language Discovery
PID:2688 -
C:\Windows\SysWOW64\Apkgpf32.exeC:\Windows\system32\Apkgpf32.exe119⤵PID:3024
-
C:\Windows\SysWOW64\Acicla32.exeC:\Windows\system32\Acicla32.exe120⤵
- System Location Discovery: System Language Discovery
PID:2844 -
C:\Windows\SysWOW64\Akpkmo32.exeC:\Windows\system32\Akpkmo32.exe121⤵PID:2160
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-