Analysis
-
max time kernel
36s -
max time network
18s -
platform
windows7_x64 -
resource
win7-20240704-en -
resource tags
arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system -
submitted
04-08-2024 16:25
Static task
static1
Behavioral task
behavioral1
Sample
f3b3bfd21b7002cafe43dc54f22967a0N.exe
Resource
win7-20240704-en
General
-
Target
f3b3bfd21b7002cafe43dc54f22967a0N.exe
-
Size
163KB
-
MD5
f3b3bfd21b7002cafe43dc54f22967a0
-
SHA1
cff29f23904cba71ab507ff8cdf32a9fe4b186b4
-
SHA256
ead03a781763691c7dfd5c7537cc61cf4c08c168fd95061b2f654e046bcaa081
-
SHA512
355e9e390999af9fdeda0c7c51f0999446c5709e3147d3114b14623ff6bae4a69b944c1780bc22165509c1c7b026f44b1c3e273a362e9e429f3b3e0e0ffd52fd
-
SSDEEP
1536:P8munJ1bvIN9h8KVMeaki7Dw7LlProNVU4qNVUrk/9QbfBr+7GwKrPAsqNVU:aJ1Af9MeVYw7LltOrWKDBr+yJb
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
Processes:
Mhhiiloh.exeFnjnkkbk.exeBpmkbl32.exeLamjph32.exeCjjpag32.exeIhlnhffh.exeMlgkbi32.exeBeggec32.exePjofjm32.exeOnipqp32.exeGjpddigo.exeNqpmimbe.exeGibkmgcj.exeNknkeg32.exeEfmlqigc.exeKjhfjpdd.exeGpafgp32.exePkepnalk.exeOolbcaij.exePfflql32.exeAinkcf32.exeLpdankjg.exePbjifgcd.exeCkkenikc.exeEqamla32.exeFijnabef.exeKlfmijae.exeOfaolcmh.exeHiockd32.exeKhgkpl32.exeOfilgh32.exeOklmhcdf.exeCamqpnel.exeBfgdmjlp.exeDmebcgbb.exeHhcndhap.exeIgkhjdde.exeGekhgh32.exeKbkdpnil.exeOkcchbnn.exeBdaojbjf.exeCgdqpq32.exeDqobnf32.exeHabili32.exeKpoejbhe.exeOgmkne32.exeJbnlaqhi.exePefhlcdk.exePioamlkk.exeJoekimld.exeCihedpcg.exeDdjphm32.exeQlgndbil.exeJkfpjf32.exeLhdcojaa.exeQnqjkh32.exeEqngcc32.exeGbhcpmkm.exeBedcembk.exeBimbql32.exeMdgkjopd.exedescription ioc process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mhhiiloh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fnjnkkbk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bpmkbl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lamjph32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cjjpag32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ihlnhffh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mlgkbi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Beggec32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Beggec32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pjofjm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Onipqp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gjpddigo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nqpmimbe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gibkmgcj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nknkeg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Efmlqigc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kjhfjpdd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gpafgp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pkepnalk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oolbcaij.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pfflql32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ainkcf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lpdankjg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pbjifgcd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ckkenikc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eqamla32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fijnabef.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Klfmijae.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ofaolcmh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hiockd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Khgkpl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ofilgh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oklmhcdf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Camqpnel.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bfgdmjlp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dmebcgbb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hhcndhap.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Igkhjdde.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gekhgh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kbkdpnil.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Okcchbnn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bdaojbjf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cgdqpq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dqobnf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Habili32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kpoejbhe.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ogmkne32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jbnlaqhi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pefhlcdk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cjjpag32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pioamlkk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Joekimld.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cihedpcg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ddjphm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qlgndbil.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jkfpjf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lhdcojaa.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nqpmimbe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qnqjkh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eqngcc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gbhcpmkm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bedcembk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bimbql32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mdgkjopd.exe -
Executes dropped EXE 64 IoCs
Processes:
Jjjdhc32.exeJcciqi32.exeJedehaea.exeJnmiag32.exeJnofgg32.exeKhgkpl32.exeKekkiq32.exeKmfpmc32.exeKdphjm32.exeKmimcbja.exeLibjncnc.exeLgfjggll.exeLcmklh32.exeLcohahpn.exeLkjmfjmi.exeLhnmoo32.exeMgcjpkak.exeMdgkjopd.exeMakkcc32.exeMjfphf32.exeMdldeo32.exeMjkibehc.exeNccnlk32.exeNjmfhe32.exeNcfjajma.exeNmnojp32.exeNghpjn32.exeNbmdhfog.exeOgabql32.exeOaigib32.exeObkcajde.exeOfilgh32.exePndalkgf.exePpcmfn32.exePepfnd32.exePjmnfk32.exePllkpn32.exePeeoidik.exePfflql32.exePalpneop.exePdjljpnc.exeQigebglj.exeQboikm32.exeQlgndbil.exeApefjqob.exeAinkcf32.exeAhchdb32.exeBdaojbjf.exeBcflko32.exeBjpdhifk.exeBlnpddeo.exeBfgdmjlp.exeBplijcle.exeBjembh32.exeCkfjjqhd.exeCdnncfoe.exeClefdcog.exeCbbomjnn.exeCdqkifmb.exeCgogealf.exeCqglng32.exeCkmpkpbl.exeCqjhcfpc.exeCgdqpq32.exepid process 548 Jjjdhc32.exe 2228 Jcciqi32.exe 2748 Jedehaea.exe 2708 Jnmiag32.exe 2988 Jnofgg32.exe 928 Khgkpl32.exe 3000 Kekkiq32.exe 2344 Kmfpmc32.exe 2768 Kdphjm32.exe 1724 Kmimcbja.exe 584 Libjncnc.exe 2336 Lgfjggll.exe 2612 Lcmklh32.exe 3028 Lcohahpn.exe 932 Lkjmfjmi.exe 976 Lhnmoo32.exe 340 Mgcjpkak.exe 872 Mdgkjopd.exe 1276 Makkcc32.exe 2924 Mjfphf32.exe 1576 Mdldeo32.exe 2284 Mjkibehc.exe 2408 Nccnlk32.exe 2024 Njmfhe32.exe 2216 Ncfjajma.exe 1600 Nmnojp32.exe 1436 Nghpjn32.exe 2548 Nbmdhfog.exe 2796 Ogabql32.exe 2088 Oaigib32.exe 2492 Obkcajde.exe 2856 Ofilgh32.exe 1732 Pndalkgf.exe 1496 Ppcmfn32.exe 472 Pepfnd32.exe 2600 Pjmnfk32.exe 836 Pllkpn32.exe 564 Peeoidik.exe 1020 Pfflql32.exe 2220 Palpneop.exe 1836 Pdjljpnc.exe 1540 Qigebglj.exe 1340 Qboikm32.exe 1360 Qlgndbil.exe 2468 Apefjqob.exe 760 Ainkcf32.exe 524 Ahchdb32.exe 2316 Bdaojbjf.exe 2232 Bcflko32.exe 2904 Bjpdhifk.exe 2992 Blnpddeo.exe 2440 Bfgdmjlp.exe 2544 Bplijcle.exe 3012 Bjembh32.exe 3004 Ckfjjqhd.exe 2724 Cdnncfoe.exe 1088 Clefdcog.exe 2108 Cbbomjnn.exe 1632 Cdqkifmb.exe 1768 Cgogealf.exe 1608 Cqglng32.exe 2524 Ckmpkpbl.exe 1060 Cqjhcfpc.exe 2276 Cgdqpq32.exe -
Loads dropped DLL 64 IoCs
Processes:
f3b3bfd21b7002cafe43dc54f22967a0N.exeJjjdhc32.exeJcciqi32.exeJedehaea.exeJnmiag32.exeJnofgg32.exeKhgkpl32.exeKekkiq32.exeKmfpmc32.exeKdphjm32.exeKmimcbja.exeLibjncnc.exeLgfjggll.exeLcmklh32.exeLcohahpn.exeLkjmfjmi.exeLhnmoo32.exeMgcjpkak.exeMdgkjopd.exeMakkcc32.exeMjfphf32.exeMdldeo32.exeMjkibehc.exeNccnlk32.exeNjmfhe32.exeNcfjajma.exeNmnojp32.exeNghpjn32.exeNbmdhfog.exeOgabql32.exeOaigib32.exeObkcajde.exepid process 2444 f3b3bfd21b7002cafe43dc54f22967a0N.exe 2444 f3b3bfd21b7002cafe43dc54f22967a0N.exe 548 Jjjdhc32.exe 548 Jjjdhc32.exe 2228 Jcciqi32.exe 2228 Jcciqi32.exe 2748 Jedehaea.exe 2748 Jedehaea.exe 2708 Jnmiag32.exe 2708 Jnmiag32.exe 2988 Jnofgg32.exe 2988 Jnofgg32.exe 928 Khgkpl32.exe 928 Khgkpl32.exe 3000 Kekkiq32.exe 3000 Kekkiq32.exe 2344 Kmfpmc32.exe 2344 Kmfpmc32.exe 2768 Kdphjm32.exe 2768 Kdphjm32.exe 1724 Kmimcbja.exe 1724 Kmimcbja.exe 584 Libjncnc.exe 584 Libjncnc.exe 2336 Lgfjggll.exe 2336 Lgfjggll.exe 2612 Lcmklh32.exe 2612 Lcmklh32.exe 3028 Lcohahpn.exe 3028 Lcohahpn.exe 932 Lkjmfjmi.exe 932 Lkjmfjmi.exe 976 Lhnmoo32.exe 976 Lhnmoo32.exe 340 Mgcjpkak.exe 340 Mgcjpkak.exe 872 Mdgkjopd.exe 872 Mdgkjopd.exe 1276 Makkcc32.exe 1276 Makkcc32.exe 2924 Mjfphf32.exe 2924 Mjfphf32.exe 1576 Mdldeo32.exe 1576 Mdldeo32.exe 2284 Mjkibehc.exe 2284 Mjkibehc.exe 2408 Nccnlk32.exe 2408 Nccnlk32.exe 2024 Njmfhe32.exe 2024 Njmfhe32.exe 2216 Ncfjajma.exe 2216 Ncfjajma.exe 1600 Nmnojp32.exe 1600 Nmnojp32.exe 1436 Nghpjn32.exe 1436 Nghpjn32.exe 2548 Nbmdhfog.exe 2548 Nbmdhfog.exe 2796 Ogabql32.exe 2796 Ogabql32.exe 2088 Oaigib32.exe 2088 Oaigib32.exe 2492 Obkcajde.exe 2492 Obkcajde.exe -
Drops file in System32 directory 64 IoCs
Processes:
Camqpnel.exeJcfgoadd.exeDfpfke32.exeJbakpi32.exeNmmjjk32.exeApefjqob.exeLkifkdjm.exeOabplobe.exeLbgkfbbj.exeJnmiag32.exeFpkchm32.exeBahelebm.exeJcckibfg.exeKecmfg32.exeIpdolbbj.exeAjociq32.exeAidpjm32.exeHofqpc32.exeBhdjno32.exeFedfgejh.exeKikokf32.exeGibkmgcj.exeKnoaeimg.exeMaocekoo.exeJnofgg32.exeCgogealf.exeJbnlaqhi.exeDnhefh32.exeKiemmh32.exeDkblohek.exeGhpkbn32.exeLmfgkh32.exeEbockkal.exeJjmcfl32.exeKkalcdao.exePjofjm32.exeLhdcojaa.exeOdflmp32.exeCcqhdmbc.exeHeqimm32.exeNgpcohbm.exeMkaeob32.exePmkdhq32.exeAblbjj32.exeFmodaadg.exeCpdhna32.exeOmqjgl32.exeHjggap32.exeEpcddopf.exeAljmbknm.exeOgbldk32.exePbblkaea.exeAjjinaco.exeGenlgnhd.exeDqinhcoc.exeFhglop32.exeFfboohnm.exeFefcmehe.exeNcdpdcfh.exeMcbmmbhb.exeQfkgdd32.exeFmaqgaae.exedescription ioc process File created C:\Windows\SysWOW64\Jkcgmf32.dll Camqpnel.exe File created C:\Windows\SysWOW64\Dmhpkkdp.dll Jcfgoadd.exe File opened for modification C:\Windows\SysWOW64\Ekpkhkji.exe Dfpfke32.exe File created C:\Windows\SysWOW64\Cadbgifg.dll Jbakpi32.exe File opened for modification C:\Windows\SysWOW64\Ndgbgefh.exe Nmmjjk32.exe File created C:\Windows\SysWOW64\Ainkcf32.exe Apefjqob.exe File created C:\Windows\SysWOW64\Aopbmapo.dll Lkifkdjm.exe File created C:\Windows\SysWOW64\Occlcg32.exe Oabplobe.exe File created C:\Windows\SysWOW64\Lhdcojaa.exe Lbgkfbbj.exe File created C:\Windows\SysWOW64\Jnofgg32.exe Jnmiag32.exe File opened for modification C:\Windows\SysWOW64\Ffeldglk.exe Fpkchm32.exe File created C:\Windows\SysWOW64\Blniinac.exe Bahelebm.exe File opened for modification C:\Windows\SysWOW64\Jjmcfl32.exe Jcckibfg.exe File created C:\Windows\SysWOW64\Mpenafkn.dll Kecmfg32.exe File created C:\Windows\SysWOW64\Ikicikap.exe Ipdolbbj.exe File created C:\Windows\SysWOW64\Mhpioaop.dll Ajociq32.exe File created C:\Windows\SysWOW64\Acjdgf32.exe Aidpjm32.exe File created C:\Windows\SysWOW64\Oebblmoe.dll Hofqpc32.exe File opened for modification C:\Windows\SysWOW64\Cnabffeo.exe Bhdjno32.exe File created C:\Windows\SysWOW64\Fhbbcail.exe Fedfgejh.exe File opened for modification C:\Windows\SysWOW64\Kodghqop.exe Kikokf32.exe File created C:\Windows\SysWOW64\Edoblfhf.dll Gibkmgcj.exe File created C:\Windows\SysWOW64\Eldplnan.dll Knoaeimg.exe File opened for modification C:\Windows\SysWOW64\Mifkfhpa.exe Maocekoo.exe File opened for modification C:\Windows\SysWOW64\Khgkpl32.exe Jnofgg32.exe File opened for modification C:\Windows\SysWOW64\Cqglng32.exe Cgogealf.exe File created C:\Windows\SysWOW64\Jkfpjf32.exe Jbnlaqhi.exe File created C:\Windows\SysWOW64\Bgjond32.dll Dnhefh32.exe File created C:\Windows\SysWOW64\Fcijnhod.dll Kiemmh32.exe File created C:\Windows\SysWOW64\Jkfapl32.dll Dkblohek.exe File opened for modification C:\Windows\SysWOW64\Gnicoh32.exe Ghpkbn32.exe File created C:\Windows\SysWOW64\Lbbbnidk.dll Lmfgkh32.exe File opened for modification C:\Windows\SysWOW64\Llkbcl32.exe Lkifkdjm.exe File created C:\Windows\SysWOW64\Eiilge32.exe Ebockkal.exe File created C:\Windows\SysWOW64\Jkopndcb.exe Jjmcfl32.exe File created C:\Windows\SysWOW64\Kbkdpnil.exe Kkalcdao.exe File opened for modification C:\Windows\SysWOW64\Polobd32.exe Pjofjm32.exe File created C:\Windows\SysWOW64\Lalhgogb.exe Lhdcojaa.exe File created C:\Windows\SysWOW64\Okpdjjil.exe Odflmp32.exe File created C:\Windows\SysWOW64\Cjjpag32.exe Ccqhdmbc.exe File created C:\Windows\SysWOW64\Hljaigmo.exe Heqimm32.exe File created C:\Windows\SysWOW64\Nphghn32.exe Ngpcohbm.exe File created C:\Windows\SysWOW64\Aghijlbj.dll Mkaeob32.exe File opened for modification C:\Windows\SysWOW64\Pbglpg32.exe Pmkdhq32.exe File created C:\Windows\SysWOW64\Geogecdd.dll Ablbjj32.exe File created C:\Windows\SysWOW64\Mgmhmkfc.dll Fmodaadg.exe File created C:\Windows\SysWOW64\Cljamifd.dll Cpdhna32.exe File opened for modification C:\Windows\SysWOW64\Eiilge32.exe Ebockkal.exe File created C:\Windows\SysWOW64\Lpjqnpjb.dll Omqjgl32.exe File created C:\Windows\SysWOW64\Iqapnjli.exe Hjggap32.exe File created C:\Windows\SysWOW64\Efmlqigc.exe Epcddopf.exe File created C:\Windows\SysWOW64\Kljmfe32.dll Aljmbknm.exe File opened for modification C:\Windows\SysWOW64\Onldqejb.exe Ogbldk32.exe File created C:\Windows\SysWOW64\Mhcqcl32.dll Pbblkaea.exe File opened for modification C:\Windows\SysWOW64\Aadakl32.exe Ajjinaco.exe File created C:\Windows\SysWOW64\Hofqpc32.exe Genlgnhd.exe File created C:\Windows\SysWOW64\Ilpcfn32.dll Dqinhcoc.exe File created C:\Windows\SysWOW64\Fnadkjlc.exe Fhglop32.exe File opened for modification C:\Windows\SysWOW64\Fpkchm32.exe Ffboohnm.exe File opened for modification C:\Windows\SysWOW64\Fjckelfm.exe Fefcmehe.exe File opened for modification C:\Windows\SysWOW64\Nhqhmj32.exe Ncdpdcfh.exe File opened for modification C:\Windows\SysWOW64\Mjlejl32.exe Mcbmmbhb.exe File created C:\Windows\SysWOW64\Fgielf32.dll Qfkgdd32.exe File opened for modification C:\Windows\SysWOW64\Fppmcmah.exe Fmaqgaae.exe -
Program crash 1 IoCs
Processes:
WerFault.exepid pid_target process target process 7056 2380 WerFault.exe Gajjhkgh.exe -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
Clefdcog.exePbpoebgc.exeQlgndbil.exeQemomb32.exeCjhckg32.exeJbakpi32.exeMcbmmbhb.exeMkggnp32.exeJijacjnc.exePodpoffm.exeFnmjpk32.exeKbqgolpf.exeHhcndhap.exeQcjoci32.exeHkejnl32.exeKodghqop.exeBakaaepk.exeJbedkhie.exeOahbjmjp.exeQnqjkh32.exeIhiabfhk.exeOnipqp32.exeCkmbdh32.exeIhdmld32.exeQidckjae.exeMakkcc32.exePeeoidik.exeDcjaeamd.exeMacjgadf.exePaafmp32.exeBhdjno32.exeObnbpb32.exeKkalcdao.exeNnbjpqoa.exePmqffonj.exeFacfpddd.exeHbpbck32.exeQboikm32.exeBlnpddeo.exeKecmfg32.exeDphhka32.exeIqllghon.exeLamjph32.exeIianmlfn.exeKaholp32.exeEfmlqigc.exeJcfgoadd.exeFejifdab.exeMheeif32.exeDfinam32.exeFacdgl32.exeFhmldfdm.exeGkbnap32.exeLgpfpe32.exeKmklak32.exeMeemgk32.exeGbbbjg32.exeOgbldk32.exeDnckki32.exeGplcia32.exeHiockd32.exeIhnjmf32.exeMdoccg32.exeNhqhmj32.exedescription ioc process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Clefdcog.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pbpoebgc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qlgndbil.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qemomb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cjhckg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jbakpi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mcbmmbhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mkggnp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jijacjnc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Podpoffm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fnmjpk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kbqgolpf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hhcndhap.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qcjoci32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hkejnl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kodghqop.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bakaaepk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jbedkhie.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oahbjmjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qnqjkh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ihiabfhk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Onipqp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ckmbdh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ihdmld32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qidckjae.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Makkcc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Peeoidik.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dcjaeamd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Macjgadf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Paafmp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bhdjno32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Obnbpb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kkalcdao.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nnbjpqoa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pmqffonj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Facfpddd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hbpbck32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qboikm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Blnpddeo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kecmfg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dphhka32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iqllghon.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lamjph32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iianmlfn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kaholp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Efmlqigc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jcfgoadd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fejifdab.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mheeif32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dfinam32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Facdgl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fhmldfdm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gkbnap32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lgpfpe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kmklak32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Meemgk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gbbbjg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ogbldk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dnckki32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gplcia32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hiockd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ihnjmf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mdoccg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nhqhmj32.exe -
Modifies registry class 64 IoCs
Processes:
Oklmhcdf.exePfqlkfoc.exePhgannal.exePeeabm32.exeFacfpddd.exeGhpkbn32.exePjmnfk32.exeBcflko32.exePefhlcdk.exeBdcnhk32.exeKnoaeimg.exeCgogealf.exeFmodaadg.exeCfhlbe32.exeJcciqi32.exeJnmiag32.exeKpdeoh32.exeObcffefa.exeCdqkifmb.exeIqllghon.exeGkpakq32.exeJkopndcb.exeLnlaomae.exeAjociq32.exePepfnd32.exeGeqlnjcf.exeMhhiiloh.exeCccdjl32.exeEfoifiep.exeAfpapcnc.exeDcjaeamd.exeHhcndhap.exeMkibjgli.exeDhgccbhp.exeDnfhqi32.exeEbockkal.exeMeemgk32.exeIpdolbbj.exeBmdefk32.exeFejfmk32.exeCobhdhha.exeKbcddlnd.exeLamjph32.exeMcbmmbhb.exeCpejfjha.exeKmimcbja.exeImhqbkbm.exeBmgifa32.exeJdogldmo.exeCpjklo32.exeJclnnmic.exeMeffjjln.exeJgppmpjp.exeLgfjggll.exeIgcgnbim.exeMkaeob32.exeGjemoi32.exeGcppkbia.exeGenlgnhd.exeQidckjae.exeAkjfhdka.exeIejkhlip.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gpboioea.dll" Oklmhcdf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pfqlkfoc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Heiebkoj.dll" Phgannal.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dmpgan32.dll" Peeabm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Facfpddd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ghpkbn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pjmnfk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eeomnifk.dll" Bcflko32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Djqdbbek.dll" Pefhlcdk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bdcnhk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Knoaeimg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cgogealf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fmodaadg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gegknghg.dll" Cfhlbe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iddpheep.dll" Jcciqi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jnmiag32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kpdeoh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Obcffefa.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cdqkifmb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Iqllghon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Peeabm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gkpakq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jkopndcb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cldcdi32.dll" Lnlaomae.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ajociq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pepfnd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Geqlnjcf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mhhiiloh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ddbdimmi.dll" Cccdjl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Efoifiep.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pohoplja.dll" Afpapcnc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jnllkimj.dll" Dcjaeamd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hhcndhap.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mkibjgli.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dhgccbhp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dnfhqi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ebockkal.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Meemgk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ipdolbbj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bmdefk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ppgeni32.dll" Fejfmk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cobhdhha.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ijcbdhqk.dll" Kbcddlnd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lamjph32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mcbmmbhb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elookl32.dll" Cpejfjha.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kmimcbja.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Imhqbkbm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bijpeihq.dll" Bmgifa32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jdogldmo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Endbib32.dll" Cpjklo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jclnnmic.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Meffjjln.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fgokbo32.dll" Jgppmpjp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lgfjggll.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Igcgnbim.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aghijlbj.dll" Mkaeob32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cobhdhha.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oijehm32.dll" Gjemoi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gcppkbia.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Genlgnhd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ljmien32.dll" Qidckjae.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iqkcelpl.dll" Akjfhdka.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Iejkhlip.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
f3b3bfd21b7002cafe43dc54f22967a0N.exeJjjdhc32.exeJcciqi32.exeJedehaea.exeJnmiag32.exeJnofgg32.exeKhgkpl32.exeKekkiq32.exeKmfpmc32.exeKdphjm32.exeKmimcbja.exeLibjncnc.exeLgfjggll.exeLcmklh32.exeLcohahpn.exeLkjmfjmi.exedescription pid process target process PID 2444 wrote to memory of 548 2444 f3b3bfd21b7002cafe43dc54f22967a0N.exe Jjjdhc32.exe PID 2444 wrote to memory of 548 2444 f3b3bfd21b7002cafe43dc54f22967a0N.exe Jjjdhc32.exe PID 2444 wrote to memory of 548 2444 f3b3bfd21b7002cafe43dc54f22967a0N.exe Jjjdhc32.exe PID 2444 wrote to memory of 548 2444 f3b3bfd21b7002cafe43dc54f22967a0N.exe Jjjdhc32.exe PID 548 wrote to memory of 2228 548 Jjjdhc32.exe Jcciqi32.exe PID 548 wrote to memory of 2228 548 Jjjdhc32.exe Jcciqi32.exe PID 548 wrote to memory of 2228 548 Jjjdhc32.exe Jcciqi32.exe PID 548 wrote to memory of 2228 548 Jjjdhc32.exe Jcciqi32.exe PID 2228 wrote to memory of 2748 2228 Jcciqi32.exe Jedehaea.exe PID 2228 wrote to memory of 2748 2228 Jcciqi32.exe Jedehaea.exe PID 2228 wrote to memory of 2748 2228 Jcciqi32.exe Jedehaea.exe PID 2228 wrote to memory of 2748 2228 Jcciqi32.exe Jedehaea.exe PID 2748 wrote to memory of 2708 2748 Jedehaea.exe Jnmiag32.exe PID 2748 wrote to memory of 2708 2748 Jedehaea.exe Jnmiag32.exe PID 2748 wrote to memory of 2708 2748 Jedehaea.exe Jnmiag32.exe PID 2748 wrote to memory of 2708 2748 Jedehaea.exe Jnmiag32.exe PID 2708 wrote to memory of 2988 2708 Jnmiag32.exe Jnofgg32.exe PID 2708 wrote to memory of 2988 2708 Jnmiag32.exe Jnofgg32.exe PID 2708 wrote to memory of 2988 2708 Jnmiag32.exe Jnofgg32.exe PID 2708 wrote to memory of 2988 2708 Jnmiag32.exe Jnofgg32.exe PID 2988 wrote to memory of 928 2988 Jnofgg32.exe Khgkpl32.exe PID 2988 wrote to memory of 928 2988 Jnofgg32.exe Khgkpl32.exe PID 2988 wrote to memory of 928 2988 Jnofgg32.exe Khgkpl32.exe PID 2988 wrote to memory of 928 2988 Jnofgg32.exe Khgkpl32.exe PID 928 wrote to memory of 3000 928 Khgkpl32.exe Kekkiq32.exe PID 928 wrote to memory of 3000 928 Khgkpl32.exe Kekkiq32.exe PID 928 wrote to memory of 3000 928 Khgkpl32.exe Kekkiq32.exe PID 928 wrote to memory of 3000 928 Khgkpl32.exe Kekkiq32.exe PID 3000 wrote to memory of 2344 3000 Kekkiq32.exe Kmfpmc32.exe PID 3000 wrote to memory of 2344 3000 Kekkiq32.exe Kmfpmc32.exe PID 3000 wrote to memory of 2344 3000 Kekkiq32.exe Kmfpmc32.exe PID 3000 wrote to memory of 2344 3000 Kekkiq32.exe Kmfpmc32.exe PID 2344 wrote to memory of 2768 2344 Kmfpmc32.exe Kdphjm32.exe PID 2344 wrote to memory of 2768 2344 Kmfpmc32.exe Kdphjm32.exe PID 2344 wrote to memory of 2768 2344 Kmfpmc32.exe Kdphjm32.exe PID 2344 wrote to memory of 2768 2344 Kmfpmc32.exe Kdphjm32.exe PID 2768 wrote to memory of 1724 2768 Kdphjm32.exe Kmimcbja.exe PID 2768 wrote to memory of 1724 2768 Kdphjm32.exe Kmimcbja.exe PID 2768 wrote to memory of 1724 2768 Kdphjm32.exe Kmimcbja.exe PID 2768 wrote to memory of 1724 2768 Kdphjm32.exe Kmimcbja.exe PID 1724 wrote to memory of 584 1724 Kmimcbja.exe Libjncnc.exe PID 1724 wrote to memory of 584 1724 Kmimcbja.exe Libjncnc.exe PID 1724 wrote to memory of 584 1724 Kmimcbja.exe Libjncnc.exe PID 1724 wrote to memory of 584 1724 Kmimcbja.exe Libjncnc.exe PID 584 wrote to memory of 2336 584 Libjncnc.exe Lgfjggll.exe PID 584 wrote to memory of 2336 584 Libjncnc.exe Lgfjggll.exe PID 584 wrote to memory of 2336 584 Libjncnc.exe Lgfjggll.exe PID 584 wrote to memory of 2336 584 Libjncnc.exe Lgfjggll.exe PID 2336 wrote to memory of 2612 2336 Lgfjggll.exe Lcmklh32.exe PID 2336 wrote to memory of 2612 2336 Lgfjggll.exe Lcmklh32.exe PID 2336 wrote to memory of 2612 2336 Lgfjggll.exe Lcmklh32.exe PID 2336 wrote to memory of 2612 2336 Lgfjggll.exe Lcmklh32.exe PID 2612 wrote to memory of 3028 2612 Lcmklh32.exe Lcohahpn.exe PID 2612 wrote to memory of 3028 2612 Lcmklh32.exe Lcohahpn.exe PID 2612 wrote to memory of 3028 2612 Lcmklh32.exe Lcohahpn.exe PID 2612 wrote to memory of 3028 2612 Lcmklh32.exe Lcohahpn.exe PID 3028 wrote to memory of 932 3028 Lcohahpn.exe Lkjmfjmi.exe PID 3028 wrote to memory of 932 3028 Lcohahpn.exe Lkjmfjmi.exe PID 3028 wrote to memory of 932 3028 Lcohahpn.exe Lkjmfjmi.exe PID 3028 wrote to memory of 932 3028 Lcohahpn.exe Lkjmfjmi.exe PID 932 wrote to memory of 976 932 Lkjmfjmi.exe Lhnmoo32.exe PID 932 wrote to memory of 976 932 Lkjmfjmi.exe Lhnmoo32.exe PID 932 wrote to memory of 976 932 Lkjmfjmi.exe Lhnmoo32.exe PID 932 wrote to memory of 976 932 Lkjmfjmi.exe Lhnmoo32.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\f3b3bfd21b7002cafe43dc54f22967a0N.exe"C:\Users\Admin\AppData\Local\Temp\f3b3bfd21b7002cafe43dc54f22967a0N.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2444 -
C:\Windows\SysWOW64\Jjjdhc32.exeC:\Windows\system32\Jjjdhc32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:548 -
C:\Windows\SysWOW64\Jcciqi32.exeC:\Windows\system32\Jcciqi32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2228 -
C:\Windows\SysWOW64\Jedehaea.exeC:\Windows\system32\Jedehaea.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2748 -
C:\Windows\SysWOW64\Jnmiag32.exeC:\Windows\system32\Jnmiag32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2708 -
C:\Windows\SysWOW64\Jnofgg32.exeC:\Windows\system32\Jnofgg32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2988 -
C:\Windows\SysWOW64\Khgkpl32.exeC:\Windows\system32\Khgkpl32.exe7⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:928 -
C:\Windows\SysWOW64\Kekkiq32.exeC:\Windows\system32\Kekkiq32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3000 -
C:\Windows\SysWOW64\Kmfpmc32.exeC:\Windows\system32\Kmfpmc32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2344 -
C:\Windows\SysWOW64\Kdphjm32.exeC:\Windows\system32\Kdphjm32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2768 -
C:\Windows\SysWOW64\Kmimcbja.exeC:\Windows\system32\Kmimcbja.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1724 -
C:\Windows\SysWOW64\Libjncnc.exeC:\Windows\system32\Libjncnc.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:584 -
C:\Windows\SysWOW64\Lgfjggll.exeC:\Windows\system32\Lgfjggll.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2336 -
C:\Windows\SysWOW64\Lcmklh32.exeC:\Windows\system32\Lcmklh32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2612 -
C:\Windows\SysWOW64\Lcohahpn.exeC:\Windows\system32\Lcohahpn.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3028 -
C:\Windows\SysWOW64\Lkjmfjmi.exeC:\Windows\system32\Lkjmfjmi.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:932 -
C:\Windows\SysWOW64\Lhnmoo32.exeC:\Windows\system32\Lhnmoo32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:976 -
C:\Windows\SysWOW64\Mgcjpkak.exeC:\Windows\system32\Mgcjpkak.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:340 -
C:\Windows\SysWOW64\Mdgkjopd.exeC:\Windows\system32\Mdgkjopd.exe19⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:872 -
C:\Windows\SysWOW64\Makkcc32.exeC:\Windows\system32\Makkcc32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1276 -
C:\Windows\SysWOW64\Mjfphf32.exeC:\Windows\system32\Mjfphf32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2924 -
C:\Windows\SysWOW64\Mdldeo32.exeC:\Windows\system32\Mdldeo32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1576 -
C:\Windows\SysWOW64\Mjkibehc.exeC:\Windows\system32\Mjkibehc.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2284 -
C:\Windows\SysWOW64\Nccnlk32.exeC:\Windows\system32\Nccnlk32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2408 -
C:\Windows\SysWOW64\Njmfhe32.exeC:\Windows\system32\Njmfhe32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2024 -
C:\Windows\SysWOW64\Ncfjajma.exeC:\Windows\system32\Ncfjajma.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2216 -
C:\Windows\SysWOW64\Nmnojp32.exeC:\Windows\system32\Nmnojp32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1600 -
C:\Windows\SysWOW64\Nghpjn32.exeC:\Windows\system32\Nghpjn32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1436 -
C:\Windows\SysWOW64\Nbmdhfog.exeC:\Windows\system32\Nbmdhfog.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2548 -
C:\Windows\SysWOW64\Ogabql32.exeC:\Windows\system32\Ogabql32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2796 -
C:\Windows\SysWOW64\Oaigib32.exeC:\Windows\system32\Oaigib32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2088 -
C:\Windows\SysWOW64\Obkcajde.exeC:\Windows\system32\Obkcajde.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2492 -
C:\Windows\SysWOW64\Ofilgh32.exeC:\Windows\system32\Ofilgh32.exe33⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2856 -
C:\Windows\SysWOW64\Pndalkgf.exeC:\Windows\system32\Pndalkgf.exe34⤵
- Executes dropped EXE
PID:1732 -
C:\Windows\SysWOW64\Ppcmfn32.exeC:\Windows\system32\Ppcmfn32.exe35⤵
- Executes dropped EXE
PID:1496 -
C:\Windows\SysWOW64\Pepfnd32.exeC:\Windows\system32\Pepfnd32.exe36⤵
- Executes dropped EXE
- Modifies registry class
PID:472 -
C:\Windows\SysWOW64\Pjmnfk32.exeC:\Windows\system32\Pjmnfk32.exe37⤵
- Executes dropped EXE
- Modifies registry class
PID:2600 -
C:\Windows\SysWOW64\Pllkpn32.exeC:\Windows\system32\Pllkpn32.exe38⤵
- Executes dropped EXE
PID:836 -
C:\Windows\SysWOW64\Peeoidik.exeC:\Windows\system32\Peeoidik.exe39⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:564 -
C:\Windows\SysWOW64\Pfflql32.exeC:\Windows\system32\Pfflql32.exe40⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1020 -
C:\Windows\SysWOW64\Palpneop.exeC:\Windows\system32\Palpneop.exe41⤵
- Executes dropped EXE
PID:2220 -
C:\Windows\SysWOW64\Pdjljpnc.exeC:\Windows\system32\Pdjljpnc.exe42⤵
- Executes dropped EXE
PID:1836 -
C:\Windows\SysWOW64\Qigebglj.exeC:\Windows\system32\Qigebglj.exe43⤵
- Executes dropped EXE
PID:1540 -
C:\Windows\SysWOW64\Qboikm32.exeC:\Windows\system32\Qboikm32.exe44⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1340 -
C:\Windows\SysWOW64\Qlgndbil.exeC:\Windows\system32\Qlgndbil.exe45⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1360 -
C:\Windows\SysWOW64\Apefjqob.exeC:\Windows\system32\Apefjqob.exe46⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2468 -
C:\Windows\SysWOW64\Ainkcf32.exeC:\Windows\system32\Ainkcf32.exe47⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:760 -
C:\Windows\SysWOW64\Ahchdb32.exeC:\Windows\system32\Ahchdb32.exe48⤵
- Executes dropped EXE
PID:524 -
C:\Windows\SysWOW64\Bdaojbjf.exeC:\Windows\system32\Bdaojbjf.exe49⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2316 -
C:\Windows\SysWOW64\Bcflko32.exeC:\Windows\system32\Bcflko32.exe50⤵
- Executes dropped EXE
- Modifies registry class
PID:2232 -
C:\Windows\SysWOW64\Bjpdhifk.exeC:\Windows\system32\Bjpdhifk.exe51⤵
- Executes dropped EXE
PID:2904 -
C:\Windows\SysWOW64\Blnpddeo.exeC:\Windows\system32\Blnpddeo.exe52⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2992 -
C:\Windows\SysWOW64\Bfgdmjlp.exeC:\Windows\system32\Bfgdmjlp.exe53⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2440 -
C:\Windows\SysWOW64\Bplijcle.exeC:\Windows\system32\Bplijcle.exe54⤵
- Executes dropped EXE
PID:2544 -
C:\Windows\SysWOW64\Bjembh32.exeC:\Windows\system32\Bjembh32.exe55⤵
- Executes dropped EXE
PID:3012 -
C:\Windows\SysWOW64\Ckfjjqhd.exeC:\Windows\system32\Ckfjjqhd.exe56⤵
- Executes dropped EXE
PID:3004 -
C:\Windows\SysWOW64\Cdnncfoe.exeC:\Windows\system32\Cdnncfoe.exe57⤵
- Executes dropped EXE
PID:2724 -
C:\Windows\SysWOW64\Clefdcog.exeC:\Windows\system32\Clefdcog.exe58⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1088 -
C:\Windows\SysWOW64\Cbbomjnn.exeC:\Windows\system32\Cbbomjnn.exe59⤵
- Executes dropped EXE
PID:2108 -
C:\Windows\SysWOW64\Cdqkifmb.exeC:\Windows\system32\Cdqkifmb.exe60⤵
- Executes dropped EXE
- Modifies registry class
PID:1632 -
C:\Windows\SysWOW64\Cgogealf.exeC:\Windows\system32\Cgogealf.exe61⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1768 -
C:\Windows\SysWOW64\Cqglng32.exeC:\Windows\system32\Cqglng32.exe62⤵
- Executes dropped EXE
PID:1608 -
C:\Windows\SysWOW64\Ckmpkpbl.exeC:\Windows\system32\Ckmpkpbl.exe63⤵
- Executes dropped EXE
PID:2524 -
C:\Windows\SysWOW64\Cqjhcfpc.exeC:\Windows\system32\Cqjhcfpc.exe64⤵
- Executes dropped EXE
PID:1060 -
C:\Windows\SysWOW64\Cgdqpq32.exeC:\Windows\system32\Cgdqpq32.exe65⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2276 -
C:\Windows\SysWOW64\Cmqihg32.exeC:\Windows\system32\Cmqihg32.exe66⤵PID:2076
-
C:\Windows\SysWOW64\Dcjaeamd.exeC:\Windows\system32\Dcjaeamd.exe67⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:3048 -
C:\Windows\SysWOW64\Dfinam32.exeC:\Windows\system32\Dfinam32.exe68⤵
- System Location Discovery: System Language Discovery
PID:2060 -
C:\Windows\SysWOW64\Dqobnf32.exeC:\Windows\system32\Dqobnf32.exe69⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2452 -
C:\Windows\SysWOW64\Dghjkpck.exeC:\Windows\system32\Dghjkpck.exe70⤵PID:2696
-
C:\Windows\SysWOW64\Dmebcgbb.exeC:\Windows\system32\Dmebcgbb.exe71⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2832 -
C:\Windows\SysWOW64\Dcokpa32.exeC:\Windows\system32\Dcokpa32.exe72⤵PID:2744
-
C:\Windows\SysWOW64\Djicmk32.exeC:\Windows\system32\Djicmk32.exe73⤵PID:1072
-
C:\Windows\SysWOW64\Dcageqgm.exeC:\Windows\system32\Dcageqgm.exe74⤵PID:2576
-
C:\Windows\SysWOW64\Dinpnged.exeC:\Windows\system32\Dinpnged.exe75⤵PID:1780
-
C:\Windows\SysWOW64\Dphhka32.exeC:\Windows\system32\Dphhka32.exe76⤵
- System Location Discovery: System Language Discovery
PID:2928 -
C:\Windows\SysWOW64\Dfbqgldn.exeC:\Windows\system32\Dfbqgldn.exe77⤵PID:2136
-
C:\Windows\SysWOW64\Eloipb32.exeC:\Windows\system32\Eloipb32.exe78⤵PID:2948
-
C:\Windows\SysWOW64\Ebialmjb.exeC:\Windows\system32\Ebialmjb.exe79⤵PID:1840
-
C:\Windows\SysWOW64\Elaeeb32.exeC:\Windows\system32\Elaeeb32.exe80⤵PID:1428
-
C:\Windows\SysWOW64\Eejjnhgc.exeC:\Windows\system32\Eejjnhgc.exe81⤵PID:1640
-
C:\Windows\SysWOW64\Eldbkbop.exeC:\Windows\system32\Eldbkbop.exe82⤵PID:2424
-
C:\Windows\SysWOW64\Emeobj32.exeC:\Windows\system32\Emeobj32.exe83⤵PID:1800
-
C:\Windows\SysWOW64\Ecogodlk.exeC:\Windows\system32\Ecogodlk.exe84⤵PID:2712
-
C:\Windows\SysWOW64\Ejioln32.exeC:\Windows\system32\Ejioln32.exe85⤵PID:2328
-
C:\Windows\SysWOW64\Ecadddjh.exeC:\Windows\system32\Ecadddjh.exe86⤵PID:1636
-
C:\Windows\SysWOW64\Ejklan32.exeC:\Windows\system32\Ejklan32.exe87⤵PID:788
-
C:\Windows\SysWOW64\Edcqjc32.exeC:\Windows\system32\Edcqjc32.exe88⤵PID:2240
-
C:\Windows\SysWOW64\Fjnignob.exeC:\Windows\system32\Fjnignob.exe89⤵PID:2616
-
C:\Windows\SysWOW64\Fmlecinf.exeC:\Windows\system32\Fmlecinf.exe90⤵PID:2736
-
C:\Windows\SysWOW64\Fdfmpc32.exeC:\Windows\system32\Fdfmpc32.exe91⤵PID:2624
-
C:\Windows\SysWOW64\Fegjgkla.exeC:\Windows\system32\Fegjgkla.exe92⤵PID:1996
-
C:\Windows\SysWOW64\Flabdecn.exeC:\Windows\system32\Flabdecn.exe93⤵PID:1372
-
C:\Windows\SysWOW64\Fejfmk32.exeC:\Windows\system32\Fejfmk32.exe94⤵
- Modifies registry class
PID:2804 -
C:\Windows\SysWOW64\Flcojeak.exeC:\Windows\system32\Flcojeak.exe95⤵PID:756
-
C:\Windows\SysWOW64\Fobkfqpo.exeC:\Windows\system32\Fobkfqpo.exe96⤵PID:2172
-
C:\Windows\SysWOW64\Figocipe.exeC:\Windows\system32\Figocipe.exe97⤵PID:2808
-
C:\Windows\SysWOW64\Flfkoeoh.exeC:\Windows\system32\Flfkoeoh.exe98⤵PID:1664
-
C:\Windows\SysWOW64\Facdgl32.exeC:\Windows\system32\Facdgl32.exe99⤵
- System Location Discovery: System Language Discovery
PID:2764 -
C:\Windows\SysWOW64\Fhmldfdm.exeC:\Windows\system32\Fhmldfdm.exe100⤵
- System Location Discovery: System Language Discovery
PID:2112 -
C:\Windows\SysWOW64\Fogdap32.exeC:\Windows\system32\Fogdap32.exe101⤵PID:2520
-
C:\Windows\SysWOW64\Geqlnjcf.exeC:\Windows\system32\Geqlnjcf.exe102⤵
- Modifies registry class
PID:272 -
C:\Windows\SysWOW64\Gkmefaan.exeC:\Windows\system32\Gkmefaan.exe103⤵PID:1700
-
C:\Windows\SysWOW64\Goiafp32.exeC:\Windows\system32\Goiafp32.exe104⤵PID:2900
-
C:\Windows\SysWOW64\Gpjmnh32.exeC:\Windows\system32\Gpjmnh32.exe105⤵PID:1236
-
C:\Windows\SysWOW64\Gkpakq32.exeC:\Windows\system32\Gkpakq32.exe106⤵
- Modifies registry class
PID:1716 -
C:\Windows\SysWOW64\Gajjhkgh.exeC:\Windows\system32\Gajjhkgh.exe107⤵PID:2380
-
C:\Windows\SysWOW64\Gdhfdffl.exeC:\Windows\system32\Gdhfdffl.exe108⤵PID:2340
-
C:\Windows\SysWOW64\Gkbnap32.exeC:\Windows\system32\Gkbnap32.exe109⤵
- System Location Discovery: System Language Discovery
PID:2040 -
C:\Windows\SysWOW64\Glckihcg.exeC:\Windows\system32\Glckihcg.exe110⤵PID:2332
-
C:\Windows\SysWOW64\Ggiofa32.exeC:\Windows\system32\Ggiofa32.exe111⤵PID:2628
-
C:\Windows\SysWOW64\Gncgbkki.exeC:\Windows\system32\Gncgbkki.exe112⤵PID:1672
-
C:\Windows\SysWOW64\Gcppkbia.exeC:\Windows\system32\Gcppkbia.exe113⤵
- Modifies registry class
PID:2564 -
C:\Windows\SysWOW64\Genlgnhd.exeC:\Windows\system32\Genlgnhd.exe114⤵
- Drops file in System32 directory
- Modifies registry class
PID:2940 -
C:\Windows\SysWOW64\Hofqpc32.exeC:\Windows\system32\Hofqpc32.exe115⤵
- Drops file in System32 directory
PID:1524 -
C:\Windows\SysWOW64\Heqimm32.exeC:\Windows\system32\Heqimm32.exe116⤵
- Drops file in System32 directory
PID:1992 -
C:\Windows\SysWOW64\Hljaigmo.exeC:\Windows\system32\Hljaigmo.exe117⤵PID:1244
-
C:\Windows\SysWOW64\Hlmnogkl.exeC:\Windows\system32\Hlmnogkl.exe118⤵PID:2104
-
C:\Windows\SysWOW64\Hnnjfo32.exeC:\Windows\system32\Hnnjfo32.exe119⤵PID:3068
-
C:\Windows\SysWOW64\Hhcndhap.exeC:\Windows\system32\Hhcndhap.exe120⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1508 -
C:\Windows\SysWOW64\Hnpgloog.exeC:\Windows\system32\Hnpgloog.exe121⤵PID:2640
-
C:\Windows\SysWOW64\Hdjoii32.exeC:\Windows\system32\Hdjoii32.exe122⤵PID:2848
-
C:\Windows\SysWOW64\Hjggap32.exeC:\Windows\system32\Hjggap32.exe123⤵
- Drops file in System32 directory
PID:1728 -
C:\Windows\SysWOW64\Iqapnjli.exeC:\Windows\system32\Iqapnjli.exe124⤵PID:2800
-
C:\Windows\SysWOW64\Igkhjdde.exeC:\Windows\system32\Igkhjdde.exe125⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2680 -
C:\Windows\SysWOW64\Imhqbkbm.exeC:\Windows\system32\Imhqbkbm.exe126⤵
- Modifies registry class
PID:892 -
C:\Windows\SysWOW64\Idohdhbo.exeC:\Windows\system32\Idohdhbo.exe127⤵PID:2052
-
C:\Windows\SysWOW64\Ingmmn32.exeC:\Windows\system32\Ingmmn32.exe128⤵PID:2256
-
C:\Windows\SysWOW64\Ioiidfon.exeC:\Windows\system32\Ioiidfon.exe129⤵PID:1036
-
C:\Windows\SysWOW64\Ifbaapfk.exeC:\Windows\system32\Ifbaapfk.exe130⤵PID:2672
-
C:\Windows\SysWOW64\Iianmlfn.exeC:\Windows\system32\Iianmlfn.exe131⤵
- System Location Discovery: System Language Discovery
PID:280 -
C:\Windows\SysWOW64\Ifengpdh.exeC:\Windows\system32\Ifengpdh.exe132⤵PID:2976
-
C:\Windows\SysWOW64\Ikagogco.exeC:\Windows\system32\Ikagogco.exe133⤵PID:2956
-
C:\Windows\SysWOW64\Iejkhlip.exeC:\Windows\system32\Iejkhlip.exe134⤵
- Modifies registry class
PID:1756 -
C:\Windows\SysWOW64\Jkdcdf32.exeC:\Windows\system32\Jkdcdf32.exe135⤵PID:568
-
C:\Windows\SysWOW64\Jbnlaqhi.exeC:\Windows\system32\Jbnlaqhi.exe136⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2592 -
C:\Windows\SysWOW64\Jkfpjf32.exeC:\Windows\system32\Jkfpjf32.exe137⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1832 -
C:\Windows\SysWOW64\Jbphgpfg.exeC:\Windows\system32\Jbphgpfg.exe138⤵PID:2376
-
C:\Windows\SysWOW64\Jijacjnc.exeC:\Windows\system32\Jijacjnc.exe139⤵
- System Location Discovery: System Language Discovery
PID:3052 -
C:\Windows\SysWOW64\Jngilalk.exeC:\Windows\system32\Jngilalk.exe140⤵PID:2780
-
C:\Windows\SysWOW64\Jgpndg32.exeC:\Windows\system32\Jgpndg32.exe141⤵PID:1848
-
C:\Windows\SysWOW64\Kjepaa32.exeC:\Windows\system32\Kjepaa32.exe142⤵PID:2496
-
C:\Windows\SysWOW64\Klfmijae.exeC:\Windows\system32\Klfmijae.exe143⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1220 -
C:\Windows\SysWOW64\Kflafbak.exeC:\Windows\system32\Kflafbak.exe144⤵PID:2684
-
C:\Windows\SysWOW64\Kmficl32.exeC:\Windows\system32\Kmficl32.exe145⤵PID:2728
-
C:\Windows\SysWOW64\Kpdeoh32.exeC:\Windows\system32\Kpdeoh32.exe146⤵
- Modifies registry class
PID:2688 -
C:\Windows\SysWOW64\Kaholp32.exeC:\Windows\system32\Kaholp32.exe147⤵
- System Location Discovery: System Language Discovery
PID:1760 -
C:\Windows\SysWOW64\Klmbjh32.exeC:\Windows\system32\Klmbjh32.exe148⤵PID:2952
-
C:\Windows\SysWOW64\Lbgkfbbj.exeC:\Windows\system32\Lbgkfbbj.exe149⤵
- Drops file in System32 directory
PID:1908 -
C:\Windows\SysWOW64\Lhdcojaa.exeC:\Windows\system32\Lhdcojaa.exe150⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:1972 -
C:\Windows\SysWOW64\Lalhgogb.exeC:\Windows\system32\Lalhgogb.exe151⤵PID:332
-
C:\Windows\SysWOW64\Lhfpdi32.exeC:\Windows\system32\Lhfpdi32.exe152⤵PID:2960
-
C:\Windows\SysWOW64\Lmcilp32.exeC:\Windows\system32\Lmcilp32.exe153⤵PID:2004
-
C:\Windows\SysWOW64\Lhimji32.exeC:\Windows\system32\Lhimji32.exe154⤵PID:1188
-
C:\Windows\SysWOW64\Lijiaabk.exeC:\Windows\system32\Lijiaabk.exe155⤵PID:2324
-
C:\Windows\SysWOW64\Lpdankjg.exeC:\Windows\system32\Lpdankjg.exe156⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1464 -
C:\Windows\SysWOW64\Lkifkdjm.exeC:\Windows\system32\Lkifkdjm.exe157⤵
- Drops file in System32 directory
PID:3064 -
C:\Windows\SysWOW64\Llkbcl32.exeC:\Windows\system32\Llkbcl32.exe158⤵PID:2224
-
C:\Windows\SysWOW64\Lgpfpe32.exeC:\Windows\system32\Lgpfpe32.exe159⤵
- System Location Discovery: System Language Discovery
PID:2636 -
C:\Windows\SysWOW64\Mmjomogn.exeC:\Windows\system32\Mmjomogn.exe160⤵PID:2164
-
C:\Windows\SysWOW64\Mgbcfdmo.exeC:\Windows\system32\Mgbcfdmo.exe161⤵PID:1620
-
C:\Windows\SysWOW64\Miapbpmb.exeC:\Windows\system32\Miapbpmb.exe162⤵PID:396
-
C:\Windows\SysWOW64\Monhjgkj.exeC:\Windows\system32\Monhjgkj.exe163⤵PID:2844
-
C:\Windows\SysWOW64\Mehpga32.exeC:\Windows\system32\Mehpga32.exe164⤵PID:2716
-
C:\Windows\SysWOW64\Mopdpg32.exeC:\Windows\system32\Mopdpg32.exe165⤵PID:1748
-
C:\Windows\SysWOW64\Mhhiiloh.exeC:\Windows\system32\Mhhiiloh.exe166⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2064 -
C:\Windows\SysWOW64\Mneaacno.exeC:\Windows\system32\Mneaacno.exe167⤵PID:1096
-
C:\Windows\SysWOW64\Mdojnm32.exeC:\Windows\system32\Mdojnm32.exe168⤵PID:1628
-
C:\Windows\SysWOW64\Mkibjgli.exeC:\Windows\system32\Mkibjgli.exe169⤵
- Modifies registry class
PID:1128 -
C:\Windows\SysWOW64\Macjgadf.exeC:\Windows\system32\Macjgadf.exe170⤵
- System Location Discovery: System Language Discovery
PID:1520 -
C:\Windows\SysWOW64\Ngpcohbm.exeC:\Windows\system32\Ngpcohbm.exe171⤵
- Drops file in System32 directory
PID:2560 -
C:\Windows\SysWOW64\Nphghn32.exeC:\Windows\system32\Nphghn32.exe172⤵PID:2028
-
C:\Windows\SysWOW64\Nknkeg32.exeC:\Windows\system32\Nknkeg32.exe173⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1204 -
C:\Windows\SysWOW64\Npkdnnfk.exeC:\Windows\system32\Npkdnnfk.exe174⤵PID:768
-
C:\Windows\SysWOW64\Ngeljh32.exeC:\Windows\system32\Ngeljh32.exe175⤵PID:676
-
C:\Windows\SysWOW64\Nnodgbed.exeC:\Windows\system32\Nnodgbed.exe176⤵PID:1104
-
C:\Windows\SysWOW64\Nopaoj32.exeC:\Windows\system32\Nopaoj32.exe177⤵PID:3096
-
C:\Windows\SysWOW64\Njeelc32.exeC:\Windows\system32\Njeelc32.exe178⤵PID:3136
-
C:\Windows\SysWOW64\Nqpmimbe.exeC:\Windows\system32\Nqpmimbe.exe179⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3176 -
C:\Windows\SysWOW64\Njhbabif.exeC:\Windows\system32\Njhbabif.exe180⤵PID:3216
-
C:\Windows\SysWOW64\Okinik32.exeC:\Windows\system32\Okinik32.exe181⤵PID:3256
-
C:\Windows\SysWOW64\Obcffefa.exeC:\Windows\system32\Obcffefa.exe182⤵
- Modifies registry class
PID:3296 -
C:\Windows\SysWOW64\Ohmoco32.exeC:\Windows\system32\Ohmoco32.exe183⤵PID:3336
-
C:\Windows\SysWOW64\Onjgkf32.exeC:\Windows\system32\Onjgkf32.exe184⤵PID:3376
-
C:\Windows\SysWOW64\Ofaolcmh.exeC:\Windows\system32\Ofaolcmh.exe185⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3416 -
C:\Windows\SysWOW64\Ogbldk32.exeC:\Windows\system32\Ogbldk32.exe186⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:3456 -
C:\Windows\SysWOW64\Onldqejb.exeC:\Windows\system32\Onldqejb.exe187⤵PID:3560
-
C:\Windows\SysWOW64\Odflmp32.exeC:\Windows\system32\Odflmp32.exe188⤵
- Drops file in System32 directory
PID:3628 -
C:\Windows\SysWOW64\Okpdjjil.exeC:\Windows\system32\Okpdjjil.exe189⤵PID:3668
-
C:\Windows\SysWOW64\Objmgd32.exeC:\Windows\system32\Objmgd32.exe190⤵PID:3708
-
C:\Windows\SysWOW64\Ockinl32.exeC:\Windows\system32\Ockinl32.exe191⤵PID:3748
-
C:\Windows\SysWOW64\Omcngamh.exeC:\Windows\system32\Omcngamh.exe192⤵PID:3788
-
C:\Windows\SysWOW64\Pcnfdl32.exeC:\Windows\system32\Pcnfdl32.exe193⤵PID:3828
-
C:\Windows\SysWOW64\Paafmp32.exeC:\Windows\system32\Paafmp32.exe194⤵
- System Location Discovery: System Language Discovery
PID:3868 -
C:\Windows\SysWOW64\Pglojj32.exeC:\Windows\system32\Pglojj32.exe195⤵PID:3908
-
C:\Windows\SysWOW64\Pmhgba32.exeC:\Windows\system32\Pmhgba32.exe196⤵PID:3948
-
C:\Windows\SysWOW64\Ppgcol32.exeC:\Windows\system32\Ppgcol32.exe197⤵PID:3988
-
C:\Windows\SysWOW64\Pfqlkfoc.exeC:\Windows\system32\Pfqlkfoc.exe198⤵
- Modifies registry class
PID:4028 -
C:\Windows\SysWOW64\Pmkdhq32.exeC:\Windows\system32\Pmkdhq32.exe199⤵
- Drops file in System32 directory
PID:4068 -
C:\Windows\SysWOW64\Pbglpg32.exeC:\Windows\system32\Pbglpg32.exe200⤵PID:3084
-
C:\Windows\SysWOW64\Pefhlcdk.exeC:\Windows\system32\Pefhlcdk.exe201⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:3144 -
C:\Windows\SysWOW64\Ppkmjlca.exeC:\Windows\system32\Ppkmjlca.exe202⤵PID:3184
-
C:\Windows\SysWOW64\Pbjifgcd.exeC:\Windows\system32\Pbjifgcd.exe203⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3232 -
C:\Windows\SysWOW64\Phgannal.exeC:\Windows\system32\Phgannal.exe204⤵
- Modifies registry class
PID:3280 -
C:\Windows\SysWOW64\Qnqjkh32.exeC:\Windows\system32\Qnqjkh32.exe205⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:3324 -
C:\Windows\SysWOW64\Qekbgbpf.exeC:\Windows\system32\Qekbgbpf.exe206⤵PID:3372
-
C:\Windows\SysWOW64\Qhincn32.exeC:\Windows\system32\Qhincn32.exe207⤵PID:3076
-
C:\Windows\SysWOW64\Qemomb32.exeC:\Windows\system32\Qemomb32.exe208⤵
- System Location Discovery: System Language Discovery
PID:3468 -
C:\Windows\SysWOW64\Ajjgei32.exeC:\Windows\system32\Ajjgei32.exe209⤵PID:3520
-
C:\Windows\SysWOW64\Aeokba32.exeC:\Windows\system32\Aeokba32.exe210⤵PID:3576
-
C:\Windows\SysWOW64\Afqhjj32.exeC:\Windows\system32\Afqhjj32.exe211⤵PID:3616
-
C:\Windows\SysWOW64\Aaflgb32.exeC:\Windows\system32\Aaflgb32.exe212⤵PID:3656
-
C:\Windows\SysWOW64\Afcdpi32.exeC:\Windows\system32\Afcdpi32.exe213⤵PID:3724
-
C:\Windows\SysWOW64\Aiaqle32.exeC:\Windows\system32\Aiaqle32.exe214⤵PID:3772
-
C:\Windows\SysWOW64\Apkihofl.exeC:\Windows\system32\Apkihofl.exe215⤵PID:3820
-
C:\Windows\SysWOW64\Aicmadmm.exeC:\Windows\system32\Aicmadmm.exe216⤵PID:3728
-
C:\Windows\SysWOW64\Albjnplq.exeC:\Windows\system32\Albjnplq.exe217⤵PID:3916
-
C:\Windows\SysWOW64\Ablbjj32.exeC:\Windows\system32\Ablbjj32.exe218⤵
- Drops file in System32 directory
PID:3428 -
C:\Windows\SysWOW64\Amafgc32.exeC:\Windows\system32\Amafgc32.exe219⤵PID:4012
-
C:\Windows\SysWOW64\Aocbokia.exeC:\Windows\system32\Aocbokia.exe220⤵PID:4060
-
C:\Windows\SysWOW64\Blgcio32.exeC:\Windows\system32\Blgcio32.exe221⤵PID:3844
-
C:\Windows\SysWOW64\Baclaf32.exeC:\Windows\system32\Baclaf32.exe222⤵PID:3884
-
C:\Windows\SysWOW64\Bhndnpnp.exeC:\Windows\system32\Bhndnpnp.exe223⤵PID:3212
-
C:\Windows\SysWOW64\Bklpjlmc.exeC:\Windows\system32\Bklpjlmc.exe224⤵PID:3808
-
C:\Windows\SysWOW64\Beadgdli.exeC:\Windows\system32\Beadgdli.exe225⤵PID:3332
-
C:\Windows\SysWOW64\Bknmok32.exeC:\Windows\system32\Bknmok32.exe226⤵PID:3388
-
C:\Windows\SysWOW64\Bahelebm.exeC:\Windows\system32\Bahelebm.exe227⤵
- Drops file in System32 directory
PID:3464 -
C:\Windows\SysWOW64\Blniinac.exeC:\Windows\system32\Blniinac.exe228⤵PID:3512
-
C:\Windows\SysWOW64\Bakaaepk.exeC:\Windows\system32\Bakaaepk.exe229⤵
- System Location Discovery: System Language Discovery
PID:3556 -
C:\Windows\SysWOW64\Bhdjno32.exeC:\Windows\system32\Bhdjno32.exe230⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:3268 -
C:\Windows\SysWOW64\Cnabffeo.exeC:\Windows\system32\Cnabffeo.exe231⤵PID:3688
-
C:\Windows\SysWOW64\Cdkkcp32.exeC:\Windows\system32\Cdkkcp32.exe232⤵PID:3756
-
C:\Windows\SysWOW64\Cjhckg32.exeC:\Windows\system32\Cjhckg32.exe233⤵
- System Location Discovery: System Language Discovery
PID:3804 -
C:\Windows\SysWOW64\Cpbkhabp.exeC:\Windows\system32\Cpbkhabp.exe234⤵PID:3888
-
C:\Windows\SysWOW64\Ccqhdmbc.exeC:\Windows\system32\Ccqhdmbc.exe235⤵
- Drops file in System32 directory
PID:3744 -
C:\Windows\SysWOW64\Cjjpag32.exeC:\Windows\system32\Cjjpag32.exe236⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4004 -
C:\Windows\SysWOW64\Cpdhna32.exeC:\Windows\system32\Cpdhna32.exe237⤵
- Drops file in System32 directory
PID:4076 -
C:\Windows\SysWOW64\Cccdjl32.exeC:\Windows\system32\Cccdjl32.exe238⤵
- Modifies registry class
PID:3120 -
C:\Windows\SysWOW64\Cjmmffgn.exeC:\Windows\system32\Cjmmffgn.exe239⤵PID:3040
-
C:\Windows\SysWOW64\Dhgccbhp.exeC:\Windows\system32\Dhgccbhp.exe240⤵
- Modifies registry class
PID:3264 -
C:\Windows\SysWOW64\Dnckki32.exeC:\Windows\system32\Dnckki32.exe241⤵
- System Location Discovery: System Language Discovery
PID:3116 -
C:\Windows\SysWOW64\Dhiphb32.exeC:\Windows\system32\Dhiphb32.exe242⤵PID:3244