Analysis
-
max time kernel
119s -
max time network
17s -
platform
windows7_x64 -
resource
win7-20240708-en -
resource tags
arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system -
submitted
05-08-2024 01:31
Static task
static1
Behavioral task
behavioral1
Sample
2fb872231a464b54fcd42f579768e7b0N.exe
Resource
win7-20240708-en
General
-
Target
2fb872231a464b54fcd42f579768e7b0N.exe
-
Size
163KB
-
MD5
2fb872231a464b54fcd42f579768e7b0
-
SHA1
28025e358347958eebe5b27cc57532e0e25a74f8
-
SHA256
c54afb8d71d7e94433618fca5ad4a7114e969fecddc12e8071b6051ad63e229c
-
SHA512
6dd3de253b040686ff481d15c6981ad6c238fa634e38f40bc299dc9b6ae989e9ce530d58f9a3bb00780cb1ca79448967f25f86224de0828419e10e447bf27ddb
-
SSDEEP
1536:PkQXQ/xJGHpMImOiWwQuzoHXHdNkhlProNVU4qNVUrk/9QbfBr+7GwKrPAsqNVU:8QKxwS7zo39NgltOrWKDBr+yJb
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
Processes:
Iamimc32.exeLjffag32.exePiekcd32.exeAlhmjbhj.exeJjpcbe32.exeLccdel32.exeNplmop32.exeQqeicede.exeBbdallnd.exeKqqboncb.exeKfmjgeaj.exeOegbheiq.exeOdlojanh.exeBaohhgnf.exeFikejl32.exeFjmaaddo.exeMdacop32.exeBhhpeafc.exeLjibgg32.exeNgfflj32.exePfikmh32.exeAijpnfif.exeHpefdl32.exeIpllekdl.exeJmbiipml.exeQeohnd32.exeGmpgio32.exeHapicp32.exeIefhhbef.exeAcfaeq32.exeFbamma32.exeInifnq32.exePgpeal32.exeOdhfob32.exeLcagpl32.exeLphhenhc.exeOebimf32.exeLpjdjmfp.exeMelfncqb.exeKiijnq32.exeKnpemf32.exeOcdmaj32.exePbkbgjcc.exeJabbhcfe.exeKohkfj32.exeAfiglkle.exeHojgfemq.exeHomclekn.exeIdcokkak.exeNljddpfe.exeAaheie32.exeEffcma32.exePkdgpo32.exeNkpegi32.exeAigchgkh.exe2fb872231a464b54fcd42f579768e7b0N.exeIgonafba.exeKmjojo32.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iamimc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ljffag32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Piekcd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Alhmjbhj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jjpcbe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lccdel32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nplmop32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qqeicede.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bbdallnd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kqqboncb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kfmjgeaj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oegbheiq.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Odlojanh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Baohhgnf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fikejl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fjmaaddo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mdacop32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bhhpeafc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ljibgg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ngfflj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pfikmh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qqeicede.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aijpnfif.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hpefdl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ipllekdl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jmbiipml.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qeohnd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gmpgio32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hapicp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iefhhbef.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Acfaeq32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fbamma32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Inifnq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pgpeal32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Odhfob32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lcagpl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lphhenhc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oebimf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lpjdjmfp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Melfncqb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hpefdl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ipllekdl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kiijnq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Knpemf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ocdmaj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pbkbgjcc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jabbhcfe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jabbhcfe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kohkfj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Afiglkle.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hojgfemq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Homclekn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Idcokkak.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nljddpfe.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aaheie32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bhhpeafc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Effcma32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Homclekn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pkdgpo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nkpegi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aigchgkh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad 2fb872231a464b54fcd42f579768e7b0N.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Igonafba.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kmjojo32.exe -
Executes dropped EXE 64 IoCs
Processes:
Eojnkg32.exeEgafleqm.exeEjobhppq.exeEffcma32.exeFfhpbacb.exeFlehkhai.exeFbopgb32.exeFglipi32.exeFbamma32.exeFikejl32.exeFjmaaddo.exeFebfomdd.exeFhqbkhch.exeFaigdn32.exeGhcoqh32.exeGmpgio32.exeGmbdnn32.exeGanpomec.exeGiieco32.exeGlgaok32.exeGdniqh32.exeGikaio32.exeGbcfadgl.exeGfobbc32.exeGhqnjk32.exeHojgfemq.exeHedocp32.exeHomclekn.exeHeglio32.exeHlqdei32.exeHkcdafqb.exeHdlhjl32.exeHmdmcanc.exeHapicp32.exeHdnepk32.exeHiknhbcg.exeHpefdl32.exeIgonafba.exeInifnq32.exeIdcokkak.exeIipgcaob.exeIompkh32.exeIefhhbef.exeIpllekdl.exeIamimc32.exeIjdqna32.exeIlcmjl32.exeIcmegf32.exeIapebchh.exeIhjnom32.exeIleiplhn.exeJabbhcfe.exeJfnnha32.exeJgojpjem.exeJnicmdli.exeJqgoiokm.exeJhngjmlo.exeJkmcfhkc.exeJjpcbe32.exeJqilooij.exeJdehon32.exeJgcdki32.exeJjbpgd32.exeJmplcp32.exepid process 2248 Eojnkg32.exe 2704 Egafleqm.exe 2792 Ejobhppq.exe 2876 Effcma32.exe 2568 Ffhpbacb.exe 2996 Flehkhai.exe 564 Fbopgb32.exe 2880 Fglipi32.exe 2392 Fbamma32.exe 1708 Fikejl32.exe 2456 Fjmaaddo.exe 1868 Febfomdd.exe 1732 Fhqbkhch.exe 2932 Faigdn32.exe 2036 Ghcoqh32.exe 1548 Gmpgio32.exe 704 Gmbdnn32.exe 2400 Ganpomec.exe 796 Giieco32.exe 1348 Glgaok32.exe 2516 Gdniqh32.exe 1760 Gikaio32.exe 684 Gbcfadgl.exe 896 Gfobbc32.exe 3052 Ghqnjk32.exe 1572 Hojgfemq.exe 2804 Hedocp32.exe 2556 Homclekn.exe 2812 Heglio32.exe 2544 Hlqdei32.exe 2156 Hkcdafqb.exe 772 Hdlhjl32.exe 2852 Hmdmcanc.exe 2092 Hapicp32.exe 1832 Hdnepk32.exe 1332 Hiknhbcg.exe 2612 Hpefdl32.exe 1696 Igonafba.exe 1648 Inifnq32.exe 2184 Idcokkak.exe 604 Iipgcaob.exe 2432 Iompkh32.exe 1752 Iefhhbef.exe 1536 Ipllekdl.exe 2060 Iamimc32.exe 1616 Ijdqna32.exe 2388 Ilcmjl32.exe 864 Icmegf32.exe 2100 Iapebchh.exe 2736 Ihjnom32.exe 2660 Ileiplhn.exe 2768 Jabbhcfe.exe 2584 Jfnnha32.exe 2664 Jgojpjem.exe 2600 Jnicmdli.exe 536 Jqgoiokm.exe 1100 Jhngjmlo.exe 2648 Jkmcfhkc.exe 1952 Jjpcbe32.exe 1940 Jqilooij.exe 764 Jdehon32.exe 840 Jgcdki32.exe 1856 Jjbpgd32.exe 1772 Jmplcp32.exe -
Loads dropped DLL 64 IoCs
Processes:
2fb872231a464b54fcd42f579768e7b0N.exeEojnkg32.exeEgafleqm.exeEjobhppq.exeEffcma32.exeFfhpbacb.exeFlehkhai.exeFbopgb32.exeFglipi32.exeFbamma32.exeFikejl32.exeFjmaaddo.exeFebfomdd.exeFhqbkhch.exeFaigdn32.exeGhcoqh32.exeGmpgio32.exeGmbdnn32.exeGanpomec.exeGiieco32.exeGlgaok32.exeGdniqh32.exeGikaio32.exeGbcfadgl.exeGfobbc32.exeGhqnjk32.exeHojgfemq.exeHedocp32.exeHomclekn.exeHeglio32.exeHlqdei32.exeHkcdafqb.exepid process 2220 2fb872231a464b54fcd42f579768e7b0N.exe 2220 2fb872231a464b54fcd42f579768e7b0N.exe 2248 Eojnkg32.exe 2248 Eojnkg32.exe 2704 Egafleqm.exe 2704 Egafleqm.exe 2792 Ejobhppq.exe 2792 Ejobhppq.exe 2876 Effcma32.exe 2876 Effcma32.exe 2568 Ffhpbacb.exe 2568 Ffhpbacb.exe 2996 Flehkhai.exe 2996 Flehkhai.exe 564 Fbopgb32.exe 564 Fbopgb32.exe 2880 Fglipi32.exe 2880 Fglipi32.exe 2392 Fbamma32.exe 2392 Fbamma32.exe 1708 Fikejl32.exe 1708 Fikejl32.exe 2456 Fjmaaddo.exe 2456 Fjmaaddo.exe 1868 Febfomdd.exe 1868 Febfomdd.exe 1732 Fhqbkhch.exe 1732 Fhqbkhch.exe 2932 Faigdn32.exe 2932 Faigdn32.exe 2036 Ghcoqh32.exe 2036 Ghcoqh32.exe 1548 Gmpgio32.exe 1548 Gmpgio32.exe 704 Gmbdnn32.exe 704 Gmbdnn32.exe 2400 Ganpomec.exe 2400 Ganpomec.exe 796 Giieco32.exe 796 Giieco32.exe 1348 Glgaok32.exe 1348 Glgaok32.exe 2516 Gdniqh32.exe 2516 Gdniqh32.exe 1760 Gikaio32.exe 1760 Gikaio32.exe 684 Gbcfadgl.exe 684 Gbcfadgl.exe 896 Gfobbc32.exe 896 Gfobbc32.exe 3052 Ghqnjk32.exe 3052 Ghqnjk32.exe 1572 Hojgfemq.exe 1572 Hojgfemq.exe 2804 Hedocp32.exe 2804 Hedocp32.exe 2556 Homclekn.exe 2556 Homclekn.exe 2812 Heglio32.exe 2812 Heglio32.exe 2544 Hlqdei32.exe 2544 Hlqdei32.exe 2156 Hkcdafqb.exe 2156 Hkcdafqb.exe -
Drops file in System32 directory 64 IoCs
Processes:
Giieco32.exeGdniqh32.exeKgcpjmcb.exeOjigbhlp.exeEffcma32.exePjpnbg32.exeOegbheiq.exePfikmh32.exePihgic32.exeOebimf32.exeAigchgkh.exeNmpnhdfc.exePqjfoa32.exeQiladcdh.exeJdgdempa.exeNadpgggp.exeFikejl32.exeNpagjpcd.exeNlekia32.exeBilmcf32.exePgpeal32.exePmccjbaf.exeBbdallnd.exeLjffag32.exeModkfi32.exeOhhkjp32.exeIleiplhn.exeMoidahcn.exeOghopm32.exeBaohhgnf.exeIcmegf32.exeOnpjghhn.exeCpceidcn.exeAjgpbj32.exeLpjdjmfp.exeMgalqkbk.exePndpajgd.exeAmcpie32.exeAlhmjbhj.exeBhhpeafc.exeLmebnb32.exeKgemplap.exeNgkogj32.exeOdeiibdq.exeHedocp32.exePoocpnbm.exeIapebchh.exeIamimc32.exeJoaeeklp.exeKiijnq32.exeLfpclh32.exeLcfqkl32.exeFlehkhai.exeNgibaj32.exeGmbdnn32.exeGfobbc32.exeKbbngf32.exeBeejng32.exeBehgcf32.exedescription ioc process File created C:\Windows\SysWOW64\Glgaok32.exe Giieco32.exe File opened for modification C:\Windows\SysWOW64\Gikaio32.exe Gdniqh32.exe File created C:\Windows\SysWOW64\Ancjqghh.dll Kgcpjmcb.exe File created C:\Windows\SysWOW64\Eebghjja.dll Ojigbhlp.exe File created C:\Windows\SysWOW64\Ffhpbacb.exe Effcma32.exe File created C:\Windows\SysWOW64\Adagkoae.dll Pjpnbg32.exe File created C:\Windows\SysWOW64\Ohendqhd.exe Oegbheiq.exe File opened for modification C:\Windows\SysWOW64\Pihgic32.exe Pfikmh32.exe File opened for modification C:\Windows\SysWOW64\Pmccjbaf.exe Pihgic32.exe File opened for modification C:\Windows\SysWOW64\Odeiibdq.exe Oebimf32.exe File created C:\Windows\SysWOW64\Oilpcd32.dll Aigchgkh.exe File created C:\Windows\SysWOW64\Kpjhkjde.exe Kgcpjmcb.exe File opened for modification C:\Windows\SysWOW64\Npojdpef.exe Nmpnhdfc.exe File created C:\Windows\SysWOW64\Pcibkm32.exe Pqjfoa32.exe File created C:\Windows\SysWOW64\Qkkmqnck.exe Qiladcdh.exe File opened for modification C:\Windows\SysWOW64\Jgfqaiod.exe Jdgdempa.exe File opened for modification C:\Windows\SysWOW64\Nilhhdga.exe Nadpgggp.exe File created C:\Windows\SysWOW64\Jndkpj32.dll Fikejl32.exe File created C:\Windows\SysWOW64\Ncpcfkbg.exe Npagjpcd.exe File opened for modification C:\Windows\SysWOW64\Npagjpcd.exe Nlekia32.exe File created C:\Windows\SysWOW64\Blkioa32.exe Bilmcf32.exe File opened for modification C:\Windows\SysWOW64\Amcpie32.exe Aigchgkh.exe File opened for modification C:\Windows\SysWOW64\Pjnamh32.exe Pgpeal32.exe File created C:\Windows\SysWOW64\Poapfn32.exe Pmccjbaf.exe File created C:\Windows\SysWOW64\Lbbjgn32.dll Pmccjbaf.exe File created C:\Windows\SysWOW64\Cifmcd32.dll Bbdallnd.exe File created C:\Windows\SysWOW64\Jpfppg32.dll Ljffag32.exe File opened for modification C:\Windows\SysWOW64\Mabgcd32.exe Modkfi32.exe File created C:\Windows\SysWOW64\Okfgfl32.exe Ohhkjp32.exe File created C:\Windows\SysWOW64\Lbgafalg.dll Ileiplhn.exe File opened for modification C:\Windows\SysWOW64\Ndemjoae.exe Moidahcn.exe File created C:\Windows\SysWOW64\Edobgb32.dll Oghopm32.exe File created C:\Windows\SysWOW64\Bhhpeafc.exe Baohhgnf.exe File created C:\Windows\SysWOW64\Aedeic32.dll Icmegf32.exe File created C:\Windows\SysWOW64\Lmcmdd32.dll Onpjghhn.exe File opened for modification C:\Windows\SysWOW64\Cdoajb32.exe Cpceidcn.exe File opened for modification C:\Windows\SysWOW64\Aijpnfif.exe Ajgpbj32.exe File opened for modification C:\Windows\SysWOW64\Lcfqkl32.exe Lpjdjmfp.exe File created C:\Windows\SysWOW64\Mjkacaml.dll Mgalqkbk.exe File created C:\Windows\SysWOW64\Npagjpcd.exe Nlekia32.exe File opened for modification C:\Windows\SysWOW64\Qflhbhgg.exe Pndpajgd.exe File opened for modification C:\Windows\SysWOW64\Apalea32.exe Amcpie32.exe File created C:\Windows\SysWOW64\Ecjdib32.dll Alhmjbhj.exe File opened for modification C:\Windows\SysWOW64\Bkglameg.exe Bhhpeafc.exe File opened for modification C:\Windows\SysWOW64\Leljop32.exe Lmebnb32.exe File created C:\Windows\SysWOW64\Ihclng32.dll Kgemplap.exe File opened for modification C:\Windows\SysWOW64\Nenobfak.exe Ngkogj32.exe File opened for modification C:\Windows\SysWOW64\Ollajp32.exe Odeiibdq.exe File created C:\Windows\SysWOW64\Giicle32.dll Hedocp32.exe File opened for modification C:\Windows\SysWOW64\Pbnoliap.exe Poocpnbm.exe File created C:\Windows\SysWOW64\Ihjnom32.exe Iapebchh.exe File created C:\Windows\SysWOW64\Kkmgjljo.dll Iamimc32.exe File created C:\Windows\SysWOW64\Epecke32.dll Joaeeklp.exe File created C:\Windows\SysWOW64\Kqqboncb.exe Kiijnq32.exe File created C:\Windows\SysWOW64\Ljkomfjl.exe Lfpclh32.exe File created C:\Windows\SysWOW64\Ibddljof.dll Lcfqkl32.exe File created C:\Windows\SysWOW64\Fbopgb32.exe Flehkhai.exe File opened for modification C:\Windows\SysWOW64\Nekbmgcn.exe Ngibaj32.exe File created C:\Windows\SysWOW64\Jfdnjb32.dll Gmbdnn32.exe File created C:\Windows\SysWOW64\Ghqnjk32.exe Gfobbc32.exe File created C:\Windows\SysWOW64\Kfmjgeaj.exe Kbbngf32.exe File opened for modification C:\Windows\SysWOW64\Okdkal32.exe Oghopm32.exe File opened for modification C:\Windows\SysWOW64\Bhdgjb32.exe Beejng32.exe File created C:\Windows\SysWOW64\Blaopqpo.exe Behgcf32.exe -
Program crash 1 IoCs
Processes:
WerFault.exepid pid_target process target process 3512 3456 WerFault.exe Cacacg32.exe -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
Faigdn32.exeGmpgio32.exeGhqnjk32.exeJgfqaiod.exeJmbiipml.exeOancnfoe.exeBilmcf32.exeNgibaj32.exeAniimjbo.exeBmeimhdj.exeIompkh32.exeMabgcd32.exeLfpclh32.exeNenobfak.exeBhajdblk.exeIgonafba.exeInifnq32.exeLpjdjmfp.exeMoidahcn.exeGfobbc32.exeMofglh32.exeOnbgmg32.exeOappcfmb.exeAijpnfif.exeLcfqkl32.exeFglipi32.exeIlcmjl32.exeNkmdpm32.exePkdgpo32.exeAganeoip.exeFikejl32.exeJgojpjem.exeKegqdqbl.exeGiieco32.exeNkpegi32.exeNilhhdga.exeOkoafmkm.exeQflhbhgg.exeGikaio32.exeIdcokkak.exeNofdklgl.exeJjbpgd32.exeLjkomfjl.exeLlohjo32.exeOcfigjlp.exePqhijbog.exePoapfn32.exeBphbeplm.exeLeimip32.exeOcalkn32.exeGmbdnn32.exeLeljop32.exeMhhfdo32.exeAmqccfed.exeNdjfeo32.exeNgkogj32.exePjnamh32.exeFfhpbacb.exeHapicp32.exeJfnnha32.exePbkbgjcc.exeFbamma32.exeGdniqh32.exeAnlfbi32.exedescription ioc process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Faigdn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gmpgio32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ghqnjk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jgfqaiod.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jmbiipml.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oancnfoe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bilmcf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ngibaj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aniimjbo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bmeimhdj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iompkh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mabgcd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lfpclh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nenobfak.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bhajdblk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Igonafba.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Inifnq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lpjdjmfp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Moidahcn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gfobbc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mofglh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Onbgmg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oappcfmb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aijpnfif.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lcfqkl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fglipi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ilcmjl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nkmdpm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pkdgpo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aganeoip.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fikejl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jgojpjem.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kegqdqbl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Giieco32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nkpegi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nilhhdga.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Okoafmkm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qflhbhgg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gikaio32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Idcokkak.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nofdklgl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jjbpgd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ljkomfjl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Llohjo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ocfigjlp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pqhijbog.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Poapfn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bphbeplm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Leimip32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ocalkn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gmbdnn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Leljop32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mhhfdo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Amqccfed.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ndjfeo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ngkogj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pjnamh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ffhpbacb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hapicp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jfnnha32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pbkbgjcc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fbamma32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gdniqh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Anlfbi32.exe -
Modifies registry class 64 IoCs
Processes:
Fbamma32.exeHomclekn.exeAfgkfl32.exe2fb872231a464b54fcd42f579768e7b0N.exeFglipi32.exeOebimf32.exePcfefmnk.exeOkfgfl32.exeAnlfbi32.exeOghopm32.exeMhjbjopf.exeMabgcd32.exeLegmbd32.exeNekbmgcn.exeNpojdpef.exeQbbhgi32.exeBphbeplm.exeFebfomdd.exeHmdmcanc.exeJjpcbe32.exeKohkfj32.exeLjffag32.exeNdemjoae.exeMbkmlh32.exePqhijbog.exeBehgcf32.exeMhhfdo32.exeFbopgb32.exeIcmegf32.exeLpjdjmfp.exeIgonafba.exeJjdmmdnh.exeLlcefjgf.exeNilhhdga.exeAaloddnn.exeAmcpie32.exeIamimc32.exePcibkm32.exeJkmcfhkc.exeMoanaiie.exeNmpnhdfc.exePcdipnqn.exeOnbgmg32.exeGhcoqh32.exeKnmhgf32.exeAcmhepko.exeOappcfmb.exeGlgaok32.exeOcdmaj32.exeBnkbam32.exeBkglameg.exeJfnnha32.exeLibicbma.exePgpeal32.exeQkkmqnck.exeOancnfoe.exeFhqbkhch.exeIjdqna32.exeKebgia32.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fbamma32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kceojp32.dll" Homclekn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Afgkfl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lkmkpl32.dll" 2fb872231a464b54fcd42f579768e7b0N.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjejlhlg.dll" Fglipi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Oebimf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pcfefmnk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Chdqghfp.dll" Okfgfl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghmnek32.dll" Anlfbi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Oghopm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node 2fb872231a464b54fcd42f579768e7b0N.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mhjbjopf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mabgcd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kbelde32.dll" Legmbd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nekbmgcn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kjbgng32.dll" Npojdpef.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qbbhgi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bphbeplm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lhghcb32.dll" Febfomdd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hmdmcanc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jjpcbe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kohkfj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ljffag32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fbpljhnf.dll" Ndemjoae.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Negpnjgm.dll" Mbkmlh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aceobl32.dll" Pqhijbog.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Behgcf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mhhfdo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ndemjoae.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fbopgb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Icmegf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lpjdjmfp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Igonafba.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jjdmmdnh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Llcefjgf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elaieh32.dll" Nilhhdga.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aaloddnn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Amcpie32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Iamimc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pcibkm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjbkcgmo.dll" Jkmcfhkc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Moanaiie.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nmpnhdfc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pcdipnqn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aliolp32.dll" Onbgmg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ghcoqh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihlfca32.dll" Knmhgf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bmnbjfam.dll" Acmhepko.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbbpnl32.dll" Oappcfmb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmjolo32.dll" Fbopgb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mncfoa32.dll" Glgaok32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ocdmaj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Oappcfmb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bnkbam32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oimbjlde.dll" Bkglameg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jfnnha32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lpjdjmfp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Libicbma.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pgpeal32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qkkmqnck.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Oancnfoe.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fhqbkhch.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ijdqna32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kebgia32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
2fb872231a464b54fcd42f579768e7b0N.exeEojnkg32.exeEgafleqm.exeEjobhppq.exeEffcma32.exeFfhpbacb.exeFlehkhai.exeFbopgb32.exeFglipi32.exeFbamma32.exeFikejl32.exeFjmaaddo.exeFebfomdd.exeFhqbkhch.exeFaigdn32.exeGhcoqh32.exedescription pid process target process PID 2220 wrote to memory of 2248 2220 2fb872231a464b54fcd42f579768e7b0N.exe Eojnkg32.exe PID 2220 wrote to memory of 2248 2220 2fb872231a464b54fcd42f579768e7b0N.exe Eojnkg32.exe PID 2220 wrote to memory of 2248 2220 2fb872231a464b54fcd42f579768e7b0N.exe Eojnkg32.exe PID 2220 wrote to memory of 2248 2220 2fb872231a464b54fcd42f579768e7b0N.exe Eojnkg32.exe PID 2248 wrote to memory of 2704 2248 Eojnkg32.exe Egafleqm.exe PID 2248 wrote to memory of 2704 2248 Eojnkg32.exe Egafleqm.exe PID 2248 wrote to memory of 2704 2248 Eojnkg32.exe Egafleqm.exe PID 2248 wrote to memory of 2704 2248 Eojnkg32.exe Egafleqm.exe PID 2704 wrote to memory of 2792 2704 Egafleqm.exe Ejobhppq.exe PID 2704 wrote to memory of 2792 2704 Egafleqm.exe Ejobhppq.exe PID 2704 wrote to memory of 2792 2704 Egafleqm.exe Ejobhppq.exe PID 2704 wrote to memory of 2792 2704 Egafleqm.exe Ejobhppq.exe PID 2792 wrote to memory of 2876 2792 Ejobhppq.exe Effcma32.exe PID 2792 wrote to memory of 2876 2792 Ejobhppq.exe Effcma32.exe PID 2792 wrote to memory of 2876 2792 Ejobhppq.exe Effcma32.exe PID 2792 wrote to memory of 2876 2792 Ejobhppq.exe Effcma32.exe PID 2876 wrote to memory of 2568 2876 Effcma32.exe Ffhpbacb.exe PID 2876 wrote to memory of 2568 2876 Effcma32.exe Ffhpbacb.exe PID 2876 wrote to memory of 2568 2876 Effcma32.exe Ffhpbacb.exe PID 2876 wrote to memory of 2568 2876 Effcma32.exe Ffhpbacb.exe PID 2568 wrote to memory of 2996 2568 Ffhpbacb.exe Flehkhai.exe PID 2568 wrote to memory of 2996 2568 Ffhpbacb.exe Flehkhai.exe PID 2568 wrote to memory of 2996 2568 Ffhpbacb.exe Flehkhai.exe PID 2568 wrote to memory of 2996 2568 Ffhpbacb.exe Flehkhai.exe PID 2996 wrote to memory of 564 2996 Flehkhai.exe Fbopgb32.exe PID 2996 wrote to memory of 564 2996 Flehkhai.exe Fbopgb32.exe PID 2996 wrote to memory of 564 2996 Flehkhai.exe Fbopgb32.exe PID 2996 wrote to memory of 564 2996 Flehkhai.exe Fbopgb32.exe PID 564 wrote to memory of 2880 564 Fbopgb32.exe Fglipi32.exe PID 564 wrote to memory of 2880 564 Fbopgb32.exe Fglipi32.exe PID 564 wrote to memory of 2880 564 Fbopgb32.exe Fglipi32.exe PID 564 wrote to memory of 2880 564 Fbopgb32.exe Fglipi32.exe PID 2880 wrote to memory of 2392 2880 Fglipi32.exe Fbamma32.exe PID 2880 wrote to memory of 2392 2880 Fglipi32.exe Fbamma32.exe PID 2880 wrote to memory of 2392 2880 Fglipi32.exe Fbamma32.exe PID 2880 wrote to memory of 2392 2880 Fglipi32.exe Fbamma32.exe PID 2392 wrote to memory of 1708 2392 Fbamma32.exe Fikejl32.exe PID 2392 wrote to memory of 1708 2392 Fbamma32.exe Fikejl32.exe PID 2392 wrote to memory of 1708 2392 Fbamma32.exe Fikejl32.exe PID 2392 wrote to memory of 1708 2392 Fbamma32.exe Fikejl32.exe PID 1708 wrote to memory of 2456 1708 Fikejl32.exe Fjmaaddo.exe PID 1708 wrote to memory of 2456 1708 Fikejl32.exe Fjmaaddo.exe PID 1708 wrote to memory of 2456 1708 Fikejl32.exe Fjmaaddo.exe PID 1708 wrote to memory of 2456 1708 Fikejl32.exe Fjmaaddo.exe PID 2456 wrote to memory of 1868 2456 Fjmaaddo.exe Febfomdd.exe PID 2456 wrote to memory of 1868 2456 Fjmaaddo.exe Febfomdd.exe PID 2456 wrote to memory of 1868 2456 Fjmaaddo.exe Febfomdd.exe PID 2456 wrote to memory of 1868 2456 Fjmaaddo.exe Febfomdd.exe PID 1868 wrote to memory of 1732 1868 Febfomdd.exe Fhqbkhch.exe PID 1868 wrote to memory of 1732 1868 Febfomdd.exe Fhqbkhch.exe PID 1868 wrote to memory of 1732 1868 Febfomdd.exe Fhqbkhch.exe PID 1868 wrote to memory of 1732 1868 Febfomdd.exe Fhqbkhch.exe PID 1732 wrote to memory of 2932 1732 Fhqbkhch.exe Faigdn32.exe PID 1732 wrote to memory of 2932 1732 Fhqbkhch.exe Faigdn32.exe PID 1732 wrote to memory of 2932 1732 Fhqbkhch.exe Faigdn32.exe PID 1732 wrote to memory of 2932 1732 Fhqbkhch.exe Faigdn32.exe PID 2932 wrote to memory of 2036 2932 Faigdn32.exe Ghcoqh32.exe PID 2932 wrote to memory of 2036 2932 Faigdn32.exe Ghcoqh32.exe PID 2932 wrote to memory of 2036 2932 Faigdn32.exe Ghcoqh32.exe PID 2932 wrote to memory of 2036 2932 Faigdn32.exe Ghcoqh32.exe PID 2036 wrote to memory of 1548 2036 Ghcoqh32.exe Gmpgio32.exe PID 2036 wrote to memory of 1548 2036 Ghcoqh32.exe Gmpgio32.exe PID 2036 wrote to memory of 1548 2036 Ghcoqh32.exe Gmpgio32.exe PID 2036 wrote to memory of 1548 2036 Ghcoqh32.exe Gmpgio32.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\2fb872231a464b54fcd42f579768e7b0N.exe"C:\Users\Admin\AppData\Local\Temp\2fb872231a464b54fcd42f579768e7b0N.exe"1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2220 -
C:\Windows\SysWOW64\Eojnkg32.exeC:\Windows\system32\Eojnkg32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2248 -
C:\Windows\SysWOW64\Egafleqm.exeC:\Windows\system32\Egafleqm.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2704 -
C:\Windows\SysWOW64\Ejobhppq.exeC:\Windows\system32\Ejobhppq.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2792 -
C:\Windows\SysWOW64\Effcma32.exeC:\Windows\system32\Effcma32.exe5⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2876 -
C:\Windows\SysWOW64\Ffhpbacb.exeC:\Windows\system32\Ffhpbacb.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2568 -
C:\Windows\SysWOW64\Flehkhai.exeC:\Windows\system32\Flehkhai.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2996 -
C:\Windows\SysWOW64\Fbopgb32.exeC:\Windows\system32\Fbopgb32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:564 -
C:\Windows\SysWOW64\Fglipi32.exeC:\Windows\system32\Fglipi32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2880 -
C:\Windows\SysWOW64\Fbamma32.exeC:\Windows\system32\Fbamma32.exe10⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2392 -
C:\Windows\SysWOW64\Fikejl32.exeC:\Windows\system32\Fikejl32.exe11⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1708 -
C:\Windows\SysWOW64\Fjmaaddo.exeC:\Windows\system32\Fjmaaddo.exe12⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2456 -
C:\Windows\SysWOW64\Febfomdd.exeC:\Windows\system32\Febfomdd.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1868 -
C:\Windows\SysWOW64\Fhqbkhch.exeC:\Windows\system32\Fhqbkhch.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1732 -
C:\Windows\SysWOW64\Faigdn32.exeC:\Windows\system32\Faigdn32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2932 -
C:\Windows\SysWOW64\Ghcoqh32.exeC:\Windows\system32\Ghcoqh32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2036 -
C:\Windows\SysWOW64\Gmpgio32.exeC:\Windows\system32\Gmpgio32.exe17⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1548 -
C:\Windows\SysWOW64\Gmbdnn32.exeC:\Windows\system32\Gmbdnn32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:704 -
C:\Windows\SysWOW64\Ganpomec.exeC:\Windows\system32\Ganpomec.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2400 -
C:\Windows\SysWOW64\Giieco32.exeC:\Windows\system32\Giieco32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:796 -
C:\Windows\SysWOW64\Glgaok32.exeC:\Windows\system32\Glgaok32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1348 -
C:\Windows\SysWOW64\Gdniqh32.exeC:\Windows\system32\Gdniqh32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2516 -
C:\Windows\SysWOW64\Gikaio32.exeC:\Windows\system32\Gikaio32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1760 -
C:\Windows\SysWOW64\Gbcfadgl.exeC:\Windows\system32\Gbcfadgl.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:684 -
C:\Windows\SysWOW64\Gfobbc32.exeC:\Windows\system32\Gfobbc32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:896 -
C:\Windows\SysWOW64\Ghqnjk32.exeC:\Windows\system32\Ghqnjk32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:3052 -
C:\Windows\SysWOW64\Hojgfemq.exeC:\Windows\system32\Hojgfemq.exe27⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1572 -
C:\Windows\SysWOW64\Hedocp32.exeC:\Windows\system32\Hedocp32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2804 -
C:\Windows\SysWOW64\Homclekn.exeC:\Windows\system32\Homclekn.exe29⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2556 -
C:\Windows\SysWOW64\Heglio32.exeC:\Windows\system32\Heglio32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2812 -
C:\Windows\SysWOW64\Hlqdei32.exeC:\Windows\system32\Hlqdei32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2544 -
C:\Windows\SysWOW64\Hkcdafqb.exeC:\Windows\system32\Hkcdafqb.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2156 -
C:\Windows\SysWOW64\Hdlhjl32.exeC:\Windows\system32\Hdlhjl32.exe33⤵
- Executes dropped EXE
PID:772 -
C:\Windows\SysWOW64\Hmdmcanc.exeC:\Windows\system32\Hmdmcanc.exe34⤵
- Executes dropped EXE
- Modifies registry class
PID:2852 -
C:\Windows\SysWOW64\Hapicp32.exeC:\Windows\system32\Hapicp32.exe35⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2092 -
C:\Windows\SysWOW64\Hdnepk32.exeC:\Windows\system32\Hdnepk32.exe36⤵
- Executes dropped EXE
PID:1832 -
C:\Windows\SysWOW64\Hiknhbcg.exeC:\Windows\system32\Hiknhbcg.exe37⤵
- Executes dropped EXE
PID:1332 -
C:\Windows\SysWOW64\Hpefdl32.exeC:\Windows\system32\Hpefdl32.exe38⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2612 -
C:\Windows\SysWOW64\Igonafba.exeC:\Windows\system32\Igonafba.exe39⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1696 -
C:\Windows\SysWOW64\Inifnq32.exeC:\Windows\system32\Inifnq32.exe40⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1648 -
C:\Windows\SysWOW64\Idcokkak.exeC:\Windows\system32\Idcokkak.exe41⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2184 -
C:\Windows\SysWOW64\Iipgcaob.exeC:\Windows\system32\Iipgcaob.exe42⤵
- Executes dropped EXE
PID:604 -
C:\Windows\SysWOW64\Iompkh32.exeC:\Windows\system32\Iompkh32.exe43⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2432 -
C:\Windows\SysWOW64\Iefhhbef.exeC:\Windows\system32\Iefhhbef.exe44⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1752 -
C:\Windows\SysWOW64\Ipllekdl.exeC:\Windows\system32\Ipllekdl.exe45⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1536 -
C:\Windows\SysWOW64\Iamimc32.exeC:\Windows\system32\Iamimc32.exe46⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2060 -
C:\Windows\SysWOW64\Ijdqna32.exeC:\Windows\system32\Ijdqna32.exe47⤵
- Executes dropped EXE
- Modifies registry class
PID:1616 -
C:\Windows\SysWOW64\Ilcmjl32.exeC:\Windows\system32\Ilcmjl32.exe48⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2388 -
C:\Windows\SysWOW64\Icmegf32.exeC:\Windows\system32\Icmegf32.exe49⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:864 -
C:\Windows\SysWOW64\Iapebchh.exeC:\Windows\system32\Iapebchh.exe50⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2100 -
C:\Windows\SysWOW64\Ihjnom32.exeC:\Windows\system32\Ihjnom32.exe51⤵
- Executes dropped EXE
PID:2736 -
C:\Windows\SysWOW64\Ileiplhn.exeC:\Windows\system32\Ileiplhn.exe52⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2660 -
C:\Windows\SysWOW64\Jabbhcfe.exeC:\Windows\system32\Jabbhcfe.exe53⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2768 -
C:\Windows\SysWOW64\Jfnnha32.exeC:\Windows\system32\Jfnnha32.exe54⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2584 -
C:\Windows\SysWOW64\Jgojpjem.exeC:\Windows\system32\Jgojpjem.exe55⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2664 -
C:\Windows\SysWOW64\Jnicmdli.exeC:\Windows\system32\Jnicmdli.exe56⤵
- Executes dropped EXE
PID:2600 -
C:\Windows\SysWOW64\Jqgoiokm.exeC:\Windows\system32\Jqgoiokm.exe57⤵
- Executes dropped EXE
PID:536 -
C:\Windows\SysWOW64\Jhngjmlo.exeC:\Windows\system32\Jhngjmlo.exe58⤵
- Executes dropped EXE
PID:1100 -
C:\Windows\SysWOW64\Jkmcfhkc.exeC:\Windows\system32\Jkmcfhkc.exe59⤵
- Executes dropped EXE
- Modifies registry class
PID:2648 -
C:\Windows\SysWOW64\Jjpcbe32.exeC:\Windows\system32\Jjpcbe32.exe60⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:1952 -
C:\Windows\SysWOW64\Jqilooij.exeC:\Windows\system32\Jqilooij.exe61⤵
- Executes dropped EXE
PID:1940 -
C:\Windows\SysWOW64\Jdehon32.exeC:\Windows\system32\Jdehon32.exe62⤵
- Executes dropped EXE
PID:764 -
C:\Windows\SysWOW64\Jgcdki32.exeC:\Windows\system32\Jgcdki32.exe63⤵
- Executes dropped EXE
PID:840 -
C:\Windows\SysWOW64\Jjbpgd32.exeC:\Windows\system32\Jjbpgd32.exe64⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1856 -
C:\Windows\SysWOW64\Jmplcp32.exeC:\Windows\system32\Jmplcp32.exe65⤵
- Executes dropped EXE
PID:1772 -
C:\Windows\SysWOW64\Jdgdempa.exeC:\Windows\system32\Jdgdempa.exe66⤵
- Drops file in System32 directory
PID:1588 -
C:\Windows\SysWOW64\Jgfqaiod.exeC:\Windows\system32\Jgfqaiod.exe67⤵
- System Location Discovery: System Language Discovery
PID:2920 -
C:\Windows\SysWOW64\Jjdmmdnh.exeC:\Windows\system32\Jjdmmdnh.exe68⤵
- Modifies registry class
PID:1540 -
C:\Windows\SysWOW64\Jmbiipml.exeC:\Windows\system32\Jmbiipml.exe69⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:2288 -
C:\Windows\SysWOW64\Joaeeklp.exeC:\Windows\system32\Joaeeklp.exe70⤵
- Drops file in System32 directory
PID:2284 -
C:\Windows\SysWOW64\Jcmafj32.exeC:\Windows\system32\Jcmafj32.exe71⤵PID:1500
-
C:\Windows\SysWOW64\Kjfjbdle.exeC:\Windows\system32\Kjfjbdle.exe72⤵PID:2312
-
C:\Windows\SysWOW64\Kiijnq32.exeC:\Windows\system32\Kiijnq32.exe73⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2800 -
C:\Windows\SysWOW64\Kqqboncb.exeC:\Windows\system32\Kqqboncb.exe74⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2772 -
C:\Windows\SysWOW64\Kbbngf32.exeC:\Windows\system32\Kbbngf32.exe75⤵
- Drops file in System32 directory
PID:2596 -
C:\Windows\SysWOW64\Kfmjgeaj.exeC:\Windows\system32\Kfmjgeaj.exe76⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2980 -
C:\Windows\SysWOW64\Kilfcpqm.exeC:\Windows\system32\Kilfcpqm.exe77⤵PID:576
-
C:\Windows\SysWOW64\Kmgbdo32.exeC:\Windows\system32\Kmgbdo32.exe78⤵PID:2176
-
C:\Windows\SysWOW64\Kcakaipc.exeC:\Windows\system32\Kcakaipc.exe79⤵PID:808
-
C:\Windows\SysWOW64\Kebgia32.exeC:\Windows\system32\Kebgia32.exe80⤵
- Modifies registry class
PID:2836 -
C:\Windows\SysWOW64\Kmjojo32.exeC:\Windows\system32\Kmjojo32.exe81⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:888 -
C:\Windows\SysWOW64\Kohkfj32.exeC:\Windows\system32\Kohkfj32.exe82⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:1512 -
C:\Windows\SysWOW64\Kfbcbd32.exeC:\Windows\system32\Kfbcbd32.exe83⤵PID:1780
-
C:\Windows\SysWOW64\Kgcpjmcb.exeC:\Windows\system32\Kgcpjmcb.exe84⤵
- Drops file in System32 directory
PID:1552 -
C:\Windows\SysWOW64\Kpjhkjde.exeC:\Windows\system32\Kpjhkjde.exe85⤵PID:2636
-
C:\Windows\SysWOW64\Knmhgf32.exeC:\Windows\system32\Knmhgf32.exe86⤵
- Modifies registry class
PID:1156 -
C:\Windows\SysWOW64\Kegqdqbl.exeC:\Windows\system32\Kegqdqbl.exe87⤵
- System Location Discovery: System Language Discovery
PID:2252 -
C:\Windows\SysWOW64\Kgemplap.exeC:\Windows\system32\Kgemplap.exe88⤵
- Drops file in System32 directory
PID:2740 -
C:\Windows\SysWOW64\Knpemf32.exeC:\Windows\system32\Knpemf32.exe89⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3024 -
C:\Windows\SysWOW64\Leimip32.exeC:\Windows\system32\Leimip32.exe90⤵
- System Location Discovery: System Language Discovery
PID:320 -
C:\Windows\SysWOW64\Llcefjgf.exeC:\Windows\system32\Llcefjgf.exe91⤵
- Modifies registry class
PID:476 -
C:\Windows\SysWOW64\Ljffag32.exeC:\Windows\system32\Ljffag32.exe92⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:2972 -
C:\Windows\SysWOW64\Lmebnb32.exeC:\Windows\system32\Lmebnb32.exe93⤵
- Drops file in System32 directory
PID:1980 -
C:\Windows\SysWOW64\Leljop32.exeC:\Windows\system32\Leljop32.exe94⤵
- System Location Discovery: System Language Discovery
PID:2620 -
C:\Windows\SysWOW64\Lgjfkk32.exeC:\Windows\system32\Lgjfkk32.exe95⤵PID:2188
-
C:\Windows\SysWOW64\Ljibgg32.exeC:\Windows\system32\Ljibgg32.exe96⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1576 -
C:\Windows\SysWOW64\Lmgocb32.exeC:\Windows\system32\Lmgocb32.exe97⤵PID:1392
-
C:\Windows\SysWOW64\Lcagpl32.exeC:\Windows\system32\Lcagpl32.exe98⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:908 -
C:\Windows\SysWOW64\Lfpclh32.exeC:\Windows\system32\Lfpclh32.exe99⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:992 -
C:\Windows\SysWOW64\Ljkomfjl.exeC:\Windows\system32\Ljkomfjl.exe100⤵
- System Location Discovery: System Language Discovery
PID:884 -
C:\Windows\SysWOW64\Laegiq32.exeC:\Windows\system32\Laegiq32.exe101⤵PID:2676
-
C:\Windows\SysWOW64\Lphhenhc.exeC:\Windows\system32\Lphhenhc.exe102⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2788 -
C:\Windows\SysWOW64\Lccdel32.exeC:\Windows\system32\Lccdel32.exe103⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2552 -
C:\Windows\SysWOW64\Ljmlbfhi.exeC:\Windows\system32\Ljmlbfhi.exe104⤵PID:1820
-
C:\Windows\SysWOW64\Llohjo32.exeC:\Windows\system32\Llohjo32.exe105⤵
- System Location Discovery: System Language Discovery
PID:592 -
C:\Windows\SysWOW64\Lpjdjmfp.exeC:\Windows\system32\Lpjdjmfp.exe106⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2452 -
C:\Windows\SysWOW64\Lcfqkl32.exeC:\Windows\system32\Lcfqkl32.exe107⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2872 -
C:\Windows\SysWOW64\Legmbd32.exeC:\Windows\system32\Legmbd32.exe108⤵
- Modifies registry class
PID:2820 -
C:\Windows\SysWOW64\Libicbma.exeC:\Windows\system32\Libicbma.exe109⤵
- Modifies registry class
PID:1996 -
C:\Windows\SysWOW64\Mpmapm32.exeC:\Windows\system32\Mpmapm32.exe110⤵PID:1312
-
C:\Windows\SysWOW64\Mpmapm32.exeC:\Windows\system32\Mpmapm32.exe111⤵PID:2256
-
C:\Windows\SysWOW64\Mbkmlh32.exeC:\Windows\system32\Mbkmlh32.exe112⤵
- Modifies registry class
PID:1932 -
C:\Windows\SysWOW64\Mffimglk.exeC:\Windows\system32\Mffimglk.exe113⤵PID:1720
-
C:\Windows\SysWOW64\Mieeibkn.exeC:\Windows\system32\Mieeibkn.exe114⤵PID:916
-
C:\Windows\SysWOW64\Mhhfdo32.exeC:\Windows\system32\Mhhfdo32.exe115⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2208 -
C:\Windows\SysWOW64\Mponel32.exeC:\Windows\system32\Mponel32.exe116⤵PID:2440
-
C:\Windows\SysWOW64\Moanaiie.exeC:\Windows\system32\Moanaiie.exe117⤵
- Modifies registry class
PID:2796 -
C:\Windows\SysWOW64\Mapjmehi.exeC:\Windows\system32\Mapjmehi.exe118⤵PID:2404
-
C:\Windows\SysWOW64\Melfncqb.exeC:\Windows\system32\Melfncqb.exe119⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2728 -
C:\Windows\SysWOW64\Mhjbjopf.exeC:\Windows\system32\Mhjbjopf.exe120⤵
- Modifies registry class
PID:1680 -
C:\Windows\SysWOW64\Mlfojn32.exeC:\Windows\system32\Mlfojn32.exe121⤵PID:2228
-
C:\Windows\SysWOW64\Modkfi32.exeC:\Windows\system32\Modkfi32.exe122⤵
- Drops file in System32 directory
PID:1716 -
C:\Windows\SysWOW64\Mabgcd32.exeC:\Windows\system32\Mabgcd32.exe123⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1448 -
C:\Windows\SysWOW64\Mdacop32.exeC:\Windows\system32\Mdacop32.exe124⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1656 -
C:\Windows\SysWOW64\Mofglh32.exeC:\Windows\system32\Mofglh32.exe125⤵
- System Location Discovery: System Language Discovery
PID:1128 -
C:\Windows\SysWOW64\Meppiblm.exeC:\Windows\system32\Meppiblm.exe126⤵PID:2012
-
C:\Windows\SysWOW64\Mdcpdp32.exeC:\Windows\system32\Mdcpdp32.exe127⤵PID:952
-
C:\Windows\SysWOW64\Mgalqkbk.exeC:\Windows\system32\Mgalqkbk.exe128⤵
- Drops file in System32 directory
PID:2448 -
C:\Windows\SysWOW64\Moidahcn.exeC:\Windows\system32\Moidahcn.exe129⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2376 -
C:\Windows\SysWOW64\Ndemjoae.exeC:\Windows\system32\Ndemjoae.exe130⤵
- Modifies registry class
PID:1604 -
C:\Windows\SysWOW64\Ngdifkpi.exeC:\Windows\system32\Ngdifkpi.exe131⤵PID:2868
-
C:\Windows\SysWOW64\Nkpegi32.exeC:\Windows\system32\Nkpegi32.exe132⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:1160 -
C:\Windows\SysWOW64\Nibebfpl.exeC:\Windows\system32\Nibebfpl.exe133⤵PID:1028
-
C:\Windows\SysWOW64\Naimccpo.exeC:\Windows\system32\Naimccpo.exe134⤵PID:1840
-
C:\Windows\SysWOW64\Nplmop32.exeC:\Windows\system32\Nplmop32.exe135⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1816 -
C:\Windows\SysWOW64\Nckjkl32.exeC:\Windows\system32\Nckjkl32.exe136⤵PID:1872
-
C:\Windows\SysWOW64\Ngfflj32.exeC:\Windows\system32\Ngfflj32.exe137⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1104 -
C:\Windows\SysWOW64\Niebhf32.exeC:\Windows\system32\Niebhf32.exe138⤵PID:836
-
C:\Windows\SysWOW64\Nmpnhdfc.exeC:\Windows\system32\Nmpnhdfc.exe139⤵
- Drops file in System32 directory
- Modifies registry class
PID:2244 -
C:\Windows\SysWOW64\Npojdpef.exeC:\Windows\system32\Npojdpef.exe140⤵
- Modifies registry class
PID:2408 -
C:\Windows\SysWOW64\Ndjfeo32.exeC:\Windows\system32\Ndjfeo32.exe141⤵
- System Location Discovery: System Language Discovery
PID:2752 -
C:\Windows\SysWOW64\Ngibaj32.exeC:\Windows\system32\Ngibaj32.exe142⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2976 -
C:\Windows\SysWOW64\Nekbmgcn.exeC:\Windows\system32\Nekbmgcn.exe143⤵
- Modifies registry class
PID:2292 -
C:\Windows\SysWOW64\Nigome32.exeC:\Windows\system32\Nigome32.exe144⤵PID:1864
-
C:\Windows\SysWOW64\Nlekia32.exeC:\Windows\system32\Nlekia32.exe145⤵
- Drops file in System32 directory
PID:340 -
C:\Windows\SysWOW64\Npagjpcd.exeC:\Windows\system32\Npagjpcd.exe146⤵
- Drops file in System32 directory
PID:2952 -
C:\Windows\SysWOW64\Ncpcfkbg.exeC:\Windows\system32\Ncpcfkbg.exe147⤵PID:308
-
C:\Windows\SysWOW64\Ngkogj32.exeC:\Windows\system32\Ngkogj32.exe148⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2332 -
C:\Windows\SysWOW64\Nenobfak.exeC:\Windows\system32\Nenobfak.exe149⤵
- System Location Discovery: System Language Discovery
PID:2756 -
C:\Windows\SysWOW64\Nhllob32.exeC:\Windows\system32\Nhllob32.exe150⤵PID:700
-
C:\Windows\SysWOW64\Npccpo32.exeC:\Windows\system32\Npccpo32.exe151⤵PID:652
-
C:\Windows\SysWOW64\Nofdklgl.exeC:\Windows\system32\Nofdklgl.exe152⤵
- System Location Discovery: System Language Discovery
PID:1792 -
C:\Windows\SysWOW64\Nadpgggp.exeC:\Windows\system32\Nadpgggp.exe153⤵
- Drops file in System32 directory
PID:1544 -
C:\Windows\SysWOW64\Nilhhdga.exeC:\Windows\system32\Nilhhdga.exe154⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1356 -
C:\Windows\SysWOW64\Nljddpfe.exeC:\Windows\system32\Nljddpfe.exe155⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2916 -
C:\Windows\SysWOW64\Nkmdpm32.exeC:\Windows\system32\Nkmdpm32.exe156⤵
- System Location Discovery: System Language Discovery
PID:2296 -
C:\Windows\SysWOW64\Ocdmaj32.exeC:\Windows\system32\Ocdmaj32.exe157⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2992 -
C:\Windows\SysWOW64\Oebimf32.exeC:\Windows\system32\Oebimf32.exe158⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:2160 -
C:\Windows\SysWOW64\Odeiibdq.exeC:\Windows\system32\Odeiibdq.exe159⤵
- Drops file in System32 directory
PID:1264 -
C:\Windows\SysWOW64\Ollajp32.exeC:\Windows\system32\Ollajp32.exe160⤵PID:2764
-
C:\Windows\SysWOW64\Okoafmkm.exeC:\Windows\system32\Okoafmkm.exe161⤵
- System Location Discovery: System Language Discovery
PID:2576 -
C:\Windows\SysWOW64\Ocfigjlp.exeC:\Windows\system32\Ocfigjlp.exe162⤵
- System Location Discovery: System Language Discovery
PID:2320 -
C:\Windows\SysWOW64\Oaiibg32.exeC:\Windows\system32\Oaiibg32.exe163⤵PID:1808
-
C:\Windows\SysWOW64\Odhfob32.exeC:\Windows\system32\Odhfob32.exe164⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2888 -
C:\Windows\SysWOW64\Olonpp32.exeC:\Windows\system32\Olonpp32.exe165⤵PID:1824
-
C:\Windows\SysWOW64\Oomjlk32.exeC:\Windows\system32\Oomjlk32.exe166⤵PID:1688
-
C:\Windows\SysWOW64\Onpjghhn.exeC:\Windows\system32\Onpjghhn.exe167⤵
- Drops file in System32 directory
PID:1668 -
C:\Windows\SysWOW64\Oegbheiq.exeC:\Windows\system32\Oegbheiq.exe168⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2784 -
C:\Windows\SysWOW64\Ohendqhd.exeC:\Windows\system32\Ohendqhd.exe169⤵PID:1728
-
C:\Windows\SysWOW64\Oghopm32.exeC:\Windows\system32\Oghopm32.exe170⤵
- Drops file in System32 directory
- Modifies registry class
PID:1740 -
C:\Windows\SysWOW64\Okdkal32.exeC:\Windows\system32\Okdkal32.exe171⤵PID:2616
-
C:\Windows\SysWOW64\Onbgmg32.exeC:\Windows\system32\Onbgmg32.exe172⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:3008 -
C:\Windows\SysWOW64\Oancnfoe.exeC:\Windows\system32\Oancnfoe.exe173⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1756 -
C:\Windows\SysWOW64\Odlojanh.exeC:\Windows\system32\Odlojanh.exe174⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:920 -
C:\Windows\SysWOW64\Ohhkjp32.exeC:\Windows\system32\Ohhkjp32.exe175⤵
- Drops file in System32 directory
PID:1692 -
C:\Windows\SysWOW64\Okfgfl32.exeC:\Windows\system32\Okfgfl32.exe176⤵
- Modifies registry class
PID:1828 -
C:\Windows\SysWOW64\Ojigbhlp.exeC:\Windows\system32\Ojigbhlp.exe177⤵
- Drops file in System32 directory
PID:2396 -
C:\Windows\SysWOW64\Oappcfmb.exeC:\Windows\system32\Oappcfmb.exe178⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2656 -
C:\Windows\SysWOW64\Oqcpob32.exeC:\Windows\system32\Oqcpob32.exe179⤵PID:1308
-
C:\Windows\SysWOW64\Ocalkn32.exeC:\Windows\system32\Ocalkn32.exe180⤵
- System Location Discovery: System Language Discovery
PID:1088 -
C:\Windows\SysWOW64\Ogmhkmki.exeC:\Windows\system32\Ogmhkmki.exe181⤵PID:3100
-
C:\Windows\SysWOW64\Pjldghjm.exeC:\Windows\system32\Pjldghjm.exe182⤵PID:3140
-
C:\Windows\SysWOW64\Pqemdbaj.exeC:\Windows\system32\Pqemdbaj.exe183⤵PID:3180
-
C:\Windows\SysWOW64\Pcdipnqn.exeC:\Windows\system32\Pcdipnqn.exe184⤵
- Modifies registry class
PID:3220 -
C:\Windows\SysWOW64\Pgpeal32.exeC:\Windows\system32\Pgpeal32.exe185⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:3260 -
C:\Windows\SysWOW64\Pjnamh32.exeC:\Windows\system32\Pjnamh32.exe186⤵
- System Location Discovery: System Language Discovery
PID:3300 -
C:\Windows\SysWOW64\Pmlmic32.exeC:\Windows\system32\Pmlmic32.exe187⤵PID:3340
-
C:\Windows\SysWOW64\Pqhijbog.exeC:\Windows\system32\Pqhijbog.exe188⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:3380 -
C:\Windows\SysWOW64\Pcfefmnk.exeC:\Windows\system32\Pcfefmnk.exe189⤵
- Modifies registry class
PID:3420 -
C:\Windows\SysWOW64\Pfdabino.exeC:\Windows\system32\Pfdabino.exe190⤵PID:3460
-
C:\Windows\SysWOW64\Pjpnbg32.exeC:\Windows\system32\Pjpnbg32.exe191⤵
- Drops file in System32 directory
PID:3500 -
C:\Windows\SysWOW64\Pmojocel.exeC:\Windows\system32\Pmojocel.exe192⤵PID:3540
-
C:\Windows\SysWOW64\Pqjfoa32.exeC:\Windows\system32\Pqjfoa32.exe193⤵
- Drops file in System32 directory
PID:3580 -
C:\Windows\SysWOW64\Pcibkm32.exeC:\Windows\system32\Pcibkm32.exe194⤵
- Modifies registry class
PID:3620 -
C:\Windows\SysWOW64\Pbkbgjcc.exeC:\Windows\system32\Pbkbgjcc.exe195⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:3660 -
C:\Windows\SysWOW64\Pjbjhgde.exeC:\Windows\system32\Pjbjhgde.exe196⤵PID:3700
-
C:\Windows\SysWOW64\Piekcd32.exeC:\Windows\system32\Piekcd32.exe197⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3740 -
C:\Windows\SysWOW64\Pkdgpo32.exeC:\Windows\system32\Pkdgpo32.exe198⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:3780 -
C:\Windows\SysWOW64\Poocpnbm.exeC:\Windows\system32\Poocpnbm.exe199⤵
- Drops file in System32 directory
PID:3820 -
C:\Windows\SysWOW64\Pbnoliap.exeC:\Windows\system32\Pbnoliap.exe200⤵PID:3860
-
C:\Windows\SysWOW64\Pfikmh32.exeC:\Windows\system32\Pfikmh32.exe201⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:3900 -
C:\Windows\SysWOW64\Pihgic32.exeC:\Windows\system32\Pihgic32.exe202⤵
- Drops file in System32 directory
PID:3940 -
C:\Windows\SysWOW64\Pmccjbaf.exeC:\Windows\system32\Pmccjbaf.exe203⤵
- Drops file in System32 directory
PID:3980 -
C:\Windows\SysWOW64\Poapfn32.exeC:\Windows\system32\Poapfn32.exe204⤵
- System Location Discovery: System Language Discovery
PID:4020 -
C:\Windows\SysWOW64\Pndpajgd.exeC:\Windows\system32\Pndpajgd.exe205⤵
- Drops file in System32 directory
PID:4060 -
C:\Windows\SysWOW64\Qflhbhgg.exeC:\Windows\system32\Qflhbhgg.exe206⤵
- System Location Discovery: System Language Discovery
PID:3076 -
C:\Windows\SysWOW64\Qeohnd32.exeC:\Windows\system32\Qeohnd32.exe207⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3124 -
C:\Windows\SysWOW64\Qgmdjp32.exeC:\Windows\system32\Qgmdjp32.exe208⤵PID:3172
-
C:\Windows\SysWOW64\Qodlkm32.exeC:\Windows\system32\Qodlkm32.exe209⤵PID:3228
-
C:\Windows\SysWOW64\Qbbhgi32.exeC:\Windows\system32\Qbbhgi32.exe210⤵
- Modifies registry class
PID:3280 -
C:\Windows\SysWOW64\Qqeicede.exeC:\Windows\system32\Qqeicede.exe211⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3324 -
C:\Windows\SysWOW64\Qiladcdh.exeC:\Windows\system32\Qiladcdh.exe212⤵
- Drops file in System32 directory
PID:3372 -
C:\Windows\SysWOW64\Qkkmqnck.exeC:\Windows\system32\Qkkmqnck.exe213⤵
- Modifies registry class
PID:3440 -
C:\Windows\SysWOW64\Aniimjbo.exeC:\Windows\system32\Aniimjbo.exe214⤵
- System Location Discovery: System Language Discovery
PID:3476 -
C:\Windows\SysWOW64\Aaheie32.exeC:\Windows\system32\Aaheie32.exe215⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3528 -
C:\Windows\SysWOW64\Acfaeq32.exeC:\Windows\system32\Acfaeq32.exe216⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3564 -
C:\Windows\SysWOW64\Aganeoip.exeC:\Windows\system32\Aganeoip.exe217⤵
- System Location Discovery: System Language Discovery
PID:3632 -
C:\Windows\SysWOW64\Ajpjakhc.exeC:\Windows\system32\Ajpjakhc.exe218⤵PID:3672
-
C:\Windows\SysWOW64\Anlfbi32.exeC:\Windows\system32\Anlfbi32.exe219⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:3728 -
C:\Windows\SysWOW64\Aajbne32.exeC:\Windows\system32\Aajbne32.exe220⤵PID:3776
-
C:\Windows\SysWOW64\Achojp32.exeC:\Windows\system32\Achojp32.exe221⤵PID:3836
-
C:\Windows\SysWOW64\Afgkfl32.exeC:\Windows\system32\Afgkfl32.exe222⤵
- Modifies registry class
PID:3876 -
C:\Windows\SysWOW64\Ajbggjfq.exeC:\Windows\system32\Ajbggjfq.exe223⤵PID:3924
-
C:\Windows\SysWOW64\Amqccfed.exeC:\Windows\system32\Amqccfed.exe224⤵
- System Location Discovery: System Language Discovery
PID:3976 -
C:\Windows\SysWOW64\Aaloddnn.exeC:\Windows\system32\Aaloddnn.exe225⤵
- Modifies registry class
PID:4028 -
C:\Windows\SysWOW64\Ackkppma.exeC:\Windows\system32\Ackkppma.exe226⤵PID:4076
-
C:\Windows\SysWOW64\Agfgqo32.exeC:\Windows\system32\Agfgqo32.exe227⤵PID:3116
-
C:\Windows\SysWOW64\Afiglkle.exeC:\Windows\system32\Afiglkle.exe228⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3164 -
C:\Windows\SysWOW64\Aigchgkh.exeC:\Windows\system32\Aigchgkh.exe229⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:3208 -
C:\Windows\SysWOW64\Amcpie32.exeC:\Windows\system32\Amcpie32.exe230⤵
- Drops file in System32 directory
- Modifies registry class
PID:3292 -
C:\Windows\SysWOW64\Apalea32.exeC:\Windows\system32\Apalea32.exe231⤵PID:3360
-
C:\Windows\SysWOW64\Acmhepko.exeC:\Windows\system32\Acmhepko.exe232⤵
- Modifies registry class
PID:3408 -
C:\Windows\SysWOW64\Ajgpbj32.exeC:\Windows\system32\Ajgpbj32.exe233⤵
- Drops file in System32 directory
PID:3508 -
C:\Windows\SysWOW64\Aijpnfif.exeC:\Windows\system32\Aijpnfif.exe234⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:3552 -
C:\Windows\SysWOW64\Alhmjbhj.exeC:\Windows\system32\Alhmjbhj.exe235⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:3608 -
C:\Windows\SysWOW64\Acpdko32.exeC:\Windows\system32\Acpdko32.exe236⤵PID:3680
-
C:\Windows\SysWOW64\Afnagk32.exeC:\Windows\system32\Afnagk32.exe237⤵PID:3756
-
C:\Windows\SysWOW64\Bilmcf32.exeC:\Windows\system32\Bilmcf32.exe238⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:3816 -
C:\Windows\SysWOW64\Blkioa32.exeC:\Windows\system32\Blkioa32.exe239⤵PID:3856
-
C:\Windows\SysWOW64\Bbdallnd.exeC:\Windows\system32\Bbdallnd.exe240⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:3912 -
C:\Windows\SysWOW64\Bhajdblk.exeC:\Windows\system32\Bhajdblk.exe241⤵
- System Location Discovery: System Language Discovery
PID:3988 -
C:\Windows\SysWOW64\Bphbeplm.exeC:\Windows\system32\Bphbeplm.exe242⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:4044