Analysis
max time kernel: 115s
max time network: 19s
platform: windows7_x64
resource: win7-20240704-en
resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
submitted: 06-08-2024 18:25
Static task: static1
Behavioral task: behavioral1
Sample: d7bcab6d090e6d2ea29490905fe32410N.exe
Resource: win7-20240704-en
General
Target: d7bcab6d090e6d2ea29490905fe32410N.exe
Size: 163KB
MD5: d7bcab6d090e6d2ea29490905fe32410
SHA1: 75690cacc19c0b1a8f1e4d09d68a9852d8afde6c
SHA256: 2f7b88be4448ef85b3a0f0879be89a789d68511504f17becf6f982f438be1548
SHA512: df339e22dde1956f0c109dd38a96218fe18136b664f76c36f489cef1bb465bf2d5a7deaccbb0180c81525c667b502cb8b66d7dfef6881d4e167497f1a87142d8
SSDEEP: 1536:PLpAkB1+/yDJVoXhFuAtszdfkHQAVagdlProNVU4qNVUrk/9QbfBr+7GwKrPAsqE:DpheDDdszdfkHQjgdltOrWKDBr+yJb
Malware Config
Signatures
Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
Executes dropped EXE (64 IoCs)
Loads dropped DLL (64 IoCs)
Drops file in System32 directory (64 IoCs)
Program crash (1 IoC)
Processes: WerFault.exe (pid 4252), target process Lfnkejeg.exe (pid 2440)
System Location Discovery: System Language Discovery (1 TTP, 64 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Modifies registry class (64 IoCs)
\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jabmdd32.dll" Kdoaackf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fdkheh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Abkdaqcl.dll" Ibehna32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dlpdifda.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Belcck32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Afjgjj32.dll" Dgphpi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gqjncg32.dll" Dmpckbci.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ipqmgbbf.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes (numbered by nesting depth in the process tree)

1. C:\Users\Admin\AppData\Local\Temp\d7bcab6d090e6d2ea29490905fe32410N.exe (PID 2564), command line: "C:\Users\Admin\AppData\Local\Temp\d7bcab6d090e6d2ea29490905fe32410N.exe"
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
2. C:\Windows\SysWOW64\Ejpipf32.exe (PID 2908), command line: C:\Windows\system32\Ejpipf32.exe
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
3. C:\Windows\SysWOW64\Ebkndibq.exe (PID 1144), command line: C:\Windows\system32\Ebkndibq.exe
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
4. C:\Windows\SysWOW64\Fijolbfh.exe (PID 2768), command line: C:\Windows\system32\Fijolbfh.exe
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
5. C:\Windows\SysWOW64\Fkmhij32.exe (PID 2784), command line: C:\Windows\system32\Fkmhij32.exe
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
6. C:\Windows\SysWOW64\Flmecm32.exe (PID 2656), command line: C:\Windows\system32\Flmecm32.exe
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
7. C:\Windows\SysWOW64\Fkdoii32.exe (PID 2692), command line: C:\Windows\system32\Fkdoii32.exe
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
8. C:\Windows\SysWOW64\Gdophn32.exe (PID 2124), command line: C:\Windows\system32\Gdophn32.exe
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
9. C:\Windows\SysWOW64\Gebiefle.exe (PID 2512), command line: C:\Windows\system32\Gebiefle.exe
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
10. C:\Windows\SysWOW64\Gokmnlcf.exe (PID 1808), command line: C:\Windows\system32\Gokmnlcf.exe
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
11. C:\Windows\SysWOW64\Gdjblboj.exe (PID 2680), command line: C:\Windows\system32\Gdjblboj.exe
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
12. C:\Windows\SysWOW64\Hnecjgch.exe (PID 2136), command line: C:\Windows\system32\Hnecjgch.exe
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
13. C:\Windows\SysWOW64\Hkidclbb.exe (PID 3064), command line: C:\Windows\system32\Hkidclbb.exe
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
14. C:\Windows\SysWOW64\Igdndl32.exe (PID 944), command line: C:\Windows\system32\Igdndl32.exe
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
15. C:\Windows\SysWOW64\Ickoimie.exe (PID 2068), command line: C:\Windows\system32\Ickoimie.exe
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
16. C:\Windows\SysWOW64\Ikhqbo32.exe (PID 3016), command line: C:\Windows\system32\Ikhqbo32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
17. C:\Windows\SysWOW64\Iaheqe32.exe (PID 3032), command line: C:\Windows\system32\Iaheqe32.exe
- Executes dropped EXE
- Loads dropped DLL
18. C:\Windows\SysWOW64\Jmqckf32.exe (PID 632), command line: C:\Windows\system32\Jmqckf32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
19. C:\Windows\SysWOW64\Jmcpqfba.exe (PID 2312), command line: C:\Windows\system32\Jmcpqfba.exe
- Executes dropped EXE
- Loads dropped DLL
20. C:\Windows\SysWOW64\Jijqeg32.exe (PID 1804), command line: C:\Windows\system32\Jijqeg32.exe
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
21. C:\Windows\SysWOW64\Jpfehq32.exe (PID 752), command line: C:\Windows\system32\Jpfehq32.exe
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
22. C:\Windows\SysWOW64\Keekeg32.exe (PID 1308), command line: C:\Windows\system32\Keekeg32.exe
- Executes dropped EXE
- Loads dropped DLL
23. C:\Windows\SysWOW64\Kpkocpjj.exe (PID 2572), command line: C:\Windows\system32\Kpkocpjj.exe
- Executes dropped EXE
- Loads dropped DLL
24. C:\Windows\SysWOW64\Kdoaackf.exe (PID 3056), command line: C:\Windows\system32\Kdoaackf.exe
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
25. C:\Windows\SysWOW64\Kmgekh32.exe (PID 2292), command line: C:\Windows\system32\Kmgekh32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
26. C:\Windows\SysWOW64\Llooad32.exe (PID 3012), command line: C:\Windows\system32\Llooad32.exe
- Executes dropped EXE
- Loads dropped DLL
27. C:\Windows\SysWOW64\Lhhmle32.exe (PID 1648), command line: C:\Windows\system32\Lhhmle32.exe
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
28. C:\Windows\SysWOW64\Mnjnolap.exe (PID 2584), command line: C:\Windows\system32\Mnjnolap.exe
- Executes dropped EXE
- Loads dropped DLL
29. C:\Windows\SysWOW64\Mhaobd32.exe (PID 1688), command line: C:\Windows\system32\Mhaobd32.exe
- Executes dropped EXE
- Loads dropped DLL
30. C:\Windows\SysWOW64\Ncnmhajo.exe (PID 2320), command line: C:\Windows\system32\Ncnmhajo.exe
- Executes dropped EXE
- Loads dropped DLL
31. C:\Windows\SysWOW64\Nfnfjmgp.exe (PID 3004), command line: C:\Windows\system32\Nfnfjmgp.exe
- Executes dropped EXE
- Loads dropped DLL
32. C:\Windows\SysWOW64\Nokdnail.exe (PID 2104), command line: C:\Windows\system32\Nokdnail.exe
- Executes dropped EXE
- Loads dropped DLL
33. C:\Windows\SysWOW64\Ngfhbd32.exe (PID 2800), command line: C:\Windows\system32\Ngfhbd32.exe
- Executes dropped EXE
34. C:\Windows\SysWOW64\Onejjm32.exe (PID 1368), command line: C:\Windows\system32\Onejjm32.exe
- Executes dropped EXE
35. C:\Windows\SysWOW64\Ognobcqo.exe (PID 836), command line: C:\Windows\system32\Ognobcqo.exe
- Executes dropped EXE
36. C:\Windows\SysWOW64\Opkpme32.exe (PID 1168), command line: C:\Windows\system32\Opkpme32.exe
- Executes dropped EXE
- Modifies registry class
37. C:\Windows\SysWOW64\Pmoqfi32.exe (PID 2924), command line: C:\Windows\system32\Pmoqfi32.exe
- Executes dropped EXE
- Drops file in System32 directory
38. C:\Windows\SysWOW64\Ppbfmdfo.exe (PID 2520), command line: C:\Windows\system32\Ppbfmdfo.exe
- Executes dropped EXE
39. C:\Windows\SysWOW64\Pligbekc.exe (PID 2868), command line: C:\Windows\system32\Pligbekc.exe
- Executes dropped EXE
40. C:\Windows\SysWOW64\Plkchdiq.exe (PID 2516), command line: C:\Windows\system32\Plkchdiq.exe
- Executes dropped EXE
41. C:\Windows\SysWOW64\Qhbdmeoe.exe (PID 2004), command line: C:\Windows\system32\Qhbdmeoe.exe
- Executes dropped EXE
42. C:\Windows\SysWOW64\Qajiek32.exe (PID 2436), command line: C:\Windows\system32\Qajiek32.exe
- Executes dropped EXE
- System Location Discovery: System Language Discovery
43. C:\Windows\SysWOW64\Qifnjm32.exe (PID 3036), command line: C:\Windows\system32\Qifnjm32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
44. C:\Windows\SysWOW64\Abnbccia.exe (PID 888), command line: C:\Windows\system32\Abnbccia.exe
- Executes dropped EXE
45. C:\Windows\SysWOW64\Amcfpl32.exe (PID 1028), command line: C:\Windows\system32\Amcfpl32.exe
- Executes dropped EXE
46. C:\Windows\SysWOW64\Ahpdficc.exe (PID 1496), command line: C:\Windows\system32\Ahpdficc.exe
- Executes dropped EXE
47. C:\Windows\SysWOW64\Aecdpmbm.exe (PID 964), command line: C:\Windows\system32\Aecdpmbm.exe
- Executes dropped EXE
48. C:\Windows\SysWOW64\Akpmhdqd.exe (PID 2168), command line: C:\Windows\system32\Akpmhdqd.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
49. C:\Windows\SysWOW64\Bhdmahpn.exe (PID 2116), command line: C:\Windows\system32\Bhdmahpn.exe
- Executes dropped EXE
50. C:\Windows\SysWOW64\Bonenbgj.exe (PID 1616), command line: C:\Windows\system32\Bonenbgj.exe
- Executes dropped EXE
51. C:\Windows\SysWOW64\Boqbcbeh.exe (PID 3060), command line: C:\Windows\system32\Boqbcbeh.exe
- Executes dropped EXE
52. C:\Windows\SysWOW64\Bdmklico.exe (PID 3000), command line: C:\Windows\system32\Bdmklico.exe
- Executes dropped EXE
53. C:\Windows\SysWOW64\Bjjcdp32.exe (PID 2592), command line: C:\Windows\system32\Bjjcdp32.exe
- Executes dropped EXE
54. C:\Windows\SysWOW64\Bpdkajic.exe (PID 2148), command line: C:\Windows\system32\Bpdkajic.exe
- Executes dropped EXE
55. C:\Windows\SysWOW64\Bnhljnhm.exe (PID 1672), command line: C:\Windows\system32\Bnhljnhm.exe
- Executes dropped EXE
- Modifies registry class
56. C:\Windows\SysWOW64\Bcedbefd.exe (PID 2852), command line: C:\Windows\system32\Bcedbefd.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
57. C:\Windows\SysWOW64\Colegflh.exe (PID 2968), command line: C:\Windows\system32\Colegflh.exe
- Executes dropped EXE
58. C:\Windows\SysWOW64\Cpkaai32.exe (PID 2700), command line: C:\Windows\system32\Cpkaai32.exe
- Executes dropped EXE
- System Location Discovery: System Language Discovery
59. C:\Windows\SysWOW64\Cjcfjoil.exe (PID 2748), command line: C:\Windows\system32\Cjcfjoil.exe
- Executes dropped EXE
60. C:\Windows\SysWOW64\Cclkcdpl.exe (PID 2804), command line: C:\Windows\system32\Cclkcdpl.exe
- Executes dropped EXE
61. C:\Windows\SysWOW64\Ckgogfmg.exe (PID 2936), command line: C:\Windows\system32\Ckgogfmg.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
62. C:\Windows\SysWOW64\Cfmceomm.exe (PID 2964), command line: C:\Windows\system32\Cfmceomm.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
63. C:\Windows\SysWOW64\Cnhhia32.exe (PID 1988), command line: C:\Windows\system32\Cnhhia32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
64. C:\Windows\SysWOW64\Dklibf32.exe (PID 2248), command line: C:\Windows\system32\Dklibf32.exe
- Executes dropped EXE
- Drops file in System32 directory
65. C:\Windows\SysWOW64\Dgbiggof.exe (PID 1632), command line: C:\Windows\system32\Dgbiggof.exe
- Executes dropped EXE
66. C:\Windows\SysWOW64\Dmobpn32.exe (PID 2228), command line: C:\Windows\system32\Dmobpn32.exe
67. C:\Windows\SysWOW64\Djcbib32.exe (PID 948), command line: C:\Windows\system32\Djcbib32.exe
68. C:\Windows\SysWOW64\Dopkai32.exe (PID 2412), command line: C:\Windows\system32\Dopkai32.exe
69. C:\Windows\SysWOW64\Djfooa32.exe (PID 1656), command line: C:\Windows\system32\Djfooa32.exe
70. C:\Windows\SysWOW64\Dpbgghhl.exe (PID 1220), command line: C:\Windows\system32\Dpbgghhl.exe
- Drops file in System32 directory
71. C:\Windows\SysWOW64\Dpedmhfi.exe (PID 3048), command line: C:\Windows\system32\Dpedmhfi.exe
72. C:\Windows\SysWOW64\Eeameodq.exe (PID 2368), command line: C:\Windows\system32\Eeameodq.exe
- Modifies registry class
73. C:\Windows\SysWOW64\Elleai32.exe (PID 2720), command line: C:\Windows\system32\Elleai32.exe
74. C:\Windows\SysWOW64\Eipekmjg.exe (PID 2636), command line: C:\Windows\system32\Eipekmjg.exe
75. C:\Windows\SysWOW64\Elbkbh32.exe (PID 2880), command line: C:\Windows\system32\Elbkbh32.exe
76. C:\Windows\SysWOW64\Eapcjo32.exe (PID 2648), command line: C:\Windows\system32\Eapcjo32.exe
77. C:\Windows\SysWOW64\Efllcf32.exe (PID 1396), command line: C:\Windows\system32\Efllcf32.exe
78. C:\Windows\SysWOW64\Fabppo32.exe (PID 2912), command line: C:\Windows\system32\Fabppo32.exe
79. C:\Windows\SysWOW64\Fdpmljan.exe (PID 924), command line: C:\Windows\system32\Fdpmljan.exe
- Modifies registry class
80. C:\Windows\SysWOW64\Fimedaoe.exe (PID 764), command line: C:\Windows\system32\Fimedaoe.exe
81. C:\Windows\SysWOW64\Fdbibjok.exe (PID 1792), command line: C:\Windows\system32\Fdbibjok.exe
- System Location Discovery: System Language Discovery
82. C:\Windows\SysWOW64\Fjlaod32.exe (PID 856), command line: C:\Windows\system32\Fjlaod32.exe
83. C:\Windows\SysWOW64\Fpijgk32.exe (PID 2020), command line: C:\Windows\system32\Fpijgk32.exe
84. C:\Windows\SysWOW64\Fefboabg.exe (PID 936), command line: C:\Windows\system32\Fefboabg.exe
85. C:\Windows\SysWOW64\Fbjchfaq.exe (PID 2464), command line: C:\Windows\system32\Fbjchfaq.exe
86. C:\Windows\SysWOW64\Fehodaqd.exe (PID 268), command line: C:\Windows\system32\Fehodaqd.exe
- Adds autorun key to be loaded by Explorer.exe on startup
87. C:\Windows\SysWOW64\Flbgak32.exe (PID 624), command line: C:\Windows\system32\Flbgak32.exe
88. C:\Windows\SysWOW64\Faopib32.exe (PID 2276), command line: C:\Windows\system32\Faopib32.exe
89. C:\Windows\SysWOW64\Gocpcfeb.exe (PID 2952), command line: C:\Windows\system32\Gocpcfeb.exe
90. C:\Windows\SysWOW64\Gkjahg32.exe (PID 2212), command line: C:\Windows\system32\Gkjahg32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
91. C:\Windows\SysWOW64\Gdbeqmag.exe (PID 1728), command line: C:\Windows\system32\Gdbeqmag.exe
92. C:\Windows\SysWOW64\Gklnmgic.exe (PID 2732), command line: C:\Windows\system32\Gklnmgic.exe
- Drops file in System32 directory
93. C:\Windows\SysWOW64\Ghpngkhm.exe (PID 2928), command line: C:\Windows\system32\Ghpngkhm.exe
94. C:\Windows\SysWOW64\Gkojcgga.exe (PID 2864), command line: C:\Windows\system32\Gkojcgga.exe
- Adds autorun key to be loaded by Explorer.exe on startup
95. C:\Windows\SysWOW64\Gpkckneh.exe (PID 1716), command line: C:\Windows\system32\Gpkckneh.exe
- System Location Discovery: System Language Discovery
96. C:\Windows\SysWOW64\Gidgdcli.exe (PID 1784), command line: C:\Windows\system32\Gidgdcli.exe
97. C:\Windows\SysWOW64\Hifdjcif.exe (PID 800), command line: C:\Windows\system32\Hifdjcif.exe
- System Location Discovery: System Language Discovery
98. C:\Windows\SysWOW64\Hocmbjhn.exe (PID 1536), command line: C:\Windows\system32\Hocmbjhn.exe
- Adds autorun key to be loaded by Explorer.exe on startup
99. C:\Windows\SysWOW64\Hoeigi32.exe (PID 2500), command line: C:\Windows\system32\Hoeigi32.exe
100. C:\Windows\SysWOW64\Hjkneb32.exe (PID 692), command line: C:\Windows\system32\Hjkneb32.exe
- Modifies registry class
101. C:\Windows\SysWOW64\Hafbid32.exe (PID 1816), command line: C:\Windows\system32\Hafbid32.exe
- System Location Discovery: System Language Discovery
102. C:\Windows\SysWOW64\Hhpjfoji.exe (PID 1196), command line: C:\Windows\system32\Hhpjfoji.exe
103. C:\Windows\SysWOW64\Hojbbiae.exe (PID 2208), command line: C:\Windows\system32\Hojbbiae.exe
- System Location Discovery: System Language Discovery
104. C:\Windows\SysWOW64\Hfdkoc32.exe (PID 1584), command line: C:\Windows\system32\Hfdkoc32.exe
105. C:\Windows\SysWOW64\Iqnlpq32.exe (PID 2776), command line: C:\Windows\system32\Iqnlpq32.exe
- Modifies registry class
106. C:\Windows\SysWOW64\Ijfpif32.exe (PID 2632), command line: C:\Windows\system32\Ijfpif32.exe
107. C:\Windows\SysWOW64\Ijhmnf32.exe (PID 2644), command line: C:\Windows\system32\Ijhmnf32.exe
108. C:\Windows\SysWOW64\Ijkjde32.exe (PID 904), command line: C:\Windows\system32\Ijkjde32.exe
109. C:\Windows\SysWOW64\Iogbllfc.exe (PID 1984), command line: C:\Windows\system32\Iogbllfc.exe
110. C:\Windows\SysWOW64\Jfdgnf32.exe (PID 1972), command line: C:\Windows\system32\Jfdgnf32.exe
111. C:\Windows\SysWOW64\Jollgl32.exe (PID 2236), command line: C:\Windows\system32\Jollgl32.exe
112. C:\Windows\SysWOW64\Joohmk32.exe (PID 2372), command line: C:\Windows\system32\Joohmk32.exe
113. C:\Windows\SysWOW64\Jgjman32.exe (PID 2432), command line: C:\Windows\system32\Jgjman32.exe
114. C:\Windows\SysWOW64\Jgljfmkd.exe (PID 3024), command line: C:\Windows\system32\Jgljfmkd.exe
115. C:\Windows\SysWOW64\Jkjbml32.exe (PID 932), command line: C:\Windows\system32\Jkjbml32.exe
116. C:\Windows\SysWOW64\Kebgea32.exe (PID 2316), command line: C:\Windows\system32\Kebgea32.exe
- System Location Discovery: System Language Discovery
117. C:\Windows\SysWOW64\Kaihjbno.exe (PID 1964), command line: C:\Windows\system32\Kaihjbno.exe
118. C:\Windows\SysWOW64\Kidlodkj.exe (PID 1312), command line: C:\Windows\system32\Kidlodkj.exe
119. C:\Windows\SysWOW64\Kcjqlm32.exe (PID 2144), command line: C:\Windows\system32\Kcjqlm32.exe
- Drops file in System32 directory
120. C:\Windows\SysWOW64\Kleeqp32.exe (PID 2712), command line: C:\Windows\system32\Kleeqp32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
121. C:\Windows\SysWOW64\Kbonmjph.exe (PID 2508), command line: C:\Windows\system32\Kbonmjph.exe
- System Location Discovery: System Language Discovery
122. C:\Windows\SysWOW64\Kofnbk32.exe (PID 2844), command line: C:\Windows\system32\Kofnbk32.exe
- System Location Discovery: System Language Discovery
123. C:\Windows\SysWOW64\Lljolodf.exe (PID 2896), command line: C:\Windows\system32\Lljolodf.exe
- System Location Discovery: System Language Discovery
124. C:\Windows\SysWOW64\Lebcdd32.exe (PID 1364), command line: C:\Windows\system32\Lebcdd32.exe
- Drops file in System32 directory
125. C:\Windows\SysWOW64\Lbfdnijp.exe (PID 1116), command line: C:\Windows\system32\Lbfdnijp.exe
- System Location Discovery: System Language Discovery
126. C:\Windows\SysWOW64\Lomdcj32.exe (PID 2920), command line: C:\Windows\system32\Lomdcj32.exe
127. C:\Windows\SysWOW64\Ldjmkq32.exe (PID 1544), command line: C:\Windows\system32\Ldjmkq32.exe
- System Location Discovery: System Language Discovery
- Modifies registry class
128. C:\Windows\SysWOW64\Lanmde32.exe (PID 1992), command line: C:\Windows\system32\Lanmde32.exe
- Drops file in System32 directory
129. C:\Windows\SysWOW64\Liibigjq.exe (PID 2380), command line: C:\Windows\system32\Liibigjq.exe
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
130. C:\Windows\SysWOW64\Mdnffpif.exe (PID 2444), command line: C:\Windows\system32\Mdnffpif.exe
- Drops file in System32 directory
131. C:\Windows\SysWOW64\Mmgkoe32.exe (PID 1848), command line: C:\Windows\system32\Mmgkoe32.exe
- System Location Discovery: System Language Discovery
132. C:\Windows\SysWOW64\Mdqclpgd.exe (PID 2708), command line: C:\Windows\system32\Mdqclpgd.exe
133. C:\Windows\SysWOW64\Mmigdend.exe (PID 2040), command line: C:\Windows\system32\Mmigdend.exe
134. C:\Windows\SysWOW64\Mgalnk32.exe (PID 2832), command line: C:\Windows\system32\Mgalnk32.exe
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
135. C:\Windows\SysWOW64\Mlndfa32.exe (PID 2624), command line: C:\Windows\system32\Mlndfa32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
136. C:\Windows\SysWOW64\Mchmblji.exe (PID 2044), command line: C:\Windows\system32\Mchmblji.exe
- Drops file in System32 directory
137. C:\Windows\SysWOW64\Mheekb32.exe (PID 1684), command line: C:\Windows\system32\Mheekb32.exe
- System Location Discovery: System Language Discovery
138. C:\Windows\SysWOW64\Meiedg32.exe (PID 1740), command line: C:\Windows\system32\Meiedg32.exe
139. C:\Windows\SysWOW64\Nlnqeeeh.exe (PID 108), command line: C:\Windows\system32\Nlnqeeeh.exe
140. C:\Windows\SysWOW64\Ocjfgo32.exe (PID 2532), command line: C:\Windows\system32\Ocjfgo32.exe
141. C:\Windows\SysWOW64\Okjdfq32.exe (PID 1712), command line: C:\Windows\system32\Okjdfq32.exe
142. C:\Windows\SysWOW64\Odbhofjh.exe (PID 2120), command line: C:\Windows\system32\Odbhofjh.exe
- Drops file in System32 directory
143. C:\Windows\SysWOW64\Oqiidg32.exe (PID 2484), command line: C:\Windows\system32\Oqiidg32.exe
- Modifies registry class
144. C:\Windows\SysWOW64\Pnminkof.exe (PID 1856), command line: C:\Windows\system32\Pnminkof.exe
145. C:\Windows\SysWOW64\Pegaje32.exe (PID 2992), command line: C:\Windows\system32\Pegaje32.exe
146. C:\Windows\SysWOW64\Pnpfckmc.exe (PID 2440), command line: C:\Windows\system32\Pnpfckmc.exe
- Modifies registry class
147. C:\Windows\SysWOW64\Pclolakk.exe (PID 1072), command line: C:\Windows\system32\Pclolakk.exe
- Modifies registry class
148. C:\Windows\SysWOW64\Pjicnlqe.exe (PID 1252), command line: C:\Windows\system32\Pjicnlqe.exe
149. C:\Windows\SysWOW64\Pcahga32.exe (PID 2272), command line: C:\Windows\system32\Pcahga32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
150. C:\Windows\SysWOW64\Pphilb32.exe (PID 1944), command line: C:\Windows\system32\Pphilb32.exe
- Modifies registry class
151. C:\Windows\SysWOW64\Qeeadi32.exe (PID 1920), command line: C:\Windows\system32\Qeeadi32.exe
152. C:\Windows\SysWOW64\Qpjeaa32.exe (PID 2080), command line: C:\Windows\system32\Qpjeaa32.exe
- Drops file in System32 directory
153. C:\Windows\SysWOW64\Qegnii32.exe (PID 988), command line: C:\Windows\system32\Qegnii32.exe
- System Location Discovery: System Language Discovery
154. C:\Windows\SysWOW64\Qnpbbn32.exe (PID 2688), command line: C:\Windows\system32\Qnpbbn32.exe
155. C:\Windows\SysWOW64\Aanonj32.exe (PID 2684), command line: C:\Windows\system32\Aanonj32.exe
156. C:\Windows\SysWOW64\Alcclb32.exe (PID 1592), command line: C:\Windows\system32\Alcclb32.exe
- Modifies registry class
157. C:\Windows\SysWOW64\Abmkhmfe.exe (PID 2724), command line: C:\Windows\system32\Abmkhmfe.exe
158. C:\Windows\SysWOW64\Ajipmocp.exe (PID 1352), command line: C:\Windows\system32\Ajipmocp.exe
159. C:\Windows\SysWOW64\Ahmpfc32.exe (PID 1568), command line: C:\Windows\system32\Ahmpfc32.exe
- Drops file in System32 directory
160. C:\Windows\SysWOW64\Adcakdhn.exe (PID 1600), command line: C:\Windows\system32\Adcakdhn.exe
161. C:\Windows\SysWOW64\Aipickfe.exe (PID 2112), command line: C:\Windows\system32\Aipickfe.exe
162. C:\Windows\SysWOW64\Bmnbjill.exe (PID 2076), command line: C:\Windows\system32\Bmnbjill.exe
163. C:\Windows\SysWOW64\Bdhjfc32.exe (PID 1968), command line: C:\Windows\system32\Bdhjfc32.exe
164. C:\Windows\SysWOW64\Blcokf32.exe (PID 960), command line: C:\Windows\system32\Blcokf32.exe
- Drops file in System32 directory
165. C:\Windows\SysWOW64\Belcck32.exe (PID 2252), command line: C:\Windows\system32\Belcck32.exe
- Modifies registry class
166. C:\Windows\SysWOW64\Bodhlane.exe (PID 2548), command line: C:\Windows\system32\Bodhlane.exe
167. C:\Windows\SysWOW64\Bhlmef32.exe (PID 2216), command line: C:\Windows\system32\Bhlmef32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
168. C:\Windows\SysWOW64\Baeanl32.exe (PID 2328), command line: C:\Windows\system32\Baeanl32.exe
- Modifies registry class
169. C:\Windows\SysWOW64\Bhoikfbb.exe (PID 1096), command line: C:\Windows\system32\Bhoikfbb.exe
170. C:\Windows\SysWOW64\Bnkbcmaj.exe (PID 2468), command line: C:\Windows\system32\Bnkbcmaj.exe
171. C:\Windows\SysWOW64\Chafpfqp.exe (PID 2740), command line: C:\Windows\system32\Chafpfqp.exe
- Modifies registry class
172. C:\Windows\SysWOW64\Cnnohmog.exe (PID 1588), command line: C:\Windows\system32\Cnnohmog.exe
173. C:\Windows\SysWOW64\Cgfcabeh.exe (PID 2260), command line: C:\Windows\system32\Cgfcabeh.exe
174. C:\Windows\SysWOW64\Ckdlgq32.exe (PID 1292), command line: C:\Windows\system32\Ckdlgq32.exe
- Drops file in System32 directory
- Modifies registry class
175. C:\Windows\SysWOW64\Cdlppf32.exe (PID 2860), command line: C:\Windows\system32\Cdlppf32.exe
176. C:\Windows\SysWOW64\Cofaad32.exe (PID 532), command line: C:\Windows\system32\Cofaad32.exe
- Modifies registry class
177. C:\Windows\SysWOW64\Cjlenm32.exe (PID 2140), command line: C:\Windows\system32\Cjlenm32.exe
178. C:\Windows\SysWOW64\Dohnfc32.exe (PID 2244), command line: C:\Windows\system32\Dohnfc32.exe
179. C:\Windows\SysWOW64\Dcffmb32.exe (PID 828), command line: C:\Windows\system32\Dcffmb32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
180. C:\Windows\SysWOW64\Dnpgmp32.exe (PID 928), command line: C:\Windows\system32\Dnpgmp32.exe
181. C:\Windows\SysWOW64\Dheljhof.exe (PID 588), command line: C:\Windows\system32\Dheljhof.exe
182. C:\Windows\SysWOW64\Dqqqokla.exe (PID 2348), command line: C:\Windows\system32\Dqqqokla.exe
183. C:\Windows\SysWOW64\Dkfdlclg.exe (PID 1860), command line: C:\Windows\system32\Dkfdlclg.exe
- Adds autorun key to be loaded by Explorer.exe on startup
184. C:\Windows\SysWOW64\Dcaiqfib.exe (PID 2840), command line: C:\Windows\system32\Dcaiqfib.exe
- Modifies registry class
185. C:\Windows\SysWOW64\Emlkoknp.exe (PID 1580), command line: C:\Windows\system32\Emlkoknp.exe
186. C:\Windows\SysWOW64\Egaoldnf.exe (PID 272), command line: C:\Windows\system32\Egaoldnf.exe
187. C:\Windows\SysWOW64\Eqjceidf.exe (PID 2884), command line: C:\Windows\system32\Eqjceidf.exe
188. C:\Windows\SysWOW64\Epopff32.exe (PID 2608), command line: C:\Windows\system32\Epopff32.exe
189. C:\Windows\SysWOW64\Epamlegl.exe (PID 2288), command line: C:\Windows\system32\Epamlegl.exe
190. C:\Windows\SysWOW64\Fngjmb32.exe (PID 3096), command line: C:\Windows\system32\Fngjmb32.exe
191. C:\Windows\SysWOW64\Fhonegbd.exe (PID 3136), command line: C:\Windows\system32\Fhonegbd.exe
192. C:\Windows\SysWOW64\Fcfojhhh.exe (PID 3176), command line: C:\Windows\system32\Fcfojhhh.exe
- Modifies registry class
193. C:\Windows\SysWOW64\Feeldk32.exe (PID 3216), command line: C:\Windows\system32\Feeldk32.exe
194. C:\Windows\SysWOW64\Fnnpma32.exe (PID 3256), command line: C:\Windows\system32\Fnnpma32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
195. C:\Windows\SysWOW64\Fdkheh32.exe (PID 3296), command line: C:\Windows\system32\Fdkheh32.exe
- Modifies registry class
196. C:\Windows\SysWOW64\Gigano32.exe (PID 3336), command line: C:\Windows\system32\Gigano32.exe
197. C:\Windows\SysWOW64\Gpaikiig.exe (PID 3376), command line: C:\Windows\system32\Gpaikiig.exe
198. C:\Windows\SysWOW64\Gdobqgpn.exe (PID 3416), command line: C:\Windows\system32\Gdobqgpn.exe
199. C:\Windows\SysWOW64\Giaddm32.exe (PID 3456), command line: C:\Windows\system32\Giaddm32.exe
- System Location Discovery: System Language Discovery
200. C:\Windows\SysWOW64\Gkbplepn.exe (PID 3496), command line: C:\Windows\system32\Gkbplepn.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
201. C:\Windows\SysWOW64\Hkdmaenk.exe (PID 3540), command line: C:\Windows\system32\Hkdmaenk.exe
202. C:\Windows\SysWOW64\Hhhmki32.exe (PID 3580), command line: C:\Windows\system32\Hhhmki32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
203. C:\Windows\SysWOW64\Hpcbol32.exe (PID 3620), command line: C:\Windows\system32\Hpcbol32.exe
204. C:\Windows\SysWOW64\Hngbhp32.exe (PID 3660), command line: C:\Windows\system32\Hngbhp32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
205. C:\Windows\SysWOW64\Hkkcbdhc.exe (PID 3752), command line: C:\Windows\system32\Hkkcbdhc.exe
206. C:\Windows\SysWOW64\Hphljkfk.exe (PID 3796), command line: C:\Windows\system32\Hphljkfk.exe
- System Location Discovery: System Language Discovery
207. C:\Windows\SysWOW64\Ipkhpk32.exe (PID 3836), command line: C:\Windows\system32\Ipkhpk32.exe
- Drops file in System32 directory
208. C:\Windows\SysWOW64\Ijcmipjh.exe (PID 3876), command line: C:\Windows\system32\Ijcmipjh.exe
- Drops file in System32 directory
209. C:\Windows\SysWOW64\Ijeinphf.exe (PID 3916), command line: C:\Windows\system32\Ijeinphf.exe
210. C:\Windows\SysWOW64\Ifljcanj.exe (PID 3956), command line: C:\Windows\system32\Ifljcanj.exe
211. C:\Windows\SysWOW64\Iodolf32.exe (PID 3996), command line: C:\Windows\system32\Iodolf32.exe
- Drops file in System32 directory
212. C:\Windows\SysWOW64\Ibehna32.exe (PID 4036), command line: C:\Windows\system32\Ibehna32.exe
- Modifies registry class
213. C:\Windows\SysWOW64\Ihopjl32.exe (PID 4076), command line: C:\Windows\system32\Ihopjl32.exe
- Drops file in System32 directory
214. C:\Windows\SysWOW64\Jbgdcapi.exe (PID 3092), command line: C:\Windows\system32\Jbgdcapi.exe
215. C:\Windows\SysWOW64\Jjcigcmd.exe (PID 3152), command line: C:\Windows\system32\Jjcigcmd.exe
216. C:\Windows\SysWOW64\Jggiah32.exe (PID 3212), command line: C:\Windows\system32\Jggiah32.exe
217. C:\Windows\SysWOW64\Jnqanbcj.exe (PID 3248), command line: C:\Windows\system32\Jnqanbcj.exe
218. C:\Windows\SysWOW64\Jqakompl.exe (PID 3304), command line: C:\Windows\system32\Jqakompl.exe
219. C:\Windows\SysWOW64\Jmhkdnfp.exe (PID 3356), command line: C:\Windows\system32\Jmhkdnfp.exe
-
C:\Windows\SysWOW64\Kbedmedg.exeC:\Windows\system32\Kbedmedg.exe220⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:3388 -
C:\Windows\SysWOW64\Kiolio32.exeC:\Windows\system32\Kiolio32.exe221⤵
- Modifies registry class
PID:3444 -
C:\Windows\SysWOW64\Knnagehi.exeC:\Windows\system32\Knnagehi.exe222⤵PID:3492
-
C:\Windows\SysWOW64\Kicednho.exeC:\Windows\system32\Kicednho.exe223⤵
- Drops file in System32 directory
- Modifies registry class
PID:3548 -
C:\Windows\SysWOW64\Kcmfeldm.exeC:\Windows\system32\Kcmfeldm.exe224⤵
- Modifies registry class
PID:3596 -
C:\Windows\SysWOW64\Kmeknakn.exeC:\Windows\system32\Kmeknakn.exe225⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:3644 -
C:\Windows\SysWOW64\Lmhhcaik.exeC:\Windows\system32\Lmhhcaik.exe226⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:3700 -
C:\Windows\SysWOW64\Lafpipoa.exeC:\Windows\system32\Lafpipoa.exe227⤵PID:3744
-
C:\Windows\SysWOW64\Ljnebe32.exeC:\Windows\system32\Ljnebe32.exe228⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:3788 -
C:\Windows\SysWOW64\Llpajmkq.exeC:\Windows\system32\Llpajmkq.exe229⤵PID:3828
-
C:\Windows\SysWOW64\Licbca32.exeC:\Windows\system32\Licbca32.exe230⤵
- Modifies registry class
PID:3892 -
C:\Windows\SysWOW64\Lopjlh32.exeC:\Windows\system32\Lopjlh32.exe231⤵PID:3988
-
C:\Windows\SysWOW64\Lejbhbpn.exeC:\Windows\system32\Lejbhbpn.exe232⤵
- System Location Discovery: System Language Discovery
PID:4052 -
C:\Windows\SysWOW64\Lhiodnob.exeC:\Windows\system32\Lhiodnob.exe233⤵PID:3080
-
C:\Windows\SysWOW64\Laacmc32.exeC:\Windows\system32\Laacmc32.exe234⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3132 -
C:\Windows\SysWOW64\Mbqpgf32.exeC:\Windows\system32\Mbqpgf32.exe235⤵PID:3224
-
C:\Windows\SysWOW64\Mogqlgbi.exeC:\Windows\system32\Mogqlgbi.exe236⤵PID:3272
-
C:\Windows\SysWOW64\Mddidnqa.exeC:\Windows\system32\Mddidnqa.exe237⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:3344 -
C:\Windows\SysWOW64\Mmlmmdga.exeC:\Windows\system32\Mmlmmdga.exe238⤵PID:3384
-
C:\Windows\SysWOW64\Mhbakmgg.exeC:\Windows\system32\Mhbakmgg.exe239⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3452 -
C:\Windows\SysWOW64\Micnbe32.exeC:\Windows\system32\Micnbe32.exe240⤵PID:3524
-
C:\Windows\SysWOW64\Miekhd32.exeC:\Windows\system32\Miekhd32.exe241⤵PID:3572
-
C:\Windows\SysWOW64\Nihgndip.exeC:\Windows\system32\Nihgndip.exe242⤵PID:3636