Analysis
max time kernel: 121s
max time network: 125s
platform: windows7_x64
resource: win7-20241010-en
resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
submitted: 10-11-2024 01:40

Static task: static1

Behavioral task: behavioral1
Sample: adbc48fe3cc7809ec7310b7880581cf8da54f5e76663c6b2d33a79659892712c.exe
Resource: win7-20241010-en

Behavioral task: behavioral2
Sample: adbc48fe3cc7809ec7310b7880581cf8da54f5e76663c6b2d33a79659892712c.exe
Resource: win10v2004-20241007-en

General
Target: adbc48fe3cc7809ec7310b7880581cf8da54f5e76663c6b2d33a79659892712c.exe
Size: 84KB
MD5: 46de4ab926912ecb1a09cb7b306f59d4
SHA1: 7ba2a0cac37053a22a07c8fd793c36c184d62b10
SHA256: adbc48fe3cc7809ec7310b7880581cf8da54f5e76663c6b2d33a79659892712c
SHA512: ed22be246fe78f07f4f21677864e432d1c9a7f4b9bc94901be59368c7d4e1d6f721fb35eeed7328180324e97e7d65fe75cc37bf2d5f007a84fdb29713a7f3676
SSDEEP: 1536:mPmQc2IwFUedGfOXSREXHfVPfMVwNKT1iqWUPGc4T7VLd:KUvwFUedGWCREXdXNKT1ntPG9pB

Malware Config

Signatures
Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Nhbciaki.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ffmkhe32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Hfebhmbm.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ooidei32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ejfnda32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Eocfmh32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Gbmoceol.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Flfkoeoh.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Jgbjjf32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Kjhopjqi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ogdhik32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Laackgka.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Pcnhmdli.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Noojdc32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Kjhopjqi.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Olalpdbc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Bphooc32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Idghhf32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Idghhf32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Efmckpko.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Kpbhjh32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Adgein32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Gefolhja.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ikocoa32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Klhbdclg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Maapjjml.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ngencpel.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ddnfql32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Lojjfo32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Phobjp32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Okkkoj32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Npfjbn32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Nphbfplf.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bckefnki.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Pgodcich.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Chmibmlo.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Fiedfb32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Lmpeljkm.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Nqmqcmdh.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Paafmp32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Hkogpn32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Hbekojlp.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Abaaoodq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ffpkob32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Hfebhmbm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Jcmgal32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ocdnloph.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Mfqiingf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Pqdelh32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Cmdaeo32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Kbncof32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Laeidfdn.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Clnehado.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Dgnminke.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Gbmlkl32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Lmbabj32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Mdepmh32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Nhbciaki.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Pfhhflmg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Enpban32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ijqjgo32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Nfjildbp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Qpaohjkk.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ainmlomf.exe
Executes dropped EXE (64 IoCs)
pid | process
2040 | Lgfjggll.exe
2388 | Lpnopm32.exe
2768 | Lcmklh32.exe
2892 | Lifcib32.exe
2820 | Lnkege32.exe
2656 | Mnmbme32.exe
2596 | Mnpobefe.exe
388 | Mlgiiaij.exe
1752 | Mhninb32.exe
2936 | Nkobpmlo.exe
2680 | Nhbciaki.exe
584 | Nqpdcc32.exe
3020 | Okhefl32.exe
2444 | Ojmbgh32.exe
1984 | Ocefpnom.exe
700 | Ojblbgdg.exe
912 | Opodknco.exe
2156 | Oleepo32.exe
1356 | Pfkimhhi.exe
2152 | Phobjp32.exe
1556 | Pllkpn32.exe
2192 | Pmnghfhi.exe
1812 | Pfhhflmg.exe
2260 | Qanmcdlm.exe
3024 | Qpcjeaad.exe
2564 | Amgjnepn.exe
1608 | Aeghng32.exe
2744 | Akdafn32.exe
2716 | Adleoc32.exe
2712 | Bkhjamcf.exe
2908 | Bdaojbjf.exe
2616 | Bphooc32.exe
1056 | Bgddam32.exe
1720 | Bckefnki.exe
1480 | Clciod32.exe
568 | Cdqkifmb.exe
768 | Cnnimkom.exe
2336 | Djgfgkbo.exe
2424 | Dinpnged.exe
2264 | Dnkhfnck.exe
2196 | Diqmcgca.exe
980 | Enpban32.exe
1864 | Eejjnhgc.exe
1616 | Eldbkbop.exe
1536 | Eelgcg32.exe
1036 | Efmckpko.exe
2176 | Emgkhj32.exe
1932 | Ehmpeb32.exe
2448 | Einlmkhp.exe
1040 | Ephdjeol.exe
3056 | Ffbmfo32.exe
2420 | Fpjaodmj.exe
2500 | Ficehj32.exe
2736 | Ffgfancd.exe
2724 | Flcojeak.exe
2632 | Felcbk32.exe
1652 | Flfkoeoh.exe
2008 | Gmidlmcd.exe
528 | Goiafp32.exe
780 | Gdfiofhn.exe
692 | Gajjhkgh.exe
1288 | Gkbnap32.exe
2248 | Gcmcebkc.exe
1044 | Glfgnh32.exe
Loads dropped DLL (64 IoCs)
pid | process
1976 | adbc48fe3cc7809ec7310b7880581cf8da54f5e76663c6b2d33a79659892712c.exe
1976 | adbc48fe3cc7809ec7310b7880581cf8da54f5e76663c6b2d33a79659892712c.exe
2040 | Lgfjggll.exe
2040 | Lgfjggll.exe
2388 | Lpnopm32.exe
2388 | Lpnopm32.exe
2768 | Lcmklh32.exe
2768 | Lcmklh32.exe
2892 | Lifcib32.exe
2892 | Lifcib32.exe
2820 | Lnkege32.exe
2820 | Lnkege32.exe
2656 | Mnmbme32.exe
2656 | Mnmbme32.exe
2596 | Mnpobefe.exe
2596 | Mnpobefe.exe
388 | Mlgiiaij.exe
388 | Mlgiiaij.exe
1752 | Mhninb32.exe
1752 | Mhninb32.exe
2936 | Nkobpmlo.exe
2936 | Nkobpmlo.exe
2680 | Nhbciaki.exe
2680 | Nhbciaki.exe
584 | Nqpdcc32.exe
584 | Nqpdcc32.exe
3020 | Okhefl32.exe
3020 | Okhefl32.exe
2444 | Ojmbgh32.exe
2444 | Ojmbgh32.exe
1984 | Ocefpnom.exe
1984 | Ocefpnom.exe
700 | Ojblbgdg.exe
700 | Ojblbgdg.exe
912 | Opodknco.exe
912 | Opodknco.exe
2156 | Oleepo32.exe
2156 | Oleepo32.exe
1356 | Pfkimhhi.exe
1356 | Pfkimhhi.exe
2152 | Phobjp32.exe
2152 | Phobjp32.exe
1556 | Pllkpn32.exe
1556 | Pllkpn32.exe
2192 | Pmnghfhi.exe
2192 | Pmnghfhi.exe
1812 | Pfhhflmg.exe
1812 | Pfhhflmg.exe
2260 | Qanmcdlm.exe
2260 | Qanmcdlm.exe
3024 | Qpcjeaad.exe
3024 | Qpcjeaad.exe
2996 | Aohgfm32.exe
2996 | Aohgfm32.exe
1608 | Aeghng32.exe
1608 | Aeghng32.exe
2744 | Akdafn32.exe
2744 | Akdafn32.exe
2716 | Adleoc32.exe
2716 | Adleoc32.exe
2712 | Bkhjamcf.exe
2712 | Bkhjamcf.exe
2908 | Bdaojbjf.exe
2908 | Bdaojbjf.exe
Drops file in System32 directory (64 IoCs)
description | ioc | process
File created | C:\Windows\SysWOW64\Cnabffeo.exe | Bdinnqon.exe
File opened for modification | C:\Windows\SysWOW64\Iadbqlmh.exe | Ihiabfhk.exe
File created | C:\Windows\SysWOW64\Hdjgff32.dll | Bjfpdf32.exe
File created | C:\Windows\SysWOW64\Lknebaba.exe | Kpgdnp32.exe
File created | C:\Windows\SysWOW64\Lddkfl32.dll | Pglacbbo.exe
File created | C:\Windows\SysWOW64\Ocihgo32.exe | Ocfkaone.exe
File created | C:\Windows\SysWOW64\Lnapncmc.dll | Glfgnh32.exe
File opened for modification | C:\Windows\SysWOW64\Ijlaloaf.exe | Imhqbkbm.exe
File created | C:\Windows\SysWOW64\Dgnminke.exe | Dbadagln.exe
File created | C:\Windows\SysWOW64\Cophjpne.dll | Iafofkkf.exe
File created | C:\Windows\SysWOW64\Hpeplh32.dll | Ipkema32.exe
File opened for modification | C:\Windows\SysWOW64\Jobocn32.exe | Jclnnmic.exe
File created | C:\Windows\SysWOW64\Ndoelpid.exe | Mjgqcj32.exe
File created | C:\Windows\SysWOW64\Idghhf32.exe | Ikocoa32.exe
File opened for modification | C:\Windows\SysWOW64\Jlaeab32.exe | Ipkema32.exe
File created | C:\Windows\SysWOW64\Jobocn32.exe | Jclnnmic.exe
File created | C:\Windows\SysWOW64\Bmdefk32.exe | Abldccka.exe
File opened for modification | C:\Windows\SysWOW64\Cglfndaa.exe | Cmdaeo32.exe
File created | C:\Windows\SysWOW64\Cfmlpf32.dll | Djgfgkbo.exe
File opened for modification | C:\Windows\SysWOW64\Emgkhj32.exe | Efmckpko.exe
File created | C:\Windows\SysWOW64\Jjlmkb32.exe | Jacibm32.exe
File created | C:\Windows\SysWOW64\Gjhjgq32.dll | Kaekljjo.exe
File opened for modification | C:\Windows\SysWOW64\Qcjoci32.exe | Pkojoghl.exe
File opened for modification | C:\Windows\SysWOW64\Eokgij32.exe | Edeclabl.exe
File created | C:\Windows\SysWOW64\Hdkaabnh.exe | Hmqieh32.exe
File created | C:\Windows\SysWOW64\Palkap32.dll | Iekgod32.exe
File created | C:\Windows\SysWOW64\Jllakpdk.exe | Jcdmbk32.exe
File opened for modification | C:\Windows\SysWOW64\Mnncii32.exe | Mmngof32.exe
File opened for modification | C:\Windows\SysWOW64\Flcojeak.exe | Ffgfancd.exe
File created | C:\Windows\SysWOW64\Oifcqnkn.dll | Gnicoh32.exe
File created | C:\Windows\SysWOW64\Bfmeqjdf.dll | Blibghmm.exe
File created | C:\Windows\SysWOW64\Bbiboe32.dll | Eqnillbb.exe
File created | C:\Windows\SysWOW64\Lighjd32.exe | Lckpbm32.exe
File opened for modification | C:\Windows\SysWOW64\Olalpdbc.exe | Ocihgo32.exe
File opened for modification | C:\Windows\SysWOW64\Lbgkfbbj.exe | Klmbjh32.exe
File opened for modification | C:\Windows\SysWOW64\Bhjpnj32.exe | Bjfpdf32.exe
File created | C:\Windows\SysWOW64\Lbhmok32.exe | Lknebaba.exe
File opened for modification | C:\Windows\SysWOW64\Jllakpdk.exe | Jcdmbk32.exe
File opened for modification | C:\Windows\SysWOW64\Mbdfni32.exe | Mljnaocd.exe
File opened for modification | C:\Windows\SysWOW64\Mhninb32.exe | Mlgiiaij.exe
File created | C:\Windows\SysWOW64\Gmaonc32.dll | Ddkgbc32.exe
File created | C:\Windows\SysWOW64\Pfkkeq32.exe | Pkfghh32.exe
File created | C:\Windows\SysWOW64\Hgmoqm32.dll | Hagepa32.exe
File opened for modification | C:\Windows\SysWOW64\Manljd32.exe | Mhfhaoec.exe
File created | C:\Windows\SysWOW64\Lifcib32.exe | Lcmklh32.exe
File created | C:\Windows\SysWOW64\Igkhjdde.exe | Hnbcaome.exe
File created | C:\Windows\SysWOW64\Hoalia32.exe | Hehhqk32.exe
File opened for modification | C:\Windows\SysWOW64\Meemgk32.exe | Mdepmh32.exe
File created | C:\Windows\SysWOW64\Bbjkmi32.dll | Ceqjla32.exe
File created | C:\Windows\SysWOW64\Abldccka.exe | Aidpjm32.exe
File opened for modification | C:\Windows\SysWOW64\Laeidfdn.exe | Lijepc32.exe
File created | C:\Windows\SysWOW64\Almdcg32.dll | Dhlogjko.exe
File created | C:\Windows\SysWOW64\Cbnach32.dll | Nqpdcc32.exe
File created | C:\Windows\SysWOW64\Klmbjh32.exe | Klkfdi32.exe
File opened for modification | C:\Windows\SysWOW64\Gmkjgfmf.exe | Gpgjnbnl.exe
File opened for modification | C:\Windows\SysWOW64\Hocmpm32.exe | Gdnibdmf.exe
File created | C:\Windows\SysWOW64\Befima32.dll | Abinjdad.exe
File opened for modification | C:\Windows\SysWOW64\Dhobgp32.exe | Dcbjni32.exe
File opened for modification | C:\Windows\SysWOW64\Maocekoo.exe | Mpngmb32.exe
File created | C:\Windows\SysWOW64\Gcchgini.exe | Gmipko32.exe
File opened for modification | C:\Windows\SysWOW64\Oleepo32.exe | Opodknco.exe
File created | C:\Windows\SysWOW64\Hofqpc32.exe | Hlhddh32.exe
File created | C:\Windows\SysWOW64\Moccnoni.exe | Maocekoo.exe
File opened for modification | C:\Windows\SysWOW64\Hibidc32.exe | Hagepa32.exe
Program crash (1 IoC)
pid | pid_target | process | target process
912 | 1908 | WerFault.exe | Ockdmn32.exe
System Location Discovery: System Language Discovery (1 TTP, 64 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ofgbkacb.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Igpdnlgd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ljeoimeg.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Pqdelh32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Bhpclica.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Iekgod32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Gjpddigo.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Koogbk32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Jllakpdk.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Qanmcdlm.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Emgkhj32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Piohgbng.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Aphehidc.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Djghpd32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Nmjmekan.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Flfkoeoh.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ncipjieo.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ncfmjc32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Hhadgakg.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Lbhmok32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Dcepgh32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Lgfjggll.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Hjlemlnk.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Okbapi32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Nlocka32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Chgimh32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Cdqfgh32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Egeecf32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Gbcien32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Gampaipe.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Noojdc32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Pbdipa32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Kjhopjqi.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ojblbgdg.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Bhndnpnp.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Efhcej32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Edeclabl.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Jclnnmic.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ohpnag32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Gmlmpo32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Nkobpmlo.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Bckefnki.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Gmkjgfmf.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Fphgbn32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Abldccka.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Epipql32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ihcfan32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Mhfhaoec.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Lpnopm32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Imhqbkbm.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ddmchcnd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Gefolhja.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Gnicoh32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Kobkbaac.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Phobjp32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Aiimfi32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Gegaeabe.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Oemhjlha.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Efmoib32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Opodknco.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Amgjnepn.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Gcmcebkc.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Bjfpdf32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Jkioho32.exe
Modifies registry class (64 IoCs)
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Mnmbme32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Nkobpmlo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjojpeec.dll" | Akdafn32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Bphooc32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hepmik32.dll" | Iianmlfn.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elllck32.dll" | Iejkhlip.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Nqmqcmdh.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Eqngcc32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Fmbgageq.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Mdepmh32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Fbiijb32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Ojmbgh32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Adleoc32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Jpmooind.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Keango32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Piohgbng.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Aaflgb32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Lmpeljkm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Lmhdph32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Mmngof32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Ndoelpid.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qmcnifll.dll" | Ocdnloph.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Oknjmb32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Njfiqneo.dll" | Hplbamdf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Aeghng32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Bgddam32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Nddcimag.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Ahcjmkbo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cflibl32.dll" | Hibidc32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Mhninb32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Eelgcg32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Kckhdg32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Fjfjcdln.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kgajcccj.dll" | Okhefl32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Ikagogco.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Gbcien32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Idghhf32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bjpjcm32.dll" | Mpcgbhig.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Ncfmjc32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fjigapme.dll" | Ofgbkacb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Bpfebmia.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ciifcjnd.dll" | Kpgdnp32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Baigen32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Bckefnki.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnqnoqah.dll" | Eikimeff.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Ncdpdcfh.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Eocfmh32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Gkbnap32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Qekbgbpf.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Bojipjcj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lgnmdf32.dll" | Mkfojakp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bmqiakmh.dll" | Nmjmekan.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jmdkjqpq.dll" | Ndmeecmb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iooagm32.dll" | Phobjp32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dlijld32.dll" | Eldbkbop.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Liiffa32.dll" | Gdfiofhn.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pobiicng.dll" | Gbmlkl32.exe
Set value (str)
\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mheeif32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pcbiqgln.dll" Ilmlfcel.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jclnnmic.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipekokia.dll" Gegaeabe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gocalqhm.dll" Ihcfan32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lfdbcing.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Olalpdbc.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes

C:\Users\Admin\AppData\Local\Temp\adbc48fe3cc7809ec7310b7880581cf8da54f5e76663c6b2d33a79659892712c.exe, command line "C:\Users\Admin\AppData\Local\Temp\adbc48fe3cc7809ec7310b7880581cf8da54f5e76663c6b2d33a79659892712c.exe" (level 1, PID 1976)
- Loads dropped DLL
- Suspicious use of WriteProcessMemory

C:\Windows\SysWOW64\Lgfjggll.exe, command line C:\Windows\system32\Lgfjggll.exe (level 2, PID 2040)
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory

C:\Windows\SysWOW64\Lpnopm32.exe, command line C:\Windows\system32\Lpnopm32.exe (level 3, PID 2388)
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory

C:\Windows\SysWOW64\Lcmklh32.exe, command line C:\Windows\system32\Lcmklh32.exe (level 4, PID 2768)
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory

C:\Windows\SysWOW64\Lifcib32.exe, command line C:\Windows\system32\Lifcib32.exe (level 5, PID 2892)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory

C:\Windows\SysWOW64\Lnkege32.exe, command line C:\Windows\system32\Lnkege32.exe (level 6, PID 2820)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory

C:\Windows\SysWOW64\Mnmbme32.exe, command line C:\Windows\system32\Mnmbme32.exe (level 7, PID 2656)
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory

C:\Windows\SysWOW64\Mnpobefe.exe, command line C:\Windows\system32\Mnpobefe.exe (level 8, PID 2596)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory

C:\Windows\SysWOW64\Mlgiiaij.exe, command line C:\Windows\system32\Mlgiiaij.exe (level 9, PID 388)
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory

C:\Windows\SysWOW64\Mhninb32.exe, command line C:\Windows\system32\Mhninb32.exe (level 10, PID 1752)
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory

C:\Windows\SysWOW64\Nkobpmlo.exe, command line C:\Windows\system32\Nkobpmlo.exe (level 11, PID 2936)
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory

C:\Windows\SysWOW64\Nhbciaki.exe, command line C:\Windows\system32\Nhbciaki.exe (level 12, PID 2680)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory

C:\Windows\SysWOW64\Nqpdcc32.exe, command line C:\Windows\system32\Nqpdcc32.exe (level 13, PID 584)
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory

C:\Windows\SysWOW64\Okhefl32.exe, command line C:\Windows\system32\Okhefl32.exe (level 14, PID 3020)
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory

C:\Windows\SysWOW64\Ojmbgh32.exe, command line C:\Windows\system32\Ojmbgh32.exe (level 15, PID 2444)
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory

C:\Windows\SysWOW64\Ocefpnom.exe, command line C:\Windows\system32\Ocefpnom.exe (level 16, PID 1984)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory

C:\Windows\SysWOW64\Ojblbgdg.exe, command line C:\Windows\system32\Ojblbgdg.exe (level 17, PID 700)
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery

C:\Windows\SysWOW64\Opodknco.exe, command line C:\Windows\system32\Opodknco.exe (level 18, PID 912)
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery

C:\Windows\SysWOW64\Oleepo32.exe, command line C:\Windows\system32\Oleepo32.exe (level 19, PID 2156)
- Executes dropped EXE
- Loads dropped DLL

C:\Windows\SysWOW64\Pfkimhhi.exe, command line C:\Windows\system32\Pfkimhhi.exe (level 20, PID 1356)
- Executes dropped EXE
- Loads dropped DLL

C:\Windows\SysWOW64\Phobjp32.exe, command line C:\Windows\system32\Phobjp32.exe (level 21, PID 2152)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class

C:\Windows\SysWOW64\Pllkpn32.exe, command line C:\Windows\system32\Pllkpn32.exe (level 22, PID 1556)
- Executes dropped EXE
- Loads dropped DLL

C:\Windows\SysWOW64\Pmnghfhi.exe, command line C:\Windows\system32\Pmnghfhi.exe (level 23, PID 2192)
- Executes dropped EXE
- Loads dropped DLL

C:\Windows\SysWOW64\Pfhhflmg.exe, command line C:\Windows\system32\Pfhhflmg.exe (level 24, PID 1812)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL

C:\Windows\SysWOW64\Qanmcdlm.exe, command line C:\Windows\system32\Qanmcdlm.exe (level 25, PID 2260)
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery

C:\Windows\SysWOW64\Qpcjeaad.exe, command line C:\Windows\system32\Qpcjeaad.exe (level 26, PID 3024)
- Executes dropped EXE
- Loads dropped DLL

C:\Windows\SysWOW64\Amgjnepn.exe, command line C:\Windows\system32\Amgjnepn.exe (level 27, PID 2564)
- Executes dropped EXE
- System Location Discovery: System Language Discovery

C:\Windows\SysWOW64\Aohgfm32.exe, command line C:\Windows\system32\Aohgfm32.exe (level 28, PID 2996)
- Loads dropped DLL

C:\Windows\SysWOW64\Aeghng32.exe, command line C:\Windows\system32\Aeghng32.exe (level 29, PID 1608)
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class

C:\Windows\SysWOW64\Akdafn32.exe, command line C:\Windows\system32\Akdafn32.exe (level 30, PID 2744)
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class

C:\Windows\SysWOW64\Adleoc32.exe, command line C:\Windows\system32\Adleoc32.exe (level 31, PID 2716)
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class

C:\Windows\SysWOW64\Bkhjamcf.exe, command line C:\Windows\system32\Bkhjamcf.exe (level 32, PID 2712)
- Executes dropped EXE
- Loads dropped DLL

C:\Windows\SysWOW64\Bdaojbjf.exe, command line C:\Windows\system32\Bdaojbjf.exe (level 33, PID 2908)
- Executes dropped EXE
- Loads dropped DLL

C:\Windows\SysWOW64\Bphooc32.exe, command line C:\Windows\system32\Bphooc32.exe (level 34, PID 2616)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class

C:\Windows\SysWOW64\Bgddam32.exe, command line C:\Windows\system32\Bgddam32.exe (level 35, PID 1056)
- Executes dropped EXE
- Modifies registry class

C:\Windows\SysWOW64\Bckefnki.exe, command line C:\Windows\system32\Bckefnki.exe (level 36, PID 1720)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class

C:\Windows\SysWOW64\Clciod32.exe, command line C:\Windows\system32\Clciod32.exe (level 37, PID 1480)
- Executes dropped EXE

C:\Windows\SysWOW64\Cdqkifmb.exe, command line C:\Windows\system32\Cdqkifmb.exe (level 38, PID 568)
- Executes dropped EXE

C:\Windows\SysWOW64\Cnnimkom.exe, command line C:\Windows\system32\Cnnimkom.exe (level 39, PID 768)
- Executes dropped EXE

C:\Windows\SysWOW64\Djgfgkbo.exe, command line C:\Windows\system32\Djgfgkbo.exe (level 40, PID 2336)
- Executes dropped EXE
- Drops file in System32 directory

C:\Windows\SysWOW64\Dinpnged.exe, command line C:\Windows\system32\Dinpnged.exe (level 41, PID 2424)
- Executes dropped EXE

C:\Windows\SysWOW64\Dnkhfnck.exe, command line C:\Windows\system32\Dnkhfnck.exe (level 42, PID 2264)
- Executes dropped EXE

C:\Windows\SysWOW64\Diqmcgca.exe, command line C:\Windows\system32\Diqmcgca.exe (level 43, PID 2196)
- Executes dropped EXE

C:\Windows\SysWOW64\Enpban32.exe, command line C:\Windows\system32\Enpban32.exe (level 44, PID 980)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE

C:\Windows\SysWOW64\Eejjnhgc.exe, command line C:\Windows\system32\Eejjnhgc.exe (level 45, PID 1864)
- Executes dropped EXE

C:\Windows\SysWOW64\Eldbkbop.exe, command line C:\Windows\system32\Eldbkbop.exe (level 46, PID 1616)
- Executes dropped EXE
- Modifies registry class

C:\Windows\SysWOW64\Eelgcg32.exe, command line C:\Windows\system32\Eelgcg32.exe (level 47, PID 1536)
- Executes dropped EXE
- Modifies registry class

C:\Windows\SysWOW64\Efmckpko.exe, command line C:\Windows\system32\Efmckpko.exe (level 48, PID 1036)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory

C:\Windows\SysWOW64\Emgkhj32.exe, command line C:\Windows\system32\Emgkhj32.exe (level 49, PID 2176)
- Executes dropped EXE
- System Location Discovery: System Language Discovery

C:\Windows\SysWOW64\Ehmpeb32.exe, command line C:\Windows\system32\Ehmpeb32.exe (level 50, PID 1932)
- Executes dropped EXE

C:\Windows\SysWOW64\Einlmkhp.exe, command line C:\Windows\system32\Einlmkhp.exe (level 51, PID 2448)
- Executes dropped EXE

C:\Windows\SysWOW64\Ephdjeol.exe, command line C:\Windows\system32\Ephdjeol.exe (level 52, PID 1040)
- Executes dropped EXE

C:\Windows\SysWOW64\Ffbmfo32.exe, command line C:\Windows\system32\Ffbmfo32.exe (level 53, PID 3056)
- Executes dropped EXE

C:\Windows\SysWOW64\Fpjaodmj.exe, command line C:\Windows\system32\Fpjaodmj.exe (level 54, PID 2420)
- Executes dropped EXE

C:\Windows\SysWOW64\Ficehj32.exe, command line C:\Windows\system32\Ficehj32.exe (level 55, PID 2500)
- Executes dropped EXE

C:\Windows\SysWOW64\Ffgfancd.exe, command line C:\Windows\system32\Ffgfancd.exe (level 56, PID 2736)
- Executes dropped EXE
- Drops file in System32 directory

C:\Windows\SysWOW64\Flcojeak.exe, command line C:\Windows\system32\Flcojeak.exe (level 57, PID 2724)
- Executes dropped EXE

C:\Windows\SysWOW64\Felcbk32.exe, command line C:\Windows\system32\Felcbk32.exe (level 58, PID 2632)
- Executes dropped EXE

C:\Windows\SysWOW64\Flfkoeoh.exe, command line C:\Windows\system32\Flfkoeoh.exe (level 59, PID 1652)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery

C:\Windows\SysWOW64\Gmidlmcd.exe, command line C:\Windows\system32\Gmidlmcd.exe (level 60, PID 2008)
- Executes dropped EXE

C:\Windows\SysWOW64\Goiafp32.exe, command line C:\Windows\system32\Goiafp32.exe (level 61, PID 528)
- Executes dropped EXE

C:\Windows\SysWOW64\Gdfiofhn.exe, command line C:\Windows\system32\Gdfiofhn.exe (level 62, PID 780)
- Executes dropped EXE
- Modifies registry class

C:\Windows\SysWOW64\Gajjhkgh.exe, command line C:\Windows\system32\Gajjhkgh.exe (level 63, PID 692)
- Executes dropped EXE

C:\Windows\SysWOW64\Gkbnap32.exe, command line C:\Windows\system32\Gkbnap32.exe (level 64, PID 1288)
- Executes dropped EXE
- Modifies registry class

C:\Windows\SysWOW64\Gcmcebkc.exe, command line C:\Windows\system32\Gcmcebkc.exe (level 65, PID 2248)
- Executes dropped EXE
- System Location Discovery: System Language Discovery

C:\Windows\SysWOW64\Glfgnh32.exe, command line C:\Windows\system32\Glfgnh32.exe (level 66, PID 1044)
- Executes dropped EXE
- Drops file in System32 directory

C:\Windows\SysWOW64\Ggklka32.exe, command line C:\Windows\system32\Ggklka32.exe (level 67, PID 2460)

C:\Windows\SysWOW64\Hlhddh32.exe, command line C:\Windows\system32\Hlhddh32.exe (level 68, PID 772)
- Drops file in System32 directory

C:\Windows\SysWOW64\Hofqpc32.exe, command line C:\Windows\system32\Hofqpc32.exe (level 69, PID 2088)

C:\Windows\SysWOW64\Hjlemlnk.exe, command line C:\Windows\system32\Hjlemlnk.exe (level 70, PID 1944)
- System Location Discovery: System Language Discovery

C:\Windows\SysWOW64\Hdefnjkj.exe, command line C:\Windows\system32\Hdefnjkj.exe (level 71, PID 1248)

C:\Windows\SysWOW64\Hfebhmbm.exe, command line C:\Windows\system32\Hfebhmbm.exe (level 72, PID 2216)
- Adds autorun key to be loaded by Explorer.exe on startup

C:\Windows\SysWOW64\Hhcndhap.exe, command line C:\Windows\system32\Hhcndhap.exe (level 73, PID 2016)

C:\Windows\SysWOW64\Hgiked32.exe, command line C:\Windows\system32\Hgiked32.exe (level 74, PID 2836)

C:\Windows\SysWOW64\Hnbcaome.exe, command line C:\Windows\system32\Hnbcaome.exe (level 75, PID 2776)
- Drops file in System32 directory

C:\Windows\SysWOW64\Igkhjdde.exe, command line C:\Windows\system32\Igkhjdde.exe (level 76, PID 2688)

C:\Windows\SysWOW64\Imhqbkbm.exe, command line C:\Windows\system32\Imhqbkbm.exe (level 77, PID 1804)
- Drops file in System32 directory
- System Location Discovery: System Language Discovery

C:\Windows\SysWOW64\Ijlaloaf.exe, command line C:\Windows\system32\Ijlaloaf.exe (level 78, PID 1484)

C:\Windows\SysWOW64\Iqfiii32.exe, command line C:\Windows\system32\Iqfiii32.exe (level 79, PID 1784)

C:\Windows\SysWOW64\Iianmlfn.exe, command line C:\Windows\system32\Iianmlfn.exe (level 80, PID 2188)
- Modifies registry class

C:\Windows\SysWOW64\Iqhfnifq.exe, command line C:\Windows\system32\Iqhfnifq.exe (level 81, PID 576)

C:\Windows\SysWOW64\Ijqjgo32.exe, command line C:\Windows\system32\Ijqjgo32.exe (level 82, PID 1640)
- Adds autorun key to be loaded by Explorer.exe on startup

C:\Windows\SysWOW64\Ikagogco.exe, command line C:\Windows\system32\Ikagogco.exe (level 83, PID 2232)
- Modifies registry class

C:\Windows\SysWOW64\Iejkhlip.exe, command line C:\Windows\system32\Iejkhlip.exe (level 84, PID 1032)
- Modifies registry class

C:\Windows\SysWOW64\Jkdcdf32.exe, command line C:\Windows\system32\Jkdcdf32.exe (level 85, PID 876)

C:\Windows\SysWOW64\Jgkdigfa.exe, command line C:\Windows\system32\Jgkdigfa.exe (level 86, PID 748)

C:\Windows\SysWOW64\Jacibm32.exe, command line C:\Windows\system32\Jacibm32.exe (level 87, PID 1456)
- Drops file in System32 directory

C:\Windows\SysWOW64\Jjlmkb32.exe, command line C:\Windows\system32\Jjlmkb32.exe (level 88, PID 2348)

C:\Windows\SysWOW64\Jeaahk32.exe, command line C:\Windows\system32\Jeaahk32.exe (level 89, PID 108)

C:\Windows\SysWOW64\Jmlfmn32.exe, command line C:\Windows\system32\Jmlfmn32.exe (level 90, PID 2904)

C:\Windows\SysWOW64\Jgbjjf32.exe, command line C:\Windows\system32\Jgbjjf32.exe (level 91, PID 2756)
- Adds autorun key to be loaded by Explorer.exe on startup

C:\Windows\SysWOW64\Jpmooind.exe, command line C:\Windows\system32\Jpmooind.exe (level 92, PID 2796)
- Modifies registry class

C:\Windows\SysWOW64\Kfggkc32.exe, command line C:\Windows\system32\Kfggkc32.exe (level 93, PID 2660)

C:\Windows\SysWOW64\Kckhdg32.exe, command line C:\Windows\system32\Kckhdg32.exe (level 94, PID 1788)
- Modifies registry class

C:\Windows\SysWOW64\Kjepaa32.exe, command line C:\Windows\system32\Kjepaa32.exe (level 95, PID 2036)

C:\Windows\SysWOW64\Kpbhjh32.exe, command line C:\Windows\system32\Kpbhjh32.exe (level 96, PID 1116)
- Adds autorun key to be loaded by Explorer.exe on startup

C:\Windows\SysWOW64\Kijmbnpo.exe, command line C:\Windows\system32\Kijmbnpo.exe (level 97, PID 1132)

C:\Windows\SysWOW64\Keango32.exe, command line C:\Windows\system32\Keango32.exe (level 98, PID 860)
- Modifies registry class

C:\Windows\SysWOW64\Klkfdi32.exe, command line C:\Windows\system32\Klkfdi32.exe (level 99, PID 1744)
- Drops file in System32 directory

C:\Windows\SysWOW64\Klmbjh32.exe, command line C:\Windows\system32\Klmbjh32.exe (level 100, PID 1768)
- Drops file in System32 directory

C:\Windows\SysWOW64\Lbgkfbbj.exe, command line C:\Windows\system32\Lbgkfbbj.exe (level 101, PID 2056)

C:\Windows\SysWOW64\Ldhgnk32.exe, command line C:\Windows\system32\Ldhgnk32.exe (level 102, PID 2392)

C:\Windows\SysWOW64\Lkbpke32.exe, command line C:\Windows\system32\Lkbpke32.exe (level 103, PID 1504)

C:\Windows\SysWOW64\Lehdhn32.exe, command line C:\Windows\system32\Lehdhn32.exe (level 104, PID 1692)

C:\Windows\SysWOW64\Lkelpd32.exe, command line C:\Windows\system32\Lkelpd32.exe (level 105, PID 2668)

C:\Windows\SysWOW64\Lhimji32.exe, command line C:\Windows\system32\Lhimji32.exe (level 106, PID 2608)

C:\Windows\SysWOW64\Lijiaabk.exe, command line C:\Windows\system32\Lijiaabk.exe (level 107, PID 2032)

C:\Windows\SysWOW64\Miapbpmb.exe, command line C:\Windows\system32\Miapbpmb.exe (level 108, PID 2856)

C:\Windows\SysWOW64\Mclqqeaq.exe, command line C:\Windows\system32\Mclqqeaq.exe (level 109, PID 3004)

C:\Windows\SysWOW64\Mobaef32.exe, command line C:\Windows\system32\Mobaef32.exe (level 110, PID 2120)

C:\Windows\SysWOW64\Npfjbn32.exe, command line C:\Windows\system32\Npfjbn32.exe (level 111, PID 2144)
- Adds autorun key to be loaded by Explorer.exe on startup

C:\Windows\SysWOW64\Naegmabc.exe, command line C:\Windows\system32\Naegmabc.exe (level 112, PID 1372)

C:\Windows\SysWOW64\Nddcimag.exe, command line C:\Windows\system32\Nddcimag.exe (level 113, PID 1572)
- Modifies registry class

C:\Windows\SysWOW64\Nlohmonb.exe, command line C:\Windows\system32\Nlohmonb.exe (level 114, PID 2532)

C:\Windows\SysWOW64\Ncipjieo.exe, command line C:\Windows\system32\Ncipjieo.exe (level 115, PID 2304)
- System Location Discovery: System Language Discovery

C:\Windows\SysWOW64\Nfglfdeb.exe, command line C:\Windows\system32\Nfglfdeb.exe (level 116, PID 2244)

C:\Windows\SysWOW64\Nqmqcmdh.exe, command line C:\Windows\system32\Nqmqcmdh.exe (level 117, PID 2772)
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class

C:\Windows\SysWOW64\Nfjildbp.exe, command line C:\Windows\system32\Nfjildbp.exe (level 118, PID 1852)
- Adds autorun key to be loaded by Explorer.exe on startup

C:\Windows\SysWOW64\Nqpmimbe.exe, command line C:\Windows\system32\Nqpmimbe.exe (level 119, PID 2228)

C:\Windows\SysWOW64\Njhbabif.exe, command line C:\Windows\system32\Njhbabif.exe (level 120, PID 1696)

C:\Windows\SysWOW64\Okinik32.exe, command line C:\Windows\system32\Okinik32.exe (level 121, PID 2872)

C:\Windows\SysWOW64\Obcffefa.exe, command line C:\Windows\system32\Obcffefa.exe (level 122, PID 2492)

C:\Windows\SysWOW64\Odacbpee.exe, command line C:\Windows\system32\Odacbpee.exe (level 123, PID 1380)

C:\Windows\SysWOW64\Okkkoj32.exe, command line C:\Windows\system32\Okkkoj32.exe (level 124, PID 2292)
- Adds autorun key to be loaded by Explorer.exe on startup

C:\Windows\SysWOW64\Ofaolcmh.exe, command line C:\Windows\system32\Ofaolcmh.exe (level 125, PID 1060)

C:\Windows\SysWOW64\Ooidei32.exe, command line C:\Windows\system32\Ooidei32.exe (level 126, PID 540)
- Adds autorun key to be loaded by Explorer.exe on startup

C:\Windows\SysWOW64\Obhpad32.exe, command line C:\Windows\system32\Obhpad32.exe (level 127, PID 1792)

C:\Windows\SysWOW64\Ogdhik32.exe, command line C:\Windows\system32\Ogdhik32.exe (level 128, PID 2368)
- Adds autorun key to be loaded by Explorer.exe on startup

C:\Windows\SysWOW64\Onoqfehp.exe, command line C:\Windows\system32\Onoqfehp.exe (level 129, PID 2360)

C:\Windows\SysWOW64\Oqmmbqgd.exe, command line C:\Windows\system32\Oqmmbqgd.exe (level 130, PID 588)

C:\Windows\SysWOW64\Okbapi32.exe, command line C:\Windows\system32\Okbapi32.exe (level 131, PID 628)
- System Location Discovery: System Language Discovery

C:\Windows\SysWOW64\Oqojhp32.exe, command line C:\Windows\system32\Oqojhp32.exe (level 132, PID 3008)

C:\Windows\SysWOW64\Pflbpg32.exe, command line C:\Windows\system32\Pflbpg32.exe (level 133, PID 1168)

C:\Windows\SysWOW64\Paafmp32.exe, command line C:\Windows\system32\Paafmp32.exe (level 134, PID 1452)
- Adds autorun key to be loaded by Explorer.exe on startup

C:\Windows\SysWOW64\Pglojj32.exe, command line C:\Windows\system32\Pglojj32.exe (level 135, PID 1552)

C:\Windows\SysWOW64\Pmhgba32.exe, command line C:\Windows\system32\Pmhgba32.exe (level 136, PID 1580)

C:\Windows\SysWOW64\Pbepkh32.exe, command line C:\Windows\system32\Pbepkh32.exe (level 137, PID 2848)

C:\Windows\SysWOW64\Piohgbng.exe, command line C:\Windows\system32\Piohgbng.exe (level 138, PID 2684)
- System Location Discovery: System Language Discovery
- Modifies registry class

C:\Windows\SysWOW64\Pbglpg32.exe, command line C:\Windows\system32\Pbglpg32.exe (level 139, PID 1492)

C:\Windows\SysWOW64\Pmmqmpdm.exe, command line C:\Windows\system32\Pmmqmpdm.exe (level 140, PID 1756)

C:\Windows\SysWOW64\Plbmom32.exe, command line C:\Windows\system32\Plbmom32.exe (level 141, PID 2496)

C:\Windows\SysWOW64\Qekbgbpf.exe, command line C:\Windows\system32\Qekbgbpf.exe (level 142, PID 2328)
- Modifies registry class

C:\Windows\SysWOW64\Qncfphff.exe, command line C:\Windows\system32\Qncfphff.exe (level 143, PID 296)

C:\Windows\SysWOW64\Qhkkim32.exe, command line C:\Windows\system32\Qhkkim32.exe (level 144, PID 1528)

C:\Windows\SysWOW64\Ahngomkd.exe, command line C:\Windows\system32\Ahngomkd.exe (level 145, PID 2028)

C:\Windows\SysWOW64\Aaflgb32.exe, command line C:\Windows\system32\Aaflgb32.exe (level 146, PID 2800)
- Modifies registry class

C:\Windows\SysWOW64\Ajnqphhe.exe, command line C:\Windows\system32\Ajnqphhe.exe (level 147, PID 2844)

C:\Windows\SysWOW64\Adgein32.exe, command line C:\Windows\system32\Adgein32.exe (level 148, PID 2928)
- Adds autorun key to be loaded by Explorer.exe on startup

C:\Windows\SysWOW64\Albjnplq.exe, command line C:\Windows\system32\Albjnplq.exe (level 149, PID 1724)

C:\Windows\SysWOW64\Aejnfe32.exe, command line C:\Windows\system32\Aejnfe32.exe (level 150, PID 2700)

C:\Windows\SysWOW64\Aocbokia.exe, command line C:\Windows\system32\Aocbokia.exe (level 151, PID 2412)

C:\Windows\SysWOW64\Bhkghqpb.exe, command line C:\Windows\system32\Bhkghqpb.exe (level 152, PID 1928)

C:\Windows\SysWOW64\Bhndnpnp.exe, command line C:\Windows\system32\Bhndnpnp.exe (level 153, PID 1700)
- System Location Discovery: System Language Discovery

C:\Windows\SysWOW64\Bimphc32.exe, command line C:\Windows\system32\Bimphc32.exe (level 154, PID 2884)

C:\Windows\SysWOW64\Bojipjcj.exe, command line C:\Windows\system32\Bojipjcj.exe (level 155, PID 2612)
- Modifies registry class

C:\Windows\SysWOW64\Bhbmip32.exe, command line C:\Windows\system32\Bhbmip32.exe (level 156, PID 3052)

C:\Windows\SysWOW64\Bdinnqon.exe, command line C:\Windows\system32\Bdinnqon.exe (level 157, PID 236)
- Drops file in System32 directory

C:\Windows\SysWOW64\Cnabffeo.exe, command line C:\Windows\system32\Cnabffeo.exe (level 158, PID 1596)

C:\Windows\SysWOW64\Cgjgol32.exe, command line C:\Windows\system32\Cgjgol32.exe (level 159, PID 2940)

C:\Windows\SysWOW64\Ccqhdmbc.exe, command line C:\Windows\system32\Ccqhdmbc.exe (level 160, PID 548)

C:\Windows\SysWOW64\Cnflae32.exe, command line C:\Windows\system32\Cnflae32.exe (level 161, PID 2464)

C:\Windows\SysWOW64\Cccdjl32.exe, command line C:\Windows\system32\Cccdjl32.exe (level 162, PID 2352)

C:\Windows\SysWOW64\Cojeomee.exe, command line C:\Windows\system32\Cojeomee.exe (level 163, PID 1424)

C:\Windows\SysWOW64\Clnehado.exe, command line C:\Windows\system32\Clnehado.exe (level 164, PID 880)
- Adds autorun key to be loaded by Explorer.exe on startup

C:\Windows\SysWOW64\Donojm32.exe, command line C:\Windows\system32\Donojm32.exe (level 165, PID 2484)

C:\Windows\SysWOW64\Ddkgbc32.exe, command line C:\Windows\system32\Ddkgbc32.exe (level 166, PID 2804)
- Drops file in System32 directory

C:\Windows\SysWOW64\Dnckki32.exe, command line C:\Windows\system32\Dnckki32.exe (level 167, PID 1268)

C:\Windows\SysWOW64\Ddmchcnd.exe, command line C:\Windows\system32\Ddmchcnd.exe (level 168, PID 524)
- System Location Discovery: System Language Discovery

C:\Windows\SysWOW64\Dbadagln.exe, command line C:\Windows\system32\Dbadagln.exe (level 169, PID 1644)
- Drops file in System32 directory

C:\Windows\SysWOW64\Dgnminke.exe, command line C:\Windows\system32\Dgnminke.exe (level 170, PID 696)
- Adds autorun key to be loaded by Explorer.exe on startup

C:\Windows\SysWOW64\Dqfabdaf.exe, command line C:\Windows\system32\Dqfabdaf.exe (level 171, PID 2992)

C:\Windows\SysWOW64\Dgqion32.exe, command line C:\Windows\system32\Dgqion32.exe (level 172, PID 3060)

C:\Windows\SysWOW64\Dmmbge32.exe, command line C:\Windows\system32\Dmmbge32.exe (level 173, PID 1800)

C:\Windows\SysWOW64\Ejabqi32.exe, command line C:\Windows\system32\Ejabqi32.exe (level 174, PID 1336)

C:\Windows\SysWOW64\Epnkip32.exe, command line C:\Windows\system32\Epnkip32.exe (level 175, PID 1028)

C:\Windows\SysWOW64\Efhcej32.exe, command line C:\Windows\system32\Efhcej32.exe (level 176, PID 672)
- System Location Discovery: System Language Discovery

C:\Windows\SysWOW64\Eqngcc32.exe, command line C:\Windows\system32\Eqngcc32.exe (level 177, PID 2728)
- Modifies registry class

C:\Windows\SysWOW64\Emdhhdqb.exe, command line C:\Windows\system32\Emdhhdqb.exe (level 178, PID 2224)

C:\Windows\SysWOW64\Eikimeff.exe, command line C:\Windows\system32\Eikimeff.exe (level 179, PID 2324)
- Modifies registry class

C:\Windows\SysWOW64\Fmbgageq.exe, command line C:\Windows\system32\Fmbgageq.exe (level 180, PID 2972)
- Modifies registry class

C:\Windows\SysWOW64\Fjfhkl32.exe, command line C:\Windows\system32\Fjfhkl32.exe (level 181, PID 2516)

C:\Windows\SysWOW64\Fpbqcb32.exe, command line C:\Windows\system32\Fpbqcb32.exe (level 182, PID 948)

C:\Windows\SysWOW64\Gbcien32.exe, command line C:\Windows\system32\Gbcien32.exe (level 183, PID 796)
- System Location Discovery: System Language Discovery
- Modifies registry class

C:\Windows\SysWOW64\Gpgjnbnl.exe, command line C:\Windows\system32\Gpgjnbnl.exe (level 184, PID 2288)
- Drops file in System32 directory

C:\Windows\SysWOW64\Gmkjgfmf.exe, command line C:\Windows\system32\Gmkjgfmf.exe (level 185, PID 2148)
- System Location Discovery: System Language Discovery

C:\Windows\SysWOW64\Gefolhja.exe, command line C:\Windows\system32\Gefolhja.exe (level 186, PID 3080)
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery

C:\Windows\SysWOW64\Gampaipe.exe, command line C:\Windows\system32\Gampaipe.exe (level 187, PID 3120)
- System Location Discovery: System Language Discovery

C:\Windows\SysWOW64\Glbdnbpk.exe, command line C:\Windows\system32\Glbdnbpk.exe (level 188, PID 3160)

C:\Windows\SysWOW64\Gbmlkl32.exe, command line C:\Windows\system32\Gbmlkl32.exe (level 189, PID 3200)
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class

C:\Windows\SysWOW64\Gdnibdmf.exe, command line C:\Windows\system32\Gdnibdmf.exe (level 190, PID 3240)
- Drops file in System32 directory

C:\Windows\SysWOW64\Hocmpm32.exe, command line C:\Windows\system32\Hocmpm32.exe (level 191, PID 3280)

C:\Windows\SysWOW64\Hgoadp32.exe, command line C:\Windows\system32\Hgoadp32.exe (level 192, PID 3320)

C:\Windows\SysWOW64\Hpgfmeag.exe, command line C:\Windows\system32\Hpgfmeag.exe (level 193, PID 3360)

C:\Windows\SysWOW64\Hganjo32.exe, command line C:\Windows\system32\Hganjo32.exe (level 194, PID 3400)

C:\Windows\SysWOW64\Hkogpn32.exe, command line C:\Windows\system32\Hkogpn32.exe (level 195, PID 3440)
- Adds autorun key to be loaded by Explorer.exe on startup

C:\Windows\SysWOW64\Hehhqk32.exe, command line C:\Windows\system32\Hehhqk32.exe (level 196, PID 3480)
- Drops file in System32 directory

C:\Windows\SysWOW64\Hoalia32.exe, command line C:\Windows\system32\Hoalia32.exe (level 197, PID 3524)

C:\Windows\SysWOW64\Ihiabfhk.exe, command line C:\Windows\system32\Ihiabfhk.exe (level 198, PID 3572)
- Drops file in System32 directory

C:\Windows\SysWOW64\Iadbqlmh.exe, command line C:\Windows\system32\Iadbqlmh.exe (level 199, PID 3612)

C:\Windows\SysWOW64\Iafofkkf.exe, command line C:\Windows\system32\Iafofkkf.exe (level 200, PID 3652)
- Drops file in System32 directory

C:\Windows\SysWOW64\Ikocoa32.exe, command line C:\Windows\system32\Ikocoa32.exe (level 201, PID 3692)
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory

C:\Windows\SysWOW64\Idghhf32.exe, command line C:\Windows\system32\Idghhf32.exe (level 202, PID 3732)
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class

C:\Windows\SysWOW64\Ibkhak32.exe, command line C:\Windows\system32\Ibkhak32.exe (level 203, PID 3772)

C:\Windows\SysWOW64\Jjfmem32.exe, command line C:\Windows\system32\Jjfmem32.exe (level 204, PID 3812)

C:\Windows\SysWOW64\Jcoanb32.exe, command line C:\Windows\system32\Jcoanb32.exe (level 205, PID 3852)

C:\Windows\SysWOW64\Jndflk32.exe, command line C:\Windows\system32\Jndflk32.exe (level 206, PID 3892)

C:\Windows\SysWOW64\Jgmjdaqb.exe, command line C:\Windows\system32\Jgmjdaqb.exe (level 207, PID 3944)

C:\Windows\SysWOW64\Jcckibfg.exe, command line C:\Windows\system32\Jcckibfg.exe (level 208, PID 3984)

C:\Windows\SysWOW64\Jmlobg32.exe, command line C:\Windows\system32\Jmlobg32.exe (level 209, PID 4024)

C:\Windows\SysWOW64\Kmnlhg32.exe, command line C:\Windows\system32\Kmnlhg32.exe (level 210, PID 4068)

C:\Windows\SysWOW64\Kkciic32.exe, command line C:\Windows\system32\Kkciic32.exe (level 211, PID 2184)

C:\Windows\SysWOW64\Kgjjndeq.exe, command line C:\Windows\system32\Kgjjndeq.exe (level 212, PID 3116)

C:\Windows\SysWOW64\Kabngjla.exe, command line C:\Windows\system32\Kabngjla.exe (level 213, PID 3180)

C:\Windows\SysWOW64\Klhbdclg.exe, command line C:\Windows\system32\Klhbdclg.exe (level 214)
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3236 -
C:\Windows\SysWOW64\Kaekljjo.exeC:\Windows\system32\Kaekljjo.exe215⤵
- Drops file in System32 directory
PID:3268 -
C:\Windows\SysWOW64\Kfacdqhf.exeC:\Windows\system32\Kfacdqhf.exe216⤵PID:3312
-
C:\Windows\SysWOW64\Lcedne32.exeC:\Windows\system32\Lcedne32.exe217⤵PID:3372
-
C:\Windows\SysWOW64\Liblfl32.exeC:\Windows\system32\Liblfl32.exe218⤵PID:2276
-
C:\Windows\SysWOW64\Lbkaoalg.exeC:\Windows\system32\Lbkaoalg.exe219⤵PID:3468
-
C:\Windows\SysWOW64\Lmpeljkm.exeC:\Windows\system32\Lmpeljkm.exe220⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:3520 -
C:\Windows\SysWOW64\Lmbabj32.exeC:\Windows\system32\Lmbabj32.exe221⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3544 -
C:\Windows\SysWOW64\Lodnjboi.exeC:\Windows\system32\Lodnjboi.exe222⤵PID:3628
-
C:\Windows\SysWOW64\Lofkoamf.exeC:\Windows\system32\Lofkoamf.exe223⤵PID:3664
-
C:\Windows\SysWOW64\Mdepmh32.exeC:\Windows\system32\Mdepmh32.exe224⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:3740 -
C:\Windows\SysWOW64\Meemgk32.exeC:\Windows\system32\Meemgk32.exe225⤵PID:3780
-
C:\Windows\SysWOW64\Mkaeob32.exeC:\Windows\system32\Mkaeob32.exe226⤵PID:3828
-
C:\Windows\SysWOW64\Mheeif32.exeC:\Windows\system32\Mheeif32.exe227⤵
- Modifies registry class
PID:3864 -
C:\Windows\SysWOW64\Manjaldo.exeC:\Windows\system32\Manjaldo.exe228⤵PID:3936
-
C:\Windows\SysWOW64\Mkfojakp.exeC:\Windows\system32\Mkfojakp.exe229⤵
- Modifies registry class
PID:3968 -
C:\Windows\SysWOW64\Mpcgbhig.exeC:\Windows\system32\Mpcgbhig.exe230⤵
- Modifies registry class
PID:4012 -
C:\Windows\SysWOW64\Nikkkn32.exeC:\Windows\system32\Nikkkn32.exe231⤵PID:4076
-
C:\Windows\SysWOW64\Ncdpdcfh.exeC:\Windows\system32\Ncdpdcfh.exe232⤵
- Modifies registry class
PID:3100 -
C:\Windows\SysWOW64\Ninhamne.exeC:\Windows\system32\Ninhamne.exe233⤵PID:3144
-
C:\Windows\SysWOW64\Ncfmjc32.exeC:\Windows\system32\Ncfmjc32.exe234⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:3212 -
C:\Windows\SysWOW64\Nommodjj.exeC:\Windows\system32\Nommodjj.exe235⤵PID:3252
-
C:\Windows\SysWOW64\Noojdc32.exeC:\Windows\system32\Noojdc32.exe236⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:3340 -
C:\Windows\SysWOW64\Omnmal32.exeC:\Windows\system32\Omnmal32.exe237⤵PID:3420
-
C:\Windows\SysWOW64\Ofgbkacb.exeC:\Windows\system32\Ofgbkacb.exe238⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:3432 -
C:\Windows\SysWOW64\Oqlfhjch.exeC:\Windows\system32\Oqlfhjch.exe239⤵PID:3536
-
C:\Windows\SysWOW64\Ojdjqp32.exeC:\Windows\system32\Ojdjqp32.exe240⤵PID:3600
-
C:\Windows\SysWOW64\Pkfghh32.exeC:\Windows\system32\Pkfghh32.exe241⤵
- Drops file in System32 directory
PID:3660 -
C:\Windows\SysWOW64\Pfkkeq32.exeC:\Windows\system32\Pfkkeq32.exe242⤵PID:3684