Analysis
max time kernel: 26s
max time network: 17s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 10-11-2024 01:29

Static task: static1

Behavioral task: behavioral1
Sample: 6e0e796fb3fbefbcba7800bc2917131725abeb0f3e6181ce715e8833a70b492dN.exe
Resource: win7-20240903-en

Behavioral task: behavioral2
Sample: 6e0e796fb3fbefbcba7800bc2917131725abeb0f3e6181ce715e8833a70b492dN.exe
Resource: win10v2004-20241007-en
General
Target: 6e0e796fb3fbefbcba7800bc2917131725abeb0f3e6181ce715e8833a70b492dN.exe
Size: 320KB
MD5: d97ee933a282c1d5771ec204f5467720
SHA1: 19489fd133c1cdb18475b08c22eb7c47198a7f47
SHA256: 6e0e796fb3fbefbcba7800bc2917131725abeb0f3e6181ce715e8833a70b492d
SHA512: 31a21db6fbeb38d62eba114f80b6cc735170a793ba6ad28a908a222b72bfe23251d151e6dceed7190493b9b920eee27af5370c598691859bd08831cc3c0985d2
SSDEEP: 6144:Dm8Vwd6+g63/fc/UmKyIxLDXXoq9FJZCUmKyIxLq:SQb+O32XXf9Do3R
Malware Config
Extracted: berbew
http://f/wcmd.htm
http://f/ppslog.php
http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d
Signatures
Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
Berbew family
Executes dropped EXE (64 IoCs)
Loads dropped DLL (64 IoCs)
Drops file in System32 directory (64 IoCs)
Program crash (1 IoC)
Processes:
pid   pid_target  process       target process
6672  6484        WerFault.exe  Dpapaj32.exe
System Location Discovery: System Language Discovery (1 TTP, 64 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
Modifies registry class (64 IoCs)
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ccpcckck.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Godonkii.dll" Bfdenafn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ndmecgba.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aaaphj32.dll" Cedpbd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hembkl32.dll" Ieigfk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jampjian.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kdklfe32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Cjonncab.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Inaqlm32.dll" Cmmhaf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Gqiimfam.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jhlmmfef.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pldebkhj.exe Set value (str) 
\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fggkcl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Fncpef32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Icblnd32.dll" Nidmfh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pmdmmalf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Nlfmbibo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Epkpbiah.dll" Pgnjde32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fcnkhmdp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ffodjh32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
Each entry below is one process in the observed chain (each process spawns the next), given as image path, command line, PID and the signatures it triggered.

1. C:\Users\Admin\AppData\Local\Temp\6e0e796fb3fbefbcba7800bc2917131725abeb0f3e6181ce715e8833a70b492dN.exe (command line: "C:\Users\Admin\AppData\Local\Temp\6e0e796fb3fbefbcba7800bc2917131725abeb0f3e6181ce715e8833a70b492dN.exe"), PID 2872: Loads dropped DLL; Drops file in System32 directory; Suspicious use of WriteProcessMemory
2. C:\Windows\SysWOW64\Lipecm32.exe (command line: C:\Windows\system32\Lipecm32.exe), PID 2000: Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
3. C:\Windows\SysWOW64\Ljabkeaf.exe (command line: C:\Windows\system32\Ljabkeaf.exe), PID 2344: Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
4. C:\Windows\SysWOW64\Mgebdipp.exe (command line: C:\Windows\system32\Mgebdipp.exe), PID 2092: Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
5. C:\Windows\SysWOW64\Mmdgbp32.exe (command line: C:\Windows\system32\Mmdgbp32.exe), PID 2084: Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
6. C:\Windows\SysWOW64\Mhilph32.exe (command line: C:\Windows\system32\Mhilph32.exe), PID 1656: Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
7. C:\Windows\SysWOW64\Mlkail32.exe (command line: C:\Windows\system32\Mlkail32.exe), PID 2688: Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
8. C:\Windows\SysWOW64\Mfaefd32.exe (command line: C:\Windows\system32\Mfaefd32.exe), PID 2732: Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
9. C:\Windows\SysWOW64\Nfcbldmm.exe (command line: C:\Windows\system32\Nfcbldmm.exe), PID 2572: Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
10. C:\Windows\SysWOW64\Nlpkdkkd.exe (command line: C:\Windows\system32\Nlpkdkkd.exe), PID 2280: Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
11. C:\Windows\SysWOW64\Noacef32.exe (command line: C:\Windows\system32\Noacef32.exe), PID 2880: Executes dropped EXE; Loads dropped DLL; Drops file in System32 directory; Suspicious use of WriteProcessMemory
12. C:\Windows\SysWOW64\Ndnlnm32.exe (command line: C:\Windows\system32\Ndnlnm32.exe), PID 2388: Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
13. C:\Windows\SysWOW64\Nhlddkmc.exe (command line: C:\Windows\system32\Nhlddkmc.exe), PID 1908: Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
14. C:\Windows\SysWOW64\Nmhmlbkk.exe (command line: C:\Windows\system32\Nmhmlbkk.exe), PID 1940: Executes dropped EXE; Loads dropped DLL; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
15. C:\Windows\SysWOW64\Oaffbqaa.exe (command line: C:\Windows\system32\Oaffbqaa.exe), PID 1284: Executes dropped EXE; Loads dropped DLL; Modifies registry class; Suspicious use of WriteProcessMemory
16. C:\Windows\SysWOW64\Oiakgcnl.exe (command line: C:\Windows\system32\Oiakgcnl.exe), PID 1636: Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
17. C:\Windows\SysWOW64\Olbchn32.exe (command line: C:\Windows\system32\Olbchn32.exe), PID 2320: Executes dropped EXE; Loads dropped DLL
18. C:\Windows\SysWOW64\Ohidmoaa.exe (command line: C:\Windows\system32\Ohidmoaa.exe), PID 2328: Executes dropped EXE; Loads dropped DLL
19. C:\Windows\SysWOW64\Opplolac.exe (command line: C:\Windows\system32\Opplolac.exe), PID 1264: Executes dropped EXE; Loads dropped DLL
20. C:\Windows\SysWOW64\Oaaifdhb.exe (command line: C:\Windows\system32\Oaaifdhb.exe), PID 1724: Executes dropped EXE; Loads dropped DLL; System Location Discovery: System Language Discovery
21. C:\Windows\SysWOW64\Pcaepg32.exe (command line: C:\Windows\system32\Pcaepg32.exe), PID 1140: Executes dropped EXE; Loads dropped DLL; System Location Discovery: System Language Discovery
22. C:\Windows\SysWOW64\Padeldeo.exe (command line: C:\Windows\system32\Padeldeo.exe), PID 1800: Executes dropped EXE; Loads dropped DLL
23. C:\Windows\SysWOW64\Pnjfae32.exe (command line: C:\Windows\system32\Pnjfae32.exe), PID 680: Executes dropped EXE; Loads dropped DLL
24. C:\Windows\SysWOW64\Peanbblf.exe (command line: C:\Windows\system32\Peanbblf.exe), PID 272: Executes dropped EXE; Loads dropped DLL
25. C:\Windows\SysWOW64\Pnmcfeia.exe (command line: C:\Windows\system32\Pnmcfeia.exe), PID 2972: Executes dropped EXE; Loads dropped DLL
26. C:\Windows\SysWOW64\Pqkobqhd.exe (command line: C:\Windows\system32\Pqkobqhd.exe), PID 2016: Executes dropped EXE; Loads dropped DLL
27. C:\Windows\SysWOW64\Pkacpihj.exe (command line: C:\Windows\system32\Pkacpihj.exe), PID 1496: Executes dropped EXE; Loads dropped DLL; Modifies registry class
28. C:\Windows\SysWOW64\Pnopldgn.exe (command line: C:\Windows\system32\Pnopldgn.exe), PID 2032: Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Loads dropped DLL
29. C:\Windows\SysWOW64\Pjfpafmb.exe (command line: C:\Windows\system32\Pjfpafmb.exe), PID 2284: Executes dropped EXE; Loads dropped DLL
30. C:\Windows\SysWOW64\Pmdmmalf.exe (command line: C:\Windows\system32\Pmdmmalf.exe), PID 2332: Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Loads dropped DLL; Modifies registry class
31. C:\Windows\SysWOW64\Qndigd32.exe (command line: C:\Windows\system32\Qndigd32.exe), PID 2060: Executes dropped EXE; Loads dropped DLL; Drops file in System32 directory
32. C:\Windows\SysWOW64\Qqbecp32.exe (command line: C:\Windows\system32\Qqbecp32.exe), PID 1784: Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Loads dropped DLL
33. C:\Windows\SysWOW64\Qinjgbpg.exe (command line: C:\Windows\system32\Qinjgbpg.exe), PID 2352: Executes dropped EXE
34. C:\Windows\SysWOW64\Qqdbiopj.exe (command line: C:\Windows\system32\Qqdbiopj.exe), PID 2712: Executes dropped EXE
35. C:\Windows\SysWOW64\Amkbnp32.exe (command line: C:\Windows\system32\Amkbnp32.exe), PID 2816: Executes dropped EXE
36. C:\Windows\SysWOW64\Akncimmh.exe (command line: C:\Windows\system32\Akncimmh.exe), PID 2508: Executes dropped EXE
37. C:\Windows\SysWOW64\Amnocpdk.exe (command line: C:\Windows\system32\Amnocpdk.exe), PID 2504: Executes dropped EXE
38. C:\Windows\SysWOW64\Aollokco.exe (command line: C:\Windows\system32\Aollokco.exe), PID 2884: Executes dropped EXE
39. C:\Windows\SysWOW64\Aidphq32.exe (command line: C:\Windows\system32\Aidphq32.exe), PID 572: Executes dropped EXE
40. C:\Windows\SysWOW64\Aggpdnpj.exe (command line: C:\Windows\system32\Aggpdnpj.exe), PID 2428: Executes dropped EXE
41. C:\Windows\SysWOW64\Aoohekal.exe (command line: C:\Windows\system32\Aoohekal.exe), PID 2452: Executes dropped EXE; Drops file in System32 directory
42. C:\Windows\SysWOW64\Aekqmbod.exe (command line: C:\Windows\system32\Aekqmbod.exe), PID 1976: Executes dropped EXE
43. C:\Windows\SysWOW64\Aboaff32.exe (command line: C:\Windows\system32\Aboaff32.exe), PID 1592: Executes dropped EXE
44. C:\Windows\SysWOW64\Aennba32.exe (command line: C:\Windows\system32\Aennba32.exe), PID 1796: Executes dropped EXE
45. C:\Windows\SysWOW64\Ajjfkh32.exe (command line: C:\Windows\system32\Ajjfkh32.exe), PID 616: Executes dropped EXE; System Location Discovery: System Language Discovery; Modifies registry class
46. C:\Windows\SysWOW64\Badnhbce.exe (command line: C:\Windows\system32\Badnhbce.exe), PID 2124: Executes dropped EXE
47. C:\Windows\SysWOW64\Bepjha32.exe (command line: C:\Windows\system32\Bepjha32.exe), PID 1768: Executes dropped EXE
48. C:\Windows\SysWOW64\Bccjdnbi.exe (command line: C:\Windows\system32\Bccjdnbi.exe), PID 1356: Executes dropped EXE
49. C:\Windows\SysWOW64\Bmkomchi.exe (command line: C:\Windows\system32\Bmkomchi.exe), PID 2944: Executes dropped EXE
50. C:\Windows\SysWOW64\Bagkmb32.exe (command line: C:\Windows\system32\Bagkmb32.exe), PID 672: Executes dropped EXE
51. C:\Windows\SysWOW64\Bcegin32.exe (command line: C:\Windows\system32\Bcegin32.exe), PID 2120: Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE
52. C:\Windows\SysWOW64\Bjoofhgc.exe (command line: C:\Windows\system32\Bjoofhgc.exe), PID 1540: Executes dropped EXE
53. C:\Windows\SysWOW64\Bibpad32.exe (command line: C:\Windows\system32\Bibpad32.exe), PID 868: Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE
54. C:\Windows\SysWOW64\Bplhnoej.exe (command line: C:\Windows\system32\Bplhnoej.exe), PID 1552: Executes dropped EXE
55. C:\Windows\SysWOW64\Bbjdjjdn.exe (command line: C:\Windows\system32\Bbjdjjdn.exe), PID 2348: Executes dropped EXE
56. C:\Windows\SysWOW64\Bidlgdlk.exe (command line: C:\Windows\system32\Bidlgdlk.exe), PID 2292: Executes dropped EXE
57. C:\Windows\SysWOW64\Bmphhc32.exe (command line: C:\Windows\system32\Bmphhc32.exe), PID 2952: Executes dropped EXE
58. C:\Windows\SysWOW64\Bpnddn32.exe (command line: C:\Windows\system32\Bpnddn32.exe), PID 2640: Executes dropped EXE
59. C:\Windows\SysWOW64\Bbmapj32.exe (command line: C:\Windows\system32\Bbmapj32.exe), PID 2600: Executes dropped EXE; Modifies registry class
60. C:\Windows\SysWOW64\Bekmle32.exe (command line: C:\Windows\system32\Bekmle32.exe), PID 2512: Executes dropped EXE; Drops file in System32 directory
61. C:\Windows\SysWOW64\Bmbemb32.exe (command line: C:\Windows\system32\Bmbemb32.exe), PID 2548: Executes dropped EXE; Drops file in System32 directory
62. C:\Windows\SysWOW64\Bpqain32.exe (command line: C:\Windows\system32\Bpqain32.exe), PID 1916: Executes dropped EXE
63. C:\Windows\SysWOW64\Bbonei32.exe (command line: C:\Windows\system32\Bbonei32.exe), PID 1780: Executes dropped EXE; Drops file in System32 directory; System Location Discovery: System Language Discovery
64. C:\Windows\SysWOW64\Chlfnp32.exe (command line: C:\Windows\system32\Chlfnp32.exe), PID 2244: Executes dropped EXE
65. C:\Windows\SysWOW64\Clgbno32.exe (command line: C:\Windows\system32\Clgbno32.exe), PID 2212: Executes dropped EXE
66. C:\Windows\SysWOW64\Cpcnonob.exe (command line: C:\Windows\system32\Cpcnonob.exe), PID 1060
67. C:\Windows\SysWOW64\Cepfgdnj.exe (command line: C:\Windows\system32\Cepfgdnj.exe), PID 2164
68. C:\Windows\SysWOW64\Chnbcpmn.exe (command line: C:\Windows\system32\Chnbcpmn.exe), PID 1348
69. C:\Windows\SysWOW64\Cjmopkla.exe (command line: C:\Windows\system32\Cjmopkla.exe), PID 1144
70. C:\Windows\SysWOW64\Cohkpj32.exe (command line: C:\Windows\system32\Cohkpj32.exe), PID 2216
71. C:\Windows\SysWOW64\Cafgle32.exe (command line: C:\Windows\system32\Cafgle32.exe), PID 940
72. C:\Windows\SysWOW64\Cebcmdlg.exe (command line: C:\Windows\system32\Cebcmdlg.exe), PID 3016: Adds autorun key to be loaded by Explorer.exe on startup
73. C:\Windows\SysWOW64\Ckolek32.exe (command line: C:\Windows\system32\Ckolek32.exe), PID 2912
74. C:\Windows\SysWOW64\Cmmhaf32.exe (command line: C:\Windows\system32\Cmmhaf32.exe), PID 2300: Modifies registry class
75. C:\Windows\SysWOW64\Cedpbd32.exe (command line: C:\Windows\system32\Cedpbd32.exe), PID 296: Modifies registry class
76. C:\Windows\SysWOW64\Chcloo32.exe (command line: C:\Windows\system32\Chcloo32.exe), PID 2160
77. C:\Windows\SysWOW64\Cmpdgf32.exe (command line: C:\Windows\system32\Cmpdgf32.exe), PID 2104
78. C:\Windows\SysWOW64\Cdjmcpnl.exe (command line: C:\Windows\system32\Cdjmcpnl.exe), PID 1320
79. C:\Windows\SysWOW64\Cfhiplmp.exe (command line: C:\Windows\system32\Cfhiplmp.exe), PID 2616
80. C:\Windows\SysWOW64\Ckcepj32.exe (command line: C:\Windows\system32\Ckcepj32.exe), PID 3060
81. C:\Windows\SysWOW64\Cmbalfem.exe (command line: C:\Windows\system32\Cmbalfem.exe), PID 2556: Adds autorun key to be loaded by Explorer.exe on startup
82. C:\Windows\SysWOW64\Dpqnhadq.exe (command line: C:\Windows\system32\Dpqnhadq.exe), PID 2040
83. C:\Windows\SysWOW64\Dkfbfjdf.exe (command line: C:\Windows\system32\Dkfbfjdf.exe), PID 2012
84. C:\Windows\SysWOW64\Dmdnbecj.exe (command line: C:\Windows\system32\Dmdnbecj.exe), PID 1640: Adds autorun key to be loaded by Explorer.exe on startup
85. C:\Windows\SysWOW64\Dpcjnabn.exe (command line: C:\Windows\system32\Dpcjnabn.exe), PID 1704
86. C:\Windows\SysWOW64\Ddnfop32.exe (command line: C:\Windows\system32\Ddnfop32.exe), PID 1304
87. C:\Windows\SysWOW64\Dgmbkk32.exe (command line: C:\Windows\system32\Dgmbkk32.exe), PID 1180
88. C:\Windows\SysWOW64\Depbfhpe.exe (command line: C:\Windows\system32\Depbfhpe.exe), PID 684
89. C:\Windows\SysWOW64\Dcccpl32.exe (command line: C:\Windows\system32\Dcccpl32.exe), PID 2584
90. C:\Windows\SysWOW64\Debplg32.exe (command line: C:\Windows\system32\Debplg32.exe), PID 1732
91. C:\Windows\SysWOW64\Dhplhc32.exe (command line: C:\Windows\system32\Dhplhc32.exe), PID 3020: Modifies registry class
92. C:\Windows\SysWOW64\Dllhhaep.exe (command line: C:\Windows\system32\Dllhhaep.exe), PID 1752
93. C:\Windows\SysWOW64\Dcfpel32.exe (command line: C:\Windows\system32\Dcfpel32.exe), PID 1608: System Location Discovery: System Language Discovery
94. C:\Windows\SysWOW64\Dedlag32.exe (command line: C:\Windows\system32\Dedlag32.exe), PID 2232: Modifies registry class
95. C:\Windows\SysWOW64\Diphbfdi.exe (command line: C:\Windows\system32\Diphbfdi.exe), PID 3048
96. C:\Windows\SysWOW64\Domqjm32.exe (command line: C:\Windows\system32\Domqjm32.exe), PID 2660
97. C:\Windows\SysWOW64\Degiggjm.exe (command line: C:\Windows\system32\Degiggjm.exe), PID 1568
98. C:\Windows\SysWOW64\Eheecbia.exe (command line: C:\Windows\system32\Eheecbia.exe), PID 1744
99. C:\Windows\SysWOW64\Ekcaonhe.exe (command line: C:\Windows\system32\Ekcaonhe.exe), PID 2408
100. C:\Windows\SysWOW64\Enbnkigh.exe (command line: C:\Windows\system32\Enbnkigh.exe), PID 2308: System Location Discovery: System Language Discovery
101. C:\Windows\SysWOW64\Eeielfhk.exe (command line: C:\Windows\system32\Eeielfhk.exe), PID 1328: System Location Discovery: System Language Discovery
102. C:\Windows\SysWOW64\Egjbdo32.exe (command line: C:\Windows\system32\Egjbdo32.exe), PID 1032
103. C:\Windows\SysWOW64\Ekfndmfb.exe (command line: C:\Windows\system32\Ekfndmfb.exe), PID 3040: Modifies registry class
104. C:\Windows\SysWOW64\Eapfagno.exe (command line: C:\Windows\system32\Eapfagno.exe), PID 300
105. C:\Windows\SysWOW64\Ehjona32.exe (command line: C:\Windows\system32\Ehjona32.exe), PID 2916: Drops file in System32 directory
106. C:\Windows\SysWOW64\Ekhkjm32.exe (command line: C:\Windows\system32\Ekhkjm32.exe), PID 2796
107. C:\Windows\SysWOW64\Ejkkfjkj.exe (command line: C:\Windows\system32\Ejkkfjkj.exe), PID 2044
108. C:\Windows\SysWOW64\Edqocbkp.exe (command line: C:\Windows\system32\Edqocbkp.exe), PID 2736
109. C:\Windows\SysWOW64\Egokonjc.exe (command line: C:\Windows\system32\Egokonjc.exe), PID 2684
110. C:\Windows\SysWOW64\Ekjgpm32.exe (command line: C:\Windows\system32\Ekjgpm32.exe), PID 2596: Modifies registry class
111. C:\Windows\SysWOW64\Edclib32.exe (command line: C:\Windows\system32\Edclib32.exe), PID 1988
112. C:\Windows\SysWOW64\Efdhpjok.exe (command line: C:\Windows\system32\Efdhpjok.exe), PID 1968: Modifies registry class
113. C:\Windows\SysWOW64\Enkpahon.exe (command line: C:\Windows\system32\Enkpahon.exe), PID 1776
114. C:\Windows\SysWOW64\Eqjmncna.exe (command line: C:\Windows\system32\Eqjmncna.exe), PID 1052
115. C:\Windows\SysWOW64\Fchijone.exe (command line: C:\Windows\system32\Fchijone.exe), PID 2136
116. C:\Windows\SysWOW64\Fgcejm32.exe (command line: C:\Windows\system32\Fgcejm32.exe), PID 1076: System Location Discovery: System Language Discovery
117. C:\Windows\SysWOW64\Fjbafi32.exe (command line: C:\Windows\system32\Fjbafi32.exe), PID 3056: System Location Discovery: System Language Discovery
118. C:\Windows\SysWOW64\Flqmbd32.exe (command line: C:\Windows\system32\Flqmbd32.exe), PID 2144
119. C:\Windows\SysWOW64\Fqlicclo.exe (command line: C:\Windows\system32\Fqlicclo.exe), PID 2196
120. C:\Windows\SysWOW64\Fcjeon32.exe (command line: C:\Windows\system32\Fcjeon32.exe), PID 2980: Adds autorun key to be loaded by Explorer.exe on startup
121. C:\Windows\SysWOW64\Ffibkj32.exe (command line: C:\Windows\system32\Ffibkj32.exe), PID 3044: Adds autorun key to be loaded by Explorer.exe on startup
122. C:\Windows\SysWOW64\Fhgnge32.exe (command line: C:\Windows\system32\Fhgnge32.exe), PID 2356
123. C:\Windows\SysWOW64\Fmcjhdbc.exe (command line: C:\Windows\system32\Fmcjhdbc.exe), PID 2804
124. C:\Windows\SysWOW64\Foafdoag.exe (command line: C:\Windows\system32\Foafdoag.exe), PID 2588: Modifies registry class
125. C:\Windows\SysWOW64\Fdnolfon.exe (command line: C:\Windows\system32\Fdnolfon.exe), PID 1668: Adds autorun key to be loaded by Explorer.exe on startup
126. C:\Windows\SysWOW64\Fkhgip32.exe (command line: C:\Windows\system32\Fkhgip32.exe), PID 2184
127. C:\Windows\SysWOW64\Fnfcel32.exe (command line: C:\Windows\system32\Fnfcel32.exe), PID 2004: Drops file in System32 directory
128. C:\Windows\SysWOW64\Fbbofjnh.exe (command line: C:\Windows\system32\Fbbofjnh.exe), PID 1772
129. C:\Windows\SysWOW64\Fdpkbf32.exe (command line: C:\Windows\system32\Fdpkbf32.exe), PID 236: Drops file in System32 directory
130. C:\Windows\SysWOW64\Fkjdopeh.exe (command line: C:\Windows\system32\Fkjdopeh.exe), PID 2132
131. C:\Windows\SysWOW64\Fnipkkdl.exe (command line: C:\Windows\system32\Fnipkkdl.exe), PID 2272
132. C:\Windows\SysWOW64\Fbdlkj32.exe (command line: C:\Windows\system32\Fbdlkj32.exe), PID 2876
133. C:\Windows\SysWOW64\Findhdcb.exe (command line: C:\Windows\system32\Findhdcb.exe), PID 2900: Modifies registry class
134. C:\Windows\SysWOW64\Fkmqdpce.exe (command line: C:\Windows\system32\Fkmqdpce.exe), PID 2480
135. C:\Windows\SysWOW64\Gbfiaj32.exe (command line: C:\Windows\system32\Gbfiaj32.exe), PID 2420
136. C:\Windows\SysWOW64\Gqiimfam.exe (command line: C:\Windows\system32\Gqiimfam.exe), PID 1064: Modifies registry class
137. C:\Windows\SysWOW64\Gcheib32.exe (command line: C:\Windows\system32\Gcheib32.exe), PID 1012: System Location Discovery: System Language Discovery
138. C:\Windows\SysWOW64\Ggcaiqhj.exe (command line: C:\Windows\system32\Ggcaiqhj.exe), PID 624
139. C:\Windows\SysWOW64\Gmpjagfa.exe (command line: C:\Windows\system32\Gmpjagfa.exe), PID 872
140. C:\Windows\SysWOW64\Gegabegc.exe (command line: C:\Windows\system32\Gegabegc.exe), PID 2680
141. C:\Windows\SysWOW64\Ggfnopfg.exe (command line: C:\Windows\system32\Ggfnopfg.exe), PID 2008
142. C:\Windows\SysWOW64\Gnpflj32.exe (command line: C:\Windows\system32\Gnpflj32.exe), PID 2440
143. C:\Windows\SysWOW64\Gqnbhf32.exe (command line: C:\Windows\system32\Gqnbhf32.exe), PID 2728
144. C:\Windows\SysWOW64\Gcmoda32.exe (command line: C:\Windows\system32\Gcmoda32.exe), PID 2656
145. C:\Windows\SysWOW64\Gjfgqk32.exe (command line: C:\Windows\system32\Gjfgqk32.exe), PID 2424
146. C:\Windows\SysWOW64\Gaqomeke.exe (command line: C:\Windows\system32\Gaqomeke.exe), PID 1956
147. C:\Windows\SysWOW64\Gbaken32.exe (command line: C:\Windows\system32\Gbaken32.exe), PID 1524
148. C:\Windows\SysWOW64\Gjicfk32.exe (command line: C:\Windows\system32\Gjicfk32.exe), PID 2088
149. C:\Windows\SysWOW64\Gljpncgc.exe (command line: C:\Windows\system32\Gljpncgc.exe), PID 492
150. C:\Windows\SysWOW64\Gcahoqhf.exe (command line: C:\Windows\system32\Gcahoqhf.exe), PID 1944
151. C:\Windows\SysWOW64\Hebdfind.exe (command line: C:\Windows\system32\Hebdfind.exe), PID 1680: Adds autorun key to be loaded by Explorer.exe on startup
152. C:\Windows\SysWOW64\Hmjlhfof.exe (command line: C:\Windows\system32\Hmjlhfof.exe), PID 2624
153. C:\Windows\SysWOW64\Hnkion32.exe (command line: C:\Windows\system32\Hnkion32.exe), PID 2808
154. C:\Windows\SysWOW64\Hfbaql32.exe (command line: C:\Windows\system32\Hfbaql32.exe), PID 1788
155. C:\Windows\SysWOW64\Hhcmhdke.exe (command line: C:\Windows\system32\Hhcmhdke.exe), PID 1312
156. C:\Windows\SysWOW64\Hpjeialg.exe (command line: C:\Windows\system32\Hpjeialg.exe), PID 1116
157. C:\Windows\SysWOW64\Hbiaemkk.exe (command line: C:\Windows\system32\Hbiaemkk.exe), PID 1596: Adds autorun key to be loaded by Explorer.exe on startup
158. C:\Windows\SysWOW64\Hegnahjo.exe (command line: C:\Windows\system32\Hegnahjo.exe), PID 2996: System Location Discovery: System Language Discovery
159. C:\Windows\SysWOW64\Hlafnbal.exe (command line: C:\Windows\system32\Hlafnbal.exe), PID 2852
160. C:\Windows\SysWOW64\Hnpbjnpo.exe (command line: C:\Windows\system32\Hnpbjnpo.exe), PID 2700: Drops file in System32 directory
161. C:\Windows\SysWOW64\Hanogipc.exe (command line: C:\Windows\system32\Hanogipc.exe), PID 2612
162. C:\Windows\SysWOW64\Hdlkcdog.exe (command line: C:\Windows\system32\Hdlkcdog.exe), PID 344: Drops file in System32 directory
163. C:\Windows\SysWOW64\Hmeolj32.exe (command line: C:\Windows\system32\Hmeolj32.exe), PID 1080: Modifies registry class
164. C:\Windows\SysWOW64\Helgmg32.exe (command line: C:\Windows\system32\Helgmg32.exe), PID 1700
165. C:\Windows\SysWOW64\Hdoghdmd.exe (command line: C:\Windows\system32\Hdoghdmd.exe), PID 1468
166. C:\Windows\SysWOW64\Hfmddp32.exe (command line: C:\Windows\system32\Hfmddp32.exe), PID 2608
167. C:\Windows\SysWOW64\Hmglajcd.exe (command line: C:\Windows\system32\Hmglajcd.exe), PID 2740
168. C:\Windows\SysWOW64\Iabhah32.exe (command line: C:\Windows\system32\Iabhah32.exe), PID 2264: Drops file in System32 directory
169. C:\Windows\SysWOW64\Ihmpobck.exe (command line: C:\Windows\system32\Ihmpobck.exe), PID 2276
170. C:\Windows\SysWOW64\Ijklknbn.exe (command line: C:\Windows\system32\Ijklknbn.exe), PID 1148: Adds autorun key to be loaded by Explorer.exe on startup; System Location Discovery: System Language Discovery
171. C:\Windows\SysWOW64\Iphecepe.exe (command line: C:\Windows\system32\Iphecepe.exe), PID 880: Adds autorun key to be loaded by Explorer.exe on startup
172. C:\Windows\SysWOW64\Ifampo32.exe (command line: C:\Windows\system32\Ifampo32.exe), PID 2316
173. C:\Windows\SysWOW64\Imleli32.exe (command line: C:\Windows\system32\Imleli32.exe), PID 2536: System Location Discovery: System Language Discovery
174. C:\Windows\SysWOW64\Ibhndp32.exe (command line: C:\Windows\system32\Ibhndp32.exe), PID 2236
175. C:\Windows\SysWOW64\Iibfajdc.exe (command line: C:\Windows\system32\Iibfajdc.exe), PID 2676
176. C:\Windows\SysWOW64\Imnbbi32.exe (command line: C:\Windows\system32\Imnbbi32.exe), PID 2176
177. C:\Windows\SysWOW64\Iplnnd32.exe (command line: C:\Windows\system32\Iplnnd32.exe), PID 2360
178. C:\Windows\SysWOW64\Ibkkjp32.exe (command line: C:\Windows\system32\Ibkkjp32.exe), PID 3004
179. C:\Windows\SysWOW64\Ieigfk32.exe (command line: C:\Windows\system32\Ieigfk32.exe), PID 884: System Location Discovery: System Language Discovery; Modifies registry class
180. C:\Windows\SysWOW64\Iiecgjba.exe (command line: C:\Windows\system32\Iiecgjba.exe), PID 1748
181. C:\Windows\SysWOW64\Ipokcdjn.exe (command line: C:\Windows\system32\Ipokcdjn.exe), PID 1124
182. C:\Windows\SysWOW64\Ibmgpoia.exe (command line: C:\Windows\system32\Ibmgpoia.exe), PID 1424
183. C:\Windows\SysWOW64\Ielclkhe.exe (command line: C:\Windows\system32\Ielclkhe.exe), PID 836
184. C:\Windows\SysWOW64\Iigpli32.exe (command line: C:\Windows\system32\Iigpli32.exe), PID 1648: Drops file in System32 directory
185. C:\Windows\SysWOW64\Jkhldafl.exe (command line: C:\Windows\system32\Jkhldafl.exe), PID 2648
186. C:\Windows\SysWOW64\Jodhdp32.exe (command line: C:\Windows\system32\Jodhdp32.exe), PID 1960
187. C:\Windows\SysWOW64\Jdaqmg32.exe (command line: C:\Windows\system32\Jdaqmg32.exe), PID 2404
188. C:\Windows\SysWOW64\Jhlmmfef.exe (command line: C:\Windows\system32\Jhlmmfef.exe), PID 2380: Modifies registry class
189. C:\Windows\SysWOW64\Jofejpmc.exe (command line: C:\Windows\system32\Jofejpmc.exe), PID 2744
190. C:\Windows\SysWOW64\Jaeafklf.exe (command line: C:\Windows\system32\Jaeafklf.exe), PID 2336
191. C:\Windows\SysWOW64\Jdcmbgkj.exe (command line: C:\Windows\system32\Jdcmbgkj.exe), PID 2140
192. C:\Windows\SysWOW64\Jgaiobjn.exe (command line: C:\Windows\system32\Jgaiobjn.exe), PID 2080
193. C:\Windows\SysWOW64\Jnkakl32.exe (command line: C:\Windows\system32\Jnkakl32.exe), PID 3104
194. C:\Windows\SysWOW64\Jagnlkjd.exe (command line: C:\Windows\system32\Jagnlkjd.exe), PID 3148
195. C:\Windows\SysWOW64\Jhafhe32.exe (command line: C:\Windows\system32\Jhafhe32.exe), PID 3188
196. C:\Windows\SysWOW64\Jgdfdbhk.exe (command line: C:\Windows\system32\Jgdfdbhk.exe), PID 3228
197. C:\Windows\SysWOW64\Jnnnalph.exe (command line: C:\Windows\system32\Jnnnalph.exe), PID 3268
198. C:\Windows\SysWOW64\Jaijak32.exe (command line: C:\Windows\system32\Jaijak32.exe), PID 3308
199. C:\Windows\SysWOW64\Jckgicnp.exe (command line: C:\Windows\system32\Jckgicnp.exe), PID 3348: System Location Discovery: System Language Discovery
200. C:\Windows\SysWOW64\Jkbojpna.exe (command line: C:\Windows\system32\Jkbojpna.exe), PID 3388
201. C:\Windows\SysWOW64\Jlckbh32.exe (command line: C:\Windows\system32\Jlckbh32.exe), PID 3428
202. C:\Windows\SysWOW64\Kdjccf32.exe (command line: C:\Windows\system32\Kdjccf32.exe), PID 3468
203. C:\Windows\SysWOW64\Kghpoa32.exe (command line: C:\Windows\system32\Kghpoa32.exe), PID 3508
204. C:\Windows\SysWOW64\Kjglkm32.exe (command line: C:\Windows\system32\Kjglkm32.exe), PID 3548
205. C:\Windows\SysWOW64\Klehgh32.exe (command line: C:\Windows\system32\Klehgh32.exe), PID 3588
206. C:\Windows\SysWOW64\Kpadhg32.exe (command line: C:\Windows\system32\Kpadhg32.exe), PID 3628
207. C:\Windows\SysWOW64\Kgkleabc.exe (command line: C:\Windows\system32\Kgkleabc.exe), PID 3668
208. C:\Windows\SysWOW64\Kjihalag.exe (command line: C:\Windows\system32\Kjihalag.exe), PID 3708
209. C:\Windows\SysWOW64\Klhemhpk.exe (command line: C:\Windows\system32\Klhemhpk.exe), PID 3748
210. C:\Windows\SysWOW64\Kofaicon.exe (command line: C:\Windows\system32\Kofaicon.exe), PID 3788
211. C:\Windows\SysWOW64\Kfpifm32.exe (command line: C:\Windows\system32\Kfpifm32.exe), PID 3828: Adds autorun key to be loaded by Explorer.exe on startup
212. C:\Windows\SysWOW64\Kjleflod.exe (command line: C:\Windows\system32\Kjleflod.exe), PID 3868
213. C:\Windows\SysWOW64\Kkmand32.exe (command line: C:\Windows\system32\Kkmand32.exe), PID 3908
214. C:\Windows\SysWOW64\Kcdjoaee.exe (command line: C:\Windows\system32\Kcdjoaee.exe), PID 3948
215. C:\Windows\SysWOW64\Kdefgj32.exe (command line: C:\Windows\system32\Kdefgj32.exe), PID 3988
216. C:\Windows\SysWOW64\Khabghdl.exe (command line: C:\Windows\system32\Khabghdl.exe), PID 4028: Drops file in System32 directory
217. C:\Windows\SysWOW64\Kokjdb32.exe (command line: C:\Windows\system32\Kokjdb32.exe), PID 4068: Adds autorun key to be loaded by Explorer.exe on startup; Drops file in System32 directory
218. C:\Windows\SysWOW64\Knnkpobc.exe (command line: C:\Windows\system32\Knnkpobc.exe), PID 3084: Modifies registry class
219. C:\Windows\SysWOW64\Kdhcli32.exe (command line: C:\Windows\system32\Kdhcli32.exe), PID 3132
220. C:\Windows\SysWOW64\Kgfoie32.exe (command line: C:\Windows\system32\Kgfoie32.exe), PID 3176
221. C:\Windows\SysWOW64\Lnpgeopa.exe (command line: C:\Windows\system32\Lnpgeopa.exe), PID 3236
222. C:\Windows\SysWOW64\Lblcfnhj.exe (command line: C:\Windows\system32\Lblcfnhj.exe), PID 3280
223. C:\Windows\SysWOW64\Lhelbh32.exe (command line: C:\Windows\system32\Lhelbh32.exe), PID 3332
224. C:\Windows\SysWOW64\Lghlndfa.exe (command line: C:\Windows\system32\Lghlndfa.exe), PID 3372: Drops file in System32 directory
225. C:\Windows\SysWOW64\Lbnpkmfg.exe (command line: C:\Windows\system32\Lbnpkmfg.exe), PID 3436
226. C:\Windows\SysWOW64\Ldllgiek.exe (command line: C:\Windows\system32\Ldllgiek.exe), PID 3484: System Location Discovery: System Language Discovery
227. C:\Windows\SysWOW64\Lgkhdddo.exe (command line: C:\Windows\system32\Lgkhdddo.exe), PID 3540: System Location Discovery: System Language Discovery
228. C:\Windows\SysWOW64\Ljieppcb.exe (command line: C:\Windows\system32\Ljieppcb.exe), PID 3596
229. C:\Windows\SysWOW64\Lmgalkcf.exe (command line: C:\Windows\system32\Lmgalkcf.exe), PID 3636
230. C:\Windows\SysWOW64\Lqcmmjko.exe (command line: C:\Windows\system32\Lqcmmjko.exe), PID 3688: Adds autorun key to be loaded by Explorer.exe on startup
C:\Windows\SysWOW64\Ldoimh32.exeC:\Windows\system32\Ldoimh32.exe231⤵PID:3732
-
C:\Windows\SysWOW64\Lgmeid32.exeC:\Windows\system32\Lgmeid32.exe232⤵PID:3780
-
C:\Windows\SysWOW64\Lngnfnji.exeC:\Windows\system32\Lngnfnji.exe233⤵PID:3836
-
C:\Windows\SysWOW64\Lohjnf32.exeC:\Windows\system32\Lohjnf32.exe234⤵
- System Location Discovery: System Language Discovery
PID:3888 -
C:\Windows\SysWOW64\Lfbbjpgd.exeC:\Windows\system32\Lfbbjpgd.exe235⤵
- Modifies registry class
PID:3936 -
C:\Windows\SysWOW64\Lmljgj32.exeC:\Windows\system32\Lmljgj32.exe236⤵
- Drops file in System32 directory
PID:3976 -
C:\Windows\SysWOW64\Lokgcf32.exeC:\Windows\system32\Lokgcf32.exe237⤵
- Drops file in System32 directory
PID:4036 -
C:\Windows\SysWOW64\Lbicoamh.exeC:\Windows\system32\Lbicoamh.exe238⤵PID:4080
-
C:\Windows\SysWOW64\Micklk32.exeC:\Windows\system32\Micklk32.exe239⤵PID:3092
-
C:\Windows\SysWOW64\Mmogmjmn.exeC:\Windows\system32\Mmogmjmn.exe240⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:3160 -
C:\Windows\SysWOW64\Mchoid32.exeC:\Windows\system32\Mchoid32.exe241⤵PID:3216
-
C:\Windows\SysWOW64\Mfglep32.exeC:\Windows\system32\Mfglep32.exe242⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:3296
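The process list above is a flat sandbox export, and an analyst who wants to reason about it (how long the propagation chain is, which members persisted, whether the paths are internally consistent) needs it as structured records first. The following Python is an added example, not code from the sandbox report or from the sample: it parses a verbatim excerpt of the entries above (depths 210 to 218, in the run-together image path + command line + depth + PID form the export produces) into records, checks that each command line's system32 path maps to the recorded SysWOW64 image path as WoW64 file system redirection would produce, recovers the spawn chain from the depth numbers (assuming, as the one-step increments indicate, that each process is spawned by the previous one), and lists the PIDs that triggered the autorun signature. The regular expressions for the export format and the chain-length threshold are my own assumptions, not anything the sandbox defines.

```python
"""Turn a flat sandbox process-tree export into records and analyse the spawn chain."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Excerpt copied verbatim from the report above (depths 210-218). The export runs
# image path, command line, depth and PID together on one line; when a process
# triggered signatures they follow as "- ..." lines and the PID comes last.
REPORT_LINES = r"""
C:\Windows\SysWOW64\Kofaicon.exeC:\Windows\system32\Kofaicon.exe210⤵PID:3788
-
C:\Windows\SysWOW64\Kfpifm32.exeC:\Windows\system32\Kfpifm32.exe211⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3828 -
C:\Windows\SysWOW64\Kjleflod.exeC:\Windows\system32\Kjleflod.exe212⤵PID:3868
-
C:\Windows\SysWOW64\Kkmand32.exeC:\Windows\system32\Kkmand32.exe213⤵PID:3908
-
C:\Windows\SysWOW64\Kcdjoaee.exeC:\Windows\system32\Kcdjoaee.exe214⤵PID:3948
-
C:\Windows\SysWOW64\Kdefgj32.exeC:\Windows\system32\Kdefgj32.exe215⤵PID:3988
-
C:\Windows\SysWOW64\Khabghdl.exeC:\Windows\system32\Khabghdl.exe216⤵
- Drops file in System32 directory
PID:4028 -
C:\Windows\SysWOW64\Kokjdb32.exeC:\Windows\system32\Kokjdb32.exe217⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:4068 -
C:\Windows\SysWOW64\Knnkpobc.exeC:\Windows\system32\Knnkpobc.exe218⤵
- Modifies registry class
PID:3084 -
"""

# Assumed layout of one export line (my regex, not a format the sandbox documents):
# <image path>.exe<command line>.exe<depth>⤵[PID:<pid>]
ENTRY_RE = re.compile(
    r"^(?P<image>[A-Za-z]:\\.+?\.exe)"    # image on disk (first ".exe" ends it)
    r"(?P<cmdline>[A-Za-z]:\\.+?\.exe)"   # command line as launched
    r"(?P<depth>\d+)⤵"                    # nesting depth in the process tree
    r"(?:PID:(?P<pid>\d+))?$"             # PID, absent when signature lines follow
)
PID_RE = re.compile(r"^PID:(?P<pid>\d+)$")
# Berbew-style dropped copy: eight-character name directly under SysWOW64 (assumed heuristic).
DROPPED_NAME_RE = re.compile(r"^C:\\Windows\\SysWOW64\\[A-Za-z0-9]{8}\.exe$", re.IGNORECASE)


@dataclass
class Proc:
    depth: int
    pid: int
    image: str
    cmdline: str
    signatures: List[str] = field(default_factory=list)


def parse_process_tree(text: str) -> List[Proc]:
    """Parse export lines into Proc records, attaching signature lines to their process."""
    procs: List[Proc] = []
    current: Optional[Proc] = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith(" -"):          # trailing list separator left by the export
            line = line[:-2].rstrip()
        if not line or line == "-":      # bare separator lines carry no data
            continue
        m = ENTRY_RE.match(line)
        if m:
            current = Proc(int(m["depth"]), int(m["pid"]) if m["pid"] else -1,
                           m["image"], m["cmdline"])
            procs.append(current)
            continue
        m = PID_RE.match(line)
        if m and current is not None:
            current.pid = int(m["pid"])  # deferred PID after the signature lines
        elif line.startswith("- ") and current is not None:
            current.signatures.append(line[2:])
    return procs


def redirected_consistently(p: Proc) -> bool:
    """True if the image path is exactly the WoW64 redirection of the command line's system32 path."""
    return p.cmdline.lower().replace("\\system32\\", "\\syswow64\\") == p.image.lower()


def propagation_chains(procs: List[Proc], min_len: int = 5) -> List[List[Proc]]:
    """Runs of dropped copies whose depth rises by one each step (each spawned by the previous)."""
    chains: List[List[Proc]] = []
    run: List[Proc] = []
    for p in sorted(procs, key=lambda x: x.depth):
        if run and p.depth == run[-1].depth + 1 and DROPPED_NAME_RE.match(p.image):
            run.append(p)
        else:
            if len(run) >= min_len:
                chains.append(run)
            run = [p] if DROPPED_NAME_RE.match(p.image) else []
    if len(run) >= min_len:
        chains.append(run)
    return chains


def persistence_pids(procs: List[Proc]) -> List[int]:
    """PIDs of processes the sandbox flagged for adding an autorun key."""
    return [p.pid for p in procs if any(s.startswith("Adds autorun key") for s in p.signatures)]


if __name__ == "__main__":
    tree = parse_process_tree(REPORT_LINES)
    for chain in propagation_chains(tree):
        print(f"chain of {len(chain)} dropped copies, PIDs {[p.pid for p in chain]}")
    print("persistence set by PIDs:", persistence_pids(tree))
    print("all paths consistent with WoW64 redirection:", all(map(redirected_consistently, tree)))
```

The chain check is deliberately structural: it keys on depth increments and the eight-character SysWOW64 naming rather than on any one file name, so it still fires on the next sample of the family whose names differ. The redirection check is the caveat to keep in mind when pivoting from this report to host telemetry: a hunt for the command-line path under System32 finds nothing, because the files are actually under SysWOW64.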