Analysis
max time kernel: 117s
max time network: 118s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 10-11-2024 01:37
Static task: static1
Behavioral task: behavioral1
  Sample: 8e8d13d676f086d1d6340a8a604785da41da6ea28a1f75e1eded33556360d5c5N.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: 8e8d13d676f086d1d6340a8a604785da41da6ea28a1f75e1eded33556360d5c5N.exe
  Resource: win10v2004-20241007-en
General
Target: 8e8d13d676f086d1d6340a8a604785da41da6ea28a1f75e1eded33556360d5c5N.exe
Size: 90KB
MD5: 43529a03a63b769caae7cd75a5712a20
SHA1: 11c56dee213905b7aba2e7593cf1e8748359b319
SHA256: 8e8d13d676f086d1d6340a8a604785da41da6ea28a1f75e1eded33556360d5c5
SHA512: 50557ddbd3133bcbd9221ca6beee5f920c52609240d30cb49b89bee981999b0e82ffb2b0972e5d8b470359e6faa8dc45d0b62fa5931fe71b5f54a7b9eb79388d
SSDEEP: 1536:Qt5M2b4lS7wQ8C1QRy/rde7P4DSj1onPWVLVl/9954mGIp24G7u/Ub0VkVNK:QtNbZv8nRy/Ber42n/995tpFG7u/Ub05
Malware Config
Extracted family: berbew
C2 URLs:
http://f/wcmd.htm
http://f/ppslog.php
http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d
Signatures
Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
Processes (description, ioc, process; a missing process name means the report left that column blank):
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Behgcf32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cophko32.exe
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jonbee32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Aekqmbod.exe
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hnmeen32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Qfmafg32.exe
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gcokiaji.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hcdnhoac.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gildahhp.exe
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Miehak32.exe
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mdacop32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Achojp32.exe
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Liklhmom.exe
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ciifbchf.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gcjbna32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hmaick32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ibckfa32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kqfdnljm.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kcopdb32.exe
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dhpemm32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Folfoj32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gcbabpcf.exe
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fcbbjcif.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dobgihgp.exe
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oalfhf32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ieagbm32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Peanbblf.exe
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bilmcf32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pcnejk32.exe
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dikogf32.exe
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kbgjkn32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bgblmk32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dhmfod32.exe
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nadimacd.exe
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eoajel32.exe
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hloiib32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Blaopqpo.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gligjd32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Enkpahon.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jcpkpe32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mfllkece.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pomhcg32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cjgoje32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ollajp32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ihfjognl.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ljabkeaf.exe
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oghhfg32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Plmpblnb.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ednbncmb.exe
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
Berbew family
Executes dropped EXE (64 IoCs)
Processes:
(pid, process)
2660 Lpjdjmfp.exe
2552 Lcfqkl32.exe
2524 Legmbd32.exe
2988 Libicbma.exe
1896 Mffimglk.exe
1716 Mhhfdo32.exe
2400 Mponel32.exe
2392 Migbnb32.exe
1496 Mhjbjopf.exe
2012 Mdacop32.exe
2728 Mhloponc.exe
2428 Meppiblm.exe
348 Mholen32.exe
2064 Ngdifkpi.exe
2232 Nibebfpl.exe
764 Nplmop32.exe
2452 Ngfflj32.exe
2100 Nkbalifo.exe
1296 Nlcnda32.exe
1208 Ngibaj32.exe
2272 Nigome32.exe
2344 Nodgel32.exe
2328 Ngkogj32.exe
288 Npccpo32.exe
2324 Nofdklgl.exe
2628 Neplhf32.exe
796 Nkmdpm32.exe
1740 Odeiibdq.exe
3016 Ollajp32.exe
2864 Ookmfk32.exe
2888 Odhfob32.exe
2180 Oalfhf32.exe
1828 Odjbdb32.exe
1140 Okdkal32.exe
2756 Onbgmg32.exe
2024 Odlojanh.exe
1908 Ohhkjp32.exe
1360 Pjldghjm.exe
2244 Pmjqcc32.exe
856 Pfbelipa.exe
1100 Pjnamh32.exe
1624 Pqhijbog.exe
2368 Pcfefmnk.exe
2916 Pgbafl32.exe
2976 Pfdabino.exe
3044 Pmojocel.exe
1884 Pqjfoa32.exe
1992 Pcibkm32.exe
2700 Pbkbgjcc.exe
2664 Pmagdbci.exe
692 Poocpnbm.exe
1308 Pbnoliap.exe
2492 Pdlkiepd.exe
1840 Pihgic32.exe
1104 Pmccjbaf.exe
1724 Poapfn32.exe
1680 Pndpajgd.exe
2132 Qflhbhgg.exe
2288 Qijdocfj.exe
1764 Qgmdjp32.exe
2284 Qodlkm32.exe
1784 Qbbhgi32.exe
912 Qqeicede.exe
1584 Qgoapp32.exe
Loads dropped DLL (64 IoCs)
Processes (pid, process; each process is listed twice because the report recorded two load events per process):
2824 8e8d13d676f086d1d6340a8a604785da41da6ea28a1f75e1eded33556360d5c5N.exe
2824 8e8d13d676f086d1d6340a8a604785da41da6ea28a1f75e1eded33556360d5c5N.exe
2660 Lpjdjmfp.exe
2660 Lpjdjmfp.exe
2552 Lcfqkl32.exe
2552 Lcfqkl32.exe
2524 Legmbd32.exe
2524 Legmbd32.exe
2988 Libicbma.exe
2988 Libicbma.exe
1896 Mffimglk.exe
1896 Mffimglk.exe
1716 Mhhfdo32.exe
1716 Mhhfdo32.exe
2400 Mponel32.exe
2400 Mponel32.exe
2392 Migbnb32.exe
2392 Migbnb32.exe
1496 Mhjbjopf.exe
1496 Mhjbjopf.exe
2012 Mdacop32.exe
2012 Mdacop32.exe
2728 Mhloponc.exe
2728 Mhloponc.exe
2428 Meppiblm.exe
2428 Meppiblm.exe
348 Mholen32.exe
348 Mholen32.exe
2064 Ngdifkpi.exe
2064 Ngdifkpi.exe
2232 Nibebfpl.exe
2232 Nibebfpl.exe
764 Nplmop32.exe
764 Nplmop32.exe
2452 Ngfflj32.exe
2452 Ngfflj32.exe
2100 Nkbalifo.exe
2100 Nkbalifo.exe
1296 Nlcnda32.exe
1296 Nlcnda32.exe
1208 Ngibaj32.exe
1208 Ngibaj32.exe
2272 Nigome32.exe
2272 Nigome32.exe
2344 Nodgel32.exe
2344 Nodgel32.exe
2328 Ngkogj32.exe
2328 Ngkogj32.exe
288 Npccpo32.exe
288 Npccpo32.exe
2324 Nofdklgl.exe
2324 Nofdklgl.exe
2628 Neplhf32.exe
2628 Neplhf32.exe
796 Nkmdpm32.exe
796 Nkmdpm32.exe
1740 Odeiibdq.exe
1740 Odeiibdq.exe
3016 Ollajp32.exe
3016 Ollajp32.exe
2864 Ookmfk32.exe
2864 Ookmfk32.exe
2888 Odhfob32.exe
2888 Odhfob32.exe
Drops file in System32 directory (64 IoCs)
Processes (description, ioc, process; a missing process name means the report left that column blank):
File created C:\Windows\SysWOW64\Nfllknkp.dll Oijjka32.exe
File created C:\Windows\SysWOW64\Poapfn32.exe Pmccjbaf.exe
File created C:\Windows\SysWOW64\Elcdcgcc.exe Ejehgkdp.exe
File created C:\Windows\SysWOW64\Lgpiij32.exe Leammn32.exe
File created C:\Windows\SysWOW64\Foafdoag.exe Fmcjhdbc.exe
File created C:\Windows\SysWOW64\Ngfpmcbo.dll Gjbmelgm.exe
File created C:\Windows\SysWOW64\Qngopb32.exe Qkibcg32.exe
File created C:\Windows\SysWOW64\Kadfkhkf.exe
File created C:\Windows\SysWOW64\Ihdmihpn.exe Idiaii32.exe
File created C:\Windows\SysWOW64\Mcnpojca.exe Mapccndn.exe
File created C:\Windows\SysWOW64\Odebolpe.exe Oaffbqaa.exe
File opened for modification C:\Windows\SysWOW64\Kglehp32.exe
File created C:\Windows\SysWOW64\Dknoaoaj.exe Dhobddbf.exe
File created C:\Windows\SysWOW64\Annehbkj.dll Edfpih32.exe
File opened for modification C:\Windows\SysWOW64\Ggnmbn32.exe Gcbabpcf.exe
File created C:\Windows\SysWOW64\Hdffnl32.dll Lihobnap.exe
File created C:\Windows\SysWOW64\Nllcmj32.dll Ohojmjep.exe
File created C:\Windows\SysWOW64\Cocphf32.exe
File created C:\Windows\SysWOW64\Pkifdd32.exe Pcbncfjd.exe
File created C:\Windows\SysWOW64\Pdmnam32.exe Panaeb32.exe
File created C:\Windows\SysWOW64\Nmepgp32.dll
File created C:\Windows\SysWOW64\Dcnqanhd.exe Dkgippgb.exe
File created C:\Windows\SysWOW64\Fbjhch32.dll Gppipc32.exe
File opened for modification C:\Windows\SysWOW64\Dakmfh32.exe Dchmkkkj.exe
File created C:\Windows\SysWOW64\Ahmiofbn.dll Dfphcj32.exe
File created C:\Windows\SysWOW64\Eoiiijcc.exe Eknmhk32.exe
File created C:\Windows\SysWOW64\Olbkdn32.dll
File created C:\Windows\SysWOW64\Aaaphj32.dll Cdgpnqpo.exe
File created C:\Windows\SysWOW64\Enkpahon.exe Efdhpjok.exe
File opened for modification C:\Windows\SysWOW64\Hnmeen32.exe Hloiib32.exe
File created C:\Windows\SysWOW64\Lihobnap.exe Lfjcfb32.exe
File opened for modification C:\Windows\SysWOW64\Lnbdko32.exe Lkdhoc32.exe
File created C:\Windows\SysWOW64\Edlfhc32.exe Eeielfhk.exe
File opened for modification C:\Windows\SysWOW64\Dacpkc32.exe Dmhdkdlg.exe
File created C:\Windows\SysWOW64\Beejng32.exe Bajomhbl.exe
File opened for modification C:\Windows\SysWOW64\Ecbfkpfk.exe Ekknjcfh.exe
File created C:\Windows\SysWOW64\Fllcjack.dll Lflplbpi.exe
File opened for modification C:\Windows\SysWOW64\Gqlebf32.exe Gmpjagfa.exe
File opened for modification C:\Windows\SysWOW64\Nigafnck.exe Nfidjbdg.exe
File opened for modification C:\Windows\SysWOW64\Dphmloih.exe Dmjqpdje.exe
File opened for modification C:\Windows\SysWOW64\Jbjpom32.exe
File created C:\Windows\SysWOW64\Pmjqcc32.exe Pjldghjm.exe
File created C:\Windows\SysWOW64\Hembkl32.dll Ieigfk32.exe
File opened for modification C:\Windows\SysWOW64\Bjbeofpp.exe Bgdibkam.exe
File opened for modification C:\Windows\SysWOW64\Cfmhdpnc.exe
File created C:\Windows\SysWOW64\Mijamjnm.exe Meoell32.exe
File created C:\Windows\SysWOW64\Ajbggjfq.exe Agdjkogm.exe
File created C:\Windows\SysWOW64\Fpkbeabf.dll Fgcejm32.exe
File created C:\Windows\SysWOW64\Iiegdegb.dll Mkddnf32.exe
File opened for modification C:\Windows\SysWOW64\Mpopnejo.exe Mkddnf32.exe
File created C:\Windows\SysWOW64\Gnaooi32.exe Gkbcbn32.exe
File created C:\Windows\SysWOW64\Bhdgjb32.exe Beejng32.exe
File opened for modification C:\Windows\SysWOW64\Lfhfab32.exe Kcijeg32.exe
File created C:\Windows\SysWOW64\Ncehag32.dll Ajgbkbjp.exe
File created C:\Windows\SysWOW64\Eacljf32.exe Ecploipa.exe
File created C:\Windows\SysWOW64\Icehdl32.dll
File created C:\Windows\SysWOW64\Fkbdkb32.exe Fidhof32.exe
File opened for modification C:\Windows\SysWOW64\Ihmpobck.exe Iabhah32.exe
File created C:\Windows\SysWOW64\Jondii32.dll Kkoncdcp.exe
File opened for modification C:\Windows\SysWOW64\Mqpflg32.exe
File created C:\Windows\SysWOW64\Pkjmoj32.exe Ohkaco32.exe
File opened for modification C:\Windows\SysWOW64\Cadjgf32.exe Cofnjj32.exe
File created C:\Windows\SysWOW64\Qgmfchei.exe Qdojgmfe.exe
File opened for modification C:\Windows\SysWOW64\Gacbmk32.exe Gnefapmj.exe
Program crash (1 IoCs)
Processes (pid, pid_target, process, target process; the process columns were blank in the report):
11520 11540
System Location Discovery: System Language Discovery (1 TTPs, 64 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes (description, ioc, process; a missing process name means the report left that column blank):
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aknlofim.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Baojapfj.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dkgippgb.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fpicodoj.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Danmmd32.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mdbiji32.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cojhejbh.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dohgomgf.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cillkbac.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mhloponc.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hmmphlpp.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iggned32.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jjomgo32.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cafgle32.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ajgbkbjp.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ikefkcmo.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jaeafklf.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mijamjnm.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nfkapb32.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oeehln32.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pbnoliap.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Blobjaba.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fgiepced.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lnbdko32.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hjofdi32.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Odhfob32.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qbbhgi32.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dhbhmb32.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Npgihn32.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dddfdejn.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mfjoeeeh.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nlnnnk32.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pnjofo32.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gnbjlpom.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Agljom32.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hbfepmmn.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jdejhfig.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nfghdcfj.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cpcnonob.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hfpdkl32.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iaeegh32.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jnnnalph.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dmmmfc32.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bcpgdhpp.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fdmhbplb.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lmbonmll.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mfoiqe32.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bfhmqhkd.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jhffnk32.exe
Modifies registry class (64 IoCs)
Processes (description, ioc, process; a missing process name means the report left that column blank; the list is cut off at the end of the page):
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hphidanj.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Gqnbhf32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aldhcb32.dll"
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Knbbpakg.dll"
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnfddh32.dll" Enlglnci.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdkbmk32.dll" Hbqoqbho.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jcpkpe32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mmhamoho.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Cmjdaqgi.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ajhaomoi.dll"
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Fdhlnhhc.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cmgkfh32.dll" Oldpnn32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ajnfie32.dll" Eniclh32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cobhlhdl.dll" Fkjdopeh.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Lgkhdddo.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cejphiik.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdodelbc.dll" Dmgkgeah.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohceeg32.dll" Eeaepd32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cmfkfa32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Coalledf.dll" Cjjkpe32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pnalpimd.dll" Ookmfk32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cgdcgm32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgofmajn.dll" Egdlec32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kkidapal.dll" Nadimacd.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Gfhnjm32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qblodoke.dll" Oiakgcnl.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Acekjjmk.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Khabghdl.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Gcbabpcf.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hbcfdk32.dll"
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kcdjoaee.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mhonngce.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hcdnhoac.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eklaogoi.dll" Ddhpod32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Fbmfkkbm.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cdhqpd32.dll" Lipecm32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nedohngn.dll" Khabghdl.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Cpmjhk32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Maanne32.dll"
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ackkppma.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Lgpiij32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ifoqjo32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mbbfep32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cfgheegc.dll" Bdkgocpm.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bkglameg.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dgmbkk32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Obdojcef.exe
Set value (str)
\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oqbfik32.dll" Ddfebnoo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Gbjlaplk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Khlili32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Meabakda.exe -
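The registry events above all hit one CLSID, {79FAA099-1BAE-816E-D711-115290CEE717}, and each dropped stage repoints its InProcServer32 default value at a fresh DLL in SysWow64. Turning the flattened event text into structured records is the first step of triage, so here is a parser for it. This is an added example written for this page, not code from the sandbox or from the sample; the only assumption is the event layout exactly as the report prints it ("Set value (str) <key> = "<data>" [<writer.exe>]" and "Key created <key> [<writer.exe>]"). The excerpt it parses is eight entries copied from the list above.

```python
import re
from collections import Counter

# Constructed excerpt: eight entries copied from the "Modifies registry class"
# section above, one per line (the parser also accepts them run together).
REPORT_EXCERPT = r"""
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Fdhlnhhc.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cmgkfh32.dll" Oldpnn32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ajnfie32.dll" Eniclh32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Lgkhdddo.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdodelbc.dll" Dmgkgeah.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qblodoke.dll" Oiakgcnl.exe
"""

ENTRY_RE = re.compile(
    r'(?P<op>Set value \(str\)|Key created)\s+'
    r'(?P<key>\\REGISTRY\\\S+)'                 # key path; a 'Set value' key ends in \<name> or a bare \
    r'(?:\s*=\s*"(?P<data>[^"]*)")?'            # data, present for 'Set value' only
    r'(?:\s+(?P<proc>[A-Za-z0-9]+\.exe))?'      # writing process, when the report names it
)
CLSID_RE = re.compile(r'\\CLSID\\(\{[0-9A-Fa-f-]{36}\})\\InProcServer32$')


def parse_entries(text):
    """One dict per registry event: op, key path, value name, data, writer."""
    out = []
    for m in ENTRY_RE.finditer(text):
        op, key = m['op'], m['key']
        if op.startswith('Set value'):
            path, _, name = key.rpartition('\\')
            name = name or '(Default)'           # trailing backslash means the default value
        else:
            path, name = key, None
        out.append({'op': op, 'path': path, 'name': name,
                    'data': m['data'], 'proc': m['proc']})
    return out


def com_hijack_summary(entries):
    """CLSIDs touched, the InProcServer32 DLLs they were pointed at (with how
    often each was written), and which dropped stage wrote which DLL."""
    clsids, dlls, writers = set(), Counter(), {}
    for e in entries:
        m = CLSID_RE.search(e['path'])
        if not m:
            continue
        clsids.add(m.group(1))
        if e['op'].startswith('Set value') and e['name'] == '(Default)':
            dll = e['data'].replace('\\\\', '\\')   # the report doubles backslashes
            dlls[dll] += 1
            if e['proc']:
                writers[e['proc']] = dll
    return {'clsids': clsids, 'dlls': dlls, 'writers': writers}


def dlls_outside(summary, prefix='c:\\windows\\syswow64\\'):
    """Registered servers that are NOT under the directory the stages drop
    into; an empty list confirms every InProcServer32 target is a dropped file."""
    return [d for d in summary['dlls'] if not d.lower().startswith(prefix)]
```

Run on the full section, `com_hijack_summary` should return exactly one CLSID and one DLL path per stage that wrote the default value; anything outside SysWow64, or a second CLSID, would be a new finding worth re-reading the report for.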
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
8e8d13d676f086d1d6340a8a604785da41da6ea28a1f75e1eded33556360d5c5N.exe, Lpjdjmfp.exe, Lcfqkl32.exe, Legmbd32.exe, Libicbma.exe, Mffimglk.exe, Mhhfdo32.exe, Mponel32.exe, Migbnb32.exe, Mhjbjopf.exe, Mdacop32.exe, Mhloponc.exe, Meppiblm.exe, Mholen32.exe, Ngdifkpi.exe, Nibebfpl.exe
description pid process target process
PID 2824 wrote to memory of 2660 2824 8e8d13d676f086d1d6340a8a604785da41da6ea28a1f75e1eded33556360d5c5N.exe Lpjdjmfp.exe
PID 2824 wrote to memory of 2660 2824 8e8d13d676f086d1d6340a8a604785da41da6ea28a1f75e1eded33556360d5c5N.exe Lpjdjmfp.exe
PID 2824 wrote to memory of 2660 2824 8e8d13d676f086d1d6340a8a604785da41da6ea28a1f75e1eded33556360d5c5N.exe Lpjdjmfp.exe
PID 2824 wrote to memory of 2660 2824 8e8d13d676f086d1d6340a8a604785da41da6ea28a1f75e1eded33556360d5c5N.exe Lpjdjmfp.exe
PID 2660 wrote to memory of 2552 2660 Lpjdjmfp.exe Lcfqkl32.exe
PID 2660 wrote to memory of 2552 2660 Lpjdjmfp.exe Lcfqkl32.exe
PID 2660 wrote to memory of 2552 2660 Lpjdjmfp.exe Lcfqkl32.exe
PID 2660 wrote to memory of 2552 2660 Lpjdjmfp.exe Lcfqkl32.exe
PID 2552 wrote to memory of 2524 2552 Lcfqkl32.exe Legmbd32.exe
PID 2552 wrote to memory of 2524 2552 Lcfqkl32.exe Legmbd32.exe
PID 2552 wrote to memory of 2524 2552 Lcfqkl32.exe Legmbd32.exe
PID 2552 wrote to memory of 2524 2552 Lcfqkl32.exe Legmbd32.exe
PID 2524 wrote to memory of 2988 2524 Legmbd32.exe Libicbma.exe
PID 2524 wrote to memory of 2988 2524 Legmbd32.exe Libicbma.exe
PID 2524 wrote to memory of 2988 2524 Legmbd32.exe Libicbma.exe
PID 2524 wrote to memory of 2988 2524 Legmbd32.exe Libicbma.exe
PID 2988 wrote to memory of 1896 2988 Libicbma.exe Mffimglk.exe
PID 2988 wrote to memory of 1896 2988 Libicbma.exe Mffimglk.exe
PID 2988 wrote to memory of 1896 2988 Libicbma.exe Mffimglk.exe
PID 2988 wrote to memory of 1896 2988 Libicbma.exe Mffimglk.exe
PID 1896 wrote to memory of 1716 1896 Mffimglk.exe Mhhfdo32.exe
PID 1896 wrote to memory of 1716 1896 Mffimglk.exe Mhhfdo32.exe
PID 1896 wrote to memory of 1716 1896 Mffimglk.exe Mhhfdo32.exe
PID 1896 wrote to memory of 1716 1896 Mffimglk.exe Mhhfdo32.exe
PID 1716 wrote to memory of 2400 1716 Mhhfdo32.exe Mponel32.exe
PID 1716 wrote to memory of 2400 1716 Mhhfdo32.exe Mponel32.exe
PID 1716 wrote to memory of 2400 1716 Mhhfdo32.exe Mponel32.exe
PID 1716 wrote to memory of 2400 1716 Mhhfdo32.exe Mponel32.exe
PID 2400 wrote to memory of 2392 2400 Mponel32.exe Migbnb32.exe
PID 2400 wrote to memory of 2392 2400 Mponel32.exe Migbnb32.exe
PID 2400 wrote to memory of 2392 2400 Mponel32.exe Migbnb32.exe
PID 2400 wrote to memory of 2392 2400 Mponel32.exe Migbnb32.exe
PID 2392 wrote to memory of 1496 2392 Migbnb32.exe Mhjbjopf.exe
PID 2392 wrote to memory of 1496 2392 Migbnb32.exe Mhjbjopf.exe
PID 2392 wrote to memory of 1496 2392 Migbnb32.exe Mhjbjopf.exe
PID 2392 wrote to memory of 1496 2392 Migbnb32.exe Mhjbjopf.exe
PID 1496 wrote to memory of 2012 1496 Mhjbjopf.exe Mdacop32.exe
PID 1496 wrote to memory of 2012 1496 Mhjbjopf.exe Mdacop32.exe
PID 1496 wrote to memory of 2012 1496 Mhjbjopf.exe Mdacop32.exe
PID 1496 wrote to memory of 2012 1496 Mhjbjopf.exe Mdacop32.exe
PID 2012 wrote to memory of 2728 2012 Mdacop32.exe Mhloponc.exe
PID 2012 wrote to memory of 2728 2012 Mdacop32.exe Mhloponc.exe
PID 2012 wrote to memory of 2728 2012 Mdacop32.exe Mhloponc.exe
PID 2012 wrote to memory of 2728 2012 Mdacop32.exe Mhloponc.exe
PID 2728 wrote to memory of 2428 2728 Mhloponc.exe Meppiblm.exe
PID 2728 wrote to memory of 2428 2728 Mhloponc.exe Meppiblm.exe
PID 2728 wrote to memory of 2428 2728 Mhloponc.exe Meppiblm.exe
PID 2728 wrote to memory of 2428 2728 Mhloponc.exe Meppiblm.exe
PID 2428 wrote to memory of 348 2428 Meppiblm.exe Mholen32.exe
PID 2428 wrote to memory of 348 2428 Meppiblm.exe Mholen32.exe
PID 2428 wrote to memory of 348 2428 Meppiblm.exe Mholen32.exe
PID 2428 wrote to memory of 348 2428 Meppiblm.exe Mholen32.exe
PID 348 wrote to memory of 2064 348 Mholen32.exe Ngdifkpi.exe
PID 348 wrote to memory of 2064 348 Mholen32.exe Ngdifkpi.exe
PID 348 wrote to memory of 2064 348 Mholen32.exe Ngdifkpi.exe
PID 348 wrote to memory of 2064 348 Mholen32.exe Ngdifkpi.exe
PID 2064 wrote to memory of 2232 2064 Ngdifkpi.exe Nibebfpl.exe
PID 2064 wrote to memory of 2232 2064 Ngdifkpi.exe Nibebfpl.exe
PID 2064 wrote to memory of 2232 2064 Ngdifkpi.exe Nibebfpl.exe
PID 2064 wrote to memory of 2232 2064 Ngdifkpi.exe Nibebfpl.exe
PID 2232 wrote to memory of 764 2232 Nibebfpl.exe Nplmop32.exe
PID 2232 wrote to memory of 764 2232 Nibebfpl.exe Nplmop32.exe
PID 2232 wrote to memory of 764 2232 Nibebfpl.exe Nplmop32.exe
PID 2232 wrote to memory of 764 2232 Nibebfpl.exe Nplmop32.exe
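Every WriteProcessMemory row above has the same shape: a parent writes into the child it just spawned, and each pair is reported four times. Rebuilding the writer-to-target chain from those rows (and collapsing the repeats) shows at a glance that the sample is a single linear relay of stages rather than a fan-out, and catches any stage whose image name changes between how its parent saw it and how it later appears as a writer. The code below is an added example for this page, not code from the sandbox or from the sample; it assumes only the row layout printed above ("PID <writer> wrote to memory of <target> <writer> <writer.exe> <target.exe>"), and the input is a constructed excerpt of the first rows, kept in the run-together form the report uses.

```python
import re
from collections import Counter

# Constructed excerpt: rows copied from the table above, in the run-together
# form the report prints them in (two of the edges appear twice, as they do above).
WPM_ROWS = (
    "PID 2824 wrote to memory of 2660 2824 "
    "8e8d13d676f086d1d6340a8a604785da41da6ea28a1f75e1eded33556360d5c5N.exe Lpjdjmfp.exe "
    "PID 2824 wrote to memory of 2660 2824 "
    "8e8d13d676f086d1d6340a8a604785da41da6ea28a1f75e1eded33556360d5c5N.exe Lpjdjmfp.exe "
    "PID 2660 wrote to memory of 2552 2660 Lpjdjmfp.exe Lcfqkl32.exe "
    "PID 2660 wrote to memory of 2552 2660 Lpjdjmfp.exe Lcfqkl32.exe "
    "PID 2552 wrote to memory of 2524 2552 Lcfqkl32.exe Legmbd32.exe "
    "PID 2524 wrote to memory of 2988 2524 Legmbd32.exe Libicbma.exe "
    "PID 2988 wrote to memory of 1896 2988 Libicbma.exe Mffimglk.exe"
)

# Row layout as printed above:
#   PID <writer> wrote to memory of <target> <writer> <writer.exe> <target.exe>
ROW_RE = re.compile(
    r'PID (?P<writer>\d+) wrote to memory of (?P<target>\d+) (?P=writer) '
    r'(?P<writer_img>\S+\.exe) (?P<target_img>\S+\.exe)'
)


def parse_rows(text):
    """One (writer_pid, target_pid, writer_img, target_img) tuple per row,
    duplicates kept: the sandbox emits one row per WriteProcessMemory call."""
    return [(int(m['writer']), int(m['target']), m['writer_img'], m['target_img'])
            for m in ROW_RE.finditer(text)]


def write_counts(edges):
    """How many writes each writer->target pair produced."""
    return dict(Counter((w, t) for w, t, _, _ in edges))


def build_chain(edges, root_pid):
    """Follow writer->target edges from the root and return the ordered
    [(pid, image), ...]. Raises if any stage writes into more than one child,
    which would mean the tree is not the single linear chain it looks like."""
    children = {}
    for w, t, _, ti in edges:
        children.setdefault(w, {})[t] = ti          # collapses the repeated rows
    image_of = {w: wi for w, _, wi, _ in edges}
    chain, pid = [(root_pid, image_of[root_pid])], root_pid
    while pid in children:
        if len(children[pid]) != 1:
            raise ValueError(f'PID {pid} wrote into {len(children[pid])} processes')
        (pid, img), = children[pid].items()
        chain.append((pid, img))
    return chain


def inconsistent_images(edges):
    """Targets whose image, as seen from the parent's row, differs from the
    image they later report as a writer. Empty means the names line up."""
    image_of = {w: wi for w, _, wi, _ in edges}
    return [(t, ti, image_of[t]) for _, t, _, ti in edges
            if t in image_of and image_of[t] != ti]
```

Fed the full 64-row table, `build_chain(edges, 2824)` yields 17 processes ending at PID 764 (Nplmop32.exe), and `write_counts` reports 4 for every pair, which is the number to expect per stage when correlating with the process tree further down.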
Processes
-
C:\Users\Admin\AppData\Local\Temp\8e8d13d676f086d1d6340a8a604785da41da6ea28a1f75e1eded33556360d5c5N.exe"C:\Users\Admin\AppData\Local\Temp\8e8d13d676f086d1d6340a8a604785da41da6ea28a1f75e1eded33556360d5c5N.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2824 -
C:\Windows\SysWOW64\Lpjdjmfp.exeC:\Windows\system32\Lpjdjmfp.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2660 -
C:\Windows\SysWOW64\Lcfqkl32.exeC:\Windows\system32\Lcfqkl32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2552 -
C:\Windows\SysWOW64\Legmbd32.exeC:\Windows\system32\Legmbd32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2524 -
C:\Windows\SysWOW64\Libicbma.exeC:\Windows\system32\Libicbma.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2988 -
C:\Windows\SysWOW64\Mffimglk.exeC:\Windows\system32\Mffimglk.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1896 -
C:\Windows\SysWOW64\Mhhfdo32.exeC:\Windows\system32\Mhhfdo32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1716 -
C:\Windows\SysWOW64\Mponel32.exeC:\Windows\system32\Mponel32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2400 -
C:\Windows\SysWOW64\Migbnb32.exeC:\Windows\system32\Migbnb32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2392 -
C:\Windows\SysWOW64\Mhjbjopf.exeC:\Windows\system32\Mhjbjopf.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1496 -
C:\Windows\SysWOW64\Mdacop32.exeC:\Windows\system32\Mdacop32.exe11⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2012 -
C:\Windows\SysWOW64\Mhloponc.exeC:\Windows\system32\Mhloponc.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2728 -
C:\Windows\SysWOW64\Meppiblm.exeC:\Windows\system32\Meppiblm.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2428 -
C:\Windows\SysWOW64\Mholen32.exeC:\Windows\system32\Mholen32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:348 -
C:\Windows\SysWOW64\Ngdifkpi.exeC:\Windows\system32\Ngdifkpi.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2064 -
C:\Windows\SysWOW64\Nibebfpl.exeC:\Windows\system32\Nibebfpl.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2232 -
C:\Windows\SysWOW64\Nplmop32.exeC:\Windows\system32\Nplmop32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:764 -
C:\Windows\SysWOW64\Ngfflj32.exeC:\Windows\system32\Ngfflj32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2452 -
C:\Windows\SysWOW64\Nkbalifo.exeC:\Windows\system32\Nkbalifo.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2100 -
C:\Windows\SysWOW64\Nlcnda32.exeC:\Windows\system32\Nlcnda32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1296 -
C:\Windows\SysWOW64\Ngibaj32.exeC:\Windows\system32\Ngibaj32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1208 -
C:\Windows\SysWOW64\Nigome32.exeC:\Windows\system32\Nigome32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2272 -
C:\Windows\SysWOW64\Nodgel32.exeC:\Windows\system32\Nodgel32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2344 -
C:\Windows\SysWOW64\Ngkogj32.exeC:\Windows\system32\Ngkogj32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2328 -
C:\Windows\SysWOW64\Npccpo32.exeC:\Windows\system32\Npccpo32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:288 -
C:\Windows\SysWOW64\Nofdklgl.exeC:\Windows\system32\Nofdklgl.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2324 -
C:\Windows\SysWOW64\Neplhf32.exeC:\Windows\system32\Neplhf32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2628 -
C:\Windows\SysWOW64\Nkmdpm32.exeC:\Windows\system32\Nkmdpm32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:796 -
C:\Windows\SysWOW64\Odeiibdq.exeC:\Windows\system32\Odeiibdq.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1740 -
C:\Windows\SysWOW64\Ollajp32.exeC:\Windows\system32\Ollajp32.exe30⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:3016 -
C:\Windows\SysWOW64\Ookmfk32.exeC:\Windows\system32\Ookmfk32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2864 -
C:\Windows\SysWOW64\Odhfob32.exeC:\Windows\system32\Odhfob32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2888 -
C:\Windows\SysWOW64\Oalfhf32.exeC:\Windows\system32\Oalfhf32.exe33⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2180 -
C:\Windows\SysWOW64\Odjbdb32.exeC:\Windows\system32\Odjbdb32.exe34⤵
- Executes dropped EXE
PID:1828 -
C:\Windows\SysWOW64\Okdkal32.exeC:\Windows\system32\Okdkal32.exe35⤵
- Executes dropped EXE
PID:1140 -
C:\Windows\SysWOW64\Onbgmg32.exeC:\Windows\system32\Onbgmg32.exe36⤵
- Executes dropped EXE
PID:2756 -
C:\Windows\SysWOW64\Odlojanh.exeC:\Windows\system32\Odlojanh.exe37⤵
- Executes dropped EXE
PID:2024 -
C:\Windows\SysWOW64\Ohhkjp32.exeC:\Windows\system32\Ohhkjp32.exe38⤵
- Executes dropped EXE
PID:1908 -
C:\Windows\SysWOW64\Pjldghjm.exeC:\Windows\system32\Pjldghjm.exe39⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1360 -
C:\Windows\SysWOW64\Pmjqcc32.exeC:\Windows\system32\Pmjqcc32.exe40⤵
- Executes dropped EXE
PID:2244 -
C:\Windows\SysWOW64\Pfbelipa.exeC:\Windows\system32\Pfbelipa.exe41⤵
- Executes dropped EXE
PID:856 -
C:\Windows\SysWOW64\Pjnamh32.exeC:\Windows\system32\Pjnamh32.exe42⤵
- Executes dropped EXE
PID:1100 -
C:\Windows\SysWOW64\Pqhijbog.exeC:\Windows\system32\Pqhijbog.exe43⤵
- Executes dropped EXE
PID:1624 -
C:\Windows\SysWOW64\Pcfefmnk.exeC:\Windows\system32\Pcfefmnk.exe44⤵
- Executes dropped EXE
PID:2368 -
C:\Windows\SysWOW64\Pgbafl32.exeC:\Windows\system32\Pgbafl32.exe45⤵
- Executes dropped EXE
PID:2916 -
C:\Windows\SysWOW64\Pfdabino.exeC:\Windows\system32\Pfdabino.exe46⤵
- Executes dropped EXE
PID:2976 -
C:\Windows\SysWOW64\Pmojocel.exeC:\Windows\system32\Pmojocel.exe47⤵
- Executes dropped EXE
PID:3044 -
C:\Windows\SysWOW64\Pqjfoa32.exeC:\Windows\system32\Pqjfoa32.exe48⤵
- Executes dropped EXE
PID:1884 -
C:\Windows\SysWOW64\Pcibkm32.exeC:\Windows\system32\Pcibkm32.exe49⤵
- Executes dropped EXE
PID:1992 -
C:\Windows\SysWOW64\Pbkbgjcc.exeC:\Windows\system32\Pbkbgjcc.exe50⤵
- Executes dropped EXE
PID:2700 -
C:\Windows\SysWOW64\Pmagdbci.exeC:\Windows\system32\Pmagdbci.exe51⤵
- Executes dropped EXE
PID:2664 -
C:\Windows\SysWOW64\Poocpnbm.exeC:\Windows\system32\Poocpnbm.exe52⤵
- Executes dropped EXE
PID:692 -
C:\Windows\SysWOW64\Pbnoliap.exeC:\Windows\system32\Pbnoliap.exe53⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1308 -
C:\Windows\SysWOW64\Pdlkiepd.exeC:\Windows\system32\Pdlkiepd.exe54⤵
- Executes dropped EXE
PID:2492 -
C:\Windows\SysWOW64\Pihgic32.exeC:\Windows\system32\Pihgic32.exe55⤵
- Executes dropped EXE
PID:1840 -
C:\Windows\SysWOW64\Pmccjbaf.exeC:\Windows\system32\Pmccjbaf.exe56⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1104 -
C:\Windows\SysWOW64\Poapfn32.exeC:\Windows\system32\Poapfn32.exe57⤵
- Executes dropped EXE
PID:1724 -
C:\Windows\SysWOW64\Pndpajgd.exeC:\Windows\system32\Pndpajgd.exe58⤵
- Executes dropped EXE
PID:1680 -
C:\Windows\SysWOW64\Qflhbhgg.exeC:\Windows\system32\Qflhbhgg.exe59⤵
- Executes dropped EXE
PID:2132 -
C:\Windows\SysWOW64\Qijdocfj.exeC:\Windows\system32\Qijdocfj.exe60⤵
- Executes dropped EXE
PID:2288 -
C:\Windows\SysWOW64\Qgmdjp32.exeC:\Windows\system32\Qgmdjp32.exe61⤵
- Executes dropped EXE
PID:1764 -
C:\Windows\SysWOW64\Qodlkm32.exeC:\Windows\system32\Qodlkm32.exe62⤵
- Executes dropped EXE
PID:2284 -
C:\Windows\SysWOW64\Qbbhgi32.exeC:\Windows\system32\Qbbhgi32.exe63⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1784 -
C:\Windows\SysWOW64\Qqeicede.exeC:\Windows\system32\Qqeicede.exe64⤵
- Executes dropped EXE
PID:912 -
C:\Windows\SysWOW64\Qgoapp32.exeC:\Windows\system32\Qgoapp32.exe65⤵
- Executes dropped EXE
PID:1584 -
C:\Windows\SysWOW64\Qkkmqnck.exeC:\Windows\system32\Qkkmqnck.exe66⤵PID:3020
-
C:\Windows\SysWOW64\Qjnmlk32.exeC:\Windows\system32\Qjnmlk32.exe67⤵PID:2332
-
C:\Windows\SysWOW64\Aniimjbo.exeC:\Windows\system32\Aniimjbo.exe68⤵PID:2148
-
C:\Windows\SysWOW64\Abeemhkh.exeC:\Windows\system32\Abeemhkh.exe69⤵PID:3048
-
C:\Windows\SysWOW64\Aecaidjl.exeC:\Windows\system32\Aecaidjl.exe70⤵PID:2504
-
C:\Windows\SysWOW64\Acfaeq32.exeC:\Windows\system32\Acfaeq32.exe71⤵PID:3004
-
C:\Windows\SysWOW64\Aganeoip.exeC:\Windows\system32\Aganeoip.exe72⤵PID:2568
-
C:\Windows\SysWOW64\Anlfbi32.exeC:\Windows\system32\Anlfbi32.exe73⤵PID:1708
-
C:\Windows\SysWOW64\Amnfnfgg.exeC:\Windows\system32\Amnfnfgg.exe74⤵PID:2776
-
C:\Windows\SysWOW64\Aajbne32.exeC:\Windows\system32\Aajbne32.exe75⤵PID:1736
-
C:\Windows\SysWOW64\Achojp32.exeC:\Windows\system32\Achojp32.exe76⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2136 -
C:\Windows\SysWOW64\Agdjkogm.exeC:\Windows\system32\Agdjkogm.exe77⤵
- Drops file in System32 directory
PID:1556 -
C:\Windows\SysWOW64\Ajbggjfq.exeC:\Windows\system32\Ajbggjfq.exe78⤵PID:656
-
C:\Windows\SysWOW64\Ackkppma.exeC:\Windows\system32\Ackkppma.exe79⤵
- Modifies registry class
PID:2364 -
C:\Windows\SysWOW64\Agfgqo32.exeC:\Windows\system32\Agfgqo32.exe80⤵PID:1956
-
C:\Windows\SysWOW64\Ajecmj32.exeC:\Windows\system32\Ajecmj32.exe81⤵PID:2248
-
C:\Windows\SysWOW64\Amcpie32.exeC:\Windows\system32\Amcpie32.exe82⤵PID:2384
-
C:\Windows\SysWOW64\Abphal32.exeC:\Windows\system32\Abphal32.exe83⤵PID:1856
-
C:\Windows\SysWOW64\Afkdakjb.exeC:\Windows\system32\Afkdakjb.exe84⤵PID:1904
-
C:\Windows\SysWOW64\Ajgpbj32.exeC:\Windows\system32\Ajgpbj32.exe85⤵PID:2992
-
C:\Windows\SysWOW64\Amelne32.exeC:\Windows\system32\Amelne32.exe86⤵PID:2544
-
C:\Windows\SysWOW64\Alhmjbhj.exeC:\Windows\system32\Alhmjbhj.exe87⤵PID:2276
-
C:\Windows\SysWOW64\Acpdko32.exeC:\Windows\system32\Acpdko32.exe88⤵PID:2616
-
C:\Windows\SysWOW64\Afnagk32.exeC:\Windows\system32\Afnagk32.exe89⤵PID:2220
-
C:\Windows\SysWOW64\Aeqabgoj.exeC:\Windows\system32\Aeqabgoj.exe90⤵PID:2184
-
C:\Windows\SysWOW64\Bilmcf32.exeC:\Windows\system32\Bilmcf32.exe91⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2056 -
C:\Windows\SysWOW64\Blkioa32.exeC:\Windows\system32\Blkioa32.exe92⤵PID:1404
-
C:\Windows\SysWOW64\Bpfeppop.exeC:\Windows\system32\Bpfeppop.exe93⤵PID:1696
-
C:\Windows\SysWOW64\Bbdallnd.exeC:\Windows\system32\Bbdallnd.exe94⤵PID:1944
-
C:\Windows\SysWOW64\Biojif32.exeC:\Windows\system32\Biojif32.exe95⤵PID:1688
-
C:\Windows\SysWOW64\Bphbeplm.exeC:\Windows\system32\Bphbeplm.exe96⤵PID:2964
-
C:\Windows\SysWOW64\Bnkbam32.exeC:\Windows\system32\Bnkbam32.exe97⤵PID:2808
-
C:\Windows\SysWOW64\Bajomhbl.exeC:\Windows\system32\Bajomhbl.exe98⤵
- Drops file in System32 directory
PID:2440 -
C:\Windows\SysWOW64\Beejng32.exeC:\Windows\system32\Beejng32.exe99⤵
- Drops file in System32 directory
PID:1772 -
C:\Windows\SysWOW64\Bhdgjb32.exeC:\Windows\system32\Bhdgjb32.exe100⤵PID:2000
-
C:\Windows\SysWOW64\Blobjaba.exeC:\Windows\system32\Blobjaba.exe101⤵
- System Location Discovery: System Language Discovery
PID:1948 -
C:\Windows\SysWOW64\Bonoflae.exeC:\Windows\system32\Bonoflae.exe102⤵PID:2156
-
C:\Windows\SysWOW64\Balkchpi.exeC:\Windows\system32\Balkchpi.exe103⤵PID:2144
-
C:\Windows\SysWOW64\Behgcf32.exeC:\Windows\system32\Behgcf32.exe104⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2356 -
C:\Windows\SysWOW64\Bdkgocpm.exeC:\Windows\system32\Bdkgocpm.exe105⤵
- Modifies registry class
PID:444 -
C:\Windows\SysWOW64\Blaopqpo.exeC:\Windows\system32\Blaopqpo.exe106⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1636 -
C:\Windows\SysWOW64\Bjdplm32.exeC:\Windows\system32\Bjdplm32.exe107⤵PID:600
-
C:\Windows\SysWOW64\Bmclhi32.exeC:\Windows\system32\Bmclhi32.exe108⤵PID:988
-
C:\Windows\SysWOW64\Baohhgnf.exeC:\Windows\system32\Baohhgnf.exe109⤵PID:1408
-
C:\Windows\SysWOW64\Bdmddc32.exeC:\Windows\system32\Bdmddc32.exe110⤵PID:2172
-
C:\Windows\SysWOW64\Bfkpqn32.exeC:\Windows\system32\Bfkpqn32.exe111⤵PID:2588
-
C:\Windows\SysWOW64\Bkglameg.exeC:\Windows\system32\Bkglameg.exe112⤵
- Modifies registry class
PID:2508 -
C:\Windows\SysWOW64\Bmeimhdj.exeC:\Windows\system32\Bmeimhdj.exe113⤵PID:2768
-
C:\Windows\SysWOW64\Baadng32.exeC:\Windows\system32\Baadng32.exe114⤵PID:1996
-
C:\Windows\SysWOW64\Cdoajb32.exeC:\Windows\system32\Cdoajb32.exe115⤵PID:1512
-
C:\Windows\SysWOW64\Cfnmfn32.exeC:\Windows\system32\Cfnmfn32.exe116⤵PID:2972
-
C:\Windows\SysWOW64\Ckiigmcd.exeC:\Windows\system32\Ckiigmcd.exe117⤵PID:2020
-
C:\Windows\SysWOW64\Cmgechbh.exeC:\Windows\system32\Cmgechbh.exe118⤵PID:2960
-
C:\Windows\SysWOW64\Cpfaocal.exeC:\Windows\system32\Cpfaocal.exe119⤵PID:1920
-
C:\Windows\SysWOW64\Cbdnko32.exeC:\Windows\system32\Cbdnko32.exe120⤵PID:992
-
C:\Windows\SysWOW64\Cklfll32.exeC:\Windows\system32\Cklfll32.exe121⤵PID:1448
-
C:\Windows\SysWOW64\Cmjbhh32.exeC:\Windows\system32\Cmjbhh32.exe122⤵PID:1924
-
C:\Windows\SysWOW64\Clmbddgp.exeC:\Windows\system32\Clmbddgp.exe123⤵PID:1864
-
C:\Windows\SysWOW64\Cddjebgb.exeC:\Windows\system32\Cddjebgb.exe124⤵PID:344
-
C:\Windows\SysWOW64\Cgbfamff.exeC:\Windows\system32\Cgbfamff.exe125⤵PID:2352
-
C:\Windows\SysWOW64\Ciqcmiei.exeC:\Windows\system32\Ciqcmiei.exe126⤵PID:1396
-
C:\Windows\SysWOW64\Cmlong32.exeC:\Windows\system32\Cmlong32.exe127⤵PID:2036
-
C:\Windows\SysWOW64\Cpkkjc32.exeC:\Windows\system32\Cpkkjc32.exe128⤵PID:2300
-
C:\Windows\SysWOW64\Conkepdq.exeC:\Windows\system32\Conkepdq.exe129⤵PID:1832
-
C:\Windows\SysWOW64\Cgdcgm32.exeC:\Windows\system32\Cgdcgm32.exe130⤵
- Modifies registry class
PID:620 -
C:\Windows\SysWOW64\Cicpch32.exeC:\Windows\system32\Cicpch32.exe131⤵PID:1400
-
C:\Windows\SysWOW64\Chfpoeja.exeC:\Windows\system32\Chfpoeja.exe132⤵PID:1436
-
C:\Windows\SysWOW64\Clalod32.exeC:\Windows\system32\Clalod32.exe133⤵PID:336
-
C:\Windows\SysWOW64\Cophko32.exeC:\Windows\system32\Cophko32.exe134⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:568 -
C:\Windows\SysWOW64\Cckdlnjg.exeC:\Windows\system32\Cckdlnjg.exe135⤵PID:1900
-
C:\Windows\SysWOW64\Cejphiik.exeC:\Windows\system32\Cejphiik.exe136⤵
- Modifies registry class
PID:2800 -
C:\Windows\SysWOW64\Chhldeho.exeC:\Windows\system32\Chhldeho.exe137⤵PID:2164
-
C:\Windows\SysWOW64\Dldhdc32.exeC:\Windows\system32\Dldhdc32.exe138⤵PID:1216
-
C:\Windows\SysWOW64\Dkgippgb.exeC:\Windows\system32\Dkgippgb.exe139⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1284 -
C:\Windows\SysWOW64\Dcnqanhd.exeC:\Windows\system32\Dcnqanhd.exe140⤵PID:3024
-
C:\Windows\SysWOW64\Delmmigh.exeC:\Windows\system32\Delmmigh.exe141⤵PID:588
-
C:\Windows\SysWOW64\Ddomif32.exeC:\Windows\system32\Ddomif32.exe142⤵PID:824
-
C:\Windows\SysWOW64\Dlfejcoe.exeC:\Windows\system32\Dlfejcoe.exe143⤵PID:2624
-
C:\Windows\SysWOW64\Dodafoni.exeC:\Windows\system32\Dodafoni.exe144⤵PID:324
-
C:\Windows\SysWOW64\Dacnbjml.exeC:\Windows\system32\Dacnbjml.exe145⤵PID:1660
-
C:\Windows\SysWOW64\Dhmfod32.exeC:\Windows\system32\Dhmfod32.exe146⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3036 -
C:\Windows\SysWOW64\Dognlnlf.exeC:\Windows\system32\Dognlnlf.exe147⤵PID:876
-
C:\Windows\SysWOW64\Daejhjkj.exeC:\Windows\system32\Daejhjkj.exe148⤵PID:1984
-
C:\Windows\SysWOW64\Dddfdejn.exeC:\Windows\system32\Dddfdejn.exe149⤵
- System Location Discovery: System Language Discovery
PID:2516 -
C:\Windows\SysWOW64\Dhobddbf.exeC:\Windows\system32\Dhobddbf.exe150⤵
- Drops file in System32 directory
PID:2060 -
C:\Windows\SysWOW64\Dknoaoaj.exeC:\Windows\system32\Dknoaoaj.exe151⤵PID:1368
-
C:\Windows\SysWOW64\Dnlkmkpn.exeC:\Windows\system32\Dnlkmkpn.exe152⤵PID:3008
-
C:\Windows\SysWOW64\Dpjgifpa.exeC:\Windows\system32\Dpjgifpa.exe153⤵PID:2604
-
C:\Windows\SysWOW64\Dciceaoe.exeC:\Windows\system32\Dciceaoe.exe154⤵PID:2348
-
C:\Windows\SysWOW64\Dkpkfooh.exeC:\Windows\system32\Dkpkfooh.exe155⤵PID:2280
-
C:\Windows\SysWOW64\Djclbl32.exeC:\Windows\system32\Djclbl32.exe156⤵PID:540
-
C:\Windows\SysWOW64\Dlahng32.exeC:\Windows\system32\Dlahng32.exe157⤵PID:1264
-
C:\Windows\SysWOW64\Ddhpod32.exeC:\Windows\system32\Ddhpod32.exe158⤵
- Modifies registry class
PID:264 -
C:\Windows\SysWOW64\Egglkp32.exeC:\Windows\system32\Egglkp32.exe159⤵PID:524
-
C:\Windows\SysWOW64\Ejehgkdp.exeC:\Windows\system32\Ejehgkdp.exe160⤵
- Drops file in System32 directory
PID:2596 -
C:\Windows\SysWOW64\Elcdcgcc.exeC:\Windows\system32\Elcdcgcc.exe161⤵PID:3000
-
C:\Windows\SysWOW64\Eobapbbg.exeC:\Windows\system32\Eobapbbg.exe162⤵PID:1608
-
C:\Windows\SysWOW64\Egiiapci.exeC:\Windows\system32\Egiiapci.exe163⤵PID:2784
-
C:\Windows\SysWOW64\Ejgemkbm.exeC:\Windows\system32\Ejgemkbm.exe164⤵PID:1656
-
C:\Windows\SysWOW64\Elfaifaq.exeC:\Windows\system32\Elfaifaq.exe165⤵PID:1932
-
C:\Windows\SysWOW64\Eodnebpd.exeC:\Windows\system32\Eodnebpd.exe166⤵PID:1412
-
C:\Windows\SysWOW64\Efnfbl32.exeC:\Windows\system32\Efnfbl32.exe167⤵PID:2320
-
C:\Windows\SysWOW64\Ehmbng32.exeC:\Windows\system32\Ehmbng32.exe168⤵PID:2920
-
C:\Windows\SysWOW64\Ekknjcfh.exeC:\Windows\system32\Ekknjcfh.exe169⤵
- Drops file in System32 directory
PID:1516 -
C:\Windows\SysWOW64\Ecbfkpfk.exeC:\Windows\system32\Ecbfkpfk.exe170⤵PID:2772
-
C:\Windows\SysWOW64\Efqbglen.exeC:\Windows\system32\Efqbglen.exe171⤵PID:1576
-
C:\Windows\SysWOW64\Ehoocgeb.exeC:\Windows\system32\Ehoocgeb.exe172⤵PID:2008
-
C:\Windows\SysWOW64\Eknkpbdf.exeC:\Windows\system32\Eknkpbdf.exe173⤵PID:1852
-
C:\Windows\SysWOW64\Enlglnci.exeC:\Windows\system32\Enlglnci.exe174⤵
- Modifies registry class
PID:2268 -
C:\Windows\SysWOW64\Efcomkcl.exeC:\Windows\system32\Efcomkcl.exe175⤵PID:3104
-
C:\Windows\SysWOW64\Edfpih32.exeC:\Windows\system32\Edfpih32.exe176⤵
- Drops file in System32 directory
PID:3144 -
C:\Windows\SysWOW64\Egdlec32.exeC:\Windows\system32\Egdlec32.exe177⤵
- Modifies registry class
PID:3184 -
C:\Windows\SysWOW64\Fokdfajl.exeC:\Windows\system32\Fokdfajl.exe178⤵PID:3224
-
C:\Windows\SysWOW64\Fnndan32.exeC:\Windows\system32\Fnndan32.exe179⤵PID:3268
-
C:\Windows\SysWOW64\Fbjpblip.exeC:\Windows\system32\Fbjpblip.exe180⤵PID:3308
-
C:\Windows\SysWOW64\Fdhlnhhc.exeC:\Windows\system32\Fdhlnhhc.exe181⤵
- Modifies registry class
PID:3348 -
C:\Windows\SysWOW64\Fidhof32.exeC:\Windows\system32\Fidhof32.exe182⤵
- Drops file in System32 directory
PID:3388 -
C:\Windows\SysWOW64\Fkbdkb32.exeC:\Windows\system32\Fkbdkb32.exe183⤵PID:3428
-
C:\Windows\SysWOW64\Fnqqgm32.exeC:\Windows\system32\Fnqqgm32.exe184⤵PID:3468
-
C:\Windows\SysWOW64\Fqomci32.exeC:\Windows\system32\Fqomci32.exe185⤵PID:3508
-
C:\Windows\SysWOW64\Fdjidgfa.exeC:\Windows\system32\Fdjidgfa.exe186⤵PID:3548
-
C:\Windows\SysWOW64\Fgiepced.exeC:\Windows\system32\Fgiepced.exe187⤵
- System Location Discovery: System Language Discovery
PID:3588 -
C:\Windows\SysWOW64\Fkdaqa32.exeC:\Windows\system32\Fkdaqa32.exe188⤵PID:3628
-
C:\Windows\SysWOW64\Fncmmmma.exeC:\Windows\system32\Fncmmmma.exe189⤵PID:3668
-
C:\Windows\SysWOW64\Fqajihle.exeC:\Windows\system32\Fqajihle.exe190⤵PID:3708
-
C:\Windows\SysWOW64\Femeig32.exeC:\Windows\system32\Femeig32.exe191⤵PID:3748
-
C:\Windows\SysWOW64\Fcpfedki.exeC:\Windows\system32\Fcpfedki.exe192⤵PID:3788
-
C:\Windows\SysWOW64\Ffnbaojm.exeC:\Windows\system32\Ffnbaojm.exe193⤵PID:3828
-
C:\Windows\SysWOW64\Fjjnan32.exeC:\Windows\system32\Fjjnan32.exe194⤵PID:3868
-
C:\Windows\SysWOW64\Fmhjni32.exeC:\Windows\system32\Fmhjni32.exe195⤵PID:3908
-
C:\Windows\SysWOW64\Fqcfnhjb.exeC:\Windows\system32\Fqcfnhjb.exe196⤵PID:3948
-
C:\Windows\SysWOW64\Fcbbjcif.exeC:\Windows\system32\Fcbbjcif.exe197⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3988 -
C:\Windows\SysWOW64\Ffqofohj.exeC:\Windows\system32\Ffqofohj.exe198⤵PID:4028
-
C:\Windows\SysWOW64\Fjlkgn32.exeC:\Windows\system32\Fjlkgn32.exe199⤵PID:4068
-
C:\Windows\SysWOW64\Fmjgcipg.exeC:\Windows\system32\Fmjgcipg.exe200⤵PID:3080
-
C:\Windows\SysWOW64\Fpicodoj.exeC:\Windows\system32\Fpicodoj.exe201⤵
- System Location Discovery: System Language Discovery
PID:3124 -
C:\Windows\SysWOW64\Fcdopc32.exeC:\Windows\system32\Fcdopc32.exe202⤵PID:3172
-
C:\Windows\SysWOW64\Ffcllo32.exeC:\Windows\system32\Ffcllo32.exe203⤵PID:3220
-
C:\Windows\SysWOW64\Giahhj32.exeC:\Windows\system32\Giahhj32.exe204⤵PID:3288
-
C:\Windows\SysWOW64\Glpdde32.exeC:\Windows\system32\Glpdde32.exe205⤵PID:3280
-
C:\Windows\SysWOW64\Gpkpedmh.exeC:\Windows\system32\Gpkpedmh.exe206⤵PID:3376
-
C:\Windows\SysWOW64\Gbjlaplk.exeC:\Windows\system32\Gbjlaplk.exe207⤵
- Modifies registry class
PID:3424 -
C:\Windows\SysWOW64\Gfehan32.exeC:\Windows\system32\Gfehan32.exe208⤵PID:3440
-
C:\Windows\SysWOW64\Gicdnj32.exeC:\Windows\system32\Gicdnj32.exe209⤵PID:3532
-
C:\Windows\SysWOW64\Gmoqnhla.exeC:\Windows\system32\Gmoqnhla.exe210⤵PID:3576
-
C:\Windows\SysWOW64\Gpnmjd32.exeC:\Windows\system32\Gpnmjd32.exe211⤵PID:3616
-
C:\Windows\SysWOW64\Gblifo32.exeC:\Windows\system32\Gblifo32.exe212⤵PID:3676
-
C:\Windows\SysWOW64\Gfgegnbb.exeC:\Windows\system32\Gfgegnbb.exe213⤵PID:3680
-
C:\Windows\SysWOW64\Gifaciae.exeC:\Windows\system32\Gifaciae.exe214⤵PID:3776
-
C:\Windows\SysWOW64\Ghiaof32.exeC:\Windows\system32\Ghiaof32.exe215⤵PID:3824
-
C:\Windows\SysWOW64\Gppipc32.exeC:\Windows\system32\Gppipc32.exe216⤵
- Drops file in System32 directory
PID:3884 -
C:\Windows\SysWOW64\Gnbjlpom.exeC:\Windows\system32\Gnbjlpom.exe217⤵
- System Location Discovery: System Language Discovery
PID:3920 -
C:\Windows\SysWOW64\Gaafhloq.exeC:\Windows\system32\Gaafhloq.exe218⤵PID:3972
-
C:\Windows\SysWOW64\Gihniioc.exeC:\Windows\system32\Gihniioc.exe219⤵PID:4024
-
C:\Windows\SysWOW64\Ghkndf32.exeC:\Windows\system32\Ghkndf32.exe220⤵PID:4048
-
C:\Windows\SysWOW64\Gjijqa32.exeC:\Windows\system32\Gjijqa32.exe221⤵PID:4080
-
C:\Windows\SysWOW64\Gnefapmj.exeC:\Windows\system32\Gnefapmj.exe222⤵
- Drops file in System32 directory
PID:3164 -
C:\Windows\SysWOW64\Gacbmk32.exeC:\Windows\system32\Gacbmk32.exe223⤵PID:3208
-
C:\Windows\SysWOW64\Geoonjeg.exeC:\Windows\system32\Geoonjeg.exe224⤵PID:3296
-
C:\Windows\SysWOW64\Ghmkjedk.exeC:\Windows\system32\Ghmkjedk.exe225⤵PID:3320
-
C:\Windows\SysWOW64\Gligjd32.exeC:\Windows\system32\Gligjd32.exe226⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3412 -
C:\Windows\SysWOW64\Gngcgp32.exeC:\Windows\system32\Gngcgp32.exe227⤵PID:3476
-
C:\Windows\SysWOW64\Gmjcblbb.exeC:\Windows\system32\Gmjcblbb.exe228⤵PID:3492
-
C:\Windows\SysWOW64\Heakcjcd.exeC:\Windows\system32\Heakcjcd.exe229⤵PID:3540
-
C:\Windows\SysWOW64\Hddlof32.exeC:\Windows\system32\Hddlof32.exe230⤵PID:3608
-
C:\Windows\SysWOW64\Hfbhkb32.exeC:\Windows\system32\Hfbhkb32.exe231⤵PID:3736
-
C:\Windows\SysWOW64\Hjndlqal.exeC:\Windows\system32\Hjndlqal.exe232⤵PID:3808
-
C:\Windows\SysWOW64\Hmmphlpp.exeC:\Windows\system32\Hmmphlpp.exe233⤵
- System Location Discovery: System Language Discovery
PID:3876 -
C:\Windows\SysWOW64\Hpkldg32.exeC:\Windows\system32\Hpkldg32.exe234⤵PID:3916
-
C:\Windows\SysWOW64\Hdfhdfgl.exeC:\Windows\system32\Hdfhdfgl.exe235⤵PID:3968
-
C:\Windows\SysWOW64\Hfedqagp.exeC:\Windows\system32\Hfedqagp.exe236⤵PID:4040
-
C:\Windows\SysWOW64\Hjqqap32.exeC:\Windows\system32\Hjqqap32.exe237⤵PID:4064
-
C:\Windows\SysWOW64\Hmomml32.exeC:\Windows\system32\Hmomml32.exe238⤵PID:3140
-
C:\Windows\SysWOW64\Hpmiig32.exeC:\Windows\system32\Hpmiig32.exe239⤵PID:3156
-
C:\Windows\SysWOW64\Hfgafadm.exeC:\Windows\system32\Hfgafadm.exe240⤵PID:3316
-
C:\Windows\SysWOW64\Hjcmgp32.exeC:\Windows\system32\Hjcmgp32.exe241⤵PID:3384
-
C:\Windows\SysWOW64\Hmaick32.exeC:\Windows\system32\Hmaick32.exe242⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3460
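The process tree above runs to 242 nested entries, each a dropped executable in C:\Windows\SysWOW64 that launches the next one level deeper, with the sandbox's signature bullets attached per process. The parser below turns that listing into records and runs the checks a responder wants from it: that the nesting really is one linear chain, that every stage lives in SysWOW64, that every stage name follows the eight-character pattern seen throughout the list, and which signatures fired on which PIDs. This is an added example for this page, not code from the sandbox or the sample. It assumes the two entry layouts used above (image path run straight into the command line, then depth and the page's expander glyph, followed either by signature bullets and a "PID:" line or by the PID inline); the name pattern is an observation from the listing, used here as a triage assumption rather than a fact the report states. The input is a constructed excerpt of entries 63 to 67 copied from the tree.

```python
import re
from collections import defaultdict

# Constructed excerpt: entries 63 to 67 copied from the tree above. They cover
# both layouts the report uses: signature bullets followed by a 'PID:' line,
# and the short form with the PID on the header line.
TREE_EXCERPT = r"""
C:\Windows\SysWOW64\Qbbhgi32.exeC:\Windows\system32\Qbbhgi32.exe63⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1784 -
C:\Windows\SysWOW64\Qqeicede.exeC:\Windows\system32\Qqeicede.exe64⤵
- Executes dropped EXE
PID:912 -
C:\Windows\SysWOW64\Qgoapp32.exeC:\Windows\system32\Qgoapp32.exe65⤵
- Executes dropped EXE
PID:1584 -
C:\Windows\SysWOW64\Qkkmqnck.exeC:\Windows\system32\Qkkmqnck.exe66⤵PID:3020
-
C:\Windows\SysWOW64\Qjnmlk32.exeC:\Windows\system32\Qjnmlk32.exe67⤵PID:2332
-
"""

HEADER_RE = re.compile(
    r'^(?P<image>[A-Z]:\\.*?\.exe)'      # image path, run straight into ...
    r'(?P<cmd>"?[A-Z]:\\.*?\.exe"?)'     # ... the command line (quoted for the root sample)
    r'(?P<depth>\d+)⤵'                   # nesting depth plus the page's expander glyph
    r'(?:PID:(?P<pid>\d+))?$'            # short layout carries the PID inline
)
SIG_RE = re.compile(r'^- (?P<sig>.+)$')
PID_RE = re.compile(r'^PID:(?P<pid>\d+)')
# Naming observed across the stages above: eight characters, either all letters
# or six letters plus '32', in the style of real system binaries. An assumption
# used for triage, not a property the report states.
STAGE_NAME_RE = re.compile(r'^[A-Z][a-z]{7}\.exe$|^[A-Z][a-z]{5}32\.exe$')


def parse_tree(text):
    """One record per process entry, in listing order."""
    entries, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        h = HEADER_RE.match(line)
        if h:
            cur = {'image': h['image'], 'cmd': h['cmd'], 'depth': int(h['depth']),
                   'pid': int(h['pid']) if h['pid'] else None, 'sigs': []}
            entries.append(cur)
            continue
        if cur is None:
            continue
        s = SIG_RE.match(line)
        if s:
            cur['sigs'].append(s['sig'])
            continue
        p = PID_RE.match(line)
        if p:
            cur['pid'] = int(p['pid'])
    return entries


def is_linear_chain(entries):
    """True when every entry nests exactly one level under the previous one."""
    depths = [e['depth'] for e in entries]
    return all(b == a + 1 for a, b in zip(depths, depths[1:]))


def stages_outside_syswow64(entries, prefix='c:\\windows\\syswow64\\'):
    """Images not under the drop directory (the root sample in %TEMP% would show up here)."""
    return [e['image'] for e in entries if not e['image'].lower().startswith(prefix)]


def odd_names(entries):
    """Images whose basename breaks the eight-character stage naming."""
    return [e['image'] for e in entries
            if not STAGE_NAME_RE.match(e['image'].rsplit('\\', 1)[-1])]


def signature_index(entries):
    """signature -> [pids], so each finding can be tied back to a stage."""
    idx = defaultdict(list)
    for e in entries:
        for s in e['sigs']:
            idx[s].append(e['pid'])
    return dict(idx)
```

On the full listing, `is_linear_chain` should hold across all 242 entries and `stages_outside_syswow64` should return only the root sample under C:\Users\Admin\AppData\Local\Temp; the signature index is the quickest way to see that "Adds autorun key" and "Modifies registry class" fire on a subset of stages rather than on every one.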