Analysis
max time kernel: 63s
max time network: 16s
platform: windows7_x64
resource: win7-20240729-en
resource tags: arch:x64 arch:x86 image:win7-20240729-en locale:en-us os:windows7-x64 system
submitted: 10-11-2024 01:41
Static task: static1
Behavioral task: behavioral1
Sample: 8c1e5c37a038de4d7d2fa778f2c28c8a2923473b68796af2b06cf94729d1cb3eN.exe
Resource: win7-20240729-en
Behavioral task: behavioral2
Sample: 8c1e5c37a038de4d7d2fa778f2c28c8a2923473b68796af2b06cf94729d1cb3eN.exe
Resource: win10v2004-20241007-en
General
Target: 8c1e5c37a038de4d7d2fa778f2c28c8a2923473b68796af2b06cf94729d1cb3eN.exe
Size: 448KB
MD5: fbc69269342153f2c8ea2266bd3a0e60
SHA1: c0915ce19704d5aae9f94e6f8c93bf8bf6336abb
SHA256: 8c1e5c37a038de4d7d2fa778f2c28c8a2923473b68796af2b06cf94729d1cb3e
SHA512: fdac9861fafd51c84dbe56b0ba1f2b0b7428587527a5004b155600e7c2c6fb0e022dc5e3f7454525086bd07ddebf6f2cfe205a28a22cfd0ed6ad19c679ad5fbb
SSDEEP: 6144:YCgjSDBqLkaPrdQt383PQ///NR5fKr2n0MO3LPlkUCmVs5bPQ///NR5fjlt01PBV:YCVDALkrr/Ng1/Nblt01PBExK
Malware Config
Extracted family: berbew
Signatures
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
Berbew family
Executes dropped EXE 64 IoCs
Loads dropped DLL 64 IoCs
Drops file in System32 directory 64 IoCs
Program crash 1 IoCs
Process: WerFault.exe (pid 5808), target process: Bmenijcd.exe (pid 5740)
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Modifies registry class 64 IoCs
\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Opcejd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Oibpdico.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cgbfcjag.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pobeao32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cgohnp32.dll" Anfeop32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
8c1e5c37a038de4d7d2fa778f2c28c8a2923473b68796af2b06cf94729d1cb3eN.exe, Bodhjdcc.exe, Bpfebmia.exe, Bhmmcjjd.exe, Bbikig32.exe, Cpohhk32.exe, Clfhml32.exe, Clhecl32.exe, Cgbfcjag.exe, Chabmm32.exe, Cjboeenh.exe, Dajgfboj.exe, Dckcnj32.exe, Djeljd32.exe, Dlchfp32.exe, Dcmpcjcf.exe
description / pid / process / target process (each event was logged 4 times, 64 IoCs in total):
PID 2368 wrote to memory of 2096 / 2368 / 8c1e5c37a038de4d7d2fa778f2c28c8a2923473b68796af2b06cf94729d1cb3eN.exe / Bodhjdcc.exe (x4)
PID 2096 wrote to memory of 2964 / 2096 / Bodhjdcc.exe / Bpfebmia.exe (x4)
PID 2964 wrote to memory of 2360 / 2964 / Bpfebmia.exe / Bhmmcjjd.exe (x4)
PID 2360 wrote to memory of 2216 / 2360 / Bhmmcjjd.exe / Bbikig32.exe (x4)
PID 2216 wrote to memory of 2704 / 2216 / Bbikig32.exe / Cpohhk32.exe (x4)
PID 2704 wrote to memory of 2092 / 2704 / Cpohhk32.exe / Clfhml32.exe (x4)
PID 2092 wrote to memory of 2744 / 2092 / Clfhml32.exe / Clhecl32.exe (x4)
PID 2744 wrote to memory of 1168 / 2744 / Clhecl32.exe / Cgbfcjag.exe (x4)
PID 1168 wrote to memory of 1332 / 1168 / Cgbfcjag.exe / Chabmm32.exe (x4)
PID 1332 wrote to memory of 2420 / 1332 / Chabmm32.exe / Cjboeenh.exe (x4)
PID 2420 wrote to memory of 3056 / 2420 / Cjboeenh.exe / Dajgfboj.exe (x4)
PID 3056 wrote to memory of 1960 / 3056 / Dajgfboj.exe / Dckcnj32.exe (x4)
PID 1960 wrote to memory of 1016 / 1960 / Dckcnj32.exe / Djeljd32.exe (x4)
PID 1016 wrote to memory of 2392 / 1016 / Djeljd32.exe / Dlchfp32.exe (x4)
PID 2392 wrote to memory of 2400 / 2392 / Dlchfp32.exe / Dcmpcjcf.exe (x4)
PID 2400 wrote to memory of 1040 / 2400 / Dcmpcjcf.exe / Dflmpebj.exe (x4)
Processes
-
Each entry is one level deeper in the process tree than the one before it (the number is the nesting depth); image path, PID and command line are given on the first line of each entry.
1. C:\Users\Admin\AppData\Local\Temp\8c1e5c37a038de4d7d2fa778f2c28c8a2923473b68796af2b06cf94729d1cb3eN.exe (PID 2368), command line "C:\Users\Admin\AppData\Local\Temp\8c1e5c37a038de4d7d2fa778f2c28c8a2923473b68796af2b06cf94729d1cb3eN.exe"
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
2. C:\Windows\SysWOW64\Bodhjdcc.exe (PID 2096), command line C:\Windows\system32\Bodhjdcc.exe
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
3. C:\Windows\SysWOW64\Bpfebmia.exe (PID 2964), command line C:\Windows\system32\Bpfebmia.exe
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
4. C:\Windows\SysWOW64\Bhmmcjjd.exe (PID 2360), command line C:\Windows\system32\Bhmmcjjd.exe
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
5. C:\Windows\SysWOW64\Bbikig32.exe (PID 2216), command line C:\Windows\system32\Bbikig32.exe
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
6. C:\Windows\SysWOW64\Cpohhk32.exe (PID 2704), command line C:\Windows\system32\Cpohhk32.exe
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
7. C:\Windows\SysWOW64\Clfhml32.exe (PID 2092), command line C:\Windows\system32\Clfhml32.exe
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
8. C:\Windows\SysWOW64\Clhecl32.exe (PID 2744), command line C:\Windows\system32\Clhecl32.exe
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
9. C:\Windows\SysWOW64\Cgbfcjag.exe (PID 1168), command line C:\Windows\system32\Cgbfcjag.exe
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
10. C:\Windows\SysWOW64\Chabmm32.exe (PID 1332), command line C:\Windows\system32\Chabmm32.exe
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
11. C:\Windows\SysWOW64\Cjboeenh.exe (PID 2420), command line C:\Windows\system32\Cjboeenh.exe
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
12. C:\Windows\SysWOW64\Dajgfboj.exe (PID 3056), command line C:\Windows\system32\Dajgfboj.exe
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
13. C:\Windows\SysWOW64\Dckcnj32.exe (PID 1960), command line C:\Windows\system32\Dckcnj32.exe
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
14. C:\Windows\SysWOW64\Djeljd32.exe (PID 1016), command line C:\Windows\system32\Djeljd32.exe
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
15. C:\Windows\SysWOW64\Dlchfp32.exe (PID 2392), command line C:\Windows\system32\Dlchfp32.exe
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
16. C:\Windows\SysWOW64\Dcmpcjcf.exe (PID 2400), command line C:\Windows\system32\Dcmpcjcf.exe
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
17. C:\Windows\SysWOW64\Dflmpebj.exe (PID 1040), command line C:\Windows\system32\Dflmpebj.exe
- Executes dropped EXE
- Loads dropped DLL
18. C:\Windows\SysWOW64\Dleelp32.exe (PID 2644), command line C:\Windows\system32\Dleelp32.exe
- Executes dropped EXE
- Loads dropped DLL
19. C:\Windows\SysWOW64\Dcpmijqc.exe (PID 696), command line C:\Windows\system32\Dcpmijqc.exe
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
20. C:\Windows\SysWOW64\Dfniee32.exe (PID 924), command line C:\Windows\system32\Dfniee32.exe
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
21. C:\Windows\SysWOW64\Dlhaaogd.exe (PID 692), command line C:\Windows\system32\Dlhaaogd.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
22. C:\Windows\SysWOW64\Dofnnkfg.exe (PID 1768), command line C:\Windows\system32\Dofnnkfg.exe
- Executes dropped EXE
- Loads dropped DLL
23. C:\Windows\SysWOW64\Dfpfke32.exe (PID 556), command line C:\Windows\system32\Dfpfke32.exe
- Executes dropped EXE
- Loads dropped DLL
24. C:\Windows\SysWOW64\Dljngoea.exe (PID 2668), command line C:\Windows\system32\Dljngoea.exe
- Executes dropped EXE
- Loads dropped DLL
25. C:\Windows\SysWOW64\Dcdfdi32.exe (PID 1916), command line C:\Windows\system32\Dcdfdi32.exe
- Executes dropped EXE
- Loads dropped DLL
26. C:\Windows\SysWOW64\Edeclabl.exe (PID 2680), command line C:\Windows\system32\Edeclabl.exe
- Executes dropped EXE
- Loads dropped DLL
27. C:\Windows\SysWOW64\Ekpkhkji.exe (PID 1088), command line C:\Windows\system32\Ekpkhkji.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
28. C:\Windows\SysWOW64\Ehclbpic.exe (PID 2944), command line C:\Windows\system32\Ehclbpic.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
29. C:\Windows\SysWOW64\Egflml32.exe (PID 1672), command line C:\Windows\system32\Egflml32.exe
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
30. C:\Windows\SysWOW64\Enpdjfgj.exe (PID 2240), command line C:\Windows\system32\Enpdjfgj.exe
- Executes dropped EXE
- Loads dropped DLL
31. C:\Windows\SysWOW64\Edjlgq32.exe (PID 2980), command line C:\Windows\system32\Edjlgq32.exe
- Executes dropped EXE
- Loads dropped DLL
32. C:\Windows\SysWOW64\Ekddck32.exe (PID 2840), command line C:\Windows\system32\Ekddck32.exe
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
33. C:\Windows\SysWOW64\Ebnmpemq.exe (PID 2844), command line C:\Windows\system32\Ebnmpemq.exe
- Executes dropped EXE
- System Location Discovery: System Language Discovery
34. C:\Windows\SysWOW64\Edmilpld.exe (PID 2876), command line C:\Windows\system32\Edmilpld.exe
- Executes dropped EXE
35. C:\Windows\SysWOW64\Ekfaij32.exe (PID 2736), command line C:\Windows\system32\Ekfaij32.exe
- Executes dropped EXE
- Modifies registry class
36. C:\Windows\SysWOW64\Emhnqbjo.exe (PID 2144), command line C:\Windows\system32\Emhnqbjo.exe
- Executes dropped EXE
37. C:\Windows\SysWOW64\Ecbfmm32.exe (PID 2268), command line C:\Windows\system32\Ecbfmm32.exe
- Executes dropped EXE
- System Location Discovery: System Language Discovery
38. C:\Windows\SysWOW64\Efpbih32.exe (PID 2468), command line C:\Windows\system32\Efpbih32.exe
- Executes dropped EXE
39. C:\Windows\SysWOW64\Emjjfb32.exe (PID 2464), command line C:\Windows\system32\Emjjfb32.exe
- Executes dropped EXE
- System Location Discovery: System Language Discovery
40. C:\Windows\SysWOW64\Fnbmoi32.exe (PID 2328), command line C:\Windows\system32\Fnbmoi32.exe
- Executes dropped EXE
41. C:\Windows\SysWOW64\Felekcop.exe (PID 2544), command line C:\Windows\system32\Felekcop.exe
- Executes dropped EXE
42. C:\Windows\SysWOW64\Facfpddd.exe (PID 1484), command line C:\Windows\system32\Facfpddd.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
43. C:\Windows\SysWOW64\Fijnabef.exe (PID 2664), command line C:\Windows\system32\Fijnabef.exe
- Executes dropped EXE
44. C:\Windows\SysWOW64\Gddobpbe.exe (PID 2384), command line C:\Windows\system32\Gddobpbe.exe
- Executes dropped EXE
45. C:\Windows\SysWOW64\Glkgcmbg.exe (PID 1708), command line C:\Windows\system32\Glkgcmbg.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
46. C:\Windows\SysWOW64\Ghbhhnhk.exe (PID 2152), command line C:\Windows\system32\Ghbhhnhk.exe
- Executes dropped EXE
- System Location Discovery: System Language Discovery
47. C:\Windows\SysWOW64\Gjpddigo.exe (PID 2352), command line C:\Windows\system32\Gjpddigo.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
48. C:\Windows\SysWOW64\Gnlpeh32.exe (PID 2440), command line C:\Windows\system32\Gnlpeh32.exe
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
49. C:\Windows\SysWOW64\Ghddnnfi.exe (PID 2356), command line C:\Windows\system32\Ghddnnfi.exe
- Executes dropped EXE
50. C:\Windows\SysWOW64\Gieaef32.exe (PID 2800), command line C:\Windows\system32\Gieaef32.exe
- Executes dropped EXE
51. C:\Windows\SysWOW64\Gpoibp32.exe (PID 2984), command line C:\Windows\system32\Gpoibp32.exe
- Executes dropped EXE
52. C:\Windows\SysWOW64\Gihnkejd.exe (PID 2896), command line C:\Windows\system32\Gihnkejd.exe
- Executes dropped EXE
53. C:\Windows\SysWOW64\Gmcikd32.exe (PID 2296), command line C:\Windows\system32\Gmcikd32.exe
- Executes dropped EXE
54. C:\Windows\SysWOW64\Gdmbhnjj.exe (PID 1636), command line C:\Windows\system32\Gdmbhnjj.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
55. C:\Windows\SysWOW64\Heonpf32.exe (PID 1904), command line C:\Windows\system32\Heonpf32.exe
- Executes dropped EXE
56. C:\Windows\SysWOW64\Hijjpeha.exe (PID 2860), command line C:\Windows\system32\Hijjpeha.exe
- Executes dropped EXE
57. C:\Windows\SysWOW64\Hpdbmooo.exe (PID 3060), command line C:\Windows\system32\Hpdbmooo.exe
- Executes dropped EXE
58. C:\Windows\SysWOW64\Hbboiknb.exe (PID 1944), command line C:\Windows\system32\Hbboiknb.exe
- Executes dropped EXE
59. C:\Windows\SysWOW64\Hilgfe32.exe (PID 2128), command line C:\Windows\system32\Hilgfe32.exe
- Executes dropped EXE
- System Location Discovery: System Language Discovery
60. C:\Windows\SysWOW64\Hpfoboml.exe (PID 2164), command line C:\Windows\system32\Hpfoboml.exe
- Executes dropped EXE
61. C:\Windows\SysWOW64\Hahljg32.exe (PID 2232), command line C:\Windows\system32\Hahljg32.exe
- Executes dropped EXE
- Modifies registry class
62. C:\Windows\SysWOW64\Hhadgakg.exe (PID 3036), command line C:\Windows\system32\Hhadgakg.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
63. C:\Windows\SysWOW64\Holldk32.exe (PID 3040), command line C:\Windows\system32\Holldk32.exe
- Executes dropped EXE
64. C:\Windows\SysWOW64\Hbghdj32.exe (PID 1068), command line C:\Windows\system32\Hbghdj32.exe
- Executes dropped EXE
65. C:\Windows\SysWOW64\Hdhdlbpk.exe (PID 800), command line C:\Windows\system32\Hdhdlbpk.exe
- Executes dropped EXE
66. C:\Windows\SysWOW64\Hhdqma32.exe (PID 2228), command line C:\Windows\system32\Hhdqma32.exe
67. C:\Windows\SysWOW64\Honiikpa.exe (PID 1652), command line C:\Windows\system32\Honiikpa.exe
- Adds autorun key to be loaded by Explorer.exe on startup
68. C:\Windows\SysWOW64\Haleefoe.exe (PID 2348), command line C:\Windows\system32\Haleefoe.exe
- System Location Discovery: System Language Discovery
69. C:\Windows\SysWOW64\Hhfmbq32.exe (PID 3016), command line C:\Windows\system32\Hhfmbq32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
70. C:\Windows\SysWOW64\Iopeoknn.exe (PID 1872), command line C:\Windows\system32\Iopeoknn.exe
71. C:\Windows\SysWOW64\Imcfjg32.exe (PID 2700), command line C:\Windows\system32\Imcfjg32.exe
72. C:\Windows\SysWOW64\Ipabfcdm.exe (PID 2772), command line C:\Windows\system32\Ipabfcdm.exe
73. C:\Windows\SysWOW64\Ihijhpdo.exe (PID 2784), command line C:\Windows\system32\Ihijhpdo.exe
74. C:\Windows\SysWOW64\Igkjcm32.exe (PID 2288), command line C:\Windows\system32\Igkjcm32.exe
- System Location Discovery: System Language Discovery
75. C:\Windows\SysWOW64\Iijfoh32.exe (PID 2684), command line C:\Windows\system32\Iijfoh32.exe
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
76. C:\Windows\SysWOW64\Ipdolbbj.exe (PID 2148), command line C:\Windows\system32\Ipdolbbj.exe
- Modifies registry class
77. C:\Windows\SysWOW64\Icbkhnan.exe (PID 2208), command line C:\Windows\system32\Icbkhnan.exe
- Modifies registry class
78. C:\Windows\SysWOW64\Ikicikap.exe (PID 2324), command line C:\Windows\system32\Ikicikap.exe
79. C:\Windows\SysWOW64\Ilkpac32.exe (PID 340), command line C:\Windows\system32\Ilkpac32.exe
80. C:\Windows\SysWOW64\Igpdnlgd.exe (PID 2304), command line C:\Windows\system32\Igpdnlgd.exe
81. C:\Windows\SysWOW64\Ijopjhfh.exe (PID 2344), command line C:\Windows\system32\Ijopjhfh.exe
- Drops file in System32 directory
82. C:\Windows\SysWOW64\Iphhgb32.exe (PID 1188), command line C:\Windows\system32\Iphhgb32.exe
- System Location Discovery: System Language Discovery
83. C:\Windows\SysWOW64\Icgdcm32.exe (PID 2976), command line C:\Windows\system32\Icgdcm32.exe
- System Location Discovery: System Language Discovery
84. C:\Windows\SysWOW64\Ijampgde.exe (PID 2816), command line C:\Windows\system32\Ijampgde.exe
- System Location Discovery: System Language Discovery
85. C:\Windows\SysWOW64\Iloilcci.exe (PID 3032), command line C:\Windows\system32\Iloilcci.exe
86. C:\Windows\SysWOW64\Ialadj32.exe (PID 1668), command line C:\Windows\system32\Ialadj32.exe
87. C:\Windows\SysWOW64\Jfhmehji.exe (PID 2780), command line C:\Windows\system32\Jfhmehji.exe
88. C:\Windows\SysWOW64\Jkdfmoha.exe (PID 2244), command line C:\Windows\system32\Jkdfmoha.exe
- Adds autorun key to be loaded by Explorer.exe on startup
89. C:\Windows\SysWOW64\Jclnnmic.exe (PID 2068), command line C:\Windows\system32\Jclnnmic.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
90. C:\Windows\SysWOW64\Jfjjkhhg.exe (PID 1644), command line C:\Windows\system32\Jfjjkhhg.exe
91. C:\Windows\SysWOW64\Jhhfgcgj.exe (PID 2532), command line C:\Windows\system32\Jhhfgcgj.exe
92. C:\Windows\SysWOW64\Jkgbcofn.exe (PID 2444), command line C:\Windows\system32\Jkgbcofn.exe
- Adds autorun key to be loaded by Explorer.exe on startup
93. C:\Windows\SysWOW64\Jneoojeb.exe (PID 1288), command line C:\Windows\system32\Jneoojeb.exe
94. C:\Windows\SysWOW64\Jdogldmo.exe (PID 2488), command line C:\Windows\system32\Jdogldmo.exe
- System Location Discovery: System Language Discovery
95. C:\Windows\SysWOW64\Jkioho32.exe (PID 1240), command line C:\Windows\system32\Jkioho32.exe
- Modifies registry class
96. C:\Windows\SysWOW64\Jhmpbc32.exe (PID 316), command line C:\Windows\system32\Jhmpbc32.exe
97. C:\Windows\SysWOW64\Jjnlikic.exe (PID 1480), command line C:\Windows\system32\Jjnlikic.exe
- System Location Discovery: System Language Discovery
98. C:\Windows\SysWOW64\Jnjhjj32.exe (PID 3064), command line C:\Windows\system32\Jnjhjj32.exe
99. C:\Windows\SysWOW64\Jddqgdii.exe (PID 1612), command line C:\Windows\system32\Jddqgdii.exe
- System Location Discovery: System Language Discovery
100. C:\Windows\SysWOW64\Jgbmco32.exe (PID 404), command line C:\Windows\system32\Jgbmco32.exe
101. C:\Windows\SysWOW64\Kmoekf32.exe (PID 1032), command line C:\Windows\system32\Kmoekf32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
102. C:\Windows\SysWOW64\Kqkalenn.exe (PID 2912), command line C:\Windows\system32\Kqkalenn.exe
103. C:\Windows\SysWOW64\Kgdiho32.exe (PID 1924), command line C:\Windows\system32\Kgdiho32.exe
- System Location Discovery: System Language Discovery
- Modifies registry class
104. C:\Windows\SysWOW64\Kjcedj32.exe (PID 2932), command line C:\Windows\system32\Kjcedj32.exe
105. C:\Windows\SysWOW64\Kqmnadlk.exe (PID 756), command line C:\Windows\system32\Kqmnadlk.exe
106. C:\Windows\SysWOW64\Kggfnoch.exe (PID 1740), command line C:\Windows\system32\Kggfnoch.exe
- Drops file in System32 directory
107. C:\Windows\SysWOW64\Kjebjjck.exe (PID 2040), command line C:\Windows\system32\Kjebjjck.exe
- Drops file in System32 directory
108. C:\Windows\SysWOW64\Kmdofebo.exe (PID 1964), command line C:\Windows\system32\Kmdofebo.exe
109. C:\Windows\SysWOW64\Kcngcp32.exe (PID 2892), command line C:\Windows\system32\Kcngcp32.exe
110. C:\Windows\SysWOW64\Kflcok32.exe (PID 3068), command line C:\Windows\system32\Kflcok32.exe
- System Location Discovery: System Language Discovery
111. C:\Windows\SysWOW64\Kodghqop.exe (PID 1884), command line C:\Windows\system32\Kodghqop.exe
112. C:\Windows\SysWOW64\Kbcddlnd.exe (PID 1520), command line C:\Windows\system32\Kbcddlnd.exe
- System Location Discovery: System Language Discovery
113. C:\Windows\SysWOW64\Kimlqfeq.exe (PID 1796), command line C:\Windows\system32\Kimlqfeq.exe
114. C:\Windows\SysWOW64\Knjdimdh.exe (PID 2940), command line C:\Windows\system32\Knjdimdh.exe
115. C:\Windows\SysWOW64\Kfaljjdj.exe (PID 2084), command line C:\Windows\system32\Kfaljjdj.exe
116. C:\Windows\SysWOW64\Kioiffcn.exe (PID 1500), command line C:\Windows\system32\Kioiffcn.exe
117. C:\Windows\SysWOW64\Lpiacp32.exe (PID 2160), command line C:\Windows\system32\Lpiacp32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
118. C:\Windows\SysWOW64\Liaeleak.exe (PID 2516), command line C:\Windows\system32\Liaeleak.exe
119. C:\Windows\SysWOW64\Llpaha32.exe (PID 2712), command line C:\Windows\system32\Llpaha32.exe
120. C:\Windows\SysWOW64\Lamjph32.exe (PID 2952), command line C:\Windows\system32\Lamjph32.exe
121. C:\Windows\SysWOW64\Lehfafgp.exe (PID 2916), command line C:\Windows\system32\Lehfafgp.exe
122. C:\Windows\SysWOW64\Lnqkjl32.exe (PID 1656), command line C:\Windows\system32\Lnqkjl32.exe
123. C:\Windows\SysWOW64\Lekcffem.exe (PID 1760), command line C:\Windows\system32\Lekcffem.exe
- Modifies registry class
124. C:\Windows\SysWOW64\Lgiobadq.exe (PID 1800), command line C:\Windows\system32\Lgiobadq.exe
- Drops file in System32 directory
125. C:\Windows\SysWOW64\Ljgkom32.exe (PID 2396), command line C:\Windows\system32\Ljgkom32.exe
- Modifies registry class
126. C:\Windows\SysWOW64\Lpddgd32.exe (PID 2428), command line C:\Windows\system32\Lpddgd32.exe
- Modifies registry class
127. C:\Windows\SysWOW64\Lcppgbjd.exe (PID 2824), command line C:\Windows\system32\Lcppgbjd.exe
128. C:\Windows\SysWOW64\Limhpihl.exe (PID 2760), command line C:\Windows\system32\Limhpihl.exe
129. C:\Windows\SysWOW64\Ladpagin.exe (PID 2016), command line C:\Windows\system32\Ladpagin.exe
130. C:\Windows\SysWOW64\Mbemho32.exe (PID 2172), command line C:\Windows\system32\Mbemho32.exe
- Modifies registry class
131. C:\Windows\SysWOW64\Mjlejl32.exe (PID 1980), command line C:\Windows\system32\Mjlejl32.exe
132. C:\Windows\SysWOW64\Mmkafhnb.exe (PID 2580), command line C:\Windows\system32\Mmkafhnb.exe
133. C:\Windows\SysWOW64\Mddibb32.exe (PID 1608), command line C:\Windows\system32\Mddibb32.exe
134. C:\Windows\SysWOW64\Meffjjln.exe (PID 1580), command line C:\Windows\system32\Meffjjln.exe
- Drops file in System32 directory
135. C:\Windows\SysWOW64\Mmmnkglp.exe (PID 2336), command line C:\Windows\system32\Mmmnkglp.exe
136. C:\Windows\SysWOW64\Mpkjgckc.exe (PID 2436), command line C:\Windows\system32\Mpkjgckc.exe
- Adds autorun key to be loaded by Explorer.exe on startup
137. C:\Windows\SysWOW64\Mbjfcnkg.exe (PID 2476), command line C:\Windows\system32\Mbjfcnkg.exe
- Adds autorun key to be loaded by Explorer.exe on startup
138. C:\Windows\SysWOW64\Midnqh32.exe (PID 1592), command line C:\Windows\system32\Midnqh32.exe
139. C:\Windows\SysWOW64\Mlbkmdah.exe (PID 1516), command line C:\Windows\system32\Mlbkmdah.exe
- Drops file in System32 directory
140. C:\Windows\SysWOW64\Maocekoo.exe (PID 988), command line C:\Windows\system32\Maocekoo.exe
- Modifies registry class
141. C:\Windows\SysWOW64\Mifkfhpa.exe (PID 2452), command line C:\Windows\system32\Mifkfhpa.exe
142. C:\Windows\SysWOW64\Mldgbcoe.exe (PID 656), command line C:\Windows\system32\Mldgbcoe.exe
- Adds autorun key to be loaded by Explorer.exe on startup
143. C:\Windows\SysWOW64\Moccnoni.exe (PID 2276), command line C:\Windows\system32\Moccnoni.exe
144. C:\Windows\SysWOW64\Maapjjml.exe (PID 1932), command line C:\Windows\system32\Maapjjml.exe
145. C:\Windows\SysWOW64\Mdplfflp.exe (PID 2308), command line C:\Windows\system32\Mdplfflp.exe
146. C:\Windows\SysWOW64\Nkjdcp32.exe (PID 1956), command line C:\Windows\system32\Nkjdcp32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
147. C:\Windows\SysWOW64\Nmhqokcq.exe (PID 1952), command line C:\Windows\system32\Nmhqokcq.exe
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
148. C:\Windows\SysWOW64\Nhnemdbf.exe (PID 2316), command line C:\Windows\system32\Nhnemdbf.exe
149. C:\Windows\SysWOW64\Nklaipbj.exe (PID 1692), command line C:\Windows\system32\Nklaipbj.exe
150. C:\Windows\SysWOW64\Npiiafpa.exe (PID 872), command line C:\Windows\system32\Npiiafpa.exe
- Drops file in System32 directory
151. C:\Windows\SysWOW64\Ngcanq32.exe (PID 2756), command line C:\Windows\system32\Ngcanq32.exe
152. C:\Windows\SysWOW64\Nianjl32.exe (PID 2372), command line C:\Windows\system32\Nianjl32.exe
153. C:\Windows\SysWOW64\Npkfff32.exe (PID 1368), command line C:\Windows\system32\Npkfff32.exe
- Modifies registry class
154. C:\Windows\SysWOW64\Ngencpel.exe (PID 2572), command line C:\Windows\system32\Ngencpel.exe
155. C:\Windows\SysWOW64\Nickoldp.exe (PID 2808), command line C:\Windows\system32\Nickoldp.exe
- Modifies registry class
156. C:\Windows\SysWOW64\Npnclf32.exe (PID 2176), command line C:\Windows\system32\Npnclf32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
157. C:\Windows\SysWOW64\Nejkdm32.exe (PID 1704), command line C:\Windows\system32\Nejkdm32.exe
158. C:\Windows\SysWOW64\Nifgekbm.exe (PID 2180), command line C:\Windows\system32\Nifgekbm.exe
- Adds autorun key to be loaded by Explorer.exe on startup
159. C:\Windows\SysWOW64\Npppaejj.exe (PID 2960), command line C:\Windows\system32\Npppaejj.exe
- Drops file in System32 directory
- Modifies registry class
160. C:\Windows\SysWOW64\Ogjhnp32.exe (PID 768), command line C:\Windows\system32\Ogjhnp32.exe
161. C:\Windows\SysWOW64\Oihdjk32.exe (PID 2060), command line C:\Windows\system32\Oihdjk32.exe
162. C:\Windows\SysWOW64\Ocqhcqgk.exe (PID 1476), command line C:\Windows\system32\Ocqhcqgk.exe
163. C:\Windows\SysWOW64\Oeoeplfn.exe (PID 636), command line C:\Windows\system32\Oeoeplfn.exe
164. C:\Windows\SysWOW64\Ohmalgeb.exe (PID 1584), command line C:\Windows\system32\Ohmalgeb.exe
- Adds autorun key to be loaded by Explorer.exe on startup
165. C:\Windows\SysWOW64\Oklmhcdf.exe (PID 2120), command line C:\Windows\system32\Oklmhcdf.exe
166. C:\Windows\SysWOW64\Oafedmlb.exe (PID 2064), command line C:\Windows\system32\Oafedmlb.exe
167. C:\Windows\SysWOW64\Oojfnakl.exe (PID 2460), command line C:\Windows\system32\Oojfnakl.exe
168. C:\Windows\SysWOW64\Ogekbchg.exe (PID 2524), command line C:\Windows\system32\Ogekbchg.exe
- Drops file in System32 directory
169. C:\Windows\SysWOW64\Onocon32.exe (PID 776), command line C:\Windows\system32\Onocon32.exe
- Drops file in System32 directory
170. C:\Windows\SysWOW64\Oqmokioh.exe (PID 1200), command line C:\Windows\system32\Oqmokioh.exe
- Modifies registry class
171. C:\Windows\SysWOW64\Oggghc32.exe (PID 2520), command line C:\Windows\system32\Oggghc32.exe
- System Location Discovery: System Language Discovery
172. C:\Windows\SysWOW64\Onapdmma.exe (PID 2548), command line C:\Windows\system32\Onapdmma.exe
173. C:\Windows\SysWOW64\Pdkhag32.exe (PID 844), command line C:\Windows\system32\Pdkhag32.exe
174. C:\Windows\SysWOW64\Pkepnalk.exe (PID 1020), command line C:\Windows\system32\Pkepnalk.exe
175. C:\Windows\SysWOW64\Pjhpin32.exe (PID 1864), command line C:\Windows\system32\Pjhpin32.exe
176. C:\Windows\SysWOW64\Pdndggcl.exe (PID 976), command line C:\Windows\system32\Pdndggcl.exe
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
177. C:\Windows\SysWOW64\Pglacbbo.exe (PID 3080), command line C:\Windows\system32\Pglacbbo.exe
- Adds autorun key to be loaded by Explorer.exe on startup
178. C:\Windows\SysWOW64\Pmiikipg.exe (PID 3120), command line C:\Windows\system32\Pmiikipg.exe
- Drops file in System32 directory
179. C:\Windows\SysWOW64\Pqdelh32.exe (PID 3160), command line C:\Windows\system32\Pqdelh32.exe
180. C:\Windows\SysWOW64\Pgnnhbpm.exe (PID 3200), command line C:\Windows\system32\Pgnnhbpm.exe
- System Location Discovery: System Language Discovery
181. C:\Windows\SysWOW64\Pipjpj32.exe (PID 3240), command line C:\Windows\system32\Pipjpj32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
182. C:\Windows\SysWOW64\Poibmdmh.exe (PID 3280), command line C:\Windows\system32\Poibmdmh.exe
- System Location Discovery: System Language Discovery
183. C:\Windows\SysWOW64\Pfcjiodd.exe (PID 3320), command line C:\Windows\system32\Pfcjiodd.exe
184. C:\Windows\SysWOW64\Pmmcfi32.exe (PID 3360), command line C:\Windows\system32\Pmmcfi32.exe
185. C:\Windows\SysWOW64\Pkpcbecl.exe (PID 3400), command line C:\Windows\system32\Pkpcbecl.exe
186. C:\Windows\SysWOW64\Pdigkk32.exe (PID 3440), command line C:\Windows\system32\Pdigkk32.exe
187. C:\Windows\SysWOW64\Qmpplh32.exe (PID 3480), command line C:\Windows\system32\Qmpplh32.exe
188. C:\Windows\SysWOW64\Qfhddn32.exe (PID 3520), command line C:\Windows\system32\Qfhddn32.exe
189. C:\Windows\SysWOW64\Qifpqi32.exe (PID 3560), command line C:\Windows\system32\Qifpqi32.exe
190. C:\Windows\SysWOW64\Qoqhncgp.exe (PID 3604), command line C:\Windows\system32\Qoqhncgp.exe
191. C:\Windows\SysWOW64\Aemafjeg.exe (PID 3644), command line C:\Windows\system32\Aemafjeg.exe
- System Location Discovery: System Language Discovery
192. C:\Windows\SysWOW64\Aglmbfdk.exe (PID 3684), command line C:\Windows\system32\Aglmbfdk.exe
193. C:\Windows\SysWOW64\Anfeop32.exe (PID 3724), command line C:\Windows\system32\Anfeop32.exe
- Modifies registry class
194. C:\Windows\SysWOW64\Aepnkjcd.exe (PID 3764), command line C:\Windows\system32\Aepnkjcd.exe
- Adds autorun key to be loaded by Explorer.exe on startup
195. C:\Windows\SysWOW64\Akjfhdka.exe (PID 3804), command line C:\Windows\system32\Akjfhdka.exe
196. C:\Windows\SysWOW64\Amkbpm32.exe (PID 3844), command line C:\Windows\system32\Amkbpm32.exe
- Drops file in System32 directory
197. C:\Windows\SysWOW64\Acejlfhl.exe (PID 3884), command line C:\Windows\system32\Acejlfhl.exe
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
198. C:\Windows\SysWOW64\Afcghbgp.exe (PID 3924), command line C:\Windows\system32\Afcghbgp.exe
- System Location Discovery: System Language Discovery
199. C:\Windows\SysWOW64\Ammoel32.exe (PID 3968), command line C:\Windows\system32\Ammoel32.exe
- System Location Discovery: System Language Discovery
200. C:\Windows\SysWOW64\Aplkah32.exe (PID 4008), command line C:\Windows\system32\Aplkah32.exe
- Drops file in System32 directory
201. C:\Windows\SysWOW64\Afecna32.exe (PID 4048), command line C:\Windows\system32\Afecna32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
202. C:\Windows\SysWOW64\Aakhkj32.exe (PID 4088), command line C:\Windows\system32\Aakhkj32.exe
203. C:\Windows\SysWOW64\Acjdgf32.exe (PID 3092), command line C:\Windows\system32\Acjdgf32.exe
204. C:\Windows\SysWOW64\Ajcldpkd.exe (PID 3148), command line C:\Windows\system32\Ajcldpkd.exe
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
205. C:\Windows\SysWOW64\Bleilh32.exe (PID 3140), command line C:\Windows\system32\Bleilh32.exe
206. C:\Windows\SysWOW64\Bemmenhb.exe (PID 3260), command line C:\Windows\system32\Bemmenhb.exe
- Modifies registry class
207. C:\Windows\SysWOW64\Bmdefk32.exe (PID 3316), command line C:\Windows\system32\Bmdefk32.exe
208. C:\Windows\SysWOW64\Bneancnc.exe (PID 3300), command line C:\Windows\system32\Bneancnc.exe
209. C:\Windows\SysWOW64\Bepjjn32.exe (PID 3408), command line C:\Windows\system32\Bepjjn32.exe
210. C:\Windows\SysWOW64\Blibghmm.exe (PID 3460), command line C:\Windows\system32\Blibghmm.exe
211. C:\Windows\SysWOW64\Bnhncclq.exe (PID 3492), command line C:\Windows\system32\Bnhncclq.exe
212. C:\Windows\SysWOW64\Bebfpm32.exe (PID 3568), command line C:\Windows\system32\Bebfpm32.exe
213. C:\Windows\SysWOW64\Bimbql32.exe (PID 3620), command line C:\Windows\system32\Bimbql32.exe
- Modifies registry class
214. C:\Windows\SysWOW64\Bjoohdbd.exe (PID 3668), command line C:\Windows\system32\Bjoohdbd.exe
- Modifies registry class
C:\Windows\SysWOW64\Baigen32.exeC:\Windows\system32\Baigen32.exe215⤵PID:3716
-
C:\Windows\SysWOW64\Bhbpahan.exeC:\Windows\system32\Bhbpahan.exe216⤵
- System Location Discovery: System Language Discovery
PID:3736 -
C:\Windows\SysWOW64\Bjalndpb.exeC:\Windows\system32\Bjalndpb.exe217⤵
- Modifies registry class
PID:3824 -
C:\Windows\SysWOW64\Bakdjn32.exeC:\Windows\system32\Bakdjn32.exe218⤵PID:3868
-
C:\Windows\SysWOW64\Befpkmph.exeC:\Windows\system32\Befpkmph.exe219⤵PID:3916
-
C:\Windows\SysWOW64\Cfhlbe32.exeC:\Windows\system32\Cfhlbe32.exe220⤵PID:3976
-
C:\Windows\SysWOW64\Ckchcc32.exeC:\Windows\system32\Ckchcc32.exe221⤵PID:4024
-
C:\Windows\SysWOW64\Camqpnel.exeC:\Windows\system32\Camqpnel.exe222⤵PID:4072
-
C:\Windows\SysWOW64\Cdlmlidp.exeC:\Windows\system32\Cdlmlidp.exe223⤵PID:3100
-
C:\Windows\SysWOW64\Cfjihdcc.exeC:\Windows\system32\Cfjihdcc.exe224⤵
- System Location Discovery: System Language Discovery
PID:3112 -
C:\Windows\SysWOW64\Cihedpcg.exeC:\Windows\system32\Cihedpcg.exe225⤵
- System Location Discovery: System Language Discovery
PID:3228 -
C:\Windows\SysWOW64\Cdnjaibm.exeC:\Windows\system32\Cdnjaibm.exe226⤵PID:3292
-
C:\Windows\SysWOW64\Cglfndaa.exeC:\Windows\system32\Cglfndaa.exe227⤵PID:3348
-
C:\Windows\SysWOW64\Clinfk32.exeC:\Windows\system32\Clinfk32.exe228⤵PID:3420
-
C:\Windows\SysWOW64\Cpejfjha.exeC:\Windows\system32\Cpejfjha.exe229⤵PID:3468
-
C:\Windows\SysWOW64\Cgobcd32.exeC:\Windows\system32\Cgobcd32.exe230⤵
- Drops file in System32 directory
PID:3532 -
C:\Windows\SysWOW64\Cimooo32.exeC:\Windows\system32\Cimooo32.exe231⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3600 -
C:\Windows\SysWOW64\Cpgglifo.exeC:\Windows\system32\Cpgglifo.exe232⤵PID:3664
-
C:\Windows\SysWOW64\Ccecheeb.exeC:\Windows\system32\Ccecheeb.exe233⤵
- Drops file in System32 directory
PID:3712 -
C:\Windows\SysWOW64\Cipleo32.exeC:\Windows\system32\Cipleo32.exe234⤵PID:3776
-
C:\Windows\SysWOW64\Clnhajlc.exeC:\Windows\system32\Clnhajlc.exe235⤵PID:3792
-
C:\Windows\SysWOW64\Dchpnd32.exeC:\Windows\system32\Dchpnd32.exe236⤵PID:3856
-
C:\Windows\SysWOW64\Defljp32.exeC:\Windows\system32\Defljp32.exe237⤵PID:3964
-
C:\Windows\SysWOW64\Dhehfk32.exeC:\Windows\system32\Dhehfk32.exe238⤵PID:4040
-
C:\Windows\SysWOW64\Dkcebg32.exeC:\Windows\system32\Dkcebg32.exe239⤵PID:4084
-
C:\Windows\SysWOW64\Deiipp32.exeC:\Windows\system32\Deiipp32.exe240⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3216 -
C:\Windows\SysWOW64\Dhgelk32.exeC:\Windows\system32\Dhgelk32.exe241⤵
- Drops file in System32 directory
PID:3252 -
C:\Windows\SysWOW64\Doamhe32.exeC:\Windows\system32\Doamhe32.exe242⤵PID:3384