Analysis
-
max time kernel
148s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
10-11-2024 01:41
Static task
static1
Behavioral task
behavioral1
Sample
adfd91c8248d10542dbd6d036ea2b2984e1ee7550bab2be40d6f0867eda8f4b0.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
adfd91c8248d10542dbd6d036ea2b2984e1ee7550bab2be40d6f0867eda8f4b0.exe
Resource
win10v2004-20241007-en
General
-
Target
adfd91c8248d10542dbd6d036ea2b2984e1ee7550bab2be40d6f0867eda8f4b0.exe
-
Size
1.9MB
-
MD5
84c24d3d3092fb84662660790271af94
-
SHA1
b6b9945c52e2d927cff1c88fa3105a79d35f182c
-
SHA256
adfd91c8248d10542dbd6d036ea2b2984e1ee7550bab2be40d6f0867eda8f4b0
-
SHA512
e37c528a8621228526c5df22bbe72d8ae45d16907ddb63843df93be497f3e6299c02981ca0df681e271e1e27418bfbe8ebcacba77bbc0da16fa160b583ec675b
-
SSDEEP
24576:wotNIVyeNIVy2jUKaNIVyeNIVy2jUtc9uO2NIVyeNIVy2jUKaNIVyeNIVy2jUO:w/yj1yj3uOpyj1yjH
Malware Config
Extracted
berbew
http://crutop.nu/index.php
http://crutop.ru/index.php
http://mazafaka.ru/index.php
http://color-bank.ru/index.php
http://asechka.ru/index.php
http://trojan.ru/index.php
http://fuck.ru/index.php
http://goldensand.ru/index.php
http://filesearch.ru/index.php
http://devx.nm.ru/index.php
http://ros-neftbank.ru/index.php
http://lovingod.host.sk/index.php
http://www.redline.ru/index.php
http://cvv.ru/index.php
http://hackers.lv/index.php
http://fethard.biz/index.php
http://ldark.nm.ru/index.htm
http://gaz-prom.ru/index.htm
http://promo.ru/index.htm
http://potleaf.chat.ru/index.htm
http://kadet.ru/index.htm
http://cvv.ru/index.htm
http://crutop.nu/index.htm
http://crutop.ru/index.htm
http://mazafaka.ru/index.htm
http://xware.cjb.net/index.htm
http://konfiskat.org/index.htm
http://parex-bank.ru/index.htm
http://kidos-bank.ru/index.htm
http://kavkaz.ru/index.htm
http://fethard.biz/index.htm
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
Processes:
Hhfpbpdo.exeGfmojenc.exeKjhloj32.exeGgfglb32.exeOdoogi32.exeAonoao32.exeJilfifme.exeIpflihfq.exeIphioh32.exeIggjga32.exeJcikgacl.exeFdglmkeg.exeIloidijb.exeEiloco32.exeLikhem32.exePidlqb32.exeFgiaemic.exeMmkkmc32.exeNeclenfo.exeOloahhki.exeDfiildio.exeGkmdecbg.exeJpaleglc.exeKdkdgchl.exeJlgepanl.exeCbeapmll.exeDblgpl32.exeFdccbl32.exeBnlhncgi.exeBnoddcef.exeDnljkk32.exeGfheof32.exeKlfaapbl.exeLqhdbm32.exePhodcg32.exeDcffnbee.exeFamhmfkl.exeHpcodihc.exeIeojgc32.exeKbhmbdle.exePeahgl32.exeQeodhjmo.exeLopmii32.exeJldbpl32.exeNcofplba.exeLgbloglj.exeHoobdp32.exeNjljch32.exeJjoiil32.exeNaecop32.exeMoipoh32.exeJqhafffk.exeIhkjno32.exeDmjmekgn.exeDolmodpi.exeDpalgenf.exeNmbjcljl.exeOmpfej32.exeMkmkkjko.exeCbdjeg32.exedescription ioc process Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hhfpbpdo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gfmojenc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kjhloj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ggfglb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Odoogi32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aonoao32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jilfifme.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ipflihfq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iphioh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iggjga32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jcikgacl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fdglmkeg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iloidijb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eiloco32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Likhem32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pidlqb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fgiaemic.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mmkkmc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Neclenfo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oloahhki.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dfiildio.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gkmdecbg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jpaleglc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kdkdgchl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jlgepanl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cbeapmll.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dblgpl32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fdccbl32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gkmdecbg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bnlhncgi.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bnoddcef.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dnljkk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gfheof32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Odoogi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Klfaapbl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lqhdbm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fdglmkeg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Phodcg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dcffnbee.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Famhmfkl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hpcodihc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ieojgc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kbhmbdle.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Peahgl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qeodhjmo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lopmii32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jldbpl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ncofplba.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lgbloglj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hoobdp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Njljch32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jjoiil32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Naecop32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Moipoh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jqhafffk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ihkjno32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dnljkk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dmjmekgn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dolmodpi.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dpalgenf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nmbjcljl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ompfej32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mkmkkjko.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cbdjeg32.exe -
Berbew family
-
Executes dropped EXE 64 IoCs
Processes:
Ajpqnneo.exeAfgacokc.exeAlqjpi32.exeBhoqeibl.exeBjbfklei.exeCihclh32.exeCijpahho.exeCbeapmll.exeCjliajmo.exeCjnffjkl.exeCkpbnb32.exeCcgjopal.exeDjqblj32.exeDmoohe32.exeDpnkdq32.exeDblgpl32.exeDjcoai32.exeDmalne32.exeDckdjomg.exeDfjpfj32.exeDihlbf32.exeDlghoa32.exeDcnqpo32.exeDflmlj32.exeDikihe32.exeDlieda32.exeDcpmen32.exeDjjebh32.exeDlkbjqgm.exeEjlbhh32.exeElnoopdj.exeEbhglj32.exeEjoomhmi.exeElpkep32.exeEbjcajjd.exeEjalcgkg.exeElbhjp32.exeEciplm32.exeEjchhgid.exeEleepoob.exeEclmamod.exeEjfeng32.exeElgaeolp.exeFbajbi32.exeFjhacf32.exeFlinkojm.exeFdqfll32.exeFjjnifbl.exeFllkqn32.exeFdccbl32.exeFfaong32.exeFmkgkapm.exeFpjcgm32.exeFbhpch32.exeFibhpbea.exeFlqdlnde.exeFdglmkeg.exeFffhifdk.exeFmpqfq32.exeGpnmbl32.exeGfheof32.exeGmbmkpie.exeGdlfhj32.exeGfkbde32.exepid process 3896 Ajpqnneo.exe 2856 Afgacokc.exe 4404 Alqjpi32.exe 1836 Bhoqeibl.exe 232 Bjbfklei.exe 2980 Cihclh32.exe 3936 Cijpahho.exe 1004 Cbeapmll.exe 348 Cjliajmo.exe 4968 Cjnffjkl.exe 2352 Ckpbnb32.exe 1656 Ccgjopal.exe 4572 Djqblj32.exe 1140 Dmoohe32.exe 2944 Dpnkdq32.exe 4548 Dblgpl32.exe 1672 Djcoai32.exe 2016 Dmalne32.exe 1696 Dckdjomg.exe 932 Dfjpfj32.exe 3044 Dihlbf32.exe 2788 Dlghoa32.exe 1388 Dcnqpo32.exe 3120 Dflmlj32.exe 4040 Dikihe32.exe 3396 Dlieda32.exe 4028 Dcpmen32.exe 1312 Djjebh32.exe 3892 Dlkbjqgm.exe 2592 Ejlbhh32.exe 2524 Elnoopdj.exe 4328 Ebhglj32.exe 3940 Ejoomhmi.exe 2372 Elpkep32.exe 3644 Ebjcajjd.exe 3488 Ejalcgkg.exe 2928 Elbhjp32.exe 1328 Eciplm32.exe 3468 Ejchhgid.exe 860 Eleepoob.exe 4888 Eclmamod.exe 372 Ejfeng32.exe 728 Elgaeolp.exe 5052 Fbajbi32.exe 1676 Fjhacf32.exe 4984 Flinkojm.exe 4132 Fdqfll32.exe 1744 Fjjnifbl.exe 2448 Fllkqn32.exe 1968 Fdccbl32.exe 5024 Ffaong32.exe 1868 Fmkgkapm.exe 3868 Fpjcgm32.exe 4212 Fbhpch32.exe 1624 Fibhpbea.exe 796 Flqdlnde.exe 4912 Fdglmkeg.exe 3008 Fffhifdk.exe 4464 Fmpqfq32.exe 4168 Gpnmbl32.exe 1600 Gfheof32.exe 4508 Gmbmkpie.exe 3388 Gdlfhj32.exe 2556 Gfkbde32.exe -
Drops file in System32 directory 64 IoCs
Processes:
Iknmla32.exeMkohaj32.exeAogbfi32.exeBhhiemoj.exeDnmaea32.exeBkmeha32.exeHdehni32.exeLjeafb32.exeFeqeog32.exeKmfhkf32.exeIpgkjlmg.exeFdpnda32.exeIciaqc32.exePaoollik.exeEkmhejao.exeQpeahb32.exeDqpfmlce.exeApjdikqd.exeBbhildae.exeNaecop32.exeCbfgkffn.exeDnljkk32.exeIdhnkf32.exePaeelgnj.exeApeknk32.exeHlcjhkdp.exeIpflihfq.exeJjlmclqa.exeKdpmbc32.exeEqmlccdi.exeFbplml32.exeDblgpl32.exeDmalne32.exeDfjpfj32.exeEclmamod.exeGdlfhj32.exeMebcop32.exeBnmoijje.exeDalofi32.exePhfjcf32.exeIgajal32.exeKnooej32.exeBdickcpo.exeFkjmlaac.exeIeojgc32.exeNoblkqca.exeDmjmekgn.exeNnkpnclp.exeOpclldhj.exePagbaglh.exeIhbponja.exeMfkkqmiq.exeEleepoob.exeGfmojenc.exeMepfiq32.exeJjoiil32.exeNggnadib.exeCgmhcaac.exeNmlddqem.exeCgiohbfi.exedescription ioc process File opened for modification C:\Windows\SysWOW64\Iloidijb.exe Iknmla32.exe File created C:\Windows\SysWOW64\Mnmdme32.exe Mkohaj32.exe File created C:\Windows\SysWOW64\Adcjop32.exe Aogbfi32.exe File opened for modification C:\Windows\SysWOW64\Bobabg32.exe Bhhiemoj.exe File created C:\Windows\SysWOW64\Dolmodpi.exe Dnmaea32.exe File opened for modification C:\Windows\SysWOW64\Bbhildae.exe Bkmeha32.exe File created C:\Windows\SysWOW64\Backpf32.dll Hdehni32.exe File opened for modification C:\Windows\SysWOW64\Lobjni32.exe Ljeafb32.exe File created C:\Windows\SysWOW64\Aobmce32.dll Feqeog32.exe File created C:\Windows\SysWOW64\Gicbkkca.dll Kmfhkf32.exe File created C:\Windows\SysWOW64\Mmmncpmp.dll Ipgkjlmg.exe File created C:\Windows\SysWOW64\Gihfoi32.dll Fdpnda32.exe File opened for modification C:\Windows\SysWOW64\Ikpjbq32.exe Iciaqc32.exe File created C:\Windows\SysWOW64\Ihbjebjh.dll Paoollik.exe File opened for modification C:\Windows\SysWOW64\Ebgpad32.exe Ekmhejao.exe File created C:\Windows\SysWOW64\Aogbfi32.exe Qpeahb32.exe File created C:\Windows\SysWOW64\Dkekjdck.exe Dqpfmlce.exe File created C:\Windows\SysWOW64\Icifhjkc.dll Apjdikqd.exe File opened for modification C:\Windows\SysWOW64\Cmnnimak.exe Bbhildae.exe File opened for modification C:\Windows\SysWOW64\Nccokk32.exe Naecop32.exe File created C:\Windows\SysWOW64\Dmlkhofd.exe Cbfgkffn.exe File created C:\Windows\SysWOW64\Dkpjdo32.exe Dnljkk32.exe File created C:\Windows\SysWOW64\Iggjga32.exe Idhnkf32.exe File created C:\Windows\SysWOW64\Hlhefcoo.dll Paeelgnj.exe File created C:\Windows\SysWOW64\Dohnnkjk.dll Apeknk32.exe File created C:\Windows\SysWOW64\Dokmlmhl.dll Hlcjhkdp.exe File created C:\Windows\SysWOW64\Igpdfb32.exe Ipflihfq.exe File created C:\Windows\SysWOW64\Jpfepf32.exe Jjlmclqa.exe File created C:\Windows\SysWOW64\Kgninn32.exe Kdpmbc32.exe File created C:\Windows\SysWOW64\Blghiiea.dll Eqmlccdi.exe File created C:\Windows\SysWOW64\Paoinm32.dll Fbplml32.exe File created C:\Windows\SysWOW64\Djcoai32.exe Dblgpl32.exe File opened for modification C:\Windows\SysWOW64\Dckdjomg.exe Dmalne32.exe File created C:\Windows\SysWOW64\Lfifmo32.dll Dfjpfj32.exe File opened for modification C:\Windows\SysWOW64\Ejfeng32.exe Eclmamod.exe File created C:\Windows\SysWOW64\Gfkbde32.exe Gdlfhj32.exe File created C:\Windows\SysWOW64\Eegiklal.dll Mebcop32.exe File opened for modification C:\Windows\SysWOW64\Bakgoh32.exe Bnmoijje.exe File opened for modification C:\Windows\SysWOW64\Dncpkjoc.exe Dalofi32.exe File created C:\Windows\SysWOW64\Kcpahpmd.exe Kmfhkf32.exe File created C:\Windows\SysWOW64\Eoaedogc.dll Phfjcf32.exe File created C:\Windows\SysWOW64\Ilnbicff.exe Igajal32.exe File opened for modification C:\Windows\SysWOW64\Abhqefpg.exe Apjdikqd.exe File opened for modification C:\Windows\SysWOW64\Kdigadjo.exe Knooej32.exe File created C:\Windows\SysWOW64\Chnidloo.dll Bdickcpo.exe File created C:\Windows\SysWOW64\Fbdehlip.exe Fkjmlaac.exe File opened for modification C:\Windows\SysWOW64\Ibcjqgnm.exe Ieojgc32.exe File opened for modification C:\Windows\SysWOW64\Nmfmde32.exe Noblkqca.exe File opened for modification C:\Windows\SysWOW64\Dcffnbee.exe Dmjmekgn.exe File created C:\Windows\SysWOW64\Acajpc32.dll Dmjmekgn.exe File created C:\Windows\SysWOW64\Oeehkn32.exe Nnkpnclp.exe File created C:\Windows\SysWOW64\Ohlqcagj.exe Opclldhj.exe File opened for modification C:\Windows\SysWOW64\Phajna32.exe Pagbaglh.exe File created C:\Windows\SysWOW64\Goniok32.dll Ihbponja.exe File opened for modification C:\Windows\SysWOW64\Mfnhfm32.exe Mfkkqmiq.exe File created C:\Windows\SysWOW64\Eclmamod.exe Eleepoob.exe File created C:\Windows\SysWOW64\Gmggfp32.exe Gfmojenc.exe File created C:\Windows\SysWOW64\Mmkkmc32.exe Mepfiq32.exe File created C:\Windows\SysWOW64\Lobjni32.exe Ljeafb32.exe File opened for modification C:\Windows\SysWOW64\Jqhafffk.exe Jjoiil32.exe File created C:\Windows\SysWOW64\Ndqojdee.dll Nggnadib.exe File created C:\Windows\SysWOW64\Cmgqpkip.exe Cgmhcaac.exe File opened for modification C:\Windows\SysWOW64\Neclenfo.exe Nmlddqem.exe File opened for modification C:\Windows\SysWOW64\Cigkdmel.exe Cgiohbfi.exe -
Program crash 1 IoCs
Processes:
WerFault.exepid pid_target process target process 2840 3204 WerFault.exe Gddgpqbe.exe -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
Gaqhjggp.exeDkbgjo32.exeEbhglj32.exeFlqdlnde.exeJlgepanl.exeDcffnbee.exeHdmoohbo.exePajeam32.exeCfipef32.exeBhhiemoj.exePfhmjf32.exeFbgihaji.exePdjgha32.exeOpclldhj.exeFmfgek32.exeFbelcblk.exeMoipoh32.exeEkgqennl.exeEahobg32.exeGbfldf32.exeKmfhkf32.exePhajna32.exeQclmck32.exeMeepdp32.exeOeehkn32.exeBlgifbil.exeNnhmnn32.exeEbfign32.exeDflmlj32.exeQmhlgmmm.exeCkclhn32.exeDijbno32.exeHoobdp32.exeIpoopgnf.exeQeodhjmo.exeNpbceggm.exeMepfiq32.exeNnbnhedj.exeLopmii32.exeFkjmlaac.exeCbkfbcpb.exeFdkdibjp.exeBjbfklei.exeGdobnj32.exeFbplml32.exeAdgmoigj.exeBbfmgd32.exeDncpkjoc.exeFibhpbea.exeKgninn32.exeIbaeen32.exeHlcjhkdp.exeAkepfpcl.exeIeojgc32.exeDmjmekgn.exeAahbbkaq.exeQmgelf32.exePnkbkk32.exeNmlddqem.exeOeokal32.exeHpcodihc.exeFeqeog32.exeCjnffjkl.exePldcjeia.exedescription ioc process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gaqhjggp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dkbgjo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ebhglj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Flqdlnde.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jlgepanl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dcffnbee.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hdmoohbo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pajeam32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cfipef32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bhhiemoj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pfhmjf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fbgihaji.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pdjgha32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Opclldhj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fmfgek32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fbelcblk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Moipoh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ekgqennl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eahobg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gbfldf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kmfhkf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Phajna32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qclmck32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Meepdp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oeehkn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Blgifbil.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nnhmnn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ebfign32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dflmlj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qmhlgmmm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ckclhn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dijbno32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hoobdp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ipoopgnf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qeodhjmo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Npbceggm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mepfiq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nnbnhedj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lopmii32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fkjmlaac.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cbkfbcpb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fdkdibjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bjbfklei.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gdobnj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fbplml32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Adgmoigj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bbfmgd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dncpkjoc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fibhpbea.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kgninn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ibaeen32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hlcjhkdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Akepfpcl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ieojgc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dmjmekgn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aahbbkaq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qmgelf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pnkbkk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nmlddqem.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oeokal32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hpcodihc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Feqeog32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cjnffjkl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pldcjeia.exe -
Modifies registry class 64 IoCs
Processes:
Dgpeha32.exeadfd91c8248d10542dbd6d036ea2b2984e1ee7550bab2be40d6f0867eda8f4b0.exeAlqjpi32.exeDcnqpo32.exeIjegcm32.exeBadanigc.exeDjjebh32.exeKcejco32.exeIebngial.exeDdnobj32.exeGaloohke.exePimfpc32.exeEkgqennl.exeHplicjok.exeNnfgcd32.exeAdhdjpjf.exeJoekag32.exeLfbped32.exeDolmodpi.exeMogcihaj.exeFjocbhbo.exeDlkbjqgm.exeElpkep32.exeGfkbde32.exeAlpbecod.exeCkclhn32.exeEbgpad32.exeFbpchb32.exeJoahqn32.exeCjnffjkl.exeDmalne32.exeMgehfkop.exeOmgcpokp.exeBakgoh32.exePnplfj32.exeGeanfelc.exeApjdikqd.exeKgipcogp.exeKjhloj32.exeNccokk32.exeFbplml32.exeAimogakj.exeJcgnbaeo.exeGpnfge32.exeIefgbh32.exeKgdpni32.exeFdglmkeg.exeMjkblhfo.exeCggimh32.exeDnljkk32.exeQobhkjdi.exeQpeahb32.exeGpmomo32.exeDlieda32.exeHdjbiheb.exeIloidijb.exeLmmolepp.exeHpqldc32.exeOqhoeb32.exeBinhnomg.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dgpeha32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node adfd91c8248d10542dbd6d036ea2b2984e1ee7550bab2be40d6f0867eda8f4b0.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Apedgj32.dll" Alqjpi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dcnqpo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ijegcm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Badanigc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Djjebh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kcejco32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Iebngial.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ddnobj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lipgdi32.dll" Galoohke.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fknofqcc.dll" Pimfpc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ekgqennl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hplicjok.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Empmffib.dll" Ijegcm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nnfgcd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lielhgaa.dll" Adhdjpjf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Joekag32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Badanigc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lfbped32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cinclj32.dll" Dolmodpi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mogcihaj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fjocbhbo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dlkbjqgm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Elpkep32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gfkbde32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Alpbecod.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ckclhn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ebgpad32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fbpchb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Joahqn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cjnffjkl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dmalne32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mgehfkop.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Omgcpokp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bakgoh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pnplfj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ajiqfi32.dll" Geanfelc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Icifhjkc.dll" Apjdikqd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qlejfm32.dll" Dcnqpo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kgipcogp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hmokmkpo.dll" Kjhloj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nccokk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Paoinm32.dll" Fbplml32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iblbgn32.dll" Aimogakj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jcgnbaeo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oodlnfco.dll" Nccokk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pfnmog32.dll" Gpnfge32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Iefgbh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kgdpni32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fdglmkeg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mjkblhfo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cggimh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Abocgb32.dll" Dnljkk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qobhkjdi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qpeahb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fmbdpnaj.dll" Gpmomo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dlieda32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnbokg32.dll" Hdjbiheb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Abakhdbk.dll" Iloidijb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lmmolepp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pccopc32.dll" Hpqldc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Oqhoeb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Binhnomg.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
adfd91c8248d10542dbd6d036ea2b2984e1ee7550bab2be40d6f0867eda8f4b0.exeAjpqnneo.exeAfgacokc.exeAlqjpi32.exeBhoqeibl.exeBjbfklei.exeCihclh32.exeCijpahho.exeCbeapmll.exeCjliajmo.exeCjnffjkl.exeCkpbnb32.exeCcgjopal.exeDjqblj32.exeDmoohe32.exeDpnkdq32.exeDblgpl32.exeDjcoai32.exeDmalne32.exeDckdjomg.exeDfjpfj32.exeDihlbf32.exedescription pid process target process PID 904 wrote to memory of 3896 904 adfd91c8248d10542dbd6d036ea2b2984e1ee7550bab2be40d6f0867eda8f4b0.exe Ajpqnneo.exe PID 904 wrote to memory of 3896 904 adfd91c8248d10542dbd6d036ea2b2984e1ee7550bab2be40d6f0867eda8f4b0.exe Ajpqnneo.exe PID 904 wrote to memory of 3896 904 adfd91c8248d10542dbd6d036ea2b2984e1ee7550bab2be40d6f0867eda8f4b0.exe Ajpqnneo.exe PID 3896 wrote to memory of 2856 3896 Ajpqnneo.exe Afgacokc.exe PID 3896 wrote to memory of 2856 3896 Ajpqnneo.exe Afgacokc.exe PID 3896 wrote to memory of 2856 3896 Ajpqnneo.exe Afgacokc.exe PID 2856 wrote to memory of 4404 2856 Afgacokc.exe Alqjpi32.exe PID 2856 wrote to memory of 4404 2856 Afgacokc.exe Alqjpi32.exe PID 2856 wrote to memory of 4404 2856 Afgacokc.exe Alqjpi32.exe PID 4404 wrote to memory of 1836 4404 Alqjpi32.exe Bhoqeibl.exe PID 4404 wrote to memory of 1836 4404 Alqjpi32.exe Bhoqeibl.exe PID 4404 wrote to memory of 1836 4404 Alqjpi32.exe Bhoqeibl.exe PID 1836 wrote to memory of 232 1836 Bhoqeibl.exe Bjbfklei.exe PID 1836 wrote to memory of 232 1836 Bhoqeibl.exe Bjbfklei.exe PID 1836 wrote to memory of 232 1836 Bhoqeibl.exe Bjbfklei.exe PID 232 wrote to memory of 2980 232 Bjbfklei.exe Cihclh32.exe PID 232 wrote to memory of 2980 232 Bjbfklei.exe Cihclh32.exe PID 232 wrote to memory of 2980 232 Bjbfklei.exe Cihclh32.exe PID 2980 wrote to memory of 3936 2980 Cihclh32.exe Cijpahho.exe PID 2980 wrote to memory of 3936 2980 Cihclh32.exe Cijpahho.exe PID 2980 wrote to memory of 3936 2980 Cihclh32.exe Cijpahho.exe PID 3936 wrote to memory of 1004 3936 Cijpahho.exe Cbeapmll.exe PID 3936 wrote to memory of 1004 3936 Cijpahho.exe Cbeapmll.exe PID 3936 wrote to memory of 1004 3936 Cijpahho.exe Cbeapmll.exe PID 1004 wrote to memory of 348 1004 Cbeapmll.exe Cjliajmo.exe PID 1004 wrote to memory of 348 1004 Cbeapmll.exe Cjliajmo.exe PID 1004 wrote to memory of 348 1004 Cbeapmll.exe Cjliajmo.exe PID 348 wrote to memory of 4968 348 Cjliajmo.exe Cjnffjkl.exe PID 348 wrote to memory of 4968 348 Cjliajmo.exe Cjnffjkl.exe PID 348 wrote to memory of 4968 348 Cjliajmo.exe Cjnffjkl.exe PID 4968 wrote to memory of 2352 4968 Cjnffjkl.exe Ckpbnb32.exe PID 4968 wrote to memory of 2352 4968 Cjnffjkl.exe Ckpbnb32.exe PID 4968 wrote to memory of 2352 4968 Cjnffjkl.exe Ckpbnb32.exe PID 2352 wrote to memory of 1656 2352 Ckpbnb32.exe Ccgjopal.exe PID 2352 wrote to memory of 1656 2352 Ckpbnb32.exe Ccgjopal.exe PID 2352 wrote to memory of 1656 2352 Ckpbnb32.exe Ccgjopal.exe PID 1656 wrote to memory of 4572 1656 Ccgjopal.exe Djqblj32.exe PID 1656 wrote to memory of 4572 1656 Ccgjopal.exe Djqblj32.exe PID 1656 wrote to memory of 4572 1656 Ccgjopal.exe Djqblj32.exe PID 4572 wrote to memory of 1140 4572 Djqblj32.exe Dmoohe32.exe PID 4572 wrote to memory of 1140 4572 Djqblj32.exe Dmoohe32.exe PID 4572 wrote to memory of 1140 4572 Djqblj32.exe Dmoohe32.exe PID 1140 wrote to memory of 2944 1140 Dmoohe32.exe Dpnkdq32.exe PID 1140 wrote to memory of 2944 1140 Dmoohe32.exe Dpnkdq32.exe PID 1140 wrote to memory of 2944 1140 Dmoohe32.exe Dpnkdq32.exe PID 2944 wrote to memory of 4548 2944 Dpnkdq32.exe Dblgpl32.exe PID 2944 wrote to memory of 4548 2944 Dpnkdq32.exe Dblgpl32.exe PID 2944 wrote to memory of 4548 2944 Dpnkdq32.exe Dblgpl32.exe PID 4548 wrote to memory of 1672 4548 Dblgpl32.exe Djcoai32.exe PID 4548 wrote to memory of 1672 4548 Dblgpl32.exe Djcoai32.exe PID 4548 wrote to memory of 1672 4548 Dblgpl32.exe Djcoai32.exe PID 1672 wrote to memory of 2016 1672 Djcoai32.exe Dmalne32.exe PID 1672 wrote to memory of 2016 1672 Djcoai32.exe Dmalne32.exe PID 1672 wrote to memory of 2016 1672 Djcoai32.exe Dmalne32.exe PID 2016 wrote to memory of 1696 2016 Dmalne32.exe Dckdjomg.exe PID 2016 wrote to memory of 1696 2016 Dmalne32.exe Dckdjomg.exe PID 2016 wrote to memory of 1696 2016 Dmalne32.exe Dckdjomg.exe PID 1696 wrote to memory of 932 1696 Dckdjomg.exe Dfjpfj32.exe PID 1696 wrote to memory of 932 1696 Dckdjomg.exe Dfjpfj32.exe PID 1696 wrote to memory of 932 1696 Dckdjomg.exe Dfjpfj32.exe PID 932 wrote to memory of 3044 932 Dfjpfj32.exe Dihlbf32.exe PID 932 wrote to memory of 3044 932 Dfjpfj32.exe Dihlbf32.exe PID 932 wrote to memory of 3044 932 Dfjpfj32.exe Dihlbf32.exe PID 3044 wrote to memory of 2788 3044 Dihlbf32.exe Dlghoa32.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\adfd91c8248d10542dbd6d036ea2b2984e1ee7550bab2be40d6f0867eda8f4b0.exe"C:\Users\Admin\AppData\Local\Temp\adfd91c8248d10542dbd6d036ea2b2984e1ee7550bab2be40d6f0867eda8f4b0.exe"1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:904 -
C:\Windows\SysWOW64\Ajpqnneo.exeC:\Windows\system32\Ajpqnneo.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3896 -
C:\Windows\SysWOW64\Afgacokc.exeC:\Windows\system32\Afgacokc.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2856 -
C:\Windows\SysWOW64\Alqjpi32.exeC:\Windows\system32\Alqjpi32.exe4⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4404 -
C:\Windows\SysWOW64\Bhoqeibl.exeC:\Windows\system32\Bhoqeibl.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1836 -
C:\Windows\SysWOW64\Bjbfklei.exeC:\Windows\system32\Bjbfklei.exe6⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:232 -
C:\Windows\SysWOW64\Cihclh32.exeC:\Windows\system32\Cihclh32.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2980 -
C:\Windows\SysWOW64\Cijpahho.exeC:\Windows\system32\Cijpahho.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3936 -
C:\Windows\SysWOW64\Cbeapmll.exeC:\Windows\system32\Cbeapmll.exe9⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1004 -
C:\Windows\SysWOW64\Cjliajmo.exeC:\Windows\system32\Cjliajmo.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:348 -
C:\Windows\SysWOW64\Cjnffjkl.exeC:\Windows\system32\Cjnffjkl.exe11⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4968 -
C:\Windows\SysWOW64\Ckpbnb32.exeC:\Windows\system32\Ckpbnb32.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2352 -
C:\Windows\SysWOW64\Ccgjopal.exeC:\Windows\system32\Ccgjopal.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1656 -
C:\Windows\SysWOW64\Djqblj32.exeC:\Windows\system32\Djqblj32.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4572 -
C:\Windows\SysWOW64\Dmoohe32.exeC:\Windows\system32\Dmoohe32.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1140 -
C:\Windows\SysWOW64\Dpnkdq32.exeC:\Windows\system32\Dpnkdq32.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2944 -
C:\Windows\SysWOW64\Dblgpl32.exeC:\Windows\system32\Dblgpl32.exe17⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4548 -
C:\Windows\SysWOW64\Djcoai32.exeC:\Windows\system32\Djcoai32.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1672 -
C:\Windows\SysWOW64\Dmalne32.exeC:\Windows\system32\Dmalne32.exe19⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2016 -
C:\Windows\SysWOW64\Dckdjomg.exeC:\Windows\system32\Dckdjomg.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1696 -
C:\Windows\SysWOW64\Dfjpfj32.exeC:\Windows\system32\Dfjpfj32.exe21⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:932 -
C:\Windows\SysWOW64\Dihlbf32.exeC:\Windows\system32\Dihlbf32.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3044 -
C:\Windows\SysWOW64\Dlghoa32.exeC:\Windows\system32\Dlghoa32.exe23⤵
- Executes dropped EXE
PID:2788 -
C:\Windows\SysWOW64\Dcnqpo32.exeC:\Windows\system32\Dcnqpo32.exe24⤵
- Executes dropped EXE
- Modifies registry class
PID:1388 -
C:\Windows\SysWOW64\Dflmlj32.exeC:\Windows\system32\Dflmlj32.exe25⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3120 -
C:\Windows\SysWOW64\Dikihe32.exeC:\Windows\system32\Dikihe32.exe26⤵
- Executes dropped EXE
PID:4040 -
C:\Windows\SysWOW64\Dlieda32.exeC:\Windows\system32\Dlieda32.exe27⤵
- Executes dropped EXE
- Modifies registry class
PID:3396 -
C:\Windows\SysWOW64\Dcpmen32.exeC:\Windows\system32\Dcpmen32.exe28⤵
- Executes dropped EXE
PID:4028 -
C:\Windows\SysWOW64\Djjebh32.exeC:\Windows\system32\Djjebh32.exe29⤵
- Executes dropped EXE
- Modifies registry class
PID:1312 -
C:\Windows\SysWOW64\Dlkbjqgm.exeC:\Windows\system32\Dlkbjqgm.exe30⤵
- Executes dropped EXE
- Modifies registry class
PID:3892 -
C:\Windows\SysWOW64\Ejlbhh32.exeC:\Windows\system32\Ejlbhh32.exe31⤵
- Executes dropped EXE
PID:2592 -
C:\Windows\SysWOW64\Elnoopdj.exeC:\Windows\system32\Elnoopdj.exe32⤵
- Executes dropped EXE
PID:2524 -
C:\Windows\SysWOW64\Ebhglj32.exeC:\Windows\system32\Ebhglj32.exe33⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4328 -
C:\Windows\SysWOW64\Ejoomhmi.exeC:\Windows\system32\Ejoomhmi.exe34⤵
- Executes dropped EXE
PID:3940 -
C:\Windows\SysWOW64\Elpkep32.exeC:\Windows\system32\Elpkep32.exe35⤵
- Executes dropped EXE
- Modifies registry class
PID:2372 -
C:\Windows\SysWOW64\Ebjcajjd.exeC:\Windows\system32\Ebjcajjd.exe36⤵
- Executes dropped EXE
PID:3644 -
C:\Windows\SysWOW64\Ejalcgkg.exeC:\Windows\system32\Ejalcgkg.exe37⤵
- Executes dropped EXE
PID:3488 -
C:\Windows\SysWOW64\Elbhjp32.exeC:\Windows\system32\Elbhjp32.exe38⤵
- Executes dropped EXE
PID:2928 -
C:\Windows\SysWOW64\Eciplm32.exeC:\Windows\system32\Eciplm32.exe39⤵
- Executes dropped EXE
PID:1328 -
C:\Windows\SysWOW64\Ejchhgid.exeC:\Windows\system32\Ejchhgid.exe40⤵
- Executes dropped EXE
PID:3468 -
C:\Windows\SysWOW64\Eleepoob.exeC:\Windows\system32\Eleepoob.exe41⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:860 -
C:\Windows\SysWOW64\Eclmamod.exeC:\Windows\system32\Eclmamod.exe42⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4888 -
C:\Windows\SysWOW64\Ejfeng32.exeC:\Windows\system32\Ejfeng32.exe43⤵
- Executes dropped EXE
PID:372 -
C:\Windows\SysWOW64\Elgaeolp.exeC:\Windows\system32\Elgaeolp.exe44⤵
- Executes dropped EXE
PID:728 -
C:\Windows\SysWOW64\Fbajbi32.exeC:\Windows\system32\Fbajbi32.exe45⤵
- Executes dropped EXE
PID:5052 -
C:\Windows\SysWOW64\Fjhacf32.exeC:\Windows\system32\Fjhacf32.exe46⤵
- Executes dropped EXE
PID:1676 -
C:\Windows\SysWOW64\Flinkojm.exeC:\Windows\system32\Flinkojm.exe47⤵
- Executes dropped EXE
PID:4984 -
C:\Windows\SysWOW64\Fdqfll32.exeC:\Windows\system32\Fdqfll32.exe48⤵
- Executes dropped EXE
PID:4132 -
C:\Windows\SysWOW64\Fjjnifbl.exeC:\Windows\system32\Fjjnifbl.exe49⤵
- Executes dropped EXE
PID:1744 -
C:\Windows\SysWOW64\Fllkqn32.exeC:\Windows\system32\Fllkqn32.exe50⤵
- Executes dropped EXE
PID:2448 -
C:\Windows\SysWOW64\Fdccbl32.exeC:\Windows\system32\Fdccbl32.exe51⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1968 -
C:\Windows\SysWOW64\Ffaong32.exeC:\Windows\system32\Ffaong32.exe52⤵
- Executes dropped EXE
PID:5024 -
C:\Windows\SysWOW64\Fmkgkapm.exeC:\Windows\system32\Fmkgkapm.exe53⤵
- Executes dropped EXE
PID:1868 -
C:\Windows\SysWOW64\Fpjcgm32.exeC:\Windows\system32\Fpjcgm32.exe54⤵
- Executes dropped EXE
PID:3868 -
C:\Windows\SysWOW64\Fbhpch32.exeC:\Windows\system32\Fbhpch32.exe55⤵
- Executes dropped EXE
PID:4212 -
C:\Windows\SysWOW64\Fibhpbea.exeC:\Windows\system32\Fibhpbea.exe56⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1624 -
C:\Windows\SysWOW64\Flqdlnde.exeC:\Windows\system32\Flqdlnde.exe57⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:796 -
C:\Windows\SysWOW64\Fdglmkeg.exeC:\Windows\system32\Fdglmkeg.exe58⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:4912 -
C:\Windows\SysWOW64\Fffhifdk.exeC:\Windows\system32\Fffhifdk.exe59⤵
- Executes dropped EXE
PID:3008 -
C:\Windows\SysWOW64\Fmpqfq32.exeC:\Windows\system32\Fmpqfq32.exe60⤵
- Executes dropped EXE
PID:4464 -
C:\Windows\SysWOW64\Gpnmbl32.exeC:\Windows\system32\Gpnmbl32.exe61⤵
- Executes dropped EXE
PID:4168 -
C:\Windows\SysWOW64\Gfheof32.exeC:\Windows\system32\Gfheof32.exe62⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1600 -
C:\Windows\SysWOW64\Gmbmkpie.exeC:\Windows\system32\Gmbmkpie.exe63⤵
- Executes dropped EXE
PID:4508 -
C:\Windows\SysWOW64\Gdlfhj32.exeC:\Windows\system32\Gdlfhj32.exe64⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3388 -
C:\Windows\SysWOW64\Gfkbde32.exeC:\Windows\system32\Gfkbde32.exe65⤵
- Executes dropped EXE
- Modifies registry class
PID:2556 -
C:\Windows\SysWOW64\Gmdjapgb.exeC:\Windows\system32\Gmdjapgb.exe66⤵PID:3668
-
C:\Windows\SysWOW64\Gdobnj32.exeC:\Windows\system32\Gdobnj32.exe67⤵
- System Location Discovery: System Language Discovery
PID:548 -
C:\Windows\SysWOW64\Gfmojenc.exeC:\Windows\system32\Gfmojenc.exe68⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:3168 -
C:\Windows\SysWOW64\Gmggfp32.exeC:\Windows\system32\Gmggfp32.exe69⤵PID:5136
-
C:\Windows\SysWOW64\Gpecbk32.exeC:\Windows\system32\Gpecbk32.exe70⤵PID:5176
-
C:\Windows\SysWOW64\Gbdoof32.exeC:\Windows\system32\Gbdoof32.exe71⤵PID:5216
-
C:\Windows\SysWOW64\Gkkgpc32.exeC:\Windows\system32\Gkkgpc32.exe72⤵PID:5256
-
C:\Windows\SysWOW64\Glldgljg.exeC:\Windows\system32\Glldgljg.exe73⤵PID:5296
-
C:\Windows\SysWOW64\Gbfldf32.exeC:\Windows\system32\Gbfldf32.exe74⤵
- System Location Discovery: System Language Discovery
PID:5336 -
C:\Windows\SysWOW64\Gkmdecbg.exeC:\Windows\system32\Gkmdecbg.exe75⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5376 -
C:\Windows\SysWOW64\Hmlpaoaj.exeC:\Windows\system32\Hmlpaoaj.exe76⤵PID:5416
-
C:\Windows\SysWOW64\Hdehni32.exeC:\Windows\system32\Hdehni32.exe77⤵
- Drops file in System32 directory
PID:5456 -
C:\Windows\SysWOW64\Hgdejd32.exeC:\Windows\system32\Hgdejd32.exe78⤵PID:5496
-
C:\Windows\SysWOW64\Hibafp32.exeC:\Windows\system32\Hibafp32.exe79⤵PID:5536
-
C:\Windows\SysWOW64\Hplicjok.exeC:\Windows\system32\Hplicjok.exe80⤵
- Modifies registry class
PID:5576 -
C:\Windows\SysWOW64\Hckeoeno.exeC:\Windows\system32\Hckeoeno.exe81⤵PID:5616
-
C:\Windows\SysWOW64\Hkbmqb32.exeC:\Windows\system32\Hkbmqb32.exe82⤵PID:5660
-
C:\Windows\SysWOW64\Hlcjhkdp.exeC:\Windows\system32\Hlcjhkdp.exe83⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:5700 -
C:\Windows\SysWOW64\Hdjbiheb.exeC:\Windows\system32\Hdjbiheb.exe84⤵
- Modifies registry class
PID:5744 -
C:\Windows\SysWOW64\Hkdjfb32.exeC:\Windows\system32\Hkdjfb32.exe85⤵PID:5784
-
C:\Windows\SysWOW64\Hmbfbn32.exeC:\Windows\system32\Hmbfbn32.exe86⤵PID:5828
-
C:\Windows\SysWOW64\Hdmoohbo.exeC:\Windows\system32\Hdmoohbo.exe87⤵
- System Location Discovery: System Language Discovery
PID:5872 -
C:\Windows\SysWOW64\Hgkkkcbc.exeC:\Windows\system32\Hgkkkcbc.exe88⤵PID:5916
-
C:\Windows\SysWOW64\Hmechmip.exeC:\Windows\system32\Hmechmip.exe89⤵PID:5960
-
C:\Windows\SysWOW64\Hpcodihc.exeC:\Windows\system32\Hpcodihc.exe90⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:6004 -
C:\Windows\SysWOW64\Hgmgqc32.exeC:\Windows\system32\Hgmgqc32.exe91⤵PID:6044
-
C:\Windows\SysWOW64\Ingpmmgm.exeC:\Windows\system32\Ingpmmgm.exe92⤵PID:6084
-
C:\Windows\SysWOW64\Ipflihfq.exeC:\Windows\system32\Ipflihfq.exe93⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:6124 -
C:\Windows\SysWOW64\Igpdfb32.exeC:\Windows\system32\Igpdfb32.exe94⤵PID:1028
-
C:\Windows\SysWOW64\Iinqbn32.exeC:\Windows\system32\Iinqbn32.exe95⤵PID:2416
-
C:\Windows\SysWOW64\Iphioh32.exeC:\Windows\system32\Iphioh32.exe96⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4712 -
C:\Windows\SysWOW64\Icfekc32.exeC:\Windows\system32\Icfekc32.exe97⤵PID:1120
-
C:\Windows\SysWOW64\Iknmla32.exeC:\Windows\system32\Iknmla32.exe98⤵
- Drops file in System32 directory
PID:4480 -
C:\Windows\SysWOW64\Iloidijb.exeC:\Windows\system32\Iloidijb.exe99⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:5160 -
C:\Windows\SysWOW64\Iciaqc32.exeC:\Windows\system32\Iciaqc32.exe100⤵
- Drops file in System32 directory
PID:5212 -
C:\Windows\SysWOW64\Ikpjbq32.exeC:\Windows\system32\Ikpjbq32.exe101⤵PID:5284
-
C:\Windows\SysWOW64\Innfnl32.exeC:\Windows\system32\Innfnl32.exe102⤵PID:5352
-
C:\Windows\SysWOW64\Idhnkf32.exeC:\Windows\system32\Idhnkf32.exe103⤵
- Drops file in System32 directory
PID:5412 -
C:\Windows\SysWOW64\Iggjga32.exeC:\Windows\system32\Iggjga32.exe104⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5492 -
C:\Windows\SysWOW64\Ijegcm32.exeC:\Windows\system32\Ijegcm32.exe105⤵
- Modifies registry class
PID:5564 -
C:\Windows\SysWOW64\Ipoopgnf.exeC:\Windows\system32\Ipoopgnf.exe106⤵
- System Location Discovery: System Language Discovery
PID:5636 -
C:\Windows\SysWOW64\Igigla32.exeC:\Windows\system32\Igigla32.exe107⤵PID:5688
-
C:\Windows\SysWOW64\Jjgchm32.exeC:\Windows\system32\Jjgchm32.exe108⤵PID:5772
-
C:\Windows\SysWOW64\Jpaleglc.exeC:\Windows\system32\Jpaleglc.exe109⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3456 -
C:\Windows\SysWOW64\Jgkdbacp.exeC:\Windows\system32\Jgkdbacp.exe110⤵PID:5912
-
C:\Windows\SysWOW64\Jjjpnlbd.exeC:\Windows\system32\Jjjpnlbd.exe111⤵PID:5980
-
C:\Windows\SysWOW64\Jpdhkf32.exeC:\Windows\system32\Jpdhkf32.exe112⤵PID:6032
-
C:\Windows\SysWOW64\Jcbdgb32.exeC:\Windows\system32\Jcbdgb32.exe113⤵PID:6092
-
C:\Windows\SysWOW64\Jjlmclqa.exeC:\Windows\system32\Jjlmclqa.exe114⤵
- Drops file in System32 directory
PID:4428 -
C:\Windows\SysWOW64\Jpfepf32.exeC:\Windows\system32\Jpfepf32.exe115⤵PID:4676
-
C:\Windows\SysWOW64\Jgpmmp32.exeC:\Windows\system32\Jgpmmp32.exe116⤵PID:5060
-
C:\Windows\SysWOW64\Jjoiil32.exeC:\Windows\system32\Jjoiil32.exe117⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:1080 -
C:\Windows\SysWOW64\Jqhafffk.exeC:\Windows\system32\Jqhafffk.exe118⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5192 -
C:\Windows\SysWOW64\Jcgnbaeo.exeC:\Windows\system32\Jcgnbaeo.exe119⤵
- Modifies registry class
PID:3924 -
C:\Windows\SysWOW64\Jjafok32.exeC:\Windows\system32\Jjafok32.exe120⤵PID:5364
-
C:\Windows\SysWOW64\Jqknkedi.exeC:\Windows\system32\Jqknkedi.exe121⤵PID:5184
-
C:\Windows\SysWOW64\Jcikgacl.exeC:\Windows\system32\Jcikgacl.exe122⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:684 -
C:\Windows\SysWOW64\Knooej32.exeC:\Windows\system32\Knooej32.exe123⤵
- Drops file in System32 directory
PID:5304 -
C:\Windows\SysWOW64\Kdigadjo.exeC:\Windows\system32\Kdigadjo.exe124⤵PID:5736
-
C:\Windows\SysWOW64\Kggcnoic.exeC:\Windows\system32\Kggcnoic.exe125⤵PID:5820
-
C:\Windows\SysWOW64\Knalji32.exeC:\Windows\system32\Knalji32.exe126⤵PID:5904
-
C:\Windows\SysWOW64\Kdkdgchl.exeC:\Windows\system32\Kdkdgchl.exe127⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6012 -
C:\Windows\SysWOW64\Kgipcogp.exeC:\Windows\system32\Kgipcogp.exe128⤵
- Modifies registry class
PID:6076 -
C:\Windows\SysWOW64\Kjhloj32.exeC:\Windows\system32\Kjhloj32.exe129⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:244 -
C:\Windows\SysWOW64\Kmfhkf32.exeC:\Windows\system32\Kmfhkf32.exe130⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:3304 -
C:\Windows\SysWOW64\Kcpahpmd.exeC:\Windows\system32\Kcpahpmd.exe131⤵PID:4648
-
C:\Windows\SysWOW64\Kkgiimng.exeC:\Windows\system32\Kkgiimng.exe132⤵PID:5924
-
C:\Windows\SysWOW64\Kmieae32.exeC:\Windows\system32\Kmieae32.exe133⤵PID:5972
-
C:\Windows\SysWOW64\Kdpmbc32.exeC:\Windows\system32\Kdpmbc32.exe134⤵
- Drops file in System32 directory
PID:5332 -
C:\Windows\SysWOW64\Kgninn32.exeC:\Windows\system32\Kgninn32.exe135⤵
- System Location Discovery: System Language Discovery
PID:5512 -
C:\Windows\SysWOW64\Knhakh32.exeC:\Windows\system32\Knhakh32.exe136⤵PID:5604
-
C:\Windows\SysWOW64\Kqfngd32.exeC:\Windows\system32\Kqfngd32.exe137⤵PID:5264
-
C:\Windows\SysWOW64\Kcejco32.exeC:\Windows\system32\Kcejco32.exe138⤵
- Modifies registry class
PID:5944 -
C:\Windows\SysWOW64\Ljobpiql.exeC:\Windows\system32\Ljobpiql.exe139⤵PID:6060
-
C:\Windows\SysWOW64\Lmmolepp.exeC:\Windows\system32\Lmmolepp.exe140⤵
- Modifies registry class
PID:452 -
C:\Windows\SysWOW64\Lcggio32.exeC:\Windows\system32\Lcggio32.exe141⤵PID:5884
-
C:\Windows\SysWOW64\Mcqjon32.exeC:\Windows\system32\Mcqjon32.exe142⤵PID:5152
-
C:\Windows\SysWOW64\Mjkblhfo.exeC:\Windows\system32\Mjkblhfo.exe143⤵
- Modifies registry class
PID:4852 -
C:\Windows\SysWOW64\Mepfiq32.exeC:\Windows\system32\Mepfiq32.exe144⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:5648 -
C:\Windows\SysWOW64\Mmkkmc32.exeC:\Windows\system32\Mmkkmc32.exe145⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5892 -
C:\Windows\SysWOW64\Mebcop32.exeC:\Windows\system32\Mebcop32.exe146⤵
- Drops file in System32 directory
PID:5628 -
C:\Windows\SysWOW64\Mkmkkjko.exeC:\Windows\system32\Mkmkkjko.exe147⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:540 -
C:\Windows\SysWOW64\Mmnhcb32.exeC:\Windows\system32\Mmnhcb32.exe148⤵PID:4160
-
C:\Windows\SysWOW64\Meepdp32.exeC:\Windows\system32\Meepdp32.exe149⤵
- System Location Discovery: System Language Discovery
PID:2664 -
C:\Windows\SysWOW64\Mkohaj32.exeC:\Windows\system32\Mkohaj32.exe150⤵
- Drops file in System32 directory
PID:2620 -
C:\Windows\SysWOW64\Mnmdme32.exeC:\Windows\system32\Mnmdme32.exe151⤵PID:5752
-
C:\Windows\SysWOW64\Mgehfkop.exeC:\Windows\system32\Mgehfkop.exe152⤵
- Modifies registry class
PID:4400 -
C:\Windows\SysWOW64\Nlcalieg.exeC:\Windows\system32\Nlcalieg.exe153⤵PID:5288
-
C:\Windows\SysWOW64\Nnbnhedj.exeC:\Windows\system32\Nnbnhedj.exe154⤵
- System Location Discovery: System Language Discovery
PID:6020 -
C:\Windows\SysWOW64\Napjdpcn.exeC:\Windows\system32\Napjdpcn.exe155⤵PID:5792
-
C:\Windows\SysWOW64\Ncofplba.exeC:\Windows\system32\Ncofplba.exe156⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:944 -
C:\Windows\SysWOW64\Njinmf32.exeC:\Windows\system32\Njinmf32.exe157⤵PID:2568
-
C:\Windows\SysWOW64\Nnfgcd32.exeC:\Windows\system32\Nnfgcd32.exe158⤵
- Modifies registry class
PID:4228 -
C:\Windows\SysWOW64\Naecop32.exeC:\Windows\system32\Naecop32.exe159⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:5996 -
C:\Windows\SysWOW64\Nccokk32.exeC:\Windows\system32\Nccokk32.exe160⤵
- Modifies registry class
PID:3432 -
C:\Windows\SysWOW64\Njmhhefi.exeC:\Windows\system32\Njmhhefi.exe161⤵PID:2644
-
C:\Windows\SysWOW64\Nmlddqem.exeC:\Windows\system32\Nmlddqem.exe162⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:5544 -
C:\Windows\SysWOW64\Neclenfo.exeC:\Windows\system32\Neclenfo.exe163⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2408 -
C:\Windows\SysWOW64\Nlmdbh32.exeC:\Windows\system32\Nlmdbh32.exe164⤵PID:3660
-
C:\Windows\SysWOW64\Nnkpnclp.exeC:\Windows\system32\Nnkpnclp.exe165⤵
- Drops file in System32 directory
PID:1256 -
C:\Windows\SysWOW64\Oeehkn32.exeC:\Windows\system32\Oeehkn32.exe166⤵
- System Location Discovery: System Language Discovery
PID:5004 -
C:\Windows\SysWOW64\Oloahhki.exeC:\Windows\system32\Oloahhki.exe167⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6168 -
C:\Windows\SysWOW64\Oalipoiq.exeC:\Windows\system32\Oalipoiq.exe168⤵PID:6208
-
C:\Windows\SysWOW64\Onpjichj.exeC:\Windows\system32\Onpjichj.exe169⤵PID:6260
-
C:\Windows\SysWOW64\Oejbfmpg.exeC:\Windows\system32\Oejbfmpg.exe170⤵PID:6300
-
C:\Windows\SysWOW64\Ohhnbhok.exeC:\Windows\system32\Ohhnbhok.exe171⤵PID:6344
-
C:\Windows\SysWOW64\Ojgjndno.exeC:\Windows\system32\Ojgjndno.exe172⤵PID:6384
-
C:\Windows\SysWOW64\Oaqbkn32.exeC:\Windows\system32\Oaqbkn32.exe173⤵PID:6424
-
C:\Windows\SysWOW64\Odoogi32.exeC:\Windows\system32\Odoogi32.exe174⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6464 -
C:\Windows\SysWOW64\Olfghg32.exeC:\Windows\system32\Olfghg32.exe175⤵PID:6504
-
C:\Windows\SysWOW64\Omgcpokp.exeC:\Windows\system32\Omgcpokp.exe176⤵
- Modifies registry class
PID:6536 -
C:\Windows\SysWOW64\Oeokal32.exeC:\Windows\system32\Oeokal32.exe177⤵
- System Location Discovery: System Language Discovery
PID:6584 -
C:\Windows\SysWOW64\Ohmhmh32.exeC:\Windows\system32\Ohmhmh32.exe178⤵PID:6616
-
C:\Windows\SysWOW64\Okkdic32.exeC:\Windows\system32\Okkdic32.exe179⤵PID:6660
-
C:\Windows\SysWOW64\Peahgl32.exeC:\Windows\system32\Peahgl32.exe180⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6704 -
C:\Windows\SysWOW64\Phodcg32.exeC:\Windows\system32\Phodcg32.exe181⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6744 -
C:\Windows\SysWOW64\Pahilmoc.exeC:\Windows\system32\Pahilmoc.exe182⤵PID:6788
-
C:\Windows\SysWOW64\Plmmif32.exeC:\Windows\system32\Plmmif32.exe183⤵PID:6836
-
C:\Windows\SysWOW64\Poliea32.exeC:\Windows\system32\Poliea32.exe184⤵PID:6892
-
C:\Windows\SysWOW64\Pajeam32.exeC:\Windows\system32\Pajeam32.exe185⤵
- System Location Discovery: System Language Discovery
PID:6952 -
C:\Windows\SysWOW64\Phdnngdn.exeC:\Windows\system32\Phdnngdn.exe186⤵PID:6996
-
C:\Windows\SysWOW64\Ponfka32.exeC:\Windows\system32\Ponfka32.exe187⤵PID:7036
-
C:\Windows\SysWOW64\Palbgl32.exeC:\Windows\system32\Palbgl32.exe188⤵PID:7076
-
C:\Windows\SysWOW64\Phfjcf32.exeC:\Windows\system32\Phfjcf32.exe189⤵
- Drops file in System32 directory
PID:7116 -
C:\Windows\SysWOW64\Paoollik.exeC:\Windows\system32\Paoollik.exe190⤵
- Drops file in System32 directory
PID:6200 -
C:\Windows\SysWOW64\Pldcjeia.exeC:\Windows\system32\Pldcjeia.exe191⤵
- System Location Discovery: System Language Discovery
PID:6284 -
C:\Windows\SysWOW64\Qkipkani.exeC:\Windows\system32\Qkipkani.exe192⤵PID:6352
-
C:\Windows\SysWOW64\Qmhlgmmm.exeC:\Windows\system32\Qmhlgmmm.exe193⤵
- System Location Discovery: System Language Discovery
PID:6408 -
C:\Windows\SysWOW64\Qeodhjmo.exeC:\Windows\system32\Qeodhjmo.exe194⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:6484 -
C:\Windows\SysWOW64\Qklmpalf.exeC:\Windows\system32\Qklmpalf.exe195⤵PID:6544
-
C:\Windows\SysWOW64\Aeaanjkl.exeC:\Windows\system32\Aeaanjkl.exe196⤵PID:6612
-
C:\Windows\SysWOW64\Alkijdci.exeC:\Windows\system32\Alkijdci.exe197⤵PID:6688
-
C:\Windows\SysWOW64\Aojefobm.exeC:\Windows\system32\Aojefobm.exe198⤵PID:6756
-
C:\Windows\SysWOW64\Aahbbkaq.exeC:\Windows\system32\Aahbbkaq.exe199⤵
- System Location Discovery: System Language Discovery
PID:6852 -
C:\Windows\SysWOW64\Aajohjon.exeC:\Windows\system32\Aajohjon.exe200⤵PID:6924
-
C:\Windows\SysWOW64\Adikdfna.exeC:\Windows\system32\Adikdfna.exe201⤵PID:7004
-
C:\Windows\SysWOW64\Alpbecod.exeC:\Windows\system32\Alpbecod.exe202⤵
- Modifies registry class
PID:7084 -
C:\Windows\SysWOW64\Aonoao32.exeC:\Windows\system32\Aonoao32.exe203⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6216 -
C:\Windows\SysWOW64\Aehgnied.exeC:\Windows\system32\Aehgnied.exe204⤵PID:6328
-
C:\Windows\SysWOW64\Akepfpcl.exeC:\Windows\system32\Akepfpcl.exe205⤵
- System Location Discovery: System Language Discovery
PID:6532 -
C:\Windows\SysWOW64\Aekddhcb.exeC:\Windows\system32\Aekddhcb.exe206⤵PID:6712
-
C:\Windows\SysWOW64\Ahippdbe.exeC:\Windows\system32\Ahippdbe.exe207⤵PID:6856
-
C:\Windows\SysWOW64\Bdpaeehj.exeC:\Windows\system32\Bdpaeehj.exe208⤵PID:7108
-
C:\Windows\SysWOW64\Blgifbil.exeC:\Windows\system32\Blgifbil.exe209⤵
- System Location Discovery: System Language Discovery
PID:6412 -
C:\Windows\SysWOW64\Boeebnhp.exeC:\Windows\system32\Boeebnhp.exe210⤵PID:6668
-
C:\Windows\SysWOW64\Badanigc.exeC:\Windows\system32\Badanigc.exe211⤵
- Modifies registry class
PID:6340 -
C:\Windows\SysWOW64\Bdbnjdfg.exeC:\Windows\system32\Bdbnjdfg.exe212⤵PID:7032
-
C:\Windows\SysWOW64\Bklfgo32.exeC:\Windows\system32\Bklfgo32.exe213⤵PID:6932
-
C:\Windows\SysWOW64\Bebjdgmj.exeC:\Windows\system32\Bebjdgmj.exe214⤵PID:7224
-
C:\Windows\SysWOW64\Bnmoijje.exeC:\Windows\system32\Bnmoijje.exe215⤵
- Drops file in System32 directory
PID:7272 -
C:\Windows\SysWOW64\Bakgoh32.exeC:\Windows\system32\Bakgoh32.exe216⤵
- Modifies registry class
PID:7316 -
C:\Windows\SysWOW64\Bdickcpo.exeC:\Windows\system32\Bdickcpo.exe217⤵
- Drops file in System32 directory
PID:7356 -
C:\Windows\SysWOW64\Ckclhn32.exeC:\Windows\system32\Ckclhn32.exe218⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:7396 -
C:\Windows\SysWOW64\Cfipef32.exeC:\Windows\system32\Cfipef32.exe219⤵
- System Location Discovery: System Language Discovery
PID:7440 -
C:\Windows\SysWOW64\Cndeii32.exeC:\Windows\system32\Cndeii32.exe220⤵PID:7480
-
C:\Windows\SysWOW64\Chiigadc.exeC:\Windows\system32\Chiigadc.exe221⤵PID:7524
-
C:\Windows\SysWOW64\Cnfaohbj.exeC:\Windows\system32\Cnfaohbj.exe222⤵PID:7572
-
C:\Windows\SysWOW64\Ckjbhmad.exeC:\Windows\system32\Ckjbhmad.exe223⤵PID:7616
-
C:\Windows\SysWOW64\Cbdjeg32.exeC:\Windows\system32\Cbdjeg32.exe224⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:7668 -
C:\Windows\SysWOW64\Cljobphg.exeC:\Windows\system32\Cljobphg.exe225⤵PID:7712
-
C:\Windows\SysWOW64\Cbfgkffn.exeC:\Windows\system32\Cbfgkffn.exe226⤵
- Drops file in System32 directory
PID:7760 -
C:\Windows\SysWOW64\Dmlkhofd.exeC:\Windows\system32\Dmlkhofd.exe227⤵PID:7812
-
C:\Windows\SysWOW64\Domdjj32.exeC:\Windows\system32\Domdjj32.exe228⤵PID:7876
-
C:\Windows\SysWOW64\Dfiildio.exeC:\Windows\system32\Dfiildio.exe229⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:7936 -
C:\Windows\SysWOW64\Dkfadkgf.exeC:\Windows\system32\Dkfadkgf.exe230⤵PID:7988
-
C:\Windows\SysWOW64\Dbpjaeoc.exeC:\Windows\system32\Dbpjaeoc.exe231⤵PID:8036
-
C:\Windows\SysWOW64\Dijbno32.exeC:\Windows\system32\Dijbno32.exe232⤵
- System Location Discovery: System Language Discovery
PID:8084 -
C:\Windows\SysWOW64\Eiloco32.exeC:\Windows\system32\Eiloco32.exe233⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:8136 -
C:\Windows\SysWOW64\Ekmhejao.exeC:\Windows\system32\Ekmhejao.exe234⤵
- Drops file in System32 directory
PID:5044 -
C:\Windows\SysWOW64\Ebgpad32.exeC:\Windows\system32\Ebgpad32.exe235⤵
- Modifies registry class
PID:6204 -
C:\Windows\SysWOW64\Emmdom32.exeC:\Windows\system32\Emmdom32.exe236⤵PID:7300
-
C:\Windows\SysWOW64\Ebimgcfi.exeC:\Windows\system32\Ebimgcfi.exe237⤵PID:7392
-
C:\Windows\SysWOW64\Ekaapi32.exeC:\Windows\system32\Ekaapi32.exe238⤵PID:7452
-
C:\Windows\SysWOW64\Enbjad32.exeC:\Windows\system32\Enbjad32.exe239⤵PID:7520
-
C:\Windows\SysWOW64\Fbpchb32.exeC:\Windows\system32\Fbpchb32.exe240⤵
- Modifies registry class
PID:7600 -
C:\Windows\SysWOW64\Fmfgek32.exeC:\Windows\system32\Fmfgek32.exe241⤵
- System Location Discovery: System Language Discovery
PID:7664 -
C:\Windows\SysWOW64\Fealin32.exeC:\Windows\system32\Fealin32.exe242⤵PID:7732