Analysis
-
max time kernel
93s -
max time network
141s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
10-11-2024 01:19
Static task
static1
Behavioral task
behavioral1
Sample
a592707529dc80e92b0312a57e884019a3ff66867d56344d944037915d21fff2.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
a592707529dc80e92b0312a57e884019a3ff66867d56344d944037915d21fff2.exe
Resource
win10v2004-20241007-en
General
-
Target
a592707529dc80e92b0312a57e884019a3ff66867d56344d944037915d21fff2.exe
-
Size
923KB
-
MD5
d8bfebcc72c62b0fd014f1aa8ae507e1
-
SHA1
79cfe3d3f5e43b39be4b4fd56ac92fb86076be94
-
SHA256
a592707529dc80e92b0312a57e884019a3ff66867d56344d944037915d21fff2
-
SHA512
b87f03cdc46c2cd52b2c41f9c2f63c9916e7f2762df0dee6c5c724fc0984ad6d498b860d3f6b4d915ef0898d673f610815772f7da2b7c1b1d3cfc5fbf98aab37
-
SSDEEP
12288:3RHgAByvNv54B9f01ZmHByvNv5VwLonfBHLqF1Nw5ILonfByvNv5HO:lgvr4B9f01ZmQvrUENOVvru
Malware Config
Extracted
berbew
http://viruslist.com/wcmd.txt
http://viruslist.com/ppslog.php
http://viruslist.com/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
Processes:
Hffken32.exeAhofoogd.exeBoipmj32.exeNhbfff32.exePabblb32.exeAlcfei32.exeCbbdjm32.exeAdkqoohc.exeIeliebnf.exeNemcjk32.exeOiihahme.exeCkebcg32.exeMhgfkg32.exeHdpbon32.exeBcfahbpo.exeGfokoelp.exeHgkkkcbc.exeOdalmibl.exeOfhknodl.exeIghhln32.exeFkihnmhj.exeAkamff32.exeFelbnn32.exeIpoheakj.exeLgpoihnl.exeAfelhf32.exePcpikkge.exeKkmioc32.exeFjadje32.exeIloidijb.exeIeidhh32.exeCpfcfmlp.exeOhnebd32.exeJgdhgmep.exeKpiljh32.exeDiccgfpd.exeHekgfj32.exea592707529dc80e92b0312a57e884019a3ff66867d56344d944037915d21fff2.exeKaehljpj.exeBmeandma.exeBgpgng32.exeEjfeng32.exeQoifflkg.exeOpcqnb32.exeIbaeen32.exePagbaglh.exeLlbidimc.exeKelalp32.exeNpjnhc32.exeLkabjbih.exePakllc32.exeAfkknogn.exeCcbadp32.exeCfnjpfcl.exeJfbkpd32.exeKcbfcigf.exeJniood32.exeOocddono.exeAcgolj32.exeIqmidndd.exeFmkgkapm.exeDddllkbf.exeNiniei32.exeNpgabc32.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Hffken32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ahofoogd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Boipmj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nhbfff32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Pabblb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Alcfei32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cbbdjm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Adkqoohc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ieliebnf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Nemcjk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Oiihahme.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ckebcg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mhgfkg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hdpbon32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Bcfahbpo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gfokoelp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Hgkkkcbc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Odalmibl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ofhknodl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ighhln32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fkihnmhj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Akamff32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Felbnn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ipoheakj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Lgpoihnl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Afelhf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Pcpikkge.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Kkmioc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fjadje32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Iloidijb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ieidhh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Cpfcfmlp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ohnebd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jgdhgmep.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Kpiljh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Diccgfpd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hekgfj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" a592707529dc80e92b0312a57e884019a3ff66867d56344d944037915d21fff2.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kaehljpj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Bmeandma.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Bgpgng32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ejfeng32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qoifflkg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Opcqnb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ibaeen32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pagbaglh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Llbidimc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Kelalp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Npjnhc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lkabjbih.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Pakllc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Afkknogn.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ccbadp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Cfnjpfcl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jfbkpd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Kcbfcigf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jniood32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oocddono.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Acgolj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Iqmidndd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Fmkgkapm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Dddllkbf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Niniei32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Npgabc32.exe -
Berbew family
-
Executes dropped EXE 64 IoCs
Processes:
Hkjafn32.exeHbdjchgn.exeHdbfodfa.exeIghhln32.exeInbqhhfj.exeIeliebnf.exeIoambknl.exeIbpiogmp.exeIenekbld.exeJkhngl32.exeJodjhkkj.exeJbbfdfkn.exeJeqbpb32.exeJilnqqbj.exeJkkjmlan.exeJnifigpa.exeJbdbjf32.exeJecofa32.exeJgakbm32.exeJkmgblok.exeJnkcogno.exeJfbkpd32.exeJiaglp32.exeJgdhgmep.exeJpkphjeb.exeJbileede.exeJehhaaci.exeJgfdmlcm.exeJpmlnjco.exeJblijebc.exeJfgdkd32.exeJieagojp.exeKldmckic.exeKppici32.exeKbnepe32.exeKelalp32.exeKgknhl32.exeKpbfii32.exeKbpbed32.exeKeonap32.exeKhmknk32.exeKpdboimg.exeKngcje32.exeKfnkkb32.exeKimghn32.exeKlkcdj32.exeKnippe32.exeKfqgab32.exeKiodmn32.exeKhbdikip.exeKpiljh32.exeKbghfc32.exeKefdbo32.exeKiaqcnpb.exeLlpmoiof.exeLnnikdnj.exeLfealaol.exeLidmhmnp.exeLlbidimc.exeLnqeqd32.exeLfhnaa32.exeLifjnm32.exeLldfjh32.exeLocbfd32.exepid process 4600 Hkjafn32.exe 1376 Hbdjchgn.exe 2556 Hdbfodfa.exe 1456 Ighhln32.exe 2060 Inbqhhfj.exe 4304 Ieliebnf.exe 2504 Ioambknl.exe 224 Ibpiogmp.exe 2772 Ienekbld.exe 2380 Jkhngl32.exe 3964 Jodjhkkj.exe 3436 Jbbfdfkn.exe 1056 Jeqbpb32.exe 2644 Jilnqqbj.exe 4868 Jkkjmlan.exe 1468 Jnifigpa.exe 5096 Jbdbjf32.exe 1328 Jecofa32.exe 2560 Jgakbm32.exe 4700 Jkmgblok.exe 3088 Jnkcogno.exe 1508 Jfbkpd32.exe 2016 Jiaglp32.exe 1236 Jgdhgmep.exe 1368 Jpkphjeb.exe 3024 Jbileede.exe 2444 Jehhaaci.exe 3184 Jgfdmlcm.exe 1124 Jpmlnjco.exe 2852 Jblijebc.exe 3924 Jfgdkd32.exe 1156 Jieagojp.exe 1692 Kldmckic.exe 3908 Kppici32.exe 3812 Kbnepe32.exe 1600 Kelalp32.exe 4540 Kgknhl32.exe 2832 Kpbfii32.exe 992 Kbpbed32.exe 3732 Keonap32.exe 1660 Khmknk32.exe 1472 Kpdboimg.exe 1752 Kngcje32.exe 1760 Kfnkkb32.exe 536 Kimghn32.exe 4132 Klkcdj32.exe 3292 Knippe32.exe 4988 Kfqgab32.exe 4972 Kiodmn32.exe 2188 Khbdikip.exe 3724 Kpiljh32.exe 2400 Kbghfc32.exe 844 Kefdbo32.exe 4720 Kiaqcnpb.exe 2424 Llpmoiof.exe 4424 Lnnikdnj.exe 4800 Lfealaol.exe 1076 Lidmhmnp.exe 4832 Llbidimc.exe 4992 Lnqeqd32.exe 2324 Lfhnaa32.exe 2720 Lifjnm32.exe 1392 Lldfjh32.exe 5164 Locbfd32.exe -
Drops file in System32 directory 64 IoCs
Processes:
Eangpgcl.exeMlbkap32.exeJlgepanl.exeOjdnid32.exeNmdgikhi.exeNgndaccj.exeJbileede.exeOgpepl32.exeInjcmc32.exeJkaicd32.exeEifhdd32.exeLeopnglc.exeCaageq32.exeJilnqqbj.exeKkhpdcab.exeOkjnnj32.exeDokgdkeh.exeOoagno32.exeFdkpma32.exeOdalmibl.exeInbqhhfj.exeNchjdo32.exeBgeaifia.exeAckbmcjl.exeFbcfhibj.exeKjepjkhf.exeKpoalo32.exeAaoaic32.exeLnnbqnjn.exeCmflbf32.exeOcmconhk.exeBihjfnmm.exeDcjnoece.exeFeoodn32.exeEfeihb32.exeOjfcdnjc.exeOcaebc32.exeNiklpj32.exeCgjjdf32.exeHdmoohbo.exeNenbjo32.exeNflkbanj.exeAagkhd32.exeJodjhkkj.exeFdcjlb32.exeMbighjdd.exeEkkkoj32.exeFngcmcfe.exeLgpoihnl.exeNmipdk32.exeAdhdjpjf.exeKpbfii32.exeKefdbo32.exeMhafeb32.exeDdgibkpc.exeKhbdikip.exeJdedak32.exeQohpkf32.exeDbjkkl32.exeGdlfhj32.exeAefjii32.exeGbchdp32.exeJiaglp32.exeKfnkkb32.exedescription ioc process File opened for modification C:\Windows\SysWOW64\Edmclccp.exe Eangpgcl.exe File opened for modification C:\Windows\SysWOW64\Mjellmbp.exe Mlbkap32.exe File created C:\Windows\SysWOW64\Jepjhg32.exe Jlgepanl.exe File created C:\Windows\SysWOW64\Anqlll32.dll Ojdnid32.exe File created C:\Windows\SysWOW64\Ncnofeof.exe Nmdgikhi.exe File created C:\Windows\SysWOW64\Npiiffqe.exe Ngndaccj.exe File created C:\Windows\SysWOW64\Algpao32.dll Jbileede.exe File opened for modification C:\Windows\SysWOW64\Ojnblg32.exe Ogpepl32.exe File opened for modification C:\Windows\SysWOW64\Iafonaao.exe Injcmc32.exe File opened for modification C:\Windows\SysWOW64\Kdinljnk.exe Jkaicd32.exe File created C:\Windows\SysWOW64\Eleepoob.exe Eifhdd32.exe File opened for modification C:\Windows\SysWOW64\Ljkifn32.exe Leopnglc.exe File opened for modification C:\Windows\SysWOW64\Chkobkod.exe Caageq32.exe File opened for modification C:\Windows\SysWOW64\Jkkjmlan.exe Jilnqqbj.exe File created C:\Windows\SysWOW64\Jklbcn32.dll Kkhpdcab.exe File created C:\Windows\SysWOW64\Oklkdi32.exe Okjnnj32.exe File created C:\Windows\SysWOW64\Khblgpag.dll Dokgdkeh.exe File opened for modification C:\Windows\SysWOW64\Ocmconhk.exe Ooagno32.exe File created C:\Windows\SysWOW64\Idfjphid.dll Fdkpma32.exe File created C:\Windows\SysWOW64\Phodcg32.exe Odalmibl.exe File created C:\Windows\SysWOW64\Eignmpke.dll Inbqhhfj.exe File created C:\Windows\SysWOW64\Nlhlkhcm.dll Nchjdo32.exe File created C:\Windows\SysWOW64\Fpnfmjbo.dll Bgeaifia.exe File created C:\Windows\SysWOW64\Ajdjin32.exe Ackbmcjl.exe File opened for modification C:\Windows\SysWOW64\Fjjnifbl.exe Fbcfhibj.exe File opened for modification C:\Windows\SysWOW64\Kqbdldnq.exe Kjepjkhf.exe File opened for modification C:\Windows\SysWOW64\Kgiiiidd.exe Kpoalo32.exe File created C:\Windows\SysWOW64\Bhhiemoj.exe Aaoaic32.exe File opened for modification C:\Windows\SysWOW64\Lalnmiia.exe Lnnbqnjn.exe File opened for modification C:\Windows\SysWOW64\Cbbdjm32.exe Cmflbf32.exe File created C:\Windows\SysWOW64\Fgppmg32.dll Ocmconhk.exe File created C:\Windows\SysWOW64\Coaadq32.dll Bihjfnmm.exe File opened for modification C:\Windows\SysWOW64\Dfhjkabi.exe Dcjnoece.exe File created C:\Windows\SysWOW64\Fngcmcfe.exe Feoodn32.exe File created C:\Windows\SysWOW64\Eicedn32.exe Efeihb32.exe File created C:\Windows\SysWOW64\Gdmpga32.dll Ojfcdnjc.exe File created C:\Windows\SysWOW64\Bdlgcp32.dll Ocaebc32.exe File opened for modification C:\Windows\SysWOW64\Nlihle32.exe Niklpj32.exe File created C:\Windows\SysWOW64\Bepdhaek.dll Cgjjdf32.exe File created C:\Windows\SysWOW64\Hgkkkcbc.exe Hdmoohbo.exe File created C:\Windows\SysWOW64\Kodoah32.dll Nenbjo32.exe File created C:\Windows\SysWOW64\Nmiadaea.dll Nflkbanj.exe File created C:\Windows\SysWOW64\Adfgdpmi.exe Aagkhd32.exe File created C:\Windows\SysWOW64\Jbbfdfkn.exe Jodjhkkj.exe File created C:\Windows\SysWOW64\Fhofmq32.exe Fdcjlb32.exe File opened for modification C:\Windows\SysWOW64\Micoed32.exe Mbighjdd.exe File created C:\Windows\SysWOW64\Ggqecq32.dll Ekkkoj32.exe File created C:\Windows\SysWOW64\Fealin32.exe Fngcmcfe.exe File opened for modification C:\Windows\SysWOW64\Lfbped32.exe Lgpoihnl.exe File created C:\Windows\SysWOW64\Adfnba32.dll Nmipdk32.exe File opened for modification C:\Windows\SysWOW64\Akblfj32.exe Adhdjpjf.exe File created C:\Windows\SysWOW64\Kbpbed32.exe Kpbfii32.exe File opened for modification C:\Windows\SysWOW64\Kiaqcnpb.exe Kefdbo32.exe File created C:\Windows\SysWOW64\Fiebmc32.dll Mhafeb32.exe File opened for modification C:\Windows\SysWOW64\Dkqaoe32.exe Ddgibkpc.exe File created C:\Windows\SysWOW64\Apbffmfi.dll Khbdikip.exe File created C:\Windows\SysWOW64\Injdmnab.dll Jdedak32.exe File opened for modification C:\Windows\SysWOW64\Qebhhp32.exe Qohpkf32.exe File created C:\Windows\SysWOW64\Diccgfpd.exe Dbjkkl32.exe File opened for modification C:\Windows\SysWOW64\Gfmojenc.exe Gdlfhj32.exe File created C:\Windows\SysWOW64\Ahgcjddh.exe Aefjii32.exe File created C:\Windows\SysWOW64\Gpgind32.exe Gbchdp32.exe File created C:\Windows\SysWOW64\Jgdhgmep.exe Jiaglp32.exe File opened for modification C:\Windows\SysWOW64\Kimghn32.exe Kfnkkb32.exe -
Program crash 1 IoCs
Processes:
WerFault.exepid pid_target process target process 6120 2708 WerFault.exe Dkqaoe32.exe -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
Bmomlnjk.exeAckbmcjl.exeAkhcfe32.exeLqndhcdc.exeMcjmel32.exeFealin32.exeBjbfklei.exeHidgai32.exeKpcjgnhb.exeJgdhgmep.exeCglgjeci.exeHhfedm32.exeEbejfk32.exeDdjmba32.exeGpgind32.exeOndljl32.exeCjhfpa32.exeAhenokjf.exeHdbfodfa.exeKhbdikip.exeLfjjga32.exeOcamjm32.exeBgbdcgld.exeBggnof32.exeJqhafffk.exeEbgpad32.exeGmafajfi.exeOgcnmc32.exeKfpcoefj.exeNfjola32.exeLlipehgk.exeCpeohh32.exeDcjnoece.exeHjhalefe.exeLbgalmej.exeHgkkkcbc.exeMmhgmmbf.exeCgqlcg32.exeLfodbqfa.exeOepifi32.exeDmglcj32.exeIqbbpm32.exeLnnbqnjn.exeAfkknogn.exeBaegibae.exeKefdbo32.exeDapkni32.exeLldopb32.exeGemkelcd.exeOjfcdnjc.exePjdpelnc.exeGikdkj32.exePhonha32.exeInbqhhfj.exeMbjnbqhp.exeJdedak32.exePabblb32.exeCmmbbejp.exeDkhnjk32.exeBpfkpp32.exeIenekbld.exeOphjiaql.exePhhhhc32.exeDikihe32.exedescription ioc process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bmomlnjk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ackbmcjl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Akhcfe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lqndhcdc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mcjmel32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fealin32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bjbfklei.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hidgai32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kpcjgnhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jgdhgmep.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cglgjeci.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hhfedm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ebejfk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ddjmba32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gpgind32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ondljl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cjhfpa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ahenokjf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hdbfodfa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Khbdikip.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lfjjga32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ocamjm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bgbdcgld.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bggnof32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jqhafffk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ebgpad32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gmafajfi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ogcnmc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kfpcoefj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nfjola32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Llipehgk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cpeohh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dcjnoece.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hjhalefe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lbgalmej.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hgkkkcbc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mmhgmmbf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cgqlcg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lfodbqfa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oepifi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dmglcj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iqbbpm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lnnbqnjn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Afkknogn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Baegibae.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kefdbo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dapkni32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lldopb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gemkelcd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ojfcdnjc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pjdpelnc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gikdkj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Phonha32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Inbqhhfj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mbjnbqhp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jdedak32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pabblb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cmmbbejp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dkhnjk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bpfkpp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ienekbld.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ophjiaql.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Phhhhc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dikihe32.exe -
Modifies registry class 64 IoCs
Processes:
Haoimcgg.exeHjlkge32.exeMkhapk32.exeNdflak32.exeIpeeobbe.exeAagkhd32.exePjbkgfej.exeBmomlnjk.exeDpehof32.exeOghghb32.exeDhjckcgi.exeNglhld32.exePloknb32.exeInainbcn.exeBddjpd32.exeDokgdkeh.exeHbdjchgn.exeMbenmk32.exeJqhafffk.exeNenbjo32.exeGmfplibd.exeHdbfodfa.exeJnkcogno.exeLoglacfo.exeDbnmke32.exeKiaqcnpb.exeOepifi32.exeAkffafgg.exeAkhcfe32.exeCfigpm32.exeOlehhc32.exeQjnkcekm.exeBkphhgfc.exeKiodmn32.exeNpgabc32.exeFibojhim.exeEifhdd32.exeHgdejd32.exeBheplb32.exeOlckbd32.exePkgcea32.exeJlgepanl.exeMpnnle32.exeFbgihaji.exeDddllkbf.exeCjmpkqqj.exeInbqhhfj.exePcpikkge.exeBifmqo32.exeDpqodfij.exeJnhpoamf.exeAchegd32.exeCfkmkf32.exeEecphp32.exeHefnkkkj.exeKlahfp32.exeMfqlfb32.exeLhkgoiqe.exeDakacjdb.exeDapkni32.exeJgcamf32.exeOfhknodl.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Haoimcgg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Becnaq32.dll" Hjlkge32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Mkhapk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cdbijb32.dll" Ndflak32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmhkafda.dll" Ipeeobbe.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Aagkhd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Pjbkgfej.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Bmomlnjk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Dpehof32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Oghghb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Dhjckcgi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Nglhld32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ploknb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aokkdnic.dll" Inainbcn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Bddjpd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Dokgdkeh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jndamj32.dll" Hbdjchgn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Headjohq.dll" Mbenmk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Jqhafffk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Nenbjo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndoell32.dll" Gmfplibd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Nglhld32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Hdbfodfa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kbdmhm32.dll" Jnkcogno.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Loglacfo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Dbnmke32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Kiaqcnpb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Oepifi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oqpakfgb.dll" Akffafgg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Akhcfe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Icland32.dll" Cfigpm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jmppfooc.dll" Olehhc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Qjnkcekm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Bkphhgfc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dmjhenbq.dll" Kiodmn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Npgabc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Fibojhim.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Eifhdd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nmpgal32.dll" Hgdejd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Bheplb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Olckbd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Pkgcea32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Jlgepanl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cfljpbki.dll" Mpnnle32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lippqp32.dll" Fbgihaji.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jilpfgkh.dll" Dddllkbf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Cjmpkqqj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Inbqhhfj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Pcpikkge.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Bifmqo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjkmhmpl.dll" Dpqodfij.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Jnhpoamf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Achegd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Cfkmkf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Eecphp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ddipic32.dll" Hefnkkkj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Klahfp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jnifpf32.dll" Mfqlfb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Lhkgoiqe.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Dakacjdb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhkjmn32.dll" Dapkni32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Jgcamf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ipeeobbe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ofhknodl.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
a592707529dc80e92b0312a57e884019a3ff66867d56344d944037915d21fff2.exeHkjafn32.exeHbdjchgn.exeHdbfodfa.exeIghhln32.exeInbqhhfj.exeIeliebnf.exeIoambknl.exeIbpiogmp.exeIenekbld.exeJkhngl32.exeJodjhkkj.exeJbbfdfkn.exeJeqbpb32.exeJilnqqbj.exeJkkjmlan.exeJnifigpa.exeJbdbjf32.exeJecofa32.exeJgakbm32.exeJkmgblok.exeJnkcogno.exedescription pid process target process PID 3340 wrote to memory of 4600 3340 a592707529dc80e92b0312a57e884019a3ff66867d56344d944037915d21fff2.exe Hkjafn32.exe PID 3340 wrote to memory of 4600 3340 a592707529dc80e92b0312a57e884019a3ff66867d56344d944037915d21fff2.exe Hkjafn32.exe PID 3340 wrote to memory of 4600 3340 a592707529dc80e92b0312a57e884019a3ff66867d56344d944037915d21fff2.exe Hkjafn32.exe PID 4600 wrote to memory of 1376 4600 Hkjafn32.exe Hbdjchgn.exe PID 4600 wrote to memory of 1376 4600 Hkjafn32.exe Hbdjchgn.exe PID 4600 wrote to memory of 1376 4600 Hkjafn32.exe Hbdjchgn.exe PID 1376 wrote to memory of 2556 1376 Hbdjchgn.exe Hdbfodfa.exe PID 1376 wrote to memory of 2556 1376 Hbdjchgn.exe Hdbfodfa.exe PID 1376 wrote to memory of 2556 1376 Hbdjchgn.exe Hdbfodfa.exe PID 2556 wrote to memory of 1456 2556 Hdbfodfa.exe Ighhln32.exe PID 2556 wrote to memory of 1456 2556 Hdbfodfa.exe Ighhln32.exe PID 2556 wrote to memory of 1456 2556 Hdbfodfa.exe Ighhln32.exe PID 1456 wrote to memory of 2060 1456 Ighhln32.exe Inbqhhfj.exe PID 1456 wrote to memory of 2060 1456 Ighhln32.exe Inbqhhfj.exe PID 1456 wrote to memory of 2060 1456 Ighhln32.exe Inbqhhfj.exe PID 2060 wrote to memory of 4304 2060 Inbqhhfj.exe Ieliebnf.exe PID 2060 wrote to memory of 4304 2060 Inbqhhfj.exe Ieliebnf.exe PID 2060 wrote to memory of 4304 2060 Inbqhhfj.exe Ieliebnf.exe PID 4304 wrote to memory of 2504 4304 Ieliebnf.exe Ioambknl.exe PID 4304 wrote to memory of 2504 4304 Ieliebnf.exe Ioambknl.exe PID 4304 wrote to memory of 2504 4304 Ieliebnf.exe Ioambknl.exe PID 2504 wrote to memory of 224 2504 Ioambknl.exe Ibpiogmp.exe PID 2504 wrote to memory of 224 2504 Ioambknl.exe Ibpiogmp.exe PID 2504 wrote to memory of 224 2504 Ioambknl.exe Ibpiogmp.exe PID 224 wrote to memory of 2772 224 Ibpiogmp.exe Ienekbld.exe PID 224 wrote to memory of 2772 224 Ibpiogmp.exe Ienekbld.exe PID 224 wrote to memory of 2772 224 Ibpiogmp.exe Ienekbld.exe PID 2772 wrote to memory of 2380 2772 Ienekbld.exe Jkhngl32.exe PID 2772 wrote to memory of 2380 2772 Ienekbld.exe Jkhngl32.exe PID 2772 wrote to memory of 2380 2772 Ienekbld.exe Jkhngl32.exe PID 2380 wrote to memory of 3964 2380 Jkhngl32.exe Jodjhkkj.exe PID 2380 wrote to memory of 3964 2380 Jkhngl32.exe Jodjhkkj.exe PID 2380 wrote to memory of 3964 2380 Jkhngl32.exe Jodjhkkj.exe PID 3964 wrote to memory of 3436 3964 Jodjhkkj.exe Jbbfdfkn.exe PID 3964 wrote to memory of 3436 3964 Jodjhkkj.exe Jbbfdfkn.exe PID 3964 wrote to memory of 3436 3964 Jodjhkkj.exe Jbbfdfkn.exe PID 3436 wrote to memory of 1056 3436 Jbbfdfkn.exe Jeqbpb32.exe PID 3436 wrote to memory of 1056 3436 Jbbfdfkn.exe Jeqbpb32.exe PID 3436 wrote to memory of 1056 3436 Jbbfdfkn.exe Jeqbpb32.exe PID 1056 wrote to memory of 2644 1056 Jeqbpb32.exe Jilnqqbj.exe PID 1056 wrote to memory of 2644 1056 Jeqbpb32.exe Jilnqqbj.exe PID 1056 wrote to memory of 2644 1056 Jeqbpb32.exe Jilnqqbj.exe PID 2644 wrote to memory of 4868 2644 Jilnqqbj.exe Jkkjmlan.exe PID 2644 wrote to memory of 4868 2644 Jilnqqbj.exe Jkkjmlan.exe PID 2644 wrote to memory of 4868 2644 Jilnqqbj.exe Jkkjmlan.exe PID 4868 wrote to memory of 1468 4868 Jkkjmlan.exe Jnifigpa.exe PID 4868 wrote to memory of 1468 4868 Jkkjmlan.exe Jnifigpa.exe PID 4868 wrote to memory of 1468 4868 Jkkjmlan.exe Jnifigpa.exe PID 1468 wrote to memory of 5096 1468 Jnifigpa.exe Jbdbjf32.exe PID 1468 wrote to memory of 5096 1468 Jnifigpa.exe Jbdbjf32.exe PID 1468 wrote to memory of 5096 1468 Jnifigpa.exe Jbdbjf32.exe PID 5096 wrote to memory of 1328 5096 Jbdbjf32.exe Jecofa32.exe PID 5096 wrote to memory of 1328 5096 Jbdbjf32.exe Jecofa32.exe PID 5096 wrote to memory of 1328 5096 Jbdbjf32.exe Jecofa32.exe PID 1328 wrote to memory of 2560 1328 Jecofa32.exe Jgakbm32.exe PID 1328 wrote to memory of 2560 1328 Jecofa32.exe Jgakbm32.exe PID 1328 wrote to memory of 2560 1328 Jecofa32.exe Jgakbm32.exe PID 2560 wrote to memory of 4700 2560 Jgakbm32.exe Jkmgblok.exe PID 2560 wrote to memory of 4700 2560 Jgakbm32.exe Jkmgblok.exe PID 2560 wrote to memory of 4700 2560 Jgakbm32.exe Jkmgblok.exe PID 4700 wrote to memory of 3088 4700 Jkmgblok.exe Jnkcogno.exe PID 4700 wrote to memory of 3088 4700 Jkmgblok.exe Jnkcogno.exe PID 4700 wrote to memory of 3088 4700 Jkmgblok.exe Jnkcogno.exe PID 3088 wrote to memory of 1508 3088 Jnkcogno.exe Jfbkpd32.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\a592707529dc80e92b0312a57e884019a3ff66867d56344d944037915d21fff2.exe"C:\Users\Admin\AppData\Local\Temp\a592707529dc80e92b0312a57e884019a3ff66867d56344d944037915d21fff2.exe"1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Suspicious use of WriteProcessMemory
PID:3340 -
C:\Windows\SysWOW64\Hkjafn32.exeC:\Windows\system32\Hkjafn32.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4600 -
C:\Windows\SysWOW64\Hbdjchgn.exeC:\Windows\system32\Hbdjchgn.exe3⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1376 -
C:\Windows\SysWOW64\Hdbfodfa.exeC:\Windows\system32\Hdbfodfa.exe4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2556 -
C:\Windows\SysWOW64\Ighhln32.exeC:\Windows\system32\Ighhln32.exe5⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1456 -
C:\Windows\SysWOW64\Inbqhhfj.exeC:\Windows\system32\Inbqhhfj.exe6⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2060 -
C:\Windows\SysWOW64\Ieliebnf.exeC:\Windows\system32\Ieliebnf.exe7⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4304 -
C:\Windows\SysWOW64\Ioambknl.exeC:\Windows\system32\Ioambknl.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2504 -
C:\Windows\SysWOW64\Ibpiogmp.exeC:\Windows\system32\Ibpiogmp.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:224 -
C:\Windows\SysWOW64\Ienekbld.exeC:\Windows\system32\Ienekbld.exe10⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2772 -
C:\Windows\SysWOW64\Jkhngl32.exeC:\Windows\system32\Jkhngl32.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2380 -
C:\Windows\SysWOW64\Jodjhkkj.exeC:\Windows\system32\Jodjhkkj.exe12⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3964 -
C:\Windows\SysWOW64\Jbbfdfkn.exeC:\Windows\system32\Jbbfdfkn.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3436 -
C:\Windows\SysWOW64\Jeqbpb32.exeC:\Windows\system32\Jeqbpb32.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1056 -
C:\Windows\SysWOW64\Jilnqqbj.exeC:\Windows\system32\Jilnqqbj.exe15⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2644 -
C:\Windows\SysWOW64\Jkkjmlan.exeC:\Windows\system32\Jkkjmlan.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4868 -
C:\Windows\SysWOW64\Jnifigpa.exeC:\Windows\system32\Jnifigpa.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1468 -
C:\Windows\SysWOW64\Jbdbjf32.exeC:\Windows\system32\Jbdbjf32.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5096 -
C:\Windows\SysWOW64\Jecofa32.exeC:\Windows\system32\Jecofa32.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1328 -
C:\Windows\SysWOW64\Jgakbm32.exeC:\Windows\system32\Jgakbm32.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2560 -
C:\Windows\SysWOW64\Jkmgblok.exeC:\Windows\system32\Jkmgblok.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4700 -
C:\Windows\SysWOW64\Jnkcogno.exeC:\Windows\system32\Jnkcogno.exe22⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3088 -
C:\Windows\SysWOW64\Jfbkpd32.exeC:\Windows\system32\Jfbkpd32.exe23⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1508 -
C:\Windows\SysWOW64\Jiaglp32.exeC:\Windows\system32\Jiaglp32.exe24⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2016 -
C:\Windows\SysWOW64\Jgdhgmep.exeC:\Windows\system32\Jgdhgmep.exe25⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1236 -
C:\Windows\SysWOW64\Jpkphjeb.exeC:\Windows\system32\Jpkphjeb.exe26⤵
- Executes dropped EXE
PID:1368 -
C:\Windows\SysWOW64\Jbileede.exeC:\Windows\system32\Jbileede.exe27⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3024 -
C:\Windows\SysWOW64\Jehhaaci.exeC:\Windows\system32\Jehhaaci.exe28⤵
- Executes dropped EXE
PID:2444 -
C:\Windows\SysWOW64\Jgfdmlcm.exeC:\Windows\system32\Jgfdmlcm.exe29⤵
- Executes dropped EXE
PID:3184 -
C:\Windows\SysWOW64\Jpmlnjco.exeC:\Windows\system32\Jpmlnjco.exe30⤵
- Executes dropped EXE
PID:1124 -
C:\Windows\SysWOW64\Jblijebc.exeC:\Windows\system32\Jblijebc.exe31⤵
- Executes dropped EXE
PID:2852 -
C:\Windows\SysWOW64\Jfgdkd32.exeC:\Windows\system32\Jfgdkd32.exe32⤵
- Executes dropped EXE
PID:3924 -
C:\Windows\SysWOW64\Jieagojp.exeC:\Windows\system32\Jieagojp.exe33⤵
- Executes dropped EXE
PID:1156 -
C:\Windows\SysWOW64\Kldmckic.exeC:\Windows\system32\Kldmckic.exe34⤵
- Executes dropped EXE
PID:1692 -
C:\Windows\SysWOW64\Kppici32.exeC:\Windows\system32\Kppici32.exe35⤵
- Executes dropped EXE
PID:3908 -
C:\Windows\SysWOW64\Kbnepe32.exeC:\Windows\system32\Kbnepe32.exe36⤵
- Executes dropped EXE
PID:3812 -
C:\Windows\SysWOW64\Kelalp32.exeC:\Windows\system32\Kelalp32.exe37⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1600 -
C:\Windows\SysWOW64\Kgknhl32.exeC:\Windows\system32\Kgknhl32.exe38⤵
- Executes dropped EXE
PID:4540 -
C:\Windows\SysWOW64\Kpbfii32.exeC:\Windows\system32\Kpbfii32.exe39⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2832 -
C:\Windows\SysWOW64\Kbpbed32.exeC:\Windows\system32\Kbpbed32.exe40⤵
- Executes dropped EXE
PID:992 -
C:\Windows\SysWOW64\Keonap32.exeC:\Windows\system32\Keonap32.exe41⤵
- Executes dropped EXE
PID:3732 -
C:\Windows\SysWOW64\Khmknk32.exeC:\Windows\system32\Khmknk32.exe42⤵
- Executes dropped EXE
PID:1660 -
C:\Windows\SysWOW64\Kpdboimg.exeC:\Windows\system32\Kpdboimg.exe43⤵
- Executes dropped EXE
PID:1472 -
C:\Windows\SysWOW64\Kngcje32.exeC:\Windows\system32\Kngcje32.exe44⤵
- Executes dropped EXE
PID:1752 -
C:\Windows\SysWOW64\Kfnkkb32.exeC:\Windows\system32\Kfnkkb32.exe45⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1760 -
C:\Windows\SysWOW64\Kimghn32.exeC:\Windows\system32\Kimghn32.exe46⤵
- Executes dropped EXE
PID:536 -
C:\Windows\SysWOW64\Klkcdj32.exeC:\Windows\system32\Klkcdj32.exe47⤵
- Executes dropped EXE
PID:4132 -
C:\Windows\SysWOW64\Knippe32.exeC:\Windows\system32\Knippe32.exe48⤵
- Executes dropped EXE
PID:3292 -
C:\Windows\SysWOW64\Kfqgab32.exeC:\Windows\system32\Kfqgab32.exe49⤵
- Executes dropped EXE
PID:4988 -
C:\Windows\SysWOW64\Kiodmn32.exeC:\Windows\system32\Kiodmn32.exe50⤵
- Executes dropped EXE
- Modifies registry class
PID:4972 -
C:\Windows\SysWOW64\Khbdikip.exeC:\Windows\system32\Khbdikip.exe51⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2188 -
C:\Windows\SysWOW64\Kpiljh32.exeC:\Windows\system32\Kpiljh32.exe52⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3724 -
C:\Windows\SysWOW64\Kbghfc32.exeC:\Windows\system32\Kbghfc32.exe53⤵
- Executes dropped EXE
PID:2400 -
C:\Windows\SysWOW64\Kefdbo32.exeC:\Windows\system32\Kefdbo32.exe54⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:844 -
C:\Windows\SysWOW64\Kiaqcnpb.exeC:\Windows\system32\Kiaqcnpb.exe55⤵
- Executes dropped EXE
- Modifies registry class
PID:4720 -
C:\Windows\SysWOW64\Llpmoiof.exeC:\Windows\system32\Llpmoiof.exe56⤵
- Executes dropped EXE
PID:2424 -
C:\Windows\SysWOW64\Lnnikdnj.exeC:\Windows\system32\Lnnikdnj.exe57⤵
- Executes dropped EXE
PID:4424 -
C:\Windows\SysWOW64\Lfealaol.exeC:\Windows\system32\Lfealaol.exe58⤵
- Executes dropped EXE
PID:4800 -
C:\Windows\SysWOW64\Lidmhmnp.exeC:\Windows\system32\Lidmhmnp.exe59⤵
- Executes dropped EXE
PID:1076 -
C:\Windows\SysWOW64\Llbidimc.exeC:\Windows\system32\Llbidimc.exe60⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4832 -
C:\Windows\SysWOW64\Lnqeqd32.exeC:\Windows\system32\Lnqeqd32.exe61⤵
- Executes dropped EXE
PID:4992 -
C:\Windows\SysWOW64\Lfhnaa32.exeC:\Windows\system32\Lfhnaa32.exe62⤵
- Executes dropped EXE
PID:2324 -
C:\Windows\SysWOW64\Lifjnm32.exeC:\Windows\system32\Lifjnm32.exe63⤵
- Executes dropped EXE
PID:2720 -
C:\Windows\SysWOW64\Lldfjh32.exeC:\Windows\system32\Lldfjh32.exe64⤵
- Executes dropped EXE
PID:1392 -
C:\Windows\SysWOW64\Locbfd32.exeC:\Windows\system32\Locbfd32.exe65⤵
- Executes dropped EXE
PID:5164 -
C:\Windows\SysWOW64\Lfjjga32.exeC:\Windows\system32\Lfjjga32.exe66⤵
- System Location Discovery: System Language Discovery
PID:5196 -
C:\Windows\SysWOW64\Lihfcm32.exeC:\Windows\system32\Lihfcm32.exe67⤵PID:5236
-
C:\Windows\SysWOW64\Lhkgoiqe.exeC:\Windows\system32\Lhkgoiqe.exe68⤵
- Modifies registry class
PID:5296 -
C:\Windows\SysWOW64\Llipehgk.exeC:\Windows\system32\Llipehgk.exe69⤵
- System Location Discovery: System Language Discovery
PID:5332 -
C:\Windows\SysWOW64\Loglacfo.exeC:\Windows\system32\Loglacfo.exe70⤵
- Modifies registry class
PID:5372 -
C:\Windows\SysWOW64\Lfodbqfa.exeC:\Windows\system32\Lfodbqfa.exe71⤵
- System Location Discovery: System Language Discovery
PID:5412 -
C:\Windows\SysWOW64\Mhppji32.exeC:\Windows\system32\Mhppji32.exe72⤵PID:5452
-
C:\Windows\SysWOW64\Mpghkf32.exeC:\Windows\system32\Mpghkf32.exe73⤵PID:5492
-
C:\Windows\SysWOW64\Mbedga32.exeC:\Windows\system32\Mbedga32.exe74⤵PID:5532
-
C:\Windows\SysWOW64\Mfaqhp32.exeC:\Windows\system32\Mfaqhp32.exe75⤵PID:5572
-
C:\Windows\SysWOW64\Miomdk32.exeC:\Windows\system32\Miomdk32.exe76⤵PID:5612
-
C:\Windows\SysWOW64\Mpieqeko.exeC:\Windows\system32\Mpieqeko.exe77⤵PID:5652
-
C:\Windows\SysWOW64\Molelb32.exeC:\Windows\system32\Molelb32.exe78⤵PID:5688
-
C:\Windows\SysWOW64\Mfcmmp32.exeC:\Windows\system32\Mfcmmp32.exe79⤵PID:5732
-
C:\Windows\SysWOW64\Mhdjehhj.exeC:\Windows\system32\Mhdjehhj.exe80⤵PID:5772
-
C:\Windows\SysWOW64\Mplafeil.exeC:\Windows\system32\Mplafeil.exe81⤵PID:5812
-
C:\Windows\SysWOW64\Mbjnbqhp.exeC:\Windows\system32\Mbjnbqhp.exe82⤵
- System Location Discovery: System Language Discovery
PID:5852 -
C:\Windows\SysWOW64\Mehjol32.exeC:\Windows\system32\Mehjol32.exe83⤵PID:5896
-
C:\Windows\SysWOW64\Mhgfkg32.exeC:\Windows\system32\Mhgfkg32.exe84⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5940 -
C:\Windows\SysWOW64\Mpnnle32.exeC:\Windows\system32\Mpnnle32.exe85⤵
- Modifies registry class
PID:5980 -
C:\Windows\SysWOW64\Mblkhq32.exeC:\Windows\system32\Mblkhq32.exe86⤵PID:6024
-
C:\Windows\SysWOW64\Mekgdl32.exeC:\Windows\system32\Mekgdl32.exe87⤵PID:6068
-
C:\Windows\SysWOW64\Mhicpg32.exeC:\Windows\system32\Mhicpg32.exe88⤵PID:6112
-
C:\Windows\SysWOW64\Mpqkad32.exeC:\Windows\system32\Mpqkad32.exe89⤵PID:4728
-
C:\Windows\SysWOW64\Mbognp32.exeC:\Windows\system32\Mbognp32.exe90⤵PID:1060
-
C:\Windows\SysWOW64\Nemcjk32.exeC:\Windows\system32\Nemcjk32.exe91⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4328 -
C:\Windows\SysWOW64\Nhlpfgbb.exeC:\Windows\system32\Nhlpfgbb.exe92⤵PID:3196
-
C:\Windows\SysWOW64\Noehba32.exeC:\Windows\system32\Noehba32.exe93⤵PID:3036
-
C:\Windows\SysWOW64\Ngmpcn32.exeC:\Windows\system32\Ngmpcn32.exe94⤵PID:3084
-
C:\Windows\SysWOW64\Niklpj32.exeC:\Windows\system32\Niklpj32.exe95⤵
- Drops file in System32 directory
PID:4376 -
C:\Windows\SysWOW64\Nlihle32.exeC:\Windows\system32\Nlihle32.exe96⤵PID:2416
-
C:\Windows\SysWOW64\Nohehq32.exeC:\Windows\system32\Nohehq32.exe97⤵PID:1952
-
C:\Windows\SysWOW64\Ngomin32.exeC:\Windows\system32\Ngomin32.exe98⤵PID:5172
-
C:\Windows\SysWOW64\Niniei32.exeC:\Windows\system32\Niniei32.exe99⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5232 -
C:\Windows\SysWOW64\Nhpiafnm.exeC:\Windows\system32\Nhpiafnm.exe100⤵PID:5268
-
C:\Windows\SysWOW64\Npgabc32.exeC:\Windows\system32\Npgabc32.exe101⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:5360 -
C:\Windows\SysWOW64\Ncfmno32.exeC:\Windows\system32\Ncfmno32.exe102⤵PID:5436
-
C:\Windows\SysWOW64\Nipekiep.exeC:\Windows\system32\Nipekiep.exe103⤵PID:5516
-
C:\Windows\SysWOW64\Nhbfff32.exeC:\Windows\system32\Nhbfff32.exe104⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5596 -
C:\Windows\SysWOW64\Npjnhc32.exeC:\Windows\system32\Npjnhc32.exe105⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5672 -
C:\Windows\SysWOW64\Nchjdo32.exeC:\Windows\system32\Nchjdo32.exe106⤵
- Drops file in System32 directory
PID:4192 -
C:\Windows\SysWOW64\Ngdfdmdi.exeC:\Windows\system32\Ngdfdmdi.exe107⤵PID:5808
-
C:\Windows\SysWOW64\Nibbqicm.exeC:\Windows\system32\Nibbqicm.exe108⤵PID:5888
-
C:\Windows\SysWOW64\Nlqomd32.exeC:\Windows\system32\Nlqomd32.exe109⤵PID:5964
-
C:\Windows\SysWOW64\Nookip32.exeC:\Windows\system32\Nookip32.exe110⤵PID:2708
-
C:\Windows\SysWOW64\Ogfcjm32.exeC:\Windows\system32\Ogfcjm32.exe111⤵PID:6120
-
C:\Windows\SysWOW64\Oidofh32.exeC:\Windows\system32\Oidofh32.exe112⤵PID:1052
-
C:\Windows\SysWOW64\Olckbd32.exeC:\Windows\system32\Olckbd32.exe113⤵
- Modifies registry class
PID:4000 -
C:\Windows\SysWOW64\Ooagno32.exeC:\Windows\system32\Ooagno32.exe114⤵
- Drops file in System32 directory
PID:5088 -
C:\Windows\SysWOW64\Ocmconhk.exeC:\Windows\system32\Ocmconhk.exe115⤵
- Drops file in System32 directory
PID:6184 -
C:\Windows\SysWOW64\Oekpkigo.exeC:\Windows\system32\Oekpkigo.exe116⤵PID:6224
-
C:\Windows\SysWOW64\Ohjlgefb.exeC:\Windows\system32\Ohjlgefb.exe117⤵PID:6264
-
C:\Windows\SysWOW64\Olehhc32.exeC:\Windows\system32\Olehhc32.exe118⤵
- Modifies registry class
PID:6304 -
C:\Windows\SysWOW64\Oocddono.exeC:\Windows\system32\Oocddono.exe119⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6344 -
C:\Windows\SysWOW64\Ogklelna.exeC:\Windows\system32\Ogklelna.exe120⤵PID:6384
-
C:\Windows\SysWOW64\Oiihahme.exeC:\Windows\system32\Oiihahme.exe121⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6424 -
C:\Windows\SysWOW64\Ohlimd32.exeC:\Windows\system32\Ohlimd32.exe122⤵PID:6464
-
C:\Windows\SysWOW64\Opcqnb32.exeC:\Windows\system32\Opcqnb32.exe123⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6504 -
C:\Windows\SysWOW64\Ocamjm32.exeC:\Windows\system32\Ocamjm32.exe124⤵
- System Location Discovery: System Language Discovery
PID:6544 -
C:\Windows\SysWOW64\Oepifi32.exeC:\Windows\system32\Oepifi32.exe125⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:6584 -
C:\Windows\SysWOW64\Ohnebd32.exeC:\Windows\system32\Ohnebd32.exe126⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6624 -
C:\Windows\SysWOW64\Oljaccjf.exeC:\Windows\system32\Oljaccjf.exe127⤵PID:6664
-
C:\Windows\SysWOW64\Oohnonij.exeC:\Windows\system32\Oohnonij.exe128⤵PID:6704
-
C:\Windows\SysWOW64\Ogpepl32.exeC:\Windows\system32\Ogpepl32.exe129⤵
- Drops file in System32 directory
PID:6744 -
C:\Windows\SysWOW64\Ojnblg32.exeC:\Windows\system32\Ojnblg32.exe130⤵PID:6784
-
C:\Windows\SysWOW64\Ollnhb32.exeC:\Windows\system32\Ollnhb32.exe131⤵PID:6824
-
C:\Windows\SysWOW64\Ophjiaql.exeC:\Windows\system32\Ophjiaql.exe132⤵
- System Location Discovery: System Language Discovery
PID:6864 -
C:\Windows\SysWOW64\Ocffempp.exeC:\Windows\system32\Ocffempp.exe133⤵PID:6904
-
C:\Windows\SysWOW64\Pedbahod.exeC:\Windows\system32\Pedbahod.exe134⤵PID:6944
-
C:\Windows\SysWOW64\Pjpobg32.exeC:\Windows\system32\Pjpobg32.exe135⤵PID:6984
-
C:\Windows\SysWOW64\Ploknb32.exeC:\Windows\system32\Ploknb32.exe136⤵
- Modifies registry class
PID:7024 -
C:\Windows\SysWOW64\Ppjgoaoj.exeC:\Windows\system32\Ppjgoaoj.exe137⤵PID:7064
-
C:\Windows\SysWOW64\Pcicklnn.exeC:\Windows\system32\Pcicklnn.exe138⤵PID:7104
-
C:\Windows\SysWOW64\Pjbkgfej.exeC:\Windows\system32\Pjbkgfej.exe139⤵
- Modifies registry class
PID:7144 -
C:\Windows\SysWOW64\Plagcbdn.exeC:\Windows\system32\Plagcbdn.exe140⤵PID:376
-
C:\Windows\SysWOW64\Poodpmca.exeC:\Windows\system32\Poodpmca.exe141⤵PID:4400
-
C:\Windows\SysWOW64\Pgflqkdd.exeC:\Windows\system32\Pgflqkdd.exe142⤵PID:3248
-
C:\Windows\SysWOW64\Phhhhc32.exeC:\Windows\system32\Phhhhc32.exe143⤵
- System Location Discovery: System Language Discovery
PID:3520 -
C:\Windows\SysWOW64\Ppopjp32.exeC:\Windows\system32\Ppopjp32.exe144⤵PID:5260
-
C:\Windows\SysWOW64\Pcmlfl32.exeC:\Windows\system32\Pcmlfl32.exe145⤵PID:5380
-
C:\Windows\SysWOW64\Pflibgil.exeC:\Windows\system32\Pflibgil.exe146⤵PID:5484
-
C:\Windows\SysWOW64\Phjenbhp.exeC:\Windows\system32\Phjenbhp.exe147⤵PID:5580
-
C:\Windows\SysWOW64\Pleaoa32.exeC:\Windows\system32\Pleaoa32.exe148⤵PID:5676
-
C:\Windows\SysWOW64\Pcpikkge.exeC:\Windows\system32\Pcpikkge.exe149⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:5796 -
C:\Windows\SysWOW64\Pgkelj32.exeC:\Windows\system32\Pgkelj32.exe150⤵PID:5928
-
C:\Windows\SysWOW64\Pjjahe32.exeC:\Windows\system32\Pjjahe32.exe151⤵PID:4300
-
C:\Windows\SysWOW64\Plhnda32.exeC:\Windows\system32\Plhnda32.exe152⤵PID:3428
-
C:\Windows\SysWOW64\Qcbfakec.exeC:\Windows\system32\Qcbfakec.exe153⤵PID:1496
-
C:\Windows\SysWOW64\Qgnbaj32.exeC:\Windows\system32\Qgnbaj32.exe154⤵PID:6180
-
C:\Windows\SysWOW64\Qjlnnemp.exeC:\Windows\system32\Qjlnnemp.exe155⤵PID:4576
-
C:\Windows\SysWOW64\Qqffjo32.exeC:\Windows\system32\Qqffjo32.exe156⤵PID:6300
-
C:\Windows\SysWOW64\Qoifflkg.exeC:\Windows\system32\Qoifflkg.exe157⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2068 -
C:\Windows\SysWOW64\Qgpogili.exeC:\Windows\system32\Qgpogili.exe158⤵PID:6412
-
C:\Windows\SysWOW64\Qjnkcekm.exeC:\Windows\system32\Qjnkcekm.exe159⤵
- Modifies registry class
PID:2868 -
C:\Windows\SysWOW64\Qlmgopjq.exeC:\Windows\system32\Qlmgopjq.exe160⤵PID:6528
-
C:\Windows\SysWOW64\Acgolj32.exeC:\Windows\system32\Acgolj32.exe161⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6580 -
C:\Windows\SysWOW64\Afelhf32.exeC:\Windows\system32\Afelhf32.exe162⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4240 -
C:\Windows\SysWOW64\Ahchda32.exeC:\Windows\system32\Ahchda32.exe163⤵PID:6692
-
C:\Windows\SysWOW64\Aqkpeopg.exeC:\Windows\system32\Aqkpeopg.exe164⤵PID:3460
-
C:\Windows\SysWOW64\Acilajpk.exeC:\Windows\system32\Acilajpk.exe165⤵PID:6812
-
C:\Windows\SysWOW64\Aimkjp32.exeC:\Windows\system32\Aimkjp32.exe166⤵PID:1768
-
C:\Windows\SysWOW64\Bqdblmhl.exeC:\Windows\system32\Bqdblmhl.exe167⤵PID:6972
-
C:\Windows\SysWOW64\Bcbohigp.exeC:\Windows\system32\Bcbohigp.exe168⤵PID:7020
-
C:\Windows\SysWOW64\Bmkcqn32.exeC:\Windows\system32\Bmkcqn32.exe169⤵PID:7096
-
C:\Windows\SysWOW64\Boipmj32.exeC:\Windows\system32\Boipmj32.exe170⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5248 -
C:\Windows\SysWOW64\Bgpgng32.exeC:\Windows\system32\Bgpgng32.exe171⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4664 -
C:\Windows\SysWOW64\Biadeoce.exeC:\Windows\system32\Biadeoce.exe172⤵PID:3400
-
C:\Windows\SysWOW64\Boklbi32.exeC:\Windows\system32\Boklbi32.exe173⤵PID:5224
-
C:\Windows\SysWOW64\Bgbdcgld.exeC:\Windows\system32\Bgbdcgld.exe174⤵
- System Location Discovery: System Language Discovery
PID:2168 -
C:\Windows\SysWOW64\Bmomlnjk.exeC:\Windows\system32\Bmomlnjk.exe175⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:976 -
C:\Windows\SysWOW64\Bgeaifia.exeC:\Windows\system32\Bgeaifia.exe176⤵
- Drops file in System32 directory
PID:964 -
C:\Windows\SysWOW64\Bifmqo32.exeC:\Windows\system32\Bifmqo32.exe177⤵
- Modifies registry class
PID:5952 -
C:\Windows\SysWOW64\Bmbiamhi.exeC:\Windows\system32\Bmbiamhi.exe178⤵PID:5936
-
C:\Windows\SysWOW64\Bclang32.exeC:\Windows\system32\Bclang32.exe179⤵PID:6108
-
C:\Windows\SysWOW64\Bggnof32.exeC:\Windows\system32\Bggnof32.exe180⤵
- System Location Discovery: System Language Discovery
PID:1564 -
C:\Windows\SysWOW64\Bihjfnmm.exeC:\Windows\system32\Bihjfnmm.exe181⤵
- Drops file in System32 directory
PID:6172 -
C:\Windows\SysWOW64\Cqpbglno.exeC:\Windows\system32\Cqpbglno.exe182⤵PID:4872
-
C:\Windows\SysWOW64\Ccnncgmc.exeC:\Windows\system32\Ccnncgmc.exe183⤵PID:6316
-
C:\Windows\SysWOW64\Cgjjdf32.exeC:\Windows\system32\Cgjjdf32.exe184⤵
- Drops file in System32 directory
PID:6368 -
C:\Windows\SysWOW64\Cjhfpa32.exeC:\Windows\system32\Cjhfpa32.exe185⤵
- System Location Discovery: System Language Discovery
PID:6460 -
C:\Windows\SysWOW64\Cpeohh32.exeC:\Windows\system32\Cpeohh32.exe186⤵
- System Location Discovery: System Language Discovery
PID:6536 -
C:\Windows\SysWOW64\Cglgjeci.exeC:\Windows\system32\Cglgjeci.exe187⤵
- System Location Discovery: System Language Discovery
PID:6616 -
C:\Windows\SysWOW64\Cjjcfabm.exeC:\Windows\system32\Cjjcfabm.exe188⤵PID:3344
-
C:\Windows\SysWOW64\Cmipblaq.exeC:\Windows\system32\Cmipblaq.exe189⤵PID:6728
-
C:\Windows\SysWOW64\Cjmpkqqj.exeC:\Windows\system32\Cjmpkqqj.exe190⤵
- Modifies registry class
PID:2052 -
C:\Windows\SysWOW64\Cmklglpn.exeC:\Windows\system32\Cmklglpn.exe191⤵PID:4016
-
C:\Windows\SysWOW64\Cceddf32.exeC:\Windows\system32\Cceddf32.exe192⤵PID:6916
-
C:\Windows\SysWOW64\Cjomap32.exeC:\Windows\system32\Cjomap32.exe193⤵PID:5156
-
C:\Windows\SysWOW64\Cmniml32.exeC:\Windows\system32\Cmniml32.exe194⤵PID:7092
-
C:\Windows\SysWOW64\Caienjfd.exeC:\Windows\system32\Caienjfd.exe195⤵PID:5544
-
C:\Windows\SysWOW64\Ccgajfeh.exeC:\Windows\system32\Ccgajfeh.exe196⤵PID:2488
-
C:\Windows\SysWOW64\Cffmfadl.exeC:\Windows\system32\Cffmfadl.exe197⤵PID:5364
-
C:\Windows\SysWOW64\Cidjbmcp.exeC:\Windows\system32\Cidjbmcp.exe198⤵PID:5648
-
C:\Windows\SysWOW64\Dakacjdb.exeC:\Windows\system32\Dakacjdb.exe199⤵
- Modifies registry class
PID:2248 -
C:\Windows\SysWOW64\Dcjnoece.exeC:\Windows\system32\Dcjnoece.exe200⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:4640 -
C:\Windows\SysWOW64\Dfhjkabi.exeC:\Windows\system32\Dfhjkabi.exe201⤵PID:380
-
C:\Windows\SysWOW64\Diffglam.exeC:\Windows\system32\Diffglam.exe202⤵PID:6168
-
C:\Windows\SysWOW64\Dpqodfij.exeC:\Windows\system32\Dpqodfij.exe203⤵
- Modifies registry class
PID:6312 -
C:\Windows\SysWOW64\Diicml32.exeC:\Windows\system32\Diicml32.exe204⤵PID:6452
-
C:\Windows\SysWOW64\Dapkni32.exeC:\Windows\system32\Dapkni32.exe205⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:6500 -
C:\Windows\SysWOW64\Dcogje32.exeC:\Windows\system32\Dcogje32.exe206⤵PID:3648
-
C:\Windows\SysWOW64\Dhjckcgi.exeC:\Windows\system32\Dhjckcgi.exe207⤵
- Modifies registry class
PID:4460 -
C:\Windows\SysWOW64\Djhpgofm.exeC:\Windows\system32\Djhpgofm.exe208⤵PID:6912
-
C:\Windows\SysWOW64\Dmglcj32.exeC:\Windows\system32\Dmglcj32.exe209⤵
- System Location Discovery: System Language Discovery
PID:6996 -
C:\Windows\SysWOW64\Dpehof32.exeC:\Windows\system32\Dpehof32.exe210⤵
- Modifies registry class
PID:7156 -
C:\Windows\SysWOW64\Ddadpdmn.exeC:\Windows\system32\Ddadpdmn.exe211⤵PID:5320
-
C:\Windows\SysWOW64\Dfoplpla.exeC:\Windows\system32\Dfoplpla.exe212⤵PID:4332
-
C:\Windows\SysWOW64\Dinmhkke.exeC:\Windows\system32\Dinmhkke.exe213⤵PID:6032
-
C:\Windows\SysWOW64\Dmihij32.exeC:\Windows\system32\Dmihij32.exe214⤵PID:556
-
C:\Windows\SysWOW64\Ddcqedkk.exeC:\Windows\system32\Ddcqedkk.exe215⤵PID:6420
-
C:\Windows\SysWOW64\Dhomfc32.exeC:\Windows\system32\Dhomfc32.exe216⤵PID:6556
-
C:\Windows\SysWOW64\Djmibn32.exeC:\Windows\system32\Djmibn32.exe217⤵PID:6676
-
C:\Windows\SysWOW64\Eagaoh32.exeC:\Windows\system32\Eagaoh32.exe218⤵PID:6780
-
C:\Windows\SysWOW64\Efdjgo32.exeC:\Windows\system32\Efdjgo32.exe219⤵PID:7136
-
C:\Windows\SysWOW64\Eaindh32.exeC:\Windows\system32\Eaindh32.exe220⤵PID:2356
-
C:\Windows\SysWOW64\Ehcfaboo.exeC:\Windows\system32\Ehcfaboo.exe221⤵PID:4648
-
C:\Windows\SysWOW64\Empoiimf.exeC:\Windows\system32\Empoiimf.exe222⤵PID:1180
-
C:\Windows\SysWOW64\Ehfcfb32.exeC:\Windows\system32\Ehfcfb32.exe223⤵PID:3172
-
C:\Windows\SysWOW64\Ejdocm32.exeC:\Windows\system32\Ejdocm32.exe224⤵PID:5148
-
C:\Windows\SysWOW64\Eangpgcl.exeC:\Windows\system32\Eangpgcl.exe225⤵
- Drops file in System32 directory
PID:3064 -
C:\Windows\SysWOW64\Edmclccp.exeC:\Windows\system32\Edmclccp.exe226⤵PID:1136
-
C:\Windows\SysWOW64\Efkphnbd.exeC:\Windows\system32\Efkphnbd.exe227⤵PID:7012
-
C:\Windows\SysWOW64\Epcdqd32.exeC:\Windows\system32\Epcdqd32.exe228⤵PID:5892
-
C:\Windows\SysWOW64\Ehjlaaig.exeC:\Windows\system32\Ehjlaaig.exe229⤵PID:2364
-
C:\Windows\SysWOW64\Fkihnmhj.exeC:\Windows\system32\Fkihnmhj.exe230⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:7204 -
C:\Windows\SysWOW64\Filiii32.exeC:\Windows\system32\Filiii32.exe231⤵PID:7244
-
C:\Windows\SysWOW64\Facqkg32.exeC:\Windows\system32\Facqkg32.exe232⤵PID:7284
-
C:\Windows\SysWOW64\Fdamgb32.exeC:\Windows\system32\Fdamgb32.exe233⤵PID:7316
-
C:\Windows\SysWOW64\Ffpicn32.exeC:\Windows\system32\Ffpicn32.exe234⤵PID:7368
-
C:\Windows\SysWOW64\Faenpf32.exeC:\Windows\system32\Faenpf32.exe235⤵PID:7408
-
C:\Windows\SysWOW64\Fdcjlb32.exeC:\Windows\system32\Fdcjlb32.exe236⤵
- Drops file in System32 directory
PID:7448 -
C:\Windows\SysWOW64\Fhofmq32.exeC:\Windows\system32\Fhofmq32.exe237⤵PID:7484
-
C:\Windows\SysWOW64\Fknbil32.exeC:\Windows\system32\Fknbil32.exe238⤵PID:7528
-
C:\Windows\SysWOW64\Fagjfflb.exeC:\Windows\system32\Fagjfflb.exe239⤵PID:7568
-
C:\Windows\SysWOW64\Fdffbake.exeC:\Windows\system32\Fdffbake.exe240⤵PID:7608
-
C:\Windows\SysWOW64\Fgdbnmji.exeC:\Windows\system32\Fgdbnmji.exe241⤵PID:7652
-
C:\Windows\SysWOW64\Fibojhim.exeC:\Windows\system32\Fibojhim.exe242⤵
- Modifies registry class
PID:7692