Analysis
-
max time kernel
117s -
max time network
118s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
10-11-2024 01:20
Static task
static1
Behavioral task
behavioral1
Sample
7a26254828fc66756ddbc8f56167e7cddf1ebc7731bc7600bb0e112c10f28facN.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
7a26254828fc66756ddbc8f56167e7cddf1ebc7731bc7600bb0e112c10f28facN.exe
Resource
win10v2004-20241007-en
General
-
Target
7a26254828fc66756ddbc8f56167e7cddf1ebc7731bc7600bb0e112c10f28facN.exe
-
Size
64KB
-
MD5
15547afe700498242bf6912fdc2bf5d0
-
SHA1
5dc33dba6351a14e02a34acac527fc069916bf0a
-
SHA256
7a26254828fc66756ddbc8f56167e7cddf1ebc7731bc7600bb0e112c10f28fac
-
SHA512
b44985f0e950fea0329b9e70b08261d4968cd6f4facb4e88f90d85842f0786fbf07bb677c20fac69c6b2f2143cf4659d0230bacebf76da63c588adbe312a8de3
-
SSDEEP
1536:H+L1CGmL/xuohE4SOxUCQJWEXUk7qK2tvb01SV1iL+iALMH6:Hg1CGmTJaOlxEEk7M1QSV1iL+9Ma
Malware Config
Extracted
berbew
http://crutop.nu/index.php
http://crutop.ru/index.php
http://mazafaka.ru/index.php
http://color-bank.ru/index.php
http://asechka.ru/index.php
http://trojan.ru/index.php
http://fuck.ru/index.php
http://goldensand.ru/index.php
http://filesearch.ru/index.php
http://devx.nm.ru/index.php
http://ros-neftbank.ru/index.php
http://lovingod.host.sk/index.php
http://www.redline.ru/index.php
http://cvv.ru/index.php
http://hackers.lv/index.php
http://fethard.biz/index.php
http://ldark.nm.ru/index.htm
http://gaz-prom.ru/index.htm
http://promo.ru/index.htm
http://potleaf.chat.ru/index.htm
http://kadet.ru/index.htm
http://cvv.ru/index.htm
http://crutop.nu/index.htm
http://crutop.ru/index.htm
http://mazafaka.ru/index.htm
http://xware.cjb.net/index.htm
http://konfiskat.org/index.htm
http://parex-bank.ru/index.htm
http://kidos-bank.ru/index.htm
http://kavkaz.ru/index.htm
http://fethard.biz/index.htm
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
Processes:
Cbgobp32.exeGlpepj32.exeIclbpj32.exeJlnmel32.exeJpgmpk32.exeAacmij32.exeAgbbgqhh.exeBhonjg32.exeBhdhefpc.exeHiioin32.exeJnofgg32.exeMgmdapml.exeOefjdgjk.exeDcdkef32.exeFkqlgc32.exeIaimipjl.exeEikfdl32.exeNknimnap.exePaocnkph.exeAnjnnk32.exeAjckilei.exeDboeco32.exeIegeonpc.exeJggoqimd.exeNqokpd32.exeOlbogqoe.exeFamaimfe.exeFpbnjjkm.exeIinhdmma.exeOpfegp32.exeQoeamo32.exeCgidfcdk.exeApkgpf32.exeIfolhann.exeGkgoff32.exeLlmmpcfe.exeOniebmda.exePaaddgkj.exePblcbn32.exeDgnjqe32.exeKhnapkjg.exePjihmmbk.exePioeoi32.exeCnejim32.exeGonale32.exeOflpgnld.exeApmcefmf.exeFdkmeiei.exeKbhbai32.exeOnlahm32.exeOjbbmnhc.exeJbfilffm.exeKoflgf32.exe7a26254828fc66756ddbc8f56167e7cddf1ebc7731bc7600bb0e112c10f28facN.exeFggmldfp.exeFaonom32.exeGgapbcne.exeGajqbakc.exeHbofmcij.exeKmfpmc32.exeOefjdgjk.exeOdmckcmq.exedescription ioc process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cbgobp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Glpepj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iclbpj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jlnmel32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jpgmpk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aacmij32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Agbbgqhh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bhonjg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bhdhefpc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hiioin32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jnofgg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mgmdapml.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oefjdgjk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dcdkef32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fkqlgc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iaimipjl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eikfdl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nknimnap.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Paocnkph.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Anjnnk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ajckilei.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dboeco32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iegeonpc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jggoqimd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nqokpd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Olbogqoe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Famaimfe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fpbnjjkm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iinhdmma.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Opfegp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qoeamo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cgidfcdk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Apkgpf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ifolhann.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gkgoff32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Llmmpcfe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oniebmda.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Paaddgkj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pblcbn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dgnjqe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Khnapkjg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pjihmmbk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pioeoi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cnejim32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fkqlgc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gonale32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oflpgnld.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Apmcefmf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fdkmeiei.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kbhbai32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Onlahm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ojbbmnhc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bhdhefpc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jbfilffm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Koflgf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad 7a26254828fc66756ddbc8f56167e7cddf1ebc7731bc7600bb0e112c10f28facN.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fggmldfp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Faonom32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ggapbcne.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gajqbakc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hbofmcij.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kmfpmc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oefjdgjk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Odmckcmq.exe -
Berbew family
-
Executes dropped EXE 64 IoCs
Processes:
Lkdjglfo.exeLncfcgeb.exeLdmopa32.exeLnecigcp.exeLdokfakl.exeLkicbk32.exeLngpog32.exeLcdhgn32.exeLgpdglhn.exeLlmmpcfe.exeMphiqbon.exeMgbaml32.exeMjqmig32.exeMomfan32.exeMblbnj32.exeMfgnnhkc.exeMkdffoij.exeMopbgn32.exeMbnocipg.exeMfjkdh32.exeMmccqbpm.exeMobomnoq.exeMbqkiind.exeMbqkiind.exeMgmdapml.exeMkipao32.exeMdadjd32.exeNgpqfp32.exeNjnmbk32.exeNqhepeai.exeNknimnap.exeNqjaeeog.exeNcinap32.exeNfgjml32.exeNnnbni32.exeNfigck32.exeNjeccjcd.exeNqokpd32.exeNcmglp32.exeNflchkii.exeNmflee32.exeNlilqbgp.exeOimmjffj.exeOlkifaen.exeOpfegp32.exeOniebmda.exeOfqmcj32.exeOecmogln.exeOhbikbkb.exeOpialpld.exeOnlahm32.exeObgnhkkh.exeOefjdgjk.exeOefjdgjk.exeOiafee32.exeOlpbaa32.exeOjbbmnhc.exeObjjnkie.exeOalkih32.exeOdkgec32.exeOlbogqoe.exeOjeobm32.exeOmckoi32.exeOaogognm.exepid process 2700 Lkdjglfo.exe 2676 Lncfcgeb.exe 2828 Ldmopa32.exe 2748 Lnecigcp.exe 800 Ldokfakl.exe 576 Lkicbk32.exe 2420 Lngpog32.exe 1664 Lcdhgn32.exe 344 Lgpdglhn.exe 1704 Llmmpcfe.exe 1688 Mphiqbon.exe 536 Mgbaml32.exe 2352 Mjqmig32.exe 1720 Momfan32.exe 1200 Mblbnj32.exe 2364 Mfgnnhkc.exe 840 Mkdffoij.exe 1864 Mopbgn32.exe 2528 Mbnocipg.exe 1528 Mfjkdh32.exe 3068 Mmccqbpm.exe 1440 Mobomnoq.exe 2264 Mbqkiind.exe 280 Mbqkiind.exe 2072 Mgmdapml.exe 2660 Mkipao32.exe 2820 Mdadjd32.exe 2384 Ngpqfp32.exe 2576 Njnmbk32.exe 1204 Nqhepeai.exe 3056 Nknimnap.exe 2976 Nqjaeeog.exe 1996 Ncinap32.exe 620 Nfgjml32.exe 2044 Nnnbni32.exe 2076 Nfigck32.exe 324 Njeccjcd.exe 1112 Nqokpd32.exe 588 Ncmglp32.exe 1800 Nflchkii.exe 2344 Nmflee32.exe 1368 Nlilqbgp.exe 1604 Oimmjffj.exe 760 Olkifaen.exe 1228 Opfegp32.exe 1524 Oniebmda.exe 1516 Ofqmcj32.exe 2252 Oecmogln.exe 2124 Ohbikbkb.exe 1592 Opialpld.exe 2780 Onlahm32.exe 2744 Obgnhkkh.exe 2596 Oefjdgjk.exe 2672 Oefjdgjk.exe 3004 Oiafee32.exe 2588 Olpbaa32.exe 2104 Ojbbmnhc.exe 2732 Objjnkie.exe 2848 Oalkih32.exe 1768 Odkgec32.exe 3064 Olbogqoe.exe 2472 Ojeobm32.exe 1984 Omckoi32.exe 908 Oaogognm.exe -
Loads dropped DLL 64 IoCs
Processes:
7a26254828fc66756ddbc8f56167e7cddf1ebc7731bc7600bb0e112c10f28facN.exeLkdjglfo.exeLncfcgeb.exeLdmopa32.exeLnecigcp.exeLdokfakl.exeLkicbk32.exeLngpog32.exeLcdhgn32.exeLgpdglhn.exeLlmmpcfe.exeMphiqbon.exeMgbaml32.exeMjqmig32.exeMomfan32.exeMblbnj32.exeMfgnnhkc.exeMkdffoij.exeMopbgn32.exeMbnocipg.exeMfjkdh32.exeMmccqbpm.exeMobomnoq.exeMbqkiind.exeMbqkiind.exeMgmdapml.exeMkipao32.exeMdadjd32.exeNgpqfp32.exeNjnmbk32.exeNqhepeai.exeNknimnap.exepid process 2212 7a26254828fc66756ddbc8f56167e7cddf1ebc7731bc7600bb0e112c10f28facN.exe 2212 7a26254828fc66756ddbc8f56167e7cddf1ebc7731bc7600bb0e112c10f28facN.exe 2700 Lkdjglfo.exe 2700 Lkdjglfo.exe 2676 Lncfcgeb.exe 2676 Lncfcgeb.exe 2828 Ldmopa32.exe 2828 Ldmopa32.exe 2748 Lnecigcp.exe 2748 Lnecigcp.exe 800 Ldokfakl.exe 800 Ldokfakl.exe 576 Lkicbk32.exe 576 Lkicbk32.exe 2420 Lngpog32.exe 2420 Lngpog32.exe 1664 Lcdhgn32.exe 1664 Lcdhgn32.exe 344 Lgpdglhn.exe 344 Lgpdglhn.exe 1704 Llmmpcfe.exe 1704 Llmmpcfe.exe 1688 Mphiqbon.exe 1688 Mphiqbon.exe 536 Mgbaml32.exe 536 Mgbaml32.exe 2352 Mjqmig32.exe 2352 Mjqmig32.exe 1720 Momfan32.exe 1720 Momfan32.exe 1200 Mblbnj32.exe 1200 Mblbnj32.exe 2364 Mfgnnhkc.exe 2364 Mfgnnhkc.exe 840 Mkdffoij.exe 840 Mkdffoij.exe 1864 Mopbgn32.exe 1864 Mopbgn32.exe 2528 Mbnocipg.exe 2528 Mbnocipg.exe 1528 Mfjkdh32.exe 1528 Mfjkdh32.exe 3068 Mmccqbpm.exe 3068 Mmccqbpm.exe 1440 Mobomnoq.exe 1440 Mobomnoq.exe 2264 Mbqkiind.exe 2264 Mbqkiind.exe 280 Mbqkiind.exe 280 Mbqkiind.exe 2072 Mgmdapml.exe 2072 Mgmdapml.exe 2660 Mkipao32.exe 2660 Mkipao32.exe 2820 Mdadjd32.exe 2820 Mdadjd32.exe 2384 Ngpqfp32.exe 2384 Ngpqfp32.exe 2576 Njnmbk32.exe 2576 Njnmbk32.exe 1204 Nqhepeai.exe 1204 Nqhepeai.exe 3056 Nknimnap.exe 3056 Nknimnap.exe -
Drops file in System32 directory 64 IoCs
Processes:
Ahpbkd32.exeQmhahkdj.exeGlpepj32.exeHjohmbpd.exeMfgnnhkc.exeEpnhpglg.exeGlnhjjml.exeOefjdgjk.exeCceogcfj.exeKmfpmc32.exeAeoijidl.exeOefjdgjk.exePdbmfb32.exeBfcodkcb.exeJpjifjdg.exeNnnbni32.exePmehdh32.exeGlbaei32.exeHgciff32.exeHmpaom32.exeMmccqbpm.exePpinkcnp.exeAgeompfe.exeBhmaeg32.exeDnjoco32.exeGehiioaj.exePbemboof.exeAdfbpega.exeCqfbjhgf.exeFahhnn32.exeGkgoff32.exeKbjbge32.exeKkojbf32.exePblcbn32.exeIaimipjl.exeIclbpj32.exeHcepqh32.exeOhbikbkb.exePjihmmbk.exeDgiaefgg.exeDgnjqe32.exeFggmldfp.exeOpfegp32.exeFdiqpigl.exeGonale32.exeLplbjm32.exeBjjaikoa.exeOlbogqoe.exePbigmn32.exeQejpoi32.exeQkghgpfi.exeBbjpil32.exeHqgddm32.exeKkmmlgik.exeOjbbmnhc.exeBnochnpm.exeCbgobp32.exeGojhafnb.exeIkldqile.exeJlqjkk32.exePfbfhm32.exeNqjaeeog.exedescription ioc process File created C:\Windows\SysWOW64\Agbbgqhh.exe Ahpbkd32.exe File opened for modification C:\Windows\SysWOW64\Aacmij32.exe Qmhahkdj.exe File opened for modification C:\Windows\SysWOW64\Gkcekfad.exe Glpepj32.exe File created C:\Windows\SysWOW64\Mmichb32.dll Hjohmbpd.exe File created C:\Windows\SysWOW64\Epflllfi.dll Mfgnnhkc.exe File opened for modification C:\Windows\SysWOW64\Edidqf32.exe Epnhpglg.exe File opened for modification C:\Windows\SysWOW64\Goldfelp.exe Glnhjjml.exe File opened for modification C:\Windows\SysWOW64\Dhigkm32.dll Oefjdgjk.exe File created C:\Windows\SysWOW64\Ohpjoahj.dll Cceogcfj.exe File opened for modification C:\Windows\SysWOW64\Kenhopmf.exe Kmfpmc32.exe File created C:\Windows\SysWOW64\Bmbhcoif.dll Aeoijidl.exe File opened for modification C:\Windows\SysWOW64\Oiafee32.exe Oefjdgjk.exe File created C:\Windows\SysWOW64\Qaacem32.dll Pdbmfb32.exe File created C:\Windows\SysWOW64\Hahkbf32.dll Bfcodkcb.exe File created C:\Windows\SysWOW64\Hgajdjlj.dll Jpjifjdg.exe File created C:\Windows\SysWOW64\Ocamldcp.dll Nnnbni32.exe File opened for modification C:\Windows\SysWOW64\Paaddgkj.exe Pmehdh32.exe File created C:\Windows\SysWOW64\Gncnmane.exe Glbaei32.exe File created C:\Windows\SysWOW64\Hjaeba32.exe Hgciff32.exe File created C:\Windows\SysWOW64\Jfmgba32.dll Hmpaom32.exe File created C:\Windows\SysWOW64\Mobomnoq.exe Mmccqbpm.exe File created C:\Windows\SysWOW64\Kejjjbbm.dll Ppinkcnp.exe File created C:\Windows\SysWOW64\Akpkmo32.exe Ageompfe.exe File created C:\Windows\SysWOW64\Bkknac32.exe Bhmaeg32.exe File opened for modification C:\Windows\SysWOW64\Dmmpolof.exe Dnjoco32.exe File opened for modification C:\Windows\SysWOW64\Ghgfekpn.exe Gehiioaj.exe File created C:\Windows\SysWOW64\Pjleclph.exe Pbemboof.exe File created C:\Windows\SysWOW64\Qjqkek32.dll Adfbpega.exe File created C:\Windows\SysWOW64\Elnfdpam.dll Cqfbjhgf.exe File created C:\Windows\SysWOW64\Ilalae32.dll Fahhnn32.exe File created C:\Windows\SysWOW64\Pkbnjifp.dll Gkgoff32.exe File opened for modification C:\Windows\SysWOW64\Keioca32.exe Kbjbge32.exe File opened for modification C:\Windows\SysWOW64\Libjncnc.exe Kkojbf32.exe File created C:\Windows\SysWOW64\Hqgggnne.dll Pblcbn32.exe File opened for modification C:\Windows\SysWOW64\Iipejmko.exe Iaimipjl.exe File created C:\Windows\SysWOW64\Keppajog.dll Iclbpj32.exe File created C:\Windows\SysWOW64\Eqpkfe32.dll Hcepqh32.exe File created C:\Windows\SysWOW64\Opialpld.exe Ohbikbkb.exe File opened for modification C:\Windows\SysWOW64\Pmhejhao.exe Pjihmmbk.exe File created C:\Windows\SysWOW64\Gdecfn32.dll Ageompfe.exe File created C:\Windows\SysWOW64\Bnnjlmid.dll Dgiaefgg.exe File opened for modification C:\Windows\SysWOW64\Dlifadkk.exe Dgnjqe32.exe File opened for modification C:\Windows\SysWOW64\Fooembgb.exe Fggmldfp.exe File opened for modification C:\Windows\SysWOW64\Oniebmda.exe Opfegp32.exe File opened for modification C:\Windows\SysWOW64\Fggmldfp.exe Fdiqpigl.exe File created C:\Windows\SysWOW64\Gamnhq32.exe Gonale32.exe File opened for modification C:\Windows\SysWOW64\Lbjofi32.exe Lplbjm32.exe File created C:\Windows\SysWOW64\Ppiidm32.dll Bjjaikoa.exe File created C:\Windows\SysWOW64\Egncgo32.dll Olbogqoe.exe File created C:\Windows\SysWOW64\Apimlcdc.dll Pbigmn32.exe File created C:\Windows\SysWOW64\Mahildbb.dll Qejpoi32.exe File opened for modification C:\Windows\SysWOW64\Qobdgo32.exe Qkghgpfi.exe File opened for modification C:\Windows\SysWOW64\Bqmpdioa.exe Bbjpil32.exe File created C:\Windows\SysWOW64\Hcepqh32.exe Hqgddm32.exe File created C:\Windows\SysWOW64\Canhhi32.dll Kkmmlgik.exe File created C:\Windows\SysWOW64\Objjnkie.exe Ojbbmnhc.exe File created C:\Windows\SysWOW64\Bhcgiiek.dll Qkghgpfi.exe File created C:\Windows\SysWOW64\Bbjpil32.exe Bnochnpm.exe File opened for modification C:\Windows\SysWOW64\Cjogcm32.exe Cbgobp32.exe File created C:\Windows\SysWOW64\Ggapbcne.exe Gojhafnb.exe File opened for modification C:\Windows\SysWOW64\Iogpag32.exe Ikldqile.exe File created C:\Windows\SysWOW64\Jnofgg32.exe Jlqjkk32.exe File created C:\Windows\SysWOW64\Pihmcioe.dll Pfbfhm32.exe File created C:\Windows\SysWOW64\Ncinap32.exe Nqjaeeog.exe -
Program crash 1 IoCs
Processes:
WerFault.exepid pid_target process target process 4740 4688 WerFault.exe Lbjofi32.exe -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
Oefjdgjk.exeCqfbjhgf.exeFahhnn32.exeGamnhq32.exePonklpcg.exeAaejojjq.exeCqdfehii.exeCmppehkh.exeElibpg32.exeFggmldfp.exeFooembgb.exeInmmbc32.exeJfmkbebl.exeJikhnaao.exeOmckoi32.exeQobdgo32.exeQmhahkdj.exeBbjpil32.exeIbfmmb32.exeJjfkmdlg.exeKekkiq32.exeOfqmcj32.exePpddpd32.exePdbmfb32.exeBfoeil32.exeCjhabndo.exeCglalbbi.exeDnefhpma.exeKhgkpl32.exeMobomnoq.exeAeoijidl.exeDgiaefgg.exeLbjofi32.exePhklaacg.exeEfjmbaba.exeGonale32.exeGhgfekpn.exeHgqlafap.exeHoqjqhjf.exeKkojbf32.exeQdompf32.exeDihmpinj.exeFccglehn.exeHgeelf32.exeNqhepeai.exeAgbbgqhh.exeBjjaikoa.exeGiolnomh.exeGhibjjnk.exeIkqnlh32.exeFamaimfe.exeGlpepj32.exeIgqhpj32.exeKfodfh32.exeNqjaeeog.exePacajg32.exeApkgpf32.exeBhkeohhn.exeBddbjhlp.exeDpnladjl.exeJmipdo32.exePjihmmbk.exeCogfqe32.exeJefbnacn.exedescription ioc process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oefjdgjk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cqfbjhgf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fahhnn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gamnhq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ponklpcg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aaejojjq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cqdfehii.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cmppehkh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Elibpg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fggmldfp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fooembgb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Inmmbc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jfmkbebl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jikhnaao.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Omckoi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qobdgo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qmhahkdj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bbjpil32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ibfmmb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jjfkmdlg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kekkiq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ofqmcj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ppddpd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pdbmfb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bfoeil32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cjhabndo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cglalbbi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dnefhpma.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Khgkpl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mobomnoq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aeoijidl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dgiaefgg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lbjofi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Phklaacg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Efjmbaba.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gonale32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ghgfekpn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hgqlafap.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hoqjqhjf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kkojbf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qdompf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dihmpinj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fccglehn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hgeelf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nqhepeai.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Agbbgqhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bjjaikoa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Giolnomh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ghibjjnk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ikqnlh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Famaimfe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Glpepj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Igqhpj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kfodfh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nqjaeeog.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pacajg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Apkgpf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bhkeohhn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bddbjhlp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dpnladjl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jmipdo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pjihmmbk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cogfqe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jefbnacn.exe -
Modifies registry class 64 IoCs
Processes:
Ofqmcj32.exeFccglehn.exeKmfpmc32.exeLplbjm32.exeMgbaml32.exeBhonjg32.exeBkpglbaj.exeDlifadkk.exeEpnhpglg.exeEfljhq32.exeFamaimfe.exeIegeonpc.exeNjeccjcd.exeJabponba.exeNqokpd32.exeOjbbmnhc.exeBgghac32.exeGekfnoog.exeIinhdmma.exeMkdffoij.exeNcmglp32.exeOlkifaen.exePbemboof.exeBcbfbp32.exeDhbdleol.exeHcepqh32.exeIoeclg32.exeNcinap32.exeJggoqimd.exeBbllnlfd.exeKhjgel32.exeKmkihbho.exeQhkipdeb.exeCmppehkh.exeFeddombd.exeFijbco32.exeBknjfb32.exeQmhahkdj.exeFakdcnhh.exeMphiqbon.exeDafoikjb.exeFooembgb.exeKbhbai32.exeMmccqbpm.exeAacmij32.exeApppkekc.exeJipaip32.exePbgjgomc.exeQobdgo32.exePacajg32.exeAjehnk32.exeAlddjg32.exeHgnokgcc.exePehcij32.exeFahhnn32.exeJbhebfck.exeLncfcgeb.exeCnejim32.exePblcbn32.exeDgiaefgg.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ofqmcj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fccglehn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kmfpmc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lplbjm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mgbaml32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bhonjg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bkpglbaj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dlifadkk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcnllk32.dll" Epnhpglg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Efljhq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Famaimfe.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Iegeonpc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Apjlggne.dll" Njeccjcd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jabponba.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fchopn32.dll" Nqokpd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Knbnol32.dll" Ojbbmnhc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bgghac32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mdaaomdi.dll" Gekfnoog.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogbogkjn.dll" Iinhdmma.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bipalg32.dll" Mkdffoij.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ncmglp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Olkifaen.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcfoeb32.dll" Pbemboof.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bcbfbp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Acblbcob.dll" Dhbdleol.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eqpkfe32.dll" Hcepqh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ioeclg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ncinap32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jggoqimd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Flkeabdg.dll" Bbllnlfd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdnfmn32.dll" Khjgel32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kmkihbho.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mehoblpm.dll" Qhkipdeb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dobfbpbc.dll" Cmppehkh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Feddombd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fijbco32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bknjfb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qmhahkdj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fakdcnhh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mphiqbon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lhkbmo32.dll" Dafoikjb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fooembgb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kbhbai32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mmccqbpm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aacmij32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Abkeba32.dll" Apppkekc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jipaip32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlhdnf32.dll" Pbgjgomc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hagojlib.dll" Qobdgo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pacajg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ajehnk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Alddjg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Apppkekc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dlifadkk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hgnokgcc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Khjgel32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Opilhdhd.dll" Pehcij32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fahhnn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmnfciac.dll" Jbhebfck.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmfejo32.dll" Lncfcgeb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cnejim32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Khjgel32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hqgggnne.dll" Pblcbn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dgiaefgg.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
7a26254828fc66756ddbc8f56167e7cddf1ebc7731bc7600bb0e112c10f28facN.exeLkdjglfo.exeLncfcgeb.exeLdmopa32.exeLnecigcp.exeLdokfakl.exeLkicbk32.exeLngpog32.exeLcdhgn32.exeLgpdglhn.exeLlmmpcfe.exeMphiqbon.exeMgbaml32.exeMjqmig32.exeMomfan32.exeMblbnj32.exedescription pid process target process PID 2212 wrote to memory of 2700 2212 7a26254828fc66756ddbc8f56167e7cddf1ebc7731bc7600bb0e112c10f28facN.exe Lkdjglfo.exe PID 2212 wrote to memory of 2700 2212 7a26254828fc66756ddbc8f56167e7cddf1ebc7731bc7600bb0e112c10f28facN.exe Lkdjglfo.exe PID 2212 wrote to memory of 2700 2212 7a26254828fc66756ddbc8f56167e7cddf1ebc7731bc7600bb0e112c10f28facN.exe Lkdjglfo.exe PID 2212 wrote to memory of 2700 2212 7a26254828fc66756ddbc8f56167e7cddf1ebc7731bc7600bb0e112c10f28facN.exe Lkdjglfo.exe PID 2700 wrote to memory of 2676 2700 Lkdjglfo.exe Lncfcgeb.exe PID 2700 wrote to memory of 2676 2700 Lkdjglfo.exe Lncfcgeb.exe PID 2700 wrote to memory of 2676 2700 Lkdjglfo.exe Lncfcgeb.exe PID 2700 wrote to memory of 2676 2700 Lkdjglfo.exe Lncfcgeb.exe PID 2676 wrote to memory of 2828 2676 Lncfcgeb.exe Ldmopa32.exe PID 2676 wrote to memory of 2828 2676 Lncfcgeb.exe Ldmopa32.exe PID 2676 wrote to memory of 2828 2676 Lncfcgeb.exe Ldmopa32.exe PID 2676 wrote to memory of 2828 2676 Lncfcgeb.exe Ldmopa32.exe PID 2828 wrote to memory of 2748 2828 Ldmopa32.exe Lnecigcp.exe PID 2828 wrote to memory of 2748 2828 Ldmopa32.exe Lnecigcp.exe PID 2828 wrote to memory of 2748 2828 Ldmopa32.exe Lnecigcp.exe PID 2828 wrote to memory of 2748 2828 Ldmopa32.exe Lnecigcp.exe PID 2748 wrote to memory of 800 2748 Lnecigcp.exe Ldokfakl.exe PID 2748 wrote to memory of 800 2748 Lnecigcp.exe Ldokfakl.exe PID 2748 wrote to memory of 800 2748 Lnecigcp.exe Ldokfakl.exe PID 2748 wrote to memory of 800 2748 Lnecigcp.exe Ldokfakl.exe PID 800 wrote to memory of 576 800 Ldokfakl.exe Lkicbk32.exe PID 800 wrote to memory of 576 800 Ldokfakl.exe Lkicbk32.exe PID 800 wrote to memory of 576 800 Ldokfakl.exe Lkicbk32.exe PID 800 wrote to memory of 576 800 Ldokfakl.exe Lkicbk32.exe PID 576 wrote to memory of 2420 576 Lkicbk32.exe Lngpog32.exe PID 576 wrote to memory of 2420 576 Lkicbk32.exe Lngpog32.exe PID 576 wrote to memory of 2420 576 Lkicbk32.exe Lngpog32.exe PID 576 wrote to memory of 2420 576 Lkicbk32.exe Lngpog32.exe PID 2420 wrote to memory of 1664 2420 Lngpog32.exe Lcdhgn32.exe PID 2420 wrote to memory of 1664 2420 Lngpog32.exe Lcdhgn32.exe PID 2420 wrote to memory of 1664 2420 Lngpog32.exe Lcdhgn32.exe PID 2420 wrote to memory of 1664 2420 Lngpog32.exe Lcdhgn32.exe PID 1664 wrote to memory of 344 1664 Lcdhgn32.exe Lgpdglhn.exe PID 1664 wrote to memory of 344 1664 Lcdhgn32.exe Lgpdglhn.exe PID 1664 wrote to memory of 344 1664 Lcdhgn32.exe Lgpdglhn.exe PID 1664 wrote to memory of 344 1664 Lcdhgn32.exe Lgpdglhn.exe PID 344 wrote to memory of 1704 344 Lgpdglhn.exe Llmmpcfe.exe PID 344 wrote to memory of 1704 344 Lgpdglhn.exe Llmmpcfe.exe PID 344 wrote to memory of 1704 344 Lgpdglhn.exe Llmmpcfe.exe PID 344 wrote to memory of 1704 344 Lgpdglhn.exe Llmmpcfe.exe PID 1704 wrote to memory of 1688 1704 Llmmpcfe.exe Mphiqbon.exe PID 1704 wrote to memory of 1688 1704 Llmmpcfe.exe Mphiqbon.exe PID 1704 wrote to memory of 1688 1704 Llmmpcfe.exe Mphiqbon.exe PID 1704 wrote to memory of 1688 1704 Llmmpcfe.exe Mphiqbon.exe PID 1688 wrote to memory of 536 1688 Mphiqbon.exe Mgbaml32.exe PID 1688 wrote to memory of 536 1688 Mphiqbon.exe Mgbaml32.exe PID 1688 wrote to memory of 536 1688 Mphiqbon.exe Mgbaml32.exe PID 1688 wrote to memory of 536 1688 Mphiqbon.exe Mgbaml32.exe PID 536 wrote to memory of 2352 536 Mgbaml32.exe Mjqmig32.exe PID 536 wrote to memory of 2352 536 Mgbaml32.exe Mjqmig32.exe PID 536 wrote to memory of 2352 536 Mgbaml32.exe Mjqmig32.exe PID 536 wrote to memory of 2352 536 Mgbaml32.exe Mjqmig32.exe PID 2352 wrote to memory of 1720 2352 Mjqmig32.exe Momfan32.exe PID 2352 wrote to memory of 1720 2352 Mjqmig32.exe Momfan32.exe PID 2352 wrote to memory of 1720 2352 Mjqmig32.exe Momfan32.exe PID 2352 wrote to memory of 1720 2352 Mjqmig32.exe Momfan32.exe PID 1720 wrote to memory of 1200 1720 Momfan32.exe Mblbnj32.exe PID 1720 wrote to memory of 1200 1720 Momfan32.exe Mblbnj32.exe PID 1720 wrote to memory of 1200 1720 Momfan32.exe Mblbnj32.exe PID 1720 wrote to memory of 1200 1720 Momfan32.exe Mblbnj32.exe PID 1200 wrote to memory of 2364 1200 Mblbnj32.exe Mfgnnhkc.exe PID 1200 wrote to memory of 2364 1200 Mblbnj32.exe Mfgnnhkc.exe PID 1200 wrote to memory of 2364 1200 Mblbnj32.exe Mfgnnhkc.exe PID 1200 wrote to memory of 2364 1200 Mblbnj32.exe Mfgnnhkc.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\7a26254828fc66756ddbc8f56167e7cddf1ebc7731bc7600bb0e112c10f28facN.exe"C:\Users\Admin\AppData\Local\Temp\7a26254828fc66756ddbc8f56167e7cddf1ebc7731bc7600bb0e112c10f28facN.exe"1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2212 -
C:\Windows\SysWOW64\Lkdjglfo.exeC:\Windows\system32\Lkdjglfo.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2700 -
C:\Windows\SysWOW64\Lncfcgeb.exeC:\Windows\system32\Lncfcgeb.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2676 -
C:\Windows\SysWOW64\Ldmopa32.exeC:\Windows\system32\Ldmopa32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2828 -
C:\Windows\SysWOW64\Lnecigcp.exeC:\Windows\system32\Lnecigcp.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2748 -
C:\Windows\SysWOW64\Ldokfakl.exeC:\Windows\system32\Ldokfakl.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:800 -
C:\Windows\SysWOW64\Lkicbk32.exeC:\Windows\system32\Lkicbk32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:576 -
C:\Windows\SysWOW64\Lngpog32.exeC:\Windows\system32\Lngpog32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2420 -
C:\Windows\SysWOW64\Lcdhgn32.exeC:\Windows\system32\Lcdhgn32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1664 -
C:\Windows\SysWOW64\Lgpdglhn.exeC:\Windows\system32\Lgpdglhn.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:344 -
C:\Windows\SysWOW64\Llmmpcfe.exeC:\Windows\system32\Llmmpcfe.exe11⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1704 -
C:\Windows\SysWOW64\Mphiqbon.exeC:\Windows\system32\Mphiqbon.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1688 -
C:\Windows\SysWOW64\Mgbaml32.exeC:\Windows\system32\Mgbaml32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:536 -
C:\Windows\SysWOW64\Mjqmig32.exeC:\Windows\system32\Mjqmig32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2352 -
C:\Windows\SysWOW64\Momfan32.exeC:\Windows\system32\Momfan32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1720 -
C:\Windows\SysWOW64\Mblbnj32.exeC:\Windows\system32\Mblbnj32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1200 -
C:\Windows\SysWOW64\Mfgnnhkc.exeC:\Windows\system32\Mfgnnhkc.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2364 -
C:\Windows\SysWOW64\Mkdffoij.exeC:\Windows\system32\Mkdffoij.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:840 -
C:\Windows\SysWOW64\Mopbgn32.exeC:\Windows\system32\Mopbgn32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1864 -
C:\Windows\SysWOW64\Mbnocipg.exeC:\Windows\system32\Mbnocipg.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2528 -
C:\Windows\SysWOW64\Mfjkdh32.exeC:\Windows\system32\Mfjkdh32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1528 -
C:\Windows\SysWOW64\Mmccqbpm.exeC:\Windows\system32\Mmccqbpm.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:3068 -
C:\Windows\SysWOW64\Mobomnoq.exeC:\Windows\system32\Mobomnoq.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1440 -
C:\Windows\SysWOW64\Mbqkiind.exeC:\Windows\system32\Mbqkiind.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2264 -
C:\Windows\SysWOW64\Mbqkiind.exeC:\Windows\system32\Mbqkiind.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:280 -
C:\Windows\SysWOW64\Mgmdapml.exeC:\Windows\system32\Mgmdapml.exe26⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2072 -
C:\Windows\SysWOW64\Mkipao32.exeC:\Windows\system32\Mkipao32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2660 -
C:\Windows\SysWOW64\Mdadjd32.exeC:\Windows\system32\Mdadjd32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2820 -
C:\Windows\SysWOW64\Ngpqfp32.exeC:\Windows\system32\Ngpqfp32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2384 -
C:\Windows\SysWOW64\Njnmbk32.exeC:\Windows\system32\Njnmbk32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2576 -
C:\Windows\SysWOW64\Nqhepeai.exeC:\Windows\system32\Nqhepeai.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1204 -
C:\Windows\SysWOW64\Nknimnap.exeC:\Windows\system32\Nknimnap.exe32⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:3056 -
C:\Windows\SysWOW64\Nqjaeeog.exeC:\Windows\system32\Nqjaeeog.exe33⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2976 -
C:\Windows\SysWOW64\Ncinap32.exeC:\Windows\system32\Ncinap32.exe34⤵
- Executes dropped EXE
- Modifies registry class
PID:1996 -
C:\Windows\SysWOW64\Nfgjml32.exeC:\Windows\system32\Nfgjml32.exe35⤵
- Executes dropped EXE
PID:620 -
C:\Windows\SysWOW64\Nnnbni32.exeC:\Windows\system32\Nnnbni32.exe36⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2044 -
C:\Windows\SysWOW64\Nfigck32.exeC:\Windows\system32\Nfigck32.exe37⤵
- Executes dropped EXE
PID:2076 -
C:\Windows\SysWOW64\Njeccjcd.exeC:\Windows\system32\Njeccjcd.exe38⤵
- Executes dropped EXE
- Modifies registry class
PID:324 -
C:\Windows\SysWOW64\Nqokpd32.exeC:\Windows\system32\Nqokpd32.exe39⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:1112 -
C:\Windows\SysWOW64\Ncmglp32.exeC:\Windows\system32\Ncmglp32.exe40⤵
- Executes dropped EXE
- Modifies registry class
PID:588 -
C:\Windows\SysWOW64\Nflchkii.exeC:\Windows\system32\Nflchkii.exe41⤵
- Executes dropped EXE
PID:1800 -
C:\Windows\SysWOW64\Nmflee32.exeC:\Windows\system32\Nmflee32.exe42⤵
- Executes dropped EXE
PID:2344 -
C:\Windows\SysWOW64\Nlilqbgp.exeC:\Windows\system32\Nlilqbgp.exe43⤵
- Executes dropped EXE
PID:1368 -
C:\Windows\SysWOW64\Oimmjffj.exeC:\Windows\system32\Oimmjffj.exe44⤵
- Executes dropped EXE
PID:1604 -
C:\Windows\SysWOW64\Olkifaen.exeC:\Windows\system32\Olkifaen.exe45⤵
- Executes dropped EXE
- Modifies registry class
PID:760 -
C:\Windows\SysWOW64\Opfegp32.exeC:\Windows\system32\Opfegp32.exe46⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:1228 -
C:\Windows\SysWOW64\Oniebmda.exeC:\Windows\system32\Oniebmda.exe47⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1524 -
C:\Windows\SysWOW64\Ofqmcj32.exeC:\Windows\system32\Ofqmcj32.exe48⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1516 -
C:\Windows\SysWOW64\Oecmogln.exeC:\Windows\system32\Oecmogln.exe49⤵
- Executes dropped EXE
PID:2252 -
C:\Windows\SysWOW64\Ohbikbkb.exeC:\Windows\system32\Ohbikbkb.exe50⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2124 -
C:\Windows\SysWOW64\Opialpld.exeC:\Windows\system32\Opialpld.exe51⤵
- Executes dropped EXE
PID:1592 -
C:\Windows\SysWOW64\Onlahm32.exeC:\Windows\system32\Onlahm32.exe52⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2780 -
C:\Windows\SysWOW64\Obgnhkkh.exeC:\Windows\system32\Obgnhkkh.exe53⤵
- Executes dropped EXE
PID:2744 -
C:\Windows\SysWOW64\Oefjdgjk.exeC:\Windows\system32\Oefjdgjk.exe54⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2596 -
C:\Windows\SysWOW64\Oefjdgjk.exeC:\Windows\system32\Oefjdgjk.exe55⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2672 -
C:\Windows\SysWOW64\Oiafee32.exeC:\Windows\system32\Oiafee32.exe56⤵
- Executes dropped EXE
PID:3004 -
C:\Windows\SysWOW64\Olpbaa32.exeC:\Windows\system32\Olpbaa32.exe57⤵
- Executes dropped EXE
PID:2588 -
C:\Windows\SysWOW64\Ojbbmnhc.exeC:\Windows\system32\Ojbbmnhc.exe58⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2104 -
C:\Windows\SysWOW64\Objjnkie.exeC:\Windows\system32\Objjnkie.exe59⤵
- Executes dropped EXE
PID:2732 -
C:\Windows\SysWOW64\Oalkih32.exeC:\Windows\system32\Oalkih32.exe60⤵
- Executes dropped EXE
PID:2848 -
C:\Windows\SysWOW64\Odkgec32.exeC:\Windows\system32\Odkgec32.exe61⤵
- Executes dropped EXE
PID:1768 -
C:\Windows\SysWOW64\Olbogqoe.exeC:\Windows\system32\Olbogqoe.exe62⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:3064 -
C:\Windows\SysWOW64\Ojeobm32.exeC:\Windows\system32\Ojeobm32.exe63⤵
- Executes dropped EXE
PID:2472 -
C:\Windows\SysWOW64\Omckoi32.exeC:\Windows\system32\Omckoi32.exe64⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1984 -
C:\Windows\SysWOW64\Oaogognm.exeC:\Windows\system32\Oaogognm.exe65⤵
- Executes dropped EXE
PID:908 -
C:\Windows\SysWOW64\Oejcpf32.exeC:\Windows\system32\Oejcpf32.exe66⤵PID:1824
-
C:\Windows\SysWOW64\Odmckcmq.exeC:\Windows\system32\Odmckcmq.exe67⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:848 -
C:\Windows\SysWOW64\Oflpgnld.exeC:\Windows\system32\Oflpgnld.exe68⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1816 -
C:\Windows\SysWOW64\Ojglhm32.exeC:\Windows\system32\Ojglhm32.exe69⤵PID:2232
-
C:\Windows\SysWOW64\Pmehdh32.exeC:\Windows\system32\Pmehdh32.exe70⤵
- Drops file in System32 directory
PID:2824 -
C:\Windows\SysWOW64\Paaddgkj.exeC:\Windows\system32\Paaddgkj.exe71⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2832 -
C:\Windows\SysWOW64\Ppddpd32.exeC:\Windows\system32\Ppddpd32.exe72⤵
- System Location Discovery: System Language Discovery
PID:2684 -
C:\Windows\SysWOW64\Phklaacg.exeC:\Windows\system32\Phklaacg.exe73⤵
- System Location Discovery: System Language Discovery
PID:3008 -
C:\Windows\SysWOW64\Pjihmmbk.exeC:\Windows\system32\Pjihmmbk.exe74⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:276 -
C:\Windows\SysWOW64\Pmhejhao.exeC:\Windows\system32\Pmhejhao.exe75⤵PID:1280
-
C:\Windows\SysWOW64\Pacajg32.exeC:\Windows\system32\Pacajg32.exe76⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1732 -
C:\Windows\SysWOW64\Pdbmfb32.exeC:\Windows\system32\Pdbmfb32.exe77⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1744 -
C:\Windows\SysWOW64\Pbemboof.exeC:\Windows\system32\Pbemboof.exe78⤵
- Drops file in System32 directory
- Modifies registry class
PID:2060 -
C:\Windows\SysWOW64\Pjleclph.exeC:\Windows\system32\Pjleclph.exe79⤵PID:2180
-
C:\Windows\SysWOW64\Pioeoi32.exeC:\Windows\system32\Pioeoi32.exe80⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2172 -
C:\Windows\SysWOW64\Ppinkcnp.exeC:\Windows\system32\Ppinkcnp.exe81⤵
- Drops file in System32 directory
PID:1712 -
C:\Windows\SysWOW64\Pbgjgomc.exeC:\Windows\system32\Pbgjgomc.exe82⤵PID:2432
-
C:\Windows\SysWOW64\Pbgjgomc.exeC:\Windows\system32\Pbgjgomc.exe83⤵
- Modifies registry class
PID:2956 -
C:\Windows\SysWOW64\Pfbfhm32.exeC:\Windows\system32\Pfbfhm32.exe84⤵
- Drops file in System32 directory
PID:2248 -
C:\Windows\SysWOW64\Peefcjlg.exeC:\Windows\system32\Peefcjlg.exe85⤵PID:2536
-
C:\Windows\SysWOW64\Piabdiep.exeC:\Windows\system32\Piabdiep.exe86⤵PID:2408
-
C:\Windows\SysWOW64\Ponklpcg.exeC:\Windows\system32\Ponklpcg.exe87⤵
- System Location Discovery: System Language Discovery
PID:1560 -
C:\Windows\SysWOW64\Pbigmn32.exeC:\Windows\system32\Pbigmn32.exe88⤵
- Drops file in System32 directory
PID:2572 -
C:\Windows\SysWOW64\Pfebnmcj.exeC:\Windows\system32\Pfebnmcj.exe89⤵PID:2560
-
C:\Windows\SysWOW64\Pehcij32.exeC:\Windows\system32\Pehcij32.exe90⤵
- Modifies registry class
PID:2128 -
C:\Windows\SysWOW64\Ppmgfb32.exeC:\Windows\system32\Ppmgfb32.exe91⤵PID:1152
-
C:\Windows\SysWOW64\Pblcbn32.exeC:\Windows\system32\Pblcbn32.exe92⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:828 -
C:\Windows\SysWOW64\Paocnkph.exeC:\Windows\system32\Paocnkph.exe93⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:896 -
C:\Windows\SysWOW64\Qejpoi32.exeC:\Windows\system32\Qejpoi32.exe94⤵
- Drops file in System32 directory
PID:2028 -
C:\Windows\SysWOW64\Qhilkege.exeC:\Windows\system32\Qhilkege.exe95⤵PID:408
-
C:\Windows\SysWOW64\Qkghgpfi.exeC:\Windows\system32\Qkghgpfi.exe96⤵
- Drops file in System32 directory
PID:568 -
C:\Windows\SysWOW64\Qobdgo32.exeC:\Windows\system32\Qobdgo32.exe97⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1780 -
C:\Windows\SysWOW64\Qbnphngk.exeC:\Windows\system32\Qbnphngk.exe98⤵PID:2964
-
C:\Windows\SysWOW64\Qaapcj32.exeC:\Windows\system32\Qaapcj32.exe99⤵PID:1848
-
C:\Windows\SysWOW64\Qdompf32.exeC:\Windows\system32\Qdompf32.exe100⤵
- System Location Discovery: System Language Discovery
PID:1596 -
C:\Windows\SysWOW64\Qhkipdeb.exeC:\Windows\system32\Qhkipdeb.exe101⤵
- Modifies registry class
PID:2564 -
C:\Windows\SysWOW64\Qkielpdf.exeC:\Windows\system32\Qkielpdf.exe102⤵PID:3052
-
C:\Windows\SysWOW64\Qoeamo32.exeC:\Windows\system32\Qoeamo32.exe103⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2900 -
C:\Windows\SysWOW64\Qmhahkdj.exeC:\Windows\system32\Qmhahkdj.exe104⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1304 -
C:\Windows\SysWOW64\Aacmij32.exeC:\Windows\system32\Aacmij32.exe105⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:1040 -
C:\Windows\SysWOW64\Aeoijidl.exeC:\Windows\system32\Aeoijidl.exe106⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2896 -
C:\Windows\SysWOW64\Anjnnk32.exeC:\Windows\system32\Anjnnk32.exe107⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1444 -
C:\Windows\SysWOW64\Aaejojjq.exeC:\Windows\system32\Aaejojjq.exe108⤵
- System Location Discovery: System Language Discovery
PID:1084 -
C:\Windows\SysWOW64\Addfkeid.exeC:\Windows\system32\Addfkeid.exe109⤵PID:1868
-
C:\Windows\SysWOW64\Ahpbkd32.exeC:\Windows\system32\Ahpbkd32.exe110⤵
- Drops file in System32 directory
PID:1036 -
C:\Windows\SysWOW64\Agbbgqhh.exeC:\Windows\system32\Agbbgqhh.exe111⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:272 -
C:\Windows\SysWOW64\Aknngo32.exeC:\Windows\system32\Aknngo32.exe112⤵PID:3036
-
C:\Windows\SysWOW64\Anljck32.exeC:\Windows\system32\Anljck32.exe113⤵PID:2752
-
C:\Windows\SysWOW64\Apkgpf32.exeC:\Windows\system32\Apkgpf32.exe114⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:2556 -
C:\Windows\SysWOW64\Adfbpega.exeC:\Windows\system32\Adfbpega.exe115⤵
- Drops file in System32 directory
PID:2772 -
C:\Windows\SysWOW64\Ageompfe.exeC:\Windows\system32\Ageompfe.exe116⤵
- Drops file in System32 directory
PID:604 -
C:\Windows\SysWOW64\Akpkmo32.exeC:\Windows\system32\Akpkmo32.exe117⤵PID:1680
-
C:\Windows\SysWOW64\Ajckilei.exeC:\Windows\system32\Ajckilei.exe118⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1260 -
C:\Windows\SysWOW64\Anogijnb.exeC:\Windows\system32\Anogijnb.exe119⤵PID:2168
-
C:\Windows\SysWOW64\Apmcefmf.exeC:\Windows\system32\Apmcefmf.exe120⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2448 -
C:\Windows\SysWOW64\Aclpaali.exeC:\Windows\system32\Aclpaali.exe121⤵PID:2388
-
C:\Windows\SysWOW64\Aejlnmkm.exeC:\Windows\system32\Aejlnmkm.exe122⤵PID:888
-
C:\Windows\SysWOW64\Ajehnk32.exeC:\Windows\system32\Ajehnk32.exe123⤵
- Modifies registry class
PID:2088 -
C:\Windows\SysWOW64\Alddjg32.exeC:\Windows\system32\Alddjg32.exe124⤵
- Modifies registry class
PID:2096 -
C:\Windows\SysWOW64\Apppkekc.exeC:\Windows\system32\Apppkekc.exe125⤵
- Modifies registry class
PID:1148 -
C:\Windows\SysWOW64\Aobpfb32.exeC:\Windows\system32\Aobpfb32.exe126⤵PID:2924
-
C:\Windows\SysWOW64\Agihgp32.exeC:\Windows\system32\Agihgp32.exe127⤵PID:2316
-
C:\Windows\SysWOW64\Afliclij.exeC:\Windows\system32\Afliclij.exe128⤵PID:2268
-
C:\Windows\SysWOW64\Bhkeohhn.exeC:\Windows\system32\Bhkeohhn.exe129⤵
- System Location Discovery: System Language Discovery
PID:3032 -
C:\Windows\SysWOW64\Blfapfpg.exeC:\Windows\system32\Blfapfpg.exe130⤵PID:2616
-
C:\Windows\SysWOW64\Bpbmqe32.exeC:\Windows\system32\Bpbmqe32.exe131⤵PID:2720
-
C:\Windows\SysWOW64\Bcpimq32.exeC:\Windows\system32\Bcpimq32.exe132⤵PID:2404
-
C:\Windows\SysWOW64\Bfoeil32.exeC:\Windows\system32\Bfoeil32.exe133⤵
- System Location Discovery: System Language Discovery
PID:2888 -
C:\Windows\SysWOW64\Bjjaikoa.exeC:\Windows\system32\Bjjaikoa.exe134⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2176 -
C:\Windows\SysWOW64\Bhmaeg32.exeC:\Windows\system32\Bhmaeg32.exe135⤵
- Drops file in System32 directory
PID:2960 -
C:\Windows\SysWOW64\Bkknac32.exeC:\Windows\system32\Bkknac32.exe136⤵PID:2792
-
C:\Windows\SysWOW64\Bcbfbp32.exeC:\Windows\system32\Bcbfbp32.exe137⤵
- Modifies registry class
PID:2136 -
C:\Windows\SysWOW64\Baefnmml.exeC:\Windows\system32\Baefnmml.exe138⤵PID:2216
-
C:\Windows\SysWOW64\Bddbjhlp.exeC:\Windows\system32\Bddbjhlp.exe139⤵
- System Location Discovery: System Language Discovery
PID:332 -
C:\Windows\SysWOW64\Bhonjg32.exeC:\Windows\system32\Bhonjg32.exe140⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2640 -
C:\Windows\SysWOW64\Bknjfb32.exeC:\Windows\system32\Bknjfb32.exe141⤵
- Modifies registry class
PID:860 -
C:\Windows\SysWOW64\Bnlgbnbp.exeC:\Windows\system32\Bnlgbnbp.exe142⤵PID:2224
-
C:\Windows\SysWOW64\Bfcodkcb.exeC:\Windows\system32\Bfcodkcb.exe143⤵
- Drops file in System32 directory
PID:2788 -
C:\Windows\SysWOW64\Bdfooh32.exeC:\Windows\system32\Bdfooh32.exe144⤵PID:3020
-
C:\Windows\SysWOW64\Bhbkpgbf.exeC:\Windows\system32\Bhbkpgbf.exe145⤵PID:1684
-
C:\Windows\SysWOW64\Bkpglbaj.exeC:\Windows\system32\Bkpglbaj.exe146⤵
- Modifies registry class
PID:1760 -
C:\Windows\SysWOW64\Bnochnpm.exeC:\Windows\system32\Bnochnpm.exe147⤵
- Drops file in System32 directory
PID:1600 -
C:\Windows\SysWOW64\Bbjpil32.exeC:\Windows\system32\Bbjpil32.exe148⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1092 -
C:\Windows\SysWOW64\Bqmpdioa.exeC:\Windows\system32\Bqmpdioa.exe149⤵PID:2260
-
C:\Windows\SysWOW64\Bhdhefpc.exeC:\Windows\system32\Bhdhefpc.exe150⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2680 -
C:\Windows\SysWOW64\Bgghac32.exeC:\Windows\system32\Bgghac32.exe151⤵
- Modifies registry class
PID:1932 -
C:\Windows\SysWOW64\Bkbdabog.exeC:\Windows\system32\Bkbdabog.exe152⤵PID:1484
-
C:\Windows\SysWOW64\Bnapnm32.exeC:\Windows\system32\Bnapnm32.exe153⤵PID:624
-
C:\Windows\SysWOW64\Bbllnlfd.exeC:\Windows\system32\Bbllnlfd.exe154⤵
- Modifies registry class
PID:2000 -
C:\Windows\SysWOW64\Bdkhjgeh.exeC:\Windows\system32\Bdkhjgeh.exe155⤵PID:3012
-
C:\Windows\SysWOW64\Ccnifd32.exeC:\Windows\system32\Ccnifd32.exe156⤵PID:1820
-
C:\Windows\SysWOW64\Cgidfcdk.exeC:\Windows\system32\Cgidfcdk.exe157⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:712 -
C:\Windows\SysWOW64\Cjhabndo.exeC:\Windows\system32\Cjhabndo.exe158⤵
- System Location Discovery: System Language Discovery
PID:2892 -
C:\Windows\SysWOW64\Cncmcm32.exeC:\Windows\system32\Cncmcm32.exe159⤵PID:1480
-
C:\Windows\SysWOW64\Cmfmojcb.exeC:\Windows\system32\Cmfmojcb.exe160⤵PID:2496
-
C:\Windows\SysWOW64\Cdmepgce.exeC:\Windows\system32\Cdmepgce.exe161⤵PID:2604
-
C:\Windows\SysWOW64\Cglalbbi.exeC:\Windows\system32\Cglalbbi.exe162⤵
- System Location Discovery: System Language Discovery
PID:2192 -
C:\Windows\SysWOW64\Cjjnhnbl.exeC:\Windows\system32\Cjjnhnbl.exe163⤵PID:2332
-
C:\Windows\SysWOW64\Cnejim32.exeC:\Windows\system32\Cnejim32.exe164⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2944 -
C:\Windows\SysWOW64\Cqdfehii.exeC:\Windows\system32\Cqdfehii.exe165⤵
- System Location Discovery: System Language Discovery
PID:2328 -
C:\Windows\SysWOW64\Cogfqe32.exeC:\Windows\system32\Cogfqe32.exe166⤵
- System Location Discovery: System Language Discovery
PID:1292 -
C:\Windows\SysWOW64\Cgnnab32.exeC:\Windows\system32\Cgnnab32.exe167⤵PID:2300
-
C:\Windows\SysWOW64\Cfanmogq.exeC:\Windows\system32\Cfanmogq.exe168⤵PID:2724
-
C:\Windows\SysWOW64\Cmkfji32.exeC:\Windows\system32\Cmkfji32.exe169⤵PID:2436
-
C:\Windows\SysWOW64\Cqfbjhgf.exeC:\Windows\system32\Cqfbjhgf.exe170⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2916 -
C:\Windows\SysWOW64\Cceogcfj.exeC:\Windows\system32\Cceogcfj.exe171⤵
- Drops file in System32 directory
PID:1792 -
C:\Windows\SysWOW64\Cbgobp32.exeC:\Windows\system32\Cbgobp32.exe172⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2312 -
C:\Windows\SysWOW64\Cjogcm32.exeC:\Windows\system32\Cjogcm32.exe173⤵PID:2164
-
C:\Windows\SysWOW64\Cmmcpi32.exeC:\Windows\system32\Cmmcpi32.exe174⤵PID:2320
-
C:\Windows\SysWOW64\Colpld32.exeC:\Windows\system32\Colpld32.exe175⤵PID:3048
-
C:\Windows\SysWOW64\Cehhdkjf.exeC:\Windows\system32\Cehhdkjf.exe176⤵PID:2972
-
C:\Windows\SysWOW64\Cmppehkh.exeC:\Windows\system32\Cmppehkh.exe177⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2868 -
C:\Windows\SysWOW64\Dpnladjl.exeC:\Windows\system32\Dpnladjl.exe178⤵
- System Location Discovery: System Language Discovery
PID:3088 -
C:\Windows\SysWOW64\Dfhdnn32.exeC:\Windows\system32\Dfhdnn32.exe179⤵PID:3128
-
C:\Windows\SysWOW64\Dekdikhc.exeC:\Windows\system32\Dekdikhc.exe180⤵PID:3168
-
C:\Windows\SysWOW64\Dgiaefgg.exeC:\Windows\system32\Dgiaefgg.exe181⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:3208 -
C:\Windows\SysWOW64\Dboeco32.exeC:\Windows\system32\Dboeco32.exe182⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3248 -
C:\Windows\SysWOW64\Dihmpinj.exeC:\Windows\system32\Dihmpinj.exe183⤵
- System Location Discovery: System Language Discovery
PID:3288 -
C:\Windows\SysWOW64\Dlgjldnm.exeC:\Windows\system32\Dlgjldnm.exe184⤵PID:3328
-
C:\Windows\SysWOW64\Dnefhpma.exeC:\Windows\system32\Dnefhpma.exe185⤵
- System Location Discovery: System Language Discovery
PID:3368 -
C:\Windows\SysWOW64\Dbabho32.exeC:\Windows\system32\Dbabho32.exe186⤵PID:3408
-
C:\Windows\SysWOW64\Deondj32.exeC:\Windows\system32\Deondj32.exe187⤵PID:3448
-
C:\Windows\SysWOW64\Dgnjqe32.exeC:\Windows\system32\Dgnjqe32.exe188⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:3488 -
C:\Windows\SysWOW64\Dlifadkk.exeC:\Windows\system32\Dlifadkk.exe189⤵
- Modifies registry class
PID:3528 -
C:\Windows\SysWOW64\Dnhbmpkn.exeC:\Windows\system32\Dnhbmpkn.exe190⤵PID:3568
-
C:\Windows\SysWOW64\Dafoikjb.exeC:\Windows\system32\Dafoikjb.exe191⤵
- Modifies registry class
PID:3608 -
C:\Windows\SysWOW64\Dcdkef32.exeC:\Windows\system32\Dcdkef32.exe192⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3648 -
C:\Windows\SysWOW64\Dhpgfeao.exeC:\Windows\system32\Dhpgfeao.exe193⤵PID:3688
-
C:\Windows\SysWOW64\Djocbqpb.exeC:\Windows\system32\Djocbqpb.exe194⤵PID:3728
-
C:\Windows\SysWOW64\Dnjoco32.exeC:\Windows\system32\Dnjoco32.exe195⤵
- Drops file in System32 directory
PID:3780 -
C:\Windows\SysWOW64\Dmmpolof.exeC:\Windows\system32\Dmmpolof.exe196⤵PID:3820
-
C:\Windows\SysWOW64\Dpklkgoj.exeC:\Windows\system32\Dpklkgoj.exe197⤵PID:3860
-
C:\Windows\SysWOW64\Dhbdleol.exeC:\Windows\system32\Dhbdleol.exe198⤵
- Modifies registry class
PID:3900 -
C:\Windows\SysWOW64\Ejaphpnp.exeC:\Windows\system32\Ejaphpnp.exe199⤵PID:3940
-
C:\Windows\SysWOW64\Eicpcm32.exeC:\Windows\system32\Eicpcm32.exe200⤵PID:3980
-
C:\Windows\SysWOW64\Epnhpglg.exeC:\Windows\system32\Epnhpglg.exe201⤵
- Drops file in System32 directory
- Modifies registry class
PID:4020 -
C:\Windows\SysWOW64\Edidqf32.exeC:\Windows\system32\Edidqf32.exe202⤵PID:4060
-
C:\Windows\SysWOW64\Eifmimch.exeC:\Windows\system32\Eifmimch.exe203⤵PID:1044
-
C:\Windows\SysWOW64\Eldiehbk.exeC:\Windows\system32\Eldiehbk.exe204⤵PID:3112
-
C:\Windows\SysWOW64\Eppefg32.exeC:\Windows\system32\Eppefg32.exe205⤵PID:3160
-
C:\Windows\SysWOW64\Efjmbaba.exeC:\Windows\system32\Efjmbaba.exe206⤵
- System Location Discovery: System Language Discovery
PID:3216 -
C:\Windows\SysWOW64\Emdeok32.exeC:\Windows\system32\Emdeok32.exe207⤵PID:3268
-
C:\Windows\SysWOW64\Elgfkhpi.exeC:\Windows\system32\Elgfkhpi.exe208⤵PID:3312
-
C:\Windows\SysWOW64\Eoebgcol.exeC:\Windows\system32\Eoebgcol.exe209⤵PID:3364
-
C:\Windows\SysWOW64\Efljhq32.exeC:\Windows\system32\Efljhq32.exe210⤵
- Modifies registry class
PID:3424 -
C:\Windows\SysWOW64\Eikfdl32.exeC:\Windows\system32\Eikfdl32.exe211⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3484 -
C:\Windows\SysWOW64\Elibpg32.exeC:\Windows\system32\Elibpg32.exe212⤵
- System Location Discovery: System Language Discovery
PID:3516 -
C:\Windows\SysWOW64\Eogolc32.exeC:\Windows\system32\Eogolc32.exe213⤵PID:3548
-
C:\Windows\SysWOW64\Eeagimdf.exeC:\Windows\system32\Eeagimdf.exe214⤵PID:3620
-
C:\Windows\SysWOW64\Eimcjl32.exeC:\Windows\system32\Eimcjl32.exe215⤵PID:3660
-
C:\Windows\SysWOW64\Eknpadcn.exeC:\Windows\system32\Eknpadcn.exe216⤵PID:3720
-
C:\Windows\SysWOW64\Fahhnn32.exeC:\Windows\system32\Fahhnn32.exe217⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:3776 -
C:\Windows\SysWOW64\Feddombd.exeC:\Windows\system32\Feddombd.exe218⤵
- Modifies registry class
PID:3808 -
C:\Windows\SysWOW64\Fkqlgc32.exeC:\Windows\system32\Fkqlgc32.exe219⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3868 -
C:\Windows\SysWOW64\Fakdcnhh.exeC:\Windows\system32\Fakdcnhh.exe220⤵
- Modifies registry class
PID:3920 -
C:\Windows\SysWOW64\Fdiqpigl.exeC:\Windows\system32\Fdiqpigl.exe221⤵
- Drops file in System32 directory
PID:3960 -
C:\Windows\SysWOW64\Fggmldfp.exeC:\Windows\system32\Fggmldfp.exe222⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:4012 -
C:\Windows\SysWOW64\Fooembgb.exeC:\Windows\system32\Fooembgb.exe223⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:4068 -
C:\Windows\SysWOW64\Famaimfe.exeC:\Windows\system32\Famaimfe.exe224⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2988 -
C:\Windows\SysWOW64\Fdkmeiei.exeC:\Windows\system32\Fdkmeiei.exe225⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3144 -
C:\Windows\SysWOW64\Fhgifgnb.exeC:\Windows\system32\Fhgifgnb.exe226⤵PID:3200
-
C:\Windows\SysWOW64\Fkefbcmf.exeC:\Windows\system32\Fkefbcmf.exe227⤵PID:3284
-
C:\Windows\SysWOW64\Fihfnp32.exeC:\Windows\system32\Fihfnp32.exe228⤵PID:3316
-
C:\Windows\SysWOW64\Faonom32.exeC:\Windows\system32\Faonom32.exe229⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3404 -
C:\Windows\SysWOW64\Fpbnjjkm.exeC:\Windows\system32\Fpbnjjkm.exe230⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3464 -
C:\Windows\SysWOW64\Fcqjfeja.exeC:\Windows\system32\Fcqjfeja.exe231⤵PID:3540
-
C:\Windows\SysWOW64\Fglfgd32.exeC:\Windows\system32\Fglfgd32.exe232⤵PID:3604
-
C:\Windows\SysWOW64\Fijbco32.exeC:\Windows\system32\Fijbco32.exe233⤵
- Modifies registry class
PID:3632 -
C:\Windows\SysWOW64\Fmfocnjg.exeC:\Windows\system32\Fmfocnjg.exe234⤵PID:3708
-
C:\Windows\SysWOW64\Fpdkpiik.exeC:\Windows\system32\Fpdkpiik.exe235⤵PID:3744
-
C:\Windows\SysWOW64\Fccglehn.exeC:\Windows\system32\Fccglehn.exe236⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:3836 -
C:\Windows\SysWOW64\Feachqgb.exeC:\Windows\system32\Feachqgb.exe237⤵PID:3888
-
C:\Windows\SysWOW64\Fimoiopk.exeC:\Windows\system32\Fimoiopk.exe238⤵PID:3956
-
C:\Windows\SysWOW64\Glklejoo.exeC:\Windows\system32\Glklejoo.exe239⤵PID:4028
-
C:\Windows\SysWOW64\Gojhafnb.exeC:\Windows\system32\Gojhafnb.exe240⤵
- Drops file in System32 directory
PID:4084 -
C:\Windows\SysWOW64\Ggapbcne.exeC:\Windows\system32\Ggapbcne.exe241⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3124 -
C:\Windows\SysWOW64\Gecpnp32.exeC:\Windows\system32\Gecpnp32.exe242⤵PID:3180