Analysis
max time kernel: 74s
max time network: 18s
platform: windows7_x64
resource: win7-20241010-en
resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
submitted: 10-11-2024 01:21
Static task: static1

Behavioral task: behavioral1
  Sample: 02ae1a74a38c8a81f0f0ed293ba1235a92699a7f1d08c09f0ec0b9da75a81df9N.exe
  Resource: win7-20241010-en

Behavioral task: behavioral2
  Sample: 02ae1a74a38c8a81f0f0ed293ba1235a92699a7f1d08c09f0ec0b9da75a81df9N.exe
  Resource: win10v2004-20241007-en
General
Target: 02ae1a74a38c8a81f0f0ed293ba1235a92699a7f1d08c09f0ec0b9da75a81df9N.exe
Size: 64KB
MD5: f9c6852e867ad284363d4c025e77a4c0
SHA1: b7ed8a3cb5c4131fdf958105364b5071cae5e02b
SHA256: 02ae1a74a38c8a81f0f0ed293ba1235a92699a7f1d08c09f0ec0b9da75a81df9
SHA512: ee7269a36e1359617808aea86e93ecc796f7b19f0408d36e73215a55f04c1e3ab9b8e885bf1b95fa5fb92444462b9c76360e81c5c6fac47f9bf7ffd050ac4948
SSDEEP: 1536:tASAdCZT8yEJhrayY4z8rplE6Q/TTSjUy22kxyoQYHXUwXfzwv:tASAdST8t1rYlqSjK2UD1zPzwv
Malware Config
Extracted: berbew
  http://tat-neftbank.ru/kkq.php
  http://tat-neftbank.ru/wcmd.htm
Signatures

Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
Every IoC in this signature is one of the two registry operations below (description and ioc columns of the original table); the processes that performed each follow.

description: Set value (str)
ioc: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"
processes (30): Oaiglnih.exe, Ajpgkb32.exe, Khpaidpk.exe, Dhlogjko.exe, Kjjnnbfj.exe, Opfdim32.exe, Hqhiab32.exe, Boeppomj.exe, Odmgnl32.exe, Okqgcb32.exe, Fcaaloed.exe, Epipql32.exe, Ilmool32.exe, Lpmeojbo.exe, Bhfhnofg.exe, Keappgmg.exe, Iimenapo.exe, Ginefe32.exe, Jcaqmkpn.exe, Amdmkb32.exe, Hqjfgb32.exe, Eoalpaaa.exe, Qiekadkl.exe, Iciaim32.exe, Aakhkj32.exe, Acjfpokk.exe, Ieqbbl32.exe, Pogegeoj.exe, Cbcfbege.exe, Dpdpkfga.exe

description: Key created
ioc: \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
processes (34): Nogmin32.exe, Ohkdfhge.exe, Cicggcke.exe, Mpllpl32.exe, Mdeaim32.exe, Degobhjg.exe, Fghngimj.exe, Obakli32.exe, Omjeba32.exe, Faonqiod.exe, Kjchmclb.exe, Cgeopqfp.exe, Mljnaocd.exe, Ccdnipal.exe, Ncggifep.exe, Faimkd32.exe, Ndiomdde.exe, Neghdg32.exe, Plildb32.exe, Kifgllbc.exe, Monjcp32.exe, Pgopak32.exe, Dkhpfo32.exe, Ghmohcbl.exe, Ehinpnpm.exe, Oiljcj32.exe, Amebjgai.exe, Ipkgejcf.exe, Ehonebqq.exe, Afeold32.exe, Ficilgai.exe, Fqkbkicd.exe, Eehqme32.exe, Iefeaj32.exe
Berbew family
Executes dropped EXE (64 IoCs)
pid | process
2192 | Igbqdlea.exe
2536 | Iciaim32.exe
2488 | Jfhmehji.exe
2808 | Jdmjfe32.exe
2788 | Jhkclc32.exe
1784 | Jkllnn32.exe
1516 | Jjqiok32.exe
1520 | Kmabqf32.exe
1904 | Kobkbaac.exe
1652 | Kjhopjqi.exe
1672 | Keappgmg.exe
1312 | Lnlaomae.exe
524 | Llpaha32.exe
1984 | Lggbmbfc.exe
1956 | Lcncbc32.exe
2568 | Lflonn32.exe
2440 | Lfnlcnih.exe
1952 | Lpgqlc32.exe
672 | Mioeeifi.exe
832 | Mddibb32.exe
1676 | Monjcp32.exe
2248 | Mlbkmdah.exe
2944 | Maocekoo.exe
2848 | Mldgbcoe.exe
2628 | Mlgdhcmb.exe
2872 | Nmhqokcq.exe
2908 | Nogmin32.exe
2776 | Nahfkigd.exe
2136 | Ncjbba32.exe
2900 | Ndiomdde.exe
2832 | Nejkdm32.exe
1452 | Ohkdfhge.exe
2492 | Olimlf32.exe
1164 | Oojfnakl.exe
1136 | Odfofhic.exe
2428 | Okqgcb32.exe
3008 | Pqplqile.exe
1000 | Pogegeoj.exe
2112 | Pmkfqind.exe
2372 | Pibgfjdh.exe
2084 | Qidckjae.exe
2024 | Qbmhdp32.exe
584 | Qnciiq32.exe
1448 | Amkbpm32.exe
1564 | Aebjaj32.exe
1272 | Afecna32.exe
2992 | Aakhkj32.exe
2624 | Abldccka.exe
1460 | Bleilh32.exe
2208 | Bboahbio.exe
2620 | Blgeahoo.exe
2896 | Bpbabf32.exe
2296 | Bhnffi32.exe
2784 | Bbcjca32.exe
2356 | Bllomg32.exe
1828 | Bojkib32.exe
2316 | Bjalndpb.exe
2640 | Bomhnb32.exe
2864 | Cfhlbe32.exe
1192 | Cooddbfh.exe
2340 | Cdlmlidp.exe
772 | Ckfeic32.exe
1964 | Cdnjaibm.exe
1056 | Cglfndaa.exe
Loads dropped DLL (64 IoCs)
pid | process (each process is listed twice in the report, one entry per load)
3012 | 02ae1a74a38c8a81f0f0ed293ba1235a92699a7f1d08c09f0ec0b9da75a81df9N.exe
3012 | 02ae1a74a38c8a81f0f0ed293ba1235a92699a7f1d08c09f0ec0b9da75a81df9N.exe
2192 | Igbqdlea.exe
2192 | Igbqdlea.exe
2536 | Iciaim32.exe
2536 | Iciaim32.exe
2488 | Jfhmehji.exe
2488 | Jfhmehji.exe
2808 | Jdmjfe32.exe
2808 | Jdmjfe32.exe
2788 | Jhkclc32.exe
2788 | Jhkclc32.exe
1784 | Jkllnn32.exe
1784 | Jkllnn32.exe
1516 | Jjqiok32.exe
1516 | Jjqiok32.exe
1520 | Kmabqf32.exe
1520 | Kmabqf32.exe
1904 | Kobkbaac.exe
1904 | Kobkbaac.exe
1652 | Kjhopjqi.exe
1652 | Kjhopjqi.exe
1672 | Keappgmg.exe
1672 | Keappgmg.exe
1312 | Lnlaomae.exe
1312 | Lnlaomae.exe
524 | Llpaha32.exe
524 | Llpaha32.exe
1984 | Lggbmbfc.exe
1984 | Lggbmbfc.exe
1956 | Lcncbc32.exe
1956 | Lcncbc32.exe
2568 | Lflonn32.exe
2568 | Lflonn32.exe
2440 | Lfnlcnih.exe
2440 | Lfnlcnih.exe
1952 | Lpgqlc32.exe
1952 | Lpgqlc32.exe
672 | Mioeeifi.exe
672 | Mioeeifi.exe
832 | Mddibb32.exe
832 | Mddibb32.exe
1676 | Monjcp32.exe
1676 | Monjcp32.exe
2248 | Mlbkmdah.exe
2248 | Mlbkmdah.exe
2944 | Maocekoo.exe
2944 | Maocekoo.exe
2848 | Mldgbcoe.exe
2848 | Mldgbcoe.exe
2628 | Mlgdhcmb.exe
2628 | Mlgdhcmb.exe
2872 | Nmhqokcq.exe
2872 | Nmhqokcq.exe
2908 | Nogmin32.exe
2908 | Nogmin32.exe
2776 | Nahfkigd.exe
2776 | Nahfkigd.exe
2136 | Ncjbba32.exe
2136 | Ncjbba32.exe
2900 | Ndiomdde.exe
2900 | Ndiomdde.exe
2832 | Nejkdm32.exe
2832 | Nejkdm32.exe
Drops file in System32 directory (64 IoCs)
description | ioc | process
File opened for modification | C:\Windows\SysWOW64\Dkeahf32.exe | Dammoahg.exe
File created | C:\Windows\SysWOW64\Nnekggoo.dll | Migdig32.exe
File created | C:\Windows\SysWOW64\Cojghf32.exe | Cimooo32.exe
File opened for modification | C:\Windows\SysWOW64\Qgfmlp32.exe | Pgacaaij.exe
File created | C:\Windows\SysWOW64\Glfijb32.dll | Mhgpgjoj.exe
File created | C:\Windows\SysWOW64\Kmnechcf.dll | Epipql32.exe
File created | C:\Windows\SysWOW64\Fbofhpaj.dll | Mbpibm32.exe
File created | C:\Windows\SysWOW64\Fiopah32.exe | Fdbgia32.exe
File opened for modification | C:\Windows\SysWOW64\Dfdeab32.exe | Cfbhlb32.exe
File opened for modification | C:\Windows\SysWOW64\Kaliaphd.exe | Kloqiijm.exe
File created | C:\Windows\SysWOW64\Edmnnakm.exe | Egimdmmc.exe
File created | C:\Windows\SysWOW64\Eagbnh32.exe | Ehonebqq.exe
File created | C:\Windows\SysWOW64\Cbdfql32.dll | Mkkpjg32.exe
File created | C:\Windows\SysWOW64\Lgqfpqja.dll | Ciknhb32.exe
File created | C:\Windows\SysWOW64\Ofnbdi32.dll | Gbcecpck.exe
File created | C:\Windows\SysWOW64\Hqoaim32.dll | Gkkilfjk.exe
File created | C:\Windows\SysWOW64\Obakli32.exe | Odlnkmjg.exe
File created | C:\Windows\SysWOW64\Pkebgj32.exe | Pamnnemo.exe
File created | C:\Windows\SysWOW64\Pglclk32.exe | Pdngpp32.exe
File created | C:\Windows\SysWOW64\Cooddbfh.exe | Cfhlbe32.exe
File created | C:\Windows\SysWOW64\Hgbanlfc.exe | Hqhiab32.exe
File created | C:\Windows\SysWOW64\Knddcg32.exe | Kqqdjceh.exe
File created | C:\Windows\SysWOW64\Abdpfmcb.dll | Odmgnl32.exe
File created | C:\Windows\SysWOW64\Eodknifb.exe | Eelfedpa.exe
File opened for modification | C:\Windows\SysWOW64\Ggkoojip.exe | Fangfcki.exe
File created | C:\Windows\SysWOW64\Bbojchdc.dll | Gokmnlcf.exe
File opened for modification | C:\Windows\SysWOW64\Amkbpm32.exe | Qnciiq32.exe
File opened for modification | C:\Windows\SysWOW64\Dlpdfjjp.exe | Defljp32.exe
File created | C:\Windows\SysWOW64\Lddcfl32.dll | Fghngimj.exe
File created | C:\Windows\SysWOW64\Ihhpdnkl.dll | Idcqep32.exe
File created | C:\Windows\SysWOW64\Jaoblk32.exe | Jlbjcd32.exe
File opened for modification | C:\Windows\SysWOW64\Lfnlcnih.exe | Lflonn32.exe
File created | C:\Windows\SysWOW64\Ajmnmj32.dll | Hbhagiem.exe
File opened for modification | C:\Windows\SysWOW64\Oobiclmh.exe | Nhhqfb32.exe
File opened for modification | C:\Windows\SysWOW64\Mgigpgkd.exe | Mpaoojjb.exe
File created | C:\Windows\SysWOW64\Hiblmldn.exe | Hmlkhk32.exe
File created | C:\Windows\SysWOW64\Poeepl32.dll | Beplcfmd.exe
File created | C:\Windows\SysWOW64\Mgkjjogi.dll | Hfookk32.exe
File opened for modification | C:\Windows\SysWOW64\Ginefe32.exe | Gohqhl32.exe
File opened for modification | C:\Windows\SysWOW64\Idcqep32.exe | Ikjlmjmp.exe
File created | C:\Windows\SysWOW64\Jqfcla32.dll | Lenioenj.exe
File created | C:\Windows\SysWOW64\Opcejd32.exe | Oobiclmh.exe
File opened for modification | C:\Windows\SysWOW64\Jkjaaglp.exe | Jemiiqmh.exe
File created | C:\Windows\SysWOW64\Ppfbdmgb.dll | Njcibgcf.exe
File created | C:\Windows\SysWOW64\Cfpofi32.dll | Pglclk32.exe
File opened for modification | C:\Windows\SysWOW64\Bmbkid32.exe | Acjfpokk.exe
File created | C:\Windows\SysWOW64\Bipaodah.exe | Bnkmakbb.exe
File created | C:\Windows\SysWOW64\Ocndli32.dll | Cbcfbege.exe
File created | C:\Windows\SysWOW64\Jojnglco.exe | Jcdmbk32.exe
File opened for modification | C:\Windows\SysWOW64\Kfgcieii.exe | Knpkhhhg.exe
File opened for modification | C:\Windows\SysWOW64\Ailboh32.exe | Amebjgai.exe
File opened for modification | C:\Windows\SysWOW64\Njcibgcf.exe | Nhbqqlfe.exe
File created | C:\Windows\SysWOW64\Jpaood32.dll | Lpmeojbo.exe
File opened for modification | C:\Windows\SysWOW64\Mdcdcmai.exe | Mkkpjg32.exe
File opened for modification | C:\Windows\SysWOW64\Gjahfkfg.exe | Gnjhaj32.exe
File opened for modification | C:\Windows\SysWOW64\Mganfp32.exe | Mljnaocd.exe
File created | C:\Windows\SysWOW64\Behinlkh.exe | Biahijec.exe
File created | C:\Windows\SysWOW64\Dcgdlpkc.dll | Eoalpaaa.exe
File created | C:\Windows\SysWOW64\Aoeqbo32.dll | Pacqlcdi.exe
File created | C:\Windows\SysWOW64\Ppejmj32.exe | Pdnihiad.exe
File created | C:\Windows\SysWOW64\Maocekoo.exe | Mlbkmdah.exe
File created | C:\Windows\SysWOW64\Bocckoom.exe | Bkghjq32.exe
File created | C:\Windows\SysWOW64\Jmjmoh32.dll | Acdfki32.exe
File created | C:\Windows\SysWOW64\Dgbgon32.exe | Clkfjman.exe
Program crash (1 IoC)
pid | pid_target | process | target process
3876 | 3816 | WerFault.exe | Iqmcmaja.exe
System Location Discovery: System Language Discovery (1 TTP, 64 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

Every IoC in this signature is the same registry operation (description and ioc columns of the original table); the 64 processes that performed it follow.

description: Key opened
ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
processes (64): Dnbbjf32.exe, Hqemlbqi.exe, Igbqdlea.exe, Cojghf32.exe, Lngpac32.exe, Almjcobe.exe, Ekppjmia.exe, Ifahpnfl.exe, Lpgqlc32.exe, Mddibb32.exe, Abldccka.exe, Nfmahkhh.exe, Ilmool32.exe, Ecjkkp32.exe, Bfcnfh32.exe, Hgbhibio.exe, Cfhlbe32.exe, Enhcnd32.exe, Nphbfplf.exe, Gihpcn32.exe, Iiaoip32.exe, Fmnakege.exe, Ilfadg32.exe, Pobgjhgh.exe, Imfgahao.exe, Jhkclc32.exe, Kobkbaac.exe, Dlkqpg32.exe, Ldkeoo32.exe, Fcaaloed.exe, Lenioenj.exe, Akjham32.exe, Dkhpfo32.exe, Aaeiqf32.exe, Dfjaej32.exe, Klonqpbi.exe, Egimdmmc.exe, Fdbgia32.exe, Fbfldc32.exe, Ofmiea32.exe, Fghngimj.exe, Qbhpddbf.exe, Ajbdpblo.exe, Okolfkjg.exe, Jlbjcd32.exe, Pdllci32.exe, Cooddbfh.exe, Fokfqflb.exe, Nqbdllld.exe, Ggmjkapi.exe, Lfingaaf.exe, Kblooa32.exe, Fangfcki.exe, Bomhnb32.exe, Hklhca32.exe, Lhegcg32.exe, Dadcppbp.exe, Mbpibm32.exe, Dbkffc32.exe, Pjchjcmf.exe, Oojfnakl.exe, Jlddpkgh.exe, Gjahfkfg.exe, Eodknifb.exe
Modifies registry class (64 IoCs)
Processes: Dabfjp32.exe, Hklhca32.exe, Fljhmmci.exe, Hadhjaaa.exe, Opmhqc32.exe, Ccolja32.exe, Nndhpqma.exe, Ppejmj32.exe, Ggkoojip.exe, Bhgaan32.exe, Ndiomdde.exe, Oojfnakl.exe, Fcaaloed.exe, Fcoaebjc.exe, Ciknhb32.exe, Ggncop32.exe, Dabkla32.exe, Knddcg32.exe, Lbmpnjai.exe, Abachg32.exe, Hqcpfcbl.exe, Ffenmp32.exe, Ifqfge32.exe, Dlkqpg32.exe, Kocodbpk.exe, Cqcomn32.exe, Koejqi32.exe, Odfjdk32.exe, Ekppjmia.exe, Kopikdgn.exe, Nbgakd32.exe, Oegdcj32.exe, Fjcfco32.exe, Gjccbb32.exe, Hlnbqijd.exe, Mqfooonp.exe, Hopgikop.exe, Mdeaim32.exe, Ijjgkmqh.exe, Eodknifb.exe, Nogmin32.exe, Pamnnemo.exe, Dcihdo32.exe, Hqhiab32.exe, Jcaqmkpn.exe, Mifmoa32.exe, Pibgfjdh.exe, Jlddpkgh.exe, Mnaiah32.exe, Almjcobe.exe, Koelibnh.exe, Hbhagiem.exe, Pabncj32.exe, Qmcedg32.exe, Bgmolb32.exe, Dpdpkfga.exe, Pgopak32.exe, Olimlf32.exe, Heijidbn.exe
The IoC table below is cut off in the report after 58 rows; the last row has no process recorded.
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dpimnjhm.dll" | Dabfjp32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Hklhca32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eaodhk32.dll" | Fljhmmci.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Idkhbked.dll" | Hadhjaaa.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Opmhqc32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Ccolja32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Nndhpqma.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Ppejmj32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlcffk32.dll" | Ggkoojip.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Ppejmj32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Bhgaan32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Ndiomdde.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Oojfnakl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Fcaaloed.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Fcoaebjc.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Ciknhb32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Ggncop32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Dabkla32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Knddcg32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Lbmpnjai.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Abachg32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Hqcpfcbl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Ffenmp32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bnagimbb.dll" | Ifqfge32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Boajohpm.dll" | Dlkqpg32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hpgbod32.dll" | Fcaaloed.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mcinbihe.dll" | Kocodbpk.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pbacpl32.dll" | Cqcomn32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oicoednb.dll" | Koejqi32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Odfjdk32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Ekppjmia.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Kopikdgn.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Nbgakd32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Oegdcj32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Fjcfco32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Gjccbb32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Hlnbqijd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Mqfooonp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mbenmb32.dll" | Hopgikop.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mcegqmpg.dll" | Mdeaim32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Ijjgkmqh.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Eodknifb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pfknaf32.dll" | Nogmin32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Icblchdc.dll" | Ffenmp32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Akjlgc32.dll" | Pamnnemo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Odfjdk32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fkncac32.dll" | Dcihdo32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Hqhiab32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ajkhhfhl.dll" | Jcaqmkpn.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Mifmoa32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Hqhiab32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Pibgfjdh.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oqocld32.dll" | Jlddpkgh.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Mnaiah32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Almjcobe.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ldbjfdld.dll" | Koelibnh.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Hbhagiem.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 |
Pabncj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qmcedg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bgmolb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dpdpkfga.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pgopak32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Olimlf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Heijidbn.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes: 02ae1a74a38c8a81f0f0ed293ba1235a92699a7f1d08c09f0ec0b9da75a81df9N.exe, Igbqdlea.exe, Iciaim32.exe, Jfhmehji.exe, Jdmjfe32.exe, Jhkclc32.exe, Jkllnn32.exe, Jjqiok32.exe, Kmabqf32.exe, Kobkbaac.exe, Kjhopjqi.exe, Keappgmg.exe, Lnlaomae.exe, Llpaha32.exe, Lggbmbfc.exe, Lcncbc32.exe
description | pid | process | target process
PID 3012 wrote to memory of 2192 | 3012 | 02ae1a74a38c8a81f0f0ed293ba1235a92699a7f1d08c09f0ec0b9da75a81df9N.exe | Igbqdlea.exe
PID 3012 wrote to memory of 2192 | 3012 | 02ae1a74a38c8a81f0f0ed293ba1235a92699a7f1d08c09f0ec0b9da75a81df9N.exe | Igbqdlea.exe
PID 3012 wrote to memory of 2192 | 3012 | 02ae1a74a38c8a81f0f0ed293ba1235a92699a7f1d08c09f0ec0b9da75a81df9N.exe | Igbqdlea.exe
PID 3012 wrote to memory of 2192 | 3012 | 02ae1a74a38c8a81f0f0ed293ba1235a92699a7f1d08c09f0ec0b9da75a81df9N.exe | Igbqdlea.exe
PID 2192 wrote to memory of 2536 | 2192 | Igbqdlea.exe | Iciaim32.exe
PID 2192 wrote to memory of 2536 | 2192 | Igbqdlea.exe | Iciaim32.exe
PID 2192 wrote to memory of 2536 | 2192 | Igbqdlea.exe | Iciaim32.exe
PID 2192 wrote to memory of 2536 | 2192 | Igbqdlea.exe | Iciaim32.exe
PID 2536 wrote to memory of 2488 | 2536 | Iciaim32.exe | Jfhmehji.exe
PID 2536 wrote to memory of 2488 | 2536 | Iciaim32.exe | Jfhmehji.exe
PID 2536 wrote to memory of 2488 | 2536 | Iciaim32.exe | Jfhmehji.exe
PID 2536 wrote to memory of 2488 | 2536 | Iciaim32.exe | Jfhmehji.exe
PID 2488 wrote to memory of 2808 | 2488 | Jfhmehji.exe | Jdmjfe32.exe
PID 2488 wrote to memory of 2808 | 2488 | Jfhmehji.exe | Jdmjfe32.exe
PID 2488 wrote to memory of 2808 | 2488 | Jfhmehji.exe | Jdmjfe32.exe
PID 2488 wrote to memory of 2808 | 2488 | Jfhmehji.exe | Jdmjfe32.exe
PID 2808 wrote to memory of 2788 | 2808 | Jdmjfe32.exe | Jhkclc32.exe
PID 2808 wrote to memory of 2788 | 2808 | Jdmjfe32.exe | Jhkclc32.exe
PID 2808 wrote to memory of 2788 | 2808 | Jdmjfe32.exe | Jhkclc32.exe
PID 2808 wrote to memory of 2788 | 2808 | Jdmjfe32.exe | Jhkclc32.exe
PID 2788 wrote to memory of 1784 | 2788 | Jhkclc32.exe | Jkllnn32.exe
PID 2788 wrote to memory of 1784 | 2788 | Jhkclc32.exe | Jkllnn32.exe
PID 2788 wrote to memory of 1784 | 2788 | Jhkclc32.exe | Jkllnn32.exe
PID 2788 wrote to memory of 1784 | 2788 | Jhkclc32.exe | Jkllnn32.exe
PID 1784 wrote to memory of 1516 | 1784 | Jkllnn32.exe | Jjqiok32.exe
PID 1784 wrote to memory of 1516 | 1784 | Jkllnn32.exe | Jjqiok32.exe
PID 1784 wrote to memory of 1516 | 1784 | Jkllnn32.exe | Jjqiok32.exe
PID 1784 wrote to memory of 1516 | 1784 | Jkllnn32.exe | Jjqiok32.exe
PID 1516 wrote to memory of 1520 | 1516 | Jjqiok32.exe | Kmabqf32.exe
PID 1516 wrote to memory of 1520 | 1516 | Jjqiok32.exe | Kmabqf32.exe
PID 1516 wrote to memory of 1520 | 1516 | Jjqiok32.exe | Kmabqf32.exe
PID 1516 wrote to memory of 1520 | 1516 | Jjqiok32.exe | Kmabqf32.exe
PID 1520 wrote to memory of 1904 | 1520 | Kmabqf32.exe | Kobkbaac.exe
PID 1520 wrote to memory of 1904 | 1520 | Kmabqf32.exe | Kobkbaac.exe
PID 1520 wrote to memory of 1904 | 1520 | Kmabqf32.exe | Kobkbaac.exe
PID 1520 wrote to memory of 1904 | 1520 | Kmabqf32.exe | Kobkbaac.exe
PID 1904 wrote to memory of 1652 | 1904 | Kobkbaac.exe | Kjhopjqi.exe
PID 1904 wrote to memory of 1652 | 1904 | Kobkbaac.exe | Kjhopjqi.exe
PID 1904 wrote to memory of 1652 | 1904 | Kobkbaac.exe | Kjhopjqi.exe
PID 1904 wrote to memory of 1652 | 1904 | Kobkbaac.exe | Kjhopjqi.exe
PID 1652 wrote to memory of 1672 | 1652 | Kjhopjqi.exe | Keappgmg.exe
PID 1652 wrote to memory of 1672 | 1652 | Kjhopjqi.exe | Keappgmg.exe
PID 1652 wrote to memory of 1672 | 1652 | Kjhopjqi.exe | Keappgmg.exe
PID 1652 wrote to memory of 1672 | 1652 | Kjhopjqi.exe | Keappgmg.exe
PID 1672 wrote to memory of 1312 | 1672 | Keappgmg.exe | Lnlaomae.exe
PID 1672 wrote to memory of 1312 | 1672 | Keappgmg.exe | Lnlaomae.exe
PID 1672 wrote to memory of 1312 | 1672 | Keappgmg.exe | Lnlaomae.exe
PID 1672 wrote to memory of 1312 | 1672 | Keappgmg.exe | Lnlaomae.exe
PID 1312 wrote to memory of 524 | 1312 | Lnlaomae.exe | Llpaha32.exe
PID 1312 wrote to memory of 524 | 1312 | Lnlaomae.exe | Llpaha32.exe
PID 1312 wrote to memory of 524 | 1312 | Lnlaomae.exe | Llpaha32.exe
PID 1312 wrote to memory of 524 | 1312 | Lnlaomae.exe | Llpaha32.exe
PID 524 wrote to memory of 1984 | 524 | Llpaha32.exe | Lggbmbfc.exe
PID 524 wrote to memory of 1984 | 524 | Llpaha32.exe | Lggbmbfc.exe
PID 524 wrote to memory of 1984 | 524 | Llpaha32.exe | Lggbmbfc.exe
PID 524 wrote to memory of 1984 | 524 | Llpaha32.exe | Lggbmbfc.exe
PID 1984 wrote to memory of 1956 | 1984 | Lggbmbfc.exe | Lcncbc32.exe
PID 1984 wrote to memory of 1956 | 1984 | Lggbmbfc.exe | Lcncbc32.exe
PID 1984 wrote to memory of 1956 | 1984 | Lggbmbfc.exe | Lcncbc32.exe
PID 1984 wrote to memory of 1956 | 1984 | Lggbmbfc.exe | Lcncbc32.exe
PID 1956 wrote to memory of 2568 | 1956 | Lcncbc32.exe | Lflonn32.exe
PID 1956 wrote to memory of 2568 | 1956 | Lcncbc32.exe | Lflonn32.exe
PID 1956 wrote to memory of 2568 | 1956 | Lcncbc32.exe | Lflonn32.exe
PID 1956 wrote to memory of 2568 | 1956 | Lcncbc32.exe | Lflonn32.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\02ae1a74a38c8a81f0f0ed293ba1235a92699a7f1d08c09f0ec0b9da75a81df9N.exe | command line: "C:\Users\Admin\AppData\Local\Temp\02ae1a74a38c8a81f0f0ed293ba1235a92699a7f1d08c09f0ec0b9da75a81df9N.exe" | depth 1
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3012
-
C:\Windows\SysWOW64\Igbqdlea.exe | command line: C:\Windows\system32\Igbqdlea.exe | depth 2
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2192
-
C:\Windows\SysWOW64\Iciaim32.exe | command line: C:\Windows\system32\Iciaim32.exe | depth 3
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2536
-
C:\Windows\SysWOW64\Jfhmehji.exe | command line: C:\Windows\system32\Jfhmehji.exe | depth 4
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2488
-
C:\Windows\SysWOW64\Jdmjfe32.exe | command line: C:\Windows\system32\Jdmjfe32.exe | depth 5
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2808
-
C:\Windows\SysWOW64\Jhkclc32.exe | command line: C:\Windows\system32\Jhkclc32.exe | depth 6
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2788
-
C:\Windows\SysWOW64\Jkllnn32.exe | command line: C:\Windows\system32\Jkllnn32.exe | depth 7
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1784
-
C:\Windows\SysWOW64\Jjqiok32.exe | command line: C:\Windows\system32\Jjqiok32.exe | depth 8
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1516
-
C:\Windows\SysWOW64\Kmabqf32.exe | command line: C:\Windows\system32\Kmabqf32.exe | depth 9
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1520
-
C:\Windows\SysWOW64\Kobkbaac.exe | command line: C:\Windows\system32\Kobkbaac.exe | depth 10
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1904
-
C:\Windows\SysWOW64\Kjhopjqi.exe | command line: C:\Windows\system32\Kjhopjqi.exe | depth 11
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1652
-
C:\Windows\SysWOW64\Keappgmg.exe | command line: C:\Windows\system32\Keappgmg.exe | depth 12
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1672
-
C:\Windows\SysWOW64\Lnlaomae.exe | command line: C:\Windows\system32\Lnlaomae.exe | depth 13
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1312
-
C:\Windows\SysWOW64\Llpaha32.exe | command line: C:\Windows\system32\Llpaha32.exe | depth 14
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:524
-
C:\Windows\SysWOW64\Lggbmbfc.exe | command line: C:\Windows\system32\Lggbmbfc.exe | depth 15
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1984
-
C:\Windows\SysWOW64\Lcncbc32.exe | command line: C:\Windows\system32\Lcncbc32.exe | depth 16
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1956
-
C:\Windows\SysWOW64\Lflonn32.exe | command line: C:\Windows\system32\Lflonn32.exe | depth 17
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2568
-
C:\Windows\SysWOW64\Lfnlcnih.exe | command line: C:\Windows\system32\Lfnlcnih.exe | depth 18
- Executes dropped EXE
- Loads dropped DLL
PID:2440
-
C:\Windows\SysWOW64\Lpgqlc32.exe | command line: C:\Windows\system32\Lpgqlc32.exe | depth 19
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1952
-
C:\Windows\SysWOW64\Mioeeifi.exe | command line: C:\Windows\system32\Mioeeifi.exe | depth 20
- Executes dropped EXE
- Loads dropped DLL
PID:672
-
C:\Windows\SysWOW64\Mddibb32.exe | command line: C:\Windows\system32\Mddibb32.exe | depth 21
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:832
-
C:\Windows\SysWOW64\Monjcp32.exe | command line: C:\Windows\system32\Monjcp32.exe | depth 22
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1676
-
C:\Windows\SysWOW64\Mlbkmdah.exe | command line: C:\Windows\system32\Mlbkmdah.exe | depth 23
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2248
-
C:\Windows\SysWOW64\Maocekoo.exe | command line: C:\Windows\system32\Maocekoo.exe | depth 24
- Executes dropped EXE
- Loads dropped DLL
PID:2944
-
C:\Windows\SysWOW64\Mldgbcoe.exe | command line: C:\Windows\system32\Mldgbcoe.exe | depth 25
- Executes dropped EXE
- Loads dropped DLL
PID:2848
-
C:\Windows\SysWOW64\Mlgdhcmb.exe | command line: C:\Windows\system32\Mlgdhcmb.exe | depth 26
- Executes dropped EXE
- Loads dropped DLL
PID:2628
-
C:\Windows\SysWOW64\Nmhqokcq.exe | command line: C:\Windows\system32\Nmhqokcq.exe | depth 27
- Executes dropped EXE
- Loads dropped DLL
PID:2872
-
C:\Windows\SysWOW64\Nogmin32.exe | command line: C:\Windows\system32\Nogmin32.exe | depth 28
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2908
-
C:\Windows\SysWOW64\Nahfkigd.exe | command line: C:\Windows\system32\Nahfkigd.exe | depth 29
- Executes dropped EXE
- Loads dropped DLL
PID:2776
-
C:\Windows\SysWOW64\Ncjbba32.exe | command line: C:\Windows\system32\Ncjbba32.exe | depth 30
- Executes dropped EXE
- Loads dropped DLL
PID:2136
-
C:\Windows\SysWOW64\Ndiomdde.exe | command line: C:\Windows\system32\Ndiomdde.exe | depth 31
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2900
-
C:\Windows\SysWOW64\Nejkdm32.exe | command line: C:\Windows\system32\Nejkdm32.exe | depth 32
- Executes dropped EXE
- Loads dropped DLL
PID:2832
-
C:\Windows\SysWOW64\Ohkdfhge.exe | command line: C:\Windows\system32\Ohkdfhge.exe | depth 33
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1452
-
C:\Windows\SysWOW64\Olimlf32.exe | command line: C:\Windows\system32\Olimlf32.exe | depth 34
- Executes dropped EXE
- Modifies registry class
PID:2492
-
C:\Windows\SysWOW64\Oojfnakl.exe | command line: C:\Windows\system32\Oojfnakl.exe | depth 35
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1164
-
C:\Windows\SysWOW64\Odfofhic.exe | command line: C:\Windows\system32\Odfofhic.exe | depth 36
- Executes dropped EXE
PID:1136
-
C:\Windows\SysWOW64\Okqgcb32.exe | command line: C:\Windows\system32\Okqgcb32.exe | depth 37
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2428
-
C:\Windows\SysWOW64\Pqplqile.exe | command line: C:\Windows\system32\Pqplqile.exe | depth 38
- Executes dropped EXE
PID:3008
-
C:\Windows\SysWOW64\Pogegeoj.exe | command line: C:\Windows\system32\Pogegeoj.exe | depth 39
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1000
-
C:\Windows\SysWOW64\Pmkfqind.exe | command line: C:\Windows\system32\Pmkfqind.exe | depth 40
- Executes dropped EXE
PID:2112
-
C:\Windows\SysWOW64\Pibgfjdh.exe | command line: C:\Windows\system32\Pibgfjdh.exe | depth 41
- Executes dropped EXE
- Modifies registry class
PID:2372
-
C:\Windows\SysWOW64\Qidckjae.exe | command line: C:\Windows\system32\Qidckjae.exe | depth 42
- Executes dropped EXE
PID:2084
-
C:\Windows\SysWOW64\Qbmhdp32.exe | command line: C:\Windows\system32\Qbmhdp32.exe | depth 43
- Executes dropped EXE
PID:2024
-
C:\Windows\SysWOW64\Qnciiq32.exe | command line: C:\Windows\system32\Qnciiq32.exe | depth 44
- Executes dropped EXE
- Drops file in System32 directory
PID:584
-
C:\Windows\SysWOW64\Amkbpm32.exe | command line: C:\Windows\system32\Amkbpm32.exe | depth 45
- Executes dropped EXE
PID:1448
-
C:\Windows\SysWOW64\Aebjaj32.exe | command line: C:\Windows\system32\Aebjaj32.exe | depth 46
- Executes dropped EXE
PID:1564
-
C:\Windows\SysWOW64\Afecna32.exe | command line: C:\Windows\system32\Afecna32.exe | depth 47
- Executes dropped EXE
PID:1272
-
C:\Windows\SysWOW64\Aakhkj32.exe | command line: C:\Windows\system32\Aakhkj32.exe | depth 48
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2992
-
C:\Windows\SysWOW64\Abldccka.exe | command line: C:\Windows\system32\Abldccka.exe | depth 49
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2624
-
C:\Windows\SysWOW64\Bleilh32.exe | command line: C:\Windows\system32\Bleilh32.exe | depth 50
- Executes dropped EXE
PID:1460
-
C:\Windows\SysWOW64\Bboahbio.exe | command line: C:\Windows\system32\Bboahbio.exe | depth 51
- Executes dropped EXE
PID:2208
-
C:\Windows\SysWOW64\Blgeahoo.exe | command line: C:\Windows\system32\Blgeahoo.exe | depth 52
- Executes dropped EXE
PID:2620
-
C:\Windows\SysWOW64\Bpbabf32.exe | command line: C:\Windows\system32\Bpbabf32.exe | depth 53
- Executes dropped EXE
PID:2896
-
C:\Windows\SysWOW64\Bhnffi32.exe | command line: C:\Windows\system32\Bhnffi32.exe | depth 54
- Executes dropped EXE
PID:2296
-
C:\Windows\SysWOW64\Bbcjca32.exe | command line: C:\Windows\system32\Bbcjca32.exe | depth 55
- Executes dropped EXE
PID:2784
-
C:\Windows\SysWOW64\Bllomg32.exe | command line: C:\Windows\system32\Bllomg32.exe | depth 56
- Executes dropped EXE
PID:2356
-
C:\Windows\SysWOW64\Bojkib32.exe | command line: C:\Windows\system32\Bojkib32.exe | depth 57
- Executes dropped EXE
PID:1828
-
C:\Windows\SysWOW64\Bjalndpb.exe | command line: C:\Windows\system32\Bjalndpb.exe | depth 58
- Executes dropped EXE
PID:2316
-
C:\Windows\SysWOW64\Bomhnb32.exe | command line: C:\Windows\system32\Bomhnb32.exe | depth 59
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2640
-
C:\Windows\SysWOW64\Cfhlbe32.exe | command line: C:\Windows\system32\Cfhlbe32.exe | depth 60
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2864
-
C:\Windows\SysWOW64\Cooddbfh.exe | command line: C:\Windows\system32\Cooddbfh.exe | depth 61
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1192
-
C:\Windows\SysWOW64\Cdlmlidp.exe | command line: C:\Windows\system32\Cdlmlidp.exe | depth 62
- Executes dropped EXE
PID:2340
-
C:\Windows\SysWOW64\Ckfeic32.exe | command line: C:\Windows\system32\Ckfeic32.exe | depth 63
- Executes dropped EXE
PID:772
-
C:\Windows\SysWOW64\Cdnjaibm.exe | command line: C:\Windows\system32\Cdnjaibm.exe | depth 64
- Executes dropped EXE
PID:1964
-
C:\Windows\SysWOW64\Cglfndaa.exe | command line: C:\Windows\system32\Cglfndaa.exe | depth 65
- Executes dropped EXE
PID:1056
-
C:\Windows\SysWOW64\Cbcfbege.exe | command line: C:\Windows\system32\Cbcfbege.exe | depth 66
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:1512
-
C:\Windows\SysWOW64\Cimooo32.exe | command line: C:\Windows\system32\Cimooo32.exe | depth 67
- Drops file in System32 directory
PID:236
-
C:\Windows\SysWOW64\Cojghf32.exe | command line: C:\Windows\system32\Cojghf32.exe | depth 68
- System Location Discovery: System Language Discovery
PID:588
-
C:\Windows\SysWOW64\Cedpdpdf.exe | command line: C:\Windows\system32\Cedpdpdf.exe | depth 69
PID:2544
-
C:\Windows\SysWOW64\Clnhajlc.exe | command line: C:\Windows\system32\Clnhajlc.exe | depth 70
PID:1252
-
C:\Windows\SysWOW64\Defljp32.exe | command line: C:\Windows\system32\Defljp32.exe | depth 71
- Drops file in System32 directory
PID:2892
-
C:\Windows\SysWOW64\Dlpdfjjp.exe | command line: C:\Windows\system32\Dlpdfjjp.exe | depth 72
PID:2888
-
C:\Windows\SysWOW64\Dammoahg.exe | command line: C:\Windows\system32\Dammoahg.exe | depth 73
- Drops file in System32 directory
PID:2796
-
C:\Windows\SysWOW64\Dkeahf32.exe | command line: C:\Windows\system32\Dkeahf32.exe | depth 74
PID:2368
-
C:\Windows\SysWOW64\Ddnfql32.exe | command line: C:\Windows\system32\Ddnfql32.exe | depth 75
PID:928
-
C:\Windows\SysWOW64\Dabfjp32.exe | command line: C:\Windows\system32\Dabfjp32.exe | depth 76
- Modifies registry class
PID:2984
-
C:\Windows\SysWOW64\Dhlogjko.exe | command line: C:\Windows\system32\Dhlogjko.exe | depth 77
- Adds autorun key to be loaded by Explorer.exe on startup
PID:264
-
C:\Windows\SysWOW64\Dadcppbp.exe | command line: C:\Windows\system32\Dadcppbp.exe | depth 78
- System Location Discovery: System Language Discovery
PID:2088
-
C:\Windows\SysWOW64\Dcepgh32.exe | command line: C:\Windows\system32\Dcepgh32.exe | depth 79
PID:2312
-
C:\Windows\SysWOW64\Epipql32.exe | command line: C:\Windows\system32\Epipql32.exe | depth 80
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2180
-
C:\Windows\SysWOW64\Effhic32.exe | command line: C:\Windows\system32\Effhic32.exe | depth 81
PID:1988
-
C:\Windows\SysWOW64\Eplmflde.exe | command line: C:\Windows\system32\Eplmflde.exe | depth 82
PID:956
-
C:\Windows\SysWOW64\Ehgaknbp.exe | command line: C:\Windows\system32\Ehgaknbp.exe | depth 83
PID:2708
-
C:\Windows\SysWOW64\Eclfhgaf.exe | command line: C:\Windows\system32\Eclfhgaf.exe | depth 84
PID:2472
-
C:\Windows\SysWOW64\Ehinpnpm.exe | command line: C:\Windows\system32\Ehinpnpm.exe | depth 85
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1112
-
C:\Windows\SysWOW64\Ekhjlioa.exe | command line: C:\Windows\system32\Ekhjlioa.exe | depth 86
PID:1908
-
C:\Windows\SysWOW64\Efmoib32.exe | command line: C:\Windows\system32\Efmoib32.exe | depth 87
PID:2152
-
C:\Windows\SysWOW64\Enhcnd32.exe | command line: C:\Windows\system32\Enhcnd32.exe | depth 88
- System Location Discovery: System Language Discovery
PID:1600
-
C:\Windows\SysWOW64\Fbfldc32.exe | command line: C:\Windows\system32\Fbfldc32.exe | depth 89
- System Location Discovery: System Language Discovery
PID:2596
-
C:\Windows\SysWOW64\Fqilppic.exe | command line: C:\Windows\system32\Fqilppic.exe | depth 90
PID:3020
-
C:\Windows\SysWOW64\Fipdqmje.exe | command line: C:\Windows\system32\Fipdqmje.exe | depth 91
PID:3048
-
C:\Windows\SysWOW64\Fbiijb32.exe | command line: C:\Windows\system32\Fbiijb32.exe | depth 92
PID:1816
-
C:\Windows\SysWOW64\Fdgefn32.exe | command line: C:\Windows\system32\Fdgefn32.exe | depth 93
PID:2524
-
C:\Windows\SysWOW64\Fqnfkoen.exe | command line: C:\Windows\system32\Fqnfkoen.exe | depth 94
PID:1924
-
C:\Windows\SysWOW64\Fghngimj.exe | command line: C:\Windows\system32\Fghngimj.exe | depth 95
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1764
-
C:\Windows\SysWOW64\Fpcblkje.exe | command line: C:\Windows\system32\Fpcblkje.exe | depth 96
PID:1940
-
C:\Windows\SysWOW64\Gcakbjpl.exe | command line: C:\Windows\system32\Gcakbjpl.exe | depth 97
PID:1132
-
C:\Windows\SysWOW64\Gllpflng.exe | command line: C:\Windows\system32\Gllpflng.exe | depth 98
PID:2732
-
C:\Windows\SysWOW64\Gbfhcf32.exe | command line: C:\Windows\system32\Gbfhcf32.exe | depth 99
PID:2720
-
C:\Windows\SysWOW64\Gpjilj32.exe | command line: C:\Windows\system32\Gpjilj32.exe | depth 100
PID:1932
-
C:\Windows\SysWOW64\Gbheif32.exe | command line: C:\Windows\system32\Gbheif32.exe | depth 101
PID:1716
-
C:\Windows\SysWOW64\Gibmep32.exe | command line: C:\Windows\system32\Gibmep32.exe | depth 102
PID:2284
-
C:\Windows\SysWOW64\Gplebjbk.exe | command line: C:\Windows\system32\Gplebjbk.exe | depth 103
PID:2768
-
C:\Windows\SysWOW64\Giejkp32.exe | command line: C:\Windows\system32\Giejkp32.exe | depth 104
PID:628
-
C:\Windows\SysWOW64\Glcfgk32.exe | command line: C:\Windows\system32\Glcfgk32.exe | depth 105
PID:1540
-
C:\Windows\SysWOW64\Gdnkkmej.exe | command line: C:\Windows\system32\Gdnkkmej.exe | depth 106
PID:2612
-
C:\Windows\SysWOW64\Hndoifdp.exe | command line: C:\Windows\system32\Hndoifdp.exe | depth 107
PID:1740
-
C:\Windows\SysWOW64\Hadhjaaa.exe | command line: C:\Windows\system32\Hadhjaaa.exe | depth 108
- Modifies registry class
PID:1256
-
C:\Windows\SysWOW64\Hhopgkin.exe | command line: C:\Windows\system32\Hhopgkin.exe | depth 109
PID:876
-
C:\Windows\SysWOW64\Hmkiobge.exe | command line: C:\Windows\system32\Hmkiobge.exe | depth 110
PID:908
-
C:\Windows\SysWOW64\Hbhagiem.exe | command line: C:\Windows\system32\Hbhagiem.exe | depth 111
- Drops file in System32 directory
- Modifies registry class
PID:1444
-
C:\Windows\SysWOW64\Hlqfqo32.exe | command line: C:\Windows\system32\Hlqfqo32.exe | depth 112
PID:1820
-
C:\Windows\SysWOW64\Heijidbn.exe | command line: C:\Windows\system32\Heijidbn.exe | depth 113
- Modifies registry class
PID:1720
-
C:\Windows\SysWOW64\Ibmkbh32.exe | command line: C:\Windows\system32\Ibmkbh32.exe | depth 114
PID:2556
-
C:\Windows\SysWOW64\Iekgod32.exe | command line: C:\Windows\system32\Iekgod32.exe | depth 115
PID:2828
-
C:\Windows\SysWOW64\Iboghh32.exe | command line: C:\Windows\system32\Iboghh32.exe | depth 116
PID:1276
-
C:\Windows\SysWOW64\Ikjlmjmp.exe | command line: C:\Windows\system32\Ikjlmjmp.exe | depth 117
- Drops file in System32 directory
PID:2036
-
C:\Windows\SysWOW64\Idcqep32.exe | command line: C:\Windows\system32\Idcqep32.exe | depth 118
- Drops file in System32 directory
PID:2056
-
C:\Windows\SysWOW64\Ikmibjkm.exe | command line: C:\Windows\system32\Ikmibjkm.exe | depth 119
PID:764
-
C:\Windows\SysWOW64\Ihqilnig.exe | command line: C:\Windows\system32\Ihqilnig.exe | depth 120
PID:1832
-
C:\Windows\SysWOW64\Iokahhac.exe | command line: C:\Windows\system32\Iokahhac.exe | depth 121
PID:2324
-
C:\Windows\SysWOW64\Jnbkodci.exe | command line: C:\Windows\system32\Jnbkodci.exe | depth 122
PID:784
-
C:\Windows\SysWOW64\Jndhddaf.exe | command line: C:\Windows\system32\Jndhddaf.exe | depth 123
PID:1836
-
C:\Windows\SysWOW64\Jcaqmkpn.exe | command line: C:\Windows\system32\Jcaqmkpn.exe | depth 124
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2904
-
C:\Windows\SysWOW64\Jcdmbk32.exe | command line: C:\Windows\system32\Jcdmbk32.exe | depth 125
- Drops file in System32 directory
PID:2364
-
C:\Windows\SysWOW64\Jojnglco.exe | command line: C:\Windows\system32\Jojnglco.exe | depth 126
PID:2044
-
C:\Windows\SysWOW64\Kfdfdf32.exe | command line: C:\Windows\system32\Kfdfdf32.exe | depth 127
PID:1076
-
C:\Windows\SysWOW64\Klonqpbi.exe | command line: C:\Windows\system32\Klonqpbi.exe | depth 128
- System Location Discovery: System Language Discovery
PID:1928
-
C:\Windows\SysWOW64\Knpkhhhg.exe | command line: C:\Windows\system32\Knpkhhhg.exe | depth 129
- Drops file in System32 directory
PID:2404
-
C:\Windows\SysWOW64\Kfgcieii.exe | command line: C:\Windows\system32\Kfgcieii.exe | depth 130
PID:2744
-
C:\Windows\SysWOW64\Kqqdjceh.exe | command line: C:\Windows\system32\Kqqdjceh.exe | depth 131
- Drops file in System32 directory
PID:2288
-
C:\Windows\SysWOW64\Knddcg32.exe | command line: C:\Windows\system32\Knddcg32.exe | depth 132
- Modifies registry class
PID:2804
-
C:\Windows\SysWOW64\Kkhdml32.exe | command line: C:\Windows\system32\Kkhdml32.exe | depth 133
PID:2236
-
C:\Windows\SysWOW64\Kdqifajl.exe | command line: C:\Windows\system32\Kdqifajl.exe | depth 134
PID:936
-
C:\Windows\SysWOW64\Kninog32.exe | command line: C:\Windows\system32\Kninog32.exe | depth 135
PID:436
-
C:\Windows\SysWOW64\Lojjfo32.exe | command line: C:\Windows\system32\Lojjfo32.exe | depth 136
PID:1220
-
C:\Windows\SysWOW64\Liboodmk.exe | command line: C:\Windows\system32\Liboodmk.exe | depth 137
PID:1476
-
C:\Windows\SysWOW64\Lkcgapjl.exe | command line: C:\Windows\system32\Lkcgapjl.exe | depth 138
PID:1636
-
C:\Windows\SysWOW64\Lbmpnjai.exe | command line: C:\Windows\system32\Lbmpnjai.exe | depth 139
- Modifies registry class
PID:3028
-
C:\Windows\SysWOW64\Lighjd32.exe | command line: C:\Windows\system32\Lighjd32.exe | depth 140
PID:320
-
C:\Windows\SysWOW64\Lmcdkbao.exe | command line: C:\Windows\system32\Lmcdkbao.exe | depth 141
PID:808
-
C:\Windows\SysWOW64\Lndqbk32.exe | command line: C:\Windows\system32\Lndqbk32.exe | depth 142
PID:2580
-
C:\Windows\SysWOW64\Lenioenj.exe | command line: C:\Windows\system32\Lenioenj.exe | depth 143
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2576
-
C:\Windows\SysWOW64\Lpcmlnnp.exe | command line: C:\Windows\system32\Lpcmlnnp.exe | depth 144
PID:1504
-
C:\Windows\SysWOW64\Mljnaocd.exe | command line: C:\Windows\system32\Mljnaocd.exe | depth 145
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2924
-
C:\Windows\SysWOW64\Mganfp32.exe | command line: C:\Windows\system32\Mganfp32.exe | depth 146
PID:892
-
C:\Windows\SysWOW64\Mjpkbk32.exe | command line: C:\Windows\system32\Mjpkbk32.exe | depth 147
PID:2292
-
C:\Windows\SysWOW64\Mchokq32.exe | command line: C:\Windows\system32\Mchokq32.exe | depth 148
PID:900
-
C:\Windows\SysWOW64\Malpee32.exe | command line: C:\Windows\system32\Malpee32.exe | depth 149
PID:2256
-
C:\Windows\SysWOW64\Mhfhaoec.exe | command line: C:\Windows\system32\Mhfhaoec.exe | depth 150
PID:556
-
C:\Windows\SysWOW64\Migdig32.exe | command line: C:\Windows\system32\Migdig32.exe | depth 151
- Drops file in System32 directory
PID:2844
-
C:\Windows\SysWOW64\Manljd32.exe | command line: C:\Windows\system32\Manljd32.exe | depth 152
PID:1320
-
C:\Windows\SysWOW64\Mbpibm32.exe | command line: C:\Windows\system32\Mbpibm32.exe | depth 153
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2608
-
C:\Windows\SysWOW64\Nfmahkhh.exe | command line: C:\Windows\system32\Nfmahkhh.exe | depth 154
- System Location Discovery: System Language Discovery
PID:1080
-
C:\Windows\SysWOW64\Nljjqbfp.exe | command line: C:\Windows\system32\Nljjqbfp.exe | depth 155
PID:2252
-
C:\Windows\SysWOW64\Nphbfplf.exe | command line: C:\Windows\system32\Nphbfplf.exe | depth 156
- System Location Discovery: System Language Discovery
PID:2244
-
C:\Windows\SysWOW64\Nbfobllj.exe | command line: C:\Windows\system32\Nbfobllj.exe | depth 157
PID:472
-
C:\Windows\SysWOW64\Neekogkm.exe | command line: C:\Windows\system32\Neekogkm.exe | depth 158
PID:2052
-
C:\Windows\SysWOW64\Nlocka32.exe | command line: C:\Windows\system32\Nlocka32.exe | depth 159
PID:3032
-
C:\Windows\SysWOW64\Nbilhkig.exe | command line: C:\Windows\system32\Nbilhkig.exe | depth 160
PID:1640
-
C:\Windows\SysWOW64\Neghdg32.exe | command line: C:\Windows\system32\Neghdg32.exe | depth 161
- Adds autorun key to be loaded by Explorer.exe on startup
PID:968
-
C:\Windows\SysWOW64\Nanhihno.exe | command line: C:\Windows\system32\Nanhihno.exe | depth 162
PID:2108
-
C:\Windows\SysWOW64\Nhhqfb32.exe | command line: C:\Windows\system32\Nhhqfb32.exe | depth 163
- Drops file in System32 directory
PID:2548
-
C:\Windows\SysWOW64\Oobiclmh.exe | command line: C:\Windows\system32\Oobiclmh.exe | depth 164
- Drops file in System32 directory
PID:3000
-
C:\Windows\SysWOW64\Opcejd32.exe | command line: C:\Windows\system32\Opcejd32.exe | depth 165
PID:1680
-
C:\Windows\SysWOW64\Ogmngn32.exe | command line: C:\Windows\system32\Ogmngn32.exe | depth 166
PID:1212
-
C:\Windows\SysWOW64\Oiljcj32.exe | command line: C:\Windows\system32\Oiljcj32.exe | depth 167
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2516
-
C:\Windows\SysWOW64\Ocfkaone.exe | command line: C:\Windows\system32\Ocfkaone.exe | depth 168
PID:1336
-
C:\Windows\SysWOW64\Olopjddf.exe | command line: C:\Windows\system32\Olopjddf.exe | depth 169
PID:2928
-
C:\Windows\SysWOW64\Oegdcj32.exe | command line: C:\Windows\system32\Oegdcj32.exe | depth 170
- Modifies registry class
PID:2532
-
C:\Windows\SysWOW64\Opmhqc32.exe | command line: C:\Windows\system32\Opmhqc32.exe | depth 171
- Modifies registry class
PID:692
-
C:\Windows\SysWOW64\Phhmeehg.exe | command line: C:\Windows\system32\Phhmeehg.exe | depth 172
PID:2616
-
C:\Windows\SysWOW64\Plcied32.exe | command line: C:\Windows\system32\Plcied32.exe | depth 173
PID:1936
-
C:\Windows\SysWOW64\Pabncj32.exe | command line: C:\Windows\system32\Pabncj32.exe | depth 174
- Modifies registry class
PID:1468
-
C:\Windows\SysWOW64\Pofomolo.exe | command line: C:\Windows\system32\Pofomolo.exe | depth 175
PID:2336
-
C:\Windows\SysWOW64\Pgacaaij.exe | command line: C:\Windows\system32\Pgacaaij.exe | depth 176
- Drops file in System32 directory
PID:2228
-
C:\Windows\SysWOW64\Qgfmlp32.exe | command line: C:\Windows\system32\Qgfmlp32.exe | depth 177
PID:652
-
C:\Windows\SysWOW64\Qmcedg32.exe | command line: C:\Windows\system32\Qmcedg32.exe | depth 178
- Modifies registry class
PID:952
-
C:\Windows\SysWOW64\Qgiibp32.exe | command line: C:\Windows\system32\Qgiibp32.exe | depth 179
PID:2500
-
C:\Windows\SysWOW64\Amebjgai.exe | command line: C:\Windows\system32\Amebjgai.exe | depth 180
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:3060
-
C:\Windows\SysWOW64\Ailboh32.exe | command line: C:\Windows\system32\Ailboh32.exe | depth 181
PID:3100
-
C:\Windows\SysWOW64\Aoihaa32.exe | command line: C:\Windows\system32\Aoihaa32.exe | depth 182
PID:3140
-
C:\Windows\SysWOW64\Bjiobnbn.exe | command line: C:\Windows\system32\Bjiobnbn.exe | depth 183
PID:3180
-
C:\Windows\SysWOW64\Bgmolb32.exe | command line: C:\Windows\system32\Bgmolb32.exe | depth 184
- Modifies registry class
PID:3220
-
C:\Windows\SysWOW64\Bfblmofp.exe | command line: C:\Windows\system32\Bfblmofp.exe | depth 185
PID:3264
-
C:\Windows\SysWOW64\Biahijec.exe | command line: C:\Windows\system32\Biahijec.exe | depth 186
- Drops file in System32 directory
PID:3304
-
C:\Windows\SysWOW64\Behinlkh.exe | command line: C:\Windows\system32\Behinlkh.exe | depth 187
PID:3344
-
C:\Windows\SysWOW64\Cnpnga32.exe | command line: C:\Windows\system32\Cnpnga32.exe | depth 188
PID:3384
-
C:\Windows\SysWOW64\Cbljgpja.exe | command line: C:\Windows\system32\Cbljgpja.exe | depth 189
PID:3428
-
C:\Windows\SysWOW64\Cbnfmo32.exe | command line: C:\Windows\system32\Cbnfmo32.exe | depth 190
PID:3468
-
C:\Windows\SysWOW64\Celbik32.exe | command line: C:\Windows\system32\Celbik32.exe | depth 191
PID:3508
-
C:\Windows\SysWOW64\Cjikaa32.exe | command line: C:\Windows\system32\Cjikaa32.exe | depth 192
PID:3548
-
C:\Windows\SysWOW64\Cfbhlb32.exe | command line: C:\Windows\system32\Cfbhlb32.exe | depth 193
- Drops file in System32 directory
PID:3588
-
C:\Windows\SysWOW64\Dfdeab32.exe | command line: C:\Windows\system32\Dfdeab32.exe | depth 194
PID:3628
-
C:\Windows\SysWOW64\Dajiok32.exe | command line: C:\Windows\system32\Dajiok32.exe | depth 195
PID:3668
-
C:\Windows\SysWOW64\Dbkffc32.exe | command line: C:\Windows\system32\Dbkffc32.exe | depth 196
- System Location Discovery: System Language Discovery
PID:3708
-
C:\Windows\SysWOW64\Dpofpg32.exe | command line: C:\Windows\system32\Dpofpg32.exe | depth 197
PID:3748
-
C:\Windows\SysWOW64\Dmcgik32.exe | command line: C:\Windows\system32\Dmcgik32.exe | depth 198
PID:3788
-
C:\Windows\SysWOW64\Dcpoab32.exe | command line: C:\Windows\system32\Dcpoab32.exe | depth 199
PID:3828
-
C:\Windows\SysWOW64\Dijgnm32.exe | command line: C:\Windows\system32\Dijgnm32.exe | depth 200
PID:3872
-
C:\Windows\SysWOW64\Dpdpkfga.exe | command line: C:\Windows\system32\Dpdpkfga.exe | depth 201
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:3912
-
C:\Windows\SysWOW64\Dcblgbfe.exe | command line: C:\Windows\system32\Dcblgbfe.exe | depth 202
PID:3952
-
C:\Windows\SysWOW64\Dlkqpg32.exe | command line: C:\Windows\system32\Dlkqpg32.exe | depth 203
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:3992
-
C:\Windows\SysWOW64\Ehaaei32.exe | command line: C:\Windows\system32\Ehaaei32.exe | depth 204
PID:4032
-
C:\Windows\SysWOW64\Eeeanm32.exe | command line: C:\Windows\system32\Eeeanm32.exe | depth 205
PID:4072
-
C:\Windows\SysWOW64\Eonfgbhc.exe | command line: C:\Windows\system32\Eonfgbhc.exe | depth 206
PID:3080
-
C:\Windows\SysWOW64\Eehndm32.exe | command line: C:\Windows\system32\Eehndm32.exe | depth 207
PID:3112
-
C:\Windows\SysWOW64\Ekdglcmh.exe | command line: C:\Windows\system32\Ekdglcmh.exe | depth 208
PID:3176
-
C:\Windows\SysWOW64\Encchoml.exe | command line: C:\Windows\system32\Encchoml.exe | depth 209
PID:3208
-
C:\Windows\SysWOW64\Egkgad32.exe | command line: C:\Windows\system32\Egkgad32.exe | depth 210
PID:3272
-
C:\Windows\SysWOW64\Fjlqcppm.exe | command line: C:\Windows\system32\Fjlqcppm.exe | depth 211
PID:3276
-
C:\Windows\SysWOW64\Fgpalcog.exe | command line: C:\Windows\system32\Fgpalcog.exe | depth 212
PID:3380
-
C:\Windows\SysWOW64\Fokfqflb.exe | command line: C:\Windows\system32\Fokfqflb.exe | depth 213
- System Location Discovery: System Language Discovery
PID:3420
-
C:\Windows\SysWOW64\Ffenmp32.exe | command line: C:\Windows\system32\Ffenmp32.exe | depth 214
- Modifies registry class
PID:3488
-
C:\Windows\SysWOW64\Fqkbkicd.exe | command line: C:\Windows\system32\Fqkbkicd.exe | depth 215
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3524
-
C:\Windows\SysWOW64\Fjcfco32.exe | command line: C:\Windows\system32\Fjcfco32.exe | depth 216
- Modifies registry class
PID:3572
-
C:\Windows\SysWOW64\Fhfgokap.exe | command line: C:\Windows\system32\Fhfgokap.exe | depth 217
PID:3636
-
C:\Windows\SysWOW64\Fopole32.exe | command line: C:\Windows\system32\Fopole32.exe | depth 218
PID:3676
-
C:\Windows\SysWOW64\Ffjghppi.exe | command line: C:\Windows\system32\Ffjghppi.exe | depth 219
PID:3680
-
C:\Windows\SysWOW64\Foblaefj.exe | command line: C:\Windows\system32\Foblaefj.exe | depth 220
PID:3772
-
C:\Windows\SysWOW64\Gkimff32.exe | command line: C:\Windows\system32\Gkimff32.exe | depth 221
PID:3812
-
C:\Windows\SysWOW64\Gbcecpck.exe | command line: C:\Windows\system32\Gbcecpck.exe | depth 222
- Drops file in System32 directory
PID:3888
-
C:\Windows\SysWOW64\Gkkilfjk.exe | command line: C:\Windows\system32\Gkkilfjk.exe | depth 223
- Drops file in System32 directory
PID:3932
-
C:\Windows\SysWOW64\Gednek32.exe | command line: C:\Windows\system32\Gednek32.exe | depth 224
PID:3980
-
C:\Windows\SysWOW64\Gmobin32.exe | command line: C:\Windows\system32\Gmobin32.exe | depth 225
PID:4028
-
C:\Windows\SysWOW64\Gjccbb32.exeC:\Windows\system32\Gjccbb32.exe226⤵
- Modifies registry class
PID:4080 -
C:\Windows\SysWOW64\Gamkol32.exeC:\Windows\system32\Gamkol32.exe227⤵PID:3084
-
C:\Windows\SysWOW64\Gihpcn32.exeC:\Windows\system32\Gihpcn32.exe228⤵
- System Location Discovery: System Language Discovery
PID:3156 -
C:\Windows\SysWOW64\Hcndag32.exeC:\Windows\system32\Hcndag32.exe229⤵PID:3172
-
C:\Windows\SysWOW64\Hliieioi.exeC:\Windows\system32\Hliieioi.exe230⤵PID:3288
-
C:\Windows\SysWOW64\Heamno32.exeC:\Windows\system32\Heamno32.exe231⤵PID:3340
-
C:\Windows\SysWOW64\Hbengc32.exeC:\Windows\system32\Hbengc32.exe232⤵PID:3392
-
C:\Windows\SysWOW64\Hlnbqijd.exeC:\Windows\system32\Hlnbqijd.exe233⤵
- Modifies registry class
PID:3456 -
C:\Windows\SysWOW64\Hefginae.exeC:\Windows\system32\Hefginae.exe234⤵PID:3528
-
C:\Windows\SysWOW64\Hamgno32.exeC:\Windows\system32\Hamgno32.exe235⤵PID:3608
-
C:\Windows\SysWOW64\Ihgpkinf.exeC:\Windows\system32\Ihgpkinf.exe236⤵PID:3232
-
C:\Windows\SysWOW64\Idnppjcj.exeC:\Windows\system32\Idnppjcj.exe237⤵PID:3716
-
C:\Windows\SysWOW64\Iocdmccp.exeC:\Windows\system32\Iocdmccp.exe238⤵PID:3776
-
C:\Windows\SysWOW64\Ihkifi32.exeC:\Windows\system32\Ihkifi32.exe239⤵PID:3852
-
C:\Windows\SysWOW64\Iimenapo.exeC:\Windows\system32\Iimenapo.exe240⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3896 -
C:\Windows\SysWOW64\Ifqfge32.exeC:\Windows\system32\Ifqfge32.exe241⤵
- Modifies registry class
PID:3924 -
C:\Windows\SysWOW64\Ilmool32.exeC:\Windows\system32\Ilmool32.exe242⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:4044