Analysis

max time kernel: 120s
max time network: 121s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 10-11-2024 01:23

Static task: static1

Behavioral task: behavioral1
  Sample: a6adf3b735688fc5247918f6af0337d4905b574a256032870a4072779cd75e06.exe
  Resource: win7-20240903-en

Behavioral task: behavioral2
  Sample: a6adf3b735688fc5247918f6af0337d4905b574a256032870a4072779cd75e06.exe
  Resource: win10v2004-20241007-en

General

Target: a6adf3b735688fc5247918f6af0337d4905b574a256032870a4072779cd75e06.exe
Size: 844KB
MD5: 5ca2e7b55c179a5ab443cfa62b814995
SHA1: e9cbdedf8a2a71fbf3762d56e26af536cd7b092b
SHA256: a6adf3b735688fc5247918f6af0337d4905b574a256032870a4072779cd75e06
SHA512: e47dc0ec7c42f5dc74555b2eb3af5191957924f1ffb29875b3c6fe9432be203ba8df5656459a1105c3aabba8f31fc40c541c4039451656131a14a8c284839520
SSDEEP: 24576:5PH5W3TnbQihMpQnqrdX72LbY6x46uR/qYglMi:5PH5W3TbQihw+cdX2x46uhqllMi
Malware Config

Extracted family: berbew

C2 URL templates recovered from the sample. The host portion appears only as "f" in the extracted configuration, and the third entry is a printf-style format string that the sample fills in at runtime before the request is sent:
http://f/wcmd.htm
http://f/ppslog.php
http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d
Signatures

The IoC details below come from the Windows 7 x64 run (behavioral1). The report shows 64 IoCs per signature, which is a display cap rather than the full count: later sections name processes well past the point where the "Executes dropped EXE" list stops.

Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)

When the shell starts, Explorer.exe enumerates HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad and instantiates every CLSID listed there, so a DLL registered as that CLSID's InProcServer32 (see "Modifies registry class") is loaded into Explorer without any Run key or service. Every generation of the dropper chain rewrites the same value, "Web Event Logger" = {79FAA099-1BAE-816E-D711-115290CEE717}. The paths are under Wow6432Node because the 32-bit sample runs under WOW64 on this x64 image. The value name and the GUID are the stable indicators; the process and DLL names change with every generation.

Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad, by:
Mhhiiloh.exe, Kgdgpfnf.exe, Fdgefn32.exe, Iomcpe32.exe, Lhlbbg32.exe, Mfceom32.exe, Imcfjg32.exe, Mpphdpcf.exe, Ecoihm32.exe, Ohbjgg32.exe, Bhpqcpkm.exe, Acohnhab.exe, Iofhmi32.exe, Lbmpnjai.exe, Lidgcclp.exe, Mjlejl32.exe, Hfodmhbk.exe, Ingmmn32.exe, Cogfqe32.exe, Cooddbfh.exe, Pcqebd32.exe, Fdpgph32.exe, Hdbpekam.exe, Edidqf32.exe, Ghoijebj.exe, Ngpcohbm.exe, Geqlnjcf.exe, Ogmkne32.exe, Kdbepm32.exe, Hjoiiffo.exe, Lbjjekhl.exe, Bnhncclq.exe, Ejohdbok.exe, Fmfocnjg.exe

Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}", by:
Dkmljcdh.exe, Kjhopjqi.exe, Gpjilj32.exe, Ncgcdi32.exe, Cchdpbog.exe, Dakpiajj.exe, Igqhpj32.exe, Kngekdnf.exe, Mhhiiloh.exe, Jnjhjj32.exe, Jknicnpf.exe, Ieibdnnp.exe, Ppdfimji.exe, Afgnkilf.exe, Ocfiif32.exe, Fopnpaba.exe, Ejohdbok.exe, Joppeeif.exe, Ngqeha32.exe, Jllakpdk.exe, Pnfnajed.exe, Nalldh32.exe, Aokckm32.exe, Chlgid32.exe, Kjcedj32.exe, Cbpbgk32.exe, Lpddgd32.exe, Ooofcg32.exe, Eacghhkd.exe, Klecfkff.exe
Berbew family
Executes dropped EXE (64 IoCs)

Each dropped executable runs the next generation of the chain. The names advance alphabetically (C through I) over the 64 rows shown, and other sections name processes up to Q, so the chain ran far longer than this list.

pid process:
2740 Cjhabndo.exe, 2544 Cogfqe32.exe, 2848 Ciokijfd.exe, 2540 Dnqlmq32.exe, 2964 Dfhdnn32.exe, 2352 Dlifadkk.exe, 2140 Dahkok32.exe, 1864 Edidqf32.exe,
1380 Emdeok32.exe, 2980 Elkofg32.exe, 264 Feddombd.exe, 1728 Flnlkgjq.exe, 280 Fmohco32.exe, 596 Fdiqpigl.exe, 692 Fooembgb.exe, 896 Famaimfe.exe,
2872 Fhgifgnb.exe, 1812 Fgjjad32.exe, 296 Fihfnp32.exe, 1824 Fpbnjjkm.exe, 1984 Fdnjkh32.exe, 988 Fglfgd32.exe, 688 Fmfocnjg.exe, 1464 Fliook32.exe,
1732 Fdpgph32.exe, 2800 Fgocmc32.exe, 2144 Fimoiopk.exe, 2856 Glklejoo.exe, 2968 Gojhafnb.exe, 2976 Ggapbcne.exe, 2216 Giolnomh.exe, 1292 Glnhjjml.exe,
1868 Gcgqgd32.exe, 2024 Gefmcp32.exe, 2936 Ghdiokbq.exe, 400 Gkcekfad.exe, 1816 Gamnhq32.exe, 1296 Gdkjdl32.exe, 1556 Goqnae32.exe, 2732 Gekfnoog.exe,
3004 Gkgoff32.exe, 1700 Gaagcpdl.exe, 316 Hgnokgcc.exe, 2880 Hnhgha32.exe, 2676 Hdbpekam.exe, 2764 Hgqlafap.exe, 2568 Hjohmbpd.exe, 2148 Hqiqjlga.exe,
1004 Hgciff32.exe, 624 Hmpaom32.exe, 1660 Hcjilgdb.exe, 2896 Hifbdnbi.exe, 572 Hclfag32.exe, 2932 Hiioin32.exe, 2416 Icncgf32.exe, 2404 Ieponofk.exe,
2752 Ioeclg32.exe, 2644 Ifolhann.exe, 2996 Igqhpj32.exe, 2044 Ibfmmb32.exe, 532 Iipejmko.exe, 2124 Inmmbc32.exe, 876 Iegeonpc.exe, 1620 Ijcngenj.exe
Loads dropped DLL (64 IoCs)

Each pid/process pair is listed twice in the report, giving 64 IoCs for 32 processes:
3068 a6adf3b735688fc5247918f6af0337d4905b574a256032870a4072779cd75e06.exe,
2740 Cjhabndo.exe, 2544 Cogfqe32.exe, 2848 Ciokijfd.exe, 2540 Dnqlmq32.exe, 2964 Dfhdnn32.exe, 2352 Dlifadkk.exe, 2140 Dahkok32.exe, 1864 Edidqf32.exe,
1380 Emdeok32.exe, 2980 Elkofg32.exe, 264 Feddombd.exe, 1728 Flnlkgjq.exe, 280 Fmohco32.exe, 596 Fdiqpigl.exe, 692 Fooembgb.exe, 896 Famaimfe.exe,
2872 Fhgifgnb.exe, 1812 Fgjjad32.exe, 296 Fihfnp32.exe, 1824 Fpbnjjkm.exe, 1984 Fdnjkh32.exe, 988 Fglfgd32.exe, 688 Fmfocnjg.exe, 1464 Fliook32.exe,
1732 Fdpgph32.exe, 2800 Fgocmc32.exe, 2144 Fimoiopk.exe, 2856 Glklejoo.exe, 2968 Gojhafnb.exe, 2976 Ggapbcne.exe, 2216 Giolnomh.exe
Drops file in System32 directory (64 IoCs)

All paths are under C:\Windows\SysWOW64\. The .exe drops are the next generation of the chain (for example Ajamfh32.exe creates Amoibc32.exe, which in turn creates Apnfno32.exe), and the .dll drops are consistent with the COM in-process servers registered under the CLSID in "Modifies registry class". Every name follows the same shape: a capitalised 8-character stem, either eight letters or six letters followed by "32".

File created (file, by process):
Miokdmmk.dll (Mfceom32.exe), Bkqiek32.exe (Bhbmip32.exe), Mfhdke32.dll (Pjbjjc32.exe), Gekfnoog.exe (Goqnae32.exe), Allapi32.dll (Pmpdmfff.exe), Aqfnlp32.dll (Qigebglj.exe), Jkkjeeke.exe (Jcdadhjb.exe), Ocoadgfn.dll (Mgcjpkak.exe), Omhkcnfg.exe (Odacbpee.exe), Fhiiop32.dll (Afmbak32.exe), Efpmmn32.dll (Mcidkf32.exe), Ogomoj32.dll (Booiep32.exe), Icdeee32.exe (Iqfiii32.exe), Apnfno32.exe (Amoibc32.exe), Hcdifkdm.dll (Enhcnd32.exe), Fimelc32.dll (Pjlgle32.exe), Coblakbp.dll (Edofbpja.exe), Fopnpaba.exe (Fmnahilc.exe), Gnokee32.dll (Pbglpg32.exe), Iaalhl32.dll (Kbcddlnd.exe), Ckhfpp32.exe (Chjjde32.exe), Kckhdg32.exe (Kamlhl32.exe), Amoibc32.exe (Ajamfh32.exe), Nbpqmfmd.exe (Njhilimb.exe), Amjpgdik.exe (Ajldkhjh.exe), Efmoib32.exe (Eocfmh32.exe), Hmneebeb.exe (Hjoiiffo.exe), Mcicjgkh.dll (Kqqdjceh.exe), Bhdjno32.exe (Befnbd32.exe), Pjohgc32.dll (Jobocn32.exe), Bkhjamcf.exe (Bdobdc32.exe), Cpdhna32.exe (Cnflae32.exe), Pkpcbecl.exe (Pfcjiodd.exe), Dcbjni32.exe (Dhleaq32.exe), Ohdglfoj.exe (Oolbcaij.exe), Dlbaljhn.exe (Deiipp32.exe), Hohegbcn.dll (Milaecdp.exe), Jbnlaqhi.exe (Joppeeif.exe)

File opened for modification (file, by process):
Chocodch.exe (Cnipak32.exe), Lijiaabk.exe (Lglmefcg.exe), Lmcdkbao.exe (Lbmpnjai.exe), Jijacjnc.exe (Jacibm32.exe), Mlgkbi32.exe (Mmdkfmjc.exe), Ipabfcdm.exe (Imcfjg32.exe), Aocbokia.exe (Aldfcpjn.exe), Jnlepioj.exe (Jknicnpf.exe), Iomcpe32.exe (Imogcj32.exe), Kepgmh32.exe (Knfopnkk.exe), Loocanbe.exe (Lffohikd.exe), Inplqlng.exe (Igeddb32.exe), Ldmaijdc.exe (Laodmoep.exe), Mhalngad.exe (Mbdcepcm.exe), Jgjkfi32.exe (Japciodd.exe), Mcodqkbi.exe (Mpphdpcf.exe), Ogofkm32.exe (Oepjoa32.exe), Iqcmcj32.exe (Inepgn32.exe), Mejmmqpd.exe (Mclqqeaq.exe), Bpmkbl32.exe (Bbikig32.exe), Ngqeha32.exe (Ndbile32.exe), Gdfiofhn.exe (Gpjmnh32.exe), Fijnabef.exe (Facfpddd.exe), Akjfhdka.exe (Abaaoodq.exe), Fjhgidjk.exe (Fgjkmijh.exe), Mkgeehnl.exe (Mhhiiloh.exe)
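The drop rows and the pid list above are enough to rebuild the generation chain and to turn the naming pattern into a hunt filter. The following Python is an added example for this report, not code from the sandbox or from the sample: the row text is a constructed subset copied from the "Executes dropped EXE" and "Drops file in System32 directory" sections, and BERBEW_NAME_RE is this example's own heuristic derived from the names the report shows, so treat a match as a lead to verify against a file baseline rather than as proof.

```python
"""Rebuild the drop-and-execute chain from the flattened sandbox IoC rows.

Added example for this report, not code from the sandbox or the sample. The
row text is a constructed subset copied from the "Executes dropped EXE" and
"Drops file in System32 directory" sections; BERBEW_NAME_RE is this example's
own heuristic, derived from the names the report shows.
"""
import re
from collections import defaultdict

# Constructed subset of the report's "Drops file in System32 directory" rows.
DROP_ROWS = r"""
File created C:\Windows\SysWOW64\Miokdmmk.dll Mfceom32.exe
File created C:\Windows\SysWOW64\Gekfnoog.exe Goqnae32.exe
File created C:\Windows\SysWOW64\Allapi32.dll Pmpdmfff.exe
File opened for modification C:\Windows\SysWOW64\Chocodch.exe Cnipak32.exe
File created C:\Windows\SysWOW64\Apnfno32.exe Amoibc32.exe
File created C:\Windows\SysWOW64\Amoibc32.exe Ajamfh32.exe
File created C:\Windows\SysWOW64\Fopnpaba.exe Fmnahilc.exe
"""

# Constructed subset of the report's flat "pid process" list under "Executes dropped EXE".
EXEC_ROWS = "1556 Goqnae32.exe 2732 Gekfnoog.exe 3004 Gkgoff32.exe 1700 Gaagcpdl.exe"

ROW_RE = re.compile(r"^(File created|File opened for modification) (\S+) (\S+)$")

# Heuristic taken from this report's names: a capitalised 8-character stem that is
# either eight letters or six letters plus "32", with an .exe or .dll extension.
# Genuine Windows binaries are almost always lower-case, so a match is a hunt
# lead, not proof; confirm against a file baseline or a signature check.
BERBEW_NAME_RE = re.compile(r"^[A-Z](?:[a-z]{7}|[a-z]{5}32)\.(?:exe|dll)$")


def parse_drop_rows(text):
    """Return (action, full_path, writing_process) tuples for each non-blank row."""
    rows = []
    for line in text.strip().splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            raise ValueError("unparsed row: %r" % line)
        rows.append(m.groups())
    return rows


def parse_exec_rows(text):
    """Return {process_name: pid} from the flat 'pid name pid name ...' text."""
    tokens = text.split()
    return {name: int(pid) for pid, name in zip(tokens[::2], tokens[1::2])}


def basename(win_path):
    return win_path.rsplit("\\", 1)[-1]


def build_drop_graph(rows):
    """Map each writing process to the SysWOW64 files it created or modified."""
    graph = defaultdict(list)
    for _action, path, proc in rows:
        if "\\syswow64\\" in path.lower():
            graph[proc].append(basename(path))
    return dict(graph)


def chain_from(start, graph, limit=64):
    """Follow dropper -> dropped .exe -> its own drops, as far as the rows allow."""
    chain, seen = [start], {start}
    while len(chain) < limit:
        candidates = [f for f in graph.get(chain[-1], ())
                      if f.lower().endswith(".exe") and f not in seen]
        if not candidates:
            break
        chain.append(candidates[0])
        seen.add(candidates[0])
    return chain


def suspicious_names(rows):
    """Dropped files whose names fit the pattern, sorted for stable output."""
    return sorted({basename(p) for _a, p, _w in rows if BERBEW_NAME_RE.match(basename(p))})


def executed_drops(rows, executed):
    """Dropped .exe files the report also shows running, with their pids."""
    return {basename(p): executed[basename(p)] for _a, p, _w in rows if basename(p) in executed}


if __name__ == "__main__":
    rows = parse_drop_rows(DROP_ROWS)
    graph = build_drop_graph(rows)
    print("chain:", " -> ".join(chain_from("Ajamfh32.exe", graph)))
    print("executed drops:", executed_drops(rows, parse_exec_rows(EXEC_ROWS)))
    print("pattern hits:", suspicious_names(rows))
```

Run against the full 64-row sections, chain_from() links the dropper that wrote each .exe to the generation that then wrote the next one, and executed_drops() confirms which drops the sandbox actually saw run. On a live host the same regex applied to a directory listing of SysWOW64 gives a short candidate list to check against a known-good file inventory.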
Program crash (1 IoC)

WerFault.exe (pid 5016) was launched for a crash in Ockdmn32.exe (pid 3244).
System Location Discovery: System Language Discovery (1 TTP, 64 IoCs)

Attempts to gather information about the system language of the victim in order to infer the geographical location of that host. The key is also read by ordinary locale APIs, so on its own this is a weak signal; it is listed because it fires for every generation of the chain.

Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, by:
Bacefpbg.exe, Dlbaljhn.exe, Emdeok32.exe, Fgjjad32.exe, Iqcmcj32.exe, Qnqjkh32.exe, Lehdhn32.exe, Abnopj32.exe, Dkmljcdh.exe, Objmgd32.exe, Kdjceb32.exe, Kbppdfmk.exe, Loocanbe.exe, Lcohahpn.exe, Chlgid32.exe, Ljplkonl.exe, Kpgdnp32.exe, Kmklak32.exe, Elndpnnn.exe, Fijnabef.exe, Cpdhna32.exe, Nommodjj.exe, Ifolhann.exe, Dghjkpck.exe, Gajjhkgh.exe, Jacibm32.exe, Pfcjiodd.exe, Dilchhgg.exe, Cccdjl32.exe, Pioamlkk.exe, Ndbile32.exe, Opjkpo32.exe, Pmpdmfff.exe, Jgbjjf32.exe, Opmhqc32.exe, Kadica32.exe, Befnbd32.exe, Ifhgcgjq.exe, Pnfnajed.exe, Lkbpke32.exe, Ammmlcgi.exe, Ehaolpke.exe, Bgokfnij.exe, Aldfcpjn.exe, Fgcdlj32.exe, Kbncof32.exe, Ogbgbn32.exe, Mhdpnm32.exe, Enhcnd32.exe, Ffkncf32.exe, Npffaq32.exe, Iljifm32.exe, Nmnojp32.exe, Oninhgae.exe, Ajociq32.exe, Cpgglifo.exe, Ijampgde.exe, Jgnchplb.exe, Cbpbgk32.exe, Chocodch.exe, Nnlhab32.exe, Lbmnea32.exe, Nddcimag.exe, Ihpgce32.exe
Modifies registry class (64 IoCs)

This is the second half of the persistence. The CLSID named in the ShellServiceObjectDelayLoad value is registered under HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32, with the default value pointing at a freshly dropped DLL in C:\Windows\SysWow64 and ThreadingModel = "Apartment", which is what Explorer needs to load the object in-process. Each generation points the same GUID at a different DLL, so a hunt should key on the GUID and on InProcServer32 defaults that resolve to unexpected DLLs, not on a filename.

Processes (report list; rows for Aiaqle32.exe onward are cut off in this copy of the page):
Mpphdpcf.exe, Mecglbfl.exe, Pmkdhq32.exe, Binikb32.exe, Kflcok32.exe, Nalldh32.exe, Ohengmcf.exe, Cabaec32.exe, Kjihci32.exe, Pljnkodm.exe, Lcffgnnc.exe, Hqiqjlga.exe, Kkjpggkn.exe, Pnkglj32.exe, Qjgjpi32.exe, Llpaha32.exe, Akgibd32.exe, Mdmhfpkg.exe, Lgfjggll.exe, Njnokdaq.exe, Cdfgmnpa.exe, Ddpbfl32.exe, Ikoehj32.exe, Klonqpbi.exe, Gibbgmfe.exe, Kaholp32.exe, Bnofaf32.exe, Ihpgce32.exe, Hbghdj32.exe, Icdhnn32.exe, Cpgglifo.exe, Dkmljcdh.exe, Emeobj32.exe, Odacbpee.exe, Jghqia32.exe, Nlldmimi.exe, Iciaim32.exe, Hpjeknfi.exe, Kbncof32.exe, Mmpcdfem.exe, Igqhpj32.exe, Oibohdmd.exe, Ggfbpaeo.exe, Hdjoii32.exe, Aiaqle32.exe, Kenjgi32.exe, Oqepgk32.exe, Iigcobid.exe, Opaqpn32.exe, Fenphjei.exe, Jngilalk.exe, Apilcoho.exe, Cgnpjkhj.exe, Iphhgb32.exe, Eclfhgaf.exe, Aldfcpjn.exe, Bhkghqpb.exe, Jgjmoace.exe, Kjcedj32.exe, Eplmflde.exe, Hadhjaaa.exe, Bjembh32.exe

Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32, by:
Mecglbfl.exe, Binikb32.exe, Kflcok32.exe, Cabaec32.exe, Kjihci32.exe, Pljnkodm.exe, Kkjpggkn.exe, Mdmhfpkg.exe, Lgfjggll.exe, Njnokdaq.exe, Ddpbfl32.exe, Ikoehj32.exe, Gibbgmfe.exe, Cpgglifo.exe, Odacbpee.exe, Jghqia32.exe, Iciaim32.exe, Hpjeknfi.exe, Hdjoii32.exe

Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ (default) = "C:\\Windows\\SysWow64\\<dll>" (dll, by process):
Djepnq32.dll (Mpphdpcf.exe), Hajdhd32.dll (Pmkdhq32.exe), Dmlibo32.dll (Nalldh32.exe), Dmqddn32.dll (Lcffgnnc.exe), Ggegqe32.dll (Hqiqjlga.exe), Cjchollj.dll (Llpaha32.exe), Jdpcdjii.dll (Akgibd32.exe), Inehcind.dll (Njnokdaq.exe), Lfhenelp.dll (Cdfgmnpa.exe), Akbieg32.dll (Bnofaf32.exe), Hbnjdf32.dll (Ihpgce32.exe), Pcaopfhd.dll (Icdhnn32.exe), Jojdce32.dll (Nlldmimi.exe), Eacmfp32.dll (Iciaim32.exe), Dhmbnh32.dll (Kbncof32.exe)

Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment", by:
Ohengmcf.exe, Pnkglj32.exe, Qjgjpi32.exe, Klonqpbi.exe, Kaholp32.exe, Hbghdj32.exe, Dkmljcdh.exe, Emeobj32.exe, Mmpcdfem.exe, Igqhpj32.exe, Oibohdmd.exe, Ggfbpaeo.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kgagag32.dll" Aiaqle32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kenjgi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Oqepgk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Iigcobid.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Opaqpn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Omjefg32.dll" Fenphjei.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jngilalk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Apilcoho.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckpmmabh.dll" Cgnpjkhj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Iphhgb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbiboe32.dll" Eclfhgaf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pgmicg32.dll" Aldfcpjn.exe Key created 
\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bhkghqpb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Poajppaa.dll" Jgjmoace.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ljfnnkkc.dll" Kjcedj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Eplmflde.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pbcdpd32.dll" Hadhjaaa.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bjembh32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes: a6adf3b735688fc5247918f6af0337d4905b574a256032870a4072779cd75e06.exe, Cjhabndo.exe, Cogfqe32.exe, Ciokijfd.exe, Dnqlmq32.exe, Dfhdnn32.exe, Dlifadkk.exe, Dahkok32.exe, Edidqf32.exe, Emdeok32.exe, Elkofg32.exe, Feddombd.exe, Flnlkgjq.exe, Fmohco32.exe, Fdiqpigl.exe, Fooembgb.exe
description pid process target process
PID 3068 wrote to memory of 2740 3068 a6adf3b735688fc5247918f6af0337d4905b574a256032870a4072779cd75e06.exe Cjhabndo.exe
PID 3068 wrote to memory of 2740 3068 a6adf3b735688fc5247918f6af0337d4905b574a256032870a4072779cd75e06.exe Cjhabndo.exe
PID 3068 wrote to memory of 2740 3068 a6adf3b735688fc5247918f6af0337d4905b574a256032870a4072779cd75e06.exe Cjhabndo.exe
PID 3068 wrote to memory of 2740 3068 a6adf3b735688fc5247918f6af0337d4905b574a256032870a4072779cd75e06.exe Cjhabndo.exe
PID 2740 wrote to memory of 2544 2740 Cjhabndo.exe Cogfqe32.exe
PID 2740 wrote to memory of 2544 2740 Cjhabndo.exe Cogfqe32.exe
PID 2740 wrote to memory of 2544 2740 Cjhabndo.exe Cogfqe32.exe
PID 2740 wrote to memory of 2544 2740 Cjhabndo.exe Cogfqe32.exe
PID 2544 wrote to memory of 2848 2544 Cogfqe32.exe Ciokijfd.exe
PID 2544 wrote to memory of 2848 2544 Cogfqe32.exe Ciokijfd.exe
PID 2544 wrote to memory of 2848 2544 Cogfqe32.exe Ciokijfd.exe
PID 2544 wrote to memory of 2848 2544 Cogfqe32.exe Ciokijfd.exe
PID 2848 wrote to memory of 2540 2848 Ciokijfd.exe Dnqlmq32.exe
PID 2848 wrote to memory of 2540 2848 Ciokijfd.exe Dnqlmq32.exe
PID 2848 wrote to memory of 2540 2848 Ciokijfd.exe Dnqlmq32.exe
PID 2848 wrote to memory of 2540 2848 Ciokijfd.exe Dnqlmq32.exe
PID 2540 wrote to memory of 2964 2540 Dnqlmq32.exe Dfhdnn32.exe
PID 2540 wrote to memory of 2964 2540 Dnqlmq32.exe Dfhdnn32.exe
PID 2540 wrote to memory of 2964 2540 Dnqlmq32.exe Dfhdnn32.exe
PID 2540 wrote to memory of 2964 2540 Dnqlmq32.exe Dfhdnn32.exe
PID 2964 wrote to memory of 2352 2964 Dfhdnn32.exe Dlifadkk.exe
PID 2964 wrote to memory of 2352 2964 Dfhdnn32.exe Dlifadkk.exe
PID 2964 wrote to memory of 2352 2964 Dfhdnn32.exe Dlifadkk.exe
PID 2964 wrote to memory of 2352 2964 Dfhdnn32.exe Dlifadkk.exe
PID 2352 wrote to memory of 2140 2352 Dlifadkk.exe Dahkok32.exe
PID 2352 wrote to memory of 2140 2352 Dlifadkk.exe Dahkok32.exe
PID 2352 wrote to memory of 2140 2352 Dlifadkk.exe Dahkok32.exe
PID 2352 wrote to memory of 2140 2352 Dlifadkk.exe Dahkok32.exe
PID 2140 wrote to memory of 1864 2140 Dahkok32.exe Edidqf32.exe
PID 2140 wrote to memory of 1864 2140 Dahkok32.exe Edidqf32.exe
PID 2140 wrote to memory of 1864 2140 Dahkok32.exe Edidqf32.exe
PID 2140 wrote to memory of 1864 2140 Dahkok32.exe Edidqf32.exe
PID 1864 wrote to memory of 1380 1864 Edidqf32.exe Emdeok32.exe
PID 1864 wrote to memory of 1380 1864 Edidqf32.exe Emdeok32.exe
PID 1864 wrote to memory of 1380 1864 Edidqf32.exe Emdeok32.exe
PID 1864 wrote to memory of 1380 1864 Edidqf32.exe Emdeok32.exe
PID 1380 wrote to memory of 2980 1380 Emdeok32.exe Elkofg32.exe
PID 1380 wrote to memory of 2980 1380 Emdeok32.exe Elkofg32.exe
PID 1380 wrote to memory of 2980 1380 Emdeok32.exe Elkofg32.exe
PID 1380 wrote to memory of 2980 1380 Emdeok32.exe Elkofg32.exe
PID 2980 wrote to memory of 264 2980 Elkofg32.exe Feddombd.exe
PID 2980 wrote to memory of 264 2980 Elkofg32.exe Feddombd.exe
PID 2980 wrote to memory of 264 2980 Elkofg32.exe Feddombd.exe
PID 2980 wrote to memory of 264 2980 Elkofg32.exe Feddombd.exe
PID 264 wrote to memory of 1728 264 Feddombd.exe Flnlkgjq.exe
PID 264 wrote to memory of 1728 264 Feddombd.exe Flnlkgjq.exe
PID 264 wrote to memory of 1728 264 Feddombd.exe Flnlkgjq.exe
PID 264 wrote to memory of 1728 264 Feddombd.exe Flnlkgjq.exe
PID 1728 wrote to memory of 280 1728 Flnlkgjq.exe Fmohco32.exe
PID 1728 wrote to memory of 280 1728 Flnlkgjq.exe Fmohco32.exe
PID 1728 wrote to memory of 280 1728 Flnlkgjq.exe Fmohco32.exe
PID 1728 wrote to memory of 280 1728 Flnlkgjq.exe Fmohco32.exe
PID 280 wrote to memory of 596 280 Fmohco32.exe Fdiqpigl.exe
PID 280 wrote to memory of 596 280 Fmohco32.exe Fdiqpigl.exe
PID 280 wrote to memory of 596 280 Fmohco32.exe Fdiqpigl.exe
PID 280 wrote to memory of 596 280 Fmohco32.exe Fdiqpigl.exe
PID 596 wrote to memory of 692 596 Fdiqpigl.exe Fooembgb.exe
PID 596 wrote to memory of 692 596 Fdiqpigl.exe Fooembgb.exe
PID 596 wrote to memory of 692 596 Fdiqpigl.exe Fooembgb.exe
PID 596 wrote to memory of 692 596 Fdiqpigl.exe Fooembgb.exe
PID 692 wrote to memory of 896 692 Fooembgb.exe Famaimfe.exe
PID 692 wrote to memory of 896 692 Fooembgb.exe Famaimfe.exe
PID 692 wrote to memory of 896 692 Fooembgb.exe Famaimfe.exe
PID 692 wrote to memory of 896 692 Fooembgb.exe Famaimfe.exe
Processes
C:\Users\Admin\AppData\Local\Temp\a6adf3b735688fc5247918f6af0337d4905b574a256032870a4072779cd75e06.exe (command line: "C:\Users\Admin\AppData\Local\Temp\a6adf3b735688fc5247918f6af0337d4905b574a256032870a4072779cd75e06.exe", level 1)
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID: 3068
C:\Windows\SysWOW64\Cjhabndo.exe (command line: C:\Windows\system32\Cjhabndo.exe, level 2)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID: 2740
C:\Windows\SysWOW64\Cogfqe32.exe (command line: C:\Windows\system32\Cogfqe32.exe, level 3)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID: 2544
C:\Windows\SysWOW64\Ciokijfd.exe (command line: C:\Windows\system32\Ciokijfd.exe, level 4)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID: 2848
C:\Windows\SysWOW64\Dnqlmq32.exe (command line: C:\Windows\system32\Dnqlmq32.exe, level 5)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID: 2540
C:\Windows\SysWOW64\Dfhdnn32.exe (command line: C:\Windows\system32\Dfhdnn32.exe, level 6)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID: 2964
C:\Windows\SysWOW64\Dlifadkk.exe (command line: C:\Windows\system32\Dlifadkk.exe, level 7)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID: 2352
C:\Windows\SysWOW64\Dahkok32.exe (command line: C:\Windows\system32\Dahkok32.exe, level 8)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID: 2140
C:\Windows\SysWOW64\Edidqf32.exe (command line: C:\Windows\system32\Edidqf32.exe, level 9)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID: 1864
C:\Windows\SysWOW64\Emdeok32.exe (command line: C:\Windows\system32\Emdeok32.exe, level 10)
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID: 1380
C:\Windows\SysWOW64\Elkofg32.exe (command line: C:\Windows\system32\Elkofg32.exe, level 11)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID: 2980
C:\Windows\SysWOW64\Feddombd.exe (command line: C:\Windows\system32\Feddombd.exe, level 12)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID: 264
C:\Windows\SysWOW64\Flnlkgjq.exe (command line: C:\Windows\system32\Flnlkgjq.exe, level 13)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID: 1728
C:\Windows\SysWOW64\Fmohco32.exe (command line: C:\Windows\system32\Fmohco32.exe, level 14)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID: 280
C:\Windows\SysWOW64\Fdiqpigl.exe (command line: C:\Windows\system32\Fdiqpigl.exe, level 15)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID: 596
C:\Windows\SysWOW64\Fooembgb.exe (command line: C:\Windows\system32\Fooembgb.exe, level 16)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID: 692
C:\Windows\SysWOW64\Famaimfe.exe (command line: C:\Windows\system32\Famaimfe.exe, level 17)
- Executes dropped EXE
- Loads dropped DLL
PID: 896
C:\Windows\SysWOW64\Fhgifgnb.exe (command line: C:\Windows\system32\Fhgifgnb.exe, level 18)
- Executes dropped EXE
- Loads dropped DLL
PID: 2872
C:\Windows\SysWOW64\Fgjjad32.exe (command line: C:\Windows\system32\Fgjjad32.exe, level 19)
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID: 1812
C:\Windows\SysWOW64\Fihfnp32.exe (command line: C:\Windows\system32\Fihfnp32.exe, level 20)
- Executes dropped EXE
- Loads dropped DLL
PID: 296
C:\Windows\SysWOW64\Fpbnjjkm.exe (command line: C:\Windows\system32\Fpbnjjkm.exe, level 21)
- Executes dropped EXE
- Loads dropped DLL
PID: 1824
C:\Windows\SysWOW64\Fdnjkh32.exe (command line: C:\Windows\system32\Fdnjkh32.exe, level 22)
- Executes dropped EXE
- Loads dropped DLL
PID: 1984
C:\Windows\SysWOW64\Fglfgd32.exe (command line: C:\Windows\system32\Fglfgd32.exe, level 23)
- Executes dropped EXE
- Loads dropped DLL
PID: 988
C:\Windows\SysWOW64\Fmfocnjg.exe (command line: C:\Windows\system32\Fmfocnjg.exe, level 24)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID: 688
C:\Windows\SysWOW64\Fliook32.exe (command line: C:\Windows\system32\Fliook32.exe, level 25)
- Executes dropped EXE
- Loads dropped DLL
PID: 1464
C:\Windows\SysWOW64\Fdpgph32.exe (command line: C:\Windows\system32\Fdpgph32.exe, level 26)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID: 1732
C:\Windows\SysWOW64\Fgocmc32.exe (command line: C:\Windows\system32\Fgocmc32.exe, level 27)
- Executes dropped EXE
- Loads dropped DLL
PID: 2800
C:\Windows\SysWOW64\Fimoiopk.exe (command line: C:\Windows\system32\Fimoiopk.exe, level 28)
- Executes dropped EXE
- Loads dropped DLL
PID: 2144
C:\Windows\SysWOW64\Glklejoo.exe (command line: C:\Windows\system32\Glklejoo.exe, level 29)
- Executes dropped EXE
- Loads dropped DLL
PID: 2856
C:\Windows\SysWOW64\Gojhafnb.exe (command line: C:\Windows\system32\Gojhafnb.exe, level 30)
- Executes dropped EXE
- Loads dropped DLL
PID: 2968
C:\Windows\SysWOW64\Ggapbcne.exe (command line: C:\Windows\system32\Ggapbcne.exe, level 31)
- Executes dropped EXE
- Loads dropped DLL
PID: 2976
C:\Windows\SysWOW64\Giolnomh.exe (command line: C:\Windows\system32\Giolnomh.exe, level 32)
- Executes dropped EXE
- Loads dropped DLL
PID: 2216
C:\Windows\SysWOW64\Glnhjjml.exe (command line: C:\Windows\system32\Glnhjjml.exe, level 33)
- Executes dropped EXE
PID: 1292
C:\Windows\SysWOW64\Gcgqgd32.exe (command line: C:\Windows\system32\Gcgqgd32.exe, level 34)
- Executes dropped EXE
PID: 1868
C:\Windows\SysWOW64\Gefmcp32.exe (command line: C:\Windows\system32\Gefmcp32.exe, level 35)
- Executes dropped EXE
PID: 2024
C:\Windows\SysWOW64\Ghdiokbq.exe (command line: C:\Windows\system32\Ghdiokbq.exe, level 36)
- Executes dropped EXE
PID: 2936
C:\Windows\SysWOW64\Gkcekfad.exe (command line: C:\Windows\system32\Gkcekfad.exe, level 37)
- Executes dropped EXE
PID: 400
C:\Windows\SysWOW64\Gamnhq32.exe (command line: C:\Windows\system32\Gamnhq32.exe, level 38)
- Executes dropped EXE
PID: 1816
C:\Windows\SysWOW64\Gdkjdl32.exe (command line: C:\Windows\system32\Gdkjdl32.exe, level 39)
- Executes dropped EXE
PID: 1296
C:\Windows\SysWOW64\Goqnae32.exe (command line: C:\Windows\system32\Goqnae32.exe, level 40)
- Executes dropped EXE
- Drops file in System32 directory
PID: 1556
C:\Windows\SysWOW64\Gekfnoog.exe (command line: C:\Windows\system32\Gekfnoog.exe, level 41)
- Executes dropped EXE
PID: 2732
C:\Windows\SysWOW64\Gkgoff32.exe (command line: C:\Windows\system32\Gkgoff32.exe, level 42)
- Executes dropped EXE
PID: 3004
C:\Windows\SysWOW64\Gaagcpdl.exe (command line: C:\Windows\system32\Gaagcpdl.exe, level 43)
- Executes dropped EXE
PID: 1700
C:\Windows\SysWOW64\Hgnokgcc.exe (command line: C:\Windows\system32\Hgnokgcc.exe, level 44)
- Executes dropped EXE
PID: 316
C:\Windows\SysWOW64\Hnhgha32.exe (command line: C:\Windows\system32\Hnhgha32.exe, level 45)
- Executes dropped EXE
PID: 2880
C:\Windows\SysWOW64\Hdbpekam.exe (command line: C:\Windows\system32\Hdbpekam.exe, level 46)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID: 2676
C:\Windows\SysWOW64\Hgqlafap.exe (command line: C:\Windows\system32\Hgqlafap.exe, level 47)
- Executes dropped EXE
PID: 2764
C:\Windows\SysWOW64\Hjohmbpd.exe (command line: C:\Windows\system32\Hjohmbpd.exe, level 48)
- Executes dropped EXE
PID: 2568
C:\Windows\SysWOW64\Hqiqjlga.exe (command line: C:\Windows\system32\Hqiqjlga.exe, level 49)
- Executes dropped EXE
- Modifies registry class
PID: 2148
C:\Windows\SysWOW64\Hgciff32.exe (command line: C:\Windows\system32\Hgciff32.exe, level 50)
- Executes dropped EXE
PID: 1004
C:\Windows\SysWOW64\Hmpaom32.exe (command line: C:\Windows\system32\Hmpaom32.exe, level 51)
- Executes dropped EXE
PID: 624
C:\Windows\SysWOW64\Hcjilgdb.exe (command line: C:\Windows\system32\Hcjilgdb.exe, level 52)
- Executes dropped EXE
PID: 1660
C:\Windows\SysWOW64\Hifbdnbi.exe (command line: C:\Windows\system32\Hifbdnbi.exe, level 53)
- Executes dropped EXE
PID: 2896
C:\Windows\SysWOW64\Hclfag32.exe (command line: C:\Windows\system32\Hclfag32.exe, level 54)
- Executes dropped EXE
PID: 572
C:\Windows\SysWOW64\Hiioin32.exe (command line: C:\Windows\system32\Hiioin32.exe, level 55)
- Executes dropped EXE
PID: 2932
C:\Windows\SysWOW64\Icncgf32.exe (command line: C:\Windows\system32\Icncgf32.exe, level 56)
- Executes dropped EXE
PID: 2416
C:\Windows\SysWOW64\Ieponofk.exe (command line: C:\Windows\system32\Ieponofk.exe, level 57)
- Executes dropped EXE
PID: 2404
C:\Windows\SysWOW64\Ioeclg32.exe (command line: C:\Windows\system32\Ioeclg32.exe, level 58)
- Executes dropped EXE
PID: 2752
C:\Windows\SysWOW64\Ifolhann.exe (command line: C:\Windows\system32\Ifolhann.exe, level 59)
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID: 2644
C:\Windows\SysWOW64\Igqhpj32.exe (command line: C:\Windows\system32\Igqhpj32.exe, level 60)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID: 2996
C:\Windows\SysWOW64\Ibfmmb32.exe (command line: C:\Windows\system32\Ibfmmb32.exe, level 61)
- Executes dropped EXE
PID: 2044
C:\Windows\SysWOW64\Iipejmko.exe (command line: C:\Windows\system32\Iipejmko.exe, level 62)
- Executes dropped EXE
PID: 532
C:\Windows\SysWOW64\Inmmbc32.exe (command line: C:\Windows\system32\Inmmbc32.exe, level 63)
- Executes dropped EXE
PID: 2124
C:\Windows\SysWOW64\Iegeonpc.exe (command line: C:\Windows\system32\Iegeonpc.exe, level 64)
- Executes dropped EXE
PID: 876
C:\Windows\SysWOW64\Ijcngenj.exe (command line: C:\Windows\system32\Ijcngenj.exe, level 65)
- Executes dropped EXE
PID: 1620
C:\Windows\SysWOW64\Ieibdnnp.exe (command line: C:\Windows\system32\Ieibdnnp.exe, level 66)
- Adds autorun key to be loaded by Explorer.exe on startup
PID: 2096
C:\Windows\SysWOW64\Jfjolf32.exe (command line: C:\Windows\system32\Jfjolf32.exe, level 67)
PID: 1608
C:\Windows\SysWOW64\Japciodd.exe (command line: C:\Windows\system32\Japciodd.exe, level 68)
- Drops file in System32 directory
PID: 3024
C:\Windows\SysWOW64\Jgjkfi32.exe (command line: C:\Windows\system32\Jgjkfi32.exe, level 69)
PID: 2444
C:\Windows\SysWOW64\Jmfcop32.exe (command line: C:\Windows\system32\Jmfcop32.exe, level 70)
PID: 2808
C:\Windows\SysWOW64\Jcqlkjae.exe (command line: C:\Windows\system32\Jcqlkjae.exe, level 71)
PID: 2552
C:\Windows\SysWOW64\Jimdcqom.exe (command line: C:\Windows\system32\Jimdcqom.exe, level 72)
PID: 1712
C:\Windows\SysWOW64\Jpgmpk32.exe (command line: C:\Windows\system32\Jpgmpk32.exe, level 73)
PID: 1644
C:\Windows\SysWOW64\Jfaeme32.exe (command line: C:\Windows\system32\Jfaeme32.exe, level 74)
PID: 712
C:\Windows\SysWOW64\Jlnmel32.exe (command line: C:\Windows\system32\Jlnmel32.exe, level 75)
PID: 2356
C:\Windows\SysWOW64\Jnmiag32.exe (command line: C:\Windows\system32\Jnmiag32.exe, level 76)
PID: 1080
C:\Windows\SysWOW64\Jefbnacn.exe (command line: C:\Windows\system32\Jefbnacn.exe, level 77)
PID: 2120
C:\Windows\SysWOW64\Jibnop32.exe (command line: C:\Windows\system32\Jibnop32.exe, level 78)
PID: 1508
C:\Windows\SysWOW64\Jplfkjbd.exe (command line: C:\Windows\system32\Jplfkjbd.exe, level 79)
PID: 2172
C:\Windows\SysWOW64\Keioca32.exe (command line: C:\Windows\system32\Keioca32.exe, level 80)
PID: 2988
C:\Windows\SysWOW64\Khgkpl32.exe (command line: C:\Windows\system32\Khgkpl32.exe, level 81)
PID: 2688
C:\Windows\SysWOW64\Kjeglh32.exe (command line: C:\Windows\system32\Kjeglh32.exe, level 82)
PID: 2736
C:\Windows\SysWOW64\Kbmome32.exe (command line: C:\Windows\system32\Kbmome32.exe, level 83)
PID: 2928
C:\Windows\SysWOW64\Kdnkdmec.exe (command line: C:\Windows\system32\Kdnkdmec.exe, level 84)
PID: 2376
C:\Windows\SysWOW64\Klecfkff.exe (command line: C:\Windows\system32\Klecfkff.exe, level 85)
- Adds autorun key to be loaded by Explorer.exe on startup
PID: 2364
C:\Windows\SysWOW64\Kocpbfei.exe (command line: C:\Windows\system32\Kocpbfei.exe, level 86)
PID: 2224
C:\Windows\SysWOW64\Kenhopmf.exe (command line: C:\Windows\system32\Kenhopmf.exe, level 87)
PID: 2488
C:\Windows\SysWOW64\Khldkllj.exe (command line: C:\Windows\system32\Khldkllj.exe, level 88)
PID: 3008
C:\Windows\SysWOW64\Kkjpggkn.exe (command line: C:\Windows\system32\Kkjpggkn.exe, level 89)
- Modifies registry class
PID: 2460
C:\Windows\SysWOW64\Kadica32.exe (command line: C:\Windows\system32\Kadica32.exe, level 90)
- System Location Discovery: System Language Discovery
PID: 2624
C:\Windows\SysWOW64\Kdbepm32.exe (command line: C:\Windows\system32\Kdbepm32.exe, level 91)
- Adds autorun key to be loaded by Explorer.exe on startup
PID: 1544
C:\Windows\SysWOW64\Kkmmlgik.exe (command line: C:\Windows\system32\Kkmmlgik.exe, level 92)
PID: 1840
C:\Windows\SysWOW64\Kmkihbho.exe (command line: C:\Windows\system32\Kmkihbho.exe, level 93)
PID: 2960
C:\Windows\SysWOW64\Kpieengb.exe (command line: C:\Windows\system32\Kpieengb.exe, level 94)
PID: 2040
C:\Windows\SysWOW64\Kbhbai32.exe (command line: C:\Windows\system32\Kbhbai32.exe, level 95)
PID: 2100
C:\Windows\SysWOW64\Lmmfnb32.exe (command line: C:\Windows\system32\Lmmfnb32.exe, level 96)
PID: 2912
C:\Windows\SysWOW64\Ldgnklmi.exe (command line: C:\Windows\system32\Ldgnklmi.exe, level 97)
PID: 2504
C:\Windows\SysWOW64\Lgfjggll.exe (command line: C:\Windows\system32\Lgfjggll.exe, level 98)
- Modifies registry class
PID: 2372
C:\Windows\SysWOW64\Lidgcclp.exe (command line: C:\Windows\system32\Lidgcclp.exe, level 99)
- Adds autorun key to be loaded by Explorer.exe on startup
PID: 2656
C:\Windows\SysWOW64\Llbconkd.exe (command line: C:\Windows\system32\Llbconkd.exe, level 100)
PID: 2344
C:\Windows\SysWOW64\Loaokjjg.exe (command line: C:\Windows\system32\Loaokjjg.exe, level 101)
PID: 344
C:\Windows\SysWOW64\Lekghdad.exe (command line: C:\Windows\system32\Lekghdad.exe, level 102)
PID: 3080
C:\Windows\SysWOW64\Lhiddoph.exe (command line: C:\Windows\system32\Lhiddoph.exe, level 103)
PID: 3144
C:\Windows\SysWOW64\Lcohahpn.exe (command line: C:\Windows\system32\Lcohahpn.exe, level 104)
- System Location Discovery: System Language Discovery
PID: 3204
C:\Windows\SysWOW64\Lhlqjone.exe (command line: C:\Windows\system32\Lhlqjone.exe, level 105)
PID: 3268
C:\Windows\SysWOW64\Lkjmfjmi.exe (command line: C:\Windows\system32\Lkjmfjmi.exe, level 106)
PID: 3328
C:\Windows\SysWOW64\Ladebd32.exe (command line: C:\Windows\system32\Ladebd32.exe, level 107)
PID: 3392
C:\Windows\SysWOW64\Lhnmoo32.exe (command line: C:\Windows\system32\Lhnmoo32.exe, level 108)
PID: 3452
C:\Windows\SysWOW64\Lohelidp.exe (command line: C:\Windows\system32\Lohelidp.exe, level 109)
PID: 3516
C:\Windows\SysWOW64\Mdendpbg.exe (command line: C:\Windows\system32\Mdendpbg.exe, level 110)
PID: 3576
C:\Windows\SysWOW64\Mgcjpkak.exe (command line: C:\Windows\system32\Mgcjpkak.exe, level 111)
- Drops file in System32 directory
PID: 3636
C:\Windows\SysWOW64\Mnmbme32.exe (command line: C:\Windows\system32\Mnmbme32.exe, level 112)
PID: 3688
C:\Windows\SysWOW64\Mploiq32.exe (command line: C:\Windows\system32\Mploiq32.exe, level 113)
PID: 3752
C:\Windows\SysWOW64\Mkacfiga.exe (command line: C:\Windows\system32\Mkacfiga.exe, level 114)
PID: 3812
C:\Windows\SysWOW64\Mnpobefe.exe (command line: C:\Windows\system32\Mnpobefe.exe, level 115)
PID: 3876
C:\Windows\SysWOW64\Mclgklel.exe (command line: C:\Windows\system32\Mclgklel.exe, level 116)
PID: 3936
C:\Windows\SysWOW64\Mpphdpcf.exe (command line: C:\Windows\system32\Mpphdpcf.exe, level 117)
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID: 3992
C:\Windows\SysWOW64\Mcodqkbi.exe (command line: C:\Windows\system32\Mcodqkbi.exe, level 118)
PID: 4052
C:\Windows\SysWOW64\Mfmqmgbm.exe (command line: C:\Windows\system32\Mfmqmgbm.exe, level 119)
PID: 2360
C:\Windows\SysWOW64\Mqbejp32.exe (command line: C:\Windows\system32\Mqbejp32.exe, level 120)
PID: 1228
C:\Windows\SysWOW64\Mcaafk32.exe (command line: C:\Windows\system32\Mcaafk32.exe, level 121)
PID: 1944
C:\Windows\SysWOW64\Mjkibehc.exe (command line: C:\Windows\system32\Mjkibehc.exe, level 122)
PID: 2916
C:\Windows\SysWOW64\Mlieoqgg.exe (command line: C:\Windows\system32\Mlieoqgg.exe, level 123)
PID: 2492
C:\Windows\SysWOW64\Nccnlk32.exe (command line: C:\Windows\system32\Nccnlk32.exe, level 124)
PID: 2200
C:\Windows\SysWOW64\Nllbdp32.exe (command line: C:\Windows\system32\Nllbdp32.exe, level 125)
PID: 1768
C:\Windows\SysWOW64\Nojnql32.exe (command line: C:\Windows\system32\Nojnql32.exe, level 126)
PID: 3096
C:\Windows\SysWOW64\Nbhkmg32.exe (command line: C:\Windows\system32\Nbhkmg32.exe, level 127)
PID: 3168
C:\Windows\SysWOW64\Nmnojp32.exe (command line: C:\Windows\system32\Nmnojp32.exe, level 128)
- System Location Discovery: System Language Discovery
PID: 3296
C:\Windows\SysWOW64\Nomkfk32.exe (command line: C:\Windows\system32\Nomkfk32.exe, level 129)
PID: 3236
C:\Windows\SysWOW64\Ndicnb32.exe (command line: C:\Windows\system32\Ndicnb32.exe, level 130)
PID: 1876
C:\Windows\SysWOW64\Nkclkl32.exe (command line: C:\Windows\system32\Nkclkl32.exe, level 131)
PID: 3372
C:\Windows\SysWOW64\Nnahgh32.exe (command line: C:\Windows\system32\Nnahgh32.exe, level 132)
PID: 3436
C:\Windows\SysWOW64\Nqpdcc32.exe (command line: C:\Windows\system32\Nqpdcc32.exe, level 133)
PID: 3468
C:\Windows\SysWOW64\Ngjlpmnn.exe (command line: C:\Windows\system32\Ngjlpmnn.exe, level 134)
PID: 2572
C:\Windows\SysWOW64\Njhilimb.exe (command line: C:\Windows\system32\Njhilimb.exe, level 135)
- Drops file in System32 directory
PID: 3572
C:\Windows\SysWOW64\Nbpqmfmd.exe (command line: C:\Windows\system32\Nbpqmfmd.exe, level 136)
PID: 3652
C:\Windows\SysWOW64\Okhefl32.exe (command line: C:\Windows\system32\Okhefl32.exe, level 137)
PID: 3612
C:\Windows\SysWOW64\Ojkeah32.exe (command line: C:\Windows\system32\Ojkeah32.exe, level 138)
PID: 1384
C:\Windows\SysWOW64\Oepjoa32.exe (command line: C:\Windows\system32\Oepjoa32.exe, level 139)
- Drops file in System32 directory
PID: 3724
C:\Windows\SysWOW64\Ogofkm32.exe (command line: C:\Windows\system32\Ogofkm32.exe, level 140)
PID: 3804
C:\Windows\SysWOW64\Oninhgae.exe (command line: C:\Windows\system32\Oninhgae.exe, level 141)
- System Location Discovery: System Language Discovery
PID: 2600
C:\Windows\SysWOW64\Opjkpo32.exe (command line: C:\Windows\system32\Opjkpo32.exe, level 142)
- System Location Discovery: System Language Discovery
PID: 3892
C:\Windows\SysWOW64\Ogabql32.exe (command line: C:\Windows\system32\Ogabql32.exe, level 143)
PID: 3872
C:\Windows\SysWOW64\Oibohdmd.exe (command line: C:\Windows\system32\Oibohdmd.exe, level 144)
- Modifies registry class
PID: 4000
C:\Windows\SysWOW64\Ochcem32.exe (command line: C:\Windows\system32\Ochcem32.exe, level 145)
PID: 4040
C:\Windows\SysWOW64\Ojblbgdg.exe (command line: C:\Windows\system32\Ojblbgdg.exe, level 146)
PID: 3976
C:\Windows\SysWOW64\Omphocck.exe (command line: C:\Windows\system32\Omphocck.exe, level 147)
PID: 1396
C:\Windows\SysWOW64\Opodknco.exe (command line: C:\Windows\system32\Opodknco.exe, level 148)
PID: 2196
C:\Windows\SysWOW64\Ofilgh32.exe (command line: C:\Windows\system32\Ofilgh32.exe, level 149)
PID: 2952
C:\Windows\SysWOW64\Oighcd32.exe (command line: C:\Windows\system32\Oighcd32.exe, level 150)
PID: 1760
C:\Windows\SysWOW64\Opaqpn32.exe (command line: C:\Windows\system32\Opaqpn32.exe, level 151)
- Modifies registry class
PID: 2276
C:\Windows\SysWOW64\Pbomli32.exe (command line: C:\Windows\system32\Pbomli32.exe, level 152)
PID: 2744
C:\Windows\SysWOW64\Penihe32.exe (command line: C:\Windows\system32\Penihe32.exe, level 153)
PID: 1580
C:\Windows\SysWOW64\Phledp32.exe (command line: C:\Windows\system32\Phledp32.exe, level 154)
PID: 2888
C:\Windows\SysWOW64\Pnfnajed.exe (command line: C:\Windows\system32\Pnfnajed.exe, level 155)
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID: 2924
C:\Windows\SysWOW64\Pepfnd32.exe (command line: C:\Windows\system32\Pepfnd32.exe, level 156)
PID: 1076
C:\Windows\SysWOW64\Pljnkodm.exe (command line: C:\Windows\system32\Pljnkodm.exe, level 157)
- Modifies registry class
PID: 3132
C:\Windows\SysWOW64\Pbdfgilj.exe (command line: C:\Windows\system32\Pbdfgilj.exe, level 158)
PID: 3288
C:\Windows\SysWOW64\Pdecoa32.exe (command line: C:\Windows\system32\Pdecoa32.exe, level 159)
PID: 3224
C:\Windows\SysWOW64\Pnkglj32.exe (command line: C:\Windows\system32\Pnkglj32.exe, level 160)
- Modifies registry class
PID: 3316
C:\Windows\SysWOW64\Peeoidik.exe (command line: C:\Windows\system32\Peeoidik.exe, level 161)
PID: 3336
C:\Windows\SysWOW64\Pjahakgb.exe (command line: C:\Windows\system32\Pjahakgb.exe, level 162)
PID: 3408
C:\Windows\SysWOW64\Pmpdmfff.exe (command line: C:\Windows\system32\Pmpdmfff.exe, level 163)
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID: 2168
C:\Windows\SysWOW64\Ppopja32.exe (command line: C:\Windows\system32\Ppopja32.exe, level 164)
PID: 3524
C:\Windows\SysWOW64\Phehko32.exe (command line: C:\Windows\system32\Phehko32.exe, level 165)
PID: 3548
C:\Windows\SysWOW64\Qigebglj.exe (command line: C:\Windows\system32\Qigebglj.exe, level 166)
- Drops file in System32 directory
PID: 3664
C:\Windows\SysWOW64\Qpamoa32.exe (command line: C:\Windows\system32\Qpamoa32.exe, level 167)
PID: 3680
C:\Windows\SysWOW64\Qboikm32.exe (command line: C:\Windows\system32\Qboikm32.exe, level 168)
PID: 3740
C:\Windows\SysWOW64\Qjfalj32.exe (command line: C:\Windows\system32\Qjfalj32.exe, level 169)
PID: 3792
C:\Windows\SysWOW64\Qlgndbil.exe (command line: C:\Windows\system32\Qlgndbil.exe, level 170)
PID: 3844
C:\Windows\SysWOW64\Afmbak32.exe (command line: C:\Windows\system32\Afmbak32.exe, level 171)
- Drops file in System32 directory
PID: 2704
C:\Windows\SysWOW64\Amgjnepn.exe (command line: C:\Windows\system32\Amgjnepn.exe, level 172)
PID: 3952
C:\Windows\SysWOW64\Apefjqob.exe (command line: C:\Windows\system32\Apefjqob.exe, level 173)
PID: 3972
C:\Windows\SysWOW64\Abdbflnf.exe (command line: C:\Windows\system32\Abdbflnf.exe, level 174)
PID: 4060
C:\Windows\SysWOW64\Ainkcf32.exe (command line: C:\Windows\system32\Ainkcf32.exe, level 175)
PID: 1744
C:\Windows\SysWOW64\Aokckm32.exe (command line: C:\Windows\system32\Aokckm32.exe, level 176)
- Adds autorun key to be loaded by Explorer.exe on startup
PID: 1096
C:\Windows\SysWOW64\Aaipghcn.exe (command line: C:\Windows\system32\Aaipghcn.exe, level 177)
PID: 1484
C:\Windows\SysWOW64\Aipgifcp.exe (command line: C:\Windows\system32\Aipgifcp.exe, level 178)
PID: 2092
C:\Windows\SysWOW64\Alodeacc.exe (command line: C:\Windows\system32\Alodeacc.exe, level 179)
PID: 2328
C:\Windows\SysWOW64\Abhlak32.exe (command line: C:\Windows\system32\Abhlak32.exe, level 180)
PID: 1780
C:\Windows\SysWOW64\Aeghng32.exe (command line: C:\Windows\system32\Aeghng32.exe, level 181)
PID: 3052
C:\Windows\SysWOW64\Alaqjaaa.exe (command line: C:\Windows\system32\Alaqjaaa.exe, level 182)
PID: 2596
C:\Windows\SysWOW64\Anbmbi32.exe (command line: C:\Windows\system32\Anbmbi32.exe, level 183)
PID: 3160
C:\Windows\SysWOW64\Adleoc32.exe (command line: C:\Windows\system32\Adleoc32.exe, level 184)
PID: 3276
C:\Windows\SysWOW64\Agkako32.exe (command line: C:\Windows\system32\Agkako32.exe, level 185)
PID: 3220
C:\Windows\SysWOW64\Aoaill32.exe (command line: C:\Windows\system32\Aoaill32.exe, level 186)
PID: 2484
C:\Windows\SysWOW64\Bapfhg32.exe (command line: C:\Windows\system32\Bapfhg32.exe, level 187)
PID: 3400
C:\Windows\SysWOW64\Bdobdc32.exe (command line: C:\Windows\system32\Bdobdc32.exe, level 188)
- Drops file in System32 directory
PID: 3448
C:\Windows\SysWOW64\Bkhjamcf.exe (command line: C:\Windows\system32\Bkhjamcf.exe, level 189)
PID: 3560
C:\Windows\SysWOW64\Babbng32.exe (command line: C:\Windows\system32\Babbng32.exe, level 190)
PID: 1268
C:\Windows\SysWOW64\Bdaojbjf.exe (command line: C:\Windows\system32\Bdaojbjf.exe, level 191)
PID: 3676
C:\Windows\SysWOW64\Bgokfnij.exe (command line: C:\Windows\system32\Bgokfnij.exe, level 192)
- System Location Discovery: System Language Discovery
PID: 3716
C:\Windows\SysWOW64\Bnicbh32.exe (command line: C:\Windows\system32\Bnicbh32.exe, level 193)
PID: 1668
C:\Windows\SysWOW64\Bphooc32.exe (command line: C:\Windows\system32\Bphooc32.exe, level 194)
PID: 3908
C:\Windows\SysWOW64\Bedhgj32.exe (command line: C:\Windows\system32\Bedhgj32.exe, level 195)
PID: 3944
C:\Windows\SysWOW64\Bnlphh32.exe (command line: C:\Windows\system32\Bnlphh32.exe, level 196)
PID: 2264
C:\Windows\SysWOW64\Bomlppdb.exe (command line: C:\Windows\system32\Bomlppdb.exe, level 197)
PID: 3056
C:\Windows\SysWOW64\Bgddam32.exe (command line: C:\Windows\system32\Bgddam32.exe, level 198)
PID: 1980
C:\Windows\SysWOW64\Bjbqmi32.exe (command line: C:\Windows\system32\Bjbqmi32.exe, level 199)
PID: 2512
C:\Windows\SysWOW64\Bplijcle.exe (command line: C:\Windows\system32\Bplijcle.exe, level 200)
PID: 2724
C:\Windows\SysWOW64\Booiep32.exe (command line: C:\Windows\system32\Booiep32.exe, level 201)
- Drops file in System32 directory
PID: 1740
C:\Windows\SysWOW64\Baneak32.exe (command line: C:\Windows\system32\Baneak32.exe, level 202)
PID: 3076
C:\Windows\SysWOW64\Bjembh32.exe (command line: C:\Windows\system32\Bjembh32.exe, level 203)
- Modifies registry class
PID: 2776
C:\Windows\SysWOW64\Chgnneiq.exe (command line: C:\Windows\system32\Chgnneiq.exe, level 204)
PID: 3128
C:\Windows\SysWOW64\Cbpbgk32.exe (command line: C:\Windows\system32\Cbpbgk32.exe, level 205)
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID: 3244
C:\Windows\SysWOW64\Chjjde32.exe (command line: C:\Windows\system32\Chjjde32.exe, level 206)
- Drops file in System32 directory
PID: 756
C:\Windows\SysWOW64\Ckhfpp32.exe (command line: C:\Windows\system32\Ckhfpp32.exe, level 207)
PID: 3464
C:\Windows\SysWOW64\Cbbomjnn.exe (command line: C:\Windows\system32\Cbbomjnn.exe, level 208)
PID: 3504
C:\Windows\SysWOW64\Chlgid32.exe (command line: C:\Windows\system32\Chlgid32.exe, level 209)
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID: 3584
C:\Windows\SysWOW64\Cofofolh.exe (command line: C:\Windows\system32\Cofofolh.exe, level 210)
PID: 3632
C:\Windows\SysWOW64\Cnipak32.exe (command line: C:\Windows\system32\Cnipak32.exe, level 211)
- Drops file in System32 directory
PID: 3780
C:\Windows\SysWOW64\Chocodch.exe (command line: C:\Windows\system32\Chocodch.exe, level 212)
- System Location Discovery: System Language Discovery
PID: 3848
C:\Windows\SysWOW64\Ckmpkpbl.exe (command line: C:\Windows\system32\Ckmpkpbl.exe, level 213)
PID: 3928
C:\Windows\SysWOW64\Cbghhj32.exe (command line: C:\Windows\system32\Cbghhj32.exe, level 214)
PID: 4032
C:\Windows\SysWOW64\Cchdpbog.exe (command line: C:\Windows\system32\Cchdpbog.exe, level 215)
- Adds autorun key to be loaded by Explorer.exe on startup
PID: 3000
C:\Windows\SysWOW64\Cgdqpq32.exe (command line: C:\Windows\system32\Cgdqpq32.exe, level 216)
PID: 1872
C:\Windows\SysWOW64\Cmqihg32.exe (command line: C:\Windows\system32\Cmqihg32.exe, level 217)
PID: 800
C:\Windows\SysWOW64\Dcjaeamd.exe (command line: C:\Windows\system32\Dcjaeamd.exe, level 218)
PID: 1996
C:\Windows\SysWOW64\Djdjalea.exe (command line: C:\Windows\system32\Djdjalea.exe, level 219)
PID: 2792
C:\Windows\SysWOW64\Dqobnf32.exe (command line: C:\Windows\system32\Dqobnf32.exe, level 220)
PID: 2036
C:\Windows\SysWOW64\Dghjkpck.exe (command line: C:\Windows\system32\Dghjkpck.exe, level 221)
- System Location Discovery: System Language Discovery
PID: 3248
C:\Windows\SysWOW64\Dijfch32.exe (command line: C:\Windows\system32\Dijfch32.exe, level 222)
PID: 2508
C:\Windows\SysWOW64\Dqaode32.exe (command line: C:\Windows\system32\Dqaode32.exe, level 223)
PID: 3416
C:\Windows\SysWOW64\Dcokpa32.exe (command line: C:\Windows\system32\Dcokpa32.exe, level 224)
PID: 3544
C:\Windows\SysWOW64\Dfngll32.exe (command line: C:\Windows\system32\Dfngll32.exe, level 225)
PID: 3672
C:\Windows\SysWOW64\Dilchhgg.exe (command line: C:\Windows\system32\Dilchhgg.exe, level 226)
- System Location Discovery: System Language Discovery
PID: 3532
C:\Windows\SysWOW64\Dpfkeb32.exe (command line: C:\Windows\system32\Dpfkeb32.exe, level 227)
PID: 3840
C:\Windows\SysWOW64\Dfpcblfp.exe (command line: C:\Windows\system32\Dfpcblfp.exe, level 228)
PID: 2340
C:\Windows\SysWOW64\Dinpnged.exe (command line: C:\Windows\system32\Dinpnged.exe, level 229)
PID: 3904
C:\Windows\SysWOW64\Dkmljcdh.exe (command line: C:\Windows\system32\Dkmljcdh.exe, level 230)
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
- Modifies registry class
PID: 2948
C:\Windows\SysWOW64\Dnkhfnck.exe (command line: C:\Windows\system32\Dnkhfnck.exe, level 231)
PID: 2796
C:\Windows\SysWOW64\Deeqch32.exe (command line: C:\Windows\system32\Deeqch32.exe, level 232)
PID: 3176
C:\Windows\SysWOW64\Dgcmod32.exe (command line: C:\Windows\system32\Dgcmod32.exe, level 233)
PID: 2252
C:\Windows\SysWOW64\Epkepakn.exe (command line: C:\Windows\system32\Epkepakn.exe, level 234)
PID: 1420
C:\Windows\SysWOW64\Ebialmjb.exe (command line: C:\Windows\system32\Ebialmjb.exe, level 235)
PID: 3404
C:\Windows\SysWOW64\Eiciig32.exe (command line: C:\Windows\system32\Eiciig32.exe, level 236)
PID: 2152
C:\Windows\SysWOW64\Egfjdchi.exe (command line: C:\Windows\system32\Egfjdchi.exe, level 237)
PID: 3720
C:\Windows\SysWOW64\Ejdfqogm.exe (command line: C:\Windows\system32\Ejdfqogm.exe, level 238)
PID: 3732
C:\Windows\SysWOW64\Eejjnhgc.exe (command line: C:\Windows\system32\Eejjnhgc.exe, level 239)
PID: 3860
C:\Windows\SysWOW64\Ehhfjcff.exe (command line: C:\Windows\system32\Ehhfjcff.exe, level 240)
PID: 3240
C:\Windows\SysWOW64\Eldbkbop.exe (command line: C:\Windows\system32\Eldbkbop.exe, level 241)
PID: 2616
-
C:\Windows\SysWOW64\Emeobj32.exeC:\Windows\system32\Emeobj32.exe242⤵
- Modifies registry class
PID:2920