Analysis
max time kernel: 122s
max time network: 129s
platform: windows7_x64
resource: win7-20241010-en
resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
submitted: 10-11-2024 01:24
Static task: static1
Behavioral task: behavioral1
  Sample: a6f43f9d499d1215af648ce2e5228c1e81b2feecace59aa16824a3629a56b046.exe
  Resource: win7-20241010-en
Behavioral task: behavioral2
  Sample: a6f43f9d499d1215af648ce2e5228c1e81b2feecace59aa16824a3629a56b046.exe
  Resource: win10v2004-20241007-en
General
Target: a6f43f9d499d1215af648ce2e5228c1e81b2feecace59aa16824a3629a56b046.exe
Size: 79KB
MD5: 9e2d2fce33d9391cc79aaea1023b57ff
SHA1: 4f9d2d3e4114ccd02f85a5521aa7f28fd8ae3d34
SHA256: a6f43f9d499d1215af648ce2e5228c1e81b2feecace59aa16824a3629a56b046
SHA512: 98de92dd255d03f7149d8f4c5c9f091f90862846b100db9bf5c134db3d47fc072344ee856cc61a4b1aecad283e27f0f16f90dbc03e7468f7618006853429e822
SSDEEP: 1536:QvqJBuieQixkXMtc2fHllVMlWN8UEbiFkSIgiItKq9v6DK:UqJXqkaHld8UEbixtBtKq9vV
Malware Config
Extracted family: berbew
URLs:
http://crutop.nu/index.php
http://crutop.ru/index.php
http://mazafaka.ru/index.php
http://color-bank.ru/index.php
http://asechka.ru/index.php
http://trojan.ru/index.php
http://fuck.ru/index.php
http://goldensand.ru/index.php
http://filesearch.ru/index.php
http://devx.nm.ru/index.php
http://ros-neftbank.ru/index.php
http://lovingod.host.sk/index.php
http://www.redline.ru/index.php
http://cvv.ru/index.php
http://hackers.lv/index.php
http://fethard.biz/index.php
http://ldark.nm.ru/index.htm
http://gaz-prom.ru/index.htm
http://promo.ru/index.htm
http://potleaf.chat.ru/index.htm
http://kadet.ru/index.htm
http://cvv.ru/index.htm
http://crutop.nu/index.htm
http://crutop.ru/index.htm
http://mazafaka.ru/index.htm
http://xware.cjb.net/index.htm
http://konfiskat.org/index.htm
http://parex-bank.ru/index.htm
http://kidos-bank.ru/index.htm
http://kavkaz.ru/index.htm
http://fethard.biz/index.htm
Signatures

Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | 27 processes: Hechkfkc.exe, Lfnlcnih.exe, Ccgnelll.exe, Gjjafkpe.exe, Mlbkmdah.exe, Dammoahg.exe, Nbbegl32.exe, Cppakj32.exe, Ggfbpaeo.exe, Bllomg32.exe, Ghgjflof.exe, Iifghk32.exe, Bclqme32.exe, Dapjdq32.exe, Mdepmh32.exe, Eiilge32.exe, Npffaq32.exe, Iohbjpkb.exe, Gbjpem32.exe, Bopknhjd.exe, Ifgklp32.exe, Kaholp32.exe, Kgoebmip.exe, Pqgilnji.exe, Pncljmko.exe, Fjfjcdln.exe, Hbhagiem.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | 37 processes: Moccnoni.exe, Eqnillbb.exe, Immjnj32.exe, Chhpgn32.exe, Ejlnjg32.exe, Ddpbfl32.exe, Hofqpc32.exe, Npkdnnfk.exe, Jempcgad.exe, Iciaim32.exe, Afpapcnc.exe, Jojloc32.exe, Ebabicfn.exe, Hlcbfnjk.exe, Ccgnelll.exe, Hnmcli32.exe, Dkhnmfle.exe, Fgeabi32.exe, Agnjge32.exe, Aglmbfdk.exe, Cpidai32.exe, Pimkbbpi.exe, Mifkfhpa.exe, Dhgelk32.exe, Jcmgal32.exe, Lefikg32.exe, Dnnkec32.exe, Njhbabif.exe, Nhmbdl32.exe, Pajeanhf.exe, Dhobgp32.exe, Cdqfgh32.exe, Mokkegmm.exe, Gjjafkpe.exe, Jkllnn32.exe, Jbedkhie.exe, Qonlhd32.exe

Berbew family
Executes dropped EXE (64 IoCs)
pid | process
2792 | Eaqkcimg.exe
3016 | Ejioln32.exe
2804 | Edcqjc32.exe
2668 | Fmlecinf.exe
2168 | Fbimkpmm.exe
2000 | Flabdecn.exe
2456 | Fejfmk32.exe
2968 | Facdgl32.exe
2812 | Gagmbkik.exe
2376 | Ggfbpaeo.exe
576 | Gcmcebkc.exe
2460 | Gpacogjm.exe
1124 | Hofqpc32.exe
2148 | Hhoeii32.exe
2352 | Hhaanh32.exe
2232 | Hnpgloog.exe
2468 | Hkdgecna.exe
2380 | Iqcmcj32.exe
1288 | Imjmhkpj.exe
940 | Immjnj32.exe
884 | Ijqjgo32.exe
1072 | Ifgklp32.exe
1684 | Iifghk32.exe
1720 | Jnbpqb32.exe
2284 | Jngilalk.exe
2876 | Jjnjqb32.exe
3020 | Jpmooind.exe
2068 | Kjbclamj.exe
2664 | Kppldhla.exe
2684 | Kpbhjh32.exe
572 | Kngekdnf.exe
2676 | Kaholp32.exe
964 | Ldhgnk32.exe
2988 | Lmalgq32.exe
436 | Lmeebpkd.exe
2980 | Lbbnjgik.exe
2348 | Mokkegmm.exe
2248 | Mpkhoj32.exe
2392 | Mlahdkjc.exe
2128 | Mdmmhn32.exe
2132 | Moenkf32.exe
2400 | Nhmbdl32.exe
1388 | Ncgcdi32.exe
1728 | Npkdnnfk.exe
1696 | Njchfc32.exe
812 | Nggipg32.exe
1396 | Nobndj32.exe
1908 | Njhbabif.exe
1936 | Ocpfkh32.exe
1880 | Omhkcnfg.exe
2760 | Oddphp32.exe
2900 | Ogbldk32.exe
2116 | Oqkpmaif.exe
1588 | Ojceef32.exe
1972 | Oggeokoq.exe
2904 | Onamle32.exe
1208 | Pgibdjln.exe
2396 | Pmfjmake.exe
568 | Pglojj32.exe
2076 | Pimkbbpi.exe
1792 | Pcbookpp.exe
900 | Pmkdhq32.exe
1992 | Pbglpg32.exe
1568 | Pmmqmpdm.exe
Loads dropped DLL (64 IoCs)
Each of the following 32 processes appears twice in the table (two DLL loads each), 64 rows in total.
pid | process
2880 | a6f43f9d499d1215af648ce2e5228c1e81b2feecace59aa16824a3629a56b046.exe
2792 | Eaqkcimg.exe
3016 | Ejioln32.exe
2804 | Edcqjc32.exe
2668 | Fmlecinf.exe
2168 | Fbimkpmm.exe
2000 | Flabdecn.exe
2456 | Fejfmk32.exe
2968 | Facdgl32.exe
2812 | Gagmbkik.exe
2376 | Ggfbpaeo.exe
576 | Gcmcebkc.exe
2460 | Gpacogjm.exe
1124 | Hofqpc32.exe
2148 | Hhoeii32.exe
2352 | Hhaanh32.exe
2232 | Hnpgloog.exe
2468 | Hkdgecna.exe
2380 | Iqcmcj32.exe
1288 | Imjmhkpj.exe
940 | Immjnj32.exe
884 | Ijqjgo32.exe
1072 | Ifgklp32.exe
1684 | Iifghk32.exe
1720 | Jnbpqb32.exe
2284 | Jngilalk.exe
2876 | Jjnjqb32.exe
3020 | Jpmooind.exe
2068 | Kjbclamj.exe
2664 | Kppldhla.exe
2684 | Kpbhjh32.exe
572 | Kngekdnf.exe
Drops file in System32 directory (64 IoCs)
description | ioc | process
File created | C:\Windows\SysWOW64\Jllaig32.dll | Hghdjn32.exe
File created | C:\Windows\SysWOW64\Qoemceeo.dll | Efeoedjo.exe
File opened for modification | C:\Windows\SysWOW64\Lefikg32.exe | Lgbibb32.exe
File created | C:\Windows\SysWOW64\Gnmihgkh.exe | Gfadcemm.exe
File opened for modification | C:\Windows\SysWOW64\Pimkbbpi.exe | Pglojj32.exe
File created | C:\Windows\SysWOW64\Ajldkhjh.exe | Adblnnbk.exe
File created | C:\Windows\SysWOW64\Jbhhkn32.exe | Jojloc32.exe
File created | C:\Windows\SysWOW64\Amljgema.dll | Celpqbon.exe
File created | C:\Windows\SysWOW64\Jogacc32.dll | Oogiha32.exe
File created | C:\Windows\SysWOW64\Appbcn32.exe | Aifjgdkj.exe
File created | C:\Windows\SysWOW64\Hadfah32.exe | Hofjem32.exe
File opened for modification | C:\Windows\SysWOW64\Abbhje32.exe | Qmepanje.exe
File created | C:\Windows\SysWOW64\Inhcgajk.dll | Ccgnelll.exe
File created | C:\Windows\SysWOW64\Joebccpp.exe | Jqpebg32.exe
File opened for modification | C:\Windows\SysWOW64\Gaebfdba.exe | Glijnmdj.exe
File created | C:\Windows\SysWOW64\Ajociq32.exe | Aebjaj32.exe
File opened for modification | C:\Windows\SysWOW64\Fbimkpmm.exe | Fmlecinf.exe
File opened for modification | C:\Windows\SysWOW64\Einebddd.exe | Eikimeff.exe
File created | C:\Windows\SysWOW64\Hhnnnbaj.exe | Hadfah32.exe
File created | C:\Windows\SysWOW64\Pjibmbqj.dll | Pbpoebgc.exe
File opened for modification | C:\Windows\SysWOW64\Lckpbm32.exe | Lkcgapjl.exe
File created | C:\Windows\SysWOW64\Hipnaoog.dll | Ldhgnk32.exe
File created | C:\Windows\SysWOW64\Oddphp32.exe | Omhkcnfg.exe
File created | C:\Windows\SysWOW64\Kipdmjne.dll | Bmelpa32.exe
File created | C:\Windows\SysWOW64\Ejfnda32.exe | Eqnillbb.exe
File created | C:\Windows\SysWOW64\Dapchl32.dll | Jgmlmj32.exe
File created | C:\Windows\SysWOW64\Albjnplq.exe | Ajamfh32.exe
File opened for modification | C:\Windows\SysWOW64\Ihbdhepp.exe | Iohbjpkb.exe
File created | C:\Windows\SysWOW64\Dbejjfek.exe | Dlhaaogd.exe
File created | C:\Windows\SysWOW64\Hqaiha32.dll | Hnmcli32.exe
File created | C:\Windows\SysWOW64\Gmkakd32.dll | Keiqlihp.exe
File created | C:\Windows\SysWOW64\Ockdmn32.exe | Oibpdico.exe
File opened for modification | C:\Windows\SysWOW64\Lmeebpkd.exe | Lmalgq32.exe
File created | C:\Windows\SysWOW64\Bhhjdb32.dll | Admgglep.exe
File opened for modification | C:\Windows\SysWOW64\Joebccpp.exe | Jqpebg32.exe
File created | C:\Windows\SysWOW64\Cklkcgfb.dll | Aglmbfdk.exe
File created | C:\Windows\SysWOW64\Enkcccnb.dll | Apilcoho.exe
File opened for modification | C:\Windows\SysWOW64\Apkihofl.exe | Ahpddmia.exe
File created | C:\Windows\SysWOW64\Jmdaehpn.dll | Albjnplq.exe
File created | C:\Windows\SysWOW64\Johoic32.exe | Jfojpn32.exe
File created | C:\Windows\SysWOW64\Ligfakaa.exe | Lpoaheja.exe
File created | C:\Windows\SysWOW64\Gdnipekj.dll | Ojdjqp32.exe
File created | C:\Windows\SysWOW64\Jggdmb32.dll | Bknfeege.exe
File created | C:\Windows\SysWOW64\Mifkfhpa.exe | Mlbkmdah.exe
File created | C:\Windows\SysWOW64\Amoaeb32.dll | Jnbpqb32.exe
File created | C:\Windows\SysWOW64\Aifjgdkj.exe | Albjnplq.exe
File created | C:\Windows\SysWOW64\Ddpbfl32.exe | Dkhnmfle.exe
File created | C:\Windows\SysWOW64\Apkihofl.exe | Ahpddmia.exe
File created | C:\Windows\SysWOW64\Mllhne32.exe | Mdepmh32.exe
File created | C:\Windows\SysWOW64\Dlchfp32.exe | Dgfpni32.exe
File created | C:\Windows\SysWOW64\Gmkiol32.dll | Dbggpfci.exe
File created | C:\Windows\SysWOW64\Hmefad32.exe | Gjbqjiem.exe
File created | C:\Windows\SysWOW64\Hjmjhgbh.dll | Anfeop32.exe
File created | C:\Windows\SysWOW64\Ejccaofe.dll | Iainddpg.exe
File opened for modification | C:\Windows\SysWOW64\Eaqkcimg.exe | a6f43f9d499d1215af648ce2e5228c1e81b2feecace59aa16824a3629a56b046.exe
File opened for modification | C:\Windows\SysWOW64\Ghekhd32.exe | Gbhcpmkm.exe
File created | C:\Windows\SysWOW64\Dodohnaa.dll | Apkihofl.exe
File created | C:\Windows\SysWOW64\Pddiabfi.dll | Mjbghkfi.exe
File opened for modification | C:\Windows\SysWOW64\Ekjgbi32.exe | Ebabicfn.exe
File created | C:\Windows\SysWOW64\Miaaki32.exe | Mpimbcnf.exe
File created | C:\Windows\SysWOW64\Bpecpkfk.dll | Eplmflde.exe
File opened for modification | C:\Windows\SysWOW64\Qgfkchmp.exe | Pnnfkb32.exe
File created | C:\Windows\SysWOW64\Qnekmihd.dll | Ijampgde.exe
File opened for modification | C:\Windows\SysWOW64\Npkfff32.exe | Nknnnoph.exe
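The rows above pair each dropped file with the process that wrote it, so the dropper-to-dropped chain can be rebuilt from them (the sample writes Eaqkcimg.exe, Ajamfh32.exe writes Albjnplq.exe, which writes Aifjgdkj.exe, and so on). Every dropped name also follows one pattern: a capital letter followed by seven lower-case letters or digits, always under C:\Windows\SysWOW64. The following Python script is an added example, not code from this report or from the sandbox; its input is a constructed subset of the rows above, copied as printed, and the naming-scheme check is a heuristic read off these rows, not a published Berbew signature.

```python
import re
from collections import defaultdict

# Constructed input: a subset of the "Drops file in System32 directory"
# rows above, copied verbatim, one row per line.
FILE_IOCS = r"""
File opened for modification C:\Windows\SysWOW64\Eaqkcimg.exe a6f43f9d499d1215af648ce2e5228c1e81b2feecace59aa16824a3629a56b046.exe
File opened for modification C:\Windows\SysWOW64\Fbimkpmm.exe Fmlecinf.exe
File created C:\Windows\SysWOW64\Jllaig32.dll Hghdjn32.exe
File created C:\Windows\SysWOW64\Gnmihgkh.exe Gfadcemm.exe
File opened for modification C:\Windows\SysWOW64\Pimkbbpi.exe Pglojj32.exe
File created C:\Windows\SysWOW64\Oddphp32.exe Omhkcnfg.exe
File created C:\Windows\SysWOW64\Albjnplq.exe Ajamfh32.exe
File created C:\Windows\SysWOW64\Aifjgdkj.exe Albjnplq.exe
File created C:\Windows\SysWOW64\Appbcn32.exe Aifjgdkj.exe
File created C:\Windows\SysWOW64\Jmdaehpn.dll Albjnplq.exe
File created C:\Windows\SysWOW64\Amoaeb32.dll Jnbpqb32.exe
"""
SAMPLE = "a6f43f9d499d1215af648ce2e5228c1e81b2feecace59aa16824a3629a56b046.exe"

ROW_RE = re.compile(
    r"^File (?P<action>created|opened for modification) (?P<path>[A-Za-z]:\\\S+) (?P<proc>\S+)$")
# Heuristic derived from the names in this report (not a published signature):
# an 8-character base name, one capital letter then seven lower-case letters/digits.
NAME_RE = re.compile(r"^[A-Z][a-z0-9]{7}\.(exe|dll)$")
TARGET_DIR = r"c:\windows\syswow64"


def parse_file_iocs(text):
    """Return (action, full_path, writing_process) for each parsable row."""
    rows = []
    for line in text.strip().splitlines():
        m = ROW_RE.match(line)
        if m:
            rows.append((m["action"], m["path"], m["proc"]))
    return rows


def basename(path):
    return path.rsplit("\\", 1)[-1]


def dirname(path):
    return path.rsplit("\\", 1)[0]


def matches_naming_scheme(path):
    """True when the file lands in SysWOW64 under the 8-character naming pattern."""
    return dirname(path).lower() == TARGET_DIR and NAME_RE.match(basename(path)) is not None


def drop_edges(rows):
    """Map each writing process to the executables it dropped.
    'opened for modification' is treated as a write, the same as 'created'."""
    edges = defaultdict(set)
    for _action, path, proc in rows:
        name = basename(path)
        if name.lower().endswith(".exe"):
            edges[proc].add(name)
    return edges


def longest_chain(edges, start, _seen=None):
    """Follow dropper -> dropped-executable edges from `start`; return the longest chain."""
    seen = set() if _seen is None else _seen
    seen.add(start)
    best = [start]
    for child in sorted(edges.get(start, ())):
        if child in seen:          # guard against a dropper re-writing an ancestor
            continue
        cand = [start] + longest_chain(edges, child, set(seen))
        if len(cand) > len(best):
            best = cand
    return best


def dropped_dlls(rows):
    """The DLLs dropped alongside the executables (the COM servers, see the CLSID rows)."""
    return sorted(basename(p) for _a, p, _w in rows if p.lower().endswith(".dll"))


def suspicious_drops(rows):
    """Rows whose target path fits the naming scheme. On a live EDR feed you would
    additionally require the writer not to be a Microsoft-signed process."""
    return [r for r in rows if matches_naming_scheme(r[1])]


if __name__ == "__main__":
    rows = parse_file_iocs(FILE_IOCS)
    edges = drop_edges(rows)
    for root in (SAMPLE, "Ajamfh32.exe"):
        print(" -> ".join(longest_chain(edges, root)))
    print("dropped DLLs:", dropped_dlls(rows))
    print("rows matching naming scheme:", len(suspicious_drops(rows)), "of", len(rows))
```

Because the report shows only 64 of the drop rows, the reconstructed chains are partial; on a full trace the same edge-walk from the sample's own name yields the whole dropper lineage.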
Program crash (1 IoC)
pid | pid_target | process | target process
2572 | 4744 | WerFault.exe | Ockdmn32.exe
System Location Discovery: System Language Discovery (1 TTP, 64 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 64 processes: Oqkpmaif.exe, Dlchfp32.exe, Eomdoj32.exe, Iilceh32.exe, Mokkegmm.exe, Ojdjqp32.exe, Npppaejj.exe, Onocon32.exe, Enenef32.exe, Jngilalk.exe, Jqpebg32.exe, Capmemci.exe, Mganfp32.exe, Nmbmii32.exe, Oddphp32.exe, Aifjgdkj.exe, Gagmbkik.exe, Chhpgn32.exe, Npkfff32.exe, Heijidbn.exe, Gidhbgag.exe, Mdmmhn32.exe, Pbglpg32.exe, Dfhgggim.exe, Nknnnoph.exe, Jpmooind.exe, Gbjpem32.exe, Abbhje32.exe, Bphaglgo.exe, Ajociq32.exe, Fqnfkoen.exe, Mdmhfpkg.exe, Hchoop32.exe, Kmnlhg32.exe, Moccnoni.exe, Nkqjdo32.exe, Kfdfdf32.exe, Fabmmejd.exe, Joebccpp.exe, Dgkiih32.exe, Bllomg32.exe, Bmgifa32.exe, Pmfjmake.exe, Djmiejji.exe, Lodnjboi.exe, Qmcclolh.exe, Djmknb32.exe, Hdcdfmqe.exe, Hhoeii32.exe, Mdepmh32.exe, Aebjaj32.exe, Cfhlbe32.exe, Cpidai32.exe, Iainddpg.exe, Omqjgl32.exe, Aiflpm32.exe, Bbcjca32.exe, Gcmcebkc.exe, Jnbpqb32.exe, Gkhaooec.exe, Kkciic32.exe, Lfnlcnih.exe, Hipkfkgh.exe, Pmiikipg.exe
Modifies registry class (64 IoCs)
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cdokfc32.dll" | Ogbldk32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Llmhgcfd.dll" | Fappgflg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cinefnpo.dll" | Goapjnoo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dapaph32.dll" | Lfnlcnih.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gkpnjeha.dll" | Hdkaabnh.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nomklqkm.dll" | Jbhhkn32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fgfien32.dll" | Cgbfcjag.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjblfjdp.dll" | Fheoiqgi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Agfnig32.dll" | Cglfndaa.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Honblmaq.dll" | Mdmhfpkg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Phgjeonp.dll" | Dgfpni32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kddpplhi.dll" | Johaalea.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ienjoljk.dll" | Cnflae32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkcmnk32.dll" | Adblnnbk.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nelgfoke.dll" | Jjmcfl32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lodpeepd.dll" | Jnlepioj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pgaimd32.dll" | Oahbjmjp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Knqcng32.dll" | Eaqkcimg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pbcdpd32.dll" | Hnflnfbm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | 17 processes: Fnmjpk32.exe, Ilmlfcel.exe, Hjhchg32.exe, Fnjnkkbk.exe, Apkihofl.exe, Djmiejji.exe, Kkaolm32.exe, Cdfgmnpa.exe, Neghdg32.exe, Lmeebpkd.exe, Ocpfkh32.exe, Npnclf32.exe, Gpacogjm.exe, Cgbfcjag.exe, Celpqbon.exe, Pbglpg32.exe, Gjjafkpe.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | 21 processes: Cceapl32.exe, Gbhcpmkm.exe, Lpoaheja.exe, Blnkbg32.exe, Oggeokoq.exe, Djmiejji.exe, Kkciic32.exe, Npkfff32.exe, Pmiikipg.exe, Dhgelk32.exe, Bakdjn32.exe, Jkllnn32.exe, Jnbpqb32.exe, Djmknb32.exe, Lckpbm32.exe, Bhpqcpkm.exe, Mllhne32.exe, Bopknhjd.exe, Kpgdnp32.exe, Ocpfkh32.exe, Mpkhoj32.exe
Set value (str)
\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Keiqlihp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bdfjnkne.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cppakj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nliqma32.dll" Cgnpjkhj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jmnbbmon.dll" Oknjmb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mbdfni32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Njhbabif.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
Processes
Depth  Image path (cmd: command line)  PID  Behaviour tags
1  C:\Users\Admin\AppData\Local\Temp\a6f43f9d499d1215af648ce2e5228c1e81b2feecace59aa16824a3629a56b046.exe (cmd: "C:\Users\Admin\AppData\Local\Temp\a6f43f9d499d1215af648ce2e5228c1e81b2feecace59aa16824a3629a56b046.exe")  PID 2880  Loads dropped DLL; Drops file in System32 directory; Suspicious use of WriteProcessMemory
2  C:\Windows\SysWOW64\Eaqkcimg.exe (cmd: C:\Windows\system32\Eaqkcimg.exe)  PID 2792  Executes dropped EXE; Loads dropped DLL; Modifies registry class; Suspicious use of WriteProcessMemory
3  C:\Windows\SysWOW64\Ejioln32.exe (cmd: C:\Windows\system32\Ejioln32.exe)  PID 3016  Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
4  C:\Windows\SysWOW64\Edcqjc32.exe (cmd: C:\Windows\system32\Edcqjc32.exe)  PID 2804  Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
5  C:\Windows\SysWOW64\Fmlecinf.exe (cmd: C:\Windows\system32\Fmlecinf.exe)  PID 2668  Executes dropped EXE; Loads dropped DLL; Drops file in System32 directory; Suspicious use of WriteProcessMemory
6  C:\Windows\SysWOW64\Fbimkpmm.exe (cmd: C:\Windows\system32\Fbimkpmm.exe)  PID 2168  Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
7  C:\Windows\SysWOW64\Flabdecn.exe (cmd: C:\Windows\system32\Flabdecn.exe)  PID 2000  Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
8  C:\Windows\SysWOW64\Fejfmk32.exe (cmd: C:\Windows\system32\Fejfmk32.exe)  PID 2456  Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
9  C:\Windows\SysWOW64\Facdgl32.exe (cmd: C:\Windows\system32\Facdgl32.exe)  PID 2968  Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
10  C:\Windows\SysWOW64\Gagmbkik.exe (cmd: C:\Windows\system32\Gagmbkik.exe)  PID 2812  Executes dropped EXE; Loads dropped DLL; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
11  C:\Windows\SysWOW64\Ggfbpaeo.exe (cmd: C:\Windows\system32\Ggfbpaeo.exe)  PID 2376  Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
12  C:\Windows\SysWOW64\Gcmcebkc.exe (cmd: C:\Windows\system32\Gcmcebkc.exe)  PID 576  Executes dropped EXE; Loads dropped DLL; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
13  C:\Windows\SysWOW64\Gpacogjm.exe (cmd: C:\Windows\system32\Gpacogjm.exe)  PID 2460  Executes dropped EXE; Loads dropped DLL; Modifies registry class; Suspicious use of WriteProcessMemory
14  C:\Windows\SysWOW64\Hofqpc32.exe (cmd: C:\Windows\system32\Hofqpc32.exe)  PID 1124  Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
15  C:\Windows\SysWOW64\Hhoeii32.exe (cmd: C:\Windows\system32\Hhoeii32.exe)  PID 2148  Executes dropped EXE; Loads dropped DLL; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
16  C:\Windows\SysWOW64\Hhaanh32.exe (cmd: C:\Windows\system32\Hhaanh32.exe)  PID 2352  Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
17  C:\Windows\SysWOW64\Hnpgloog.exe (cmd: C:\Windows\system32\Hnpgloog.exe)  PID 2232  Executes dropped EXE; Loads dropped DLL
18  C:\Windows\SysWOW64\Hkdgecna.exe (cmd: C:\Windows\system32\Hkdgecna.exe)  PID 2468  Executes dropped EXE; Loads dropped DLL
19  C:\Windows\SysWOW64\Iqcmcj32.exe (cmd: C:\Windows\system32\Iqcmcj32.exe)  PID 2380  Executes dropped EXE; Loads dropped DLL
20  C:\Windows\SysWOW64\Imjmhkpj.exe (cmd: C:\Windows\system32\Imjmhkpj.exe)  PID 1288  Executes dropped EXE; Loads dropped DLL
21  C:\Windows\SysWOW64\Immjnj32.exe (cmd: C:\Windows\system32\Immjnj32.exe)  PID 940  Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Loads dropped DLL
22  C:\Windows\SysWOW64\Ijqjgo32.exe (cmd: C:\Windows\system32\Ijqjgo32.exe)  PID 884  Executes dropped EXE; Loads dropped DLL
23  C:\Windows\SysWOW64\Ifgklp32.exe (cmd: C:\Windows\system32\Ifgklp32.exe)  PID 1072  Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Loads dropped DLL
24  C:\Windows\SysWOW64\Iifghk32.exe (cmd: C:\Windows\system32\Iifghk32.exe)  PID 1684  Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Loads dropped DLL
25  C:\Windows\SysWOW64\Jnbpqb32.exe (cmd: C:\Windows\system32\Jnbpqb32.exe)  PID 1720  Executes dropped EXE; Loads dropped DLL; Drops file in System32 directory; System Location Discovery: System Language Discovery; Modifies registry class
26  C:\Windows\SysWOW64\Jngilalk.exe (cmd: C:\Windows\system32\Jngilalk.exe)  PID 2284  Executes dropped EXE; Loads dropped DLL; System Location Discovery: System Language Discovery
27  C:\Windows\SysWOW64\Jjnjqb32.exe (cmd: C:\Windows\system32\Jjnjqb32.exe)  PID 2876  Executes dropped EXE; Loads dropped DLL
28  C:\Windows\SysWOW64\Jpmooind.exe (cmd: C:\Windows\system32\Jpmooind.exe)  PID 3020  Executes dropped EXE; Loads dropped DLL; System Location Discovery: System Language Discovery
29  C:\Windows\SysWOW64\Kjbclamj.exe (cmd: C:\Windows\system32\Kjbclamj.exe)  PID 2068  Executes dropped EXE; Loads dropped DLL
30  C:\Windows\SysWOW64\Kppldhla.exe (cmd: C:\Windows\system32\Kppldhla.exe)  PID 2664  Executes dropped EXE; Loads dropped DLL
31  C:\Windows\SysWOW64\Kpbhjh32.exe (cmd: C:\Windows\system32\Kpbhjh32.exe)  PID 2684  Executes dropped EXE; Loads dropped DLL
32  C:\Windows\SysWOW64\Kngekdnf.exe (cmd: C:\Windows\system32\Kngekdnf.exe)  PID 572  Executes dropped EXE; Loads dropped DLL
33  C:\Windows\SysWOW64\Kaholp32.exe (cmd: C:\Windows\system32\Kaholp32.exe)  PID 2676  Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE
34  C:\Windows\SysWOW64\Ldhgnk32.exe (cmd: C:\Windows\system32\Ldhgnk32.exe)  PID 964  Executes dropped EXE; Drops file in System32 directory
35  C:\Windows\SysWOW64\Lmalgq32.exe (cmd: C:\Windows\system32\Lmalgq32.exe)  PID 2988  Executes dropped EXE; Drops file in System32 directory
36  C:\Windows\SysWOW64\Lmeebpkd.exe (cmd: C:\Windows\system32\Lmeebpkd.exe)  PID 436  Executes dropped EXE; Modifies registry class
37  C:\Windows\SysWOW64\Lbbnjgik.exe (cmd: C:\Windows\system32\Lbbnjgik.exe)  PID 2980  Executes dropped EXE
38  C:\Windows\SysWOW64\Mokkegmm.exe (cmd: C:\Windows\system32\Mokkegmm.exe)  PID 2348  Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; System Location Discovery: System Language Discovery
39  C:\Windows\SysWOW64\Mpkhoj32.exe (cmd: C:\Windows\system32\Mpkhoj32.exe)  PID 2248  Executes dropped EXE; Modifies registry class
40  C:\Windows\SysWOW64\Mlahdkjc.exe (cmd: C:\Windows\system32\Mlahdkjc.exe)  PID 2392  Executes dropped EXE
41  C:\Windows\SysWOW64\Mdmmhn32.exe (cmd: C:\Windows\system32\Mdmmhn32.exe)  PID 2128  Executes dropped EXE; System Location Discovery: System Language Discovery
42  C:\Windows\SysWOW64\Moenkf32.exe (cmd: C:\Windows\system32\Moenkf32.exe)  PID 2132  Executes dropped EXE
43  C:\Windows\SysWOW64\Nhmbdl32.exe (cmd: C:\Windows\system32\Nhmbdl32.exe)  PID 2400  Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE
44  C:\Windows\SysWOW64\Ncgcdi32.exe (cmd: C:\Windows\system32\Ncgcdi32.exe)  PID 1388  Executes dropped EXE
45  C:\Windows\SysWOW64\Npkdnnfk.exe (cmd: C:\Windows\system32\Npkdnnfk.exe)  PID 1728  Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE
46  C:\Windows\SysWOW64\Njchfc32.exe (cmd: C:\Windows\system32\Njchfc32.exe)  PID 1696  Executes dropped EXE
47  C:\Windows\SysWOW64\Nggipg32.exe (cmd: C:\Windows\system32\Nggipg32.exe)  PID 812  Executes dropped EXE
48  C:\Windows\SysWOW64\Nobndj32.exe (cmd: C:\Windows\system32\Nobndj32.exe)  PID 1396  Executes dropped EXE
49  C:\Windows\SysWOW64\Njhbabif.exe (cmd: C:\Windows\system32\Njhbabif.exe)  PID 1908  Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Modifies registry class
50  C:\Windows\SysWOW64\Ocpfkh32.exe (cmd: C:\Windows\system32\Ocpfkh32.exe)  PID 1936  Executes dropped EXE; Modifies registry class
51  C:\Windows\SysWOW64\Omhkcnfg.exe (cmd: C:\Windows\system32\Omhkcnfg.exe)  PID 1880  Executes dropped EXE; Drops file in System32 directory
52  C:\Windows\SysWOW64\Oddphp32.exe (cmd: C:\Windows\system32\Oddphp32.exe)  PID 2760  Executes dropped EXE; System Location Discovery: System Language Discovery
53  C:\Windows\SysWOW64\Ogbldk32.exe (cmd: C:\Windows\system32\Ogbldk32.exe)  PID 2900  Executes dropped EXE; Modifies registry class
54  C:\Windows\SysWOW64\Oqkpmaif.exe (cmd: C:\Windows\system32\Oqkpmaif.exe)  PID 2116  Executes dropped EXE; System Location Discovery: System Language Discovery
55  C:\Windows\SysWOW64\Ojceef32.exe (cmd: C:\Windows\system32\Ojceef32.exe)  PID 1588  Executes dropped EXE
56  C:\Windows\SysWOW64\Oggeokoq.exe (cmd: C:\Windows\system32\Oggeokoq.exe)  PID 1972  Executes dropped EXE; Modifies registry class
57  C:\Windows\SysWOW64\Onamle32.exe (cmd: C:\Windows\system32\Onamle32.exe)  PID 2904  Executes dropped EXE
58  C:\Windows\SysWOW64\Pgibdjln.exe (cmd: C:\Windows\system32\Pgibdjln.exe)  PID 1208  Executes dropped EXE
59  C:\Windows\SysWOW64\Pmfjmake.exe (cmd: C:\Windows\system32\Pmfjmake.exe)  PID 2396  Executes dropped EXE; System Location Discovery: System Language Discovery
60  C:\Windows\SysWOW64\Pglojj32.exe (cmd: C:\Windows\system32\Pglojj32.exe)  PID 568  Executes dropped EXE; Drops file in System32 directory
61  C:\Windows\SysWOW64\Pimkbbpi.exe (cmd: C:\Windows\system32\Pimkbbpi.exe)  PID 2076  Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE
62  C:\Windows\SysWOW64\Pcbookpp.exe (cmd: C:\Windows\system32\Pcbookpp.exe)  PID 1792  Executes dropped EXE
63  C:\Windows\SysWOW64\Pmkdhq32.exe (cmd: C:\Windows\system32\Pmkdhq32.exe)  PID 900  Executes dropped EXE
64  C:\Windows\SysWOW64\Pbglpg32.exe (cmd: C:\Windows\system32\Pbglpg32.exe)  PID 1992  Executes dropped EXE; System Location Discovery: System Language Discovery; Modifies registry class
65  C:\Windows\SysWOW64\Pmmqmpdm.exe (cmd: C:\Windows\system32\Pmmqmpdm.exe)  PID 1568  Executes dropped EXE
66  C:\Windows\SysWOW64\Pfeeff32.exe (cmd: C:\Windows\system32\Pfeeff32.exe)  PID 1940
67  C:\Windows\SysWOW64\Phgannal.exe (cmd: C:\Windows\system32\Phgannal.exe)  PID 1920
68  C:\Windows\SysWOW64\Qblfkgqb.exe (cmd: C:\Windows\system32\Qblfkgqb.exe)  PID 2540
69  C:\Windows\SysWOW64\Qldjdlgb.exe (cmd: C:\Windows\system32\Qldjdlgb.exe)  PID 888
70  C:\Windows\SysWOW64\Qaablcej.exe (cmd: C:\Windows\system32\Qaablcej.exe)  PID 1668
71  C:\Windows\SysWOW64\Qlggjlep.exe (cmd: C:\Windows\system32\Qlggjlep.exe)  PID 2800
72  C:\Windows\SysWOW64\Adblnnbk.exe (cmd: C:\Windows\system32\Adblnnbk.exe)  PID 2748  Drops file in System32 directory; Modifies registry class
73  C:\Windows\SysWOW64\Ajldkhjh.exe (cmd: C:\Windows\system32\Ajldkhjh.exe)  PID 2616
74  C:\Windows\SysWOW64\Apilcoho.exe (cmd: C:\Windows\system32\Apilcoho.exe)  PID 1780  Drops file in System32 directory
75  C:\Windows\SysWOW64\Ahpddmia.exe (cmd: C:\Windows\system32\Ahpddmia.exe)  PID 2496  Drops file in System32 directory
76  C:\Windows\SysWOW64\Apkihofl.exe (cmd: C:\Windows\system32\Apkihofl.exe)  PID 1664  Drops file in System32 directory; Modifies registry class
77  C:\Windows\SysWOW64\Ajamfh32.exe (cmd: C:\Windows\system32\Ajamfh32.exe)  PID 1140  Drops file in System32 directory
78  C:\Windows\SysWOW64\Albjnplq.exe (cmd: C:\Windows\system32\Albjnplq.exe)  PID 332  Drops file in System32 directory
79  C:\Windows\SysWOW64\Aifjgdkj.exe (cmd: C:\Windows\system32\Aifjgdkj.exe)  PID 2188  Drops file in System32 directory; System Location Discovery: System Language Discovery
80  C:\Windows\SysWOW64\Appbcn32.exe (cmd: C:\Windows\system32\Appbcn32.exe)  PID 1964
81  C:\Windows\SysWOW64\Bfjkphjd.exe (cmd: C:\Windows\system32\Bfjkphjd.exe)  PID 1188
82  C:\Windows\SysWOW64\Blgcio32.exe (cmd: C:\Windows\system32\Blgcio32.exe)  PID 1980
83  C:\Windows\SysWOW64\Beogaenl.exe (cmd: C:\Windows\system32\Beogaenl.exe)  PID 112
84  C:\Windows\SysWOW64\Bbchkime.exe (cmd: C:\Windows\system32\Bbchkime.exe)  PID 2432
85  C:\Windows\SysWOW64\Bhpqcpkm.exe (cmd: C:\Windows\system32\Bhpqcpkm.exe)  PID 960  Modifies registry class
86  C:\Windows\SysWOW64\Bedamd32.exe (cmd: C:\Windows\system32\Bedamd32.exe)  PID 2428
87  C:\Windows\SysWOW64\Blniinac.exe (cmd: C:\Windows\system32\Blniinac.exe)  PID 1576
88  C:\Windows\SysWOW64\Bdinnqon.exe (cmd: C:\Windows\system32\Bdinnqon.exe)  PID 2660
89  C:\Windows\SysWOW64\Boobki32.exe (cmd: C:\Windows\system32\Boobki32.exe)  PID 1928
90  C:\Windows\SysWOW64\Chggdoee.exe (cmd: C:\Windows\system32\Chggdoee.exe)  PID 2112
91  C:\Windows\SysWOW64\Caokmd32.exe (cmd: C:\Windows\system32\Caokmd32.exe)  PID 2732
92  C:\Windows\SysWOW64\Ckhpejbf.exe (cmd: C:\Windows\system32\Ckhpejbf.exe)  PID 2260
93  C:\Windows\SysWOW64\Cnflae32.exe (cmd: C:\Windows\system32\Cnflae32.exe)  PID 1740  Modifies registry class
94  C:\Windows\SysWOW64\Cgnpjkhj.exe (cmd: C:\Windows\system32\Cgnpjkhj.exe)  PID 1264  Modifies registry class
95  C:\Windows\SysWOW64\Cceapl32.exe (cmd: C:\Windows\system32\Cceapl32.exe)  PID 1592  Modifies registry class
96  C:\Windows\SysWOW64\Chbihc32.exe (cmd: C:\Windows\system32\Chbihc32.exe)  PID 2152
97  C:\Windows\SysWOW64\Ccgnelll.exe (cmd: C:\Windows\system32\Ccgnelll.exe)  PID 2236  Adds autorun key to be loaded by Explorer.exe on startup; Drops file in System32 directory
98  C:\Windows\SysWOW64\Dkbbinig.exe (cmd: C:\Windows\system32\Dkbbinig.exe)  PID 2564
99  C:\Windows\SysWOW64\Dfhgggim.exe (cmd: C:\Windows\system32\Dfhgggim.exe)  PID 892  System Location Discovery: System Language Discovery
100  C:\Windows\SysWOW64\Doqkpl32.exe (cmd: C:\Windows\system32\Doqkpl32.exe)  PID 2328
101  C:\Windows\SysWOW64\Dkgldm32.exe (cmd: C:\Windows\system32\Dkgldm32.exe)  PID 2796
102  C:\Windows\SysWOW64\Dqddmd32.exe (cmd: C:\Windows\system32\Dqddmd32.exe)  PID 2492
103  C:\Windows\SysWOW64\Djmiejji.exe (cmd: C:\Windows\system32\Djmiejji.exe)  PID 1624  System Location Discovery: System Language Discovery; Modifies registry class
104  C:\Windows\SysWOW64\Dqfabdaf.exe (cmd: C:\Windows\system32\Dqfabdaf.exe)  PID 2932
105  C:\Windows\SysWOW64\Egebjmdn.exe (cmd: C:\Windows\system32\Egebjmdn.exe)  PID 1736
106  C:\Windows\SysWOW64\Eiilge32.exe (cmd: C:\Windows\system32\Eiilge32.exe)  PID 524  Adds autorun key to be loaded by Explorer.exe on startup
107  C:\Windows\SysWOW64\Eikimeff.exe (cmd: C:\Windows\system32\Eikimeff.exe)  PID 2192  Drops file in System32 directory
108  C:\Windows\SysWOW64\Einebddd.exe (cmd: C:\Windows\system32\Einebddd.exe)  PID 2136
109  C:\Windows\SysWOW64\Fnjnkkbk.exe (cmd: C:\Windows\system32\Fnjnkkbk.exe)  PID 1256  Modifies registry class
110  C:\Windows\SysWOW64\Fhbbcail.exe (cmd: C:\Windows\system32\Fhbbcail.exe)  PID 1708
111  C:\Windows\SysWOW64\Fnmjpk32.exe (cmd: C:\Windows\system32\Fnmjpk32.exe)  PID 1948  Modifies registry class
112  C:\Windows\SysWOW64\Fheoiqgi.exe (cmd: C:\Windows\system32\Fheoiqgi.exe)  PID 1828  Modifies registry class
113  C:\Windows\SysWOW64\Fjckelfm.exe (cmd: C:\Windows\system32\Fjckelfm.exe)  PID 2948
114  C:\Windows\SysWOW64\Feipbefb.exe (cmd: C:\Windows\system32\Feipbefb.exe)  PID 2952
115  C:\Windows\SysWOW64\Fjfhkl32.exe (cmd: C:\Windows\system32\Fjfhkl32.exe)  PID 2596
116  C:\Windows\SysWOW64\Fappgflg.exe (cmd: C:\Windows\system32\Fappgflg.exe)  PID 2680  Modifies registry class
117  C:\Windows\SysWOW64\Fhjhdp32.exe (cmd: C:\Windows\system32\Fhjhdp32.exe)  PID 2984
118  C:\Windows\SysWOW64\Fikelhib.exe (cmd: C:\Windows\system32\Fikelhib.exe)  PID 1616
119  C:\Windows\SysWOW64\Fabmmejd.exe (cmd: C:\Windows\system32\Fabmmejd.exe)  PID 2372  System Location Discovery: System Language Discovery
120  C:\Windows\SysWOW64\Gjjafkpe.exe (cmd: C:\Windows\system32\Gjjafkpe.exe)  PID 1504  Adds autorun key to be loaded by Explorer.exe on startup; Modifies registry class
121  C:\Windows\SysWOW64\Gpgjnbnl.exe (cmd: C:\Windows\system32\Gpgjnbnl.exe)  PID 1476
122  C:\Windows\SysWOW64\Gbffjmmp.exe (cmd: C:\Windows\system32\Gbffjmmp.exe)  PID 2420
123  C:\Windows\SysWOW64\Glnkcc32.exe (cmd: C:\Windows\system32\Glnkcc32.exe)  PID 2892
124  C:\Windows\SysWOW64\Gbhcpmkm.exe (cmd: C:\Windows\system32\Gbhcpmkm.exe)  PID 2204  Drops file in System32 directory; Modifies registry class
125  C:\Windows\SysWOW64\Ghekhd32.exe (cmd: C:\Windows\system32\Ghekhd32.exe)  PID 2336
126  C:\Windows\SysWOW64\Gbjpem32.exe (cmd: C:\Windows\system32\Gbjpem32.exe)  PID 2936  Adds autorun key to be loaded by Explorer.exe on startup; System Location Discovery: System Language Discovery
127  C:\Windows\SysWOW64\Gidhbgag.exe (cmd: C:\Windows\system32\Gidhbgag.exe)  PID 2124  System Location Discovery: System Language Discovery
128  C:\Windows\SysWOW64\Goapjnoo.exe (cmd: C:\Windows\system32\Goapjnoo.exe)  PID 1344  Modifies registry class
129  C:\Windows\SysWOW64\Gkhaooec.exe (cmd: C:\Windows\system32\Gkhaooec.exe)  PID 1952  System Location Discovery: System Language Discovery
130  C:\Windows\SysWOW64\Hhlaiccm.exe (cmd: C:\Windows\system32\Hhlaiccm.exe)  PID 1112
131  C:\Windows\SysWOW64\Hofjem32.exe (cmd: C:\Windows\system32\Hofjem32.exe)  PID 2040  Drops file in System32 directory
132  C:\Windows\SysWOW64\Hadfah32.exe (cmd: C:\Windows\system32\Hadfah32.exe)  PID 2060  Drops file in System32 directory
133  C:\Windows\SysWOW64\Hhnnnbaj.exe (cmd: C:\Windows\system32\Hhnnnbaj.exe)  PID 2644
134  C:\Windows\SysWOW64\Hipkfkgh.exe (cmd: C:\Windows\system32\Hipkfkgh.exe)  PID 2448  System Location Discovery: System Language Discovery
135  C:\Windows\SysWOW64\Hpicbe32.exe (cmd: C:\Windows\system32\Hpicbe32.exe)  PID 1976
136  C:\Windows\SysWOW64\Hchoop32.exe (cmd: C:\Windows\system32\Hchoop32.exe)  PID 1148  System Location Discovery: System Language Discovery
137  C:\Windows\SysWOW64\Hnmcli32.exe (cmd: C:\Windows\system32\Hnmcli32.exe)  PID 1628  Adds autorun key to be loaded by Explorer.exe on startup; Drops file in System32 directory
138  C:\Windows\SysWOW64\Hehhqk32.exe (cmd: C:\Windows\system32\Hehhqk32.exe)  PID 472
139  C:\Windows\SysWOW64\Hghdjn32.exe (cmd: C:\Windows\system32\Hghdjn32.exe)  PID 2556  Drops file in System32 directory
140  C:\Windows\SysWOW64\Ilemce32.exe (cmd: C:\Windows\system32\Ilemce32.exe)  PID 1876
141  C:\Windows\SysWOW64\Icoepohq.exe (cmd: C:\Windows\system32\Icoepohq.exe)  PID 2708
142  C:\Windows\SysWOW64\Ihlnhffh.exe (cmd: C:\Windows\system32\Ihlnhffh.exe)  PID 2252
143  C:\Windows\SysWOW64\Ifpnaj32.exe (cmd: C:\Windows\system32\Ifpnaj32.exe)  PID 2964
144  C:\Windows\SysWOW64\Iohbjpkb.exe (cmd: C:\Windows\system32\Iohbjpkb.exe)  PID 3064  Adds autorun key to be loaded by Explorer.exe on startup; Drops file in System32 directory
145  C:\Windows\SysWOW64\Ihbdhepp.exe (cmd: C:\Windows\system32\Ihbdhepp.exe)  PID 1640
146  C:\Windows\SysWOW64\Jkcmjpma.exe (cmd: C:\Windows\system32\Jkcmjpma.exe)  PID 1136
147  C:\Windows\SysWOW64\Jqpebg32.exe (cmd: C:\Windows\system32\Jqpebg32.exe)  PID 1700  Drops file in System32 directory; System Location Discovery: System Language Discovery
148  C:\Windows\SysWOW64\Joebccpp.exe (cmd: C:\Windows\system32\Joebccpp.exe)  PID 1900  System Location Discovery: System Language Discovery
149  C:\Windows\SysWOW64\Jfojpn32.exe (cmd: C:\Windows\system32\Jfojpn32.exe)  PID 2808  Drops file in System32 directory
150  C:\Windows\SysWOW64\Johoic32.exe (cmd: C:\Windows\system32\Johoic32.exe)  PID 1128
151  C:\Windows\SysWOW64\Jjmcfl32.exe (cmd: C:\Windows\system32\Jjmcfl32.exe)  PID 2356  Modifies registry class
152  C:\Windows\SysWOW64\Jojloc32.exe (cmd: C:\Windows\system32\Jojloc32.exe)  PID 1532  Adds autorun key to be loaded by Explorer.exe on startup; Drops file in System32 directory
153  C:\Windows\SysWOW64\Jbhhkn32.exe (cmd: C:\Windows\system32\Jbhhkn32.exe)  PID 1156  Modifies registry class
154  C:\Windows\SysWOW64\Kmnlhg32.exe (cmd: C:\Windows\system32\Kmnlhg32.exe)  PID 1392  System Location Discovery: System Language Discovery
155  C:\Windows\SysWOW64\Keiqlihp.exe (cmd: C:\Windows\system32\Keiqlihp.exe)  PID 2452  Drops file in System32 directory; Modifies registry class
156  C:\Windows\SysWOW64\Kkciic32.exe (cmd: C:\Windows\system32\Kkciic32.exe)  PID 1636  System Location Discovery: System Language Discovery; Modifies registry class
157  C:\Windows\SysWOW64\Kelmbifm.exe (cmd: C:\Windows\system32\Kelmbifm.exe)  PID 1600
158  C:\Windows\SysWOW64\Kjhfjpdd.exe (cmd: C:\Windows\system32\Kjhfjpdd.exe)  PID 2332
159  C:\Windows\SysWOW64\Kmiolk32.exe (cmd: C:\Windows\system32\Kmiolk32.exe)  PID 2552
160  C:\Windows\SysWOW64\Kgocid32.exe (cmd: C:\Windows\system32\Kgocid32.exe)  PID 2172
161  C:\Windows\SysWOW64\Kaggbihl.exe (cmd: C:\Windows\system32\Kaggbihl.exe)  PID 2120
162  C:\Windows\SysWOW64\Lpldcfmd.exe (cmd: C:\Windows\system32\Lpldcfmd.exe)  PID 2896
163  C:\Windows\SysWOW64\Lffmpp32.exe (cmd: C:\Windows\system32\Lffmpp32.exe)  PID 2764
164  C:\Windows\SysWOW64\Lpoaheja.exe (cmd: C:\Windows\system32\Lpoaheja.exe)  PID 1744  Drops file in System32 directory; Modifies registry class
165  C:\Windows\SysWOW64\Ligfakaa.exe (cmd: C:\Windows\system32\Ligfakaa.exe)  PID 2736
166  C:\Windows\SysWOW64\Lodnjboi.exe (cmd: C:\Windows\system32\Lodnjboi.exe)  PID 2612  System Location Discovery: System Language Discovery
167  C:\Windows\SysWOW64\Liibgkoo.exe (cmd: C:\Windows\system32\Liibgkoo.exe)  PID 1248
168  C:\Windows\SysWOW64\Ladgkmlj.exe (cmd: C:\Windows\system32\Ladgkmlj.exe)  PID 832
169  C:\Windows\SysWOW64\Mbdcepcm.exe (cmd: C:\Windows\system32\Mbdcepcm.exe)  PID 632
170  C:\Windows\SysWOW64\Mdepmh32.exe (cmd: C:\Windows\system32\Mdepmh32.exe)  PID 1472  Adds autorun key to be loaded by Explorer.exe on startup; Drops file in System32 directory; System Location Discovery: System Language Discovery
171  C:\Windows\SysWOW64\Mllhne32.exe (cmd: C:\Windows\system32\Mllhne32.exe)  PID 2636  Modifies registry class
172  C:\Windows\SysWOW64\Mgfiocfl.exe (cmd: C:\Windows\system32\Mgfiocfl.exe)  PID 1924
173  C:\Windows\SysWOW64\Mghfdcdi.exe (cmd: C:\Windows\system32\Mghfdcdi.exe)  PID 1160
174  C:\Windows\SysWOW64\Manjaldo.exe (cmd: C:\Windows\system32\Manjaldo.exe)  PID 3004
175  C:\Windows\SysWOW64\Mkfojakp.exe (cmd: C:\Windows\system32\Mkfojakp.exe)  PID 2436
176  C:\Windows\SysWOW64\Mpcgbhig.exe (cmd: C:\Windows\system32\Mpcgbhig.exe)  PID 1552
177  C:\Windows\SysWOW64\Nohddd32.exe (cmd: C:\Windows\system32\Nohddd32.exe)  PID 3068
178  C:\Windows\SysWOW64\Ocfiif32.exe (cmd: C:\Windows\system32\Ocfiif32.exe)  PID 784
179  C:\Windows\SysWOW64\Omqjgl32.exe (cmd: C:\Windows\system32\Omqjgl32.exe)  PID 1760  System Location Discovery: System Language Discovery
180  C:\Windows\SysWOW64\Ojdjqp32.exe (cmd: C:\Windows\system32\Ojdjqp32.exe)  PID 2652  Drops file in System32 directory; System Location Discovery: System Language Discovery
181  C:\Windows\SysWOW64\Pbpoebgc.exe (cmd: C:\Windows\system32\Pbpoebgc.exe)  PID 1812  Drops file in System32 directory
182  C:\Windows\SysWOW64\Podpoffm.exe (cmd: C:\Windows\system32\Podpoffm.exe)  PID 2640
183  C:\Windows\SysWOW64\Pildgl32.exe (cmd: C:\Windows\system32\Pildgl32.exe)  PID 3100
184  C:\Windows\SysWOW64\Pofldf32.exe (cmd: C:\Windows\system32\Pofldf32.exe)  PID 3140
185  C:\Windows\SysWOW64\Pqgilnji.exe (cmd: C:\Windows\system32\Pqgilnji.exe)  PID 3180  Adds autorun key to be loaded by Explorer.exe on startup
186  C:\Windows\SysWOW64\Pgaahh32.exe (cmd: C:\Windows\system32\Pgaahh32.exe)  PID 3220
187  C:\Windows\SysWOW64\Pajeanhf.exe (cmd: C:\Windows\system32\Pajeanhf.exe)  PID 3260  Adds autorun key to be loaded by Explorer.exe on startup
188  C:\Windows\SysWOW64\Pkojoghl.exe (cmd: C:\Windows\system32\Pkojoghl.exe)  PID 3300
189  C:\Windows\SysWOW64\Pnnfkb32.exe (cmd: C:\Windows\system32\Pnnfkb32.exe)  PID 3340  Drops file in System32 directory
190  C:\Windows\SysWOW64\Qgfkchmp.exe (cmd: C:\Windows\system32\Qgfkchmp.exe)  PID 3380
191  C:\Windows\SysWOW64\Qmcclolh.exe (cmd: C:\Windows\system32\Qmcclolh.exe)  PID 3428  System Location Discovery: System Language Discovery
192  C:\Windows\SysWOW64\Qmepanje.exe (cmd: C:\Windows\system32\Qmepanje.exe)  PID 3468  Drops file in System32 directory
193  C:\Windows\SysWOW64\Abbhje32.exe (cmd: C:\Windows\system32\Abbhje32.exe)  PID 3508  System Location Discovery: System Language Discovery
194  C:\Windows\SysWOW64\Amglgn32.exe (cmd: C:\Windows\system32\Amglgn32.exe)  PID 3548
195  C:\Windows\SysWOW64\Afpapcnc.exe (cmd: C:\Windows\system32\Afpapcnc.exe)  PID 3588  Adds autorun key to be loaded by Explorer.exe on startup
196  C:\Windows\SysWOW64\Abgaeddg.exe (cmd: C:\Windows\system32\Abgaeddg.exe)  PID 3628
197  C:\Windows\SysWOW64\Aiqjao32.exe (cmd: C:\Windows\system32\Aiqjao32.exe)  PID 3668
198  C:\Windows\SysWOW64\Alaccj32.exe (cmd: C:\Windows\system32\Alaccj32.exe)  PID 3712
199  C:\Windows\SysWOW64\Admgglep.exe (cmd: C:\Windows\system32\Admgglep.exe)  PID 3752  Drops file in System32 directory
200  C:\Windows\SysWOW64\Bmelpa32.exe (cmd: C:\Windows\system32\Bmelpa32.exe)  PID 3792  Drops file in System32 directory
201  C:\Windows\SysWOW64\Bjiljf32.exe (cmd: C:\Windows\system32\Bjiljf32.exe)  PID 3832
202  C:\Windows\SysWOW64\Bmgifa32.exe (cmd: C:\Windows\system32\Bmgifa32.exe)  PID 3872  System Location Discovery: System Language Discovery
203  C:\Windows\SysWOW64\Bfpmog32.exe (cmd: C:\Windows\system32\Bfpmog32.exe)  PID 3912
204  C:\Windows\SysWOW64\Bphaglgo.exe (cmd: C:\Windows\system32\Bphaglgo.exe)  PID 3956  System Location Discovery: System Language Discovery
205  C:\Windows\SysWOW64\Bknfeege.exe (cmd: C:\Windows\system32\Bknfeege.exe)  PID 3996  Drops file in System32 directory
206  C:\Windows\SysWOW64\Bdfjnkne.exe (cmd: C:\Windows\system32\Bdfjnkne.exe)  PID 4036  Modifies registry class
207  C:\Windows\SysWOW64\Bopknhjd.exe (cmd: C:\Windows\system32\Bopknhjd.exe)  Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:4076 -
C:\Windows\SysWOW64\Chhpgn32.exeC:\Windows\system32\Chhpgn32.exe208⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:288 -
C:\Windows\SysWOW64\Celpqbon.exeC:\Windows\system32\Celpqbon.exe209⤵
- Drops file in System32 directory
- Modifies registry class
PID:3136 -
C:\Windows\SysWOW64\Codeih32.exeC:\Windows\system32\Codeih32.exe210⤵PID:3172
-
C:\Windows\SysWOW64\Cenmfbml.exeC:\Windows\system32\Cenmfbml.exe211⤵PID:3204
-
C:\Windows\SysWOW64\Clhecl32.exeC:\Windows\system32\Clhecl32.exe212⤵PID:3272
-
C:\Windows\SysWOW64\Cgbfcjag.exeC:\Windows\system32\Cgbfcjag.exe213⤵
- Modifies registry class
PID:3328 -
C:\Windows\SysWOW64\Cdfgmnpa.exeC:\Windows\system32\Cdfgmnpa.exe214⤵
- Modifies registry class
PID:3372 -
C:\Windows\SysWOW64\Dnnkec32.exeC:\Windows\system32\Dnnkec32.exe215⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3392 -
C:\Windows\SysWOW64\Dgfpni32.exeC:\Windows\system32\Dgfpni32.exe216⤵
- Drops file in System32 directory
- Modifies registry class
PID:3476 -
C:\Windows\SysWOW64\Dlchfp32.exeC:\Windows\system32\Dlchfp32.exe217⤵
- System Location Discovery: System Language Discovery
PID:1884 -
C:\Windows\SysWOW64\Dncdqcbl.exeC:\Windows\system32\Dncdqcbl.exe218⤵PID:3560
-
C:\Windows\SysWOW64\Dgkiih32.exeC:\Windows\system32\Dgkiih32.exe219⤵
- System Location Discovery: System Language Discovery
PID:3620 -
C:\Windows\SysWOW64\Dlhaaogd.exeC:\Windows\system32\Dlhaaogd.exe220⤵
- Drops file in System32 directory
PID:3664 -
C:\Windows\SysWOW64\Dbejjfek.exeC:\Windows\system32\Dbejjfek.exe221⤵PID:3728
-
C:\Windows\SysWOW64\Dhobgp32.exeC:\Windows\system32\Dhobgp32.exe222⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3776 -
C:\Windows\SysWOW64\Dbggpfci.exeC:\Windows\system32\Dbggpfci.exe223⤵
- Drops file in System32 directory
PID:3816 -
C:\Windows\SysWOW64\Ekpkhkji.exeC:\Windows\system32\Ekpkhkji.exe224⤵PID:3880
-
C:\Windows\SysWOW64\Efeoedjo.exeC:\Windows\system32\Efeoedjo.exe225⤵
- Drops file in System32 directory
PID:3932 -
C:\Windows\SysWOW64\Eomdoj32.exeC:\Windows\system32\Eomdoj32.exe226⤵
- System Location Discovery: System Language Discovery
PID:3924 -
C:\Windows\SysWOW64\Eqopfbfn.exeC:\Windows\system32\Eqopfbfn.exe227⤵PID:4024
-
C:\Windows\SysWOW64\Ehfhgogp.exeC:\Windows\system32\Ehfhgogp.exe228⤵PID:4072
-
C:\Windows\SysWOW64\Edmilpld.exeC:\Windows\system32\Edmilpld.exe229⤵PID:2712
-
C:\Windows\SysWOW64\Enenef32.exeC:\Windows\system32\Enenef32.exe230⤵
- System Location Discovery: System Language Discovery
PID:3112 -
C:\Windows\SysWOW64\Ecbfmm32.exeC:\Windows\system32\Ecbfmm32.exe231⤵PID:3228
-
C:\Windows\SysWOW64\Ejlnjg32.exeC:\Windows\system32\Ejlnjg32.exe232⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3268 -
C:\Windows\SysWOW64\Fcdbcloi.exeC:\Windows\system32\Fcdbcloi.exe233⤵PID:1548
-
C:\Windows\SysWOW64\Fiakkcma.exeC:\Windows\system32\Fiakkcma.exe234⤵PID:3396
-
C:\Windows\SysWOW64\Fjqhef32.exeC:\Windows\system32\Fjqhef32.exe235⤵PID:3456
-
C:\Windows\SysWOW64\Fnejdiep.exeC:\Windows\system32\Fnejdiep.exe236⤵PID:3516
-
C:\Windows\SysWOW64\Glijnmdj.exeC:\Windows\system32\Glijnmdj.exe237⤵
- Drops file in System32 directory
PID:3568 -
C:\Windows\SysWOW64\Gaebfdba.exeC:\Windows\system32\Gaebfdba.exe238⤵PID:3644
-
C:\Windows\SysWOW64\Gecklbih.exeC:\Windows\system32\Gecklbih.exe239⤵PID:3688
-
C:\Windows\SysWOW64\Gjbqjiem.exeC:\Windows\system32\Gjbqjiem.exe240⤵
- Drops file in System32 directory
PID:3784 -
C:\Windows\SysWOW64\Hmefad32.exeC:\Windows\system32\Hmefad32.exe241⤵PID:3824
-
C:\Windows\SysWOW64\Hogcil32.exeC:\Windows\system32\Hogcil32.exe242⤵PID:3900
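The tree above is the whole execution story of this sample: every process is an executable with a non-standard name in the system directory that spawns the next one. The Python below is an added example, not part of the sandbox report or of any tool behind it. It turns the first ten entries of the chain (169 to 178) into Sysmon-style process-creation records and shows two things a responder wants from such a tree: the file paths to sweep for on other hosts, and a detection heuristic that flags a run of unfamiliar system-directory binaries each spawning the next. The parent PIDs are inferred from the tree, the records and the small baseline allow-list are constructed for the example, and the function names are my own.

```python
"""Turn a Berbew-style spawn chain into hunt-ready IOCs and flag the pattern.

Added example, not part of the sandbox report.  The records below are
constructed from the report's process tree (indices 169-178): the sandbox
does not export Sysmon events, so parent PIDs are inferred from the tree,
where each process spawns the next one.  The baseline allow-list is a
stand-in for a real inventory of a clean system directory (assumption).
"""
import ntpath

SYSTEM_DIRS = ("c:\\windows\\syswow64\\", "c:\\windows\\system32\\")

# Constructed from the report: (tree index, image name, PID, signatures).
REPORTED_CHAIN = [
    (169, "Mbdcepcm.exe", 632, ()),
    (170, "Mdepmh32.exe", 1472, ("Adds autorun key to be loaded by Explorer.exe on startup",
                                 "Drops file in System32 directory",
                                 "System Location Discovery: System Language Discovery")),
    (171, "Mllhne32.exe", 2636, ("Modifies registry class",)),
    (172, "Mgfiocfl.exe", 1924, ()),
    (173, "Mghfdcdi.exe", 1160, ()),
    (174, "Manjaldo.exe", 3004, ()),
    (175, "Mkfojakp.exe", 2436, ()),
    (176, "Mpcgbhig.exe", 1552, ()),
    (177, "Nohddd32.exe", 3068, ()),
    (178, "Ocfiif32.exe", 784, ()),
]

# Hypothetical baseline of binaries expected in the system directories.
BASELINE = {"explorer.exe", "svchost.exe", "cmd.exe", "conhost.exe", "rundll32.exe"}


def make_events(chain, first_parent_pid=None):
    """Build Sysmon-style process-creation records from the reported chain.

    Image is the on-disk path after WoW64 redirection (SysWOW64); CommandLine
    is what the parent actually requested (system32), as the report shows.
    """
    events, parent = [], first_parent_pid
    for _index, name, pid, signatures in chain:
        events.append({
            "ProcessId": pid,
            "ParentProcessId": parent,
            "Image": "C:\\Windows\\SysWOW64\\" + name,
            "CommandLine": "C:\\Windows\\system32\\" + name,
            "Signatures": list(signatures),
        })
        parent = pid
    return events


def is_unfamiliar_system_binary(event, baseline=BASELINE):
    """True for an executable living in a system directory but absent from the baseline."""
    image = event["Image"].lower()
    return image.startswith(SYSTEM_DIRS) and ntpath.basename(image) not in baseline


def suspicious_chains(events, min_len=3, baseline=BASELINE):
    """Return maximal parent->child runs of unfamiliar system-directory binaries
    that are at least min_len long, each as a list of image basenames."""
    by_pid = {e["ProcessId"]: e for e in events}
    run_len = {}

    def run(pid):
        # Length of the unfamiliar run ending at pid (0 if pid is unknown or baseline).
        if pid not in run_len:
            e = by_pid.get(pid)
            if e is None or not is_unfamiliar_system_binary(e, baseline):
                run_len[pid] = 0
            else:
                run_len[pid] = 1 + run(e["ParentProcessId"])
        return run_len[pid]

    # A run is maximal when no unfamiliar child extends it.
    extended = {e["ParentProcessId"] for e in events if is_unfamiliar_system_binary(e, baseline)}
    chains = []
    for e in events:
        pid = e["ProcessId"]
        if pid in extended or run(pid) < min_len:
            continue
        names, cur = [], pid
        while cur in by_pid and is_unfamiliar_system_binary(by_pid[cur], baseline):
            names.append(ntpath.basename(by_pid[cur]["Image"]))
            cur = by_pid[cur]["ParentProcessId"]
        chains.append(names[::-1])
    return chains


def hunt_iocs(events):
    """Paths to sweep for on other hosts, and the images that set persistence."""
    paths = sorted({e["Image"] for e in events} | {e["CommandLine"] for e in events})
    persistence = [e["Image"] for e in events
                   if any(s.startswith("Adds autorun key") for s in e["Signatures"])]
    return paths, persistence


if __name__ == "__main__":
    evs = make_events(REPORTED_CHAIN)
    for chain in suspicious_chains(evs):
        print(f"{len(chain)}-deep chain of unfamiliar system binaries: {' -> '.join(chain)}")
    paths, persistence = hunt_iocs(evs)
    print(f"{len(paths)} paths to sweep; persistence set by {persistence}")
```

Both the SysWOW64 image and the system32 command line go into the sweep list on purpose: an EDR query keyed on the image path misses the parent's command line, and one keyed on the command line misses the file on disk. A baseline binary anywhere in the chain splits it into two runs, which is the behaviour you want when a legitimate cmd.exe or rundll32.exe sits between two stages.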