Analysis
max time kernel: 104s
max time network: 19s
platform: windows7_x64
resource: win7-20241010-en
resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
submitted: 10-11-2024 01:27
Static task: static1
Behavioral task: behavioral1
Sample: a8754c4dc2ac433e749f5251f171780a5cbcf3ecc7a5e698210d90bf8e1f9434.exe
Resource: win7-20241010-en
Behavioral task: behavioral2
Sample: a8754c4dc2ac433e749f5251f171780a5cbcf3ecc7a5e698210d90bf8e1f9434.exe
Resource: win10v2004-20241007-en
General
Target: a8754c4dc2ac433e749f5251f171780a5cbcf3ecc7a5e698210d90bf8e1f9434.exe
Size: 92KB
MD5: b0f194d837108df394fb9f9552c3adce
SHA1: b2e5c8c2e185b0f8c39a08fe9b061a0e7f81b322
SHA256: a8754c4dc2ac433e749f5251f171780a5cbcf3ecc7a5e698210d90bf8e1f9434
SHA512: 3e4512c383100d26717123de30f1178aa140821ad50dba822cbc829d80c382464bbf092231de8d5165c13d4486e7799b6df14a0cd056882e762268d5ea1e72de
SSDEEP: 1536:pJDwvBNjndB3tpL4mOp9XT3layJycc5MOQOUJMXJJkLzxX144OynKQrUoR24HsUs:YBRdBl09XTrw1UqZJkLB144U6THsR
Malware Config
Extracted: berbew
http://f/wcmd.htm
http://f/ppslog.php
http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d
Signatures

Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
Berbew family
Executes dropped EXE (64 IoCs)
Loads dropped DLL (64 IoCs)
Drops file in System32 directory (64 IoCs)
Program crash (1 IoC)
pid 4272, pid_target 4972
System Location Discovery: System Language Discovery (1 TTP, 64 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Modifies registry class (64 IoCs)
\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bafkookd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dmlffcog.dll" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bhoqqojp.dll" Lcqdidim.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Licidced.dll" Bcpiombe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Gpkckneh.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
Processes
-
depth 1: C:\Users\Admin\AppData\Local\Temp\a8754c4dc2ac433e749f5251f171780a5cbcf3ecc7a5e698210d90bf8e1f9434.exe (command line: "C:\Users\Admin\AppData\Local\Temp\a8754c4dc2ac433e749f5251f171780a5cbcf3ecc7a5e698210d90bf8e1f9434.exe"), PID 2476
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
depth 2: C:\Windows\SysWOW64\Fnjnkkbk.exe (command line: C:\Windows\system32\Fnjnkkbk.exe), PID 2904
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
depth 3: C:\Windows\SysWOW64\Fcichb32.exe (command line: C:\Windows\system32\Fcichb32.exe), PID 2780
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
depth 4: C:\Windows\SysWOW64\Fhglop32.exe (command line: C:\Windows\system32\Fhglop32.exe), PID 2688
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
depth 5: C:\Windows\SysWOW64\Fdnlcakk.exe (command line: C:\Windows\system32\Fdnlcakk.exe), PID 1208
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
depth 6: C:\Windows\SysWOW64\Fmfalg32.exe (command line: C:\Windows\system32\Fmfalg32.exe), PID 1416
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
depth 7: C:\Windows\SysWOW64\Gllnnc32.exe (command line: C:\Windows\system32\Gllnnc32.exe), PID 2208
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
depth 8: C:\Windows\SysWOW64\Gedbfimc.exe (command line: C:\Windows\system32\Gedbfimc.exe), PID 1676
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
depth 9: C:\Windows\SysWOW64\Gefolhja.exe (command line: C:\Windows\system32\Gefolhja.exe), PID 1844
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
depth 10: C:\Windows\SysWOW64\Geilah32.exe (command line: C:\Windows\system32\Geilah32.exe), PID 2332
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
depth 11: C:\Windows\SysWOW64\Gdnibdmf.exe (command line: C:\Windows\system32\Gdnibdmf.exe), PID 2956
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
depth 12: C:\Windows\SysWOW64\Gkhaooec.exe (command line: C:\Windows\system32\Gkhaooec.exe), PID 3024
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
depth 13: C:\Windows\SysWOW64\Hpgfmeag.exe (command line: C:\Windows\system32\Hpgfmeag.exe), PID 700
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
depth 14: C:\Windows\SysWOW64\Hdeoccgn.exe (command line: C:\Windows\system32\Hdeoccgn.exe), PID 1756
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
depth 15: C:\Windows\SysWOW64\Hdgkicek.exe (command line: C:\Windows\system32\Hdgkicek.exe), PID 2488
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
depth 16: C:\Windows\SysWOW64\Hghdjn32.exe (command line: C:\Windows\system32\Hghdjn32.exe), PID 1804
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
depth 17: C:\Windows\SysWOW64\Icoepohq.exe (command line: C:\Windows\system32\Icoepohq.exe), PID 2508
- Executes dropped EXE
- Loads dropped DLL
depth 18: C:\Windows\SysWOW64\Ifpnaj32.exe (command line: C:\Windows\system32\Ifpnaj32.exe), PID 904
- Executes dropped EXE
- Loads dropped DLL
depth 19: C:\Windows\SysWOW64\Idekbgji.exe (command line: C:\Windows\system32\Idekbgji.exe), PID 652
- Executes dropped EXE
- Loads dropped DLL
depth 20: C:\Windows\SysWOW64\Ikocoa32.exe (command line: C:\Windows\system32\Ikocoa32.exe), PID 1464
- Executes dropped EXE
- Loads dropped DLL
depth 21: C:\Windows\SysWOW64\Idghhf32.exe (command line: C:\Windows\system32\Idghhf32.exe), PID 2116
- Executes dropped EXE
- Loads dropped DLL
depth 22: C:\Windows\SysWOW64\Jqnhmgmk.exe (command line: C:\Windows\system32\Jqnhmgmk.exe), PID 1296
- Executes dropped EXE
- Loads dropped DLL
depth 23: C:\Windows\SysWOW64\Jghqia32.exe (command line: C:\Windows\system32\Jghqia32.exe), PID 1508
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
depth 24: C:\Windows\SysWOW64\Jndflk32.exe (command line: C:\Windows\system32\Jndflk32.exe), PID 2340
- Executes dropped EXE
- Loads dropped DLL
depth 25: C:\Windows\SysWOW64\Johoic32.exe (command line: C:\Windows\system32\Johoic32.exe), PID 1436
- Executes dropped EXE
- Loads dropped DLL
depth 26: C:\Windows\SysWOW64\Jmlobg32.exe (command line: C:\Windows\system32\Jmlobg32.exe), PID 2032
- Executes dropped EXE
- Loads dropped DLL
depth 27: C:\Windows\SysWOW64\Jfddkmch.exe (command line: C:\Windows\system32\Jfddkmch.exe), PID 2808
- Executes dropped EXE
- Loads dropped DLL
depth 28: C:\Windows\SysWOW64\Kmnlhg32.exe (command line: C:\Windows\system32\Kmnlhg32.exe), PID 2932
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
depth 29: C:\Windows\SysWOW64\Kghmhegc.exe (command line: C:\Windows\system32\Kghmhegc.exe), PID 2696
- Executes dropped EXE
- Loads dropped DLL
depth 30: C:\Windows\SysWOW64\Kapaaj32.exe (command line: C:\Windows\system32\Kapaaj32.exe), PID 2840
- Executes dropped EXE
- Loads dropped DLL
depth 31: C:\Windows\SysWOW64\Kjhfjpdd.exe (command line: C:\Windows\system32\Kjhfjpdd.exe), PID 1912
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
depth 32: C:\Windows\SysWOW64\Kbpnkm32.exe (command line: C:\Windows\system32\Kbpnkm32.exe), PID 612
- Executes dropped EXE
- Loads dropped DLL
depth 33: C:\Windows\SysWOW64\Kmiolk32.exe (command line: C:\Windows\system32\Kmiolk32.exe), PID 2192
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
depth 34: C:\Windows\SysWOW64\Kaggbihl.exe (command line: C:\Windows\system32\Kaggbihl.exe), PID 1056
- Executes dropped EXE
depth 35: C:\Windows\SysWOW64\Ldjmidcj.exe (command line: C:\Windows\system32\Ldjmidcj.exe), PID 2112
- Executes dropped EXE
depth 36: C:\Windows\SysWOW64\Lmbabj32.exe (command line: C:\Windows\system32\Lmbabj32.exe), PID 1696
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
depth 37: C:\Windows\SysWOW64\Lilomj32.exe (command line: C:\Windows\system32\Lilomj32.exe), PID 2980
- Executes dropped EXE
depth 38: C:\Windows\SysWOW64\Mebpakbq.exe (command line: C:\Windows\system32\Mebpakbq.exe), PID 3036
- Executes dropped EXE
depth 39: C:\Windows\SysWOW64\Mdgmbhgh.exe (command line: C:\Windows\system32\Mdgmbhgh.exe), PID 2312
- Executes dropped EXE
depth 40: C:\Windows\SysWOW64\Mcacochk.exe (command line: C:\Windows\system32\Mcacochk.exe), PID 428
- Executes dropped EXE
depth 41: C:\Windows\SysWOW64\Neblqoel.exe (command line: C:\Windows\system32\Neblqoel.exe), PID 2520
- Executes dropped EXE
depth 42: C:\Windows\SysWOW64\Naimepkp.exe (command line: C:\Windows\system32\Naimepkp.exe), PID 2164
- Executes dropped EXE
depth 43: C:\Windows\SysWOW64\Nkaane32.exe (command line: C:\Windows\system32\Nkaane32.exe), PID 2492
- Executes dropped EXE
- Modifies registry class
depth 44: C:\Windows\SysWOW64\Nkdndeon.exe (command line: C:\Windows\system32\Nkdndeon.exe), PID 1612
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
depth 45: C:\Windows\SysWOW64\Nanfqo32.exe (command line: C:\Windows\system32\Nanfqo32.exe), PID 1348
- Executes dropped EXE
depth 46: C:\Windows\SysWOW64\Ngjoif32.exe (command line: C:\Windows\system32\Ngjoif32.exe), PID 1080
- Executes dropped EXE
depth 47: C:\Windows\SysWOW64\Nndgeplo.exe (command line: C:\Windows\system32\Nndgeplo.exe), PID 1668
- Executes dropped EXE
depth 48: C:\Windows\SysWOW64\Opccallb.exe (command line: C:\Windows\system32\Opccallb.exe), PID 2036
- Executes dropped EXE
depth 49: C:\Windows\SysWOW64\Okhgod32.exe (command line: C:\Windows\system32\Okhgod32.exe), PID 2612
- Executes dropped EXE
depth 50: C:\Windows\SysWOW64\Oabplobe.exe (command line: C:\Windows\system32\Oabplobe.exe), PID 1752
- Executes dropped EXE
depth 51: C:\Windows\SysWOW64\Occlcg32.exe (command line: C:\Windows\system32\Occlcg32.exe), PID 1456
- Executes dropped EXE
- System Location Discovery: System Language Discovery
depth 52: C:\Windows\SysWOW64\Ojndpqpq.exe (command line: C:\Windows\system32\Ojndpqpq.exe), PID 1704
- Executes dropped EXE
depth 53: C:\Windows\SysWOW64\Ocfiif32.exe (command line: C:\Windows\system32\Ocfiif32.exe), PID 2496
- Executes dropped EXE
depth 54: C:\Windows\SysWOW64\Ochenfdn.exe (command line: C:\Windows\system32\Ochenfdn.exe), PID 2872
- Executes dropped EXE
depth 55: C:\Windows\SysWOW64\Ojbnkp32.exe (command line: C:\Windows\system32\Ojbnkp32.exe), PID 2800
- Executes dropped EXE
depth 56: C:\Windows\SysWOW64\Obnbpb32.exe (command line: C:\Windows\system32\Obnbpb32.exe), PID 1788
- Executes dropped EXE
depth 57: C:\Windows\SysWOW64\Pfkkeq32.exe (command line: C:\Windows\system32\Pfkkeq32.exe), PID 1928
- Executes dropped EXE
depth 58: C:\Windows\SysWOW64\Podpoffm.exe (command line: C:\Windows\system32\Podpoffm.exe), PID 2640
- Executes dropped EXE
depth 59: C:\Windows\SysWOW64\Peqhgmdd.exe (command line: C:\Windows\system32\Peqhgmdd.exe), PID 2204
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
depth 60: C:\Windows\SysWOW64\Pofldf32.exe (command line: C:\Windows\system32\Pofldf32.exe), PID 2392
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
depth 61: C:\Windows\SysWOW64\Pioamlkk.exe (command line: C:\Windows\system32\Pioamlkk.exe), PID 2528
- Executes dropped EXE
depth 62: C:\Windows\SysWOW64\Pchbmigj.exe (command line: C:\Windows\system32\Pchbmigj.exe), PID 2992
- Executes dropped EXE
- Drops file in System32 directory
depth 63: C:\Windows\SysWOW64\Pmqffonj.exe (command line: C:\Windows\system32\Pmqffonj.exe), PID 932
- Executes dropped EXE
depth 64: C:\Windows\SysWOW64\Qgfkchmp.exe (command line: C:\Windows\system32\Qgfkchmp.exe), PID 1812
- Executes dropped EXE
depth 65: C:\Windows\SysWOW64\Qmcclolh.exe (command line: C:\Windows\system32\Qmcclolh.exe), PID 1904
- Executes dropped EXE
depth 66: C:\Windows\SysWOW64\Qmepanje.exe (command line: C:\Windows\system32\Qmepanje.exe), PID 704
depth 67: C:\Windows\SysWOW64\Abbhje32.exe (command line: C:\Windows\system32\Abbhje32.exe), PID 1552
depth 68: C:\Windows\SysWOW64\Afndjdpe.exe (command line: C:\Windows\system32\Afndjdpe.exe), PID 2076
depth 69: C:\Windows\SysWOW64\Afpapcnc.exe (command line: C:\Windows\system32\Afpapcnc.exe), PID 2348
depth 70: C:\Windows\SysWOW64\Almihjlj.exe (command line: C:\Windows\system32\Almihjlj.exe), PID 3068
depth 71: C:\Windows\SysWOW64\Afbnec32.exe (command line: C:\Windows\system32\Afbnec32.exe), PID 884
depth 72: C:\Windows\SysWOW64\Aalofa32.exe (command line: C:\Windows\system32\Aalofa32.exe), PID 2820
depth 73: C:\Windows\SysWOW64\Alaccj32.exe (command line: C:\Windows\system32\Alaccj32.exe), PID 3060
depth 74: C:\Windows\SysWOW64\Admgglep.exe (command line: C:\Windows\system32\Admgglep.exe), PID 2144
- Drops file in System32 directory
depth 75: C:\Windows\SysWOW64\Bjfpdf32.exe (command line: C:\Windows\system32\Bjfpdf32.exe), PID 2712
depth 76: C:\Windows\SysWOW64\Bdodmlcm.exe (command line: C:\Windows\system32\Bdodmlcm.exe), PID 3012
depth 77: C:\Windows\SysWOW64\Bjiljf32.exe (command line: C:\Windows\system32\Bjiljf32.exe), PID 2172
- Modifies registry class
depth 78: C:\Windows\SysWOW64\Bmgifa32.exe (command line: C:\Windows\system32\Bmgifa32.exe), PID 2372
depth 79: C:\Windows\SysWOW64\Bfpmog32.exe (command line: C:\Windows\system32\Bfpmog32.exe), PID 2988
depth 80: C:\Windows\SysWOW64\Baealp32.exe (command line: C:\Windows\system32\Baealp32.exe), PID 2444
depth 81: C:\Windows\SysWOW64\Bfbjdf32.exe (command line: C:\Windows\system32\Bfbjdf32.exe), PID 592
depth 82: C:\Windows\SysWOW64\Bpjnmlel.exe (command line: C:\Windows\system32\Bpjnmlel.exe), PID 2428
- Drops file in System32 directory
depth 83: C:\Windows\SysWOW64\Bmnofp32.exe (command line: C:\Windows\system32\Bmnofp32.exe), PID 672
depth 84: C:\Windows\SysWOW64\Cggcofkf.exe (command line: C:\Windows\system32\Cggcofkf.exe), PID 956
depth 85: C:\Windows\SysWOW64\Ciepkajj.exe (command line: C:\Windows\system32\Ciepkajj.exe), PID 812
depth 86: C:\Windows\SysWOW64\Capdpcge.exe (command line: C:\Windows\system32\Capdpcge.exe), PID 800
depth 87: C:\Windows\SysWOW64\Clfhml32.exe (command line: C:\Windows\system32\Clfhml32.exe), PID 1608
- System Location Discovery: System Language Discovery
depth 88: C:\Windows\SysWOW64\Cdamao32.exe (command line: C:\Windows\system32\Cdamao32.exe), PID 2260
depth 89: C:\Windows\SysWOW64\Clhecl32.exe (command line: C:\Windows\system32\Clhecl32.exe), PID 2160
depth 90: C:\Windows\SysWOW64\Cdcjgnbc.exe (command line: C:\Windows\system32\Cdcjgnbc.exe), PID 2052
depth 91: C:\Windows\SysWOW64\Cnlnpd32.exe (command line: C:\Windows\system32\Cnlnpd32.exe), PID 2824
depth 92: C:\Windows\SysWOW64\Cgdciiod.exe (command line: C:\Windows\system32\Cgdciiod.exe), PID 2672
depth 93: C:\Windows\SysWOW64\Cjboeenh.exe (command line: C:\Windows\system32\Cjboeenh.exe), PID 1892
depth 94: C:\Windows\SysWOW64\Djeljd32.exe (command line: C:\Windows\system32\Djeljd32.exe), PID 384
- Drops file in System32 directory
depth 95: C:\Windows\SysWOW64\Dpodgocb.exe (command line: C:\Windows\system32\Dpodgocb.exe), PID 2532
depth 96: C:\Windows\SysWOW64\Dncdqcbl.exe (command line: C:\Windows\system32\Dncdqcbl.exe), PID 2964
depth 97: C:\Windows\SysWOW64\Dodahk32.exe (command line: C:\Windows\system32\Dodahk32.exe), PID 2756
- Modifies registry class
depth 98: C:\Windows\SysWOW64\Dhleaq32.exe (command line: C:\Windows\system32\Dhleaq32.exe), PID 2448
depth 99: C:\Windows\SysWOW64\Dpcnbn32.exe (command line: C:\Windows\system32\Dpcnbn32.exe), PID 1420
depth 100: C:\Windows\SysWOW64\Dfpfke32.exe (command line: C:\Windows\system32\Dfpfke32.exe), PID 1248
depth 101: C:\Windows\SysWOW64\Dkmncl32.exe (command line: C:\Windows\system32\Dkmncl32.exe), PID 1540
depth 102: C:\Windows\SysWOW64\Edeclabl.exe (command line: C:\Windows\system32\Edeclabl.exe), PID 1740
depth 103: C:\Windows\SysWOW64\Elmkmo32.exe (command line: C:\Windows\system32\Elmkmo32.exe), PID 888
- System Location Discovery: System Language Discovery
depth 104: C:\Windows\SysWOW64\Edhpaa32.exe (command line: C:\Windows\system32\Edhpaa32.exe), PID 1604
depth 105: C:\Windows\SysWOW64\Egflml32.exe (command line: C:\Windows\system32\Egflml32.exe), PID 2868
depth 106: C:\Windows\SysWOW64\Edjlgq32.exe (command line: C:\Windows\system32\Edjlgq32.exe), PID 2708
depth 107: C:\Windows\SysWOW64\Egihcl32.exe (command line: C:\Windows\system32\Egihcl32.exe), PID 2216
- Adds autorun key to be loaded by Explorer.exe on startup
depth 108: C:\Windows\SysWOW64\Enbapf32.exe (command line: C:\Windows\system32\Enbapf32.exe), PID 2748
depth 109: C:\Windows\SysWOW64\Ecoihm32.exe (command line: C:\Windows\system32\Ecoihm32.exe), PID 2232
- Modifies registry class
depth 110: C:\Windows\SysWOW64\Enenef32.exe (command line: C:\Windows\system32\Enenef32.exe), PID 1388
depth 111: C:\Windows\SysWOW64\Egmbnkie.exe (command line: C:\Windows\system32\Egmbnkie.exe), PID 2404
depth 112: C:\Windows\SysWOW64\Fiedfb32.exe (command line: C:\Windows\system32\Fiedfb32.exe), PID 1392
depth 113: C:\Windows\SysWOW64\Flfnhnfm.exe (command line: C:\Windows\system32\Flfnhnfm.exe), PID 1116
depth 114: C:\Windows\SysWOW64\Glijnmdj.exe (command line: C:\Windows\system32\Glijnmdj.exe), PID 2092
depth 115: C:\Windows\SysWOW64\Gddobpbe.exe (command line: C:\Windows\system32\Gddobpbe.exe), PID 764
depth 116: C:\Windows\SysWOW64\Gmoppefc.exe (command line: C:\Windows\system32\Gmoppefc.exe), PID 2140
depth 117: C:\Windows\SysWOW64\Ghddnnfi.exe (command line: C:\Windows\system32\Ghddnnfi.exe), PID 2108
- System Location Discovery: System Language Discovery
depth 118: C:\Windows\SysWOW64\Gjbqjiem.exe (command line: C:\Windows\system32\Gjbqjiem.exe), PID 2836
- System Location Discovery: System Language Discovery
- Modifies registry class
depth 119: C:\Windows\SysWOW64\Gdkebolm.exe (command line: C:\Windows\system32\Gdkebolm.exe), PID 2132
- Modifies registry class
depth 120: C:\Windows\SysWOW64\Gihnkejd.exe (command line: C:\Windows\system32\Gihnkejd.exe), PID 1488
depth 121: C:\Windows\SysWOW64\Glfjgaih.exe (command line: C:\Windows\system32\Glfjgaih.exe), PID 3004
depth 122: C:\Windows\SysWOW64\Hbpbck32.exe (command line: C:\Windows\system32\Hbpbck32.exe), PID 948
depth 123: C:\Windows\SysWOW64\Heonpf32.exe (command line: C:\Windows\system32\Heonpf32.exe), PID 2540
depth 124: C:\Windows\SysWOW64\Hpdbmooo.exe (command line: C:\Windows\system32\Hpdbmooo.exe), PID 1648
depth 125: C:\Windows\SysWOW64\Hlkcbp32.exe (command line: C:\Windows\system32\Hlkcbp32.exe), PID 776
depth 126: C:\Windows\SysWOW64\Hlmphp32.exe (command line: C:\Windows\system32\Hlmphp32.exe), PID 1096
depth 127: C:\Windows\SysWOW64\Heedqe32.exe (command line: C:\Windows\system32\Heedqe32.exe), PID 2816
depth 128: C:\Windows\SysWOW64\Hdkaabnh.exe (command line: C:\Windows\system32\Hdkaabnh.exe), PID 1876
- Drops file in System32 directory
depth 129: C:\Windows\SysWOW64\Hkejnl32.exe (command line: C:\Windows\system32\Hkejnl32.exe), PID 2284
depth 130: C:\Windows\SysWOW64\Igkjcm32.exe (command line: C:\Windows\system32\Igkjcm32.exe), PID 2764
depth 131: C:\Windows\SysWOW64\Iijfoh32.exe (command line: C:\Windows\system32\Iijfoh32.exe), PID 520
depth 132: C:\Windows\SysWOW64\Icbkhnan.exe (command line: C:\Windows\system32\Icbkhnan.exe), PID 2400
depth 133: C:\Windows\SysWOW64\Ikicikap.exe (command line: C:\Windows\system32\Ikicikap.exe), PID 2256
depth 134: C:\Windows\SysWOW64\Idbgbahq.exe (command line: C:\Windows\system32\Idbgbahq.exe), PID 1632
depth 135: C:\Windows\SysWOW64\Igpdnlgd.exe (command line: C:\Windows\system32\Igpdnlgd.exe), PID 752
depth 136: C:\Windows\SysWOW64\Injlkf32.exe (command line: C:\Windows\system32\Injlkf32.exe), PID 1600
depth 137: C:\Windows\SysWOW64\Iphhgb32.exe (command line: C:\Windows\system32\Iphhgb32.exe), PID 2792
depth 138: C:\Windows\SysWOW64\Igbqdlea.exe (command line: C:\Windows\system32\Igbqdlea.exe), PID 852
depth 139: C:\Windows\SysWOW64\Ihdmld32.exe (command line: C:\Windows\system32\Ihdmld32.exe), PID 3020
- System Location Discovery: System Language Discovery
depth 140: C:\Windows\SysWOW64\Ialadj32.exe (command line: C:\Windows\system32\Ialadj32.exe), PID 2000
depth 141: C:\Windows\SysWOW64\Jobocn32.exe (command line: C:\Windows\system32\Jobocn32.exe), PID 2056
depth 142: C:\Windows\SysWOW64\Jgnchplb.exe (command line: C:\Windows\system32\Jgnchplb.exe), PID 112
depth 143: C:\Windows\SysWOW64\Jqfhqe32.exe (command line: C:\Windows\system32\Jqfhqe32.exe), PID 2552
depth 144: C:\Windows\SysWOW64\Jkllnn32.exe (command line: C:\Windows\system32\Jkllnn32.exe), PID 2016
depth 145: C:\Windows\SysWOW64\Jgbmco32.exe (command line: C:\Windows\system32\Jgbmco32.exe), PID 2376
depth 146: C:\Windows\SysWOW64\Kqkalenn.exe (command line: C:\Windows\system32\Kqkalenn.exe), PID 1144
depth 147: C:\Windows\SysWOW64\Kmabqf32.exe (command line: C:\Windows\system32\Kmabqf32.exe), PID 2676
depth 148: C:\Windows\SysWOW64\Kfjfik32.exe (command line: C:\Windows\system32\Kfjfik32.exe), PID 2064
depth 149: C:\Windows\SysWOW64\Kcngcp32.exe (command line: C:\Windows\system32\Kcngcp32.exe), PID 2844
depth 150: C:\Windows\SysWOW64\Kjhopjqi.exe (command line: C:\Windows\system32\Kjhopjqi.exe), PID 2976
depth 151: C:\Windows\SysWOW64\Kbcddlnd.exe (command line: C:\Windows\system32\Kbcddlnd.exe), PID 2564
- Drops file in System32 directory
depth 152: C:\Windows\SysWOW64\Kmhhae32.exe (command line: C:\Windows\system32\Kmhhae32.exe), PID 1808
- System Location Discovery: System Language Discovery
depth 153: C:\Windows\SysWOW64\Lajmkhai.exe (command line: C:\Windows\system32\Lajmkhai.exe), PID 2268
depth 154: C:\Windows\SysWOW64\Ljcbcngi.exe (command line: C:\Windows\system32\Ljcbcngi.exe), PID 1596
depth 155: C:\Windows\SysWOW64\Lbjjekhl.exe (command line: C:\Windows\system32\Lbjjekhl.exe), PID 1896
depth 156: C:\Windows\SysWOW64\Llbnnq32.exe (command line: C:\Windows\system32\Llbnnq32.exe), PID 2968
- Adds autorun key to be loaded by Explorer.exe on startup
depth 157: C:\Windows\SysWOW64\Laogfg32.exe (command line: C:\Windows\system32\Laogfg32.exe), PID 2440
depth 158: C:\Windows\SysWOW64\Lmfgkh32.exe (command line: C:\Windows\system32\Lmfgkh32.exe), PID 436
depth 159: C:\Windows\SysWOW64\Limhpihl.exe (command line: C:\Windows\system32\Limhpihl.exe), PID 1732
depth 160: C:\Windows\SysWOW64\Mfqiingf.exe (command line: C:\Windows\system32\Mfqiingf.exe), PID 1952
- Adds autorun key to be loaded by Explorer.exe on startup
depth 161: C:\Windows\SysWOW64\Mlmaad32.exe (command line: C:\Windows\system32\Mlmaad32.exe), PID 2940
depth 162: C:\Windows\SysWOW64\Monjcp32.exe (command line: C:\Windows\system32\Monjcp32.exe), PID 2104
depth 163: C:\Windows\SysWOW64\Mlbkmdah.exe (command line: C:\Windows\system32\Mlbkmdah.exe), PID 2684
- System Location Discovery: System Language Discovery
depth 164: C:\Windows\SysWOW64\Mhikae32.exe (command line: C:\Windows\system32\Mhikae32.exe), PID 1872
depth 165: C:\Windows\SysWOW64\Mbopon32.exe (command line: C:\Windows\system32\Mbopon32.exe), PID 1560
depth 166: C:\Windows\SysWOW64\Mdplfflp.exe (command line: C:\Windows\system32\Mdplfflp.exe), PID 2024
depth 167: C:\Windows\SysWOW64\Noepdo32.exe (command line: C:\Windows\system32\Noepdo32.exe), PID 616
depth 168: C:\Windows\SysWOW64\Ndbile32.exe (command line: C:\Windows\system32\Ndbile32.exe), PID 1932
depth 169: C:\Windows\SysWOW64\Nmjmekan.exe (command line: C:\Windows\system32\Nmjmekan.exe), PID 2396
depth 170: C:\Windows\SysWOW64\Nmmjjk32.exe (command line: C:\Windows\system32\Nmmjjk32.exe), PID 2324
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
depth 171: C:\Windows\SysWOW64\Nickoldp.exe (command line: C:\Windows\system32\Nickoldp.exe), PID 1568
depth 172: C:\Windows\SysWOW64\Ndiomdde.exe (command line: C:\Windows\system32\Ndiomdde.exe), PID 1700
depth 173: C:\Windows\SysWOW64\Nldcagaq.exe (command line: C:\Windows\system32\Nldcagaq.exe), PID 2468
depth 174: C:\Windows\SysWOW64\Oihdjk32.exe (command line: C:\Windows\system32\Oihdjk32.exe), PID 2668
depth 175: C:\Windows\SysWOW64\Oeoeplfn.exe (command line: C:\Windows\system32\Oeoeplfn.exe), PID 1888
depth 176: C:\Windows\SysWOW64\Oogiha32.exe (command line: C:\Windows\system32\Oogiha32.exe), PID 2692
depth 177: C:\Windows\SysWOW64\Oecnkk32.exe (command line: C:\Windows\system32\Oecnkk32.exe), PID 2504
- Drops file in System32 directory
depth 178: C:\Windows\SysWOW64\Pglacbbo.exe (command line: C:\Windows\system32\Pglacbbo.exe), PID 848
- Adds autorun key to be loaded by Explorer.exe on startup
depth 179: C:\Windows\SysWOW64\Pqdelh32.exe (command line: C:\Windows\system32\Pqdelh32.exe), PID 2996
depth 180: C:\Windows\SysWOW64\Pfando32.exe (command line: C:\Windows\system32\Pfando32.exe), PID 1924
depth 181: C:\Windows\SysWOW64\Pcenmcea.exe (command line: C:\Windows\system32\Pcenmcea.exe), PID 3032
depth 182: C:\Windows\SysWOW64\Pibgfjdh.exe (command line: C:\Windows\system32\Pibgfjdh.exe), PID 2228
depth 183: C:\Windows\SysWOW64\Qidckjae.exe (command line: C:\Windows\system32\Qidckjae.exe), PID 1984
depth 184: C:\Windows\SysWOW64\Qnalcqpm.exe (command line: C:\Windows\system32\Qnalcqpm.exe), PID 2248
depth 185: C:\Windows\SysWOW64\Qgiplffm.exe (command line: C:\Windows\system32\Qgiplffm.exe), PID 2380
depth 186: C:\Windows\SysWOW64\Qnciiq32.exe (command line: C:\Windows\system32\Qnciiq32.exe), PID 1444
depth 187: C:\Windows\SysWOW64\Ajjinaco.exe (command line: C:\Windows\system32\Ajjinaco.exe), PID 2136
depth 188: C:\Windows\SysWOW64\Acbnggjo.exe (command line: C:\Windows\system32\Acbnggjo.exe), PID 3080
depth 189: C:\Windows\SysWOW64\Acejlfhl.exe (command line: C:\Windows\system32\Acejlfhl.exe), PID 3120
depth 190: C:\Windows\SysWOW64\Agccbenc.exe (command line: C:\Windows\system32\Agccbenc.exe), PID 3160
depth 191: C:\Windows\SysWOW64\Ambhpljg.exe (command line: C:\Windows\system32\Ambhpljg.exe), PID 3208
depth 192: C:\Windows\SysWOW64\Bemmenhb.exe (command line: C:\Windows\system32\Bemmenhb.exe), PID 3248
depth 193: C:\Windows\SysWOW64\Bneancnc.exe (command line: C:\Windows\system32\Bneancnc.exe), PID 3288
- Adds autorun key to be loaded by Explorer.exe on startup
depth 194: C:\Windows\SysWOW64\Blibghmm.exe (command line: C:\Windows\system32\Blibghmm.exe), PID 3328
depth 195: C:\Windows\SysWOW64\Bafkookd.exe (command line: C:\Windows\system32\Bafkookd.exe), PID 3372
- Modifies registry class
depth 196: C:\Windows\SysWOW64\Baigen32.exe (command line: C:\Windows\system32\Baigen32.exe), PID 3412
depth 197: C:\Windows\SysWOW64\Bjalndpb.exe (command line: C:\Windows\system32\Bjalndpb.exe), PID 3452
depth 198: C:\Windows\SysWOW64\Befpkmph.exe (command line: C:\Windows\system32\Befpkmph.exe), PID 3492
depth 199: C:\Windows\SysWOW64\Cooddbfh.exe (command line: C:\Windows\system32\Cooddbfh.exe), PID 3532
- Modifies registry class
depth 200: C:\Windows\SysWOW64\Cdlmlidp.exe (command line: C:\Windows\system32\Cdlmlidp.exe), PID 3572
depth 201: C:\Windows\SysWOW64\Cmdaeo32.exe (command line: C:\Windows\system32\Cmdaeo32.exe), PID 3612
depth 202: C:\Windows\SysWOW64\Cdnjaibm.exe (command line: C:\Windows\system32\Cdnjaibm.exe), PID 3652
depth 203: C:\Windows\SysWOW64\Cikbjpqd.exe (command line: C:\Windows\system32\Cikbjpqd.exe), PID 3692
- System Location Discovery: System Language Discovery
depth 204: C:\Windows\SysWOW64\Cgobcd32.exe (command line: C:\Windows\system32\Cgobcd32.exe), PID 3732
depth 205: C:\Windows\SysWOW64\Cojghf32.exe (command line: C:\Windows\system32\Cojghf32.exe), PID 3772
depth 206: C:\Windows\SysWOW64\Clnhajlc.exe (command line: C:\Windows\system32\Clnhajlc.exe), PID 3812
depth 207: C:\Windows\SysWOW64\Dibhjokm.exe (command line: C:\Windows\system32\Dibhjokm.exe), PID 3852
depth 208: C:\Windows\SysWOW64\Dcjmcd32.exe (command line: C:\Windows\system32\Dcjmcd32.exe), PID 3892
depth 209: C:\Windows\SysWOW64\Dlbaljhn.exe (command line: C:\Windows\system32\Dlbaljhn.exe), PID 3932
depth 210: C:\Windows\SysWOW64\Dndndbnl.exe (command line: C:\Windows\system32\Dndndbnl.exe), PID 3972
- Drops file in System32 directory
depth 211: C:\Windows\SysWOW64\Docjne32.exe (command line: C:\Windows\system32\Docjne32.exe), PID 4016
depth 212: C:\Windows\SysWOW64\Dgoobg32.exe (command line: C:\Windows\system32\Dgoobg32.exe), PID 4056
depth 213: C:\Windows\SysWOW64\Dpgckm32.exe (command line: C:\Windows\system32\Dpgckm32.exe), PID 3076
depth 214: C:\Windows\SysWOW64\Epipql32.exe (command line: C:\Windows\system32\Epipql32.exe), PID 3112
depth 215: C:\Windows\SysWOW64\Egchmfnd.exe (command line: C:\Windows\system32\Egchmfnd.exe), PID 3156
depth 216: C:\Windows\SysWOW64\Eoomai32.exe (command line: C:\Windows\system32\Eoomai32.exe), PID 1060
depth 217: C:\Windows\SysWOW64\Eqnillbb.exe (command line: C:\Windows\system32\Eqnillbb.exe), PID 3264
depth 218: C:\Windows\SysWOW64\Ejfnda32.exe (command line: C:\Windows\system32\Ejfnda32.exe), PID 3312
depth 219: C:\Windows\SysWOW64\Ecobmg32.exe (command line: C:\Windows\system32\Ecobmg32.exe), PID 3356
depth 220: C:\Windows\SysWOW64\Ekjgbi32.exe (command line: C:\Windows\system32\Ekjgbi32.exe), PID 3400
- Adds autorun key to be loaded by Explorer.exe on startup
depth 221: C:\Windows\SysWOW64\Enhcnd32.exe (command line: C:\Windows\system32\Enhcnd32.exe), PID 3464
- Drops file in System32 directory
depth 222: C:\Windows\SysWOW64\Fgqhgjbb.exe (command line: C:\Windows\system32\Fgqhgjbb.exe), PID 3508
- Adds autorun key to be loaded by Explorer.exe on startup
depth 223: C:\Windows\SysWOW64\Fdehpn32.exe (command line: C:\Windows\system32\Fdehpn32.exe), PID 3564
depth 224: C:\Windows\SysWOW64\Fjaqhe32.exe (command line: C:\Windows\system32\Fjaqhe32.exe), PID 3608
- Drops file in System32 directory
depth 225: C:\Windows\SysWOW64\Fbiijb32.exe (command line: C:\Windows\system32\Fbiijb32.exe), PID 3664
depth 226: C:\Windows\SysWOW64\Fjdnne32.exe (command line: C:\Windows\system32\Fjdnne32.exe), PID 3720
- System Location Discovery: System Language Discovery
depth 227: C:\Windows\SysWOW64\Ffkncf32.exe (command line: C:\Windows\system32\Ffkncf32.exe), PID 3764
depth 228: C:\Windows\SysWOW64\Fmdfppkb.exe (command line: C:\Windows\system32\Fmdfppkb.exe), PID 3800
depth 229: C:\Windows\SysWOW64\Fgjkmijh.exe (command line: C:\Windows\system32\Fgjkmijh.exe), PID 3868
depth 230: C:\Windows\SysWOW64\Fikgda32.exe (command line: C:\Windows\system32\Fikgda32.exe), PID 3904
depth 231: C:\Windows\SysWOW64\Gmipko32.exe (command line: C:\Windows\system32\Gmipko32.exe), PID 3952
depth 232: C:\Windows\SysWOW64\Geddoa32.exe (command line: C:\Windows\system32\Geddoa32.exe), PID 4008
- Adds autorun key to be loaded by Explorer.exe on startup
depth 233: C:\Windows\SysWOW64\Gpjilj32.exe (command line: C:\Windows\system32\Gpjilj32.exe), PID 4064
- Drops file in System32 directory
depth 234: C:\Windows\SysWOW64\Gibmep32.exe (command line: C:\Windows\system32\Gibmep32.exe), PID 1980
depth 235: C:\Windows\SysWOW64\Gbkaneao.exe (command line: C:\Windows\system32\Gbkaneao.exe), PID 3148
depth 236: C:\Windows\SysWOW64\Geinjapb.exe (command line: C:\Windows\system32\Geinjapb.exe), PID 3200
depth 237: C:\Windows\SysWOW64\Gbmoceol.exe (command line: C:\Windows\system32\Gbmoceol.exe), PID 3256
depth 238: C:\Windows\SysWOW64\Gdnkkmej.exe (command line: C:\Windows\system32\Gdnkkmej.exe), PID 3324
depth 239: C:\Windows\SysWOW64\Hengep32.exe (command line: C:\Windows\system32\Hengep32.exe), PID 3392
- Modifies registry class
depth 240: C:\Windows\SysWOW64\Hbhagiem.exe (command line: C:\Windows\system32\Hbhagiem.exe), PID 3460
depth 241: C:\Windows\SysWOW64\Hffjng32.exe (command line: C:\Windows\system32\Hffjng32.exe), PID 3520
depth 242: C:\Windows\SysWOW64\Hpoofm32.exe (command line: C:\Windows\system32\Hpoofm32.exe), PID 3580