Analysis
-
max time kernel
121s -
max time network
121s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
10-11-2024 01:32
Static task
static1
Behavioral task
behavioral1
Sample
aafa0367215635ce3bf9e446950d3ab10e3d84d1231c43ce2019a4494aa17c7f.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
aafa0367215635ce3bf9e446950d3ab10e3d84d1231c43ce2019a4494aa17c7f.exe
Resource
win10v2004-20241007-en
General
-
Target
aafa0367215635ce3bf9e446950d3ab10e3d84d1231c43ce2019a4494aa17c7f.exe
-
Size
57KB
-
MD5
46254a50fdf45284c66816422a42f0ab
-
SHA1
1f5bb8382fd559293c819bb7c023d00213de3a07
-
SHA256
aafa0367215635ce3bf9e446950d3ab10e3d84d1231c43ce2019a4494aa17c7f
-
SHA512
40376aedbb65657e573fa646317839d9897f1a32e7a098192cddd48c42c667f6838fb1df00b78d9be0c2b580a24d7bfa327fafa264f2899220c128a06341a5a8
-
SSDEEP
768:TfITiDc5Q7q5/EqYbZMGk8y9qKdKPzaGaqwageLDIwuILN/1H5pXdnhg:73DsQ7q5/KeGkccyzaGgaT3I7ILHl
Malware Config
Extracted
berbew
http://crutop.nu/index.php
http://crutop.ru/index.php
http://mazafaka.ru/index.php
http://color-bank.ru/index.php
http://asechka.ru/index.php
http://trojan.ru/index.php
http://fuck.ru/index.php
http://goldensand.ru/index.php
http://filesearch.ru/index.php
http://devx.nm.ru/index.php
http://ros-neftbank.ru/index.php
http://lovingod.host.sk/index.php
http://www.redline.ru/index.php
http://cvv.ru/index.php
http://hackers.lv/index.php
http://fethard.biz/index.php
http://ldark.nm.ru/index.htm
http://gaz-prom.ru/index.htm
http://promo.ru/index.htm
http://potleaf.chat.ru/index.htm
http://kadet.ru/index.htm
http://cvv.ru/index.htm
http://crutop.nu/index.htm
http://crutop.ru/index.htm
http://mazafaka.ru/index.htm
http://xware.cjb.net/index.htm
http://konfiskat.org/index.htm
http://parex-bank.ru/index.htm
http://kidos-bank.ru/index.htm
http://kavkaz.ru/index.htm
http://fethard.biz/index.htm
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
Processes:
Ndnlnm32.exePkcpei32.exeCedpbd32.exeKgclio32.exeDlofgj32.exeGpelnb32.exeHibjbgbh.exeCcbphk32.exeDldkmlhl.exeHblgnkdh.exeJedcpi32.exeQjhmfekp.exeMfmndn32.exePadhdm32.exeEinjdb32.exeFodebh32.exeDaipqhdg.exeBfncpcoc.exeGgnmbn32.exeHfegij32.exeMimgeigj.exeCaifjn32.exeaafa0367215635ce3bf9e446950d3ab10e3d84d1231c43ce2019a4494aa17c7f.exeAgljom32.exeHhjcic32.exeMobfgdcl.exeOlebgfao.exeGjpqpl32.exeFdiogq32.exeKnkgpi32.exeNibqqh32.exeMgebdipp.exeDiphbfdi.exeGfhgpg32.exeJdnmma32.exeMjcaimgg.exePepcelel.exePnjfae32.exeOmefkplm.exeElfcbo32.exeAmcbankf.exeAkiobk32.exeDkigoimd.exeGneijien.exePpnnai32.exeGnkoid32.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ndnlnm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pkcpei32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cedpbd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kgclio32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dlofgj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gpelnb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hibjbgbh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ccbphk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dldkmlhl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hblgnkdh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jedcpi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qjhmfekp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mfmndn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Padhdm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Einjdb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fodebh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Daipqhdg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bfncpcoc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ggnmbn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hfegij32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mimgeigj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Caifjn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" aafa0367215635ce3bf9e446950d3ab10e3d84d1231c43ce2019a4494aa17c7f.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Agljom32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hhjcic32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mobfgdcl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Olebgfao.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gjpqpl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fdiogq32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Knkgpi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nibqqh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mgebdipp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Diphbfdi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gfhgpg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jdnmma32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mjcaimgg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pepcelel.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pnjfae32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Omefkplm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Elfcbo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Amcbankf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Akiobk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dkigoimd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gneijien.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ppnnai32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gnkoid32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad -
Berbew family
-
Executes dropped EXE 64 IoCs
Processes:
Lfolaang.exeLgpiij32.exeLpgajgeg.exeLgbeoibb.exeLlnaoh32.exeMeffhnal.exeMgebdipp.exeMjcoqdoc.exeMamgmofp.exeMclcijfd.exeMjekfd32.exeMpbdnk32.exeMhilph32.exeMabphn32.exeMbcmpfhi.exeMfoiqe32.exeMmhamoho.exeMbeiefff.exeMedeaaej.exeMioabp32.exeNlnnnk32.exeNfcbldmm.exeNianhplq.exeNhdocl32.exeNoogpfjh.exeNamclbil.exeNlbgikia.exeNdnlnm32.exeNhiholof.exeNaalga32.exeNhlddkmc.exeNgneph32.exeNadimacd.exeOhnaik32.exeOionacqo.exeOpifnm32.exeOiakgcnl.exeOmmfga32.exeOlpgconp.exeOlbchn32.exeOcllehcj.exeOekhacbn.exeOpplolac.exeOemegc32.exeOhkaco32.exePadeldeo.exePdbahpec.exePlijimee.exePohfehdi.exePnjfae32.exePeanbblf.exePhpjnnki.exePojbkh32.exePnmcfeia.exePahogc32.exePhbgcnig.exePkacpihj.exePnopldgn.exePqnlhpfb.exePclhdl32.exePkcpei32.exePjfpafmb.exePnalad32.exePqphnp32.exepid process 492 Lfolaang.exe 2372 Lgpiij32.exe 2796 Lpgajgeg.exe 2080 Lgbeoibb.exe 2896 Llnaoh32.exe 2588 Meffhnal.exe 2628 Mgebdipp.exe 2728 Mjcoqdoc.exe 2652 Mamgmofp.exe 2560 Mclcijfd.exe 2528 Mjekfd32.exe 2428 Mpbdnk32.exe 1932 Mhilph32.exe 2028 Mabphn32.exe 292 Mbcmpfhi.exe 1592 Mfoiqe32.exe 2212 Mmhamoho.exe 2140 Mbeiefff.exe 1220 Medeaaej.exe 684 Mioabp32.exe 2096 Nlnnnk32.exe 1356 Nfcbldmm.exe 3056 Nianhplq.exe 1276 Nhdocl32.exe 1624 Noogpfjh.exe 2840 Namclbil.exe 2312 Nlbgikia.exe 2792 Ndnlnm32.exe 2108 Nhiholof.exe 2060 Naalga32.exe 1536 Nhlddkmc.exe 2948 Ngneph32.exe 2636 Nadimacd.exe 2672 Ohnaik32.exe 2508 Oionacqo.exe 2500 Opifnm32.exe 2928 Oiakgcnl.exe 776 Ommfga32.exe 2408 Olpgconp.exe 1976 Olbchn32.exe 1776 Ocllehcj.exe 1812 Oekhacbn.exe 2524 Opplolac.exe 2320 Oemegc32.exe 2124 Ohkaco32.exe 1712 Padeldeo.exe 600 Pdbahpec.exe 1032 Plijimee.exe 680 Pohfehdi.exe 1628 Pnjfae32.exe 2348 Peanbblf.exe 1580 Phpjnnki.exe 304 Pojbkh32.exe 2112 Pnmcfeia.exe 2232 Pahogc32.exe 2736 Phbgcnig.exe 1392 Pkacpihj.exe 2596 Pnopldgn.exe 2888 Pqnlhpfb.exe 2444 Pclhdl32.exe 1940 Pkcpei32.exe 1944 Pjfpafmb.exe 1420 Pnalad32.exe 2128 Pqphnp32.exe -
Loads dropped DLL 64 IoCs
Processes:
aafa0367215635ce3bf9e446950d3ab10e3d84d1231c43ce2019a4494aa17c7f.exeLfolaang.exeLgpiij32.exeLpgajgeg.exeLgbeoibb.exeLlnaoh32.exeMeffhnal.exeMgebdipp.exeMjcoqdoc.exeMamgmofp.exeMclcijfd.exeMjekfd32.exeMpbdnk32.exeMhilph32.exeMabphn32.exeMbcmpfhi.exeMfoiqe32.exeMmhamoho.exeMbeiefff.exeMedeaaej.exeMioabp32.exeNlnnnk32.exeNfcbldmm.exeNianhplq.exeNhdocl32.exeNoogpfjh.exeNamclbil.exeNlbgikia.exeNdnlnm32.exeNhiholof.exeNaalga32.exeNhlddkmc.exepid process 2860 aafa0367215635ce3bf9e446950d3ab10e3d84d1231c43ce2019a4494aa17c7f.exe 2860 aafa0367215635ce3bf9e446950d3ab10e3d84d1231c43ce2019a4494aa17c7f.exe 492 Lfolaang.exe 492 Lfolaang.exe 2372 Lgpiij32.exe 2372 Lgpiij32.exe 2796 Lpgajgeg.exe 2796 Lpgajgeg.exe 2080 Lgbeoibb.exe 2080 Lgbeoibb.exe 2896 Llnaoh32.exe 2896 Llnaoh32.exe 2588 Meffhnal.exe 2588 Meffhnal.exe 2628 Mgebdipp.exe 2628 Mgebdipp.exe 2728 Mjcoqdoc.exe 2728 Mjcoqdoc.exe 2652 Mamgmofp.exe 2652 Mamgmofp.exe 2560 Mclcijfd.exe 2560 Mclcijfd.exe 2528 Mjekfd32.exe 2528 Mjekfd32.exe 2428 Mpbdnk32.exe 2428 Mpbdnk32.exe 1932 Mhilph32.exe 1932 Mhilph32.exe 2028 Mabphn32.exe 2028 Mabphn32.exe 292 Mbcmpfhi.exe 292 Mbcmpfhi.exe 1592 Mfoiqe32.exe 1592 Mfoiqe32.exe 2212 Mmhamoho.exe 2212 Mmhamoho.exe 2140 Mbeiefff.exe 2140 Mbeiefff.exe 1220 Medeaaej.exe 1220 Medeaaej.exe 684 Mioabp32.exe 684 Mioabp32.exe 2096 Nlnnnk32.exe 2096 Nlnnnk32.exe 1356 Nfcbldmm.exe 1356 Nfcbldmm.exe 3056 Nianhplq.exe 3056 Nianhplq.exe 1276 Nhdocl32.exe 1276 Nhdocl32.exe 1624 Noogpfjh.exe 1624 Noogpfjh.exe 2840 Namclbil.exe 2840 Namclbil.exe 2312 Nlbgikia.exe 2312 Nlbgikia.exe 2792 Ndnlnm32.exe 2792 Ndnlnm32.exe 2108 Nhiholof.exe 2108 Nhiholof.exe 2060 Naalga32.exe 2060 Naalga32.exe 1536 Nhlddkmc.exe 1536 Nhlddkmc.exe -
Drops file in System32 directory 64 IoCs
Processes:
Hbknkl32.exeCocphf32.exeQogbdl32.exeObdojcef.exeQhmcmk32.exeHcldhnkk.exeAhbekjcf.exeCgoelh32.exeHbfepmmn.exeHhjcic32.exeAmohfo32.exeFcnkhmdp.exeGfejjgli.exeHnpdcf32.exeImleli32.exeImnbbi32.exeAkkoig32.exeKglehp32.exeNlqmmd32.exeOopijc32.exeFogibnha.exeJoiappkp.exeKcdjoaee.exeHfcjdkpg.exeLocjhqpa.exePafdjmkq.exeDklddhka.exeHblgnkdh.exePdbahpec.exeMpamde32.exeFnflke32.exeMbnljqic.exePpkhhjei.exeBgllgedi.exeEkdchf32.exeFlclam32.exeIfoqjo32.exeOdmabj32.exeAgjobffl.exeEhlmljkm.exeMbeiefff.exeNecogkbo.exeEggndi32.exeOpglafab.exeEdaalk32.exeHipmmg32.exeAknlofim.exedescription ioc process File created C:\Windows\SysWOW64\Heikgh32.exe Hbknkl32.exe File opened for modification C:\Windows\SysWOW64\Cbblda32.exe Cocphf32.exe File opened for modification C:\Windows\SysWOW64\Cgnnab32.exe File created C:\Windows\SysWOW64\Abfnpg32.exe Qogbdl32.exe File created C:\Windows\SysWOW64\Hjjpmh32.dll Obdojcef.exe File opened for modification C:\Windows\SysWOW64\Akkoig32.exe Qhmcmk32.exe File opened for modification C:\Windows\SysWOW64\Hboddk32.exe Hcldhnkk.exe File created C:\Windows\SysWOW64\Ageompfe.exe File created C:\Windows\SysWOW64\Adpqglen.dll Ahbekjcf.exe File created C:\Windows\SysWOW64\Cnimiblo.exe Cgoelh32.exe File created C:\Windows\SysWOW64\Gljmpigg.dll File created C:\Windows\SysWOW64\Ebhchpcd.dll Hbfepmmn.exe File opened for modification C:\Windows\SysWOW64\Hjipenda.exe Hhjcic32.exe File opened for modification C:\Windows\SysWOW64\Aqjdgmgd.exe Amohfo32.exe File opened for modification C:\Windows\SysWOW64\Fkecij32.exe Fcnkhmdp.exe File opened for modification C:\Windows\SysWOW64\Mhcmedli.exe File created C:\Windows\SysWOW64\Dohafell.dll Gfejjgli.exe File opened for modification C:\Windows\SysWOW64\Hqnapb32.exe Hnpdcf32.exe File created C:\Windows\SysWOW64\Hcjdjiqp.dll File created C:\Windows\SysWOW64\Ipjahd32.exe Imleli32.exe File created C:\Windows\SysWOW64\Obgneo32.dll Imnbbi32.exe File created C:\Windows\SysWOW64\Lnnibe32.dll Akkoig32.exe File opened for modification C:\Windows\SysWOW64\Kocmim32.exe Kglehp32.exe File created C:\Windows\SysWOW64\Gfdkid32.dll Nlqmmd32.exe File opened for modification C:\Windows\SysWOW64\Omcifpnp.exe Oopijc32.exe File created C:\Windows\SysWOW64\Jncfhkjh.dll Fogibnha.exe File opened for modification C:\Windows\SysWOW64\Mjcjog32.exe File created C:\Windows\SysWOW64\Dbabho32.exe File opened for modification C:\Windows\SysWOW64\Gpggei32.exe File created C:\Windows\SysWOW64\Jnkakl32.exe Joiappkp.exe File created C:\Windows\SysWOW64\Ahqmla32.dll Kcdjoaee.exe File created C:\Windows\SysWOW64\Pbihfb32.dll Hfcjdkpg.exe File opened for modification C:\Windows\SysWOW64\Lcofio32.exe Locjhqpa.exe File created C:\Windows\SysWOW64\Qqmfpqmc.dll Pafdjmkq.exe File created C:\Windows\SysWOW64\Dmjqpdje.exe Dklddhka.exe File created C:\Windows\SysWOW64\Hdhkdkaa.dll Hblgnkdh.exe File opened for modification C:\Windows\SysWOW64\Giolnomh.exe File created C:\Windows\SysWOW64\Plijimee.exe Pdbahpec.exe File created C:\Windows\SysWOW64\Nhmglf32.dll Mpamde32.exe File created C:\Windows\SysWOW64\Fqdiga32.exe Fnflke32.exe File opened for modification C:\Windows\SysWOW64\Hqnjek32.exe File created C:\Windows\SysWOW64\Daadna32.dll File created C:\Windows\SysWOW64\Ekcqmj32.dll File created C:\Windows\SysWOW64\Cbgklp32.dll File created C:\Windows\SysWOW64\Efljhq32.exe File created C:\Windows\SysWOW64\Anjcbljh.dll Mbnljqic.exe File opened for modification C:\Windows\SysWOW64\Pomhcg32.exe Ppkhhjei.exe File created C:\Windows\SysWOW64\Bjkhdacm.exe Bgllgedi.exe File opened for modification C:\Windows\SysWOW64\Eopphehb.exe Ekdchf32.exe File created C:\Windows\SysWOW64\Jamajj32.dll Flclam32.exe File opened for modification C:\Windows\SysWOW64\Ijklknbn.exe Ifoqjo32.exe File created C:\Windows\SysWOW64\Ogknoe32.exe Odmabj32.exe File created C:\Windows\SysWOW64\Gggpgo32.dll Agjobffl.exe File opened for modification C:\Windows\SysWOW64\Ekkjheja.exe Ehlmljkm.exe File opened for modification C:\Windows\SysWOW64\Medeaaej.exe Mbeiefff.exe File created C:\Windows\SysWOW64\Kjohojml.dll Necogkbo.exe File opened for modification C:\Windows\SysWOW64\Eiekpd32.exe Eggndi32.exe File created C:\Windows\SysWOW64\Eiapeffl.dll Opglafab.exe File created C:\Windows\SysWOW64\Ehlmljkm.exe Edaalk32.exe File opened for modification C:\Windows\SysWOW64\Hloiib32.exe Hipmmg32.exe File created C:\Windows\SysWOW64\Cfanmogq.exe File created C:\Windows\SysWOW64\Fimoiopk.exe File created C:\Windows\SysWOW64\Anlhkbhq.exe Aknlofim.exe File created C:\Windows\SysWOW64\Inbnhihl.exe -
Program crash 1 IoCs
Processes:
pid pid_target process target process 1804 2456 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
Mabphn32.exeCpnaca32.exeAccqnc32.exeFnipkkdl.exeObdojcef.exeOdgamdef.exeBqeqqk32.exeBceibfgj.exeBgaebe32.exeNmlgfnal.exeNenakoho.exeBfncpcoc.exeEiekpd32.exeNeiaeiii.exeOjmpooah.exeAkqpom32.exeKcdjoaee.exeJdnmma32.exeOpqoge32.exeBnfddp32.exeJenpajfb.exeAciqcifh.exeNipdkieg.exeBchfhfeh.exeQfonkfqd.exeClgbno32.exeDegiggjm.exeHphidanj.exeQppkfhlc.exeQjklenpa.exeOlbchn32.exeIdicbbpi.exeJikeeh32.exeFjegog32.exeGconbj32.exeBfdenafn.exeBmpkqklh.exeEgjbdo32.exePljcllqe.exeFnacpffh.exeHakkgc32.exeIjqoilii.exeNfoghakb.exeEabepp32.exeFdpkbf32.exeMbnljqic.exeNeqnqofm.exeKlngkfge.exedescription ioc process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mabphn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cpnaca32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Accqnc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fnipkkdl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Obdojcef.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Odgamdef.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bqeqqk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bceibfgj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bgaebe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nmlgfnal.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nenakoho.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bfncpcoc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eiekpd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Neiaeiii.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ojmpooah.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Akqpom32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kcdjoaee.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jdnmma32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Opqoge32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bnfddp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jenpajfb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aciqcifh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nipdkieg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bchfhfeh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qfonkfqd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Clgbno32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Degiggjm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hphidanj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qppkfhlc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qjklenpa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Olbchn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Idicbbpi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jikeeh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fjegog32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gconbj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bfdenafn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bmpkqklh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Egjbdo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pljcllqe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fnacpffh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hakkgc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ijqoilii.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nfoghakb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eabepp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fdpkbf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mbnljqic.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Neqnqofm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Klngkfge.exe -
Modifies registry class 64 IoCs
Processes:
Obmnna32.exeJkhldafl.exeAggiigmn.exeCcdmnj32.exeOhncbdbd.exeFchkbg32.exeHhjcic32.exePhfmllbd.exeJimbkh32.exeDlofgj32.exeJlhhndno.exeJkbojpna.exeNbjeinje.exeCgcnghpl.exeHfpfdeon.exeGfhnjm32.exeAeidgbaf.exeBibpad32.exePdmnam32.exeLcjlnpmo.exeEanldqgf.exeaafa0367215635ce3bf9e446950d3ab10e3d84d1231c43ce2019a4494aa17c7f.exeJlkngc32.exeCkolek32.exeNipdkieg.exeAdnpkjde.exePnalad32.exeFnfcel32.exeGmgpbf32.exeBimoloog.exeGeeemeif.exeGoiehm32.exeGpjkeoha.exeFofpoo32.exeGfkkpmko.exeGgnmbn32.exePnbojmmp.exeGpcoib32.exeIbfaopoi.exeAnneqafn.exeGhdgfbkl.exeBjallg32.exeMlhnifmq.exedescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Obmnna32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jkhldafl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aggiigmn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ccdmnj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ohncbdbd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fchkbg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hhjcic32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Phfmllbd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jimbkh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dlofgj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jlhhndno.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nihieggm.dll" Jkbojpna.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nbjeinje.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Efeckm32.dll" Cgcnghpl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndlaqocp.dll" Hfpfdeon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kjapamid.dll" Gfhnjm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fcahif32.dll" Dlofgj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aeidgbaf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bibpad32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pdmnam32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihnijmcj.dll" Lcjlnpmo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Eanldqgf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 aafa0367215635ce3bf9e446950d3ab10e3d84d1231c43ce2019a4494aa17c7f.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jlkngc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ojgidcjn.dll" Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ckolek32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kheoph32.dll" Nipdkieg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjmeignj.dll" Adnpkjde.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pnalad32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Haaemgpd.dll" Fnfcel32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gmgpbf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bimoloog.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Okjejkao.dll" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gefcmp32.dll" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Geeemeif.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Goiehm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gnmdhn32.dll" Gpjkeoha.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ildnklen.dll" Fofpoo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ehebkmgn.dll" Gfkkpmko.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ggnmbn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pnbojmmp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qjqkek32.dll" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Inppon32.dll" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dlbabncd.dll" Gpcoib32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ibfaopoi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Anneqafn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pbgiha32.dll" Ghdgfbkl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Akgddhmc.dll" Ggnmbn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lefggi32.dll" Bjallg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mlhnifmq.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
aafa0367215635ce3bf9e446950d3ab10e3d84d1231c43ce2019a4494aa17c7f.exeLfolaang.exeLgpiij32.exeLpgajgeg.exeLgbeoibb.exeLlnaoh32.exeMeffhnal.exeMgebdipp.exeMjcoqdoc.exeMamgmofp.exeMclcijfd.exeMjekfd32.exeMpbdnk32.exeMhilph32.exeMabphn32.exeMbcmpfhi.exedescription pid process target process PID 2860 wrote to memory of 492 2860 aafa0367215635ce3bf9e446950d3ab10e3d84d1231c43ce2019a4494aa17c7f.exe Lfolaang.exe PID 2860 wrote to memory of 492 2860 aafa0367215635ce3bf9e446950d3ab10e3d84d1231c43ce2019a4494aa17c7f.exe Lfolaang.exe PID 2860 wrote to memory of 492 2860 aafa0367215635ce3bf9e446950d3ab10e3d84d1231c43ce2019a4494aa17c7f.exe Lfolaang.exe PID 2860 wrote to memory of 492 2860 aafa0367215635ce3bf9e446950d3ab10e3d84d1231c43ce2019a4494aa17c7f.exe Lfolaang.exe PID 492 wrote to memory of 2372 492 Lfolaang.exe Lgpiij32.exe PID 492 wrote to memory of 2372 492 Lfolaang.exe Lgpiij32.exe PID 492 wrote to memory of 2372 492 Lfolaang.exe Lgpiij32.exe PID 492 wrote to memory of 2372 492 Lfolaang.exe Lgpiij32.exe PID 2372 wrote to memory of 2796 2372 Lgpiij32.exe Lpgajgeg.exe PID 2372 wrote to memory of 2796 2372 Lgpiij32.exe Lpgajgeg.exe PID 2372 wrote to memory of 2796 2372 Lgpiij32.exe Lpgajgeg.exe PID 2372 wrote to memory of 2796 2372 Lgpiij32.exe Lpgajgeg.exe PID 2796 wrote to memory of 2080 2796 Lpgajgeg.exe Lgbeoibb.exe PID 2796 wrote to memory of 2080 2796 Lpgajgeg.exe Lgbeoibb.exe PID 2796 wrote to memory of 2080 2796 Lpgajgeg.exe Lgbeoibb.exe PID 2796 wrote to memory of 2080 2796 Lpgajgeg.exe Lgbeoibb.exe PID 2080 wrote to memory of 2896 2080 Lgbeoibb.exe Llnaoh32.exe PID 2080 wrote to memory of 2896 2080 Lgbeoibb.exe Llnaoh32.exe PID 2080 wrote to memory of 2896 2080 Lgbeoibb.exe Llnaoh32.exe PID 2080 wrote to memory of 2896 2080 Lgbeoibb.exe Llnaoh32.exe PID 2896 wrote to memory of 2588 2896 Llnaoh32.exe Meffhnal.exe PID 2896 wrote to memory of 2588 2896 Llnaoh32.exe Meffhnal.exe PID 2896 wrote to memory of 2588 2896 Llnaoh32.exe Meffhnal.exe PID 2896 wrote to memory of 2588 2896 Llnaoh32.exe Meffhnal.exe PID 2588 wrote to memory of 2628 2588 Meffhnal.exe Mgebdipp.exe PID 2588 wrote to memory of 2628 2588 Meffhnal.exe Mgebdipp.exe PID 2588 wrote to memory of 2628 2588 Meffhnal.exe Mgebdipp.exe PID 2588 wrote to memory of 2628 2588 Meffhnal.exe Mgebdipp.exe PID 2628 wrote to memory of 2728 2628 Mgebdipp.exe Mjcoqdoc.exe PID 2628 wrote to memory of 2728 2628 Mgebdipp.exe Mjcoqdoc.exe PID 2628 wrote to memory of 2728 2628 Mgebdipp.exe Mjcoqdoc.exe PID 2628 wrote to memory of 2728 2628 Mgebdipp.exe Mjcoqdoc.exe PID 2728 wrote to memory of 2652 2728 Mjcoqdoc.exe Mamgmofp.exe PID 2728 wrote to memory of 2652 2728 Mjcoqdoc.exe Mamgmofp.exe PID 2728 wrote to memory of 2652 2728 Mjcoqdoc.exe Mamgmofp.exe PID 2728 wrote to memory of 2652 2728 Mjcoqdoc.exe Mamgmofp.exe PID 2652 wrote to memory of 2560 2652 Mamgmofp.exe Mclcijfd.exe PID 2652 wrote to memory of 2560 2652 Mamgmofp.exe Mclcijfd.exe PID 2652 wrote to memory of 2560 2652 Mamgmofp.exe Mclcijfd.exe PID 2652 wrote to memory of 2560 2652 Mamgmofp.exe Mclcijfd.exe PID 2560 wrote to memory of 2528 2560 Mclcijfd.exe Mjekfd32.exe PID 2560 wrote to memory of 2528 2560 Mclcijfd.exe Mjekfd32.exe PID 2560 wrote to memory of 2528 2560 Mclcijfd.exe Mjekfd32.exe PID 2560 wrote to memory of 2528 2560 Mclcijfd.exe Mjekfd32.exe PID 2528 wrote to memory of 2428 2528 Mjekfd32.exe Mpbdnk32.exe PID 2528 wrote to memory of 2428 2528 Mjekfd32.exe Mpbdnk32.exe PID 2528 wrote to memory of 2428 2528 Mjekfd32.exe Mpbdnk32.exe PID 2528 wrote to memory of 2428 2528 Mjekfd32.exe Mpbdnk32.exe PID 2428 wrote to memory of 1932 2428 Mpbdnk32.exe Mhilph32.exe PID 2428 wrote to memory of 1932 2428 Mpbdnk32.exe Mhilph32.exe PID 2428 wrote to memory of 1932 2428 Mpbdnk32.exe Mhilph32.exe PID 2428 wrote to memory of 1932 2428 Mpbdnk32.exe Mhilph32.exe PID 1932 wrote to memory of 2028 1932 Mhilph32.exe Mabphn32.exe PID 1932 wrote to memory of 2028 1932 Mhilph32.exe Mabphn32.exe PID 1932 wrote to memory of 2028 1932 Mhilph32.exe Mabphn32.exe PID 1932 wrote to memory of 2028 1932 Mhilph32.exe Mabphn32.exe PID 2028 wrote to memory of 292 2028 Mabphn32.exe Mbcmpfhi.exe PID 2028 wrote to memory of 292 2028 Mabphn32.exe Mbcmpfhi.exe PID 2028 wrote to memory of 292 2028 Mabphn32.exe Mbcmpfhi.exe PID 2028 wrote to memory of 292 2028 Mabphn32.exe Mbcmpfhi.exe PID 292 wrote to memory of 1592 292 Mbcmpfhi.exe Mfoiqe32.exe PID 292 wrote to memory of 1592 292 Mbcmpfhi.exe Mfoiqe32.exe PID 292 wrote to memory of 1592 292 Mbcmpfhi.exe Mfoiqe32.exe PID 292 wrote to memory of 1592 292 Mbcmpfhi.exe Mfoiqe32.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\aafa0367215635ce3bf9e446950d3ab10e3d84d1231c43ce2019a4494aa17c7f.exe"C:\Users\Admin\AppData\Local\Temp\aafa0367215635ce3bf9e446950d3ab10e3d84d1231c43ce2019a4494aa17c7f.exe"1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2860 -
C:\Windows\SysWOW64\Lfolaang.exeC:\Windows\system32\Lfolaang.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:492 -
C:\Windows\SysWOW64\Lgpiij32.exeC:\Windows\system32\Lgpiij32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2372 -
C:\Windows\SysWOW64\Lpgajgeg.exeC:\Windows\system32\Lpgajgeg.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2796 -
C:\Windows\SysWOW64\Lgbeoibb.exeC:\Windows\system32\Lgbeoibb.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2080 -
C:\Windows\SysWOW64\Llnaoh32.exeC:\Windows\system32\Llnaoh32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2896 -
C:\Windows\SysWOW64\Meffhnal.exeC:\Windows\system32\Meffhnal.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2588 -
C:\Windows\SysWOW64\Mgebdipp.exeC:\Windows\system32\Mgebdipp.exe8⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2628 -
C:\Windows\SysWOW64\Mjcoqdoc.exeC:\Windows\system32\Mjcoqdoc.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2728 -
C:\Windows\SysWOW64\Mamgmofp.exeC:\Windows\system32\Mamgmofp.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2652 -
C:\Windows\SysWOW64\Mclcijfd.exeC:\Windows\system32\Mclcijfd.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2560 -
C:\Windows\SysWOW64\Mjekfd32.exeC:\Windows\system32\Mjekfd32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2528 -
C:\Windows\SysWOW64\Mpbdnk32.exeC:\Windows\system32\Mpbdnk32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2428 -
C:\Windows\SysWOW64\Mhilph32.exeC:\Windows\system32\Mhilph32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1932 -
C:\Windows\SysWOW64\Mabphn32.exeC:\Windows\system32\Mabphn32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2028 -
C:\Windows\SysWOW64\Mbcmpfhi.exeC:\Windows\system32\Mbcmpfhi.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:292 -
C:\Windows\SysWOW64\Mfoiqe32.exeC:\Windows\system32\Mfoiqe32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1592 -
C:\Windows\SysWOW64\Mmhamoho.exeC:\Windows\system32\Mmhamoho.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2212 -
C:\Windows\SysWOW64\Mbeiefff.exeC:\Windows\system32\Mbeiefff.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2140 -
C:\Windows\SysWOW64\Medeaaej.exeC:\Windows\system32\Medeaaej.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1220 -
C:\Windows\SysWOW64\Mioabp32.exeC:\Windows\system32\Mioabp32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:684 -
C:\Windows\SysWOW64\Nlnnnk32.exeC:\Windows\system32\Nlnnnk32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2096 -
C:\Windows\SysWOW64\Nfcbldmm.exeC:\Windows\system32\Nfcbldmm.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1356 -
C:\Windows\SysWOW64\Nianhplq.exeC:\Windows\system32\Nianhplq.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3056 -
C:\Windows\SysWOW64\Nhdocl32.exeC:\Windows\system32\Nhdocl32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1276 -
C:\Windows\SysWOW64\Noogpfjh.exeC:\Windows\system32\Noogpfjh.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1624 -
C:\Windows\SysWOW64\Namclbil.exeC:\Windows\system32\Namclbil.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2840 -
C:\Windows\SysWOW64\Nlbgikia.exeC:\Windows\system32\Nlbgikia.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2312 -
C:\Windows\SysWOW64\Ndnlnm32.exeC:\Windows\system32\Ndnlnm32.exe29⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2792 -
C:\Windows\SysWOW64\Nhiholof.exeC:\Windows\system32\Nhiholof.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2108 -
C:\Windows\SysWOW64\Naalga32.exeC:\Windows\system32\Naalga32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2060 -
C:\Windows\SysWOW64\Nhlddkmc.exeC:\Windows\system32\Nhlddkmc.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1536 -
C:\Windows\SysWOW64\Ngneph32.exeC:\Windows\system32\Ngneph32.exe33⤵
- Executes dropped EXE
PID:2948 -
C:\Windows\SysWOW64\Nadimacd.exeC:\Windows\system32\Nadimacd.exe34⤵
- Executes dropped EXE
PID:2636 -
C:\Windows\SysWOW64\Ohnaik32.exeC:\Windows\system32\Ohnaik32.exe35⤵
- Executes dropped EXE
PID:2672 -
C:\Windows\SysWOW64\Oionacqo.exeC:\Windows\system32\Oionacqo.exe36⤵
- Executes dropped EXE
PID:2508 -
C:\Windows\SysWOW64\Opifnm32.exeC:\Windows\system32\Opifnm32.exe37⤵
- Executes dropped EXE
PID:2500 -
C:\Windows\SysWOW64\Oiakgcnl.exeC:\Windows\system32\Oiakgcnl.exe38⤵
- Executes dropped EXE
PID:2928 -
C:\Windows\SysWOW64\Ommfga32.exeC:\Windows\system32\Ommfga32.exe39⤵
- Executes dropped EXE
PID:776 -
C:\Windows\SysWOW64\Olpgconp.exeC:\Windows\system32\Olpgconp.exe40⤵
- Executes dropped EXE
PID:2408 -
C:\Windows\SysWOW64\Olbchn32.exeC:\Windows\system32\Olbchn32.exe41⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1976 -
C:\Windows\SysWOW64\Ocllehcj.exeC:\Windows\system32\Ocllehcj.exe42⤵
- Executes dropped EXE
PID:1776 -
C:\Windows\SysWOW64\Oekhacbn.exeC:\Windows\system32\Oekhacbn.exe43⤵
- Executes dropped EXE
PID:1812 -
C:\Windows\SysWOW64\Opplolac.exeC:\Windows\system32\Opplolac.exe44⤵
- Executes dropped EXE
PID:2524 -
C:\Windows\SysWOW64\Oemegc32.exeC:\Windows\system32\Oemegc32.exe45⤵
- Executes dropped EXE
PID:2320 -
C:\Windows\SysWOW64\Ohkaco32.exeC:\Windows\system32\Ohkaco32.exe46⤵
- Executes dropped EXE
PID:2124 -
C:\Windows\SysWOW64\Padeldeo.exeC:\Windows\system32\Padeldeo.exe47⤵
- Executes dropped EXE
PID:1712 -
C:\Windows\SysWOW64\Pdbahpec.exeC:\Windows\system32\Pdbahpec.exe48⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:600 -
C:\Windows\SysWOW64\Plijimee.exeC:\Windows\system32\Plijimee.exe49⤵
- Executes dropped EXE
PID:1032 -
C:\Windows\SysWOW64\Pohfehdi.exeC:\Windows\system32\Pohfehdi.exe50⤵
- Executes dropped EXE
PID:680 -
C:\Windows\SysWOW64\Pnjfae32.exeC:\Windows\system32\Pnjfae32.exe51⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1628 -
C:\Windows\SysWOW64\Peanbblf.exeC:\Windows\system32\Peanbblf.exe52⤵
- Executes dropped EXE
PID:2348 -
C:\Windows\SysWOW64\Phpjnnki.exeC:\Windows\system32\Phpjnnki.exe53⤵
- Executes dropped EXE
PID:1580 -
C:\Windows\SysWOW64\Pojbkh32.exeC:\Windows\system32\Pojbkh32.exe54⤵
- Executes dropped EXE
PID:304 -
C:\Windows\SysWOW64\Pnmcfeia.exeC:\Windows\system32\Pnmcfeia.exe55⤵
- Executes dropped EXE
PID:2112 -
C:\Windows\SysWOW64\Pahogc32.exeC:\Windows\system32\Pahogc32.exe56⤵
- Executes dropped EXE
PID:2232 -
C:\Windows\SysWOW64\Phbgcnig.exeC:\Windows\system32\Phbgcnig.exe57⤵
- Executes dropped EXE
PID:2736 -
C:\Windows\SysWOW64\Pkacpihj.exeC:\Windows\system32\Pkacpihj.exe58⤵
- Executes dropped EXE
PID:1392 -
C:\Windows\SysWOW64\Pnopldgn.exeC:\Windows\system32\Pnopldgn.exe59⤵
- Executes dropped EXE
PID:2596 -
C:\Windows\SysWOW64\Pqnlhpfb.exeC:\Windows\system32\Pqnlhpfb.exe60⤵
- Executes dropped EXE
PID:2888 -
C:\Windows\SysWOW64\Pclhdl32.exeC:\Windows\system32\Pclhdl32.exe61⤵
- Executes dropped EXE
PID:2444 -
C:\Windows\SysWOW64\Pkcpei32.exeC:\Windows\system32\Pkcpei32.exe62⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1940 -
C:\Windows\SysWOW64\Pjfpafmb.exeC:\Windows\system32\Pjfpafmb.exe63⤵
- Executes dropped EXE
PID:1944 -
C:\Windows\SysWOW64\Pnalad32.exeC:\Windows\system32\Pnalad32.exe64⤵
- Executes dropped EXE
- Modifies registry class
PID:1420 -
C:\Windows\SysWOW64\Pqphnp32.exeC:\Windows\system32\Pqphnp32.exe65⤵
- Executes dropped EXE
PID:2128 -
C:\Windows\SysWOW64\Pdldnomh.exeC:\Windows\system32\Pdldnomh.exe66⤵PID:832
-
C:\Windows\SysWOW64\Pcnejk32.exeC:\Windows\system32\Pcnejk32.exe67⤵PID:2164
-
C:\Windows\SysWOW64\Qjhmfekp.exeC:\Windows\system32\Qjhmfekp.exe68⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1848 -
C:\Windows\SysWOW64\Qmgibqjc.exeC:\Windows\system32\Qmgibqjc.exe69⤵PID:1232
-
C:\Windows\SysWOW64\Qqbecp32.exeC:\Windows\system32\Qqbecp32.exe70⤵PID:2820
-
C:\Windows\SysWOW64\Qcqaok32.exeC:\Windows\system32\Qcqaok32.exe71⤵PID:2072
-
C:\Windows\SysWOW64\Qfonkfqd.exeC:\Windows\system32\Qfonkfqd.exe72⤵
- System Location Discovery: System Language Discovery
PID:1648 -
C:\Windows\SysWOW64\Qmifhq32.exeC:\Windows\system32\Qmifhq32.exe73⤵PID:2268
-
C:\Windows\SysWOW64\Qogbdl32.exeC:\Windows\system32\Qogbdl32.exe74⤵
- Drops file in System32 directory
PID:2612 -
C:\Windows\SysWOW64\Abfnpg32.exeC:\Windows\system32\Abfnpg32.exe75⤵PID:2752
-
C:\Windows\SysWOW64\Afajafoa.exeC:\Windows\system32\Afajafoa.exe76⤵PID:2572
-
C:\Windows\SysWOW64\Aipfmane.exeC:\Windows\system32\Aipfmane.exe77⤵PID:2692
-
C:\Windows\SysWOW64\Akncimmh.exeC:\Windows\system32\Akncimmh.exe78⤵PID:1668
-
C:\Windows\SysWOW64\Acekjjmk.exeC:\Windows\system32\Acekjjmk.exe79⤵PID:2040
-
C:\Windows\SysWOW64\Afdgfelo.exeC:\Windows\system32\Afdgfelo.exe80⤵PID:2012
-
C:\Windows\SysWOW64\Aeggbbci.exeC:\Windows\system32\Aeggbbci.exe81⤵PID:340
-
C:\Windows\SysWOW64\Amnocpdk.exeC:\Windows\system32\Amnocpdk.exe82⤵PID:2004
-
C:\Windows\SysWOW64\Akqpom32.exeC:\Windows\system32\Akqpom32.exe83⤵
- System Location Discovery: System Language Discovery
PID:2780 -
C:\Windows\SysWOW64\Anolkh32.exeC:\Windows\system32\Anolkh32.exe84⤵PID:872
-
C:\Windows\SysWOW64\Abkhkgbb.exeC:\Windows\system32\Abkhkgbb.exe85⤵PID:264
-
C:\Windows\SysWOW64\Aeidgbaf.exeC:\Windows\system32\Aeidgbaf.exe86⤵
- Modifies registry class
PID:1524 -
C:\Windows\SysWOW64\Aggpdnpj.exeC:\Windows\system32\Aggpdnpj.exe87⤵PID:672
-
C:\Windows\SysWOW64\Akcldl32.exeC:\Windows\system32\Akcldl32.exe88⤵PID:2844
-
C:\Windows\SysWOW64\Anahqh32.exeC:\Windows\system32\Anahqh32.exe89⤵PID:2768
-
C:\Windows\SysWOW64\Aekqmbod.exeC:\Windows\system32\Aekqmbod.exe90⤵PID:2316
-
C:\Windows\SysWOW64\Akeijlfq.exeC:\Windows\system32\Akeijlfq.exe91⤵PID:2740
-
C:\Windows\SysWOW64\Ancefgfd.exeC:\Windows\system32\Ancefgfd.exe92⤵PID:2732
-
C:\Windows\SysWOW64\Aboaff32.exeC:\Windows\system32\Aboaff32.exe93⤵PID:2484
-
C:\Windows\SysWOW64\Aennba32.exeC:\Windows\system32\Aennba32.exe94⤵PID:1908
-
C:\Windows\SysWOW64\Acqnnndl.exeC:\Windows\system32\Acqnnndl.exe95⤵PID:344
-
C:\Windows\SysWOW64\Agljom32.exeC:\Windows\system32\Agljom32.exe96⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1700 -
C:\Windows\SysWOW64\Bnfblgca.exeC:\Windows\system32\Bnfblgca.exe97⤵PID:1852
-
C:\Windows\SysWOW64\Bmibgd32.exeC:\Windows\system32\Bmibgd32.exe98⤵PID:1124
-
C:\Windows\SysWOW64\Bepjha32.exeC:\Windows\system32\Bepjha32.exe99⤵PID:1740
-
C:\Windows\SysWOW64\Bgnfdm32.exeC:\Windows\system32\Bgnfdm32.exe100⤵PID:892
-
C:\Windows\SysWOW64\Bagkmb32.exeC:\Windows\system32\Bagkmb32.exe101⤵PID:2848
-
C:\Windows\SysWOW64\Bpjkiogm.exeC:\Windows\system32\Bpjkiogm.exe102⤵PID:2368
-
C:\Windows\SysWOW64\Bfccei32.exeC:\Windows\system32\Bfccei32.exe103⤵PID:2056
-
C:\Windows\SysWOW64\Bibpad32.exeC:\Windows\system32\Bibpad32.exe104⤵
- Modifies registry class
PID:1656 -
C:\Windows\SysWOW64\Bplhnoej.exeC:\Windows\system32\Bplhnoej.exe105⤵PID:2440
-
C:\Windows\SysWOW64\Bcgdom32.exeC:\Windows\system32\Bcgdom32.exe106⤵PID:2480
-
C:\Windows\SysWOW64\Bffpki32.exeC:\Windows\system32\Bffpki32.exe107⤵PID:1380
-
C:\Windows\SysWOW64\Bjallg32.exeC:\Windows\system32\Bjallg32.exe108⤵
- Modifies registry class
PID:752 -
C:\Windows\SysWOW64\Bidlgdlk.exeC:\Windows\system32\Bidlgdlk.exe109⤵PID:1788
-
C:\Windows\SysWOW64\Blchcpko.exeC:\Windows\system32\Blchcpko.exe110⤵PID:2724
-
C:\Windows\SysWOW64\Bcjqdmla.exeC:\Windows\system32\Bcjqdmla.exe111⤵PID:1632
-
C:\Windows\SysWOW64\Bfhmqhkd.exeC:\Windows\system32\Bfhmqhkd.exe112⤵PID:2944
-
C:\Windows\SysWOW64\Bigimdjh.exeC:\Windows\system32\Bigimdjh.exe113⤵PID:1692
-
C:\Windows\SysWOW64\Bleeioil.exeC:\Windows\system32\Bleeioil.exe114⤵PID:1588
-
C:\Windows\SysWOW64\Bpqain32.exeC:\Windows\system32\Bpqain32.exe115⤵PID:1752
-
C:\Windows\SysWOW64\Bbonei32.exeC:\Windows\system32\Bbonei32.exe116⤵PID:2992
-
C:\Windows\SysWOW64\Cemjae32.exeC:\Windows\system32\Cemjae32.exe117⤵PID:2656
-
C:\Windows\SysWOW64\Ciifbchf.exeC:\Windows\system32\Ciifbchf.exe118⤵PID:2660
-
C:\Windows\SysWOW64\Clgbno32.exeC:\Windows\system32\Clgbno32.exe119⤵
- System Location Discovery: System Language Discovery
PID:1780 -
C:\Windows\SysWOW64\Cpcnonob.exeC:\Windows\system32\Cpcnonob.exe120⤵PID:1036
-
C:\Windows\SysWOW64\Cbajkiof.exeC:\Windows\system32\Cbajkiof.exe121⤵PID:2784
-
C:\Windows\SysWOW64\Cikbhc32.exeC:\Windows\system32\Cikbhc32.exe122⤵PID:2136
-
C:\Windows\SysWOW64\Cjmopkla.exeC:\Windows\system32\Cjmopkla.exe123⤵PID:944
-
C:\Windows\SysWOW64\Cbdgqimc.exeC:\Windows\system32\Cbdgqimc.exe124⤵PID:964
-
C:\Windows\SysWOW64\Cafgle32.exeC:\Windows\system32\Cafgle32.exe125⤵PID:2284
-
C:\Windows\SysWOW64\Cdecha32.exeC:\Windows\system32\Cdecha32.exe126⤵PID:2576
-
C:\Windows\SysWOW64\Cllkin32.exeC:\Windows\system32\Cllkin32.exe127⤵PID:2360
-
C:\Windows\SysWOW64\Ckolek32.exeC:\Windows\system32\Ckolek32.exe128⤵
- Modifies registry class
PID:2520 -
C:\Windows\SysWOW64\Cmmhaf32.exeC:\Windows\system32\Cmmhaf32.exe129⤵PID:836
-
C:\Windows\SysWOW64\Cedpbd32.exeC:\Windows\system32\Cedpbd32.exe130⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1704 -
C:\Windows\SysWOW64\Chcloo32.exeC:\Windows\system32\Chcloo32.exe131⤵PID:980
-
C:\Windows\SysWOW64\Cffljlpc.exeC:\Windows\system32\Cffljlpc.exe132⤵PID:2296
-
C:\Windows\SysWOW64\Comdkipe.exeC:\Windows\system32\Comdkipe.exe133⤵PID:2088
-
C:\Windows\SysWOW64\Cakqgeoi.exeC:\Windows\system32\Cakqgeoi.exe134⤵PID:2892
-
C:\Windows\SysWOW64\Cpnaca32.exeC:\Windows\system32\Cpnaca32.exe135⤵
- System Location Discovery: System Language Discovery
PID:2648 -
C:\Windows\SysWOW64\Ckcepj32.exeC:\Windows\system32\Ckcepj32.exe136⤵PID:1904
-
C:\Windows\SysWOW64\Cifelgmd.exeC:\Windows\system32\Cifelgmd.exe137⤵PID:1676
-
C:\Windows\SysWOW64\Danmmd32.exeC:\Windows\system32\Danmmd32.exe138⤵PID:1324
-
C:\Windows\SysWOW64\Ddliip32.exeC:\Windows\system32\Ddliip32.exe139⤵PID:1620
-
C:\Windows\SysWOW64\Dgjfek32.exeC:\Windows\system32\Dgjfek32.exe140⤵PID:1688
-
C:\Windows\SysWOW64\Dmdnbecj.exeC:\Windows\system32\Dmdnbecj.exe141⤵PID:2620
-
C:\Windows\SysWOW64\Dlgnmb32.exeC:\Windows\system32\Dlgnmb32.exe142⤵PID:1988
-
C:\Windows\SysWOW64\Dpcjnabn.exeC:\Windows\system32\Dpcjnabn.exe143⤵PID:1920
-
C:\Windows\SysWOW64\Dbafjlaa.exeC:\Windows\system32\Dbafjlaa.exe144⤵PID:1300
-
C:\Windows\SysWOW64\Depbfhpe.exeC:\Windows\system32\Depbfhpe.exe145⤵PID:2776
-
C:\Windows\SysWOW64\Dmgkgeah.exeC:\Windows\system32\Dmgkgeah.exe146⤵PID:2176
-
C:\Windows\SysWOW64\Dpegcq32.exeC:\Windows\system32\Dpegcq32.exe147⤵PID:2340
-
C:\Windows\SysWOW64\Dcccpl32.exeC:\Windows\system32\Dcccpl32.exe148⤵PID:2756
-
C:\Windows\SysWOW64\Dllhhaep.exeC:\Windows\system32\Dllhhaep.exe149⤵PID:572
-
C:\Windows\SysWOW64\Dojddmec.exeC:\Windows\system32\Dojddmec.exe150⤵PID:1968
-
C:\Windows\SysWOW64\Daipqhdg.exeC:\Windows\system32\Daipqhdg.exe151⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1956 -
C:\Windows\SysWOW64\Diphbfdi.exeC:\Windows\system32\Diphbfdi.exe152⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2952 -
C:\Windows\SysWOW64\Dlndnacm.exeC:\Windows\system32\Dlndnacm.exe153⤵PID:2708
-
C:\Windows\SysWOW64\Dkadjn32.exeC:\Windows\system32\Dkadjn32.exe154⤵PID:2744
-
C:\Windows\SysWOW64\Dchmkkkj.exeC:\Windows\system32\Dchmkkkj.exe155⤵PID:1764
-
C:\Windows\SysWOW64\Degiggjm.exeC:\Windows\system32\Degiggjm.exe156⤵
- System Location Discovery: System Language Discovery
PID:2344 -
C:\Windows\SysWOW64\Ddiibc32.exeC:\Windows\system32\Ddiibc32.exe157⤵PID:2880
-
C:\Windows\SysWOW64\Elqaca32.exeC:\Windows\system32\Elqaca32.exe158⤵PID:2424
-
C:\Windows\SysWOW64\Eoompl32.exeC:\Windows\system32\Eoompl32.exe159⤵PID:1896
-
C:\Windows\SysWOW64\Eeielfhk.exeC:\Windows\system32\Eeielfhk.exe160⤵PID:2032
-
C:\Windows\SysWOW64\Ehgbhbgn.exeC:\Windows\system32\Ehgbhbgn.exe161⤵PID:1488
-
C:\Windows\SysWOW64\Egjbdo32.exeC:\Windows\system32\Egjbdo32.exe162⤵
- System Location Discovery: System Language Discovery
PID:2400 -
C:\Windows\SysWOW64\Endjaief.exeC:\Windows\system32\Endjaief.exe163⤵PID:2584
-
C:\Windows\SysWOW64\Eapfagno.exeC:\Windows\system32\Eapfagno.exe164⤵PID:2388
-
C:\Windows\SysWOW64\Ehjona32.exeC:\Windows\system32\Ehjona32.exe165⤵PID:2416
-
C:\Windows\SysWOW64\Ekhkjm32.exeC:\Windows\system32\Ekhkjm32.exe166⤵PID:2904
-
C:\Windows\SysWOW64\Enfgfh32.exeC:\Windows\system32\Enfgfh32.exe167⤵PID:1680
-
C:\Windows\SysWOW64\Epecbd32.exeC:\Windows\system32\Epecbd32.exe168⤵PID:2356
-
C:\Windows\SysWOW64\Eccpoo32.exeC:\Windows\system32\Eccpoo32.exe169⤵PID:1640
-
C:\Windows\SysWOW64\Egokonjc.exeC:\Windows\system32\Egokonjc.exe170⤵PID:1800
-
C:\Windows\SysWOW64\Ejmhkiig.exeC:\Windows\system32\Ejmhkiig.exe171⤵PID:2876
-
C:\Windows\SysWOW64\Elldgehk.exeC:\Windows\system32\Elldgehk.exe172⤵PID:2456
-
C:\Windows\SysWOW64\Edclib32.exeC:\Windows\system32\Edclib32.exe173⤵PID:2748
-
C:\Windows\SysWOW64\Egahen32.exeC:\Windows\system32\Egahen32.exe174⤵PID:748
-
C:\Windows\SysWOW64\Ejpdai32.exeC:\Windows\system32\Ejpdai32.exe175⤵PID:2016
-
C:\Windows\SysWOW64\Elnqmd32.exeC:\Windows\system32\Elnqmd32.exe176⤵PID:1076
-
C:\Windows\SysWOW64\Eolmip32.exeC:\Windows\system32\Eolmip32.exe177⤵PID:2616
-
C:\Windows\SysWOW64\Fchijone.exeC:\Windows\system32\Fchijone.exe178⤵PID:2764
-
C:\Windows\SysWOW64\Fffefjmi.exeC:\Windows\system32\Fffefjmi.exe179⤵PID:2432
-
C:\Windows\SysWOW64\Fheabelm.exeC:\Windows\system32\Fheabelm.exe180⤵PID:2308
-
C:\Windows\SysWOW64\Fqlicclo.exeC:\Windows\system32\Fqlicclo.exe181⤵PID:624
-
C:\Windows\SysWOW64\Foojop32.exeC:\Windows\system32\Foojop32.exe182⤵PID:3084
-
C:\Windows\SysWOW64\Fbmfkkbm.exeC:\Windows\system32\Fbmfkkbm.exe183⤵PID:3124
-
C:\Windows\SysWOW64\Fjdnlhco.exeC:\Windows\system32\Fjdnlhco.exe184⤵PID:3164
-
C:\Windows\SysWOW64\Fmcjhdbc.exeC:\Windows\system32\Fmcjhdbc.exe185⤵PID:3204
-
C:\Windows\SysWOW64\Foafdoag.exeC:\Windows\system32\Foafdoag.exe186⤵PID:3244
-
C:\Windows\SysWOW64\Fbpbpkpj.exeC:\Windows\system32\Fbpbpkpj.exe187⤵PID:3284
-
C:\Windows\SysWOW64\Fdnolfon.exeC:\Windows\system32\Fdnolfon.exe188⤵PID:3324
-
C:\Windows\SysWOW64\Fmegncpp.exeC:\Windows\system32\Fmegncpp.exe189⤵PID:3364
-
C:\Windows\SysWOW64\Foccjood.exeC:\Windows\system32\Foccjood.exe190⤵PID:3404
-
C:\Windows\SysWOW64\Fnfcel32.exeC:\Windows\system32\Fnfcel32.exe191⤵
- Modifies registry class
PID:3444 -
C:\Windows\SysWOW64\Ffmkfifa.exeC:\Windows\system32\Ffmkfifa.exe192⤵PID:3484
-
C:\Windows\SysWOW64\Fdpkbf32.exeC:\Windows\system32\Fdpkbf32.exe193⤵
- System Location Discovery: System Language Discovery
PID:3524 -
C:\Windows\SysWOW64\Fgohna32.exeC:\Windows\system32\Fgohna32.exe194⤵PID:3564
-
C:\Windows\SysWOW64\Fofpoo32.exeC:\Windows\system32\Fofpoo32.exe195⤵
- Modifies registry class
PID:3604 -
C:\Windows\SysWOW64\Fnipkkdl.exeC:\Windows\system32\Fnipkkdl.exe196⤵
- System Location Discovery: System Language Discovery
PID:3644 -
C:\Windows\SysWOW64\Fqglggcp.exeC:\Windows\system32\Fqglggcp.exe197⤵PID:3684
-
C:\Windows\SysWOW64\Findhdcb.exeC:\Windows\system32\Findhdcb.exe198⤵PID:3724
-
C:\Windows\SysWOW64\Fkmqdpce.exeC:\Windows\system32\Fkmqdpce.exe199⤵PID:3776
-
C:\Windows\SysWOW64\Gjpqpl32.exeC:\Windows\system32\Gjpqpl32.exe200⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3816 -
C:\Windows\SysWOW64\Gbfiaj32.exeC:\Windows\system32\Gbfiaj32.exe201⤵PID:3856
-
C:\Windows\SysWOW64\Geeemeif.exeC:\Windows\system32\Geeemeif.exe202⤵
- Modifies registry class
PID:3896 -
C:\Windows\SysWOW64\Ggcaiqhj.exeC:\Windows\system32\Ggcaiqhj.exe203⤵PID:3936
-
C:\Windows\SysWOW64\Gkomjo32.exeC:\Windows\system32\Gkomjo32.exe204⤵PID:3976
-
C:\Windows\SysWOW64\Gnmifk32.exeC:\Windows\system32\Gnmifk32.exe205⤵PID:4016
-
C:\Windows\SysWOW64\Gcjbna32.exeC:\Windows\system32\Gcjbna32.exe206⤵PID:4056
-
C:\Windows\SysWOW64\Gfhnjm32.exeC:\Windows\system32\Gfhnjm32.exe207⤵
- Modifies registry class
PID:2808 -
C:\Windows\SysWOW64\Gjdjklek.exeC:\Windows\system32\Gjdjklek.exe208⤵PID:3112
-
C:\Windows\SysWOW64\Gmbfggdo.exeC:\Windows\system32\Gmbfggdo.exe209⤵PID:3156
-
C:\Windows\SysWOW64\Gpabcbdb.exeC:\Windows\system32\Gpabcbdb.exe210⤵PID:3216
-
C:\Windows\SysWOW64\Gghkdp32.exeC:\Windows\system32\Gghkdp32.exe211⤵PID:3256
-
C:\Windows\SysWOW64\Gfkkpmko.exeC:\Windows\system32\Gfkkpmko.exe212⤵
- Modifies registry class
PID:3320 -
C:\Windows\SysWOW64\Giiglhjb.exeC:\Windows\system32\Giiglhjb.exe213⤵PID:3360
-
C:\Windows\SysWOW64\Gmecmg32.exeC:\Windows\system32\Gmecmg32.exe214⤵PID:3420
-
C:\Windows\SysWOW64\Gpcoib32.exeC:\Windows\system32\Gpcoib32.exe215⤵
- Modifies registry class
PID:3460 -
C:\Windows\SysWOW64\Gbaken32.exeC:\Windows\system32\Gbaken32.exe216⤵PID:3512
-
C:\Windows\SysWOW64\Gfmgelil.exeC:\Windows\system32\Gfmgelil.exe217⤵PID:3572
-
C:\Windows\SysWOW64\Gjicfk32.exeC:\Windows\system32\Gjicfk32.exe218⤵PID:3624
-
C:\Windows\SysWOW64\Gmgpbf32.exeC:\Windows\system32\Gmgpbf32.exe219⤵
- Modifies registry class
PID:3668 -
C:\Windows\SysWOW64\Gpelnb32.exeC:\Windows\system32\Gpelnb32.exe220⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3716 -
C:\Windows\SysWOW64\Gbdhjm32.exeC:\Windows\system32\Gbdhjm32.exe221⤵PID:3756
-
C:\Windows\SysWOW64\Hfpdkl32.exeC:\Windows\system32\Hfpdkl32.exe222⤵PID:3800
-
C:\Windows\SysWOW64\Hinqgg32.exeC:\Windows\system32\Hinqgg32.exe223⤵PID:3868
-
C:\Windows\SysWOW64\Hmjlhfof.exeC:\Windows\system32\Hmjlhfof.exe224⤵PID:3908
-
C:\Windows\SysWOW64\Hphidanj.exeC:\Windows\system32\Hphidanj.exe225⤵
- System Location Discovery: System Language Discovery
PID:3984 -
C:\Windows\SysWOW64\Hbfepmmn.exeC:\Windows\system32\Hbfepmmn.exe226⤵
- Drops file in System32 directory
PID:4012 -
C:\Windows\SysWOW64\Heealhla.exeC:\Windows\system32\Heealhla.exe227⤵PID:4064
-
C:\Windows\SysWOW64\Hipmmg32.exeC:\Windows\system32\Hipmmg32.exe228⤵
- Drops file in System32 directory
PID:3092 -
C:\Windows\SysWOW64\Hloiib32.exeC:\Windows\system32\Hloiib32.exe229⤵PID:3140
-
C:\Windows\SysWOW64\Hpjeialg.exeC:\Windows\system32\Hpjeialg.exe230⤵PID:3200
-
C:\Windows\SysWOW64\Hbiaemkk.exeC:\Windows\system32\Hbiaemkk.exe231⤵PID:3272
-
C:\Windows\SysWOW64\Halbai32.exeC:\Windows\system32\Halbai32.exe232⤵PID:3340
-
C:\Windows\SysWOW64\Hibjbgbh.exeC:\Windows\system32\Hibjbgbh.exe233⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3400 -
C:\Windows\SysWOW64\Hlafnbal.exeC:\Windows\system32\Hlafnbal.exe234⤵PID:3464
-
C:\Windows\SysWOW64\Hnpbjnpo.exeC:\Windows\system32\Hnpbjnpo.exe235⤵PID:3496
-
C:\Windows\SysWOW64\Hbknkl32.exeC:\Windows\system32\Hbknkl32.exe236⤵
- Drops file in System32 directory
PID:3592 -
C:\Windows\SysWOW64\Heikgh32.exeC:\Windows\system32\Heikgh32.exe237⤵PID:3652
-
C:\Windows\SysWOW64\Hjfcpo32.exeC:\Windows\system32\Hjfcpo32.exe238⤵PID:3720
-
C:\Windows\SysWOW64\Hmeolj32.exeC:\Windows\system32\Hmeolj32.exe239⤵PID:3748
-
C:\Windows\SysWOW64\Hapklimq.exeC:\Windows\system32\Hapklimq.exe240⤵PID:3828
-
C:\Windows\SysWOW64\Helgmg32.exeC:\Windows\system32\Helgmg32.exe241⤵PID:3904
-
C:\Windows\SysWOW64\Hhjcic32.exeC:\Windows\system32\Hhjcic32.exe242⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:3956