Analysis
-
max time kernel
117s -
max time network
118s -
platform
windows7_x64 -
resource
win7-20240708-en -
resource tags
arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system -
submitted
10-11-2024 01:32
Static task
static1
Behavioral task
behavioral1
Sample
604e1b75082932c6ab77e178627ed257404b17b2f530be4af722091a6be431daN.exe
Resource
win7-20240708-en
Behavioral task
behavioral2
Sample
604e1b75082932c6ab77e178627ed257404b17b2f530be4af722091a6be431daN.exe
Resource
win10v2004-20241007-en
General
-
Target
604e1b75082932c6ab77e178627ed257404b17b2f530be4af722091a6be431daN.exe
-
Size
273KB
-
MD5
a776ba8c9e9a9c33ef2efb14b74a2b80
-
SHA1
5cceae3aa3052553a7290377ffb24361dcc81e1d
-
SHA256
604e1b75082932c6ab77e178627ed257404b17b2f530be4af722091a6be431da
-
SHA512
719724165beb24c9cf54a70859c7f8028683b309ea6beac517dbbd529da068a7d608f46ebe4dc65907c325fe2089f958dfa891cdf9c98d4ca11607e573c15954
-
SSDEEP
6144:9G32j/Ztyg3jrcibfvlsZRkTebwBhGv4dC+1R8pvBgL0eXkUbGKl9veOPSV3uo9W:F
Malware Config
Extracted
berbew
http://crutop.nu/index.php
http://crutop.ru/index.php
http://mazafaka.ru/index.php
http://color-bank.ru/index.php
http://asechka.ru/index.php
http://trojan.ru/index.php
http://fuck.ru/index.php
http://goldensand.ru/index.php
http://filesearch.ru/index.php
http://devx.nm.ru/index.php
http://ros-neftbank.ru/index.php
http://lovingod.host.sk/index.php
http://www.redline.ru/index.php
http://cvv.ru/index.php
http://hackers.lv/index.php
http://fethard.biz/index.php
http://ldark.nm.ru/index.htm
http://gaz-prom.ru/index.htm
http://promo.ru/index.htm
http://potleaf.chat.ru/index.htm
http://kadet.ru/index.htm
http://cvv.ru/index.htm
http://crutop.nu/index.htm
http://crutop.ru/index.htm
http://mazafaka.ru/index.htm
http://xware.cjb.net/index.htm
http://konfiskat.org/index.htm
http://parex-bank.ru/index.htm
http://kidos-bank.ru/index.htm
http://kavkaz.ru/index.htm
http://fethard.biz/index.htm
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
Processes:
Kdphjm32.exeAcfmcc32.exeGjgiidkl.exeNjeccjcd.exePehcij32.exeEeagimdf.exeLlpfjomf.exeJlfnangf.exeNbpghl32.exeLpcoeb32.exeNjpihk32.exeKilgoe32.exeBkbdabog.exeNlefhcnc.exeDjiqdb32.exeMklcadfn.exeNjgpij32.exeFhljkm32.exeMphiqbon.exeFakdcnhh.exeKmkihbho.exeNgealejo.exeOemgplgo.exeOdmckcmq.exeMfmndn32.exeIfgicg32.exeDifqji32.exeJbclgf32.exeJnofgg32.exeBmpkqklh.exeFcpacf32.exeKidjdpie.exeGkebafoa.exeJimdcqom.exeKbmome32.exeNnmlcp32.exeCceogcfj.exeNmofdf32.exeBogjaamh.exeEhhdaj32.exeFmnopp32.exeEhnfpifm.exeFkefbcmf.exeNpdhaq32.exeQiflohqk.exeHddmjk32.exeDokfme32.exeEdcnakpa.exeJfgebjnm.exeOniebmda.exeQlfdac32.exeFgocmc32.exeGoqnae32.exeHjcaha32.exePghfnc32.exeDfbnoc32.exeIamfdo32.exeFkhbgbkc.exeJlqjkk32.exeKpgionie.exeDnpciaef.exeMgmdapml.exeHiclkp32.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kdphjm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Acfmcc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gjgiidkl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Njeccjcd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pehcij32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eeagimdf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Llpfjomf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jlfnangf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nbpghl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lpcoeb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Njpihk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kilgoe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bkbdabog.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nlefhcnc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Djiqdb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mklcadfn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Njgpij32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fhljkm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mphiqbon.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fakdcnhh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fakdcnhh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kmkihbho.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ngealejo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oemgplgo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Odmckcmq.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mfmndn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ifgicg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Difqji32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jbclgf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jnofgg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bmpkqklh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fcpacf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kidjdpie.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gkebafoa.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jimdcqom.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kbmome32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nnmlcp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cceogcfj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nmofdf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bogjaamh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ehhdaj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fmnopp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ehnfpifm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fkefbcmf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Npdhaq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qiflohqk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hddmjk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dokfme32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Edcnakpa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jfgebjnm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oniebmda.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qlfdac32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fgocmc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Goqnae32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hjcaha32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pghfnc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dfbnoc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iamfdo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fkhbgbkc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jlqjkk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kpgionie.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dnpciaef.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mgmdapml.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hiclkp32.exe -
Berbew family
-
Executes dropped EXE 64 IoCs
Processes:
Mmdjkhdh.exeMcnbhb32.exeMfmndn32.exeMklcadfn.exeNipdkieg.exeNnmlcp32.exeNgealejo.exeNameek32.exeNeknki32.exeNlefhcnc.exeNncbdomg.exeNdqkleln.exeOadkej32.exeOjmpooah.exeOlpilg32.exeOeindm32.exeOfhjopbg.exeOlebgfao.exeOemgplgo.exePlgolf32.exePhnpagdp.exePkmlmbcd.exePafdjmkq.exePgcmbcih.exePojecajj.exePkaehb32.exePghfnc32.exePifbjn32.exeQkfocaki.exeQndkpmkm.exeQpbglhjq.exeQgmpibam.exeQnghel32.exeAccqnc32.exeAjmijmnn.exeApgagg32.exeAcfmcc32.exeAjpepm32.exeAlnalh32.exeAchjibcl.exeAhebaiac.exeAkcomepg.exeAficjnpm.exeAgjobffl.exeAoagccfn.exeBhjlli32.exeBdqlajbb.exeBkjdndjo.exeBjmeiq32.exeBdcifi32.exeBceibfgj.exeBfdenafn.exeBnknoogp.exeBqijljfd.exeBoljgg32.exeBgcbhd32.exeBjbndpmd.exeBmpkqklh.exeBoogmgkl.exeBfioia32.exeBigkel32.exeCenljmgq.exeCiihklpj.exeCmedlk32.exepid process 1816 Mmdjkhdh.exe 2060 Mcnbhb32.exe 1952 Mfmndn32.exe 3012 Mklcadfn.exe 2996 Nipdkieg.exe 2668 Nnmlcp32.exe 1708 Ngealejo.exe 2196 Nameek32.exe 2784 Neknki32.exe 1860 Nlefhcnc.exe 2000 Nncbdomg.exe 1128 Ndqkleln.exe 2628 Oadkej32.exe 2980 Ojmpooah.exe 448 Olpilg32.exe 1244 Oeindm32.exe 3032 Ofhjopbg.exe 2144 Olebgfao.exe 1368 Oemgplgo.exe 316 Plgolf32.exe 3036 Phnpagdp.exe 344 Pkmlmbcd.exe 984 Pafdjmkq.exe 2156 Pgcmbcih.exe 1612 Pojecajj.exe 2276 Pkaehb32.exe 2480 Pghfnc32.exe 2828 Pifbjn32.exe 1928 Qkfocaki.exe 2556 Qndkpmkm.exe 2544 Qpbglhjq.exe 1288 Qgmpibam.exe 2224 Qnghel32.exe 1596 Accqnc32.exe 2836 Ajmijmnn.exe 1264 Apgagg32.exe 1176 Acfmcc32.exe 2620 Ajpepm32.exe 2348 Alnalh32.exe 2004 Achjibcl.exe 1660 Ahebaiac.exe 2512 Akcomepg.exe 736 Aficjnpm.exe 1728 Agjobffl.exe 1544 Aoagccfn.exe 1404 Bhjlli32.exe 2612 Bdqlajbb.exe 2460 Bkjdndjo.exe 2320 Bjmeiq32.exe 476 Bdcifi32.exe 2832 Bceibfgj.exe 2820 Bfdenafn.exe 2576 Bnknoogp.exe 2608 Bqijljfd.exe 1940 Boljgg32.exe 2752 Bgcbhd32.exe 1228 Bjbndpmd.exe 2028 Bmpkqklh.exe 1480 Boogmgkl.exe 688 Bfioia32.exe 568 Bigkel32.exe 1672 Cenljmgq.exe 2120 Ciihklpj.exe 108 Cmedlk32.exe -
Loads dropped DLL 64 IoCs
Processes:
604e1b75082932c6ab77e178627ed257404b17b2f530be4af722091a6be431daN.exeMmdjkhdh.exeMcnbhb32.exeMfmndn32.exeMklcadfn.exeNipdkieg.exeNnmlcp32.exeNgealejo.exeNameek32.exeNeknki32.exeNlefhcnc.exeNncbdomg.exeNdqkleln.exeOadkej32.exeOjmpooah.exeOlpilg32.exeOeindm32.exeOfhjopbg.exeOlebgfao.exeOemgplgo.exePlgolf32.exePhnpagdp.exePkmlmbcd.exePafdjmkq.exePgcmbcih.exePojecajj.exePkaehb32.exePghfnc32.exePifbjn32.exeQkfocaki.exeQndkpmkm.exeQpbglhjq.exepid process 2412 604e1b75082932c6ab77e178627ed257404b17b2f530be4af722091a6be431daN.exe 2412 604e1b75082932c6ab77e178627ed257404b17b2f530be4af722091a6be431daN.exe 1816 Mmdjkhdh.exe 1816 Mmdjkhdh.exe 2060 Mcnbhb32.exe 2060 Mcnbhb32.exe 1952 Mfmndn32.exe 1952 Mfmndn32.exe 3012 Mklcadfn.exe 3012 Mklcadfn.exe 2996 Nipdkieg.exe 2996 Nipdkieg.exe 2668 Nnmlcp32.exe 2668 Nnmlcp32.exe 1708 Ngealejo.exe 1708 Ngealejo.exe 2196 Nameek32.exe 2196 Nameek32.exe 2784 Neknki32.exe 2784 Neknki32.exe 1860 Nlefhcnc.exe 1860 Nlefhcnc.exe 2000 Nncbdomg.exe 2000 Nncbdomg.exe 1128 Ndqkleln.exe 1128 Ndqkleln.exe 2628 Oadkej32.exe 2628 Oadkej32.exe 2980 Ojmpooah.exe 2980 Ojmpooah.exe 448 Olpilg32.exe 448 Olpilg32.exe 1244 Oeindm32.exe 1244 Oeindm32.exe 3032 Ofhjopbg.exe 3032 Ofhjopbg.exe 2144 Olebgfao.exe 2144 Olebgfao.exe 1368 Oemgplgo.exe 1368 Oemgplgo.exe 316 Plgolf32.exe 316 Plgolf32.exe 3036 Phnpagdp.exe 3036 Phnpagdp.exe 344 Pkmlmbcd.exe 344 Pkmlmbcd.exe 984 Pafdjmkq.exe 984 Pafdjmkq.exe 2156 Pgcmbcih.exe 2156 Pgcmbcih.exe 1612 Pojecajj.exe 1612 Pojecajj.exe 2276 Pkaehb32.exe 2276 Pkaehb32.exe 2480 Pghfnc32.exe 2480 Pghfnc32.exe 2828 Pifbjn32.exe 2828 Pifbjn32.exe 1928 Qkfocaki.exe 1928 Qkfocaki.exe 2556 Qndkpmkm.exe 2556 Qndkpmkm.exe 2544 Qpbglhjq.exe 2544 Qpbglhjq.exe -
Drops file in System32 directory 64 IoCs
Processes:
Jibnop32.exeKjhcag32.exeDfpaic32.exeQoeamo32.exeAahfdihn.exeEmoldlmc.exeCgfkmgnj.exeGpjkeoha.exePaaddgkj.exeEpeoaffo.exeGdkjdl32.exeEbklic32.exeKkpqlm32.exeAgeompfe.exeBacihmoo.exeCkjamgmk.exeQobdgo32.exeHbofmcij.exeJpbcek32.exeOeindm32.exeJmnqje32.exeHfjbmb32.exeJfcabd32.exePeefcjlg.exeBgdkkc32.exeCjhabndo.exeDhbdleol.exeLgngbmjp.exeNqokpd32.exeJggoqimd.exeKoflgf32.exeCnimiblo.exeNdcapd32.exeOdmckcmq.exeQbnphngk.exeDaaenlng.exeBdcifi32.exeJoidhh32.exePmmneg32.exePonklpcg.exePbemboof.exeCjjnhnbl.exeCdmepgce.exeFgjjad32.exeKindeddf.exeBkbdabog.exeGhbljk32.exeFchkbg32.exeFennoa32.exeGagkjbaf.exeIfgicg32.exeAphjjf32.exeColpld32.exeBmpkqklh.exeJpmmfp32.exeHkahgk32.exeJndjmifj.exeJedehaea.exeEblelb32.exeQejpoi32.exeGdnfjl32.exeIjaaae32.exeLibjncnc.exeFhljkm32.exedescription ioc process File opened for modification C:\Windows\SysWOW64\Jlqjkk32.exe Jibnop32.exe File opened for modification C:\Windows\SysWOW64\Kocpbfei.exe Kjhcag32.exe File opened for modification C:\Windows\SysWOW64\Dinneo32.exe Dfpaic32.exe File created C:\Windows\SysWOW64\Ahfalc32.dll Qoeamo32.exe File opened for modification C:\Windows\SysWOW64\Adfbpega.exe Aahfdihn.exe File opened for modification C:\Windows\SysWOW64\Epnhpglg.exe Emoldlmc.exe File created C:\Windows\SysWOW64\Pmiljc32.dll Cgfkmgnj.exe File opened for modification C:\Windows\SysWOW64\Ghacfmic.exe Gpjkeoha.exe File opened for modification C:\Windows\SysWOW64\Ppddpd32.exe Paaddgkj.exe File created C:\Windows\SysWOW64\Dokggo32.dll Epeoaffo.exe File created C:\Windows\SysWOW64\Pblmdj32.dll Gdkjdl32.exe File created C:\Windows\SysWOW64\Eanldqgf.exe Ebklic32.exe File created C:\Windows\SysWOW64\Kokmmkcm.exe Kkpqlm32.exe File created C:\Windows\SysWOW64\Akpkmo32.exe Ageompfe.exe File created C:\Windows\SysWOW64\Bjjaikoa.exe Bacihmoo.exe File created C:\Windows\SysWOW64\Cnimiblo.exe Ckjamgmk.exe File created C:\Windows\SysWOW64\Qbnphngk.exe Qobdgo32.exe File opened for modification C:\Windows\SysWOW64\Hfjbmb32.exe Hbofmcij.exe File created C:\Windows\SysWOW64\Jpbpbbdb.dll Jpbcek32.exe File opened for modification C:\Windows\SysWOW64\Ofhjopbg.exe Oeindm32.exe File created C:\Windows\SysWOW64\Jpmmfp32.exe Jmnqje32.exe File created C:\Windows\SysWOW64\Dgmjmajn.dll Hfjbmb32.exe File opened for modification C:\Windows\SysWOW64\Jibnop32.exe Jfcabd32.exe File created C:\Windows\SysWOW64\Okmjae32.dll Peefcjlg.exe File created C:\Windows\SysWOW64\Gnmbpf32.dll Bgdkkc32.exe File created C:\Windows\SysWOW64\Cncmcm32.exe Cjhabndo.exe File created C:\Windows\SysWOW64\Efedga32.exe Dhbdleol.exe File opened for modification C:\Windows\SysWOW64\Ljldnhid.exe Lgngbmjp.exe File created C:\Windows\SysWOW64\Ncmglp32.exe Nqokpd32.exe File created C:\Windows\SysWOW64\Jjfkmdlg.exe Jggoqimd.exe File created C:\Windows\SysWOW64\Kadica32.exe Koflgf32.exe File opened for modification C:\Windows\SysWOW64\Cbdiia32.exe Cnimiblo.exe File created C:\Windows\SysWOW64\Aodcbn32.dll Ndcapd32.exe File opened for modification C:\Windows\SysWOW64\Oflpgnld.exe Odmckcmq.exe File created C:\Windows\SysWOW64\Qdompf32.exe Qbnphngk.exe File created C:\Windows\SysWOW64\Eckfklnl.dll Daaenlng.exe File opened for modification C:\Windows\SysWOW64\Bceibfgj.exe Bdcifi32.exe File created C:\Windows\SysWOW64\Jagpdd32.exe Joidhh32.exe File created C:\Windows\SysWOW64\Hlklph32.dll Pmmneg32.exe File opened for modification C:\Windows\SysWOW64\Pbigmn32.exe Ponklpcg.exe File opened for modification C:\Windows\SysWOW64\Pfpibn32.exe Pbemboof.exe File created C:\Windows\SysWOW64\Fdeonhfo.dll Cjjnhnbl.exe File opened for modification C:\Windows\SysWOW64\Cglalbbi.exe Cdmepgce.exe File opened for modification C:\Windows\SysWOW64\Fkefbcmf.exe Fgjjad32.exe File opened for modification C:\Windows\SysWOW64\Kkpqlm32.exe Kindeddf.exe File opened for modification C:\Windows\SysWOW64\Bnapnm32.exe Bkbdabog.exe File created C:\Windows\SysWOW64\Ffadkgnl.dll Ghbljk32.exe File created C:\Windows\SysWOW64\Fibcoalf.exe Fchkbg32.exe File created C:\Windows\SysWOW64\Nfnidhlj.dll Fennoa32.exe File created C:\Windows\SysWOW64\Gpjkeoha.exe Gagkjbaf.exe File created C:\Windows\SysWOW64\Iejiodbl.exe Ifgicg32.exe File created C:\Windows\SysWOW64\Aihgmjad.dll Aphjjf32.exe File created C:\Windows\SysWOW64\Ccgklc32.exe Colpld32.exe File opened for modification C:\Windows\SysWOW64\Boogmgkl.exe Bmpkqklh.exe File created C:\Windows\SysWOW64\Ahknna32.dll Jpmmfp32.exe File created C:\Windows\SysWOW64\Belhfdmi.dll Hkahgk32.exe File created C:\Windows\SysWOW64\Jenbjc32.exe Jndjmifj.exe File opened for modification C:\Windows\SysWOW64\Jmkmjoec.exe Jedehaea.exe File created C:\Windows\SysWOW64\Ejcmmp32.exe Eblelb32.exe File created C:\Windows\SysWOW64\Gefcmp32.dll Qejpoi32.exe File created C:\Windows\SysWOW64\Baajep32.dll Gdnfjl32.exe File created C:\Windows\SysWOW64\Ibhicbao.exe Ijaaae32.exe File created C:\Windows\SysWOW64\Llpfjomf.exe Libjncnc.exe File created C:\Windows\SysWOW64\Fkkfgi32.exe Fhljkm32.exe -
Program crash 1 IoCs
Processes:
WerFault.exepid pid_target process target process 6668 6608 WerFault.exe Lbjofi32.exe -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
Jnofgg32.exeLibjncnc.exeBoogmgkl.exeEanldqgf.exePbigmn32.exeFhdmph32.exeEmaijk32.exeMklcadfn.exeQgmpibam.exeKokmmkcm.exeOalkih32.exeQbnphngk.exeAddfkeid.exeAjmijmnn.exeCnfqccna.exeFmlbjq32.exeEhnfpifm.exeDbiocd32.exeLjnqdhga.exeObeacl32.exeIaimipjl.exeBceibfgj.exeEmifeqid.exeIbkmchbh.exeKlhgfq32.exeQiflohqk.exeFglfgd32.exePhnpagdp.exeNmofdf32.exeOiafee32.exeQobdgo32.exeCdmepgce.exeHqnjek32.exeKoflgf32.exeDlofgj32.exeHbggif32.exeIjibng32.exeNdcapd32.exeFolhgbid.exeGhdiokbq.exeEgajnfoe.exeNgdjaofc.exeBddbjhlp.exeBdkhjgeh.exeNmflee32.exePbemboof.exeBnochnpm.exeEogolc32.exeHgeelf32.exeEpbbkf32.exeKpgionie.exeFgfdie32.exeMmccqbpm.exeOhbikbkb.exePhfoee32.exePopgboae.exeEmoldlmc.exeGqlhkofn.exeJoggci32.exeKilgoe32.exeLpcoeb32.exeGecpnp32.exeQpbglhjq.exeFcmdnfad.exedescription ioc process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jnofgg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Libjncnc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Boogmgkl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eanldqgf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pbigmn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fhdmph32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Emaijk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mklcadfn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qgmpibam.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kokmmkcm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oalkih32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qbnphngk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Addfkeid.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ajmijmnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cnfqccna.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fmlbjq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ehnfpifm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dbiocd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ljnqdhga.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Obeacl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iaimipjl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bceibfgj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Emifeqid.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ibkmchbh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Klhgfq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qiflohqk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fglfgd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Phnpagdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nmofdf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oiafee32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qobdgo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cdmepgce.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hqnjek32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Koflgf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dlofgj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hbggif32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ijibng32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ndcapd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Folhgbid.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ghdiokbq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Egajnfoe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ngdjaofc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bddbjhlp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bdkhjgeh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nmflee32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pbemboof.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bnochnpm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eogolc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hgeelf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Epbbkf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kpgionie.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fgfdie32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mmccqbpm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ohbikbkb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Phfoee32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Popgboae.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Emoldlmc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gqlhkofn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Joggci32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kilgoe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lpcoeb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gecpnp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qpbglhjq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fcmdnfad.exe -
Modifies registry class 64 IoCs
Processes:
Ckjamgmk.exeKindeddf.exePiliii32.exeHfjbmb32.exeEphbal32.exeKmqmod32.exeOnnnml32.exeFgjjad32.exeGonale32.exeLdahkaij.exeOhfcfb32.exeFgocmc32.exeKgcnahoo.exeMbqkiind.exePpddpd32.exeCkbpqe32.exeHqnjek32.exeBmlael32.exeCnfqccna.exeGhacfmic.exeAjmijmnn.exeDpeiligo.exeCfckcoen.exeOadkej32.exeBoogmgkl.exeEogolc32.exePlgolf32.exeFimoiopk.exeDhckfkbh.exeFhljkm32.exeEpnhpglg.exeIgceej32.exeLngpog32.exeAlageg32.exeJjjdhc32.exeCgfkmgnj.exeEjcmmp32.exePafdjmkq.exeHddmjk32.exeDfkhndca.exeOecmogln.exeDeakjjbk.exeCiihklpj.exeFkkfgi32.exeBdfooh32.exeCglalbbi.exeDaaenlng.exeNmofdf32.exeBdcifi32.exeDcllbhdn.exeDfmeccao.exeQbnphngk.exeDokfme32.exeEdaalk32.exeGagkjbaf.exeIfdlng32.exeGecpnp32.exeJpmmfp32.exeLnqjnhge.exeAdipfd32.exeAnadojlo.exeIlcalnii.exeHjcaha32.exedescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ckjamgmk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kindeddf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Piliii32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hfjbmb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ephbal32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kmqmod32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Onnnml32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pgdokbck.dll" Fgjjad32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eickphoo.dll" Gonale32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ldahkaij.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ohfcfb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Plcpehgf.dll" Fgocmc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kgcnahoo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mbqkiind.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ppddpd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Finlmjmi.dll" Ckbpqe32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hqnjek32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bmlael32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cnfqccna.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cjgkoeaq.dll" Ghacfmic.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Incjbkig.dll" Ajmijmnn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dpeiligo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lkhkagoh.dll" Cfckcoen.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Oadkej32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Boogmgkl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eogolc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ecinnn32.dll" Plgolf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fimoiopk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dhckfkbh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fhljkm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Epnhpglg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gkaobghp.dll" Igceej32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lngpog32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Alageg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jjjdhc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cgfkmgnj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ejcmmp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pafdjmkq.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hddmjk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dfkhndca.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nijjkf32.dll" Oecmogln.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Deakjjbk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ciihklpj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fkkfgi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qdhjoc32.dll" Bdfooh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cglalbbi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Daaenlng.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nmofdf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bdcifi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dcllbhdn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dfmeccao.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qbnphngk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pbmmpj32.dll" Dokfme32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Edaalk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gagkjbaf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ifdlng32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gecpnp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ahknna32.dll" Jpmmfp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lnqjnhge.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Adipfd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Anadojlo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Daaenlng.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ilcalnii.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hjcaha32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
604e1b75082932c6ab77e178627ed257404b17b2f530be4af722091a6be431daN.exeMmdjkhdh.exeMcnbhb32.exeMfmndn32.exeMklcadfn.exeNipdkieg.exeNnmlcp32.exeNgealejo.exeNameek32.exeNeknki32.exeNlefhcnc.exeNncbdomg.exeNdqkleln.exeOadkej32.exeOjmpooah.exeOlpilg32.exedescription pid process target process PID 2412 wrote to memory of 1816 2412 604e1b75082932c6ab77e178627ed257404b17b2f530be4af722091a6be431daN.exe Mmdjkhdh.exe PID 2412 wrote to memory of 1816 2412 604e1b75082932c6ab77e178627ed257404b17b2f530be4af722091a6be431daN.exe Mmdjkhdh.exe PID 2412 wrote to memory of 1816 2412 604e1b75082932c6ab77e178627ed257404b17b2f530be4af722091a6be431daN.exe Mmdjkhdh.exe PID 2412 wrote to memory of 1816 2412 604e1b75082932c6ab77e178627ed257404b17b2f530be4af722091a6be431daN.exe Mmdjkhdh.exe PID 1816 wrote to memory of 2060 1816 Mmdjkhdh.exe Mcnbhb32.exe PID 1816 wrote to memory of 2060 1816 Mmdjkhdh.exe Mcnbhb32.exe PID 1816 wrote to memory of 2060 1816 Mmdjkhdh.exe Mcnbhb32.exe PID 1816 wrote to memory of 2060 1816 Mmdjkhdh.exe Mcnbhb32.exe PID 2060 wrote to memory of 1952 2060 Mcnbhb32.exe Mfmndn32.exe PID 2060 wrote to memory of 1952 2060 Mcnbhb32.exe Mfmndn32.exe PID 2060 wrote to memory of 1952 2060 Mcnbhb32.exe Mfmndn32.exe PID 2060 wrote to memory of 1952 2060 Mcnbhb32.exe Mfmndn32.exe PID 1952 wrote to memory of 3012 1952 Mfmndn32.exe Mklcadfn.exe PID 1952 wrote to memory of 3012 1952 Mfmndn32.exe Mklcadfn.exe PID 1952 wrote to memory of 3012 1952 Mfmndn32.exe Mklcadfn.exe PID 1952 wrote to memory of 3012 1952 Mfmndn32.exe Mklcadfn.exe PID 3012 wrote to memory of 2996 3012 Mklcadfn.exe Nipdkieg.exe PID 3012 wrote to memory of 2996 3012 Mklcadfn.exe Nipdkieg.exe PID 3012 wrote to memory of 2996 3012 Mklcadfn.exe Nipdkieg.exe PID 3012 wrote to memory of 2996 3012 Mklcadfn.exe Nipdkieg.exe PID 2996 wrote to memory of 2668 2996 Nipdkieg.exe Nnmlcp32.exe PID 2996 wrote to memory of 2668 2996 Nipdkieg.exe Nnmlcp32.exe PID 2996 wrote to memory of 2668 2996 Nipdkieg.exe Nnmlcp32.exe PID 2996 wrote to memory of 2668 2996 Nipdkieg.exe Nnmlcp32.exe PID 2668 wrote to memory of 1708 2668 Nnmlcp32.exe Ngealejo.exe PID 2668 wrote to memory of 1708 2668 Nnmlcp32.exe Ngealejo.exe PID 2668 wrote to memory of 1708 2668 Nnmlcp32.exe Ngealejo.exe PID 2668 wrote to memory of 1708 2668 Nnmlcp32.exe Ngealejo.exe PID 1708 wrote to memory of 2196 1708 Ngealejo.exe Nameek32.exe PID 1708 wrote to memory of 2196 1708 Ngealejo.exe Nameek32.exe PID 1708 wrote to memory of 2196 1708 Ngealejo.exe Nameek32.exe PID 1708 wrote to memory of 2196 1708 Ngealejo.exe Nameek32.exe PID 2196 wrote to memory of 2784 2196 Nameek32.exe Neknki32.exe PID 2196 wrote to memory of 2784 2196 Nameek32.exe Neknki32.exe PID 2196 wrote to memory of 2784 2196 Nameek32.exe Neknki32.exe PID 2196 wrote to memory of 2784 2196 Nameek32.exe Neknki32.exe PID 2784 wrote to memory of 1860 2784 Neknki32.exe Nlefhcnc.exe PID 2784 wrote to memory of 1860 2784 Neknki32.exe Nlefhcnc.exe PID 2784 wrote to memory of 1860 2784 Neknki32.exe Nlefhcnc.exe PID 2784 wrote to memory of 1860 2784 Neknki32.exe Nlefhcnc.exe PID 1860 wrote to memory of 2000 1860 Nlefhcnc.exe Nncbdomg.exe PID 1860 wrote to memory of 2000 1860 Nlefhcnc.exe Nncbdomg.exe PID 1860 wrote to memory of 2000 1860 Nlefhcnc.exe Nncbdomg.exe PID 1860 wrote to memory of 2000 1860 Nlefhcnc.exe Nncbdomg.exe PID 2000 wrote to memory of 1128 2000 Nncbdomg.exe Ndqkleln.exe PID 2000 wrote to memory of 1128 2000 Nncbdomg.exe Ndqkleln.exe PID 2000 wrote to memory of 1128 2000 Nncbdomg.exe Ndqkleln.exe PID 2000 wrote to memory of 1128 2000 Nncbdomg.exe Ndqkleln.exe PID 1128 wrote to memory of 2628 1128 Ndqkleln.exe Oadkej32.exe PID 1128 wrote to memory of 2628 1128 Ndqkleln.exe Oadkej32.exe PID 1128 wrote to memory of 2628 1128 Ndqkleln.exe Oadkej32.exe PID 1128 wrote to memory of 2628 1128 Ndqkleln.exe Oadkej32.exe PID 2628 wrote to memory of 2980 2628 Oadkej32.exe Ojmpooah.exe PID 2628 wrote to memory of 2980 2628 Oadkej32.exe Ojmpooah.exe PID 2628 wrote to memory of 2980 2628 Oadkej32.exe Ojmpooah.exe PID 2628 wrote to memory of 2980 2628 Oadkej32.exe Ojmpooah.exe PID 2980 wrote to memory of 448 2980 Ojmpooah.exe Olpilg32.exe PID 2980 wrote to memory of 448 2980 Ojmpooah.exe Olpilg32.exe PID 2980 wrote to memory of 448 2980 Ojmpooah.exe Olpilg32.exe PID 2980 wrote to memory of 448 2980 Ojmpooah.exe Olpilg32.exe PID 448 wrote to memory of 1244 448 Olpilg32.exe Oeindm32.exe PID 448 wrote to memory of 1244 448 Olpilg32.exe Oeindm32.exe PID 448 wrote to memory of 1244 448 Olpilg32.exe Oeindm32.exe PID 448 wrote to memory of 1244 448 Olpilg32.exe Oeindm32.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\604e1b75082932c6ab77e178627ed257404b17b2f530be4af722091a6be431daN.exe"C:\Users\Admin\AppData\Local\Temp\604e1b75082932c6ab77e178627ed257404b17b2f530be4af722091a6be431daN.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2412 -
C:\Windows\SysWOW64\Mmdjkhdh.exeC:\Windows\system32\Mmdjkhdh.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1816 -
C:\Windows\SysWOW64\Mcnbhb32.exeC:\Windows\system32\Mcnbhb32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2060 -
C:\Windows\SysWOW64\Mfmndn32.exeC:\Windows\system32\Mfmndn32.exe4⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1952 -
C:\Windows\SysWOW64\Mklcadfn.exeC:\Windows\system32\Mklcadfn.exe5⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3012 -
C:\Windows\SysWOW64\Nipdkieg.exeC:\Windows\system32\Nipdkieg.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2996 -
C:\Windows\SysWOW64\Nnmlcp32.exeC:\Windows\system32\Nnmlcp32.exe7⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2668 -
C:\Windows\SysWOW64\Ngealejo.exeC:\Windows\system32\Ngealejo.exe8⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1708 -
C:\Windows\SysWOW64\Nameek32.exeC:\Windows\system32\Nameek32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2196 -
C:\Windows\SysWOW64\Neknki32.exeC:\Windows\system32\Neknki32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2784 -
C:\Windows\SysWOW64\Nlefhcnc.exeC:\Windows\system32\Nlefhcnc.exe11⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1860 -
C:\Windows\SysWOW64\Nncbdomg.exeC:\Windows\system32\Nncbdomg.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2000 -
C:\Windows\SysWOW64\Ndqkleln.exeC:\Windows\system32\Ndqkleln.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1128 -
C:\Windows\SysWOW64\Oadkej32.exeC:\Windows\system32\Oadkej32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2628 -
C:\Windows\SysWOW64\Ojmpooah.exeC:\Windows\system32\Ojmpooah.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2980 -
C:\Windows\SysWOW64\Olpilg32.exeC:\Windows\system32\Olpilg32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:448 -
C:\Windows\SysWOW64\Oeindm32.exeC:\Windows\system32\Oeindm32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1244 -
C:\Windows\SysWOW64\Ofhjopbg.exeC:\Windows\system32\Ofhjopbg.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3032 -
C:\Windows\SysWOW64\Olebgfao.exeC:\Windows\system32\Olebgfao.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2144 -
C:\Windows\SysWOW64\Oemgplgo.exeC:\Windows\system32\Oemgplgo.exe20⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1368 -
C:\Windows\SysWOW64\Plgolf32.exeC:\Windows\system32\Plgolf32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:316 -
C:\Windows\SysWOW64\Phnpagdp.exeC:\Windows\system32\Phnpagdp.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:3036 -
C:\Windows\SysWOW64\Pkmlmbcd.exeC:\Windows\system32\Pkmlmbcd.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:344 -
C:\Windows\SysWOW64\Pafdjmkq.exeC:\Windows\system32\Pafdjmkq.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:984 -
C:\Windows\SysWOW64\Pgcmbcih.exeC:\Windows\system32\Pgcmbcih.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2156 -
C:\Windows\SysWOW64\Pojecajj.exeC:\Windows\system32\Pojecajj.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1612 -
C:\Windows\SysWOW64\Pkaehb32.exeC:\Windows\system32\Pkaehb32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2276 -
C:\Windows\SysWOW64\Pghfnc32.exeC:\Windows\system32\Pghfnc32.exe28⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2480 -
C:\Windows\SysWOW64\Pifbjn32.exeC:\Windows\system32\Pifbjn32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2828 -
C:\Windows\SysWOW64\Qkfocaki.exeC:\Windows\system32\Qkfocaki.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1928 -
C:\Windows\SysWOW64\Qndkpmkm.exeC:\Windows\system32\Qndkpmkm.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2556 -
C:\Windows\SysWOW64\Qpbglhjq.exeC:\Windows\system32\Qpbglhjq.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2544 -
C:\Windows\SysWOW64\Qgmpibam.exeC:\Windows\system32\Qgmpibam.exe33⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1288 -
C:\Windows\SysWOW64\Qnghel32.exeC:\Windows\system32\Qnghel32.exe34⤵
- Executes dropped EXE
PID:2224 -
C:\Windows\SysWOW64\Accqnc32.exeC:\Windows\system32\Accqnc32.exe35⤵
- Executes dropped EXE
PID:1596 -
C:\Windows\SysWOW64\Ajmijmnn.exeC:\Windows\system32\Ajmijmnn.exe36⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2836 -
C:\Windows\SysWOW64\Apgagg32.exeC:\Windows\system32\Apgagg32.exe37⤵
- Executes dropped EXE
PID:1264 -
C:\Windows\SysWOW64\Acfmcc32.exeC:\Windows\system32\Acfmcc32.exe38⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1176 -
C:\Windows\SysWOW64\Ajpepm32.exeC:\Windows\system32\Ajpepm32.exe39⤵
- Executes dropped EXE
PID:2620 -
C:\Windows\SysWOW64\Alnalh32.exeC:\Windows\system32\Alnalh32.exe40⤵
- Executes dropped EXE
PID:2348 -
C:\Windows\SysWOW64\Achjibcl.exeC:\Windows\system32\Achjibcl.exe41⤵
- Executes dropped EXE
PID:2004 -
C:\Windows\SysWOW64\Ahebaiac.exeC:\Windows\system32\Ahebaiac.exe42⤵
- Executes dropped EXE
PID:1660 -
C:\Windows\SysWOW64\Akcomepg.exeC:\Windows\system32\Akcomepg.exe43⤵
- Executes dropped EXE
PID:2512 -
C:\Windows\SysWOW64\Aficjnpm.exeC:\Windows\system32\Aficjnpm.exe44⤵
- Executes dropped EXE
PID:736 -
C:\Windows\SysWOW64\Agjobffl.exeC:\Windows\system32\Agjobffl.exe45⤵
- Executes dropped EXE
PID:1728 -
C:\Windows\SysWOW64\Aoagccfn.exeC:\Windows\system32\Aoagccfn.exe46⤵
- Executes dropped EXE
PID:1544 -
C:\Windows\SysWOW64\Bhjlli32.exeC:\Windows\system32\Bhjlli32.exe47⤵
- Executes dropped EXE
PID:1404 -
C:\Windows\SysWOW64\Bdqlajbb.exeC:\Windows\system32\Bdqlajbb.exe48⤵
- Executes dropped EXE
PID:2612 -
C:\Windows\SysWOW64\Bkjdndjo.exeC:\Windows\system32\Bkjdndjo.exe49⤵
- Executes dropped EXE
PID:2460 -
C:\Windows\SysWOW64\Bjmeiq32.exeC:\Windows\system32\Bjmeiq32.exe50⤵
- Executes dropped EXE
PID:2320 -
C:\Windows\SysWOW64\Bmlael32.exeC:\Windows\system32\Bmlael32.exe51⤵
- Modifies registry class
PID:1792 -
C:\Windows\SysWOW64\Bdcifi32.exeC:\Windows\system32\Bdcifi32.exe52⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:476 -
C:\Windows\SysWOW64\Bceibfgj.exeC:\Windows\system32\Bceibfgj.exe53⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2832 -
C:\Windows\SysWOW64\Bfdenafn.exeC:\Windows\system32\Bfdenafn.exe54⤵
- Executes dropped EXE
PID:2820 -
C:\Windows\SysWOW64\Bnknoogp.exeC:\Windows\system32\Bnknoogp.exe55⤵
- Executes dropped EXE
PID:2576 -
C:\Windows\SysWOW64\Bqijljfd.exeC:\Windows\system32\Bqijljfd.exe56⤵
- Executes dropped EXE
PID:2608 -
C:\Windows\SysWOW64\Boljgg32.exeC:\Windows\system32\Boljgg32.exe57⤵
- Executes dropped EXE
PID:1940 -
C:\Windows\SysWOW64\Bgcbhd32.exeC:\Windows\system32\Bgcbhd32.exe58⤵
- Executes dropped EXE
PID:2752 -
C:\Windows\SysWOW64\Bjbndpmd.exeC:\Windows\system32\Bjbndpmd.exe59⤵
- Executes dropped EXE
PID:1228 -
C:\Windows\SysWOW64\Bmpkqklh.exeC:\Windows\system32\Bmpkqklh.exe60⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2028 -
C:\Windows\SysWOW64\Boogmgkl.exeC:\Windows\system32\Boogmgkl.exe61⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1480 -
C:\Windows\SysWOW64\Bfioia32.exeC:\Windows\system32\Bfioia32.exe62⤵
- Executes dropped EXE
PID:688 -
C:\Windows\SysWOW64\Bigkel32.exeC:\Windows\system32\Bigkel32.exe63⤵
- Executes dropped EXE
PID:568 -
C:\Windows\SysWOW64\Cenljmgq.exeC:\Windows\system32\Cenljmgq.exe64⤵
- Executes dropped EXE
PID:1672 -
C:\Windows\SysWOW64\Ciihklpj.exeC:\Windows\system32\Ciihklpj.exe65⤵
- Executes dropped EXE
- Modifies registry class
PID:2120 -
C:\Windows\SysWOW64\Cmedlk32.exeC:\Windows\system32\Cmedlk32.exe66⤵
- Executes dropped EXE
PID:108 -
C:\Windows\SysWOW64\Cocphf32.exeC:\Windows\system32\Cocphf32.exe67⤵PID:1668
-
C:\Windows\SysWOW64\Cnfqccna.exeC:\Windows\system32\Cnfqccna.exe68⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2448 -
C:\Windows\SysWOW64\Cfmhdpnc.exeC:\Windows\system32\Cfmhdpnc.exe69⤵PID:1972
-
C:\Windows\SysWOW64\Cileqlmg.exeC:\Windows\system32\Cileqlmg.exe70⤵PID:2388
-
C:\Windows\SysWOW64\Ckjamgmk.exeC:\Windows\system32\Ckjamgmk.exe71⤵
- Drops file in System32 directory
- Modifies registry class
PID:2792 -
C:\Windows\SysWOW64\Cnimiblo.exeC:\Windows\system32\Cnimiblo.exe72⤵
- Drops file in System32 directory
PID:2536 -
C:\Windows\SysWOW64\Cbdiia32.exeC:\Windows\system32\Cbdiia32.exe73⤵PID:2636
-
C:\Windows\SysWOW64\Cinafkkd.exeC:\Windows\system32\Cinafkkd.exe74⤵PID:2152
-
C:\Windows\SysWOW64\Cgaaah32.exeC:\Windows\system32\Cgaaah32.exe75⤵PID:2604
-
C:\Windows\SysWOW64\Cjonncab.exeC:\Windows\system32\Cjonncab.exe76⤵PID:1636
-
C:\Windows\SysWOW64\Cbffoabe.exeC:\Windows\system32\Cbffoabe.exe77⤵PID:1784
-
C:\Windows\SysWOW64\Caifjn32.exeC:\Windows\system32\Caifjn32.exe78⤵PID:1196
-
C:\Windows\SysWOW64\Cchbgi32.exeC:\Windows\system32\Cchbgi32.exe79⤵PID:2492
-
C:\Windows\SysWOW64\Clojhf32.exeC:\Windows\system32\Clojhf32.exe80⤵PID:2508
-
C:\Windows\SysWOW64\Cmpgpond.exeC:\Windows\system32\Cmpgpond.exe81⤵PID:2500
-
C:\Windows\SysWOW64\Cgfkmgnj.exeC:\Windows\system32\Cgfkmgnj.exe82⤵
- Drops file in System32 directory
- Modifies registry class
PID:748 -
C:\Windows\SysWOW64\Dnpciaef.exeC:\Windows\system32\Dnpciaef.exe83⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1564 -
C:\Windows\SysWOW64\Danpemej.exeC:\Windows\system32\Danpemej.exe84⤵PID:2308
-
C:\Windows\SysWOW64\Dcllbhdn.exeC:\Windows\system32\Dcllbhdn.exe85⤵
- Modifies registry class
PID:2248 -
C:\Windows\SysWOW64\Dfkhndca.exeC:\Windows\system32\Dfkhndca.exe86⤵
- Modifies registry class
PID:1740 -
C:\Windows\SysWOW64\Diidjpbe.exeC:\Windows\system32\Diidjpbe.exe87⤵PID:1756
-
C:\Windows\SysWOW64\Daplkmbg.exeC:\Windows\system32\Daplkmbg.exe88⤵PID:2440
-
C:\Windows\SysWOW64\Dpcmgi32.exeC:\Windows\system32\Dpcmgi32.exe89⤵PID:2496
-
C:\Windows\SysWOW64\Dfmeccao.exeC:\Windows\system32\Dfmeccao.exe90⤵
- Modifies registry class
PID:2380 -
C:\Windows\SysWOW64\Djiqdb32.exeC:\Windows\system32\Djiqdb32.exe91⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2844 -
C:\Windows\SysWOW64\Dmgmpnhl.exeC:\Windows\system32\Dmgmpnhl.exe92⤵PID:1992
-
C:\Windows\SysWOW64\Dpeiligo.exeC:\Windows\system32\Dpeiligo.exe93⤵
- Modifies registry class
PID:2572 -
C:\Windows\SysWOW64\Dfpaic32.exeC:\Windows\system32\Dfpaic32.exe94⤵
- Drops file in System32 directory
PID:2528 -
C:\Windows\SysWOW64\Dinneo32.exeC:\Windows\system32\Dinneo32.exe95⤵PID:1532
-
C:\Windows\SysWOW64\Dmijfmfi.exeC:\Windows\system32\Dmijfmfi.exe96⤵PID:2592
-
C:\Windows\SysWOW64\Dphfbiem.exeC:\Windows\system32\Dphfbiem.exe97⤵PID:780
-
C:\Windows\SysWOW64\Dokfme32.exeC:\Windows\system32\Dokfme32.exe98⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2888 -
C:\Windows\SysWOW64\Dfbnoc32.exeC:\Windows\system32\Dfbnoc32.exe99⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1096 -
C:\Windows\SysWOW64\Deenjpcd.exeC:\Windows\system32\Deenjpcd.exe100⤵PID:2948
-
C:\Windows\SysWOW64\Dhckfkbh.exeC:\Windows\system32\Dhckfkbh.exe101⤵
- Modifies registry class
PID:2944 -
C:\Windows\SysWOW64\Dlofgj32.exeC:\Windows\system32\Dlofgj32.exe102⤵
- System Location Discovery: System Language Discovery
PID:3016 -
C:\Windows\SysWOW64\Dpjbgh32.exeC:\Windows\system32\Dpjbgh32.exe103⤵PID:1716
-
C:\Windows\SysWOW64\Dbiocd32.exeC:\Windows\system32\Dbiocd32.exe104⤵
- System Location Discovery: System Language Discovery
PID:1540 -
C:\Windows\SysWOW64\Eakooqih.exeC:\Windows\system32\Eakooqih.exe105⤵PID:348
-
C:\Windows\SysWOW64\Eibgpnjk.exeC:\Windows\system32\Eibgpnjk.exe106⤵PID:1056
-
C:\Windows\SysWOW64\Elacliin.exeC:\Windows\system32\Elacliin.exe107⤵PID:1600
-
C:\Windows\SysWOW64\Ebklic32.exeC:\Windows\system32\Ebklic32.exe108⤵
- Drops file in System32 directory
PID:1604 -
C:\Windows\SysWOW64\Eanldqgf.exeC:\Windows\system32\Eanldqgf.exe109⤵
- System Location Discovery: System Language Discovery
PID:2816 -
C:\Windows\SysWOW64\Ehhdaj32.exeC:\Windows\system32\Ehhdaj32.exe110⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2660 -
C:\Windows\SysWOW64\Elcpbigl.exeC:\Windows\system32\Elcpbigl.exe111⤵PID:2648
-
C:\Windows\SysWOW64\Eoblnd32.exeC:\Windows\system32\Eoblnd32.exe112⤵PID:2860
-
C:\Windows\SysWOW64\Eaphjp32.exeC:\Windows\system32\Eaphjp32.exe113⤵PID:1640
-
C:\Windows\SysWOW64\Egmabg32.exeC:\Windows\system32\Egmabg32.exe114⤵PID:1432
-
C:\Windows\SysWOW64\Ekhmcelc.exeC:\Windows\system32\Ekhmcelc.exe115⤵PID:1396
-
C:\Windows\SysWOW64\Emgioakg.exeC:\Windows\system32\Emgioakg.exe116⤵PID:804
-
C:\Windows\SysWOW64\Eabepp32.exeC:\Windows\system32\Eabepp32.exe117⤵PID:1300
-
C:\Windows\SysWOW64\Edaalk32.exeC:\Windows\system32\Edaalk32.exe118⤵
- Modifies registry class
PID:1960 -
C:\Windows\SysWOW64\Egonhf32.exeC:\Windows\system32\Egonhf32.exe119⤵PID:1076
-
C:\Windows\SysWOW64\Einjdb32.exeC:\Windows\system32\Einjdb32.exe120⤵PID:2164
-
C:\Windows\SysWOW64\Emifeqid.exeC:\Windows\system32\Emifeqid.exe121⤵
- System Location Discovery: System Language Discovery
PID:1316 -
C:\Windows\SysWOW64\Ephbal32.exeC:\Windows\system32\Ephbal32.exe122⤵
- Modifies registry class
PID:2368 -
C:\Windows\SysWOW64\Edcnakpa.exeC:\Windows\system32\Edcnakpa.exe123⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2300 -
C:\Windows\SysWOW64\Egajnfoe.exeC:\Windows\system32\Egajnfoe.exe124⤵
- System Location Discovery: System Language Discovery
PID:2848 -
C:\Windows\SysWOW64\Ekmfne32.exeC:\Windows\system32\Ekmfne32.exe125⤵PID:2552
-
C:\Windows\SysWOW64\Fmlbjq32.exeC:\Windows\system32\Fmlbjq32.exe126⤵
- System Location Discovery: System Language Discovery
PID:2596 -
C:\Windows\SysWOW64\Flocfmnl.exeC:\Windows\system32\Flocfmnl.exe127⤵PID:1684
-
C:\Windows\SysWOW64\Fdekgjno.exeC:\Windows\system32\Fdekgjno.exe128⤵PID:2760
-
C:\Windows\SysWOW64\Fchkbg32.exeC:\Windows\system32\Fchkbg32.exe129⤵
- Drops file in System32 directory
PID:380 -
C:\Windows\SysWOW64\Fibcoalf.exeC:\Windows\system32\Fibcoalf.exe130⤵PID:1428
-
C:\Windows\SysWOW64\Fmnopp32.exeC:\Windows\system32\Fmnopp32.exe131⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1324 -
C:\Windows\SysWOW64\Fplllkdc.exeC:\Windows\system32\Fplllkdc.exe132⤵PID:1284
-
C:\Windows\SysWOW64\Fgfdie32.exeC:\Windows\system32\Fgfdie32.exe133⤵
- System Location Discovery: System Language Discovery
PID:1560 -
C:\Windows\SysWOW64\Fiepea32.exeC:\Windows\system32\Fiepea32.exe134⤵PID:2312
-
C:\Windows\SysWOW64\Fhgppnan.exeC:\Windows\system32\Fhgppnan.exe135⤵PID:2804
-
C:\Windows\SysWOW64\Foahmh32.exeC:\Windows\system32\Foahmh32.exe136⤵PID:2188
-
C:\Windows\SysWOW64\Fcmdnfad.exeC:\Windows\system32\Fcmdnfad.exe137⤵
- System Location Discovery: System Language Discovery
PID:1528 -
C:\Windows\SysWOW64\Figmjq32.exeC:\Windows\system32\Figmjq32.exe138⤵PID:1392
-
C:\Windows\SysWOW64\Fhjmfnok.exeC:\Windows\system32\Fhjmfnok.exe139⤵PID:960
-
C:\Windows\SysWOW64\Fodebh32.exeC:\Windows\system32\Fodebh32.exe140⤵PID:3068
-
C:\Windows\SysWOW64\Fcpacf32.exeC:\Windows\system32\Fcpacf32.exe141⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1124 -
C:\Windows\SysWOW64\Fennoa32.exeC:\Windows\system32\Fennoa32.exe142⤵
- Drops file in System32 directory
PID:2992 -
C:\Windows\SysWOW64\Fhljkm32.exeC:\Windows\system32\Fhljkm32.exe143⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:1508 -
C:\Windows\SysWOW64\Fkkfgi32.exeC:\Windows\system32\Fkkfgi32.exe144⤵
- Modifies registry class
PID:1920 -
C:\Windows\SysWOW64\Fofbhgde.exeC:\Windows\system32\Fofbhgde.exe145⤵PID:2808
-
C:\Windows\SysWOW64\Fadndbci.exeC:\Windows\system32\Fadndbci.exe146⤵PID:2568
-
C:\Windows\SysWOW64\Gdcjpncm.exeC:\Windows\system32\Gdcjpncm.exe147⤵PID:2780
-
C:\Windows\SysWOW64\Ggagmjbq.exeC:\Windows\system32\Ggagmjbq.exe148⤵PID:2748
-
C:\Windows\SysWOW64\Gkmbmh32.exeC:\Windows\system32\Gkmbmh32.exe149⤵PID:1328
-
C:\Windows\SysWOW64\Gagkjbaf.exeC:\Windows\system32\Gagkjbaf.exe150⤵
- Drops file in System32 directory
- Modifies registry class
PID:600 -
C:\Windows\SysWOW64\Gpjkeoha.exeC:\Windows\system32\Gpjkeoha.exe151⤵
- Drops file in System32 directory
PID:3044 -
C:\Windows\SysWOW64\Ghacfmic.exeC:\Windows\system32\Ghacfmic.exe152⤵
- Modifies registry class
PID:2072 -
C:\Windows\SysWOW64\Gkoobhhg.exeC:\Windows\system32\Gkoobhhg.exe153⤵PID:836
-
C:\Windows\SysWOW64\Gnnlocgk.exeC:\Windows\system32\Gnnlocgk.exe154⤵PID:1080
-
C:\Windows\SysWOW64\Gqlhkofn.exeC:\Windows\system32\Gqlhkofn.exe155⤵
- System Location Discovery: System Language Discovery
PID:1848 -
C:\Windows\SysWOW64\Gckdgjeb.exeC:\Windows\system32\Gckdgjeb.exe156⤵PID:1052
-
C:\Windows\SysWOW64\Ggfpgi32.exeC:\Windows\system32\Ggfpgi32.exe157⤵PID:1748
-
C:\Windows\SysWOW64\Gjdldd32.exeC:\Windows\system32\Gjdldd32.exe158⤵PID:2176
-
C:\Windows\SysWOW64\Gnphdceh.exeC:\Windows\system32\Gnphdceh.exe159⤵PID:1032
-
C:\Windows\SysWOW64\Gdjqamme.exeC:\Windows\system32\Gdjqamme.exe160⤵PID:2772
-
C:\Windows\SysWOW64\Gcmamj32.exeC:\Windows\system32\Gcmamj32.exe161⤵PID:1712
-
C:\Windows\SysWOW64\Gjgiidkl.exeC:\Windows\system32\Gjgiidkl.exe162⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2452 -
C:\Windows\SysWOW64\Gnbejb32.exeC:\Windows\system32\Gnbejb32.exe163⤵PID:2656
-
C:\Windows\SysWOW64\Gqaafn32.exeC:\Windows\system32\Gqaafn32.exe164⤵PID:2584
-
C:\Windows\SysWOW64\Godaakic.exeC:\Windows\system32\Godaakic.exe165⤵PID:2952
-
C:\Windows\SysWOW64\Ggkibhjf.exeC:\Windows\system32\Ggkibhjf.exe166⤵PID:1144
-
C:\Windows\SysWOW64\Gfnjne32.exeC:\Windows\system32\Gfnjne32.exe167⤵PID:2824
-
C:\Windows\SysWOW64\Gmhbkohm.exeC:\Windows\system32\Gmhbkohm.exe168⤵PID:2684
-
C:\Windows\SysWOW64\Hofngkga.exeC:\Windows\system32\Hofngkga.exe169⤵PID:2124
-
C:\Windows\SysWOW64\Hcajhi32.exeC:\Windows\system32\Hcajhi32.exe170⤵PID:2736
-
C:\Windows\SysWOW64\Hfpfdeon.exeC:\Windows\system32\Hfpfdeon.exe171⤵PID:2956
-
C:\Windows\SysWOW64\Hjlbdc32.exeC:\Windows\system32\Hjlbdc32.exe172⤵PID:1932
-
C:\Windows\SysWOW64\Hinbppna.exeC:\Windows\system32\Hinbppna.exe173⤵PID:2272
-
C:\Windows\SysWOW64\Hohkmj32.exeC:\Windows\system32\Hohkmj32.exe174⤵PID:1620
-
C:\Windows\SysWOW64\Hbggif32.exeC:\Windows\system32\Hbggif32.exe175⤵
- System Location Discovery: System Language Discovery
PID:916 -
C:\Windows\SysWOW64\Hdecea32.exeC:\Windows\system32\Hdecea32.exe176⤵PID:2212
-
C:\Windows\SysWOW64\Hiqoeplo.exeC:\Windows\system32\Hiqoeplo.exe177⤵PID:1696
-
C:\Windows\SysWOW64\Hkolakkb.exeC:\Windows\system32\Hkolakkb.exe178⤵PID:2324
-
C:\Windows\SysWOW64\Hnnhngjf.exeC:\Windows\system32\Hnnhngjf.exe179⤵PID:2404
-
C:\Windows\SysWOW64\Hfepod32.exeC:\Windows\system32\Hfepod32.exe180⤵PID:844
-
C:\Windows\SysWOW64\Hiclkp32.exeC:\Windows\system32\Hiclkp32.exe181⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2724 -
C:\Windows\SysWOW64\Hkahgk32.exeC:\Windows\system32\Hkahgk32.exe182⤵
- Drops file in System32 directory
PID:3112 -
C:\Windows\SysWOW64\Homdhjai.exeC:\Windows\system32\Homdhjai.exe183⤵PID:3152
-
C:\Windows\SysWOW64\Hejmpqop.exeC:\Windows\system32\Hejmpqop.exe184⤵PID:3192
-
C:\Windows\SysWOW64\Hieiqo32.exeC:\Windows\system32\Hieiqo32.exe185⤵PID:3236
-
C:\Windows\SysWOW64\Hkdemk32.exeC:\Windows\system32\Hkdemk32.exe186⤵PID:3280
-
C:\Windows\SysWOW64\Hnbaif32.exeC:\Windows\system32\Hnbaif32.exe187⤵PID:3320
-
C:\Windows\SysWOW64\Haqnea32.exeC:\Windows\system32\Haqnea32.exe188⤵PID:3360
-
C:\Windows\SysWOW64\Heliepmn.exeC:\Windows\system32\Heliepmn.exe189⤵PID:3400
-
C:\Windows\SysWOW64\Ikfbbjdj.exeC:\Windows\system32\Ikfbbjdj.exe190⤵PID:3440
-
C:\Windows\SysWOW64\Ijibng32.exeC:\Windows\system32\Ijibng32.exe191⤵
- System Location Discovery: System Language Discovery
PID:3480 -
C:\Windows\SysWOW64\Imgnjb32.exeC:\Windows\system32\Imgnjb32.exe192⤵PID:3520
-
C:\Windows\SysWOW64\Iacjjacb.exeC:\Windows\system32\Iacjjacb.exe193⤵PID:3560
-
C:\Windows\SysWOW64\Icafgmbe.exeC:\Windows\system32\Icafgmbe.exe194⤵PID:3600
-
C:\Windows\SysWOW64\Igmbgk32.exeC:\Windows\system32\Igmbgk32.exe195⤵PID:3640
-
C:\Windows\SysWOW64\Ingkdeak.exeC:\Windows\system32\Ingkdeak.exe196⤵PID:3680
-
C:\Windows\SysWOW64\Imjkpb32.exeC:\Windows\system32\Imjkpb32.exe197⤵PID:3720
-
C:\Windows\SysWOW64\Iphgln32.exeC:\Windows\system32\Iphgln32.exe198⤵PID:3760
-
C:\Windows\SysWOW64\Icdcllpc.exeC:\Windows\system32\Icdcllpc.exe199⤵PID:3800
-
C:\Windows\SysWOW64\Ifbphh32.exeC:\Windows\system32\Ifbphh32.exe200⤵PID:3840
-
C:\Windows\SysWOW64\Ijnkifgp.exeC:\Windows\system32\Ijnkifgp.exe201⤵PID:3880
-
C:\Windows\SysWOW64\Imlhebfc.exeC:\Windows\system32\Imlhebfc.exe202⤵PID:3920
-
C:\Windows\SysWOW64\Ipjdameg.exeC:\Windows\system32\Ipjdameg.exe203⤵PID:3960
-
C:\Windows\SysWOW64\Ibipmiek.exeC:\Windows\system32\Ibipmiek.exe204⤵PID:4000
-
C:\Windows\SysWOW64\Ifdlng32.exeC:\Windows\system32\Ifdlng32.exe205⤵
- Modifies registry class
PID:4040 -
C:\Windows\SysWOW64\Imodkadq.exeC:\Windows\system32\Imodkadq.exe206⤵PID:4080
-
C:\Windows\SysWOW64\Iladfn32.exeC:\Windows\system32\Iladfn32.exe207⤵PID:1828
-
C:\Windows\SysWOW64\Ipmqgmcd.exeC:\Windows\system32\Ipmqgmcd.exe208⤵PID:3140
-
C:\Windows\SysWOW64\Ibkmchbh.exeC:\Windows\system32\Ibkmchbh.exe209⤵
- System Location Discovery: System Language Discovery
PID:3180 -
C:\Windows\SysWOW64\Ifgicg32.exeC:\Windows\system32\Ifgicg32.exe210⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:3224 -
C:\Windows\SysWOW64\Iejiodbl.exeC:\Windows\system32\Iejiodbl.exe211⤵PID:3292
-
C:\Windows\SysWOW64\Ilcalnii.exeC:\Windows\system32\Ilcalnii.exe212⤵
- Modifies registry class
PID:3344 -
C:\Windows\SysWOW64\Ipomlm32.exeC:\Windows\system32\Ipomlm32.exe213⤵PID:3392
-
C:\Windows\SysWOW64\Jbnjhh32.exeC:\Windows\system32\Jbnjhh32.exe214⤵PID:3448
-
C:\Windows\SysWOW64\Jelfdc32.exeC:\Windows\system32\Jelfdc32.exe215⤵PID:3500
-
C:\Windows\SysWOW64\Jigbebhb.exeC:\Windows\system32\Jigbebhb.exe216⤵PID:3544
-
C:\Windows\SysWOW64\Jlfnangf.exeC:\Windows\system32\Jlfnangf.exe217⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3592 -
C:\Windows\SysWOW64\Jndjmifj.exeC:\Windows\system32\Jndjmifj.exe218⤵
- Drops file in System32 directory
PID:3648 -
C:\Windows\SysWOW64\Jenbjc32.exeC:\Windows\system32\Jenbjc32.exe219⤵PID:3700
-
C:\Windows\SysWOW64\Jhmofo32.exeC:\Windows\system32\Jhmofo32.exe220⤵PID:3744
-
C:\Windows\SysWOW64\Jlhkgm32.exeC:\Windows\system32\Jlhkgm32.exe221⤵PID:3792
-
C:\Windows\SysWOW64\Joggci32.exeC:\Windows\system32\Joggci32.exe222⤵
- System Location Discovery: System Language Discovery
PID:3848 -
C:\Windows\SysWOW64\Jaecod32.exeC:\Windows\system32\Jaecod32.exe223⤵PID:3908
-
C:\Windows\SysWOW64\Jdcpkp32.exeC:\Windows\system32\Jdcpkp32.exe224⤵PID:3952
-
C:\Windows\SysWOW64\Jhoklnkg.exeC:\Windows\system32\Jhoklnkg.exe225⤵PID:4008
-
C:\Windows\SysWOW64\Joidhh32.exeC:\Windows\system32\Joidhh32.exe226⤵
- Drops file in System32 directory
PID:4060 -
C:\Windows\SysWOW64\Jagpdd32.exeC:\Windows\system32\Jagpdd32.exe227⤵PID:3092
-
C:\Windows\SysWOW64\Jdflqo32.exeC:\Windows\system32\Jdflqo32.exe228⤵PID:3148
-
C:\Windows\SysWOW64\Jhahanie.exeC:\Windows\system32\Jhahanie.exe229⤵PID:3184
-
C:\Windows\SysWOW64\Jokqnhpa.exeC:\Windows\system32\Jokqnhpa.exe230⤵PID:3264
-
C:\Windows\SysWOW64\Jmnqje32.exeC:\Windows\system32\Jmnqje32.exe231⤵
- Drops file in System32 directory
PID:3336 -
C:\Windows\SysWOW64\Jpmmfp32.exeC:\Windows\system32\Jpmmfp32.exe232⤵
- Drops file in System32 directory
- Modifies registry class
PID:3388 -
C:\Windows\SysWOW64\Jfgebjnm.exeC:\Windows\system32\Jfgebjnm.exe233⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3464 -
C:\Windows\SysWOW64\Jkbaci32.exeC:\Windows\system32\Jkbaci32.exe234⤵PID:3412
-
C:\Windows\SysWOW64\Kmqmod32.exeC:\Windows\system32\Kmqmod32.exe235⤵
- Modifies registry class
PID:3584 -
C:\Windows\SysWOW64\Kpojkp32.exeC:\Windows\system32\Kpojkp32.exe236⤵PID:3636
-
C:\Windows\SysWOW64\Kbmfgk32.exeC:\Windows\system32\Kbmfgk32.exe237⤵PID:3708
-
C:\Windows\SysWOW64\Kkdnhi32.exeC:\Windows\system32\Kkdnhi32.exe238⤵PID:3756
-
C:\Windows\SysWOW64\Kigndekn.exeC:\Windows\system32\Kigndekn.exe239⤵PID:3828
-
C:\Windows\SysWOW64\Klfjpa32.exeC:\Windows\system32\Klfjpa32.exe240⤵PID:3888
-
C:\Windows\SysWOW64\Kdmban32.exeC:\Windows\system32\Kdmban32.exe241⤵PID:3944
-
C:\Windows\SysWOW64\Kbpbmkan.exeC:\Windows\system32\Kbpbmkan.exe242⤵PID:4016