Analysis
-
max time kernel
112s -
max time network
94s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
10-11-2024 01:33
Static task
static1
Behavioral task
behavioral1
Sample
be925f50b7b51a2ce19d778ad81e7e22c2868c6af6da9c55f8f60719639795abN.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
be925f50b7b51a2ce19d778ad81e7e22c2868c6af6da9c55f8f60719639795abN.exe
Resource
win10v2004-20241007-en
General
-
Target
be925f50b7b51a2ce19d778ad81e7e22c2868c6af6da9c55f8f60719639795abN.exe
-
Size
320KB
-
MD5
da4b8118700cc4d28c87771239ac3de0
-
SHA1
514879900fb5ccfbfdb0bf4d93cb98fd403e5d20
-
SHA256
be925f50b7b51a2ce19d778ad81e7e22c2868c6af6da9c55f8f60719639795ab
-
SHA512
e574d87a8bc4e30067522007bd44e1d5c774ce09661607977fc853b33ef27733530ee2108799e5d7941c90f8a3196e37fe12c80b601ac3deae3c8bd050be4a56
-
SSDEEP
6144:bLI1jmwrqpaHTCPQv5Sz593HGyZ6YugQdjGG1wsKm06D4:beCgGPN5hGyXu1jGG1ws54
Malware Config
Extracted
berbew
http://f/wcmd.htm
http://f/ppslog.php
http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
Processes:
Ldipha32.exeAlkijdci.exeBlqllqqa.exeOoibkpmi.exeCcppmc32.exeGdiakp32.exeGdcliikj.exeHmpjmn32.exePonfka32.exeFlkdfh32.exeDckdjomg.exeFfclcgfn.exeAjmladbl.exeIjpepcfj.exePmpolgoi.exeGeanfelc.exeLjpaqmgb.exeFffhifdk.exeCmnnimak.exeLoighj32.exeGdknpp32.exeDbjkkl32.exeIgdgglfl.exeAnclbkbp.exeBochmn32.exeEiloco32.exeJlbejloe.exePpdbgncl.exeAlqjpi32.exePehngkcg.exeDeqcbpld.exePmblagmf.exeHpmhdmea.exeQcnjijoe.exeBjhkmbho.exeDjqblj32.exeEclmamod.exeKcpjnjii.exeKidben32.exeCjjlkk32.exeCfqmpl32.exeIkpjbq32.exeMalpia32.exeEbimgcfi.exeBkdcbd32.exeCkilmcgb.exeOkjnnj32.exeKemhei32.exeDkndie32.exeJgkdbacp.exePlbfdekd.exeGqpapacd.exeCbgnemjj.exeEqmlccdi.exeBhpofl32.exeMlljnf32.exeLddgmbpb.exeOplfkeob.exeEgcaod32.exedescription ioc process Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ldipha32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Alkijdci.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Blqllqqa.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ooibkpmi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ccppmc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gdiakp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gdcliikj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hmpjmn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ponfka32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Flkdfh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dckdjomg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ffclcgfn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ajmladbl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ijpepcfj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pmpolgoi.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Geanfelc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ljpaqmgb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fffhifdk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cmnnimak.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Loighj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gdknpp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dbjkkl32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Igdgglfl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Anclbkbp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bochmn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eiloco32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jlbejloe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ppdbgncl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Alqjpi32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pehngkcg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Deqcbpld.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pmblagmf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hpmhdmea.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Qcnjijoe.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bjhkmbho.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Djqblj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Eclmamod.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kcpjnjii.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kidben32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cjjlkk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cfqmpl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ikpjbq32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Malpia32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ebimgcfi.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bkdcbd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ckilmcgb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Okjnnj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kemhei32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dkndie32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jgkdbacp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Plbfdekd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gqpapacd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cbgnemjj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Eqmlccdi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bhpofl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mlljnf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lddgmbpb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oplfkeob.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Egcaod32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" -
Berbew family
-
Executes dropped EXE 64 IoCs
Processes:
Okgaijaj.exeOaajed32.exeOihagaji.exeOkjnnj32.exeOiknlagg.exeOhnohn32.exeOlijhmgj.exeOafcqcea.exeOimkbaed.exePllgnl32.exePahpfc32.exePiphgq32.exePlndcl32.exePibdmp32.exePhedhmhi.exePoomegpf.exePamiaboj.exePeieba32.exePlbmokop.exePekbga32.exePifnhpmi.exePlejdkmm.exePcobaedj.exePabblb32.exeQhlkilba.exeQofcff32.exeQadoba32.exeQikgco32.exeQkmdkgob.exeQcclld32.exeAjndioga.exeAhqddk32.exeAojlaeei.exeAeddnp32.exeAhcajk32.exeAkamff32.exeAchegd32.exeAfgacokc.exeAjbmdn32.exeAlqjpi32.exeAkcjkfij.exeAckbmcjl.exeAfinioip.exeAhgjejhd.exeAkffafgg.exeAoabad32.exeAbponp32.exeAfkknogn.exeAhjgjj32.exeAleckinj.exeAkhcfe32.exeAcokhc32.exeAbbkcpma.exeBjicdmmd.exeBhldpj32.exeBkkple32.exeBoflmdkk.exeBbdhiojo.exeBfpdin32.exeBkmmaeap.exeBbgeno32.exeBjnmpl32.exeBmlilh32.exeBkoigdom.exepid process 4604 Okgaijaj.exe 2664 Oaajed32.exe 1848 Oihagaji.exe 1008 Okjnnj32.exe 208 Oiknlagg.exe 2868 Ohnohn32.exe 764 Olijhmgj.exe 4328 Oafcqcea.exe 4700 Oimkbaed.exe 544 Pllgnl32.exe 1380 Pahpfc32.exe 460 Piphgq32.exe 1476 Plndcl32.exe 3132 Pibdmp32.exe 2356 Phedhmhi.exe 2908 Poomegpf.exe 388 Pamiaboj.exe 2584 Peieba32.exe 2552 Plbmokop.exe 2088 Pekbga32.exe 1644 Pifnhpmi.exe 4836 Plejdkmm.exe 1756 Pcobaedj.exe 3476 Pabblb32.exe 1840 Qhlkilba.exe 3432 Qofcff32.exe 1188 Qadoba32.exe 3692 Qikgco32.exe 4880 Qkmdkgob.exe 436 Qcclld32.exe 3956 Ajndioga.exe 840 Ahqddk32.exe 4672 Aojlaeei.exe 1904 Aeddnp32.exe 2164 Ahcajk32.exe 4944 Akamff32.exe 4652 Achegd32.exe 1160 Afgacokc.exe 3088 Ajbmdn32.exe 3568 Alqjpi32.exe 4496 Akcjkfij.exe 4376 Ackbmcjl.exe 2280 Afinioip.exe 1564 Ahgjejhd.exe 1608 Akffafgg.exe 4080 Aoabad32.exe 392 Abponp32.exe 4492 Afkknogn.exe 2172 Ahjgjj32.exe 872 Aleckinj.exe 4372 Akhcfe32.exe 4148 Acokhc32.exe 2480 Abbkcpma.exe 2184 Bjicdmmd.exe 4588 Bhldpj32.exe 2224 Bkkple32.exe 3656 Boflmdkk.exe 1264 Bbdhiojo.exe 2540 Bfpdin32.exe 532 Bkmmaeap.exe 4000 Bbgeno32.exe 2896 Bjnmpl32.exe 228 Bmlilh32.exe 1892 Bkoigdom.exe -
Drops file in System32 directory 64 IoCs
Processes:
Kgninn32.exeIebngial.exeOkgaijaj.exePoomegpf.exeFfobhg32.exeGdobnj32.exeHlegnjbm.exeIlmmni32.exeDkndie32.exeNiojoeel.exeEddnic32.exeMmbanbmg.exeFihnomjp.exeJcdjbk32.exeJnpjlajn.exeNkcmjlio.exeIbqnkh32.exeQmdblp32.exeDlkbjqgm.exeKglmio32.exeNnbnhedj.exeEkmhejao.exeHbhboolf.exeHiipmhmk.exeDdmhhd32.exeBpkdjofm.exeBjbfklei.exeHbhijepa.exeJdodkebj.exeBnfihkqm.exeEiokinbk.exeEejeiocj.exeHbenoi32.exeNimmifgo.exeDjjebh32.exeEjchhgid.exeGojiiafp.exeHedafk32.exeQhhpop32.exeEgkddo32.exeEjagaj32.exeIcachjbb.exeKidben32.exeOqhoeb32.exeDmoohe32.exeGlgjlm32.exePkpmdbfd.exeEokqkh32.exeEnpfan32.exeHbnaeh32.exeOpbean32.exeJhkljfok.exeDbocfo32.exeGeanfelc.exeKefiopki.exeCmpjoloh.exeMhiabbdi.exeOqoefand.exeAbfdpfaj.exeBmlilh32.exeKmkbfeab.exedescription ioc process File opened for modification C:\Windows\SysWOW64\Kjmfjj32.exe Kgninn32.exe File created C:\Windows\SysWOW64\Iojbpo32.exe Iebngial.exe File created C:\Windows\SysWOW64\Oaajed32.exe Okgaijaj.exe File created C:\Windows\SysWOW64\Pamiaboj.exe Poomegpf.exe File created C:\Windows\SysWOW64\Fjjnifbl.exe Ffobhg32.exe File opened for modification C:\Windows\SysWOW64\Gfmojenc.exe Gdobnj32.exe File created C:\Windows\SysWOW64\Mknjbg32.dll Hlegnjbm.exe File opened for modification C:\Windows\SysWOW64\Idcepgmg.exe Ilmmni32.exe File created C:\Windows\SysWOW64\Dahmfpap.exe Dkndie32.exe File created C:\Windows\SysWOW64\Ocgjojai.dll Niojoeel.exe File created C:\Windows\SysWOW64\Egbken32.exe Eddnic32.exe File created C:\Windows\SysWOW64\Bomfgoah.dll Mmbanbmg.exe File created C:\Windows\SysWOW64\Flfkkhid.exe Fihnomjp.exe File created C:\Windows\SysWOW64\Hpidaqmj.dll Jcdjbk32.exe File created C:\Windows\SysWOW64\Mnpkiqbe.dll Jnpjlajn.exe File opened for modification C:\Windows\SysWOW64\Ncjdki32.exe Nkcmjlio.exe File created C:\Windows\SysWOW64\Ieojgc32.exe Ibqnkh32.exe File created C:\Windows\SysWOW64\Pafpga32.dll Qmdblp32.exe File opened for modification C:\Windows\SysWOW64\Eiobceef.exe Dlkbjqgm.exe File created C:\Windows\SysWOW64\Kqdaadln.exe Kglmio32.exe File opened for modification C:\Windows\SysWOW64\Nelfeo32.exe Nnbnhedj.exe File opened for modification C:\Windows\SysWOW64\Eoideh32.exe Ekmhejao.exe File created C:\Windows\SysWOW64\Hlpfhe32.exe Hbhboolf.exe File opened for modification C:\Windows\SysWOW64\Ibaeen32.exe Hiipmhmk.exe File created C:\Windows\SysWOW64\Egkddo32.exe Ddmhhd32.exe File created C:\Windows\SysWOW64\Bkphhgfc.exe Bpkdjofm.exe File created C:\Windows\SysWOW64\Cjpqjh32.dll Bjbfklei.exe File created C:\Windows\SysWOW64\Backpf32.dll Hbhijepa.exe File created C:\Windows\SysWOW64\Ldcadhpd.dll Jdodkebj.exe File created C:\Windows\SysWOW64\Boeebnhp.exe Bnfihkqm.exe File created C:\Windows\SysWOW64\Lfipab32.dll Eiokinbk.exe File created C:\Windows\SysWOW64\Emanjldl.exe Eejeiocj.exe File created C:\Windows\SysWOW64\Hecjke32.exe Hbenoi32.exe File created C:\Windows\SysWOW64\Jclnjo32.dll Nimmifgo.exe File created C:\Windows\SysWOW64\Dmhand32.exe Djjebh32.exe File created C:\Windows\SysWOW64\Embddb32.exe Ejchhgid.exe File opened for modification C:\Windows\SysWOW64\Jgnqgqan.exe Jdodkebj.exe File created C:\Windows\SysWOW64\Lfebfnqn.dll Gojiiafp.exe File opened for modification C:\Windows\SysWOW64\Hbhboolf.exe Hedafk32.exe File opened for modification C:\Windows\SysWOW64\Qpcecb32.exe Qhhpop32.exe File opened for modification C:\Windows\SysWOW64\Ekgqennl.exe Egkddo32.exe File opened for modification C:\Windows\SysWOW64\Eahobg32.exe Ejagaj32.exe File created C:\Windows\SysWOW64\Iojnef32.dll Icachjbb.exe File created C:\Windows\SysWOW64\Oijflc32.dll File opened for modification C:\Windows\SysWOW64\Klbnajqc.exe Kidben32.exe File created C:\Windows\SysWOW64\Ghaeocdd.dll Oqhoeb32.exe File created C:\Windows\SysWOW64\Dpnkdq32.exe Dmoohe32.exe File created C:\Windows\SysWOW64\Ifhahnbj.dll Glgjlm32.exe File created C:\Windows\SysWOW64\Hnnhejgh.dll Pkpmdbfd.exe File opened for modification C:\Windows\SysWOW64\Ebimgcfi.exe Eokqkh32.exe File created C:\Windows\SysWOW64\Eghkjdoa.exe Enpfan32.exe File opened for modification C:\Windows\SysWOW64\Hemmac32.exe Hbnaeh32.exe File created C:\Windows\SysWOW64\Obqanjdb.exe Opbean32.exe File opened for modification C:\Windows\SysWOW64\Jjihfbno.exe Jhkljfok.exe File created C:\Windows\SysWOW64\Dhikci32.exe Dbocfo32.exe File created C:\Windows\SysWOW64\Ghojbq32.exe Geanfelc.exe File opened for modification C:\Windows\SysWOW64\Kheekkjl.exe Kefiopki.exe File created C:\Windows\SysWOW64\Cdjblf32.exe Cmpjoloh.exe File created C:\Windows\SysWOW64\Eoggpbpn.dll Mhiabbdi.exe File created C:\Windows\SysWOW64\Pmhkflnj.exe File created C:\Windows\SysWOW64\Opbean32.exe Oqoefand.exe File created C:\Windows\SysWOW64\Ajmladbl.exe Abfdpfaj.exe File opened for modification C:\Windows\SysWOW64\Bkoigdom.exe Bmlilh32.exe File created C:\Windows\SysWOW64\Lafnnj32.dll Kmkbfeab.exe -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
Fideeaco.exePhedhmhi.exeEoepebho.exeDbpjaeoc.exeFecadghc.exeGgmmlamj.exeNhegig32.exeNiojoeel.exeEnfckp32.exeHlambk32.exeOanokhdb.exeEgegjn32.exeKkbkmqed.exeLaffpi32.exeHibafp32.exeQjffpe32.exeMjokgg32.exeAkffafgg.exeHplicjok.exeAdjjeieh.exePoomegpf.exeIgpdfb32.exeHpfbcn32.exeKefiopki.exeDcnlnaom.exeFlinkojm.exeEejeiocj.exeEkjded32.exeNeqopnhb.exeKgninn32.exeLdgccb32.exeOaqbkn32.exePpgegd32.exeAaoaic32.exeLeoejh32.exePiphgq32.exeKadpdp32.exeJknfcofa.exeHmlpaoaj.exeMgobel32.exeBpedeiff.exeCfqmpl32.exeEmoadlfo.exeEbfign32.exeHicpgc32.exeJnbgaa32.exeCmjemflb.exeLnmkfh32.exeFkcpql32.exeAkcjkfij.exeNelfeo32.exeGpaihooo.exeBphqji32.exeCmpjoloh.exeMaaekg32.exeBhldpj32.exeHcblpdgg.exeLdipha32.exeLkiamp32.exeDlkbjqgm.exeGaloohke.exeAfhfaddk.exedescription ioc process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fideeaco.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Phedhmhi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eoepebho.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dbpjaeoc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fecadghc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ggmmlamj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nhegig32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Niojoeel.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Enfckp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hlambk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oanokhdb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Egegjn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kkbkmqed.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Laffpi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hibafp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qjffpe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mjokgg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Akffafgg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hplicjok.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Adjjeieh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Poomegpf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Igpdfb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hpfbcn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kefiopki.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dcnlnaom.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Flinkojm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eejeiocj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ekjded32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Neqopnhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kgninn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ldgccb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oaqbkn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ppgegd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aaoaic32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Leoejh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Piphgq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kadpdp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jknfcofa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hmlpaoaj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mgobel32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bpedeiff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cfqmpl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Emoadlfo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ebfign32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hicpgc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jnbgaa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cmjemflb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lnmkfh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fkcpql32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Akcjkfij.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nelfeo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gpaihooo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bphqji32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cmpjoloh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Maaekg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bhldpj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hcblpdgg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ldipha32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lkiamp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dlkbjqgm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Galoohke.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Afhfaddk.exe -
Modifies registry class 64 IoCs
Processes:
Hlcjhkdp.exeQpcecb32.exeIbdplaho.exePjjfdfbb.exeAoabad32.exeDfdpad32.exeDeqcbpld.exeMmhgmmbf.exeAggpfkjj.exeCnjdpaki.exeGmbmkpie.exeIialhaad.exeJpgdai32.exeQclmck32.exeJgnqgqan.exeOaqbkn32.exeDbpjaeoc.exeIeccbbkn.exeHeepfn32.exePhigif32.exePmblagmf.exeBpqjjjjl.exeGdgdeppb.exeDfglfdkb.exeDdnfmqng.exeQofcff32.exeAhcajk32.exeCkfphc32.exeHdhedh32.exeHdokdg32.exeMadjhb32.exeEblimcdf.exeEdbiniff.exeMjnnbk32.exeDgpeha32.exeAlqjpi32.exeLjpaqmgb.exeKbnlim32.exeLlimgb32.exeJddiegbm.exeKoljgppp.exeHcpojd32.exeNnfgcd32.exeAkccap32.exeLjnlecmp.exeAknbkjfh.exeJjihfbno.exeMahklf32.exeNheqnpjk.exebe925f50b7b51a2ce19d778ad81e7e22c2868c6af6da9c55f8f60719639795abN.exeBmlilh32.exeCmjemflb.exeIljpij32.exeHpioin32.exeEgpnooan.exeAaoaic32.exeLikhem32.exeMaaekg32.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hlcjhkdp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Qpcecb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ibdplaho.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Haafdi32.dll" Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pjjfdfbb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Honmnc32.dll" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Igliicdk.dll" Aoabad32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Angdnk32.dll" Dfdpad32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Npdpachh.dll" Deqcbpld.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mmhgmmbf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Aggpfkjj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mnpofk32.dll" Cnjdpaki.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Gmbmkpie.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Iialhaad.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jpgdai32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bcomgibl.dll" Qclmck32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jgnqgqan.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhghaf32.dll" Oaqbkn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dbpjaeoc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ieccbbkn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Heepfn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihbjebjh.dll" Phigif32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pmblagmf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Caaimlpo.dll" Bpqjjjjl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Gdgdeppb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dfglfdkb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hhjamhbn.dll" Ddnfmqng.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fdlgcl32.dll" Qofcff32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ahcajk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ieneofbo.dll" Ckfphc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hdhedh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ooaafghm.dll" Hdokdg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odgpqgeo.dll" Madjhb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Eblimcdf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Edbiniff.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dlqgpnjq.dll" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mjnnbk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dgpeha32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdhfnche.dll" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nonhbi32.dll" Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Alqjpi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eeeaodnk.dll" Ljpaqmgb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kbnlim32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Llimgb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jddiegbm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Koljgppp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hcpojd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jebiel32.dll" Nnfgcd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Akccap32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ljnlecmp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Aknbkjfh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jjihfbno.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mahklf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kpdejagg.dll" Nheqnpjk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717} be925f50b7b51a2ce19d778ad81e7e22c2868c6af6da9c55f8f60719639795abN.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bmlilh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cmjemflb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Keaebdpc.dll" Iljpij32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Blnfhilh.dll" Hpioin32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Binfdh32.dll" Egpnooan.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Aaoaic32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Likhem32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cdghfg32.dll" Maaekg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hmmppdij.dll" -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
be925f50b7b51a2ce19d778ad81e7e22c2868c6af6da9c55f8f60719639795abN.exeOkgaijaj.exeOaajed32.exeOihagaji.exeOkjnnj32.exeOiknlagg.exeOhnohn32.exeOlijhmgj.exeOafcqcea.exeOimkbaed.exePllgnl32.exePahpfc32.exePiphgq32.exePlndcl32.exePibdmp32.exePhedhmhi.exePoomegpf.exePamiaboj.exePeieba32.exePlbmokop.exePekbga32.exePifnhpmi.exedescription pid process target process PID 4920 wrote to memory of 4604 4920 be925f50b7b51a2ce19d778ad81e7e22c2868c6af6da9c55f8f60719639795abN.exe Okgaijaj.exe PID 4920 wrote to memory of 4604 4920 be925f50b7b51a2ce19d778ad81e7e22c2868c6af6da9c55f8f60719639795abN.exe Okgaijaj.exe PID 4920 wrote to memory of 4604 4920 be925f50b7b51a2ce19d778ad81e7e22c2868c6af6da9c55f8f60719639795abN.exe Okgaijaj.exe PID 4604 wrote to memory of 2664 4604 Okgaijaj.exe Oaajed32.exe PID 4604 wrote to memory of 2664 4604 Okgaijaj.exe Oaajed32.exe PID 4604 wrote to memory of 2664 4604 Okgaijaj.exe Oaajed32.exe PID 2664 wrote to memory of 1848 2664 Oaajed32.exe Oihagaji.exe PID 2664 wrote to memory of 1848 2664 Oaajed32.exe Oihagaji.exe PID 2664 wrote to memory of 1848 2664 Oaajed32.exe Oihagaji.exe PID 1848 wrote to memory of 1008 1848 Oihagaji.exe Okjnnj32.exe PID 1848 wrote to memory of 1008 1848 Oihagaji.exe Okjnnj32.exe PID 1848 wrote to memory of 1008 1848 Oihagaji.exe Okjnnj32.exe PID 1008 wrote to memory of 208 1008 Okjnnj32.exe Oiknlagg.exe PID 1008 wrote to memory of 208 1008 Okjnnj32.exe Oiknlagg.exe PID 1008 wrote to memory of 208 1008 Okjnnj32.exe Oiknlagg.exe PID 208 wrote to memory of 2868 208 Oiknlagg.exe Ohnohn32.exe PID 208 wrote to memory of 2868 208 Oiknlagg.exe Ohnohn32.exe PID 208 wrote to memory of 2868 208 Oiknlagg.exe Ohnohn32.exe PID 2868 wrote to memory of 764 2868 Ohnohn32.exe Olijhmgj.exe PID 2868 wrote to memory of 764 2868 Ohnohn32.exe Olijhmgj.exe PID 2868 wrote to memory of 764 2868 Ohnohn32.exe Olijhmgj.exe PID 764 wrote to memory of 4328 764 Olijhmgj.exe Oafcqcea.exe PID 764 wrote to memory of 4328 764 Olijhmgj.exe Oafcqcea.exe PID 764 wrote to memory of 4328 764 Olijhmgj.exe Oafcqcea.exe PID 4328 wrote to memory of 4700 4328 Oafcqcea.exe Oimkbaed.exe PID 4328 wrote to memory of 4700 4328 Oafcqcea.exe Oimkbaed.exe PID 4328 wrote to memory of 4700 4328 Oafcqcea.exe Oimkbaed.exe PID 4700 wrote to memory of 544 4700 Oimkbaed.exe Pllgnl32.exe PID 4700 wrote to memory of 544 4700 Oimkbaed.exe Pllgnl32.exe PID 4700 wrote to memory of 544 4700 Oimkbaed.exe Pllgnl32.exe PID 544 wrote to memory of 1380 544 Pllgnl32.exe Pahpfc32.exe PID 544 wrote to memory of 1380 544 Pllgnl32.exe Pahpfc32.exe PID 544 wrote to memory of 1380 544 Pllgnl32.exe Pahpfc32.exe PID 1380 wrote to memory of 460 1380 Pahpfc32.exe Piphgq32.exe PID 1380 wrote to memory of 460 1380 Pahpfc32.exe Piphgq32.exe PID 1380 wrote to memory of 460 1380 Pahpfc32.exe Piphgq32.exe PID 460 wrote to memory of 1476 460 Piphgq32.exe Plndcl32.exe PID 460 wrote to memory of 1476 460 Piphgq32.exe Plndcl32.exe PID 460 wrote to memory of 1476 460 Piphgq32.exe Plndcl32.exe PID 1476 wrote to memory of 3132 1476 Plndcl32.exe Pibdmp32.exe PID 1476 wrote to memory of 3132 1476 Plndcl32.exe Pibdmp32.exe PID 1476 wrote to memory of 3132 1476 Plndcl32.exe Pibdmp32.exe PID 3132 wrote to memory of 2356 3132 Pibdmp32.exe Phedhmhi.exe PID 3132 wrote to memory of 2356 3132 Pibdmp32.exe Phedhmhi.exe PID 3132 wrote to memory of 2356 3132 Pibdmp32.exe Phedhmhi.exe PID 2356 wrote to memory of 2908 2356 Phedhmhi.exe Poomegpf.exe PID 2356 wrote to memory of 2908 2356 Phedhmhi.exe Poomegpf.exe PID 2356 wrote to memory of 2908 2356 Phedhmhi.exe Poomegpf.exe PID 2908 wrote to memory of 388 2908 Poomegpf.exe Pamiaboj.exe PID 2908 wrote to memory of 388 2908 Poomegpf.exe Pamiaboj.exe PID 2908 wrote to memory of 388 2908 Poomegpf.exe Pamiaboj.exe PID 388 wrote to memory of 2584 388 Pamiaboj.exe Peieba32.exe PID 388 wrote to memory of 2584 388 Pamiaboj.exe Peieba32.exe PID 388 wrote to memory of 2584 388 Pamiaboj.exe Peieba32.exe PID 2584 wrote to memory of 2552 2584 Peieba32.exe Plbmokop.exe PID 2584 wrote to memory of 2552 2584 Peieba32.exe Plbmokop.exe PID 2584 wrote to memory of 2552 2584 Peieba32.exe Plbmokop.exe PID 2552 wrote to memory of 2088 2552 Plbmokop.exe Pekbga32.exe PID 2552 wrote to memory of 2088 2552 Plbmokop.exe Pekbga32.exe PID 2552 wrote to memory of 2088 2552 Plbmokop.exe Pekbga32.exe PID 2088 wrote to memory of 1644 2088 Pekbga32.exe Pifnhpmi.exe PID 2088 wrote to memory of 1644 2088 Pekbga32.exe Pifnhpmi.exe PID 2088 wrote to memory of 1644 2088 Pekbga32.exe Pifnhpmi.exe PID 1644 wrote to memory of 4836 1644 Pifnhpmi.exe Plejdkmm.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\be925f50b7b51a2ce19d778ad81e7e22c2868c6af6da9c55f8f60719639795abN.exe"C:\Users\Admin\AppData\Local\Temp\be925f50b7b51a2ce19d778ad81e7e22c2868c6af6da9c55f8f60719639795abN.exe"1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4920 -
C:\Windows\SysWOW64\Okgaijaj.exeC:\Windows\system32\Okgaijaj.exe2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4604 -
C:\Windows\SysWOW64\Oaajed32.exeC:\Windows\system32\Oaajed32.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2664 -
C:\Windows\SysWOW64\Oihagaji.exeC:\Windows\system32\Oihagaji.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1848 -
C:\Windows\SysWOW64\Okjnnj32.exeC:\Windows\system32\Okjnnj32.exe5⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1008 -
C:\Windows\SysWOW64\Oiknlagg.exeC:\Windows\system32\Oiknlagg.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:208 -
C:\Windows\SysWOW64\Ohnohn32.exeC:\Windows\system32\Ohnohn32.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2868 -
C:\Windows\SysWOW64\Olijhmgj.exeC:\Windows\system32\Olijhmgj.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:764 -
C:\Windows\SysWOW64\Oafcqcea.exeC:\Windows\system32\Oafcqcea.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4328 -
C:\Windows\SysWOW64\Oimkbaed.exeC:\Windows\system32\Oimkbaed.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4700 -
C:\Windows\SysWOW64\Pllgnl32.exeC:\Windows\system32\Pllgnl32.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:544 -
C:\Windows\SysWOW64\Pahpfc32.exeC:\Windows\system32\Pahpfc32.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1380 -
C:\Windows\SysWOW64\Piphgq32.exeC:\Windows\system32\Piphgq32.exe13⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:460 -
C:\Windows\SysWOW64\Plndcl32.exeC:\Windows\system32\Plndcl32.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1476 -
C:\Windows\SysWOW64\Pibdmp32.exeC:\Windows\system32\Pibdmp32.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3132 -
C:\Windows\SysWOW64\Phedhmhi.exeC:\Windows\system32\Phedhmhi.exe16⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2356 -
C:\Windows\SysWOW64\Poomegpf.exeC:\Windows\system32\Poomegpf.exe17⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2908 -
C:\Windows\SysWOW64\Pamiaboj.exeC:\Windows\system32\Pamiaboj.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:388 -
C:\Windows\SysWOW64\Peieba32.exeC:\Windows\system32\Peieba32.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2584 -
C:\Windows\SysWOW64\Plbmokop.exeC:\Windows\system32\Plbmokop.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2552 -
C:\Windows\SysWOW64\Pekbga32.exeC:\Windows\system32\Pekbga32.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2088 -
C:\Windows\SysWOW64\Pifnhpmi.exeC:\Windows\system32\Pifnhpmi.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1644 -
C:\Windows\SysWOW64\Plejdkmm.exeC:\Windows\system32\Plejdkmm.exe23⤵
- Executes dropped EXE
PID:4836 -
C:\Windows\SysWOW64\Pcobaedj.exeC:\Windows\system32\Pcobaedj.exe24⤵
- Executes dropped EXE
PID:1756 -
C:\Windows\SysWOW64\Pabblb32.exeC:\Windows\system32\Pabblb32.exe25⤵
- Executes dropped EXE
PID:3476 -
C:\Windows\SysWOW64\Qhlkilba.exeC:\Windows\system32\Qhlkilba.exe26⤵
- Executes dropped EXE
PID:1840 -
C:\Windows\SysWOW64\Qofcff32.exeC:\Windows\system32\Qofcff32.exe27⤵
- Executes dropped EXE
- Modifies registry class
PID:3432 -
C:\Windows\SysWOW64\Qadoba32.exeC:\Windows\system32\Qadoba32.exe28⤵
- Executes dropped EXE
PID:1188 -
C:\Windows\SysWOW64\Qikgco32.exeC:\Windows\system32\Qikgco32.exe29⤵
- Executes dropped EXE
PID:3692 -
C:\Windows\SysWOW64\Qkmdkgob.exeC:\Windows\system32\Qkmdkgob.exe30⤵
- Executes dropped EXE
PID:4880 -
C:\Windows\SysWOW64\Qcclld32.exeC:\Windows\system32\Qcclld32.exe31⤵
- Executes dropped EXE
PID:436 -
C:\Windows\SysWOW64\Ajndioga.exeC:\Windows\system32\Ajndioga.exe32⤵
- Executes dropped EXE
PID:3956 -
C:\Windows\SysWOW64\Ahqddk32.exeC:\Windows\system32\Ahqddk32.exe33⤵
- Executes dropped EXE
PID:840 -
C:\Windows\SysWOW64\Aojlaeei.exeC:\Windows\system32\Aojlaeei.exe34⤵
- Executes dropped EXE
PID:4672 -
C:\Windows\SysWOW64\Aeddnp32.exeC:\Windows\system32\Aeddnp32.exe35⤵
- Executes dropped EXE
PID:1904 -
C:\Windows\SysWOW64\Ahcajk32.exeC:\Windows\system32\Ahcajk32.exe36⤵
- Executes dropped EXE
- Modifies registry class
PID:2164 -
C:\Windows\SysWOW64\Akamff32.exeC:\Windows\system32\Akamff32.exe37⤵
- Executes dropped EXE
PID:4944 -
C:\Windows\SysWOW64\Achegd32.exeC:\Windows\system32\Achegd32.exe38⤵
- Executes dropped EXE
PID:4652 -
C:\Windows\SysWOW64\Afgacokc.exeC:\Windows\system32\Afgacokc.exe39⤵
- Executes dropped EXE
PID:1160 -
C:\Windows\SysWOW64\Ajbmdn32.exeC:\Windows\system32\Ajbmdn32.exe40⤵
- Executes dropped EXE
PID:3088 -
C:\Windows\SysWOW64\Alqjpi32.exeC:\Windows\system32\Alqjpi32.exe41⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:3568 -
C:\Windows\SysWOW64\Akcjkfij.exeC:\Windows\system32\Akcjkfij.exe42⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4496 -
C:\Windows\SysWOW64\Ackbmcjl.exeC:\Windows\system32\Ackbmcjl.exe43⤵
- Executes dropped EXE
PID:4376 -
C:\Windows\SysWOW64\Afinioip.exeC:\Windows\system32\Afinioip.exe44⤵
- Executes dropped EXE
PID:2280 -
C:\Windows\SysWOW64\Ahgjejhd.exeC:\Windows\system32\Ahgjejhd.exe45⤵
- Executes dropped EXE
PID:1564 -
C:\Windows\SysWOW64\Akffafgg.exeC:\Windows\system32\Akffafgg.exe46⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1608 -
C:\Windows\SysWOW64\Aoabad32.exeC:\Windows\system32\Aoabad32.exe47⤵
- Executes dropped EXE
- Modifies registry class
PID:4080 -
C:\Windows\SysWOW64\Abponp32.exeC:\Windows\system32\Abponp32.exe48⤵
- Executes dropped EXE
PID:392 -
C:\Windows\SysWOW64\Afkknogn.exeC:\Windows\system32\Afkknogn.exe49⤵
- Executes dropped EXE
PID:4492 -
C:\Windows\SysWOW64\Ahjgjj32.exeC:\Windows\system32\Ahjgjj32.exe50⤵
- Executes dropped EXE
PID:2172 -
C:\Windows\SysWOW64\Aleckinj.exeC:\Windows\system32\Aleckinj.exe51⤵
- Executes dropped EXE
PID:872 -
C:\Windows\SysWOW64\Akhcfe32.exeC:\Windows\system32\Akhcfe32.exe52⤵
- Executes dropped EXE
PID:4372 -
C:\Windows\SysWOW64\Acokhc32.exeC:\Windows\system32\Acokhc32.exe53⤵
- Executes dropped EXE
PID:4148 -
C:\Windows\SysWOW64\Abbkcpma.exeC:\Windows\system32\Abbkcpma.exe54⤵
- Executes dropped EXE
PID:2480 -
C:\Windows\SysWOW64\Bjicdmmd.exeC:\Windows\system32\Bjicdmmd.exe55⤵
- Executes dropped EXE
PID:2184 -
C:\Windows\SysWOW64\Bhldpj32.exeC:\Windows\system32\Bhldpj32.exe56⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4588 -
C:\Windows\SysWOW64\Bkkple32.exeC:\Windows\system32\Bkkple32.exe57⤵
- Executes dropped EXE
PID:2224 -
C:\Windows\SysWOW64\Boflmdkk.exeC:\Windows\system32\Boflmdkk.exe58⤵
- Executes dropped EXE
PID:3656 -
C:\Windows\SysWOW64\Bbdhiojo.exeC:\Windows\system32\Bbdhiojo.exe59⤵
- Executes dropped EXE
PID:1264 -
C:\Windows\SysWOW64\Bfpdin32.exeC:\Windows\system32\Bfpdin32.exe60⤵
- Executes dropped EXE
PID:2540 -
C:\Windows\SysWOW64\Bkmmaeap.exeC:\Windows\system32\Bkmmaeap.exe61⤵
- Executes dropped EXE
PID:532 -
C:\Windows\SysWOW64\Bbgeno32.exeC:\Windows\system32\Bbgeno32.exe62⤵
- Executes dropped EXE
PID:4000 -
C:\Windows\SysWOW64\Bjnmpl32.exeC:\Windows\system32\Bjnmpl32.exe63⤵
- Executes dropped EXE
PID:2896 -
C:\Windows\SysWOW64\Bmlilh32.exeC:\Windows\system32\Bmlilh32.exe64⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:228 -
C:\Windows\SysWOW64\Bkoigdom.exeC:\Windows\system32\Bkoigdom.exe65⤵
- Executes dropped EXE
PID:1892 -
C:\Windows\SysWOW64\Bcfahbpo.exeC:\Windows\system32\Bcfahbpo.exe66⤵PID:3124
-
C:\Windows\SysWOW64\Bfendmoc.exeC:\Windows\system32\Bfendmoc.exe67⤵PID:812
-
C:\Windows\SysWOW64\Bjpjel32.exeC:\Windows\system32\Bjpjel32.exe68⤵PID:3100
-
C:\Windows\SysWOW64\Bmofagfp.exeC:\Windows\system32\Bmofagfp.exe69⤵PID:4568
-
C:\Windows\SysWOW64\Bombmcec.exeC:\Windows\system32\Bombmcec.exe70⤵PID:896
-
C:\Windows\SysWOW64\Bjbfklei.exeC:\Windows\system32\Bjbfklei.exe71⤵
- Drops file in System32 directory
PID:2192 -
C:\Windows\SysWOW64\Bkdcbd32.exeC:\Windows\system32\Bkdcbd32.exe72⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2556 -
C:\Windows\SysWOW64\Bbnkonbd.exeC:\Windows\system32\Bbnkonbd.exe73⤵PID:3584
-
C:\Windows\SysWOW64\Cihclh32.exeC:\Windows\system32\Cihclh32.exe74⤵PID:4356
-
C:\Windows\SysWOW64\Ckfphc32.exeC:\Windows\system32\Ckfphc32.exe75⤵
- Modifies registry class
PID:1196 -
C:\Windows\SysWOW64\Cbphdn32.exeC:\Windows\system32\Cbphdn32.exe76⤵PID:4520
-
C:\Windows\SysWOW64\Cijpahho.exeC:\Windows\system32\Cijpahho.exe77⤵PID:5012
-
C:\Windows\SysWOW64\Ckilmcgb.exeC:\Windows\system32\Ckilmcgb.exe78⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4980 -
C:\Windows\SysWOW64\Ccpdoqgd.exeC:\Windows\system32\Ccpdoqgd.exe79⤵PID:2260
-
C:\Windows\SysWOW64\Cbbdjm32.exeC:\Windows\system32\Cbbdjm32.exe80⤵PID:2208
-
C:\Windows\SysWOW64\Cjjlkk32.exeC:\Windows\system32\Cjjlkk32.exe81⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:220 -
C:\Windows\SysWOW64\Cmhigf32.exeC:\Windows\system32\Cmhigf32.exe82⤵PID:3676
-
C:\Windows\SysWOW64\Cofecami.exeC:\Windows\system32\Cofecami.exe83⤵PID:1484
-
C:\Windows\SysWOW64\Ccbadp32.exeC:\Windows\system32\Ccbadp32.exe84⤵PID:1296
-
C:\Windows\SysWOW64\Cfqmpl32.exeC:\Windows\system32\Cfqmpl32.exe85⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:928 -
C:\Windows\SysWOW64\Cmjemflb.exeC:\Windows\system32\Cmjemflb.exe86⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:4688 -
C:\Windows\SysWOW64\Ckmehb32.exeC:\Windows\system32\Ckmehb32.exe87⤵PID:2512
-
C:\Windows\SysWOW64\Cbgnemjj.exeC:\Windows\system32\Cbgnemjj.exe88⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1224 -
C:\Windows\SysWOW64\Cjnffjkl.exeC:\Windows\system32\Cjnffjkl.exe89⤵PID:4264
-
C:\Windows\SysWOW64\Cmmbbejp.exeC:\Windows\system32\Cmmbbejp.exe90⤵PID:2148
-
C:\Windows\SysWOW64\Coknoaic.exeC:\Windows\system32\Coknoaic.exe91⤵PID:3140
-
C:\Windows\SysWOW64\Dbjkkl32.exeC:\Windows\system32\Dbjkkl32.exe92⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:648 -
C:\Windows\SysWOW64\Djqblj32.exeC:\Windows\system32\Djqblj32.exe93⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1252 -
C:\Windows\SysWOW64\Dmoohe32.exeC:\Windows\system32\Dmoohe32.exe94⤵
- Drops file in System32 directory
PID:716 -
C:\Windows\SysWOW64\Dpnkdq32.exeC:\Windows\system32\Dpnkdq32.exe95⤵PID:1920
-
C:\Windows\SysWOW64\Dblgpl32.exeC:\Windows\system32\Dblgpl32.exe96⤵PID:4540
-
C:\Windows\SysWOW64\Dfgcakon.exeC:\Windows\system32\Dfgcakon.exe97⤵PID:3000
-
C:\Windows\SysWOW64\Difpmfna.exeC:\Windows\system32\Difpmfna.exe98⤵PID:4696
-
C:\Windows\SysWOW64\Dkdliame.exeC:\Windows\system32\Dkdliame.exe99⤵PID:2000
-
C:\Windows\SysWOW64\Dckdjomg.exeC:\Windows\system32\Dckdjomg.exe100⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4128 -
C:\Windows\SysWOW64\Dbndfl32.exeC:\Windows\system32\Dbndfl32.exe101⤵PID:2012
-
C:\Windows\SysWOW64\Dihlbf32.exeC:\Windows\system32\Dihlbf32.exe102⤵PID:2724
-
C:\Windows\SysWOW64\Dlghoa32.exeC:\Windows\system32\Dlghoa32.exe103⤵PID:3784
-
C:\Windows\SysWOW64\Dcnqpo32.exeC:\Windows\system32\Dcnqpo32.exe104⤵PID:5132
-
C:\Windows\SysWOW64\Dbqqkkbo.exeC:\Windows\system32\Dbqqkkbo.exe105⤵PID:5196
-
C:\Windows\SysWOW64\Djhimica.exeC:\Windows\system32\Djhimica.exe106⤵PID:5256
-
C:\Windows\SysWOW64\Dikihe32.exeC:\Windows\system32\Dikihe32.exe107⤵PID:5300
-
C:\Windows\SysWOW64\Dlieda32.exeC:\Windows\system32\Dlieda32.exe108⤵PID:5344
-
C:\Windows\SysWOW64\Dcpmen32.exeC:\Windows\system32\Dcpmen32.exe109⤵PID:5388
-
C:\Windows\SysWOW64\Dfoiaj32.exeC:\Windows\system32\Dfoiaj32.exe110⤵PID:5432
-
C:\Windows\SysWOW64\Djjebh32.exeC:\Windows\system32\Djjebh32.exe111⤵
- Drops file in System32 directory
PID:5476 -
C:\Windows\SysWOW64\Dmhand32.exeC:\Windows\system32\Dmhand32.exe112⤵PID:5520
-
C:\Windows\SysWOW64\Dlkbjqgm.exeC:\Windows\system32\Dlkbjqgm.exe113⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:5560 -
C:\Windows\SysWOW64\Eiobceef.exeC:\Windows\system32\Eiobceef.exe114⤵PID:5600
-
C:\Windows\SysWOW64\Emkndc32.exeC:\Windows\system32\Emkndc32.exe115⤵PID:5644
-
C:\Windows\SysWOW64\Ecefqnel.exeC:\Windows\system32\Ecefqnel.exe116⤵PID:5688
-
C:\Windows\SysWOW64\Ejoomhmi.exeC:\Windows\system32\Ejoomhmi.exe117⤵PID:5732
-
C:\Windows\SysWOW64\Emmkiclm.exeC:\Windows\system32\Emmkiclm.exe118⤵PID:5772
-
C:\Windows\SysWOW64\Eplgeokq.exeC:\Windows\system32\Eplgeokq.exe119⤵PID:5816
-
C:\Windows\SysWOW64\Ebjcajjd.exeC:\Windows\system32\Ebjcajjd.exe120⤵PID:5860
-
C:\Windows\SysWOW64\Ejalcgkg.exeC:\Windows\system32\Ejalcgkg.exe121⤵PID:5904
-
C:\Windows\SysWOW64\Eidlnd32.exeC:\Windows\system32\Eidlnd32.exe122⤵PID:5948
-
C:\Windows\SysWOW64\Elbhjp32.exeC:\Windows\system32\Elbhjp32.exe123⤵PID:5992
-
C:\Windows\SysWOW64\Eciplm32.exeC:\Windows\system32\Eciplm32.exe124⤵PID:6036
-
C:\Windows\SysWOW64\Efhlhh32.exeC:\Windows\system32\Efhlhh32.exe125⤵PID:6080
-
C:\Windows\SysWOW64\Ejchhgid.exeC:\Windows\system32\Ejchhgid.exe126⤵
- Drops file in System32 directory
PID:6124 -
C:\Windows\SysWOW64\Embddb32.exeC:\Windows\system32\Embddb32.exe127⤵PID:5144
-
C:\Windows\SysWOW64\Eleepoob.exeC:\Windows\system32\Eleepoob.exe128⤵PID:1896
-
C:\Windows\SysWOW64\Eclmamod.exeC:\Windows\system32\Eclmamod.exe129⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5328 -
C:\Windows\SysWOW64\Efjimhnh.exeC:\Windows\system32\Efjimhnh.exe130⤵PID:5400
-
C:\Windows\SysWOW64\Ejfeng32.exeC:\Windows\system32\Ejfeng32.exe131⤵PID:5472
-
C:\Windows\SysWOW64\Emdajb32.exeC:\Windows\system32\Emdajb32.exe132⤵PID:5372
-
C:\Windows\SysWOW64\Fpbmfn32.exeC:\Windows\system32\Fpbmfn32.exe133⤵PID:5624
-
C:\Windows\SysWOW64\Fcniglmb.exeC:\Windows\system32\Fcniglmb.exe134⤵PID:1688
-
C:\Windows\SysWOW64\Ffmfchle.exeC:\Windows\system32\Ffmfchle.exe135⤵PID:1052
-
C:\Windows\SysWOW64\Fjhacf32.exeC:\Windows\system32\Fjhacf32.exe136⤵PID:5740
-
C:\Windows\SysWOW64\Fikbocki.exeC:\Windows\system32\Fikbocki.exe137⤵PID:5808
-
C:\Windows\SysWOW64\Flinkojm.exeC:\Windows\system32\Flinkojm.exe138⤵
- System Location Discovery: System Language Discovery
PID:5872 -
C:\Windows\SysWOW64\Fpejlmcf.exeC:\Windows\system32\Fpejlmcf.exe139⤵PID:5936
-
C:\Windows\SysWOW64\Ffobhg32.exeC:\Windows\system32\Ffobhg32.exe140⤵
- Drops file in System32 directory
PID:6028 -
C:\Windows\SysWOW64\Fjjnifbl.exeC:\Windows\system32\Fjjnifbl.exe141⤵PID:6100
-
C:\Windows\SysWOW64\Fllkqn32.exeC:\Windows\system32\Fllkqn32.exe142⤵PID:5220
-
C:\Windows\SysWOW64\Fbfcmhpg.exeC:\Windows\system32\Fbfcmhpg.exe143⤵PID:5376
-
C:\Windows\SysWOW64\Fjmkoeqi.exeC:\Windows\system32\Fjmkoeqi.exe144⤵PID:5552
-
C:\Windows\SysWOW64\Fpjcgm32.exeC:\Windows\system32\Fpjcgm32.exe145⤵PID:1852
-
C:\Windows\SysWOW64\Fdepgkgj.exeC:\Windows\system32\Fdepgkgj.exe146⤵PID:5720
-
C:\Windows\SysWOW64\Ffclcgfn.exeC:\Windows\system32\Ffclcgfn.exe147⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5868 -
C:\Windows\SysWOW64\Fibhpbea.exeC:\Windows\system32\Fibhpbea.exe148⤵PID:6088
-
C:\Windows\SysWOW64\Flqdlnde.exeC:\Windows\system32\Flqdlnde.exe149⤵PID:5252
-
C:\Windows\SysWOW64\Fdglmkeg.exeC:\Windows\system32\Fdglmkeg.exe150⤵PID:5608
-
C:\Windows\SysWOW64\Fffhifdk.exeC:\Windows\system32\Fffhifdk.exe151⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4444 -
C:\Windows\SysWOW64\Fideeaco.exeC:\Windows\system32\Fideeaco.exe152⤵
- System Location Discovery: System Language Discovery
PID:6092 -
C:\Windows\SysWOW64\Gdjibj32.exeC:\Windows\system32\Gdjibj32.exe153⤵PID:5516
-
C:\Windows\SysWOW64\Gfheof32.exeC:\Windows\system32\Gfheof32.exe154⤵PID:5848
-
C:\Windows\SysWOW64\Gmbmkpie.exeC:\Windows\system32\Gmbmkpie.exe155⤵
- Modifies registry class
PID:5332 -
C:\Windows\SysWOW64\Gpqjglii.exeC:\Windows\system32\Gpqjglii.exe156⤵PID:5204
-
C:\Windows\SysWOW64\Gdlfhj32.exeC:\Windows\system32\Gdlfhj32.exe157⤵PID:5188
-
C:\Windows\SysWOW64\Gfkbde32.exeC:\Windows\system32\Gfkbde32.exe158⤵PID:6168
-
C:\Windows\SysWOW64\Gjfnedho.exeC:\Windows\system32\Gjfnedho.exe159⤵PID:6212
-
C:\Windows\SysWOW64\Gmdjapgb.exeC:\Windows\system32\Gmdjapgb.exe160⤵PID:6256
-
C:\Windows\SysWOW64\Glgjlm32.exeC:\Windows\system32\Glgjlm32.exe161⤵
- Drops file in System32 directory
PID:6300 -
C:\Windows\SysWOW64\Gdobnj32.exeC:\Windows\system32\Gdobnj32.exe162⤵
- Drops file in System32 directory
PID:6344 -
C:\Windows\SysWOW64\Gfmojenc.exeC:\Windows\system32\Gfmojenc.exe163⤵PID:6388
-
C:\Windows\SysWOW64\Gkhkjd32.exeC:\Windows\system32\Gkhkjd32.exe164⤵PID:6432
-
C:\Windows\SysWOW64\Gmggfp32.exeC:\Windows\system32\Gmggfp32.exe165⤵PID:6476
-
C:\Windows\SysWOW64\Gljgbllj.exeC:\Windows\system32\Gljgbllj.exe166⤵PID:6520
-
C:\Windows\SysWOW64\Gdaociml.exeC:\Windows\system32\Gdaociml.exe167⤵PID:6564
-
C:\Windows\SysWOW64\Gbdoof32.exeC:\Windows\system32\Gbdoof32.exe168⤵PID:6608
-
C:\Windows\SysWOW64\Gfokoelp.exeC:\Windows\system32\Gfokoelp.exe169⤵PID:6652
-
C:\Windows\SysWOW64\Gingkqkd.exeC:\Windows\system32\Gingkqkd.exe170⤵PID:6696
-
C:\Windows\SysWOW64\Gmiclo32.exeC:\Windows\system32\Gmiclo32.exe171⤵PID:6740
-
C:\Windows\SysWOW64\Gphphj32.exeC:\Windows\system32\Gphphj32.exe172⤵PID:6784
-
C:\Windows\SysWOW64\Gdcliikj.exeC:\Windows\system32\Gdcliikj.exe173⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6824 -
C:\Windows\SysWOW64\Gbfldf32.exeC:\Windows\system32\Gbfldf32.exe174⤵PID:6868
-
C:\Windows\SysWOW64\Ggahedjn.exeC:\Windows\system32\Ggahedjn.exe175⤵PID:6908
-
C:\Windows\SysWOW64\Gipdap32.exeC:\Windows\system32\Gipdap32.exe176⤵PID:6952
-
C:\Windows\SysWOW64\Hmlpaoaj.exeC:\Windows\system32\Hmlpaoaj.exe177⤵
- System Location Discovery: System Language Discovery
PID:6996 -
C:\Windows\SysWOW64\Hloqml32.exeC:\Windows\system32\Hloqml32.exe178⤵PID:7040
-
C:\Windows\SysWOW64\Hpjmnjqn.exeC:\Windows\system32\Hpjmnjqn.exe179⤵PID:7084
-
C:\Windows\SysWOW64\Hbhijepa.exeC:\Windows\system32\Hbhijepa.exe180⤵
- Drops file in System32 directory
PID:7128 -
C:\Windows\SysWOW64\Hgdejd32.exeC:\Windows\system32\Hgdejd32.exe181⤵PID:6060
-
C:\Windows\SysWOW64\Hkpqkcpd.exeC:\Windows\system32\Hkpqkcpd.exe182⤵PID:6208
-
C:\Windows\SysWOW64\Hibafp32.exeC:\Windows\system32\Hibafp32.exe183⤵
- System Location Discovery: System Language Discovery
PID:6284 -
C:\Windows\SysWOW64\Hlambk32.exeC:\Windows\system32\Hlambk32.exe184⤵
- System Location Discovery: System Language Discovery
PID:6352 -
C:\Windows\SysWOW64\Hplicjok.exeC:\Windows\system32\Hplicjok.exe185⤵
- System Location Discovery: System Language Discovery
PID:6420 -
C:\Windows\SysWOW64\Hdhedh32.exeC:\Windows\system32\Hdhedh32.exe186⤵
- Modifies registry class
PID:6488 -
C:\Windows\SysWOW64\Hgfapd32.exeC:\Windows\system32\Hgfapd32.exe187⤵PID:6560
-
C:\Windows\SysWOW64\Hienlpel.exeC:\Windows\system32\Hienlpel.exe188⤵PID:6624
-
C:\Windows\SysWOW64\Hmpjmn32.exeC:\Windows\system32\Hmpjmn32.exe189⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6704 -
C:\Windows\SysWOW64\Hlcjhkdp.exeC:\Windows\system32\Hlcjhkdp.exe190⤵
- Modifies registry class
PID:6768 -
C:\Windows\SysWOW64\Hpofii32.exeC:\Windows\system32\Hpofii32.exe191⤵PID:6836
-
C:\Windows\SysWOW64\Hcmbee32.exeC:\Windows\system32\Hcmbee32.exe192⤵PID:6904
-
C:\Windows\SysWOW64\Hginecde.exeC:\Windows\system32\Hginecde.exe193⤵PID:6116
-
C:\Windows\SysWOW64\Higjaoci.exeC:\Windows\system32\Higjaoci.exe194⤵PID:7048
-
C:\Windows\SysWOW64\Hmbfbn32.exeC:\Windows\system32\Hmbfbn32.exe195⤵PID:7116
-
C:\Windows\SysWOW64\Hlegnjbm.exeC:\Windows\system32\Hlegnjbm.exe196⤵
- Drops file in System32 directory
PID:6188 -
C:\Windows\SysWOW64\Hpabni32.exeC:\Windows\system32\Hpabni32.exe197⤵PID:6268
-
C:\Windows\SysWOW64\Hcpojd32.exeC:\Windows\system32\Hcpojd32.exe198⤵
- Modifies registry class
PID:6376 -
C:\Windows\SysWOW64\Hkfglb32.exeC:\Windows\system32\Hkfglb32.exe199⤵PID:6484
-
C:\Windows\SysWOW64\Hiiggoaf.exeC:\Windows\system32\Hiiggoaf.exe200⤵PID:6596
-
C:\Windows\SysWOW64\Hmechmip.exeC:\Windows\system32\Hmechmip.exe201⤵PID:6688
-
C:\Windows\SysWOW64\Hpcodihc.exeC:\Windows\system32\Hpcodihc.exe202⤵PID:6796
-
C:\Windows\SysWOW64\Hdokdg32.exeC:\Windows\system32\Hdokdg32.exe203⤵
- Modifies registry class
PID:6900 -
C:\Windows\SysWOW64\Hcblpdgg.exeC:\Windows\system32\Hcblpdgg.exe204⤵
- System Location Discovery: System Language Discovery
PID:7024 -
C:\Windows\SysWOW64\Hgmgqc32.exeC:\Windows\system32\Hgmgqc32.exe205⤵PID:7124
-
C:\Windows\SysWOW64\Hildmn32.exeC:\Windows\system32\Hildmn32.exe206⤵PID:6252
-
C:\Windows\SysWOW64\Iljpij32.exeC:\Windows\system32\Iljpij32.exe207⤵
- Modifies registry class
PID:6412 -
C:\Windows\SysWOW64\Ipflihfq.exeC:\Windows\system32\Ipflihfq.exe208⤵PID:6576
-
C:\Windows\SysWOW64\Idahjg32.exeC:\Windows\system32\Idahjg32.exe209⤵PID:6732
-
C:\Windows\SysWOW64\Icdheded.exeC:\Windows\system32\Icdheded.exe210⤵PID:6896
-
C:\Windows\SysWOW64\Igpdfb32.exeC:\Windows\system32\Igpdfb32.exe211⤵
- System Location Discovery: System Language Discovery
PID:7092 -
C:\Windows\SysWOW64\Iinqbn32.exeC:\Windows\system32\Iinqbn32.exe212⤵PID:6264
-
C:\Windows\SysWOW64\Injmcmej.exeC:\Windows\system32\Injmcmej.exe213⤵PID:6512
-
C:\Windows\SysWOW64\Ilmmni32.exeC:\Windows\system32\Ilmmni32.exe214⤵
- Drops file in System32 directory
PID:6776 -
C:\Windows\SysWOW64\Idcepgmg.exeC:\Windows\system32\Idcepgmg.exe215⤵PID:7036
-
C:\Windows\SysWOW64\Icfekc32.exeC:\Windows\system32\Icfekc32.exe216⤵PID:6364
-
C:\Windows\SysWOW64\Iknmla32.exeC:\Windows\system32\Iknmla32.exe217⤵PID:6820
-
C:\Windows\SysWOW64\Ijqmhnko.exeC:\Windows\system32\Ijqmhnko.exe218⤵PID:2728
-
C:\Windows\SysWOW64\Iloidijb.exeC:\Windows\system32\Iloidijb.exe219⤵PID:7112
-
C:\Windows\SysWOW64\Ipjedh32.exeC:\Windows\system32\Ipjedh32.exe220⤵PID:6864
-
C:\Windows\SysWOW64\Ikpjbq32.exeC:\Windows\system32\Ikpjbq32.exe221⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:7176 -
C:\Windows\SysWOW64\Innfnl32.exeC:\Windows\system32\Innfnl32.exe222⤵PID:7220
-
C:\Windows\SysWOW64\Ilafiihp.exeC:\Windows\system32\Ilafiihp.exe223⤵PID:7264
-
C:\Windows\SysWOW64\Idhnkf32.exeC:\Windows\system32\Idhnkf32.exe224⤵PID:7308
-
C:\Windows\SysWOW64\Icknfcol.exeC:\Windows\system32\Icknfcol.exe225⤵PID:7352
-
C:\Windows\SysWOW64\Ikbfgppo.exeC:\Windows\system32\Ikbfgppo.exe226⤵PID:7396
-
C:\Windows\SysWOW64\Ijegcm32.exeC:\Windows\system32\Ijegcm32.exe227⤵PID:7444
-
C:\Windows\SysWOW64\Ilccoh32.exeC:\Windows\system32\Ilccoh32.exe228⤵PID:7492
-
C:\Windows\SysWOW64\Ipoopgnf.exeC:\Windows\system32\Ipoopgnf.exe229⤵PID:7536
-
C:\Windows\SysWOW64\Icnklbmj.exeC:\Windows\system32\Icnklbmj.exe230⤵PID:7580
-
C:\Windows\SysWOW64\Igigla32.exeC:\Windows\system32\Igigla32.exe231⤵PID:7620
-
C:\Windows\SysWOW64\Ikdcmpnl.exeC:\Windows\system32\Ikdcmpnl.exe232⤵PID:7664
-
C:\Windows\SysWOW64\Jncoikmp.exeC:\Windows\system32\Jncoikmp.exe233⤵PID:7708
-
C:\Windows\SysWOW64\Jpaleglc.exeC:\Windows\system32\Jpaleglc.exe234⤵PID:7752
-
C:\Windows\SysWOW64\Jdmgfedl.exeC:\Windows\system32\Jdmgfedl.exe235⤵PID:7796
-
C:\Windows\SysWOW64\Jgkdbacp.exeC:\Windows\system32\Jgkdbacp.exe236⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:7840 -
C:\Windows\SysWOW64\Jkgpbp32.exeC:\Windows\system32\Jkgpbp32.exe237⤵PID:7884
-
C:\Windows\SysWOW64\Jjjpnlbd.exeC:\Windows\system32\Jjjpnlbd.exe238⤵PID:7928
-
C:\Windows\SysWOW64\Jlhljhbg.exeC:\Windows\system32\Jlhljhbg.exe239⤵PID:7972
-
C:\Windows\SysWOW64\Jpdhkf32.exeC:\Windows\system32\Jpdhkf32.exe240⤵PID:8016
-
C:\Windows\SysWOW64\Jdodkebj.exeC:\Windows\system32\Jdodkebj.exe241⤵
- Drops file in System32 directory
PID:8060 -
C:\Windows\SysWOW64\Jgnqgqan.exeC:\Windows\system32\Jgnqgqan.exe242⤵
- Modifies registry class
PID:8104