Analysis
-
max time kernel
93s -
max time network
94s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
10-11-2024 01:34
Behavioral task
behavioral1
Sample
ae56308137532b400f3771ddca3302ee8935ec41b2c5202a6deed79be130b91dN.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
ae56308137532b400f3771ddca3302ee8935ec41b2c5202a6deed79be130b91dN.exe
Resource
win10v2004-20241007-en
General
-
Target
ae56308137532b400f3771ddca3302ee8935ec41b2c5202a6deed79be130b91dN.exe
-
Size
181KB
-
MD5
3a9b381c115eb0b9568a56039c19df70
-
SHA1
b9226d5449ef9eede915607d304f2f8d77ec0dbd
-
SHA256
ae56308137532b400f3771ddca3302ee8935ec41b2c5202a6deed79be130b91d
-
SHA512
1993c337efd593e49640ec14f1e75b6c0d248f3ba52a89a8c9eba436f95d8654cd5386420ef4db9a3c92bc2986067968c1642b501a79956da2d61db779148a4e
-
SSDEEP
3072:IW15bVVOoIDrFDHZtOg5BOFyxZZhgyv3wDrFDHZtOgB:IWHV/A5tT5CABgkI5tTB
Malware Config
Extracted
berbew
http://tat-neftbank.ru/kkq.php
http://tat-neftbank.ru/wcmd.htm
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
Processes:
Meepdp32.exeFligqhga.exeNcchae32.exeCnindhpg.exeDmennnni.exeBkibgh32.exeIgajal32.exeGjdaodja.exeLddgmbpb.exeAnmfbl32.exeGimqajgh.exeIkkpgafg.exeOacoqnci.exeHefnkkkj.exeDomdjj32.exeFdqfll32.exePmcclm32.exeBadanigc.exeCponen32.exeIdahjg32.exeEbgpad32.exeGfeaopqo.exeHlepcdoa.exeNnfpinmi.exeKomhll32.exeLgbloglj.exeAdcjop32.exeLjhnlb32.exeAokkahlo.exeAajhndkb.exePfiddm32.exePmlmkn32.exeNmlddqem.exeNjkkbehl.exeOaplqh32.exePaiogf32.exeDpiplm32.exeEmoadlfo.exeOjomcopk.exeQodeajbg.exeFlqdlnde.exeKnfeeimj.exeLnmkfh32.exeChqogq32.exeHlglidlo.exeJdmgfedl.exeJlkipgpe.exeOakbehfe.exeCaageq32.exeGdobnj32.exeEblimcdf.exeFiodpl32.exeMcifkf32.exeOgekbb32.exeDmoohe32.exeDjjebh32.exeLfjfecno.exeGbofcghl.exeAnaomkdb.exeIipfmggc.exeCnaaib32.exeEblpgjha.exeJlmfeg32.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Meepdp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fligqhga.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ncchae32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cnindhpg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dmennnni.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bkibgh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Igajal32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gjdaodja.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lddgmbpb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Anmfbl32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gimqajgh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ikkpgafg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oacoqnci.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hefnkkkj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Domdjj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fdqfll32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pmcclm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Badanigc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cponen32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Idahjg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ebgpad32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gfeaopqo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hlepcdoa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nnfpinmi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Komhll32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lgbloglj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Adcjop32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ljhnlb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aokkahlo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aajhndkb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pfiddm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pmlmkn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nmlddqem.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Njkkbehl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gimqajgh.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oaplqh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Paiogf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dpiplm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Emoadlfo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ojomcopk.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qodeajbg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Flqdlnde.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Knfeeimj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lnmkfh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Chqogq32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hlglidlo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jdmgfedl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jlkipgpe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oakbehfe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Caageq32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gdobnj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eblimcdf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fiodpl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mcifkf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ogekbb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dmoohe32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Djjebh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lfjfecno.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gbofcghl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Anaomkdb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iipfmggc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cnaaib32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eblpgjha.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jlmfeg32.exe -
Berbew family
-
Executes dropped EXE 64 IoCs
Processes:
Ccgjopal.exeDmoohe32.exeDkbocbog.exeDfgcakon.exeDifpmfna.exeDpphjp32.exeDbndfl32.exeDihlbf32.exeDpbdopck.exeDbqqkkbo.exeDjhimica.exeDlieda32.exeDjjebh32.exeDlkbjqgm.exeEcbjkngo.exeEiobceef.exeEcefqnel.exeEjoomhmi.exeElpkep32.exeEfepbi32.exeEjalcgkg.exeElbhjp32.exeEblpgjha.exeEjchhgid.exeEppqqn32.exeEjfeng32.exeElgaeolp.exeFcniglmb.exeFikbocki.exeFdqfll32.exeFimodc32.exeFmikeaap.exeFpggamqc.exeFjmkoeqi.exeFipkjb32.exeFlngfn32.exeFdepgkgj.exeFfclcgfn.exeFibhpbea.exeFlqdlnde.exeFdglmkeg.exeFffhifdk.exeFideeaco.exeGpnmbl32.exeGdjibj32.exeGfheof32.exeGjdaodja.exeGmbmkpie.exeGpqjglii.exeGbofcghl.exeGiinpa32.exeGlgjlm32.exeGdobnj32.exeGfmojenc.exeGikkfqmf.exeGpecbk32.exeGbdoof32.exeGingkqkd.exeGmiclo32.exeGphphj32.exeGipdap32.exeHbhijepa.exeHibafp32.exeHckeoeno.exepid process 1600 Ccgjopal.exe 1516 Dmoohe32.exe 2980 Dkbocbog.exe 2360 Dfgcakon.exe 2452 Difpmfna.exe 3588 Dpphjp32.exe 2652 Dbndfl32.exe 4992 Dihlbf32.exe 1740 Dpbdopck.exe 2236 Dbqqkkbo.exe 5032 Djhimica.exe 4480 Dlieda32.exe 968 Djjebh32.exe 420 Dlkbjqgm.exe 808 Ecbjkngo.exe 2620 Eiobceef.exe 1308 Ecefqnel.exe 4476 Ejoomhmi.exe 3216 Elpkep32.exe 868 Efepbi32.exe 3680 Ejalcgkg.exe 3116 Elbhjp32.exe 1136 Eblpgjha.exe 3384 Ejchhgid.exe 3268 Eppqqn32.exe 460 Ejfeng32.exe 4540 Elgaeolp.exe 3108 Fcniglmb.exe 4748 Fikbocki.exe 1368 Fdqfll32.exe 4384 Fimodc32.exe 1072 Fmikeaap.exe 4308 Fpggamqc.exe 3124 Fjmkoeqi.exe 1500 Fipkjb32.exe 4868 Flngfn32.exe 2640 Fdepgkgj.exe 1172 Ffclcgfn.exe 2524 Fibhpbea.exe 1264 Flqdlnde.exe 4296 Fdglmkeg.exe 3644 Fffhifdk.exe 3924 Fideeaco.exe 2028 Gpnmbl32.exe 1548 Gdjibj32.exe 1852 Gfheof32.exe 5084 Gjdaodja.exe 2704 Gmbmkpie.exe 716 Gpqjglii.exe 4588 Gbofcghl.exe 3316 Giinpa32.exe 908 Glgjlm32.exe 1608 Gdobnj32.exe 5088 Gfmojenc.exe 3204 Gikkfqmf.exe 3048 Gpecbk32.exe 4516 Gbdoof32.exe 3456 Gingkqkd.exe 920 Gmiclo32.exe 4352 Gphphj32.exe 472 Gipdap32.exe 3888 Hbhijepa.exe 1656 Hibafp32.exe 3708 Hckeoeno.exe -
Drops file in System32 directory 64 IoCs
Processes:
Onocomdo.exeAdcjop32.exeJjgchm32.exeJddnfd32.exeNnfgcd32.exeIfomll32.exeMfeeabda.exeAdkqoohc.exeBoldhf32.exeCdimqm32.exeNnbnhedj.exeNlkgmh32.exePhaahggp.exePhfjcf32.exeLfjfecno.exeCkgohf32.exeJokkgl32.exeNnfpinmi.exeHmechmip.exeOhcegi32.exeCkhecmcf.exeCnindhpg.exeGoglcahb.exeIbhkfm32.exeOaplqh32.exeBklomh32.exeDihlbf32.exeFcniglmb.exeJjafok32.exeFmcjpl32.exeHpnoncim.exeCljobphg.exePhajna32.exeOhmhmh32.exeAhpmjejp.exeAnmfbl32.exeOjomcopk.exeOclkgccf.exeOfkgcobj.exeOalipoiq.exeFlkdfh32.exeGfeaopqo.exeJoahqn32.exeCogddd32.exeElpkep32.exeAnclbkbp.exeJgpfbjlo.exeNglhld32.exeHoclopne.exeAkdilipp.exeBkibgh32.exeGfmojenc.exeIpjedh32.exeQhkdof32.exeCdbfab32.exeHlepcdoa.exeBoenhgdd.exeBhblllfo.exeCacckp32.exeDnmaea32.exeChkobkod.exedescription ioc process File created C:\Windows\SysWOW64\Ombcji32.exe Onocomdo.exe File opened for modification C:\Windows\SysWOW64\Aknbkjfh.exe Adcjop32.exe File created C:\Windows\SysWOW64\Jlfpdh32.exe Jjgchm32.exe File created C:\Windows\SysWOW64\Jabdjc32.dll Jddnfd32.exe File created C:\Windows\SysWOW64\Oanjomjp.dll Nnfgcd32.exe File created C:\Windows\SysWOW64\Nnfiop32.dll Ifomll32.exe File opened for modification C:\Windows\SysWOW64\Mmpmnl32.exe Mfeeabda.exe File opened for modification C:\Windows\SysWOW64\Akdilipp.exe Adkqoohc.exe File opened for modification C:\Windows\SysWOW64\Bajqda32.exe Boldhf32.exe File created C:\Windows\SysWOW64\Jlobem32.dll Cdimqm32.exe File created C:\Windows\SysWOW64\Gdencf32.dll Nnbnhedj.exe File created C:\Windows\SysWOW64\Gbfnhm32.dll Nlkgmh32.exe File created C:\Windows\SysWOW64\Pdhbmh32.exe Phaahggp.exe File created C:\Windows\SysWOW64\Hffpdd32.dll Phfjcf32.exe File created C:\Windows\SysWOW64\Lmdnbn32.exe Lfjfecno.exe File created C:\Windows\SysWOW64\Mcdibc32.dll Ckgohf32.exe File opened for modification C:\Windows\SysWOW64\Jgbchj32.exe Jokkgl32.exe File opened for modification C:\Windows\SysWOW64\Nadleilm.exe Nnfpinmi.exe File created C:\Windows\SysWOW64\Ljeffhcd.dll Hmechmip.exe File opened for modification C:\Windows\SysWOW64\Ojbacd32.exe Ohcegi32.exe File created C:\Windows\SysWOW64\Eadhip32.dll Ckhecmcf.exe File opened for modification C:\Windows\SysWOW64\Cdbfab32.exe Cnindhpg.exe File created C:\Windows\SysWOW64\Gfodeohd.exe Goglcahb.exe File created C:\Windows\SysWOW64\Iibccgep.exe Ibhkfm32.exe File created C:\Windows\SysWOW64\Ogjdmbil.exe Oaplqh32.exe File created C:\Windows\SysWOW64\Bphgeo32.exe Bklomh32.exe File created C:\Windows\SysWOW64\Lepglifa.dll Dihlbf32.exe File opened for modification C:\Windows\SysWOW64\Fikbocki.exe Fcniglmb.exe File created C:\Windows\SysWOW64\Jqknkedi.exe Jjafok32.exe File created C:\Windows\SysWOW64\Fneggdhg.exe Fmcjpl32.exe File created C:\Windows\SysWOW64\Hblkjo32.exe Hpnoncim.exe File created C:\Windows\SysWOW64\Abklmb32.dll Cljobphg.exe File opened for modification C:\Windows\SysWOW64\Pmnbfhal.exe Phajna32.exe File opened for modification C:\Windows\SysWOW64\Oogpjbbb.exe Ohmhmh32.exe File created C:\Windows\SysWOW64\Amoljp32.dll Ahpmjejp.exe File opened for modification C:\Windows\SysWOW64\Ahbjoe32.exe Anmfbl32.exe File created C:\Windows\SysWOW64\Oaifpi32.exe Ojomcopk.exe File opened for modification C:\Windows\SysWOW64\Ofkgcobj.exe Oclkgccf.exe File created C:\Windows\SysWOW64\Oaplqh32.exe Ofkgcobj.exe File created C:\Windows\SysWOW64\Ncofplba.exe Nnbnhedj.exe File created C:\Windows\SysWOW64\Gaakdpkj.dll Oalipoiq.exe File created C:\Windows\SysWOW64\Fbelcblk.exe Flkdfh32.exe File opened for modification C:\Windows\SysWOW64\Gnqfcbnj.exe Gfeaopqo.exe File created C:\Windows\SysWOW64\Jiglnf32.exe Joahqn32.exe File created C:\Windows\SysWOW64\Ennamn32.dll Cogddd32.exe File created C:\Windows\SysWOW64\Efepbi32.exe Elpkep32.exe File created C:\Windows\SysWOW64\Bdcebook.dll Anclbkbp.exe File created C:\Windows\SysWOW64\Eemnff32.dll Jgpfbjlo.exe File created C:\Windows\SysWOW64\Nnfpinmi.exe Nglhld32.exe File opened for modification C:\Windows\SysWOW64\Oaifpi32.exe Ojomcopk.exe File opened for modification C:\Windows\SysWOW64\Hfjdqmng.exe Hoclopne.exe File created C:\Windows\SysWOW64\Aaoaic32.exe Akdilipp.exe File created C:\Windows\SysWOW64\Boenhgdd.exe Bkibgh32.exe File created C:\Windows\SysWOW64\Gikkfqmf.exe Gfmojenc.exe File created C:\Windows\SysWOW64\Leabba32.dll Ipjedh32.exe File opened for modification C:\Windows\SysWOW64\Qkipkani.exe Qhkdof32.exe File created C:\Windows\SysWOW64\Iojmqe32.dll Cdbfab32.exe File opened for modification C:\Windows\SysWOW64\Hoclopne.exe Hlepcdoa.exe File created C:\Windows\SysWOW64\Lqppgj32.dll Boenhgdd.exe File opened for modification C:\Windows\SysWOW64\Boldhf32.exe Bhblllfo.exe File created C:\Windows\SysWOW64\Ekiapmnp.dll Cacckp32.exe File created C:\Windows\SysWOW64\Omjbpn32.dll Dnmaea32.exe File created C:\Windows\SysWOW64\Idfaefkd.exe Ipjedh32.exe File created C:\Windows\SysWOW64\Aamebb32.dll Chkobkod.exe -
Program crash 1 IoCs
Processes:
WerFault.exepid pid_target process target process 10688 11200 WerFault.exe Dkqaoe32.exe -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
Qemhbj32.exeFlpmagqi.exeJokkgl32.exeLgbloglj.exeChkobkod.exeJlkipgpe.exeEjchhgid.exeKkgiimng.exeCamddhoi.exeQpcecb32.exeFjmkoeqi.exeOabhfg32.exeJqknkedi.exeDnmaea32.exeCncnob32.exeAlbpkc32.exeMjjkaabc.exeCnjdpaki.exeDbqqkkbo.exeEjalcgkg.exeGdjibj32.exeGfmojenc.exeAnclbkbp.exeQodeajbg.exeCgifbhid.exeElpkep32.exeFideeaco.exeGpqjglii.exeOanfen32.exeGoglcahb.exeBdojjo32.exeDihlbf32.exeAknbkjfh.exeCoadnlnb.exeJgpfbjlo.exeae56308137532b400f3771ddca3302ee8935ec41b2c5202a6deed79be130b91dN.exeHmkigh32.exePalklf32.exeMkadfj32.exeFdepgkgj.exeNnfgcd32.exeAnmfbl32.exeEbimgcfi.exeFiodpl32.exeGlkmmefl.exeJilfifme.exeNnafno32.exeEcbjkngo.exeDkqaoe32.exeOjomcopk.exeMeiioonj.exeIfomll32.exePpgegd32.exeJdmgfedl.exeCfnjpfcl.exeLoighj32.exeQhjmdp32.exeAoioli32.exeKmaopfjm.exeHmechmip.exeInnfnl32.exeJlfpdh32.exeKjhloj32.exeOdoogi32.exedescription ioc process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qemhbj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Flpmagqi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jokkgl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lgbloglj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Chkobkod.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jlkipgpe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ejchhgid.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kkgiimng.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Camddhoi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qpcecb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fjmkoeqi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oabhfg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jqknkedi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dnmaea32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cncnob32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Albpkc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mjjkaabc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cnjdpaki.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dbqqkkbo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ejalcgkg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gdjibj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gfmojenc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Anclbkbp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qodeajbg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cgifbhid.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Elpkep32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fideeaco.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gpqjglii.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oanfen32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Goglcahb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bdojjo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dihlbf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aknbkjfh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Coadnlnb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jgpfbjlo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ae56308137532b400f3771ddca3302ee8935ec41b2c5202a6deed79be130b91dN.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hmkigh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Palklf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mkadfj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fdepgkgj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nnfgcd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Anmfbl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ebimgcfi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fiodpl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Glkmmefl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jilfifme.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nnafno32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ecbjkngo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dkqaoe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ojomcopk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Meiioonj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ifomll32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ppgegd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jdmgfedl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cfnjpfcl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Loighj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qhjmdp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aoioli32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kmaopfjm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hmechmip.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Innfnl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jlfpdh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kjhloj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Odoogi32.exe -
Modifies registry class 64 IoCs
Processes:
Lkalplel.exeMkmkkjko.exeNeclenfo.exePjmjdm32.exeQodeajbg.exeEcbjkngo.exeFdqfll32.exeJlfpdh32.exeAnmfbl32.exeOgekbb32.exeDbndfl32.exeFihnomjp.exeLgdidgjg.exeNnfpinmi.exeCcgjopal.exeChkobkod.exeGphphj32.exeMeepdp32.exeHfjdqmng.exeBoihcf32.exeOaplqh32.exeEjalcgkg.exeHbhijepa.exeKkpbin32.exeKnenkbio.exeHpjmnjqn.exeNmlddqem.exeOakbehfe.exeBajqda32.exeCogddd32.exeLnjnqh32.exeOhcegi32.exeMqfpckhm.exeCggimh32.exeDnmaea32.exeQobhkjdi.exeEblpgjha.exeGdjibj32.exeIjqmhnko.exeJjgchm32.exeJcbdgb32.exeKomhll32.exeAkdilipp.exeBhblllfo.exeEcefqnel.exeEppqqn32.exeJniood32.exeAaenbd32.exeCaageq32.exeFdglmkeg.exePmlmkn32.exeNclbpf32.exeFdepgkgj.exeFlkdfh32.exeKmfhkf32.exeNnbnhedj.exePmaffnce.exeCoadnlnb.exeKmaopfjm.exeLjhnlb32.exePalklf32.exedescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lkalplel.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mlihmi32.dll" Mkmkkjko.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Neclenfo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pjmjdm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qodeajbg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ecbjkngo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fdqfll32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dbeojn32.dll" Jlfpdh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oddfcg32.dll" Anmfbl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ogekbb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfifmo32.dll" Dbndfl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebcneqod.dll" Fihnomjp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lgdidgjg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bgagea32.dll" Nnfpinmi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ccgjopal.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aamebb32.dll" Chkobkod.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gphphj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Meepdp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hfjdqmng.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jkmmde32.dll" Boihcf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Oaplqh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gckdpj32.dll" Ejalcgkg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hbhijepa.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kkpbin32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iooogokm.dll" Knenkbio.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hpjmnjqn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nmlddqem.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Flbfjl32.dll" Oakbehfe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kolfbd32.dll" Bajqda32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ennamn32.dll" Cogddd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lnjnqh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ohcegi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qgnnai32.dll" Mqfpckhm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cggimh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Omjbpn32.dll" Dnmaea32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qobhkjdi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eblpgjha.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gdjibj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ijqmhnko.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jjgchm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Inngdb32.dll" Jcbdgb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Komhll32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfdqcn32.dll" Pjmjdm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Phlepppi.dll" Akdilipp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ciipkkdj.dll" Bhblllfo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ecefqnel.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Eppqqn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jniood32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mfgomdnj.dll" Aaenbd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Caageq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Momkkhch.dll" Fdglmkeg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pmlmkn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Akfiji32.dll" Nclbpf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fdepgkgj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Meepdp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdblhj32.dll" Flkdfh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kmfhkf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gdencf32.dll" Nnbnhedj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pmaffnce.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ineedcfb.dll" Coadnlnb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ememkjeq.dll" Kmaopfjm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ljhnlb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Palklf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jcbdgb32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
ae56308137532b400f3771ddca3302ee8935ec41b2c5202a6deed79be130b91dN.exeCcgjopal.exeDmoohe32.exeDkbocbog.exeDfgcakon.exeDifpmfna.exeDpphjp32.exeDbndfl32.exeDihlbf32.exeDpbdopck.exeDbqqkkbo.exeDjhimica.exeDlieda32.exeDjjebh32.exeDlkbjqgm.exeEcbjkngo.exeEiobceef.exeEcefqnel.exeEjoomhmi.exeElpkep32.exeEfepbi32.exeEjalcgkg.exedescription pid process target process PID 4864 wrote to memory of 1600 4864 ae56308137532b400f3771ddca3302ee8935ec41b2c5202a6deed79be130b91dN.exe Ccgjopal.exe PID 4864 wrote to memory of 1600 4864 ae56308137532b400f3771ddca3302ee8935ec41b2c5202a6deed79be130b91dN.exe Ccgjopal.exe PID 4864 wrote to memory of 1600 4864 ae56308137532b400f3771ddca3302ee8935ec41b2c5202a6deed79be130b91dN.exe Ccgjopal.exe PID 1600 wrote to memory of 1516 1600 Ccgjopal.exe Dmoohe32.exe PID 1600 wrote to memory of 1516 1600 Ccgjopal.exe Dmoohe32.exe PID 1600 wrote to memory of 1516 1600 Ccgjopal.exe Dmoohe32.exe PID 1516 wrote to memory of 2980 1516 Dmoohe32.exe Dkbocbog.exe PID 1516 wrote to memory of 2980 1516 Dmoohe32.exe Dkbocbog.exe PID 1516 wrote to memory of 2980 1516 Dmoohe32.exe Dkbocbog.exe PID 2980 wrote to memory of 2360 2980 Dkbocbog.exe Dfgcakon.exe PID 2980 wrote to memory of 2360 2980 Dkbocbog.exe Dfgcakon.exe PID 2980 wrote to memory of 2360 2980 Dkbocbog.exe Dfgcakon.exe PID 2360 wrote to memory of 2452 2360 Dfgcakon.exe Difpmfna.exe PID 2360 wrote to memory of 2452 2360 Dfgcakon.exe Difpmfna.exe PID 2360 wrote to memory of 2452 2360 Dfgcakon.exe Difpmfna.exe PID 2452 wrote to memory of 3588 2452 Difpmfna.exe Dpphjp32.exe PID 2452 wrote to memory of 3588 2452 Difpmfna.exe Dpphjp32.exe PID 2452 wrote to memory of 3588 2452 Difpmfna.exe Dpphjp32.exe PID 3588 wrote to memory of 2652 3588 Dpphjp32.exe Dbndfl32.exe PID 3588 wrote to memory of 2652 3588 Dpphjp32.exe Dbndfl32.exe PID 3588 wrote to memory of 2652 3588 Dpphjp32.exe Dbndfl32.exe PID 2652 wrote to memory of 4992 2652 Dbndfl32.exe Dihlbf32.exe PID 2652 wrote to memory of 4992 2652 Dbndfl32.exe Dihlbf32.exe PID 2652 wrote to memory of 4992 2652 Dbndfl32.exe Dihlbf32.exe PID 4992 wrote to memory of 1740 4992 Dihlbf32.exe Dpbdopck.exe PID 4992 wrote to memory of 1740 4992 Dihlbf32.exe Dpbdopck.exe PID 4992 wrote to memory of 1740 4992 Dihlbf32.exe Dpbdopck.exe PID 1740 wrote to memory of 2236 1740 Dpbdopck.exe Dbqqkkbo.exe PID 1740 wrote to memory of 2236 1740 Dpbdopck.exe Dbqqkkbo.exe PID 1740 wrote to memory of 2236 1740 Dpbdopck.exe Dbqqkkbo.exe PID 2236 wrote to memory of 5032 2236 Dbqqkkbo.exe Djhimica.exe PID 2236 wrote to memory of 5032 2236 Dbqqkkbo.exe Djhimica.exe PID 2236 wrote to memory of 5032 2236 Dbqqkkbo.exe Djhimica.exe PID 5032 wrote to memory of 4480 5032 Djhimica.exe Dlieda32.exe PID 5032 wrote to memory of 4480 5032 Djhimica.exe Dlieda32.exe PID 5032 wrote to memory of 4480 5032 Djhimica.exe Dlieda32.exe PID 4480 wrote to memory of 968 4480 Dlieda32.exe Djjebh32.exe PID 4480 wrote to memory of 968 4480 Dlieda32.exe Djjebh32.exe PID 4480 wrote to memory of 968 4480 Dlieda32.exe Djjebh32.exe PID 968 wrote to memory of 420 968 Djjebh32.exe Dlkbjqgm.exe PID 968 wrote to memory of 420 968 Djjebh32.exe Dlkbjqgm.exe PID 968 wrote to memory of 420 968 Djjebh32.exe Dlkbjqgm.exe PID 420 wrote to memory of 808 420 Dlkbjqgm.exe Ecbjkngo.exe PID 420 wrote to memory of 808 420 Dlkbjqgm.exe Ecbjkngo.exe PID 420 wrote to memory of 808 420 Dlkbjqgm.exe Ecbjkngo.exe PID 808 wrote to memory of 2620 808 Ecbjkngo.exe Eiobceef.exe PID 808 wrote to memory of 2620 808 Ecbjkngo.exe Eiobceef.exe PID 808 wrote to memory of 2620 808 Ecbjkngo.exe Eiobceef.exe PID 2620 wrote to memory of 1308 2620 Eiobceef.exe Ecefqnel.exe PID 2620 wrote to memory of 1308 2620 Eiobceef.exe Ecefqnel.exe PID 2620 wrote to memory of 1308 2620 Eiobceef.exe Ecefqnel.exe PID 1308 wrote to memory of 4476 1308 Ecefqnel.exe Ejoomhmi.exe PID 1308 wrote to memory of 4476 1308 Ecefqnel.exe Ejoomhmi.exe PID 1308 wrote to memory of 4476 1308 Ecefqnel.exe Ejoomhmi.exe PID 4476 wrote to memory of 3216 4476 Ejoomhmi.exe Elpkep32.exe PID 4476 wrote to memory of 3216 4476 Ejoomhmi.exe Elpkep32.exe PID 4476 wrote to memory of 3216 4476 Ejoomhmi.exe Elpkep32.exe PID 3216 wrote to memory of 868 3216 Elpkep32.exe Efepbi32.exe PID 3216 wrote to memory of 868 3216 Elpkep32.exe Efepbi32.exe PID 3216 wrote to memory of 868 3216 Elpkep32.exe Efepbi32.exe PID 868 wrote to memory of 3680 868 Efepbi32.exe Ejalcgkg.exe PID 868 wrote to memory of 3680 868 Efepbi32.exe Ejalcgkg.exe PID 868 wrote to memory of 3680 868 Efepbi32.exe Ejalcgkg.exe PID 3680 wrote to memory of 3116 3680 Ejalcgkg.exe Elbhjp32.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\ae56308137532b400f3771ddca3302ee8935ec41b2c5202a6deed79be130b91dN.exe"C:\Users\Admin\AppData\Local\Temp\ae56308137532b400f3771ddca3302ee8935ec41b2c5202a6deed79be130b91dN.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4864 -
C:\Windows\SysWOW64\Ccgjopal.exeC:\Windows\system32\Ccgjopal.exe2⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1600 -
C:\Windows\SysWOW64\Dmoohe32.exeC:\Windows\system32\Dmoohe32.exe3⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1516 -
C:\Windows\SysWOW64\Dkbocbog.exeC:\Windows\system32\Dkbocbog.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2980 -
C:\Windows\SysWOW64\Dfgcakon.exeC:\Windows\system32\Dfgcakon.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2360 -
C:\Windows\SysWOW64\Difpmfna.exeC:\Windows\system32\Difpmfna.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2452 -
C:\Windows\SysWOW64\Dpphjp32.exeC:\Windows\system32\Dpphjp32.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3588 -
C:\Windows\SysWOW64\Dbndfl32.exeC:\Windows\system32\Dbndfl32.exe8⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2652 -
C:\Windows\SysWOW64\Dihlbf32.exeC:\Windows\system32\Dihlbf32.exe9⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4992 -
C:\Windows\SysWOW64\Dpbdopck.exeC:\Windows\system32\Dpbdopck.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1740 -
C:\Windows\SysWOW64\Dbqqkkbo.exeC:\Windows\system32\Dbqqkkbo.exe11⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2236 -
C:\Windows\SysWOW64\Djhimica.exeC:\Windows\system32\Djhimica.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5032 -
C:\Windows\SysWOW64\Dlieda32.exeC:\Windows\system32\Dlieda32.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4480 -
C:\Windows\SysWOW64\Djjebh32.exeC:\Windows\system32\Djjebh32.exe14⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:968 -
C:\Windows\SysWOW64\Dlkbjqgm.exeC:\Windows\system32\Dlkbjqgm.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:420 -
C:\Windows\SysWOW64\Ecbjkngo.exeC:\Windows\system32\Ecbjkngo.exe16⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:808 -
C:\Windows\SysWOW64\Eiobceef.exeC:\Windows\system32\Eiobceef.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2620 -
C:\Windows\SysWOW64\Ecefqnel.exeC:\Windows\system32\Ecefqnel.exe18⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1308 -
C:\Windows\SysWOW64\Ejoomhmi.exeC:\Windows\system32\Ejoomhmi.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4476 -
C:\Windows\SysWOW64\Elpkep32.exeC:\Windows\system32\Elpkep32.exe20⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3216 -
C:\Windows\SysWOW64\Efepbi32.exeC:\Windows\system32\Efepbi32.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:868 -
C:\Windows\SysWOW64\Ejalcgkg.exeC:\Windows\system32\Ejalcgkg.exe22⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3680 -
C:\Windows\SysWOW64\Elbhjp32.exeC:\Windows\system32\Elbhjp32.exe23⤵
- Executes dropped EXE
PID:3116 -
C:\Windows\SysWOW64\Eblpgjha.exeC:\Windows\system32\Eblpgjha.exe24⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:1136 -
C:\Windows\SysWOW64\Ejchhgid.exeC:\Windows\system32\Ejchhgid.exe25⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3384 -
C:\Windows\SysWOW64\Eppqqn32.exeC:\Windows\system32\Eppqqn32.exe26⤵
- Executes dropped EXE
- Modifies registry class
PID:3268 -
C:\Windows\SysWOW64\Ejfeng32.exeC:\Windows\system32\Ejfeng32.exe27⤵
- Executes dropped EXE
PID:460 -
C:\Windows\SysWOW64\Elgaeolp.exeC:\Windows\system32\Elgaeolp.exe28⤵
- Executes dropped EXE
PID:4540 -
C:\Windows\SysWOW64\Fcniglmb.exeC:\Windows\system32\Fcniglmb.exe29⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3108 -
C:\Windows\SysWOW64\Fikbocki.exeC:\Windows\system32\Fikbocki.exe30⤵
- Executes dropped EXE
PID:4748 -
C:\Windows\SysWOW64\Fdqfll32.exeC:\Windows\system32\Fdqfll32.exe31⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:1368 -
C:\Windows\SysWOW64\Fimodc32.exeC:\Windows\system32\Fimodc32.exe32⤵
- Executes dropped EXE
PID:4384 -
C:\Windows\SysWOW64\Fmikeaap.exeC:\Windows\system32\Fmikeaap.exe33⤵
- Executes dropped EXE
PID:1072 -
C:\Windows\SysWOW64\Fpggamqc.exeC:\Windows\system32\Fpggamqc.exe34⤵
- Executes dropped EXE
PID:4308 -
C:\Windows\SysWOW64\Fjmkoeqi.exeC:\Windows\system32\Fjmkoeqi.exe35⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3124 -
C:\Windows\SysWOW64\Fipkjb32.exeC:\Windows\system32\Fipkjb32.exe36⤵
- Executes dropped EXE
PID:1500 -
C:\Windows\SysWOW64\Flngfn32.exeC:\Windows\system32\Flngfn32.exe37⤵
- Executes dropped EXE
PID:4868 -
C:\Windows\SysWOW64\Fdepgkgj.exeC:\Windows\system32\Fdepgkgj.exe38⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2640 -
C:\Windows\SysWOW64\Ffclcgfn.exeC:\Windows\system32\Ffclcgfn.exe39⤵
- Executes dropped EXE
PID:1172 -
C:\Windows\SysWOW64\Fibhpbea.exeC:\Windows\system32\Fibhpbea.exe40⤵
- Executes dropped EXE
PID:2524 -
C:\Windows\SysWOW64\Flqdlnde.exeC:\Windows\system32\Flqdlnde.exe41⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1264 -
C:\Windows\SysWOW64\Fdglmkeg.exeC:\Windows\system32\Fdglmkeg.exe42⤵
- Executes dropped EXE
- Modifies registry class
PID:4296 -
C:\Windows\SysWOW64\Fffhifdk.exeC:\Windows\system32\Fffhifdk.exe43⤵
- Executes dropped EXE
PID:3644 -
C:\Windows\SysWOW64\Fideeaco.exeC:\Windows\system32\Fideeaco.exe44⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3924 -
C:\Windows\SysWOW64\Gpnmbl32.exeC:\Windows\system32\Gpnmbl32.exe45⤵
- Executes dropped EXE
PID:2028 -
C:\Windows\SysWOW64\Gdjibj32.exeC:\Windows\system32\Gdjibj32.exe46⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1548 -
C:\Windows\SysWOW64\Gfheof32.exeC:\Windows\system32\Gfheof32.exe47⤵
- Executes dropped EXE
PID:1852 -
C:\Windows\SysWOW64\Gjdaodja.exeC:\Windows\system32\Gjdaodja.exe48⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:5084 -
C:\Windows\SysWOW64\Gmbmkpie.exeC:\Windows\system32\Gmbmkpie.exe49⤵
- Executes dropped EXE
PID:2704 -
C:\Windows\SysWOW64\Gpqjglii.exeC:\Windows\system32\Gpqjglii.exe50⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:716 -
C:\Windows\SysWOW64\Gbofcghl.exeC:\Windows\system32\Gbofcghl.exe51⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4588 -
C:\Windows\SysWOW64\Giinpa32.exeC:\Windows\system32\Giinpa32.exe52⤵
- Executes dropped EXE
PID:3316 -
C:\Windows\SysWOW64\Glgjlm32.exeC:\Windows\system32\Glgjlm32.exe53⤵
- Executes dropped EXE
PID:908 -
C:\Windows\SysWOW64\Gdobnj32.exeC:\Windows\system32\Gdobnj32.exe54⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1608 -
C:\Windows\SysWOW64\Gfmojenc.exeC:\Windows\system32\Gfmojenc.exe55⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:5088 -
C:\Windows\SysWOW64\Gikkfqmf.exeC:\Windows\system32\Gikkfqmf.exe56⤵
- Executes dropped EXE
PID:3204 -
C:\Windows\SysWOW64\Gpecbk32.exeC:\Windows\system32\Gpecbk32.exe57⤵
- Executes dropped EXE
PID:3048 -
C:\Windows\SysWOW64\Gbdoof32.exeC:\Windows\system32\Gbdoof32.exe58⤵
- Executes dropped EXE
PID:4516 -
C:\Windows\SysWOW64\Gingkqkd.exeC:\Windows\system32\Gingkqkd.exe59⤵
- Executes dropped EXE
PID:3456 -
C:\Windows\SysWOW64\Gmiclo32.exeC:\Windows\system32\Gmiclo32.exe60⤵
- Executes dropped EXE
PID:920 -
C:\Windows\SysWOW64\Gphphj32.exeC:\Windows\system32\Gphphj32.exe61⤵
- Executes dropped EXE
- Modifies registry class
PID:4352 -
C:\Windows\SysWOW64\Gipdap32.exeC:\Windows\system32\Gipdap32.exe62⤵
- Executes dropped EXE
PID:472 -
C:\Windows\SysWOW64\Hpjmnjqn.exeC:\Windows\system32\Hpjmnjqn.exe63⤵
- Modifies registry class
PID:1812 -
C:\Windows\SysWOW64\Hbhijepa.exeC:\Windows\system32\Hbhijepa.exe64⤵
- Executes dropped EXE
- Modifies registry class
PID:3888 -
C:\Windows\SysWOW64\Hibafp32.exeC:\Windows\system32\Hibafp32.exe65⤵
- Executes dropped EXE
PID:1656 -
C:\Windows\SysWOW64\Hckeoeno.exeC:\Windows\system32\Hckeoeno.exe66⤵
- Executes dropped EXE
PID:3708 -
C:\Windows\SysWOW64\Hienlpel.exeC:\Windows\system32\Hienlpel.exe67⤵PID:2492
-
C:\Windows\SysWOW64\Hlcjhkdp.exeC:\Windows\system32\Hlcjhkdp.exe68⤵PID:4208
-
C:\Windows\SysWOW64\Hcmbee32.exeC:\Windows\system32\Hcmbee32.exe69⤵PID:4732
-
C:\Windows\SysWOW64\Hkdjfb32.exeC:\Windows\system32\Hkdjfb32.exe70⤵PID:2332
-
C:\Windows\SysWOW64\Hmbfbn32.exeC:\Windows\system32\Hmbfbn32.exe71⤵PID:3880
-
C:\Windows\SysWOW64\Hdmoohbo.exeC:\Windows\system32\Hdmoohbo.exe72⤵PID:3612
-
C:\Windows\SysWOW64\Hgkkkcbc.exeC:\Windows\system32\Hgkkkcbc.exe73⤵PID:5000
-
C:\Windows\SysWOW64\Hmechmip.exeC:\Windows\system32\Hmechmip.exe74⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1268 -
C:\Windows\SysWOW64\Hpcodihc.exeC:\Windows\system32\Hpcodihc.exe75⤵PID:2868
-
C:\Windows\SysWOW64\Hcblpdgg.exeC:\Windows\system32\Hcblpdgg.exe76⤵PID:1672
-
C:\Windows\SysWOW64\Hildmn32.exeC:\Windows\system32\Hildmn32.exe77⤵PID:4344
-
C:\Windows\SysWOW64\Idahjg32.exeC:\Windows\system32\Idahjg32.exe78⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:532 -
C:\Windows\SysWOW64\Ikkpgafg.exeC:\Windows\system32\Ikkpgafg.exe79⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4280 -
C:\Windows\SysWOW64\Iinqbn32.exeC:\Windows\system32\Iinqbn32.exe80⤵PID:4932
-
C:\Windows\SysWOW64\Iphioh32.exeC:\Windows\system32\Iphioh32.exe81⤵PID:5072
-
C:\Windows\SysWOW64\Icfekc32.exeC:\Windows\system32\Icfekc32.exe82⤵PID:764
-
C:\Windows\SysWOW64\Ijqmhnko.exeC:\Windows\system32\Ijqmhnko.exe83⤵
- Modifies registry class
PID:2624 -
C:\Windows\SysWOW64\Ipjedh32.exeC:\Windows\system32\Ipjedh32.exe84⤵
- Drops file in System32 directory
PID:3692 -
C:\Windows\SysWOW64\Idfaefkd.exeC:\Windows\system32\Idfaefkd.exe85⤵PID:1120
-
C:\Windows\SysWOW64\Ikpjbq32.exeC:\Windows\system32\Ikpjbq32.exe86⤵PID:4112
-
C:\Windows\SysWOW64\Innfnl32.exeC:\Windows\system32\Innfnl32.exe87⤵
- System Location Discovery: System Language Discovery
PID:540 -
C:\Windows\SysWOW64\Idhnkf32.exeC:\Windows\system32\Idhnkf32.exe88⤵PID:1116
-
C:\Windows\SysWOW64\Ijegcm32.exeC:\Windows\system32\Ijegcm32.exe89⤵PID:4804
-
C:\Windows\SysWOW64\Ipoopgnf.exeC:\Windows\system32\Ipoopgnf.exe90⤵PID:4856
-
C:\Windows\SysWOW64\Icnklbmj.exeC:\Windows\system32\Icnklbmj.exe91⤵PID:1816
-
C:\Windows\SysWOW64\Igigla32.exeC:\Windows\system32\Igigla32.exe92⤵PID:4120
-
C:\Windows\SysWOW64\Jjgchm32.exeC:\Windows\system32\Jjgchm32.exe93⤵
- Drops file in System32 directory
- Modifies registry class
PID:3848 -
C:\Windows\SysWOW64\Jlfpdh32.exeC:\Windows\system32\Jlfpdh32.exe94⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1784 -
C:\Windows\SysWOW64\Jdmgfedl.exeC:\Windows\system32\Jdmgfedl.exe95⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:1468 -
C:\Windows\SysWOW64\Jgkdbacp.exeC:\Windows\system32\Jgkdbacp.exe96⤵PID:3304
-
C:\Windows\SysWOW64\Jjjpnlbd.exeC:\Windows\system32\Jjjpnlbd.exe97⤵PID:5128
-
C:\Windows\SysWOW64\Jlhljhbg.exeC:\Windows\system32\Jlhljhbg.exe98⤵PID:5176
-
C:\Windows\SysWOW64\Jdodkebj.exeC:\Windows\system32\Jdodkebj.exe99⤵PID:5232
-
C:\Windows\SysWOW64\Jcbdgb32.exeC:\Windows\system32\Jcbdgb32.exe100⤵
- Modifies registry class
PID:5284 -
C:\Windows\SysWOW64\Jkimho32.exeC:\Windows\system32\Jkimho32.exe101⤵PID:5356
-
C:\Windows\SysWOW64\Jnhidk32.exeC:\Windows\system32\Jnhidk32.exe102⤵PID:5404
-
C:\Windows\SysWOW64\Jlkipgpe.exeC:\Windows\system32\Jlkipgpe.exe103⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:5460 -
C:\Windows\SysWOW64\Jdaaaeqg.exeC:\Windows\system32\Jdaaaeqg.exe104⤵PID:5508
-
C:\Windows\SysWOW64\Jgpmmp32.exeC:\Windows\system32\Jgpmmp32.exe105⤵PID:5556
-
C:\Windows\SysWOW64\Jklinohd.exeC:\Windows\system32\Jklinohd.exe106⤵PID:5600
-
C:\Windows\SysWOW64\Jjoiil32.exeC:\Windows\system32\Jjoiil32.exe107⤵PID:5648
-
C:\Windows\SysWOW64\Jlmfeg32.exeC:\Windows\system32\Jlmfeg32.exe108⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5696 -
C:\Windows\SysWOW64\Jddnfd32.exeC:\Windows\system32\Jddnfd32.exe109⤵
- Drops file in System32 directory
PID:5752 -
C:\Windows\SysWOW64\Jjafok32.exeC:\Windows\system32\Jjafok32.exe110⤵
- Drops file in System32 directory
PID:5796 -
C:\Windows\SysWOW64\Jqknkedi.exeC:\Windows\system32\Jqknkedi.exe111⤵
- System Location Discovery: System Language Discovery
PID:5840 -
C:\Windows\SysWOW64\Jdfjld32.exeC:\Windows\system32\Jdfjld32.exe112⤵PID:5884
-
C:\Windows\SysWOW64\Jgeghp32.exeC:\Windows\system32\Jgeghp32.exe113⤵PID:5928
-
C:\Windows\SysWOW64\Kkpbin32.exeC:\Windows\system32\Kkpbin32.exe114⤵
- Modifies registry class
PID:5968 -
C:\Windows\SysWOW64\Kmaopfjm.exeC:\Windows\system32\Kmaopfjm.exe115⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:6012 -
C:\Windows\SysWOW64\Kqmkae32.exeC:\Windows\system32\Kqmkae32.exe116⤵PID:6056
-
C:\Windows\SysWOW64\Kclgmq32.exeC:\Windows\system32\Kclgmq32.exe117⤵PID:6100
-
C:\Windows\SysWOW64\Kkconn32.exeC:\Windows\system32\Kkconn32.exe118⤵PID:3792
-
C:\Windows\SysWOW64\Knalji32.exeC:\Windows\system32\Knalji32.exe119⤵PID:5184
-
C:\Windows\SysWOW64\Kqphfe32.exeC:\Windows\system32\Kqphfe32.exe120⤵PID:5276
-
C:\Windows\SysWOW64\Kcndbp32.exeC:\Windows\system32\Kcndbp32.exe121⤵PID:5372
-
C:\Windows\SysWOW64\Kgipcogp.exeC:\Windows\system32\Kgipcogp.exe122⤵PID:5452
-
C:\Windows\SysWOW64\Kjhloj32.exeC:\Windows\system32\Kjhloj32.exe123⤵
- System Location Discovery: System Language Discovery
PID:5564 -
C:\Windows\SysWOW64\Kmfhkf32.exeC:\Windows\system32\Kmfhkf32.exe124⤵
- Modifies registry class
PID:5616 -
C:\Windows\SysWOW64\Kqbdldnq.exeC:\Windows\system32\Kqbdldnq.exe125⤵PID:5688
-
C:\Windows\SysWOW64\Kcpahpmd.exeC:\Windows\system32\Kcpahpmd.exe126⤵PID:5764
-
C:\Windows\SysWOW64\Kkgiimng.exeC:\Windows\system32\Kkgiimng.exe127⤵
- System Location Discovery: System Language Discovery
PID:5832 -
C:\Windows\SysWOW64\Knfeeimj.exeC:\Windows\system32\Knfeeimj.exe128⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5924 -
C:\Windows\SysWOW64\Kqdaadln.exeC:\Windows\system32\Kqdaadln.exe129⤵PID:5976
-
C:\Windows\SysWOW64\Kcbnnpka.exeC:\Windows\system32\Kcbnnpka.exe130⤵PID:6040
-
C:\Windows\SysWOW64\Kjmfjj32.exeC:\Windows\system32\Kjmfjj32.exe131⤵PID:6080
-
C:\Windows\SysWOW64\Kmkbfeab.exeC:\Windows\system32\Kmkbfeab.exe132⤵PID:5172
-
C:\Windows\SysWOW64\Kdbjhbbd.exeC:\Windows\system32\Kdbjhbbd.exe133⤵PID:5344
-
C:\Windows\SysWOW64\Lgqfdnah.exeC:\Windows\system32\Lgqfdnah.exe134⤵PID:5340
-
C:\Windows\SysWOW64\Lnjnqh32.exeC:\Windows\system32\Lnjnqh32.exe135⤵
- Modifies registry class
PID:5612 -
C:\Windows\SysWOW64\Lddgmbpb.exeC:\Windows\system32\Lddgmbpb.exe136⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5708 -
C:\Windows\SysWOW64\Lknojl32.exeC:\Windows\system32\Lknojl32.exe137⤵PID:5836
-
C:\Windows\SysWOW64\Lnmkfh32.exeC:\Windows\system32\Lnmkfh32.exe138⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5960 -
C:\Windows\SysWOW64\Ldgccb32.exeC:\Windows\system32\Ldgccb32.exe139⤵PID:6064
-
C:\Windows\SysWOW64\Lkalplel.exeC:\Windows\system32\Lkalplel.exe140⤵
- Modifies registry class
PID:4900 -
C:\Windows\SysWOW64\Lqndhcdc.exeC:\Windows\system32\Lqndhcdc.exe141⤵PID:5416
-
C:\Windows\SysWOW64\Lggldm32.exeC:\Windows\system32\Lggldm32.exe142⤵PID:5552
-
C:\Windows\SysWOW64\Lnadagbm.exeC:\Windows\system32\Lnadagbm.exe143⤵PID:5780
-
C:\Windows\SysWOW64\Lmdemd32.exeC:\Windows\system32\Lmdemd32.exe144⤵PID:5952
-
C:\Windows\SysWOW64\Lkeekk32.exeC:\Windows\system32\Lkeekk32.exe145⤵PID:6136
-
C:\Windows\SysWOW64\Lndagg32.exeC:\Windows\system32\Lndagg32.exe146⤵PID:5484
-
C:\Windows\SysWOW64\Mcqjon32.exeC:\Windows\system32\Mcqjon32.exe147⤵PID:5744
-
C:\Windows\SysWOW64\Mkhapk32.exeC:\Windows\system32\Mkhapk32.exe148⤵PID:6028
-
C:\Windows\SysWOW64\Mnfnlf32.exeC:\Windows\system32\Mnfnlf32.exe149⤵PID:6128
-
C:\Windows\SysWOW64\Madjhb32.exeC:\Windows\system32\Madjhb32.exe150⤵PID:6024
-
C:\Windows\SysWOW64\Mccfdmmo.exeC:\Windows\system32\Mccfdmmo.exe151⤵PID:5516
-
C:\Windows\SysWOW64\Mkjnfkma.exeC:\Windows\system32\Mkjnfkma.exe152⤵PID:5348
-
C:\Windows\SysWOW64\Mnhkbfme.exeC:\Windows\system32\Mnhkbfme.exe153⤵PID:5856
-
C:\Windows\SysWOW64\Mebcop32.exeC:\Windows\system32\Mebcop32.exe154⤵PID:5716
-
C:\Windows\SysWOW64\Mkmkkjko.exeC:\Windows\system32\Mkmkkjko.exe155⤵
- Modifies registry class
PID:6188 -
C:\Windows\SysWOW64\Meepdp32.exeC:\Windows\system32\Meepdp32.exe156⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:6228 -
C:\Windows\SysWOW64\Mnmdme32.exeC:\Windows\system32\Mnmdme32.exe157⤵PID:6272
-
C:\Windows\SysWOW64\Malpia32.exeC:\Windows\system32\Malpia32.exe158⤵PID:6316
-
C:\Windows\SysWOW64\Mkadfj32.exeC:\Windows\system32\Mkadfj32.exe159⤵
- System Location Discovery: System Language Discovery
PID:6360 -
C:\Windows\SysWOW64\Mmbanbmg.exeC:\Windows\system32\Mmbanbmg.exe160⤵PID:6408
-
C:\Windows\SysWOW64\Meiioonj.exeC:\Windows\system32\Meiioonj.exe161⤵
- System Location Discovery: System Language Discovery
PID:6452 -
C:\Windows\SysWOW64\Nclikl32.exeC:\Windows\system32\Nclikl32.exe162⤵PID:6496
-
C:\Windows\SysWOW64\Nnbnhedj.exeC:\Windows\system32\Nnbnhedj.exe163⤵
- Drops file in System32 directory
- Modifies registry class
PID:6540 -
C:\Windows\SysWOW64\Ncofplba.exeC:\Windows\system32\Ncofplba.exe164⤵PID:6584
-
C:\Windows\SysWOW64\Nabfjpak.exeC:\Windows\system32\Nabfjpak.exe165⤵PID:6628
-
C:\Windows\SysWOW64\Ncabfkqo.exeC:\Windows\system32\Ncabfkqo.exe166⤵PID:6672
-
C:\Windows\SysWOW64\Njkkbehl.exeC:\Windows\system32\Njkkbehl.exe167⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6716 -
C:\Windows\SysWOW64\Nnfgcd32.exeC:\Windows\system32\Nnfgcd32.exe168⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:6760 -
C:\Windows\SysWOW64\Nccokk32.exeC:\Windows\system32\Nccokk32.exe169⤵PID:6804
-
C:\Windows\SysWOW64\Nlkgmh32.exeC:\Windows\system32\Nlkgmh32.exe170⤵
- Drops file in System32 directory
PID:6848 -
C:\Windows\SysWOW64\Nmlddqem.exeC:\Windows\system32\Nmlddqem.exe171⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:6892 -
C:\Windows\SysWOW64\Neclenfo.exeC:\Windows\system32\Neclenfo.exe172⤵
- Modifies registry class
PID:6936 -
C:\Windows\SysWOW64\Nlmdbh32.exeC:\Windows\system32\Nlmdbh32.exe173⤵PID:6980
-
C:\Windows\SysWOW64\Nnkpnclp.exeC:\Windows\system32\Nnkpnclp.exe174⤵PID:7024
-
C:\Windows\SysWOW64\Ohcegi32.exeC:\Windows\system32\Ohcegi32.exe175⤵
- Drops file in System32 directory
- Modifies registry class
PID:7084 -
C:\Windows\SysWOW64\Ojbacd32.exeC:\Windows\system32\Ojbacd32.exe176⤵PID:7144
-
C:\Windows\SysWOW64\Oalipoiq.exeC:\Windows\system32\Oalipoiq.exe177⤵
- Drops file in System32 directory
PID:6184 -
C:\Windows\SysWOW64\Ojdnid32.exeC:\Windows\system32\Ojdnid32.exe178⤵PID:6256
-
C:\Windows\SysWOW64\Oanfen32.exeC:\Windows\system32\Oanfen32.exe179⤵
- System Location Discovery: System Language Discovery
PID:6332 -
C:\Windows\SysWOW64\Ojgjndno.exeC:\Windows\system32\Ojgjndno.exe180⤵PID:6400
-
C:\Windows\SysWOW64\Odoogi32.exeC:\Windows\system32\Odoogi32.exe181⤵
- System Location Discovery: System Language Discovery
PID:6484 -
C:\Windows\SysWOW64\Oodcdb32.exeC:\Windows\system32\Oodcdb32.exe182⤵PID:6552
-
C:\Windows\SysWOW64\Oacoqnci.exeC:\Windows\system32\Oacoqnci.exe183⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6616 -
C:\Windows\SysWOW64\Ohmhmh32.exeC:\Windows\system32\Ohmhmh32.exe184⤵
- Drops file in System32 directory
PID:6684 -
C:\Windows\SysWOW64\Oogpjbbb.exeC:\Windows\system32\Oogpjbbb.exe185⤵PID:6752
-
C:\Windows\SysWOW64\Phodcg32.exeC:\Windows\system32\Phodcg32.exe186⤵PID:6816
-
C:\Windows\SysWOW64\Pmlmkn32.exeC:\Windows\system32\Pmlmkn32.exe187⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:6884 -
C:\Windows\SysWOW64\Phaahggp.exeC:\Windows\system32\Phaahggp.exe188⤵
- Drops file in System32 directory
PID:6964 -
C:\Windows\SysWOW64\Pdhbmh32.exeC:\Windows\system32\Pdhbmh32.exe189⤵PID:7032
-
C:\Windows\SysWOW64\Pkbjjbda.exeC:\Windows\system32\Pkbjjbda.exe190⤵PID:7128
-
C:\Windows\SysWOW64\Pmaffnce.exeC:\Windows\system32\Pmaffnce.exe191⤵
- Modifies registry class
PID:6220 -
C:\Windows\SysWOW64\Phfjcf32.exeC:\Windows\system32\Phfjcf32.exe192⤵
- Drops file in System32 directory
PID:6300 -
C:\Windows\SysWOW64\Pmcclm32.exeC:\Windows\system32\Pmcclm32.exe193⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6424 -
C:\Windows\SysWOW64\Pdmkhgho.exeC:\Windows\system32\Pdmkhgho.exe194⤵PID:6532
-
C:\Windows\SysWOW64\Pldcjeia.exeC:\Windows\system32\Pldcjeia.exe195⤵PID:3168
-
C:\Windows\SysWOW64\Qemhbj32.exeC:\Windows\system32\Qemhbj32.exe196⤵
- System Location Discovery: System Language Discovery
PID:1652 -
C:\Windows\SysWOW64\Qhkdof32.exeC:\Windows\system32\Qhkdof32.exe197⤵
- Drops file in System32 directory
PID:4060 -
C:\Windows\SysWOW64\Qkipkani.exeC:\Windows\system32\Qkipkani.exe198⤵PID:6792
-
C:\Windows\SysWOW64\Qachgk32.exeC:\Windows\system32\Qachgk32.exe199⤵PID:6864
-
C:\Windows\SysWOW64\Qhmqdemc.exeC:\Windows\system32\Qhmqdemc.exe200⤵PID:7040
-
C:\Windows\SysWOW64\Aogiap32.exeC:\Windows\system32\Aogiap32.exe201⤵PID:6176
-
C:\Windows\SysWOW64\Ahpmjejp.exeC:\Windows\system32\Ahpmjejp.exe202⤵
- Drops file in System32 directory
PID:6344 -
C:\Windows\SysWOW64\Anmfbl32.exeC:\Windows\system32\Anmfbl32.exe203⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:6480 -
C:\Windows\SysWOW64\Ahbjoe32.exeC:\Windows\system32\Ahbjoe32.exe204⤵PID:6644
-
C:\Windows\SysWOW64\Aolblopj.exeC:\Windows\system32\Aolblopj.exe205⤵PID:6704
-
C:\Windows\SysWOW64\Adikdfna.exeC:\Windows\system32\Adikdfna.exe206⤵PID:6836
-
C:\Windows\SysWOW64\Anaomkdb.exeC:\Windows\system32\Anaomkdb.exe207⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:7060 -
C:\Windows\SysWOW64\Adkgje32.exeC:\Windows\system32\Adkgje32.exe208⤵PID:6328
-
C:\Windows\SysWOW64\Albpkc32.exeC:\Windows\system32\Albpkc32.exe209⤵
- System Location Discovery: System Language Discovery
PID:6512 -
C:\Windows\SysWOW64\Anclbkbp.exeC:\Windows\system32\Anclbkbp.exe210⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:6680 -
C:\Windows\SysWOW64\Aekddhcb.exeC:\Windows\system32\Aekddhcb.exe211⤵PID:6908
-
C:\Windows\SysWOW64\Alelqb32.exeC:\Windows\system32\Alelqb32.exe212⤵PID:6200
-
C:\Windows\SysWOW64\Bochmn32.exeC:\Windows\system32\Bochmn32.exe213⤵PID:6572
-
C:\Windows\SysWOW64\Baadiiif.exeC:\Windows\system32\Baadiiif.exe214⤵PID:6820
-
C:\Windows\SysWOW64\Boeebnhp.exeC:\Windows\system32\Boeebnhp.exe215⤵PID:6568
-
C:\Windows\SysWOW64\Badanigc.exeC:\Windows\system32\Badanigc.exe216⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:7012 -
C:\Windows\SysWOW64\Bnkbcj32.exeC:\Windows\system32\Bnkbcj32.exe217⤵PID:6932
-
C:\Windows\SysWOW64\Bebjdgmj.exeC:\Windows\system32\Bebjdgmj.exe218⤵PID:6284
-
C:\Windows\SysWOW64\Bahkih32.exeC:\Windows\system32\Bahkih32.exe219⤵PID:7020
-
C:\Windows\SysWOW64\Bdgged32.exeC:\Windows\system32\Bdgged32.exe220⤵PID:7208
-
C:\Windows\SysWOW64\Bomkcm32.exeC:\Windows\system32\Bomkcm32.exe221⤵PID:7252
-
C:\Windows\SysWOW64\Blqllqqa.exeC:\Windows\system32\Blqllqqa.exe222⤵PID:7300
-
C:\Windows\SysWOW64\Camddhoi.exeC:\Windows\system32\Camddhoi.exe223⤵
- System Location Discovery: System Language Discovery
PID:7344 -
C:\Windows\SysWOW64\Clchbqoo.exeC:\Windows\system32\Clchbqoo.exe224⤵PID:7388
-
C:\Windows\SysWOW64\Coadnlnb.exeC:\Windows\system32\Coadnlnb.exe225⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:7432 -
C:\Windows\SysWOW64\Cbpajgmf.exeC:\Windows\system32\Cbpajgmf.exe226⤵PID:7476
-
C:\Windows\SysWOW64\Chiigadc.exeC:\Windows\system32\Chiigadc.exe227⤵PID:7520
-
C:\Windows\SysWOW64\Ckhecmcf.exeC:\Windows\system32\Ckhecmcf.exe228⤵
- Drops file in System32 directory
PID:7564 -
C:\Windows\SysWOW64\Cnfaohbj.exeC:\Windows\system32\Cnfaohbj.exe229⤵PID:7608
-
C:\Windows\SysWOW64\Cfnjpfcl.exeC:\Windows\system32\Cfnjpfcl.exe230⤵
- System Location Discovery: System Language Discovery
PID:7652 -
C:\Windows\SysWOW64\Clgbmp32.exeC:\Windows\system32\Clgbmp32.exe231⤵PID:7708
-
C:\Windows\SysWOW64\Cnindhpg.exeC:\Windows\system32\Cnindhpg.exe232⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:7784 -
C:\Windows\SysWOW64\Cdbfab32.exeC:\Windows\system32\Cdbfab32.exe233⤵
- Drops file in System32 directory
PID:7852 -
C:\Windows\SysWOW64\Cljobphg.exeC:\Windows\system32\Cljobphg.exe234⤵
- Drops file in System32 directory
PID:7896 -
C:\Windows\SysWOW64\Cohkokgj.exeC:\Windows\system32\Cohkokgj.exe235⤵PID:7976
-
C:\Windows\SysWOW64\Cbfgkffn.exeC:\Windows\system32\Cbfgkffn.exe236⤵PID:8024
-
C:\Windows\SysWOW64\Cfbcke32.exeC:\Windows\system32\Cfbcke32.exe237⤵PID:8080
-
C:\Windows\SysWOW64\Chqogq32.exeC:\Windows\system32\Chqogq32.exe238⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:8132 -
C:\Windows\SysWOW64\Dmlkhofd.exeC:\Windows\system32\Dmlkhofd.exe239⤵PID:8168
-
C:\Windows\SysWOW64\Dnmhpg32.exeC:\Windows\system32\Dnmhpg32.exe240⤵PID:7016
-
C:\Windows\SysWOW64\Dfdpad32.exeC:\Windows\system32\Dfdpad32.exe241⤵PID:7284
-
C:\Windows\SysWOW64\Dhclmp32.exeC:\Windows\system32\Dhclmp32.exe242⤵PID:7372