Analysis
-
max time kernel
90s -
max time network
97s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
16-09-2024 11:19
Static task
static1
Behavioral task
behavioral1
Sample
virussign.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
virussign.exe
Resource
win10v2004-20240802-en
General
-
Target
virussign.exe
-
Size
45KB
-
MD5
d61ea4496a62956bcd6fd6eb8cf98180
-
SHA1
8d96176d76da5acc632a376eae2c7b831ee33b43
-
SHA256
c7795a9e6722e5d4612290e9721571c22230eb205f1fbe64e8ccd42f9f9dd781
-
SHA512
7cd39c7804fe1bfb60a18baf5b76fa8bb2d6c0cd03642adf6bc958b176c9c7dfd82dcdf78abe3243eaa9f5e8c398a9b6b86137b78e121d28090f35849b52f42b
-
SSDEEP
768:DOse59+P08ten96l27TLkBN3Kp/rKNuZAKdJNGr//1H5p:DOX9+P0SksIsBN3u/ekJNsRv
Malware Config
Extracted
berbew
http://tat-neftbank.ru/kkq.php
http://tat-neftbank.ru/wcmd.htm
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
Processes:
Hoaojp32.exeAlqjpi32.exeEfafgifc.exeGikkfqmf.exeHiiggoaf.exeFpdcag32.exeDckdjomg.exeAolblopj.exeBddjpd32.exeJekqmhia.exeMoipoh32.exeLoighj32.exeLjnlecmp.exeQmgelf32.exeOadfkdgd.exeEmbddb32.exeMgobel32.exeNnbnhedj.exeKodnmkap.exeEkaapi32.exeMgnlkfal.exeNcchae32.exeBbnkonbd.exeFmkgkapm.exeKkjeomld.exeLgccinoe.exeOdjeljhd.exeIoolkncg.exePfoann32.exePapfgbmg.exeDpbdopck.exeIljpij32.exeOodcdb32.exeBheplb32.exeOaifpi32.exeOcohmc32.exeCkpbnb32.exeFpjcgm32.exeHginecde.exeGmimai32.exeNncccnol.exeIefgbh32.exeIidphgcn.exeLqojclne.exeMcpcdg32.exeCogddd32.exeMcecjmkl.exeMmbanbmg.exeNhmofj32.exeFdglmkeg.exeGipdap32.exeIlccoh32.exeMadjhb32.exePldcjeia.exeNggnadib.exeCkebcg32.exeMqafhl32.exeOghghb32.exePifnhpmi.exeCnfaohbj.exeHlnjbedi.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hoaojp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Alqjpi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Efafgifc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gikkfqmf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hiiggoaf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fpdcag32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dckdjomg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aolblopj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bddjpd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jekqmhia.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Moipoh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Loighj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ljnlecmp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qmgelf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oadfkdgd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Embddb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mgobel32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nnbnhedj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kodnmkap.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ekaapi32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mgnlkfal.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ncchae32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bbnkonbd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fmkgkapm.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kkjeomld.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lgccinoe.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Odjeljhd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qmgelf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ioolkncg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pfoann32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Papfgbmg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dpbdopck.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iljpij32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oodcdb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bheplb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oaifpi32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ocohmc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ckpbnb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fpjcgm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hginecde.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gmimai32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nncccnol.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iefgbh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iidphgcn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lqojclne.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mcpcdg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cogddd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mcecjmkl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mmbanbmg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nhmofj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fdglmkeg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gipdap32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gipdap32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ilccoh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Madjhb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pldcjeia.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iidphgcn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nggnadib.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ckebcg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mqafhl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oghghb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pifnhpmi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cnfaohbj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hlnjbedi.exe -
Executes dropped EXE 64 IoCs
Processes:
Mlbkap32.exeMnphmkji.exeMblcnj32.exeMifljdjo.exeNjghbl32.exeNbnpcj32.exeNihipdhl.exeNlfelogp.exeNoeahkfc.exeNeoieenp.exeNliaao32.exeNbcjnilj.exeNeafjdkn.exeNhpbfpka.exeNknobkje.exeNiooqcad.exeNolgijpk.exeNiakfbpa.exeNhdlao32.exeOampjeml.exeOlbdhn32.exeOoqqdi32.exeOekiqccc.exeOldamm32.exeOkgaijaj.exeOaajed32.exeOhkbbn32.exeOkjnnj32.exeOadfkdgd.exeOiknlagg.exeOklkdi32.exeObcceg32.exeOeaoab32.exeOhpkmn32.exePllgnl32.exePahpfc32.exePhbhcmjl.exePchlpfjb.exePefhlaie.exePkcadhgm.exePcjiff32.exePidabppl.exePlbmokop.exePoajkgnc.exePapfgbmg.exePifnhpmi.exePlejdkmm.exePocfpf32.exePabblb32.exePiijno32.exeQlggjk32.exeQkjgegae.exeQofcff32.exeQikgco32.exeQkmdkgob.exeQohpkf32.exeQaflgago.exeAjndioga.exeAllpejfe.exeAojlaeei.exeAaiimadl.exeAakebqbj.exeAlqjpi32.exeAoofle32.exepid process 1592 Mlbkap32.exe 3692 Mnphmkji.exe 3032 Mblcnj32.exe 1744 Mifljdjo.exe 4868 Njghbl32.exe 4204 Nbnpcj32.exe 1204 Nihipdhl.exe 3772 Nlfelogp.exe 4412 Noeahkfc.exe 4696 Neoieenp.exe 1356 Nliaao32.exe 1760 Nbcjnilj.exe 3220 Neafjdkn.exe 3688 Nhpbfpka.exe 4104 Nknobkje.exe 2312 Niooqcad.exe 336 Nolgijpk.exe 4388 Niakfbpa.exe 4660 Nhdlao32.exe 4692 Oampjeml.exe 4100 Olbdhn32.exe 1128 Ooqqdi32.exe 2232 Oekiqccc.exe 3424 Oldamm32.exe 4140 Okgaijaj.exe 2568 Oaajed32.exe 4860 Ohkbbn32.exe 2848 Okjnnj32.exe 1080 Oadfkdgd.exe 1796 Oiknlagg.exe 1212 Oklkdi32.exe 2688 Obcceg32.exe 1868 Oeaoab32.exe 756 Ohpkmn32.exe 3496 Pllgnl32.exe 5036 Pahpfc32.exe 1172 Phbhcmjl.exe 1828 Pchlpfjb.exe 4632 Pefhlaie.exe 2660 Pkcadhgm.exe 1888 Pcjiff32.exe 4984 Pidabppl.exe 2164 Plbmokop.exe 3588 Poajkgnc.exe 1448 Papfgbmg.exe 4296 Pifnhpmi.exe 1932 Plejdkmm.exe 3568 Pocfpf32.exe 4236 Pabblb32.exe 1584 Piijno32.exe 2460 Qlggjk32.exe 4444 Qkjgegae.exe 2576 Qofcff32.exe 2028 Qikgco32.exe 2680 Qkmdkgob.exe 3212 Qohpkf32.exe 1556 Qaflgago.exe 5060 Ajndioga.exe 2860 Allpejfe.exe 4712 Aojlaeei.exe 3248 Aaiimadl.exe 1360 Aakebqbj.exe 2188 Alqjpi32.exe 1432 Aoofle32.exe -
Drops file in System32 directory 64 IoCs
Processes:
Phcgcqab.exeMoipoh32.exeBlnoga32.exeMnkggfkb.exeDheibpje.exeEkaapi32.exeFmkgkapm.exeNlhkgi32.exeDmcain32.exeIefgbh32.exeNggnadib.exeGkkgpc32.exeEbhglj32.exeChqogq32.exeHpqldc32.exeDpkmal32.exeNknobkje.exeGdcliikj.exeQeodhjmo.exeGpgind32.exeChiblk32.exeDnmaea32.exeDkbocbog.exeDooaoj32.exeBkibgh32.exeMegljppl.exeOhkbbn32.exeIloidijb.exeKnnhjcog.exeNeoieenp.exeMcifkf32.exeEmphocjj.exeMcecjmkl.exePddhbipj.exeLljklo32.exeOcjoadei.exeOjfcdnjc.exeCglbhhga.exeAojlaeei.exeJdfjld32.exeCnahdi32.exeMfeeabda.exeBpkdjofm.exeAlqjpi32.exePlmmif32.exeEfgemb32.exeLcggio32.exeMnmdme32.exeMeiioonj.exeGppcmeem.exeNqpcjj32.exeAaiimadl.exeIgpdfb32.exeMmkkmc32.exeBhkmec32.exeBnmoijje.exeLlodgnja.exeAagkhd32.exeAajhndkb.exeOhpkmn32.exeFikbocki.exeIidphgcn.exeJocefm32.exedescription ioc process File opened for modification C:\Windows\SysWOW64\Ppolhcnm.exe Phcgcqab.exe File opened for modification C:\Windows\SysWOW64\Mcelpggq.exe Moipoh32.exe File created C:\Windows\SysWOW64\Bkaobnio.exe Blnoga32.exe File opened for modification C:\Windows\SysWOW64\Mmnhcb32.exe Mnkggfkb.exe File created C:\Windows\SysWOW64\Dmadco32.exe Dheibpje.exe File created C:\Windows\SysWOW64\Pjpbba32.dll Ekaapi32.exe File created C:\Windows\SysWOW64\Fpjcgm32.exe Fmkgkapm.exe File created C:\Windows\SysWOW64\Naecop32.exe Nlhkgi32.exe File opened for modification C:\Windows\SysWOW64\Dndnpf32.exe Dmcain32.exe File created C:\Windows\SysWOW64\Dahcld32.dll Iefgbh32.exe File created C:\Windows\SysWOW64\Njfkmphe.exe Nggnadib.exe File created C:\Windows\SysWOW64\Ackhdo32.dll Gkkgpc32.exe File opened for modification C:\Windows\SysWOW64\Efccmidp.exe Ebhglj32.exe File created C:\Windows\SysWOW64\Oqadgkdb.dll Chqogq32.exe File created C:\Windows\SysWOW64\Bgaclkia.dll Hpqldc32.exe File opened for modification C:\Windows\SysWOW64\Iibccgep.exe Iefgbh32.exe File opened for modification C:\Windows\SysWOW64\Dhbebj32.exe Dpkmal32.exe File created C:\Windows\SysWOW64\Niooqcad.exe Nknobkje.exe File created C:\Windows\SysWOW64\Glaecb32.dll Gdcliikj.exe File created C:\Windows\SysWOW64\Qjalckog.dll Qeodhjmo.exe File opened for modification C:\Windows\SysWOW64\Gbeejp32.exe Gpgind32.exe File opened for modification C:\Windows\SysWOW64\Cglbhhga.exe Chiblk32.exe File opened for modification C:\Windows\SysWOW64\Dpkmal32.exe Dnmaea32.exe File created C:\Windows\SysWOW64\Jfhepbll.dll Dkbocbog.exe File created C:\Windows\SysWOW64\Dfiildio.exe Dooaoj32.exe File opened for modification C:\Windows\SysWOW64\Boenhgdd.exe Bkibgh32.exe File opened for modification C:\Windows\SysWOW64\Mgehfkop.exe Megljppl.exe File created C:\Windows\SysWOW64\Okjnnj32.exe Ohkbbn32.exe File created C:\Windows\SysWOW64\Leabba32.dll Iloidijb.exe File created C:\Windows\SysWOW64\Klahfp32.exe Knnhjcog.exe File created C:\Windows\SysWOW64\Nliaao32.exe Neoieenp.exe File opened for modification C:\Windows\SysWOW64\Mfhbga32.exe Mcifkf32.exe File opened for modification C:\Windows\SysWOW64\Elbhjp32.exe Emphocjj.exe File created C:\Windows\SysWOW64\Mkmkkjko.exe Mcecjmkl.exe File opened for modification C:\Windows\SysWOW64\Plkpcfal.exe Pddhbipj.exe File created C:\Windows\SysWOW64\Jkjpda32.dll Lljklo32.exe File created C:\Windows\SysWOW64\Flbfjl32.dll Ocjoadei.exe File created C:\Windows\SysWOW64\Omdppiif.exe Ojfcdnjc.exe File created C:\Windows\SysWOW64\Cocjiehd.exe Cglbhhga.exe File created C:\Windows\SysWOW64\Aaiimadl.exe Aojlaeei.exe File opened for modification C:\Windows\SysWOW64\Jgeghp32.exe Jdfjld32.exe File opened for modification C:\Windows\SysWOW64\Cfipef32.exe Cnahdi32.exe File opened for modification C:\Windows\SysWOW64\Mmpmnl32.exe Mfeeabda.exe File opened for modification C:\Windows\SysWOW64\Bhblllfo.exe Bpkdjofm.exe File opened for modification C:\Windows\SysWOW64\Aoofle32.exe Alqjpi32.exe File created C:\Windows\SysWOW64\Pmoiqneg.exe Plmmif32.exe File opened for modification C:\Windows\SysWOW64\Eejeiocj.exe Efgemb32.exe File created C:\Windows\SysWOW64\Pdnjmc32.dll Lcggio32.exe File opened for modification C:\Windows\SysWOW64\Malpia32.exe Mnmdme32.exe File created C:\Windows\SysWOW64\Kjeqge32.dll Meiioonj.exe File created C:\Windows\SysWOW64\Ilmjim32.dll Gppcmeem.exe File created C:\Windows\SysWOW64\Mpolbbim.dll Nqpcjj32.exe File opened for modification C:\Windows\SysWOW64\Aakebqbj.exe Aaiimadl.exe File created C:\Windows\SysWOW64\Aobbbd32.dll Igpdfb32.exe File created C:\Windows\SysWOW64\Maggnali.exe Mmkkmc32.exe File opened for modification C:\Windows\SysWOW64\Blgifbil.exe Bhkmec32.exe File created C:\Windows\SysWOW64\Iibjhgbi.dll Bnmoijje.exe File created C:\Windows\SysWOW64\Lomqcjie.exe Llodgnja.exe File created C:\Windows\SysWOW64\Geqnma32.dll Aagkhd32.exe File created C:\Windows\SysWOW64\Kajimagp.dll Aajhndkb.exe File opened for modification C:\Windows\SysWOW64\Pllgnl32.exe Ohpkmn32.exe File created C:\Windows\SysWOW64\Qglmjp32.dll Fikbocki.exe File created C:\Windows\SysWOW64\Ilcldb32.exe Iidphgcn.exe File created C:\Windows\SysWOW64\Pmcckk32.dll Jocefm32.exe -
Program crash 1 IoCs
Processes:
WerFault.exepid pid_target process target process 15392 15296 WerFault.exe Dkqaoe32.exe -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
Ckeimm32.exeOcohmc32.exePmiikh32.exeNihipdhl.exeCiafbg32.exeMgobel32.exeOeokal32.exeAhfmpnql.exeAlelqb32.exeKoodbl32.exeLlodgnja.exeNopfpgip.exeKfpcoefj.exeMmfkhmdi.exeNmdgikhi.exePjpfjl32.exeJnelok32.exeLqpamb32.exeOnnmdcjm.exeHoaojp32.exeGingkqkd.exeMfeeabda.exeDhphmj32.exeHmnmgnoh.exeQjiipk32.exeCaageq32.exeFiodpl32.exeHblkjo32.exeLlmhaold.exeAkblfj32.exeCmjemflb.exeJlobkg32.exePkbjjbda.exeEbimgcfi.exePmaffnce.exeAekddhcb.exeQhhpop32.exeBoenhgdd.exeMnphmkji.exeOhkbbn32.exeOodcdb32.exePmoiqneg.exeBddjpd32.exeEicedn32.exeKpoalo32.exePpgegd32.exeCihclh32.exeCimmggfl.exeGlldgljg.exeGkmdecbg.exeDbkqfe32.exeLomqcjie.exeAkffafgg.exeKmieae32.exeLjfhqh32.exeCfnjpfcl.exeNenbjo32.exeOpeiadfg.exeMcpcdg32.exeGbmingjo.exeHibafp32.exeBomkcm32.exeHidgai32.exeEfccmidp.exedescription ioc process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ckeimm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ocohmc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pmiikh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nihipdhl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ciafbg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mgobel32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oeokal32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ahfmpnql.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Alelqb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Koodbl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Llodgnja.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nopfpgip.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kfpcoefj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mmfkhmdi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nmdgikhi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pjpfjl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jnelok32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lqpamb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Onnmdcjm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hoaojp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gingkqkd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mfeeabda.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dhphmj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hmnmgnoh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qjiipk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Caageq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fiodpl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hblkjo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Llmhaold.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Akblfj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cmjemflb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jlobkg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pkbjjbda.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ebimgcfi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pmaffnce.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aekddhcb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qhhpop32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Boenhgdd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mnphmkji.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ohkbbn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oodcdb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pmoiqneg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bddjpd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eicedn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kpoalo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ppgegd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cihclh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cimmggfl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Glldgljg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gkmdecbg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dbkqfe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lomqcjie.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Akffafgg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kmieae32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ljfhqh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cfnjpfcl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nenbjo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Opeiadfg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mcpcdg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gbmingjo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hibafp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bomkcm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hidgai32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Efccmidp.exe -
Modifies registry class 64 IoCs
Processes:
Cihclh32.exeEnbjad32.exeFpdcag32.exePoajkgnc.exeJjgchm32.exeBnoddcef.exeHienlpel.exePocpfphe.exeHedafk32.exeKfnfjehl.exeCpmapodj.exeOkjnnj32.exeCcbadp32.exeGingkqkd.exeKmaopfjm.exeBnhenj32.exeEpmmqheb.exeHblkjo32.exeJlolpq32.exeOoqqdi32.exeBaannc32.exeEnkdaepb.exeNihipdhl.exeNagpeo32.exePfoann32.exeChkobkod.exeJklinohd.exeIkbfgppo.exeObcceg32.exeKkjeomld.exeBfendmoc.exeOcjoadei.exeMmnhcb32.exeGbabigfj.exeLcggio32.exeCkbemgcp.exeNbnpcj32.exeAehgnied.exeDmohno32.exeBhblllfo.exePlbfdekd.exeLqojclne.exeQmgelf32.exeAoioli32.exeDkdliame.exeDiccgfpd.exeJknfcofa.exePkbjjbda.exeMgnlkfal.exeQdoacabq.exePhbhcmjl.exeBdgged32.exeMcpcdg32.exeNopfpgip.exeMeiioonj.exeMcqjon32.exeLgdidgjg.exePmiikh32.exeCcdnjp32.exeMkjnfkma.exeNcabfkqo.exeEicedn32.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cihclh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohofdmkm.dll" Enbjad32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fpdcag32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Poajkgnc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jjgchm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bnoddcef.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kideagnd.dll" Hienlpel.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jocgnlha.dll" Pocpfphe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hedafk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kfnfjehl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cpmapodj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dcoobn32.dll" Okjnnj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ccbadp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gingkqkd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kmaopfjm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bnhenj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Epmmqheb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hblkjo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jlolpq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ooqqdi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ccoecbmi.dll" Baannc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Enkdaepb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nihipdhl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nagpeo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pfoann32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Chkobkod.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nddbqe32.dll" Jklinohd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ikbfgppo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Obcceg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjajmpkj.dll" Ikbfgppo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kkjeomld.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fhgcme32.dll" Bnhenj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bfendmoc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ocjoadei.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mmnhcb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gbabigfj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lcggio32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ckbemgcp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jofabneq.dll" Nbnpcj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpmbai32.dll" Aehgnied.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dmohno32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bhblllfo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Plbfdekd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lqojclne.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qmgelf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aoioli32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dkdliame.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Diccgfpd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jknfcofa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fklenm32.dll" Pkbjjbda.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mgnlkfal.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qdoacabq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Phbhcmjl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bdgged32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mcpcdg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nopfpgip.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Meiioonj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ejnocehc.dll" Mcqjon32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lgdidgjg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pmiikh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ccdnjp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fedbbjgh.dll" Mkjnfkma.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Onlche32.dll" Ncabfkqo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ialjan32.dll" Eicedn32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
virussign.exeMlbkap32.exeMnphmkji.exeMblcnj32.exeMifljdjo.exeNjghbl32.exeNbnpcj32.exeNihipdhl.exeNlfelogp.exeNoeahkfc.exeNeoieenp.exeNliaao32.exeNbcjnilj.exeNeafjdkn.exeNhpbfpka.exeNknobkje.exeNiooqcad.exeNolgijpk.exeNiakfbpa.exeNhdlao32.exeOampjeml.exeOlbdhn32.exedescription pid process target process PID 2504 wrote to memory of 1592 2504 virussign.exe Mlbkap32.exe PID 2504 wrote to memory of 1592 2504 virussign.exe Mlbkap32.exe PID 2504 wrote to memory of 1592 2504 virussign.exe Mlbkap32.exe PID 1592 wrote to memory of 3692 1592 Mlbkap32.exe Mnphmkji.exe PID 1592 wrote to memory of 3692 1592 Mlbkap32.exe Mnphmkji.exe PID 1592 wrote to memory of 3692 1592 Mlbkap32.exe Mnphmkji.exe PID 3692 wrote to memory of 3032 3692 Mnphmkji.exe Mblcnj32.exe PID 3692 wrote to memory of 3032 3692 Mnphmkji.exe Mblcnj32.exe PID 3692 wrote to memory of 3032 3692 Mnphmkji.exe Mblcnj32.exe PID 3032 wrote to memory of 1744 3032 Mblcnj32.exe Mifljdjo.exe PID 3032 wrote to memory of 1744 3032 Mblcnj32.exe Mifljdjo.exe PID 3032 wrote to memory of 1744 3032 Mblcnj32.exe Mifljdjo.exe PID 1744 wrote to memory of 4868 1744 Mifljdjo.exe Njghbl32.exe PID 1744 wrote to memory of 4868 1744 Mifljdjo.exe Njghbl32.exe PID 1744 wrote to memory of 4868 1744 Mifljdjo.exe Njghbl32.exe PID 4868 wrote to memory of 4204 4868 Njghbl32.exe Nbnpcj32.exe PID 4868 wrote to memory of 4204 4868 Njghbl32.exe Nbnpcj32.exe PID 4868 wrote to memory of 4204 4868 Njghbl32.exe Nbnpcj32.exe PID 4204 wrote to memory of 1204 4204 Nbnpcj32.exe Nihipdhl.exe PID 4204 wrote to memory of 1204 4204 Nbnpcj32.exe Nihipdhl.exe PID 4204 wrote to memory of 1204 4204 Nbnpcj32.exe Nihipdhl.exe PID 1204 wrote to memory of 3772 1204 Nihipdhl.exe Nlfelogp.exe PID 1204 wrote to memory of 3772 1204 Nihipdhl.exe Nlfelogp.exe PID 1204 wrote to memory of 3772 1204 Nihipdhl.exe Nlfelogp.exe PID 3772 wrote to memory of 4412 3772 Nlfelogp.exe Noeahkfc.exe PID 3772 wrote to memory of 4412 3772 Nlfelogp.exe Noeahkfc.exe PID 3772 wrote to memory of 4412 3772 Nlfelogp.exe Noeahkfc.exe PID 4412 wrote to memory of 4696 4412 Noeahkfc.exe Neoieenp.exe PID 4412 wrote to memory of 4696 4412 Noeahkfc.exe Neoieenp.exe PID 4412 wrote to memory of 4696 4412 Noeahkfc.exe Neoieenp.exe PID 4696 wrote to memory of 1356 4696 Neoieenp.exe Nliaao32.exe PID 4696 wrote to memory of 1356 4696 Neoieenp.exe Nliaao32.exe PID 4696 wrote to memory of 1356 4696 Neoieenp.exe Nliaao32.exe PID 1356 wrote to memory of 1760 1356 Nliaao32.exe Nbcjnilj.exe PID 1356 wrote to memory of 1760 1356 Nliaao32.exe Nbcjnilj.exe PID 1356 wrote to memory of 1760 1356 Nliaao32.exe Nbcjnilj.exe PID 1760 wrote to memory of 3220 1760 Nbcjnilj.exe Neafjdkn.exe PID 1760 wrote to memory of 3220 1760 Nbcjnilj.exe Neafjdkn.exe PID 1760 wrote to memory of 3220 1760 Nbcjnilj.exe Neafjdkn.exe PID 3220 wrote to memory of 3688 3220 Neafjdkn.exe Nhpbfpka.exe PID 3220 wrote to memory of 3688 3220 Neafjdkn.exe Nhpbfpka.exe PID 3220 wrote to memory of 3688 3220 Neafjdkn.exe Nhpbfpka.exe PID 3688 wrote to memory of 4104 3688 Nhpbfpka.exe Nknobkje.exe PID 3688 wrote to memory of 4104 3688 Nhpbfpka.exe Nknobkje.exe PID 3688 wrote to memory of 4104 3688 Nhpbfpka.exe Nknobkje.exe PID 4104 wrote to memory of 2312 4104 Nknobkje.exe Niooqcad.exe PID 4104 wrote to memory of 2312 4104 Nknobkje.exe Niooqcad.exe PID 4104 wrote to memory of 2312 4104 Nknobkje.exe Niooqcad.exe PID 2312 wrote to memory of 336 2312 Niooqcad.exe Nolgijpk.exe PID 2312 wrote to memory of 336 2312 Niooqcad.exe Nolgijpk.exe PID 2312 wrote to memory of 336 2312 Niooqcad.exe Nolgijpk.exe PID 336 wrote to memory of 4388 336 Nolgijpk.exe Niakfbpa.exe PID 336 wrote to memory of 4388 336 Nolgijpk.exe Niakfbpa.exe PID 336 wrote to memory of 4388 336 Nolgijpk.exe Niakfbpa.exe PID 4388 wrote to memory of 4660 4388 Niakfbpa.exe Nhdlao32.exe PID 4388 wrote to memory of 4660 4388 Niakfbpa.exe Nhdlao32.exe PID 4388 wrote to memory of 4660 4388 Niakfbpa.exe Nhdlao32.exe PID 4660 wrote to memory of 4692 4660 Nhdlao32.exe Oampjeml.exe PID 4660 wrote to memory of 4692 4660 Nhdlao32.exe Oampjeml.exe PID 4660 wrote to memory of 4692 4660 Nhdlao32.exe Oampjeml.exe PID 4692 wrote to memory of 4100 4692 Oampjeml.exe Olbdhn32.exe PID 4692 wrote to memory of 4100 4692 Oampjeml.exe Olbdhn32.exe PID 4692 wrote to memory of 4100 4692 Oampjeml.exe Olbdhn32.exe PID 4100 wrote to memory of 1128 4100 Olbdhn32.exe Ooqqdi32.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\virussign.exe"C:\Users\Admin\AppData\Local\Temp\virussign.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2504 -
C:\Windows\SysWOW64\Mlbkap32.exeC:\Windows\system32\Mlbkap32.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1592 -
C:\Windows\SysWOW64\Mnphmkji.exeC:\Windows\system32\Mnphmkji.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3692 -
C:\Windows\SysWOW64\Mblcnj32.exeC:\Windows\system32\Mblcnj32.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3032 -
C:\Windows\SysWOW64\Mifljdjo.exeC:\Windows\system32\Mifljdjo.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1744 -
C:\Windows\SysWOW64\Njghbl32.exeC:\Windows\system32\Njghbl32.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4868 -
C:\Windows\SysWOW64\Nbnpcj32.exeC:\Windows\system32\Nbnpcj32.exe7⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4204 -
C:\Windows\SysWOW64\Nihipdhl.exeC:\Windows\system32\Nihipdhl.exe8⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1204 -
C:\Windows\SysWOW64\Nlfelogp.exeC:\Windows\system32\Nlfelogp.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3772 -
C:\Windows\SysWOW64\Noeahkfc.exeC:\Windows\system32\Noeahkfc.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4412 -
C:\Windows\SysWOW64\Neoieenp.exeC:\Windows\system32\Neoieenp.exe11⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4696 -
C:\Windows\SysWOW64\Nliaao32.exeC:\Windows\system32\Nliaao32.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1356 -
C:\Windows\SysWOW64\Nbcjnilj.exeC:\Windows\system32\Nbcjnilj.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1760 -
C:\Windows\SysWOW64\Neafjdkn.exeC:\Windows\system32\Neafjdkn.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3220 -
C:\Windows\SysWOW64\Nhpbfpka.exeC:\Windows\system32\Nhpbfpka.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3688 -
C:\Windows\SysWOW64\Nknobkje.exeC:\Windows\system32\Nknobkje.exe16⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4104 -
C:\Windows\SysWOW64\Niooqcad.exeC:\Windows\system32\Niooqcad.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2312 -
C:\Windows\SysWOW64\Nolgijpk.exeC:\Windows\system32\Nolgijpk.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:336 -
C:\Windows\SysWOW64\Niakfbpa.exeC:\Windows\system32\Niakfbpa.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4388 -
C:\Windows\SysWOW64\Nhdlao32.exeC:\Windows\system32\Nhdlao32.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4660 -
C:\Windows\SysWOW64\Oampjeml.exeC:\Windows\system32\Oampjeml.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4692 -
C:\Windows\SysWOW64\Olbdhn32.exeC:\Windows\system32\Olbdhn32.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4100 -
C:\Windows\SysWOW64\Ooqqdi32.exeC:\Windows\system32\Ooqqdi32.exe23⤵
- Executes dropped EXE
- Modifies registry class
PID:1128 -
C:\Windows\SysWOW64\Oekiqccc.exeC:\Windows\system32\Oekiqccc.exe24⤵
- Executes dropped EXE
PID:2232 -
C:\Windows\SysWOW64\Oldamm32.exeC:\Windows\system32\Oldamm32.exe25⤵
- Executes dropped EXE
PID:3424 -
C:\Windows\SysWOW64\Okgaijaj.exeC:\Windows\system32\Okgaijaj.exe26⤵
- Executes dropped EXE
PID:4140 -
C:\Windows\SysWOW64\Oaajed32.exeC:\Windows\system32\Oaajed32.exe27⤵
- Executes dropped EXE
PID:2568 -
C:\Windows\SysWOW64\Ohkbbn32.exeC:\Windows\system32\Ohkbbn32.exe28⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:4860 -
C:\Windows\SysWOW64\Okjnnj32.exeC:\Windows\system32\Okjnnj32.exe29⤵
- Executes dropped EXE
- Modifies registry class
PID:2848 -
C:\Windows\SysWOW64\Oadfkdgd.exeC:\Windows\system32\Oadfkdgd.exe30⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1080 -
C:\Windows\SysWOW64\Oiknlagg.exeC:\Windows\system32\Oiknlagg.exe31⤵
- Executes dropped EXE
PID:1796 -
C:\Windows\SysWOW64\Oklkdi32.exeC:\Windows\system32\Oklkdi32.exe32⤵
- Executes dropped EXE
PID:1212 -
C:\Windows\SysWOW64\Obcceg32.exeC:\Windows\system32\Obcceg32.exe33⤵
- Executes dropped EXE
- Modifies registry class
PID:2688 -
C:\Windows\SysWOW64\Oeaoab32.exeC:\Windows\system32\Oeaoab32.exe34⤵
- Executes dropped EXE
PID:1868 -
C:\Windows\SysWOW64\Ohpkmn32.exeC:\Windows\system32\Ohpkmn32.exe35⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:756 -
C:\Windows\SysWOW64\Pllgnl32.exeC:\Windows\system32\Pllgnl32.exe36⤵
- Executes dropped EXE
PID:3496 -
C:\Windows\SysWOW64\Pahpfc32.exeC:\Windows\system32\Pahpfc32.exe37⤵
- Executes dropped EXE
PID:5036 -
C:\Windows\SysWOW64\Phbhcmjl.exeC:\Windows\system32\Phbhcmjl.exe38⤵
- Executes dropped EXE
- Modifies registry class
PID:1172 -
C:\Windows\SysWOW64\Pchlpfjb.exeC:\Windows\system32\Pchlpfjb.exe39⤵
- Executes dropped EXE
PID:1828 -
C:\Windows\SysWOW64\Pefhlaie.exeC:\Windows\system32\Pefhlaie.exe40⤵
- Executes dropped EXE
PID:4632 -
C:\Windows\SysWOW64\Pkcadhgm.exeC:\Windows\system32\Pkcadhgm.exe41⤵
- Executes dropped EXE
PID:2660 -
C:\Windows\SysWOW64\Pcjiff32.exeC:\Windows\system32\Pcjiff32.exe42⤵
- Executes dropped EXE
PID:1888 -
C:\Windows\SysWOW64\Pidabppl.exeC:\Windows\system32\Pidabppl.exe43⤵
- Executes dropped EXE
PID:4984 -
C:\Windows\SysWOW64\Plbmokop.exeC:\Windows\system32\Plbmokop.exe44⤵
- Executes dropped EXE
PID:2164 -
C:\Windows\SysWOW64\Poajkgnc.exeC:\Windows\system32\Poajkgnc.exe45⤵
- Executes dropped EXE
- Modifies registry class
PID:3588 -
C:\Windows\SysWOW64\Papfgbmg.exeC:\Windows\system32\Papfgbmg.exe46⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1448 -
C:\Windows\SysWOW64\Pifnhpmi.exeC:\Windows\system32\Pifnhpmi.exe47⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4296 -
C:\Windows\SysWOW64\Plejdkmm.exeC:\Windows\system32\Plejdkmm.exe48⤵
- Executes dropped EXE
PID:1932 -
C:\Windows\SysWOW64\Pocfpf32.exeC:\Windows\system32\Pocfpf32.exe49⤵
- Executes dropped EXE
PID:3568 -
C:\Windows\SysWOW64\Pabblb32.exeC:\Windows\system32\Pabblb32.exe50⤵
- Executes dropped EXE
PID:4236 -
C:\Windows\SysWOW64\Piijno32.exeC:\Windows\system32\Piijno32.exe51⤵
- Executes dropped EXE
PID:1584 -
C:\Windows\SysWOW64\Qlggjk32.exeC:\Windows\system32\Qlggjk32.exe52⤵
- Executes dropped EXE
PID:2460 -
C:\Windows\SysWOW64\Qkjgegae.exeC:\Windows\system32\Qkjgegae.exe53⤵
- Executes dropped EXE
PID:4444 -
C:\Windows\SysWOW64\Qofcff32.exeC:\Windows\system32\Qofcff32.exe54⤵
- Executes dropped EXE
PID:2576 -
C:\Windows\SysWOW64\Qikgco32.exeC:\Windows\system32\Qikgco32.exe55⤵
- Executes dropped EXE
PID:2028 -
C:\Windows\SysWOW64\Qkmdkgob.exeC:\Windows\system32\Qkmdkgob.exe56⤵
- Executes dropped EXE
PID:2680 -
C:\Windows\SysWOW64\Qohpkf32.exeC:\Windows\system32\Qohpkf32.exe57⤵
- Executes dropped EXE
PID:3212 -
C:\Windows\SysWOW64\Qaflgago.exeC:\Windows\system32\Qaflgago.exe58⤵
- Executes dropped EXE
PID:1556 -
C:\Windows\SysWOW64\Ajndioga.exeC:\Windows\system32\Ajndioga.exe59⤵
- Executes dropped EXE
PID:5060 -
C:\Windows\SysWOW64\Allpejfe.exeC:\Windows\system32\Allpejfe.exe60⤵
- Executes dropped EXE
PID:2860 -
C:\Windows\SysWOW64\Aojlaeei.exeC:\Windows\system32\Aojlaeei.exe61⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4712 -
C:\Windows\SysWOW64\Aaiimadl.exeC:\Windows\system32\Aaiimadl.exe62⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3248 -
C:\Windows\SysWOW64\Aakebqbj.exeC:\Windows\system32\Aakebqbj.exe63⤵
- Executes dropped EXE
PID:1360 -
C:\Windows\SysWOW64\Alqjpi32.exeC:\Windows\system32\Alqjpi32.exe64⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2188 -
C:\Windows\SysWOW64\Aoofle32.exeC:\Windows\system32\Aoofle32.exe65⤵
- Executes dropped EXE
PID:1432 -
C:\Windows\SysWOW64\Afinioip.exeC:\Windows\system32\Afinioip.exe66⤵PID:4880
-
C:\Windows\SysWOW64\Ahgjejhd.exeC:\Windows\system32\Ahgjejhd.exe67⤵PID:1720
-
C:\Windows\SysWOW64\Akffafgg.exeC:\Windows\system32\Akffafgg.exe68⤵
- System Location Discovery: System Language Discovery
PID:552 -
C:\Windows\SysWOW64\Aoabad32.exeC:\Windows\system32\Aoabad32.exe69⤵PID:4484
-
C:\Windows\SysWOW64\Afkknogn.exeC:\Windows\system32\Afkknogn.exe70⤵PID:4504
-
C:\Windows\SysWOW64\Ahjgjj32.exeC:\Windows\system32\Ahjgjj32.exe71⤵PID:3192
-
C:\Windows\SysWOW64\Akhcfe32.exeC:\Windows\system32\Akhcfe32.exe72⤵PID:2548
-
C:\Windows\SysWOW64\Abbkcpma.exeC:\Windows\system32\Abbkcpma.exe73⤵PID:1588
-
C:\Windows\SysWOW64\Blhpqhlh.exeC:\Windows\system32\Blhpqhlh.exe74⤵PID:3892
-
C:\Windows\SysWOW64\Boflmdkk.exeC:\Windows\system32\Boflmdkk.exe75⤵PID:1956
-
C:\Windows\SysWOW64\Bfpdin32.exeC:\Windows\system32\Bfpdin32.exe76⤵PID:3976
-
C:\Windows\SysWOW64\Bjlpjm32.exeC:\Windows\system32\Bjlpjm32.exe77⤵PID:3500
-
C:\Windows\SysWOW64\Bkmmaeap.exeC:\Windows\system32\Bkmmaeap.exe78⤵PID:564
-
C:\Windows\SysWOW64\Bohibc32.exeC:\Windows\system32\Bohibc32.exe79⤵PID:2240
-
C:\Windows\SysWOW64\Bkoigdom.exeC:\Windows\system32\Bkoigdom.exe80⤵PID:2572
-
C:\Windows\SysWOW64\Bfendmoc.exeC:\Windows\system32\Bfendmoc.exe81⤵
- Modifies registry class
PID:4432 -
C:\Windows\SysWOW64\Bhcjqinf.exeC:\Windows\system32\Bhcjqinf.exe82⤵PID:548
-
C:\Windows\SysWOW64\Bcinna32.exeC:\Windows\system32\Bcinna32.exe83⤵PID:1264
-
C:\Windows\SysWOW64\Bfgjjm32.exeC:\Windows\system32\Bfgjjm32.exe84⤵PID:5104
-
C:\Windows\SysWOW64\Bkdcbd32.exeC:\Windows\system32\Bkdcbd32.exe85⤵PID:3608
-
C:\Windows\SysWOW64\Bbnkonbd.exeC:\Windows\system32\Bbnkonbd.exe86⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2648 -
C:\Windows\SysWOW64\Cihclh32.exeC:\Windows\system32\Cihclh32.exe87⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:4324 -
C:\Windows\SysWOW64\Cobkhb32.exeC:\Windows\system32\Cobkhb32.exe88⤵PID:2928
-
C:\Windows\SysWOW64\Cbphdn32.exeC:\Windows\system32\Cbphdn32.exe89⤵PID:1104
-
C:\Windows\SysWOW64\Cijpahho.exeC:\Windows\system32\Cijpahho.exe90⤵PID:2212
-
C:\Windows\SysWOW64\Ckilmcgb.exeC:\Windows\system32\Ckilmcgb.exe91⤵PID:3028
-
C:\Windows\SysWOW64\Ccpdoqgd.exeC:\Windows\system32\Ccpdoqgd.exe92⤵PID:4872
-
C:\Windows\SysWOW64\Cfnqklgh.exeC:\Windows\system32\Cfnqklgh.exe93⤵PID:2960
-
C:\Windows\SysWOW64\Cimmggfl.exeC:\Windows\system32\Cimmggfl.exe94⤵
- System Location Discovery: System Language Discovery
PID:216 -
C:\Windows\SysWOW64\Ckkiccep.exeC:\Windows\system32\Ckkiccep.exe95⤵PID:2032
-
C:\Windows\SysWOW64\Ccbadp32.exeC:\Windows\system32\Ccbadp32.exe96⤵
- Modifies registry class
PID:408 -
C:\Windows\SysWOW64\Cbeapmll.exeC:\Windows\system32\Cbeapmll.exe97⤵PID:988
-
C:\Windows\SysWOW64\Cioilg32.exeC:\Windows\system32\Cioilg32.exe98⤵PID:3152
-
C:\Windows\SysWOW64\Cmjemflb.exeC:\Windows\system32\Cmjemflb.exe99⤵
- System Location Discovery: System Language Discovery
PID:4400 -
C:\Windows\SysWOW64\Ccdnjp32.exeC:\Windows\system32\Ccdnjp32.exe100⤵
- Modifies registry class
PID:3796 -
C:\Windows\SysWOW64\Cfcjfk32.exeC:\Windows\system32\Cfcjfk32.exe101⤵PID:1872
-
C:\Windows\SysWOW64\Ciafbg32.exeC:\Windows\system32\Ciafbg32.exe102⤵
- System Location Discovery: System Language Discovery
PID:3280 -
C:\Windows\SysWOW64\Ckpbnb32.exeC:\Windows\system32\Ckpbnb32.exe103⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1708 -
C:\Windows\SysWOW64\Ccgjopal.exeC:\Windows\system32\Ccgjopal.exe104⤵PID:1188
-
C:\Windows\SysWOW64\Dbjkkl32.exeC:\Windows\system32\Dbjkkl32.exe105⤵PID:4152
-
C:\Windows\SysWOW64\Djqblj32.exeC:\Windows\system32\Djqblj32.exe106⤵PID:1896
-
C:\Windows\SysWOW64\Diccgfpd.exeC:\Windows\system32\Diccgfpd.exe107⤵
- Modifies registry class
PID:1216 -
C:\Windows\SysWOW64\Dkbocbog.exeC:\Windows\system32\Dkbocbog.exe108⤵
- Drops file in System32 directory
PID:2728 -
C:\Windows\SysWOW64\Dblgpl32.exeC:\Windows\system32\Dblgpl32.exe109⤵PID:4780
-
C:\Windows\SysWOW64\Djcoai32.exeC:\Windows\system32\Djcoai32.exe110⤵PID:5176
-
C:\Windows\SysWOW64\Difpmfna.exeC:\Windows\system32\Difpmfna.exe111⤵PID:5240
-
C:\Windows\SysWOW64\Dkdliame.exeC:\Windows\system32\Dkdliame.exe112⤵
- Modifies registry class
PID:5300 -
C:\Windows\SysWOW64\Dpphjp32.exeC:\Windows\system32\Dpphjp32.exe113⤵PID:5344
-
C:\Windows\SysWOW64\Dckdjomg.exeC:\Windows\system32\Dckdjomg.exe114⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5392 -
C:\Windows\SysWOW64\Dfjpfj32.exeC:\Windows\system32\Dfjpfj32.exe115⤵PID:5440
-
C:\Windows\SysWOW64\Dihlbf32.exeC:\Windows\system32\Dihlbf32.exe116⤵PID:5488
-
C:\Windows\SysWOW64\Dmdhcddh.exeC:\Windows\system32\Dmdhcddh.exe117⤵PID:5532
-
C:\Windows\SysWOW64\Dpbdopck.exeC:\Windows\system32\Dpbdopck.exe118⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5592 -
C:\Windows\SysWOW64\Dbqqkkbo.exeC:\Windows\system32\Dbqqkkbo.exe119⤵PID:5640
-
C:\Windows\SysWOW64\Djhimica.exeC:\Windows\system32\Djhimica.exe120⤵PID:5688
-
C:\Windows\SysWOW64\Dmfeidbe.exeC:\Windows\system32\Dmfeidbe.exe121⤵PID:5744
-
C:\Windows\SysWOW64\Dbcmakpl.exeC:\Windows\system32\Dbcmakpl.exe122⤵PID:5788
-
C:\Windows\SysWOW64\Ecbjkngo.exeC:\Windows\system32\Ecbjkngo.exe123⤵PID:5840
-
C:\Windows\SysWOW64\Efafgifc.exeC:\Windows\system32\Efafgifc.exe124⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5884 -
C:\Windows\SysWOW64\Emkndc32.exeC:\Windows\system32\Emkndc32.exe125⤵PID:5928
-
C:\Windows\SysWOW64\Elnoopdj.exeC:\Windows\system32\Elnoopdj.exe126⤵PID:5972
-
C:\Windows\SysWOW64\Ebhglj32.exeC:\Windows\system32\Ebhglj32.exe127⤵
- Drops file in System32 directory
PID:6016 -
C:\Windows\SysWOW64\Efccmidp.exeC:\Windows\system32\Efccmidp.exe128⤵
- System Location Discovery: System Language Discovery
PID:6060 -
C:\Windows\SysWOW64\Eiaoid32.exeC:\Windows\system32\Eiaoid32.exe129⤵PID:6104
-
C:\Windows\SysWOW64\Elpkep32.exeC:\Windows\system32\Elpkep32.exe130⤵PID:5136
-
C:\Windows\SysWOW64\Emphocjj.exeC:\Windows\system32\Emphocjj.exe131⤵
- Drops file in System32 directory
PID:5216 -
C:\Windows\SysWOW64\Elbhjp32.exeC:\Windows\system32\Elbhjp32.exe132⤵PID:5336
-
C:\Windows\SysWOW64\Efhlhh32.exeC:\Windows\system32\Efhlhh32.exe133⤵PID:5404
-
C:\Windows\SysWOW64\Ejchhgid.exeC:\Windows\system32\Ejchhgid.exe134⤵PID:5480
-
C:\Windows\SysWOW64\Embddb32.exeC:\Windows\system32\Embddb32.exe135⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5544 -
C:\Windows\SysWOW64\Eppqqn32.exeC:\Windows\system32\Eppqqn32.exe136⤵PID:5636
-
C:\Windows\SysWOW64\Eclmamod.exeC:\Windows\system32\Eclmamod.exe137⤵PID:5740
-
C:\Windows\SysWOW64\Ejfeng32.exeC:\Windows\system32\Ejfeng32.exe138⤵PID:5796
-
C:\Windows\SysWOW64\Eiieicml.exeC:\Windows\system32\Eiieicml.exe139⤵PID:5868
-
C:\Windows\SysWOW64\Fpbmfn32.exeC:\Windows\system32\Fpbmfn32.exe140⤵PID:5968
-
C:\Windows\SysWOW64\Fcniglmb.exeC:\Windows\system32\Fcniglmb.exe141⤵PID:6004
-
C:\Windows\SysWOW64\Fjhacf32.exeC:\Windows\system32\Fjhacf32.exe142⤵PID:6068
-
C:\Windows\SysWOW64\Fikbocki.exeC:\Windows\system32\Fikbocki.exe143⤵
- Drops file in System32 directory
PID:6136 -
C:\Windows\SysWOW64\Fmfnpa32.exeC:\Windows\system32\Fmfnpa32.exe144⤵PID:5256
-
C:\Windows\SysWOW64\Fbcfhibj.exeC:\Windows\system32\Fbcfhibj.exe145⤵PID:5380
-
C:\Windows\SysWOW64\Fjjnifbl.exeC:\Windows\system32\Fjjnifbl.exe146⤵PID:5548
-
C:\Windows\SysWOW64\Fpggamqc.exeC:\Windows\system32\Fpggamqc.exe147⤵PID:5616
-
C:\Windows\SysWOW64\Fdccbl32.exeC:\Windows\system32\Fdccbl32.exe148⤵PID:5772
-
C:\Windows\SysWOW64\Fjmkoeqi.exeC:\Windows\system32\Fjmkoeqi.exe149⤵PID:5876
-
C:\Windows\SysWOW64\Fmkgkapm.exeC:\Windows\system32\Fmkgkapm.exe150⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:5984 -
C:\Windows\SysWOW64\Fpjcgm32.exeC:\Windows\system32\Fpjcgm32.exe151⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6052 -
C:\Windows\SysWOW64\Fdepgkgj.exeC:\Windows\system32\Fdepgkgj.exe152⤵PID:5188
-
C:\Windows\SysWOW64\Fjohde32.exeC:\Windows\system32\Fjohde32.exe153⤵PID:5416
-
C:\Windows\SysWOW64\Fibhpbea.exeC:\Windows\system32\Fibhpbea.exe154⤵PID:5624
-
C:\Windows\SysWOW64\Flqdlnde.exeC:\Windows\system32\Flqdlnde.exe155⤵PID:5804
-
C:\Windows\SysWOW64\Fdglmkeg.exeC:\Windows\system32\Fdglmkeg.exe156⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1948 -
C:\Windows\SysWOW64\Fffhifdk.exeC:\Windows\system32\Fffhifdk.exe157⤵PID:5124
-
C:\Windows\SysWOW64\Fmpqfq32.exeC:\Windows\system32\Fmpqfq32.exe158⤵PID:5476
-
C:\Windows\SysWOW64\Glcaambb.exeC:\Windows\system32\Glcaambb.exe159⤵PID:5728
-
C:\Windows\SysWOW64\Gbmingjo.exeC:\Windows\system32\Gbmingjo.exe160⤵
- System Location Discovery: System Language Discovery
PID:6028 -
C:\Windows\SysWOW64\Gjdaodja.exeC:\Windows\system32\Gjdaodja.exe161⤵PID:5376
-
C:\Windows\SysWOW64\Gmbmkpie.exeC:\Windows\system32\Gmbmkpie.exe162⤵PID:6056
-
C:\Windows\SysWOW64\Gpqjglii.exeC:\Windows\system32\Gpqjglii.exe163⤵PID:5512
-
C:\Windows\SysWOW64\Gbofcghl.exeC:\Windows\system32\Gbofcghl.exe164⤵PID:5472
-
C:\Windows\SysWOW64\Gjfnedho.exeC:\Windows\system32\Gjfnedho.exe165⤵PID:5964
-
C:\Windows\SysWOW64\Glgjlm32.exeC:\Windows\system32\Glgjlm32.exe166⤵PID:6160
-
C:\Windows\SysWOW64\Gdobnj32.exeC:\Windows\system32\Gdobnj32.exe167⤵PID:6204
-
C:\Windows\SysWOW64\Gbabigfj.exeC:\Windows\system32\Gbabigfj.exe168⤵
- Modifies registry class
PID:6248 -
C:\Windows\SysWOW64\Gikkfqmf.exeC:\Windows\system32\Gikkfqmf.exe169⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6292 -
C:\Windows\SysWOW64\Gljgbllj.exeC:\Windows\system32\Gljgbllj.exe170⤵PID:6336
-
C:\Windows\SysWOW64\Gdaociml.exeC:\Windows\system32\Gdaociml.exe171⤵PID:6380
-
C:\Windows\SysWOW64\Gkkgpc32.exeC:\Windows\system32\Gkkgpc32.exe172⤵
- Drops file in System32 directory
PID:6424 -
C:\Windows\SysWOW64\Gingkqkd.exeC:\Windows\system32\Gingkqkd.exe173⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:6468 -
C:\Windows\SysWOW64\Glldgljg.exeC:\Windows\system32\Glldgljg.exe174⤵
- System Location Discovery: System Language Discovery
PID:6512 -
C:\Windows\SysWOW64\Gdcliikj.exeC:\Windows\system32\Gdcliikj.exe175⤵
- Drops file in System32 directory
PID:6556 -
C:\Windows\SysWOW64\Gkmdecbg.exeC:\Windows\system32\Gkmdecbg.exe176⤵
- System Location Discovery: System Language Discovery
PID:6596 -
C:\Windows\SysWOW64\Gipdap32.exeC:\Windows\system32\Gipdap32.exe177⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6640 -
C:\Windows\SysWOW64\Hdehni32.exeC:\Windows\system32\Hdehni32.exe178⤵PID:6684
-
C:\Windows\SysWOW64\Hibafp32.exeC:\Windows\system32\Hibafp32.exe179⤵
- System Location Discovery: System Language Discovery
PID:6728 -
C:\Windows\SysWOW64\Hmnmgnoh.exeC:\Windows\system32\Hmnmgnoh.exe180⤵
- System Location Discovery: System Language Discovery
PID:6772 -
C:\Windows\SysWOW64\Hplicjok.exeC:\Windows\system32\Hplicjok.exe181⤵PID:6816
-
C:\Windows\SysWOW64\Hckeoeno.exeC:\Windows\system32\Hckeoeno.exe182⤵PID:6880
-
C:\Windows\SysWOW64\Hienlpel.exeC:\Windows\system32\Hienlpel.exe183⤵
- Modifies registry class
PID:6924 -
C:\Windows\SysWOW64\Hmpjmn32.exeC:\Windows\system32\Hmpjmn32.exe184⤵PID:6964
-
C:\Windows\SysWOW64\Hpofii32.exeC:\Windows\system32\Hpofii32.exe185⤵PID:7008
-
C:\Windows\SysWOW64\Hdjbiheb.exeC:\Windows\system32\Hdjbiheb.exe186⤵PID:7052
-
C:\Windows\SysWOW64\Hginecde.exeC:\Windows\system32\Hginecde.exe187⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:7096 -
C:\Windows\SysWOW64\Higjaoci.exeC:\Windows\system32\Higjaoci.exe188⤵PID:7140
-
C:\Windows\SysWOW64\Hlegnjbm.exeC:\Windows\system32\Hlegnjbm.exe189⤵PID:6168
-
C:\Windows\SysWOW64\Hdmoohbo.exeC:\Windows\system32\Hdmoohbo.exe190⤵PID:6236
-
C:\Windows\SysWOW64\Hgkkkcbc.exeC:\Windows\system32\Hgkkkcbc.exe191⤵PID:6304
-
C:\Windows\SysWOW64\Hiiggoaf.exeC:\Windows\system32\Hiiggoaf.exe192⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6376 -
C:\Windows\SysWOW64\Hlhccj32.exeC:\Windows\system32\Hlhccj32.exe193⤵PID:6452
-
C:\Windows\SysWOW64\Hdokdg32.exeC:\Windows\system32\Hdokdg32.exe194⤵PID:6544
-
C:\Windows\SysWOW64\Hgmgqc32.exeC:\Windows\system32\Hgmgqc32.exe195⤵PID:6588
-
C:\Windows\SysWOW64\Hildmn32.exeC:\Windows\system32\Hildmn32.exe196⤵PID:6668
-
C:\Windows\SysWOW64\Iljpij32.exeC:\Windows\system32\Iljpij32.exe197⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6792 -
C:\Windows\SysWOW64\Idahjg32.exeC:\Windows\system32\Idahjg32.exe198⤵PID:6868
-
C:\Windows\SysWOW64\Igpdfb32.exeC:\Windows\system32\Igpdfb32.exe199⤵
- Drops file in System32 directory
PID:6940 -
C:\Windows\SysWOW64\Iinqbn32.exeC:\Windows\system32\Iinqbn32.exe200⤵PID:6992
-
C:\Windows\SysWOW64\Injmcmej.exeC:\Windows\system32\Injmcmej.exe201⤵PID:7084
-
C:\Windows\SysWOW64\Idcepgmg.exeC:\Windows\system32\Idcepgmg.exe202⤵PID:7156
-
C:\Windows\SysWOW64\Igbalblk.exeC:\Windows\system32\Igbalblk.exe203⤵PID:6220
-
C:\Windows\SysWOW64\Ijqmhnko.exeC:\Windows\system32\Ijqmhnko.exe204⤵PID:6324
-
C:\Windows\SysWOW64\Iloidijb.exeC:\Windows\system32\Iloidijb.exe205⤵
- Drops file in System32 directory
PID:6444 -
C:\Windows\SysWOW64\Idfaefkd.exeC:\Windows\system32\Idfaefkd.exe206⤵PID:6564
-
C:\Windows\SysWOW64\Igdnabjh.exeC:\Windows\system32\Igdnabjh.exe207⤵PID:6672
-
C:\Windows\SysWOW64\Ijcjmmil.exeC:\Windows\system32\Ijcjmmil.exe208⤵PID:6836
-
C:\Windows\SysWOW64\Innfnl32.exeC:\Windows\system32\Innfnl32.exe209⤵PID:6952
-
C:\Windows\SysWOW64\Ipmbjgpi.exeC:\Windows\system32\Ipmbjgpi.exe210⤵PID:7060
-
C:\Windows\SysWOW64\Icknfcol.exeC:\Windows\system32\Icknfcol.exe211⤵PID:6156
-
C:\Windows\SysWOW64\Ikbfgppo.exeC:\Windows\system32\Ikbfgppo.exe212⤵
- Modifies registry class
PID:6284 -
C:\Windows\SysWOW64\Inqbclob.exeC:\Windows\system32\Inqbclob.exe213⤵PID:6476
-
C:\Windows\SysWOW64\Ilccoh32.exeC:\Windows\system32\Ilccoh32.exe214⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6620 -
C:\Windows\SysWOW64\Icnklbmj.exeC:\Windows\system32\Icnklbmj.exe215⤵PID:6828
-
C:\Windows\SysWOW64\Igigla32.exeC:\Windows\system32\Igigla32.exe216⤵PID:7020
-
C:\Windows\SysWOW64\Jjgchm32.exeC:\Windows\system32\Jjgchm32.exe217⤵
- Modifies registry class
PID:6244 -
C:\Windows\SysWOW64\Jlfpdh32.exeC:\Windows\system32\Jlfpdh32.exe218⤵PID:6524
-
C:\Windows\SysWOW64\Jdmgfedl.exeC:\Windows\system32\Jdmgfedl.exe219⤵PID:6804
-
C:\Windows\SysWOW64\Jjjpnlbd.exeC:\Windows\system32\Jjjpnlbd.exe220⤵PID:7128
-
C:\Windows\SysWOW64\Jnelok32.exeC:\Windows\system32\Jnelok32.exe221⤵
- System Location Discovery: System Language Discovery
PID:6408 -
C:\Windows\SysWOW64\Jpdhkf32.exeC:\Windows\system32\Jpdhkf32.exe222⤵PID:6980
-
C:\Windows\SysWOW64\Jcbdgb32.exeC:\Windows\system32\Jcbdgb32.exe223⤵PID:6692
-
C:\Windows\SysWOW64\Jjlmclqa.exeC:\Windows\system32\Jjlmclqa.exe224⤵PID:6348
-
C:\Windows\SysWOW64\Jnhidk32.exeC:\Windows\system32\Jnhidk32.exe225⤵PID:6300
-
C:\Windows\SysWOW64\Jpfepf32.exeC:\Windows\system32\Jpfepf32.exe226⤵PID:7176
-
C:\Windows\SysWOW64\Jdaaaeqg.exeC:\Windows\system32\Jdaaaeqg.exe227⤵PID:7220
-
C:\Windows\SysWOW64\Jklinohd.exeC:\Windows\system32\Jklinohd.exe228⤵
- Modifies registry class
PID:7264 -
C:\Windows\SysWOW64\Jnjejjgh.exeC:\Windows\system32\Jnjejjgh.exe229⤵PID:7308
-
C:\Windows\SysWOW64\Jqhafffk.exeC:\Windows\system32\Jqhafffk.exe230⤵PID:7352
-
C:\Windows\SysWOW64\Jcgnbaeo.exeC:\Windows\system32\Jcgnbaeo.exe231⤵PID:7396
-
C:\Windows\SysWOW64\Jknfcofa.exeC:\Windows\system32\Jknfcofa.exe232⤵
- Modifies registry class
PID:7440 -
C:\Windows\SysWOW64\Jjafok32.exeC:\Windows\system32\Jjafok32.exe233⤵PID:7484
-
C:\Windows\SysWOW64\Jlobkg32.exeC:\Windows\system32\Jlobkg32.exe234⤵
- System Location Discovery: System Language Discovery
PID:7532 -
C:\Windows\SysWOW64\Jdfjld32.exeC:\Windows\system32\Jdfjld32.exe235⤵
- Drops file in System32 directory
PID:7576 -
C:\Windows\SysWOW64\Jgeghp32.exeC:\Windows\system32\Jgeghp32.exe236⤵PID:7620
-
C:\Windows\SysWOW64\Kkpbin32.exeC:\Windows\system32\Kkpbin32.exe237⤵PID:7664
-
C:\Windows\SysWOW64\Kmaopfjm.exeC:\Windows\system32\Kmaopfjm.exe238⤵
- Modifies registry class
PID:7708 -
C:\Windows\SysWOW64\Kdigadjo.exeC:\Windows\system32\Kdigadjo.exe239⤵PID:7752
-
C:\Windows\SysWOW64\Kggcnoic.exeC:\Windows\system32\Kggcnoic.exe240⤵PID:7796
-
C:\Windows\SysWOW64\Kjepjkhf.exeC:\Windows\system32\Kjepjkhf.exe241⤵PID:7840
-
C:\Windows\SysWOW64\Kmdlffhj.exeC:\Windows\system32\Kmdlffhj.exe242⤵PID:7884