Analysis
-
max time kernel
120s -
max time network
19s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system -
submitted
15/10/2024, 03:50
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
8cfe3d0af3d0ee6916a4942957dbe3651ea5bcba53fc495239271024af44932aN.exe
Resource
win7-20241010-en
windows7-x64
8 signatures
120 seconds
Behavioral task
behavioral2
Sample
8cfe3d0af3d0ee6916a4942957dbe3651ea5bcba53fc495239271024af44932aN.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
8 signatures
120 seconds
General
-
Target
8cfe3d0af3d0ee6916a4942957dbe3651ea5bcba53fc495239271024af44932aN.exe
-
Size
92KB
-
MD5
5d1e7b843c4c6c234441fe8bafac75c0
-
SHA1
b73f4f745022c6930c7c0260acba38ea49778dc2
-
SHA256
8cfe3d0af3d0ee6916a4942957dbe3651ea5bcba53fc495239271024af44932a
-
SHA512
bb4ebe058fe1f79fad02030bcccb663e773054aa78eb83314dd4e299b5d9e736fa2776ede4dafdc7158e7c54ecbc743fdd07e34ef7ed78eed0883fac9f31afde
-
SSDEEP
1536:PT6DeY7Rw7pdE5yFVnowfbk7Bvr4pjn5hDT5OsnKQrUoR24HsUs:b6DZwdC5yFGP9rOj5tT5a6THsR
Score
10/10
Malware Config
Extracted
Family
berbew
C2
http://f/wcmd.htm
http://f/ppslog.php
http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mkbhco32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fbbfmqdm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jnqanbcj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fdlqjf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gpkckneh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lobgah32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nliqoofa.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lgqmhk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mbcofobg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pfpflenm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Oehmamnn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Plbbmjhf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Qnkdeagl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hncjiecj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mkgllndq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jkfkjemd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ejqmahdn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fqnhcgma.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jlgcncli.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Amdmkb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cgfqii32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dghjmlnm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bnfodojp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Khpaidpk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Choejien.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ehlqao32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ggeiooea.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oceaql32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kjfhgp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fmabaf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lgqmhk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pfobjdoe.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ddgcdjip.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hnjonpgg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bilkhbcl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Afebpmal.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pdebladb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bdnmda32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gfjicd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lbgkhoml.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Qokhjjbk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ccjbobnf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Phckglbq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hkidclbb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jcodcp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kanhph32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kmgekh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ainhln32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Badlln32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found -
Executes dropped EXE 64 IoCs
pid Process 2608 Bocckoom.exe 2476 Bedene32.exe 2940 Ccjbobnf.exe 2776 Ccloea32.exe 2964 Cfmhfm32.exe 676 Ccceeqfl.exe 2720 Dmljnfll.exe 2212 Dlqgob32.exe 2924 Dhggdcgh.exe 592 Dodlfmlb.exe 2312 Dkkmln32.exe 2040 Ekmjanpd.exe 1280 Emncci32.exe 2256 Eekdmk32.exe 2416 Ecodfogg.exe 768 Fhnjdfcl.exe 1672 Fagnmkjm.exe 2544 Fgfckbfa.exe 2716 Fqnhcgma.exe 916 Fdlqjf32.exe 936 Gjiibm32.exe 304 Gfpjgn32.exe 2632 Ghnfci32.exe 548 Gdgcnj32.exe 2220 Gnphfppi.exe 2324 Gghloe32.exe 2616 Hndaao32.exe 2204 Hfbckagm.exe 3008 Hcfceeff.exe 2060 Ilceog32.exe 2580 Ieligmho.exe 2772 Ilhnjfmi.exe 1384 Jfiekc32.exe 940 Jpcfih32.exe 1496 Jinghn32.exe 1500 Kiqdmm32.exe 2316 Kaliaphd.exe 1040 Kkdnke32.exe 1140 Kpcbhlki.exe 1760 Kpeonkig.exe 2920 Ljpqlqmd.exe 2136 Llainlje.exe 1980 Llcfck32.exe 1420 Ldokhn32.exe 2376 Lodoefed.exe 2052 Mfngbq32.exe 3060 Moflkfca.exe 1684 Mdcdcmai.exe 1696 Mbgela32.exe 2084 Mgdmeh32.exe 2684 Mmafmo32.exe 1824 Mcknjidn.exe 1148 Mmcbbo32.exe 2892 Mgigpgkd.exe 3052 Npdkdjhp.exe 2796 Nilpmo32.exe 2864 Nbddfe32.exe 2096 Nmjicn32.exe 2844 Nbgakd32.exe 2552 Niaihojk.exe 2560 Nnnbqeib.exe 1364 Nicfnn32.exe 2456 Nbljfdoh.exe 1628 Onbkle32.exe -
Loads dropped DLL 64 IoCs
pid Process 2340 8cfe3d0af3d0ee6916a4942957dbe3651ea5bcba53fc495239271024af44932aN.exe 2340 8cfe3d0af3d0ee6916a4942957dbe3651ea5bcba53fc495239271024af44932aN.exe 2608 Bocckoom.exe 2608 Bocckoom.exe 2476 Bedene32.exe 2476 Bedene32.exe 2940 Ccjbobnf.exe 2940 Ccjbobnf.exe 2776 Ccloea32.exe 2776 Ccloea32.exe 2964 Cfmhfm32.exe 2964 Cfmhfm32.exe 676 Ccceeqfl.exe 676 Ccceeqfl.exe 2720 Dmljnfll.exe 2720 Dmljnfll.exe 2212 Dlqgob32.exe 2212 Dlqgob32.exe 2924 Dhggdcgh.exe 2924 Dhggdcgh.exe 592 Dodlfmlb.exe 592 Dodlfmlb.exe 2312 Dkkmln32.exe 2312 Dkkmln32.exe 2040 Ekmjanpd.exe 2040 Ekmjanpd.exe 1280 Emncci32.exe 1280 Emncci32.exe 2256 Eekdmk32.exe 2256 Eekdmk32.exe 2416 Ecodfogg.exe 2416 Ecodfogg.exe 768 Fhnjdfcl.exe 768 Fhnjdfcl.exe 1672 Fagnmkjm.exe 1672 Fagnmkjm.exe 2544 Fgfckbfa.exe 2544 Fgfckbfa.exe 2716 Fqnhcgma.exe 2716 Fqnhcgma.exe 916 Fdlqjf32.exe 916 Fdlqjf32.exe 936 Gjiibm32.exe 936 Gjiibm32.exe 304 Gfpjgn32.exe 304 Gfpjgn32.exe 2632 Ghnfci32.exe 2632 Ghnfci32.exe 548 Gdgcnj32.exe 548 Gdgcnj32.exe 2220 Gnphfppi.exe 2220 Gnphfppi.exe 2324 Gghloe32.exe 2324 Gghloe32.exe 2616 Hndaao32.exe 2616 Hndaao32.exe 2204 Hfbckagm.exe 2204 Hfbckagm.exe 3008 Hcfceeff.exe 3008 Hcfceeff.exe 2060 Ilceog32.exe 2060 Ilceog32.exe 2580 Ieligmho.exe 2580 Ieligmho.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Dkfqcd32.dll Apjdin32.exe File opened for modification C:\Windows\SysWOW64\Iianjl32.exe Process not Found File created C:\Windows\SysWOW64\Annpaq32.exe Adekhkng.exe File created C:\Windows\SysWOW64\Lgcooh32.exe Lbffga32.exe File created C:\Windows\SysWOW64\Gmcogf32.exe Ggfgoo32.exe File created C:\Windows\SysWOW64\Lgibjo32.dll Fffckf32.exe File opened for modification C:\Windows\SysWOW64\Kkkigf32.exe Process not Found File created C:\Windows\SysWOW64\Aadfahob.dll Process not Found File opened for modification C:\Windows\SysWOW64\Mboekp32.exe Lpnlid32.exe File created C:\Windows\SysWOW64\Femlbjee.exe Process not Found File created C:\Windows\SysWOW64\Pcllam32.dll Mafmhcam.exe File created C:\Windows\SysWOW64\Npjonlee.exe Nipgab32.exe File created C:\Windows\SysWOW64\Bkpdpg32.dll Bjlnaghp.exe File created C:\Windows\SysWOW64\Mkqnghfk.exe Mmlmmdga.exe File opened for modification C:\Windows\SysWOW64\Fpliec32.exe Fbhhlo32.exe File created C:\Windows\SysWOW64\Anjqdd32.exe Ainhln32.exe File opened for modification C:\Windows\SysWOW64\Efihcpqk.exe Eiehilaa.exe File created C:\Windows\SysWOW64\Kgaejeoc.exe Kqgmnk32.exe File opened for modification C:\Windows\SysWOW64\Ijfadkbm.exe Ianmke32.exe File created C:\Windows\SysWOW64\Cfjfal32.exe Process not Found File created C:\Windows\SysWOW64\Oibanm32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Fanlbekb.exe Process not Found File created C:\Windows\SysWOW64\Pefjbknh.exe Process not Found File created C:\Windows\SysWOW64\Lclijeeg.dll Mfngbq32.exe File created C:\Windows\SysWOW64\Mhpigk32.exe Mnfhfmhc.exe File created C:\Windows\SysWOW64\Adekhkng.exe Adcobk32.exe File opened for modification C:\Windows\SysWOW64\Mpbfddef.exe Mboekp32.exe File created C:\Windows\SysWOW64\Ahbfnhja.dll Process not Found File created C:\Windows\SysWOW64\Ccfoah32.exe Cbebjpaa.exe File created C:\Windows\SysWOW64\Qoipflcf.exe Process not Found File created C:\Windows\SysWOW64\Dqcqgc32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Lodoefed.exe Ldokhn32.exe File opened for modification C:\Windows\SysWOW64\Eenckc32.exe Eigbfb32.exe File opened for modification C:\Windows\SysWOW64\Ikcpmieg.exe Ibklddof.exe File created C:\Windows\SysWOW64\Cadincif.dll Bhoikfbb.exe File created C:\Windows\SysWOW64\Fdieagcj.dll Onmkhlph.exe File created C:\Windows\SysWOW64\Bghaabdg.exe Process not Found File opened for modification C:\Windows\SysWOW64\Gdiode32.exe Process not Found File created C:\Windows\SysWOW64\Miijkkno.dll Ghnfci32.exe File created C:\Windows\SysWOW64\Dhkpjknd.dll Oahpahel.exe File created C:\Windows\SysWOW64\Nlfdjphd.exe Nelkme32.exe File opened for modification C:\Windows\SysWOW64\Mdjppnkk.exe Process not Found File opened for modification C:\Windows\SysWOW64\Cbhahigb.exe Process not Found File created C:\Windows\SysWOW64\Mdigakic.exe Mfdjpo32.exe File opened for modification C:\Windows\SysWOW64\Dpiobh32.exe Deckeo32.exe File opened for modification C:\Windows\SysWOW64\Fgaibb32.exe Process not Found File created C:\Windows\SysWOW64\Dddkng32.dll Process not Found File created C:\Windows\SysWOW64\Icohfi32.exe Process not Found File created C:\Windows\SysWOW64\Ddnaonia.exe Dlfina32.exe File created C:\Windows\SysWOW64\Kmocck32.dll Mnfhfmhc.exe File opened for modification C:\Windows\SysWOW64\Npecjdaf.exe Nocgbl32.exe File created C:\Windows\SysWOW64\Cpcaeghc.exe Cdlppf32.exe File opened for modification C:\Windows\SysWOW64\Poapbn32.exe Poocmo32.exe File created C:\Windows\SysWOW64\Bqpejh32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Dmklikob.exe Process not Found File opened for modification C:\Windows\SysWOW64\Nfhefc32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Hobeipoc.exe Process not Found File opened for modification C:\Windows\SysWOW64\Hgjdcghp.exe Hghhngjb.exe File created C:\Windows\SysWOW64\Aahljedc.dll Flhnqf32.exe File opened for modification C:\Windows\SysWOW64\Plbbmjhf.exe Ponadfim.exe File created C:\Windows\SysWOW64\Cdjcmcoc.exe Process not Found File created C:\Windows\SysWOW64\Lbffga32.exe Lebemmbk.exe File created C:\Windows\SysWOW64\Iihhmhng.exe Ildhcd32.exe File created C:\Windows\SysWOW64\Hpgeedcn.dll Process not Found -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ocpakg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aacjba32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Daqoafkh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fbchfi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fiopah32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lljolodf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Djnbdlla.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fbbfmqdm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ieglfd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Enmbeehg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jgljfmkd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Okgnna32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nmjicn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cnfnlk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Necandjo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aqnjml32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ehpjmoio.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Folknlae.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Epmcqf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oeqmek32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cleaebna.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Akhopj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gqmmhdka.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oahpahel.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ipipllec.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ddmohbln.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jcpidagc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hbafel32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kplfmfmf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ajqoqm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bikemiik.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kmgekh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ogldfl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gjjlfjoo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jkpkepnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mmcbbo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nidoamch.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pjchjcmf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gngdadoj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Liaggk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mboekp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ddbegmqm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Phckglbq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fjhjlm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pieobaiq.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dbmaah32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Amfcfk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnbigjmn.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Iblcjohm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kceganoe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Plmdeaaf.dll" Pghmeikh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mhklfbcj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Djcpqidc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cghmni32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jgljfmkd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jnqanbcj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pgnhiaof.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ipipllec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Onognkne.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcgdnd32.dll" Ilhnjfmi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fmengo32.dll" Pieobaiq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdhbhf32.dll" Qnagbc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmcelehb.dll" Cbebjpaa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbgekp32.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Opohmhnb.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Eolljk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bofbih32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jnelkg32.dll" Boppmf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bedene32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hacdjlag.dll" Nidoamch.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kchhholk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Aihjpman.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hafbid32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nlngdfab.dll" Ikhlaaif.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Amfcfk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Emieflec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kililk32.dll" Pfhghgie.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bbmggp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Lbffga32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cfmhfm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Acnpjj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dbfaopqo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Lheilofe.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Nekbjf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Qedjib32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ioopon32.dll" Kdefdjnl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Niqijkel.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fcbjon32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Apbblg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ehilgikj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lmqbqb32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdkmmh32.dll" Oeqmek32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Klipfpeh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dgaijn32.dll" Klipfpeh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Eemded32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2340 wrote to memory of 2608 2340 8cfe3d0af3d0ee6916a4942957dbe3651ea5bcba53fc495239271024af44932aN.exe 29 PID 2340 wrote to memory of 2608 2340 8cfe3d0af3d0ee6916a4942957dbe3651ea5bcba53fc495239271024af44932aN.exe 29 PID 2340 wrote to memory of 2608 2340 8cfe3d0af3d0ee6916a4942957dbe3651ea5bcba53fc495239271024af44932aN.exe 29 PID 2340 wrote to memory of 2608 2340 8cfe3d0af3d0ee6916a4942957dbe3651ea5bcba53fc495239271024af44932aN.exe 29 PID 2608 wrote to memory of 2476 2608 Bocckoom.exe 30 PID 2608 wrote to memory of 2476 2608 Bocckoom.exe 30 PID 2608 wrote to memory of 2476 2608 Bocckoom.exe 30 PID 2608 wrote to memory of 2476 2608 Bocckoom.exe 30 PID 2476 wrote to memory of 2940 2476 Bedene32.exe 31 PID 2476 wrote to memory of 2940 2476 Bedene32.exe 31 PID 2476 wrote to memory of 2940 2476 Bedene32.exe 31 PID 2476 wrote to memory of 2940 2476 Bedene32.exe 31 PID 2940 wrote to memory of 2776 2940 Ccjbobnf.exe 32 PID 2940 wrote to memory of 2776 2940 Ccjbobnf.exe 32 PID 2940 wrote to memory of 2776 2940 Ccjbobnf.exe 32 PID 2940 wrote to memory of 2776 2940 Ccjbobnf.exe 32 PID 2776 wrote to memory of 2964 2776 Ccloea32.exe 33 PID 2776 wrote to memory of 2964 2776 Ccloea32.exe 33 PID 2776 wrote to memory of 2964 2776 Ccloea32.exe 33 PID 2776 wrote to memory of 2964 2776 Ccloea32.exe 33 PID 2964 wrote to memory of 676 2964 Cfmhfm32.exe 34 PID 2964 wrote to memory of 676 2964 Cfmhfm32.exe 34 PID 2964 wrote to memory of 676 2964 Cfmhfm32.exe 34 PID 2964 wrote to memory of 676 2964 Cfmhfm32.exe 34 PID 676 wrote to memory of 2720 676 Ccceeqfl.exe 35 PID 676 wrote to memory of 2720 676 Ccceeqfl.exe 35 PID 676 wrote to memory of 2720 676 Ccceeqfl.exe 35 PID 676 wrote to memory of 2720 676 Ccceeqfl.exe 35 PID 2720 wrote to memory of 2212 2720 Dmljnfll.exe 36 PID 2720 wrote to memory of 2212 2720 Dmljnfll.exe 36 PID 2720 wrote to memory of 2212 2720 Dmljnfll.exe 36 PID 2720 wrote to memory of 2212 2720 Dmljnfll.exe 36 PID 2212 wrote to memory of 2924 2212 Dlqgob32.exe 37 PID 2212 wrote to memory of 2924 2212 Dlqgob32.exe 37 PID 2212 wrote to memory of 2924 2212 Dlqgob32.exe 37 PID 2212 wrote to memory of 2924 2212 Dlqgob32.exe 37 PID 2924 wrote to memory of 592 2924 Dhggdcgh.exe 38 PID 2924 wrote to memory of 592 2924 Dhggdcgh.exe 38 PID 2924 wrote to memory of 592 2924 Dhggdcgh.exe 38 PID 2924 wrote to memory of 592 2924 Dhggdcgh.exe 38 PID 592 wrote to memory of 2312 592 Dodlfmlb.exe 39 PID 592 wrote to memory of 2312 592 Dodlfmlb.exe 39 PID 592 wrote to memory of 2312 592 Dodlfmlb.exe 39 PID 592 wrote to memory of 2312 592 Dodlfmlb.exe 39 PID 2312 wrote to memory of 2040 2312 Dkkmln32.exe 40 PID 2312 wrote to memory of 2040 2312 Dkkmln32.exe 40 PID 2312 wrote to memory of 2040 2312 Dkkmln32.exe 40 PID 2312 wrote to memory of 2040 2312 Dkkmln32.exe 40 PID 2040 wrote to memory of 1280 2040 Ekmjanpd.exe 41 PID 2040 wrote to memory of 1280 2040 Ekmjanpd.exe 41 PID 2040 wrote to memory of 1280 2040 Ekmjanpd.exe 41 PID 2040 wrote to memory of 1280 2040 Ekmjanpd.exe 41 PID 1280 wrote to memory of 2256 1280 Emncci32.exe 42 PID 1280 wrote to memory of 2256 1280 Emncci32.exe 42 PID 1280 wrote to memory of 2256 1280 Emncci32.exe 42 PID 1280 wrote to memory of 2256 1280 Emncci32.exe 42 PID 2256 wrote to memory of 2416 2256 Eekdmk32.exe 43 PID 2256 wrote to memory of 2416 2256 Eekdmk32.exe 43 PID 2256 wrote to memory of 2416 2256 Eekdmk32.exe 43 PID 2256 wrote to memory of 2416 2256 Eekdmk32.exe 43 PID 2416 wrote to memory of 768 2416 Ecodfogg.exe 44 PID 2416 wrote to memory of 768 2416 Ecodfogg.exe 44 PID 2416 wrote to memory of 768 2416 Ecodfogg.exe 44 PID 2416 wrote to memory of 768 2416 Ecodfogg.exe 44
Processes
-
C:\Users\Admin\AppData\Local\Temp\8cfe3d0af3d0ee6916a4942957dbe3651ea5bcba53fc495239271024af44932aN.exe"C:\Users\Admin\AppData\Local\Temp\8cfe3d0af3d0ee6916a4942957dbe3651ea5bcba53fc495239271024af44932aN.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2340 -
C:\Windows\SysWOW64\Bocckoom.exeC:\Windows\system32\Bocckoom.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2608 -
C:\Windows\SysWOW64\Bedene32.exeC:\Windows\system32\Bedene32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2476 -
C:\Windows\SysWOW64\Ccjbobnf.exeC:\Windows\system32\Ccjbobnf.exe4⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2940 -
C:\Windows\SysWOW64\Ccloea32.exeC:\Windows\system32\Ccloea32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2776 -
C:\Windows\SysWOW64\Cfmhfm32.exeC:\Windows\system32\Cfmhfm32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2964 -
C:\Windows\SysWOW64\Ccceeqfl.exeC:\Windows\system32\Ccceeqfl.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:676 -
C:\Windows\SysWOW64\Dmljnfll.exeC:\Windows\system32\Dmljnfll.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2720 -
C:\Windows\SysWOW64\Dlqgob32.exeC:\Windows\system32\Dlqgob32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2212 -
C:\Windows\SysWOW64\Dhggdcgh.exeC:\Windows\system32\Dhggdcgh.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2924 -
C:\Windows\SysWOW64\Dodlfmlb.exeC:\Windows\system32\Dodlfmlb.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:592 -
C:\Windows\SysWOW64\Dkkmln32.exeC:\Windows\system32\Dkkmln32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2312 -
C:\Windows\SysWOW64\Ekmjanpd.exeC:\Windows\system32\Ekmjanpd.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2040 -
C:\Windows\SysWOW64\Emncci32.exeC:\Windows\system32\Emncci32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1280 -
C:\Windows\SysWOW64\Eekdmk32.exeC:\Windows\system32\Eekdmk32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2256 -
C:\Windows\SysWOW64\Ecodfogg.exeC:\Windows\system32\Ecodfogg.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2416 -
C:\Windows\SysWOW64\Fhnjdfcl.exeC:\Windows\system32\Fhnjdfcl.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:768 -
C:\Windows\SysWOW64\Fagnmkjm.exeC:\Windows\system32\Fagnmkjm.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1672 -
C:\Windows\SysWOW64\Fgfckbfa.exeC:\Windows\system32\Fgfckbfa.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2544 -
C:\Windows\SysWOW64\Fqnhcgma.exeC:\Windows\system32\Fqnhcgma.exe20⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2716 -
C:\Windows\SysWOW64\Fdlqjf32.exeC:\Windows\system32\Fdlqjf32.exe21⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:916 -
C:\Windows\SysWOW64\Gjiibm32.exeC:\Windows\system32\Gjiibm32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:936 -
C:\Windows\SysWOW64\Gfpjgn32.exeC:\Windows\system32\Gfpjgn32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:304 -
C:\Windows\SysWOW64\Ghnfci32.exeC:\Windows\system32\Ghnfci32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2632 -
C:\Windows\SysWOW64\Gdgcnj32.exeC:\Windows\system32\Gdgcnj32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:548 -
C:\Windows\SysWOW64\Gnphfppi.exeC:\Windows\system32\Gnphfppi.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2220 -
C:\Windows\SysWOW64\Gghloe32.exeC:\Windows\system32\Gghloe32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2324 -
C:\Windows\SysWOW64\Hndaao32.exeC:\Windows\system32\Hndaao32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2616 -
C:\Windows\SysWOW64\Hfbckagm.exeC:\Windows\system32\Hfbckagm.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2204 -
C:\Windows\SysWOW64\Hcfceeff.exeC:\Windows\system32\Hcfceeff.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3008 -
C:\Windows\SysWOW64\Ilceog32.exeC:\Windows\system32\Ilceog32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2060 -
C:\Windows\SysWOW64\Ieligmho.exeC:\Windows\system32\Ieligmho.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2580 -
C:\Windows\SysWOW64\Ilhnjfmi.exeC:\Windows\system32\Ilhnjfmi.exe33⤵
- Executes dropped EXE
- Modifies registry class
PID:2772 -
C:\Windows\SysWOW64\Jfiekc32.exeC:\Windows\system32\Jfiekc32.exe34⤵
- Executes dropped EXE
PID:1384 -
C:\Windows\SysWOW64\Jpcfih32.exeC:\Windows\system32\Jpcfih32.exe35⤵
- Executes dropped EXE
PID:940 -
C:\Windows\SysWOW64\Jinghn32.exeC:\Windows\system32\Jinghn32.exe36⤵
- Executes dropped EXE
PID:1496 -
C:\Windows\SysWOW64\Kiqdmm32.exeC:\Windows\system32\Kiqdmm32.exe37⤵
- Executes dropped EXE
PID:1500 -
C:\Windows\SysWOW64\Kaliaphd.exeC:\Windows\system32\Kaliaphd.exe38⤵
- Executes dropped EXE
PID:2316 -
C:\Windows\SysWOW64\Kkdnke32.exeC:\Windows\system32\Kkdnke32.exe39⤵
- Executes dropped EXE
PID:1040 -
C:\Windows\SysWOW64\Kpcbhlki.exeC:\Windows\system32\Kpcbhlki.exe40⤵
- Executes dropped EXE
PID:1140 -
C:\Windows\SysWOW64\Kpeonkig.exeC:\Windows\system32\Kpeonkig.exe41⤵
- Executes dropped EXE
PID:1760 -
C:\Windows\SysWOW64\Ljpqlqmd.exeC:\Windows\system32\Ljpqlqmd.exe42⤵
- Executes dropped EXE
PID:2920 -
C:\Windows\SysWOW64\Llainlje.exeC:\Windows\system32\Llainlje.exe43⤵
- Executes dropped EXE
PID:2136 -
C:\Windows\SysWOW64\Llcfck32.exeC:\Windows\system32\Llcfck32.exe44⤵
- Executes dropped EXE
PID:1980 -
C:\Windows\SysWOW64\Ldokhn32.exeC:\Windows\system32\Ldokhn32.exe45⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1420 -
C:\Windows\SysWOW64\Lodoefed.exeC:\Windows\system32\Lodoefed.exe46⤵
- Executes dropped EXE
PID:2376 -
C:\Windows\SysWOW64\Mfngbq32.exeC:\Windows\system32\Mfngbq32.exe47⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2052 -
C:\Windows\SysWOW64\Moflkfca.exeC:\Windows\system32\Moflkfca.exe48⤵
- Executes dropped EXE
PID:3060 -
C:\Windows\SysWOW64\Mdcdcmai.exeC:\Windows\system32\Mdcdcmai.exe49⤵
- Executes dropped EXE
PID:1684 -
C:\Windows\SysWOW64\Mbgela32.exeC:\Windows\system32\Mbgela32.exe50⤵
- Executes dropped EXE
PID:1696 -
C:\Windows\SysWOW64\Mgdmeh32.exeC:\Windows\system32\Mgdmeh32.exe51⤵
- Executes dropped EXE
PID:2084 -
C:\Windows\SysWOW64\Mmafmo32.exeC:\Windows\system32\Mmafmo32.exe52⤵
- Executes dropped EXE
PID:2684 -
C:\Windows\SysWOW64\Mcknjidn.exeC:\Windows\system32\Mcknjidn.exe53⤵
- Executes dropped EXE
PID:1824 -
C:\Windows\SysWOW64\Mmcbbo32.exeC:\Windows\system32\Mmcbbo32.exe54⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1148 -
C:\Windows\SysWOW64\Mgigpgkd.exeC:\Windows\system32\Mgigpgkd.exe55⤵
- Executes dropped EXE
PID:2892 -
C:\Windows\SysWOW64\Npdkdjhp.exeC:\Windows\system32\Npdkdjhp.exe56⤵
- Executes dropped EXE
PID:3052 -
C:\Windows\SysWOW64\Nilpmo32.exeC:\Windows\system32\Nilpmo32.exe57⤵
- Executes dropped EXE
PID:2796 -
C:\Windows\SysWOW64\Nbddfe32.exeC:\Windows\system32\Nbddfe32.exe58⤵
- Executes dropped EXE
PID:2864 -
C:\Windows\SysWOW64\Nmjicn32.exeC:\Windows\system32\Nmjicn32.exe59⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2096 -
C:\Windows\SysWOW64\Nbgakd32.exeC:\Windows\system32\Nbgakd32.exe60⤵
- Executes dropped EXE
PID:2844 -
C:\Windows\SysWOW64\Niaihojk.exeC:\Windows\system32\Niaihojk.exe61⤵
- Executes dropped EXE
PID:2552 -
C:\Windows\SysWOW64\Nnnbqeib.exeC:\Windows\system32\Nnnbqeib.exe62⤵
- Executes dropped EXE
PID:2560 -
C:\Windows\SysWOW64\Nicfnn32.exeC:\Windows\system32\Nicfnn32.exe63⤵
- Executes dropped EXE
PID:1364 -
C:\Windows\SysWOW64\Nbljfdoh.exeC:\Windows\system32\Nbljfdoh.exe64⤵
- Executes dropped EXE
PID:2456 -
C:\Windows\SysWOW64\Onbkle32.exeC:\Windows\system32\Onbkle32.exe65⤵
- Executes dropped EXE
PID:1628 -
C:\Windows\SysWOW64\Ojilqf32.exeC:\Windows\system32\Ojilqf32.exe66⤵PID:2536
-
C:\Windows\SysWOW64\Oacdmpan.exeC:\Windows\system32\Oacdmpan.exe67⤵PID:1880
-
C:\Windows\SysWOW64\Oiniaboi.exeC:\Windows\system32\Oiniaboi.exe68⤵PID:848
-
C:\Windows\SysWOW64\Oddmokoo.exeC:\Windows\system32\Oddmokoo.exe69⤵PID:2304
-
C:\Windows\SysWOW64\Opkndldc.exeC:\Windows\system32\Opkndldc.exe70⤵PID:1156
-
C:\Windows\SysWOW64\Oicbma32.exeC:\Windows\system32\Oicbma32.exe71⤵PID:1220
-
C:\Windows\SysWOW64\Popkeh32.exeC:\Windows\system32\Popkeh32.exe72⤵PID:2604
-
C:\Windows\SysWOW64\Pieobaiq.exeC:\Windows\system32\Pieobaiq.exe73⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1632 -
C:\Windows\SysWOW64\Pbnckg32.exeC:\Windows\system32\Pbnckg32.exe74⤵PID:2636
-
C:\Windows\SysWOW64\Phklcn32.exeC:\Windows\system32\Phklcn32.exe75⤵PID:2976
-
C:\Windows\SysWOW64\Peolmb32.exeC:\Windows\system32\Peolmb32.exe76⤵PID:1740
-
C:\Windows\SysWOW64\Phmiimlf.exeC:\Windows\system32\Phmiimlf.exe77⤵PID:2576
-
C:\Windows\SysWOW64\Pmjaadjm.exeC:\Windows\system32\Pmjaadjm.exe78⤵PID:2332
-
C:\Windows\SysWOW64\Phoeomjc.exeC:\Windows\system32\Phoeomjc.exe79⤵PID:620
-
C:\Windows\SysWOW64\Qnagbc32.exeC:\Windows\system32\Qnagbc32.exe80⤵
- Modifies registry class
PID:1900 -
C:\Windows\SysWOW64\Acnpjj32.exeC:\Windows\system32\Acnpjj32.exe81⤵
- Modifies registry class
PID:2360 -
C:\Windows\SysWOW64\Aellfe32.exeC:\Windows\system32\Aellfe32.exe82⤵PID:2288
-
C:\Windows\SysWOW64\Aodqok32.exeC:\Windows\system32\Aodqok32.exe83⤵PID:2520
-
C:\Windows\SysWOW64\Apdminod.exeC:\Windows\system32\Apdminod.exe84⤵PID:2092
-
C:\Windows\SysWOW64\Afqeaemk.exeC:\Windows\system32\Afqeaemk.exe85⤵PID:1544
-
C:\Windows\SysWOW64\Aknnil32.exeC:\Windows\system32\Aknnil32.exe86⤵PID:1328
-
C:\Windows\SysWOW64\Afcbgd32.exeC:\Windows\system32\Afcbgd32.exe87⤵PID:1556
-
C:\Windows\SysWOW64\Akpkok32.exeC:\Windows\system32\Akpkok32.exe88⤵PID:1096
-
C:\Windows\SysWOW64\Adhohapp.exeC:\Windows\system32\Adhohapp.exe89⤵PID:1724
-
C:\Windows\SysWOW64\Bblpae32.exeC:\Windows\system32\Bblpae32.exe90⤵PID:2620
-
C:\Windows\SysWOW64\Bdklnq32.exeC:\Windows\system32\Bdklnq32.exe91⤵PID:2572
-
C:\Windows\SysWOW64\Bjgdfg32.exeC:\Windows\system32\Bjgdfg32.exe92⤵PID:572
-
C:\Windows\SysWOW64\Bnemlf32.exeC:\Windows\system32\Bnemlf32.exe93⤵PID:2788
-
C:\Windows\SysWOW64\Bdoeipjh.exeC:\Windows\system32\Bdoeipjh.exe94⤵PID:2816
-
C:\Windows\SysWOW64\Bjlnaghp.exeC:\Windows\system32\Bjlnaghp.exe95⤵
- Drops file in System32 directory
PID:1976 -
C:\Windows\SysWOW64\Boifinfg.exeC:\Windows\system32\Boifinfg.exe96⤵PID:3044
-
C:\Windows\SysWOW64\Ckgmon32.exeC:\Windows\system32\Ckgmon32.exe97⤵PID:1100
-
C:\Windows\SysWOW64\Cneiki32.exeC:\Windows\system32\Cneiki32.exe98⤵PID:956
-
C:\Windows\SysWOW64\Ckijdm32.exeC:\Windows\system32\Ckijdm32.exe99⤵PID:2692
-
C:\Windows\SysWOW64\Cbcbag32.exeC:\Windows\system32\Cbcbag32.exe100⤵PID:2696
-
C:\Windows\SysWOW64\Ceanmc32.exeC:\Windows\system32\Ceanmc32.exe101⤵PID:1700
-
C:\Windows\SysWOW64\Cmmcae32.exeC:\Windows\system32\Cmmcae32.exe102⤵PID:2512
-
C:\Windows\SysWOW64\Dedkbb32.exeC:\Windows\system32\Dedkbb32.exe103⤵PID:1172
-
C:\Windows\SysWOW64\Dfegjknm.exeC:\Windows\system32\Dfegjknm.exe104⤵PID:2676
-
C:\Windows\SysWOW64\Dajlhc32.exeC:\Windows\system32\Dajlhc32.exe105⤵PID:2948
-
C:\Windows\SysWOW64\Djcpqidc.exeC:\Windows\system32\Djcpqidc.exe106⤵
- Modifies registry class
PID:2956 -
C:\Windows\SysWOW64\Damhmc32.exeC:\Windows\system32\Damhmc32.exe107⤵PID:2760
-
C:\Windows\SysWOW64\Dfjaej32.exeC:\Windows\system32\Dfjaej32.exe108⤵PID:2764
-
C:\Windows\SysWOW64\Dlfina32.exeC:\Windows\system32\Dlfina32.exe109⤵
- Drops file in System32 directory
PID:2148 -
C:\Windows\SysWOW64\Ddnaonia.exeC:\Windows\system32\Ddnaonia.exe110⤵PID:1180
-
C:\Windows\SysWOW64\Dogbolep.exeC:\Windows\system32\Dogbolep.exe111⤵PID:2424
-
C:\Windows\SysWOW64\Ebekej32.exeC:\Windows\system32\Ebekej32.exe112⤵PID:2120
-
C:\Windows\SysWOW64\Eiocbd32.exeC:\Windows\system32\Eiocbd32.exe113⤵PID:2460
-
C:\Windows\SysWOW64\Eolljk32.exeC:\Windows\system32\Eolljk32.exe114⤵
- Modifies registry class
PID:2500 -
C:\Windows\SysWOW64\Edidcb32.exeC:\Windows\system32\Edidcb32.exe115⤵PID:972
-
C:\Windows\SysWOW64\Eamdlf32.exeC:\Windows\system32\Eamdlf32.exe116⤵PID:2680
-
C:\Windows\SysWOW64\Ehgmiq32.exeC:\Windows\system32\Ehgmiq32.exe117⤵PID:1588
-
C:\Windows\SysWOW64\Eoqeekme.exeC:\Windows\system32\Eoqeekme.exe118⤵PID:2936
-
C:\Windows\SysWOW64\Eaoaafli.exeC:\Windows\system32\Eaoaafli.exe119⤵PID:2628
-
C:\Windows\SysWOW64\Egljjmkp.exeC:\Windows\system32\Egljjmkp.exe120⤵PID:2804
-
C:\Windows\SysWOW64\Emfbgg32.exeC:\Windows\system32\Emfbgg32.exe121⤵PID:2704
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-