Analysis
-
max time kernel
143s -
max time network
155s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
31-10-2024 01:38
Static task
static1
Behavioral task
behavioral1
Sample
8297f97433396dd9c8612248af2eaafe2e5ce7dbe3bd7f14878926a14bfe7597.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
8297f97433396dd9c8612248af2eaafe2e5ce7dbe3bd7f14878926a14bfe7597.exe
Resource
win10v2004-20241007-en
General
-
Target
8297f97433396dd9c8612248af2eaafe2e5ce7dbe3bd7f14878926a14bfe7597.exe
-
Size
304KB
-
MD5
0d8106344897808c5c55836376dec1af
-
SHA1
0aa8b506c7111a700a71f95c9fbaa6300d1acc51
-
SHA256
8297f97433396dd9c8612248af2eaafe2e5ce7dbe3bd7f14878926a14bfe7597
-
SHA512
8ed410834cc3c841d197902159c4f23ff6365b4786f0891b31d1c395e74add1affb2e7d7583d8c5fc63eaafc66fb0aa9f061dabd98231301a4dc1cb0b8a774e9
-
SSDEEP
3072:YrnSjm1Zkjo4IqBi2Km64n4ebejz+k5rD0LZSnulc0VP7SnHjg:MMjk0bEKIrD0Lu
Malware Config
Extracted
berbew
http://viruslist.com/wcmd.txt
http://viruslist.com/ppslog.php
http://viruslist.com/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
Processes:
Ddadpdmn.exeHhiajmod.exeMhafeb32.exeJjlmclqa.exeCfbcke32.exeNgndaccj.exeLjbnfleo.exePcmlfl32.exeNobdbkhf.exeDnpdegjp.exeNcnofeof.exeAphnnafb.exeKapfiqoj.exeMiofjepg.exeMminhceb.exeOmdppiif.exePeieba32.exeCbgnemjj.exeFmpqfq32.exeGnqfcbnj.exeMoipoh32.exeEnpfan32.exeOcgkan32.exeNhpbfpka.exeIkdcmpnl.exeJgkdbacp.exeAhpmjejp.exeGmfplibd.exeHlepcdoa.exeIgajal32.exeFgjhpcmo.exeDcjnoece.exeOehlkc32.exeNghekkmn.exeBafndi32.exeDbicpfdk.exeDdjmba32.exeNbebbk32.exeJglklggl.exeBcahmb32.exeBhamkipi.exeDlkbjqgm.exeEfccmidp.exePnmopk32.exeFnkfmm32.exeCoknoaic.exeDiccgfpd.exeNnhmnn32.exePfdjinjo.exeCoegoe32.exeIinjhh32.exeLlodgnja.exeOplfkeob.exeAdfgdpmi.exeKnkekn32.exeHdjbiheb.exeMofmobmo.exeBfjnjcni.exePcbkml32.exeAjcdnd32.exeGnhnaf32.exeBkmmaeap.exeEleepoob.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ddadpdmn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Hhiajmod.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mhafeb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jjlmclqa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Cfbcke32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ngndaccj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ljbnfleo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Pcmlfl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Nobdbkhf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dnpdegjp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ncnofeof.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aphnnafb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kapfiqoj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Miofjepg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mminhceb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Omdppiif.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Peieba32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cbgnemjj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fmpqfq32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gnqfcbnj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Moipoh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Enpfan32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ocgkan32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Nhpbfpka.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ikdcmpnl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jgkdbacp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ahpmjejp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Gmfplibd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hlepcdoa.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Igajal32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Fgjhpcmo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dcjnoece.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Oehlkc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nghekkmn.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bafndi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Dbicpfdk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ddjmba32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nbebbk32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jglklggl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bcahmb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Bhamkipi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Dlkbjqgm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Efccmidp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pnmopk32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fnkfmm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oehlkc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Coknoaic.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Diccgfpd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Nnhmnn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Pfdjinjo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Coegoe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Iinjhh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Llodgnja.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oplfkeob.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Adfgdpmi.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Knkekn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hdjbiheb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mofmobmo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bfjnjcni.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pcbkml32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ajcdnd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gnhnaf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bkmmaeap.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Eleepoob.exe -
Berbew family
-
Executes dropped EXE 64 IoCs
Processes:
Leadnm32.exeMbedga32.exeMlnipg32.exeMlpeff32.exeMffjcopi.exeMblkhq32.exeMleoafmn.exeNlglfe32.exeNhnlkfpp.exeNgomin32.exeNojanpej.exeNlnbgddc.exeNchjdo32.exeNookip32.exeOidofh32.exeOekpkigo.exeOgklelna.exeOcamjm32.exeOpemca32.exeOjnblg32.exeOllnhb32.exePjpobg32.exePhelcc32.exePgflqkdd.exePoaqemao.exePcmlfl32.exePfnegggi.exePqcjepfo.exeQhonib32.exeQcdbfk32.exeQhakoa32.exeAgbkmijg.exeAqkpeopg.exeAgdhbi32.exeAjcdnd32.exeAmaqjp32.exeAckigjmh.exeAjeadd32.exeAobilkcl.exeAgiamhdo.exeAjhniccb.exeAqaffn32.exeAcpbbi32.exeAjjjocap.exeBqdblmhl.exeBogcgj32.exeBfqkddfd.exeBmkcqn32.exeBjodjb32.exeBqilgmdg.exeBcghch32.exeBfedoc32.exeBmomlnjk.exeBpnihiio.exeBjcmebie.exeBqmeal32.exeBclang32.exeBfjnjcni.exeCmdfgm32.exeCpbbch32.exeCflkpblf.exeCikglnkj.exeCpeohh32.exeCcqkigkp.exepid process 5008 Leadnm32.exe 4560 Mbedga32.exe 4080 Mlnipg32.exe 4792 Mlpeff32.exe 4616 Mffjcopi.exe 4572 Mblkhq32.exe 3620 Mleoafmn.exe 2076 Nlglfe32.exe 5080 Nhnlkfpp.exe 4160 Ngomin32.exe 2728 Nojanpej.exe 3320 Nlnbgddc.exe 3296 Nchjdo32.exe 2752 Nookip32.exe 4592 Oidofh32.exe 1044 Oekpkigo.exe 520 Ogklelna.exe 3680 Ocamjm32.exe 1372 Opemca32.exe 2900 Ojnblg32.exe 3024 Ollnhb32.exe 4884 Pjpobg32.exe 1540 Phelcc32.exe 884 Pgflqkdd.exe 4996 Poaqemao.exe 3952 Pcmlfl32.exe 3940 Pfnegggi.exe 4360 Pqcjepfo.exe 616 Qhonib32.exe 3304 Qcdbfk32.exe 3892 Qhakoa32.exe 4516 Agbkmijg.exe 3744 Aqkpeopg.exe 4044 Agdhbi32.exe 4032 Ajcdnd32.exe 4556 Amaqjp32.exe 2688 Ackigjmh.exe 704 Ajeadd32.exe 3752 Aobilkcl.exe 2340 Agiamhdo.exe 2224 Ajhniccb.exe 3020 Aqaffn32.exe 2580 Acpbbi32.exe 4852 Ajjjocap.exe 732 Bqdblmhl.exe 948 Bogcgj32.exe 2780 Bfqkddfd.exe 4432 Bmkcqn32.exe 4272 Bjodjb32.exe 4776 Bqilgmdg.exe 4568 Bcghch32.exe 2120 Bfedoc32.exe 3004 Bmomlnjk.exe 4752 Bpnihiio.exe 4520 Bjcmebie.exe 4324 Bqmeal32.exe 508 Bclang32.exe 4220 Bfjnjcni.exe 4356 Cmdfgm32.exe 4984 Cpbbch32.exe 3900 Cflkpblf.exe 2104 Cikglnkj.exe 4660 Cpeohh32.exe 1836 Ccqkigkp.exe -
Drops file in System32 directory 64 IoCs
Processes:
Abbkcpma.exeMbedga32.exeJbagbebm.exePcbkml32.exeQebhhp32.exeCfqmpl32.exeAhjgjj32.exeEkdnei32.exeCbgnemjj.exeDnajppda.exeOqmhqapg.exeDkbocbog.exeJjlmclqa.exeKodnmkap.exeJekjcaef.exeMlnipg32.exeFacqkg32.exeJgogbgei.exeOkedcjcm.exeQdoacabq.exeBmeandma.exeBlielbfi.exeLcnfohmi.exePafkgphl.exeFpeafcfa.exeJcgnbaeo.exeKmfhkf32.exeMalpia32.exeCacckp32.exeLomjicei.exeAgbkmijg.exeDiicml32.exeHdhedh32.exeCnfaohbj.exeOcjoadei.exeMhoahh32.exeGdafnpqh.exePlpqil32.exeQcaofebg.exeBllbaa32.exeNlfnaicd.exeIpjoja32.exeLnldla32.exeNcnofeof.exeBfjnjcni.exeDlkbjqgm.exeEhbnigjj.exeBafndi32.exeCikglnkj.exeDpckjfgg.exeNaecop32.exeNeclenfo.exeLnjgfb32.exeCocjiehd.exeLfgipd32.exePpjbmc32.exeCibmlmeb.exeDbndfl32.exeEmdajb32.exedescription ioc process File created C:\Windows\SysWOW64\Kemilf32.dll Abbkcpma.exe File created C:\Windows\SysWOW64\Mlnipg32.exe Mbedga32.exe File opened for modification C:\Windows\SysWOW64\Jeocna32.exe Jbagbebm.exe File created C:\Windows\SysWOW64\Pjlcjf32.exe Pcbkml32.exe File created C:\Windows\SysWOW64\Dbkjdh32.dll Qebhhp32.exe File created C:\Windows\SysWOW64\Egqbff32.dll Cfqmpl32.exe File created C:\Windows\SysWOW64\Achnlqjp.dll Ahjgjj32.exe File opened for modification C:\Windows\SysWOW64\Fmcjpl32.exe Ekdnei32.exe File created C:\Windows\SysWOW64\Cmmbbejp.exe Cbgnemjj.exe File opened for modification C:\Windows\SysWOW64\Damfao32.exe Dnajppda.exe File opened for modification C:\Windows\SysWOW64\Ockdmmoj.exe Oqmhqapg.exe File created C:\Windows\SysWOW64\Dcigeooj.exe Dkbocbog.exe File created C:\Windows\SysWOW64\Jpfepf32.exe Jjlmclqa.exe File created C:\Windows\SysWOW64\Kjjbjd32.exe Kodnmkap.exe File opened for modification C:\Windows\SysWOW64\Jldbpl32.exe Jekjcaef.exe File created C:\Windows\SysWOW64\Afkicf32.dll Mlnipg32.exe File created C:\Windows\SysWOW64\Fpeafcfa.exe Facqkg32.exe File created C:\Windows\SysWOW64\Jjmcnbdm.exe Jgogbgei.exe File opened for modification C:\Windows\SysWOW64\Oaompd32.exe Okedcjcm.exe File created C:\Windows\SysWOW64\Hiebgmkm.dll Qdoacabq.exe File opened for modification C:\Windows\SysWOW64\Bdojjo32.exe Bmeandma.exe File created C:\Windows\SysWOW64\Mnknop32.dll Jbagbebm.exe File created C:\Windows\SysWOW64\Qdhogopn.dll Blielbfi.exe File created C:\Windows\SysWOW64\Bmgagk32.dll Lcnfohmi.exe File created C:\Windows\SysWOW64\Jeocna32.exe Jbagbebm.exe File created C:\Windows\SysWOW64\Hejeak32.dll Pafkgphl.exe File opened for modification C:\Windows\SysWOW64\Fhmigagd.exe Fpeafcfa.exe File created C:\Windows\SysWOW64\Jnlbojee.exe Jcgnbaeo.exe File created C:\Windows\SysWOW64\Nbnimm32.dll Kmfhkf32.exe File opened for modification C:\Windows\SysWOW64\Mcjmel32.exe Malpia32.exe File created C:\Windows\SysWOW64\Biafno32.dll Cacckp32.exe File created C:\Windows\SysWOW64\Ljbnfleo.exe Lomjicei.exe File created C:\Windows\SysWOW64\Dfljoa32.dll Agbkmijg.exe File opened for modification C:\Windows\SysWOW64\Dpckjfgg.exe Diicml32.exe File created C:\Windows\SysWOW64\Hmpjmn32.exe Hdhedh32.exe File created C:\Windows\SysWOW64\Cofnik32.exe Cnfaohbj.exe File created C:\Windows\SysWOW64\Ofhknodl.exe Ocjoadei.exe File created C:\Windows\SysWOW64\Mcdeeq32.exe Mhoahh32.exe File opened for modification C:\Windows\SysWOW64\Ginnfgop.exe Gdafnpqh.exe File created C:\Windows\SysWOW64\Dpifba32.dll Plpqil32.exe File opened for modification C:\Windows\SysWOW64\Qljcoj32.exe Qcaofebg.exe File created C:\Windows\SysWOW64\Bkobmnka.exe Bllbaa32.exe File created C:\Windows\SysWOW64\Nndjndbh.exe Nlfnaicd.exe File created C:\Windows\SysWOW64\Iefgbh32.exe Ipjoja32.exe File created C:\Windows\SysWOW64\Llodgnja.exe Lnldla32.exe File created C:\Windows\SysWOW64\Nqbpojnp.exe Ncnofeof.exe File opened for modification C:\Windows\SysWOW64\Cmdfgm32.exe Bfjnjcni.exe File created C:\Windows\SysWOW64\Akoqpg32.exe Qebhhp32.exe File opened for modification C:\Windows\SysWOW64\Akoqpg32.exe Qebhhp32.exe File opened for modification C:\Windows\SysWOW64\Ejlbhh32.exe Dlkbjqgm.exe File created C:\Windows\SysWOW64\Jpbhgp32.dll Ehbnigjj.exe File created C:\Windows\SysWOW64\Neiqnh32.dll Bafndi32.exe File created C:\Windows\SysWOW64\Cpeohh32.exe Cikglnkj.exe File created C:\Windows\SysWOW64\Egcjff32.dll Dpckjfgg.exe File created C:\Windows\SysWOW64\Lccahg32.dll Jjlmclqa.exe File created C:\Windows\SysWOW64\Nlkgmh32.exe Naecop32.exe File created C:\Windows\SysWOW64\Njpdnedf.exe Neclenfo.exe File created C:\Windows\SysWOW64\Lfeljd32.exe Lnjgfb32.exe File created C:\Windows\SysWOW64\Cpdgqmnb.exe Cocjiehd.exe File created C:\Windows\SysWOW64\Lmaamn32.exe Lfgipd32.exe File created C:\Windows\SysWOW64\Jnfpnk32.dll Ppjbmc32.exe File created C:\Windows\SysWOW64\Caienjfd.exe Cibmlmeb.exe File created C:\Windows\SysWOW64\Aplhmakj.dll Dbndfl32.exe File created C:\Windows\SysWOW64\Fikbocki.exe Emdajb32.exe -
Program crash 1 IoCs
Processes:
WerFault.exepid pid_target process target process 6216 6764 WerFault.exe Pififb32.exe -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
Hiiggoaf.exeIgajal32.exeOpclldhj.exePgflqkdd.exeIqpfjnba.exeDjcoai32.exeCbbdjm32.exeNaecop32.exeNnfpinmi.exeOmgmeigd.exeOpeiadfg.exeMifljdjo.exeNliaao32.exeOhpkmn32.exeEnfckp32.exeIplkpa32.exeFqbliicp.exeJpnakk32.exeOqklkbbi.exeFdffbake.exeMhafeb32.exeLqikmc32.exeOnnmdcjm.exeAkdilipp.exeNhhdnf32.exePcbkml32.exeIcknfcol.exeMkjnfkma.exeNndjndbh.exeAdikdfna.exeHfcnpn32.exeKjblje32.exeDdifgk32.exeLebijnak.exeMbighjdd.exePedlgbkh.exeGlengm32.exeEmmkiclm.exeGgbook32.exeHpmpnp32.exeHpdfnolo.exeAogiap32.exeAednci32.exePnmopk32.exeCacckp32.exeDpkmal32.exeOkedcjcm.exeKgninn32.exeQeodhjmo.exeHaodle32.exeNofefp32.exeElbhjp32.exePocpfphe.exeBdgged32.exePfepdg32.exeGdafnpqh.exePlpqil32.exeDcnqpo32.exeOfhknodl.exeDgcihgaj.exeNcpeaoih.exePqbala32.exeOcamjm32.exeHkeaqi32.exedescription ioc process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hiiggoaf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Igajal32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Opclldhj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pgflqkdd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iqpfjnba.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Djcoai32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cbbdjm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Naecop32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nnfpinmi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Omgmeigd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Opeiadfg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mifljdjo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nliaao32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ohpkmn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Enfckp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iplkpa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fqbliicp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jpnakk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oqklkbbi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fdffbake.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mhafeb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lqikmc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Onnmdcjm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Akdilipp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nhhdnf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pcbkml32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Icknfcol.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mkjnfkma.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nndjndbh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Adikdfna.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hfcnpn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kjblje32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ddifgk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lebijnak.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mbighjdd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pedlgbkh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Glengm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Emmkiclm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ggbook32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hpmpnp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hpdfnolo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aogiap32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aednci32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pnmopk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cacckp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dpkmal32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Okedcjcm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kgninn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qeodhjmo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Haodle32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nofefp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Elbhjp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pocpfphe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bdgged32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pfepdg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gdafnpqh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Plpqil32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dcnqpo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ofhknodl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dgcihgaj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ncpeaoih.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pqbala32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ocamjm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hkeaqi32.exe -
Modifies registry class 64 IoCs
Processes:
Mhdckaeo.exeIphioh32.exeHpiecd32.exeEdbiniff.exeJldbpl32.exeJgogbgei.exeLnnbqnjn.exeMminhceb.exePmcclm32.exeAhpmjejp.exeDkceokii.exeDmalne32.exeJjlmclqa.exeNqbpojnp.exeFgoakc32.exeMbighjdd.exeAhjgjj32.exeEnkdaepb.exeDmcain32.exeNggnadib.exeEmbkoi32.exeHgdejd32.exeDmohno32.exeDdjmba32.exeGpnfge32.exeEnpfan32.exeFdkpma32.exePddhbipj.exeFipbdikp.exeAoabad32.exeNajmjokc.exeIpgkjlmg.exeBogcgj32.exeMblcnj32.exeElbhjp32.exeOjcpdg32.exeAjhniccb.exeCponen32.exeDpkmal32.exeLklbdm32.exeJgbchj32.exeCnaaib32.exeNqcejcha.exeIqmidndd.exeGlkmmefl.exeCkgohf32.exeOcnabm32.exeDokgdkeh.exeGbpedjnb.exeCfkmkf32.exeFechomko.exeIqbbpm32.exeJbaojpgb.exeMahnhhod.exeNhpbfpka.exeEmdajb32.exeAolblopj.exeFbjena32.exePcpnhl32.exePcbkml32.exeNlnbgddc.exeAoofle32.exedescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Mhdckaeo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Iphioh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Hpiecd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oncelonn.dll" Edbiniff.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Jldbpl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Jgogbgei.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Lnnbqnjn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hflkamml.dll" Mminhceb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihbjebjh.dll" Pmcclm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ahpmjejp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Dkceokii.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Dmalne32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lccahg32.dll" Jjlmclqa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Nqbpojnp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Fgoakc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Mbighjdd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ahjgjj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghcjeh32.dll" Enkdaepb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Dmcain32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndqojdee.dll" Nggnadib.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Embkoi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bojlop32.dll" Hgdejd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Dmohno32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cdecba32.dll" Ddjmba32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Gpnfge32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Begfqa32.dll" Enpfan32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Fdkpma32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kdflmg32.dll" Pddhbipj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Fipbdikp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Aoabad32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Najmjokc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dagdgfkf.dll" Ipgkjlmg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Bogcgj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Faaigehd.dll" Mblcnj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dfmioc32.dll" Elbhjp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ojcpdg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ajhniccb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Okhbek32.dll" Cponen32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Dpkmal32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Lklbdm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Jgbchj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Cnaaib32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nlhego32.dll" Nqcejcha.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnjjdmoc.dll" Iqmidndd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Glkmmefl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Cnaaib32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ckgohf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ljgmjm32.dll" Ocnabm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nohffe32.dll" Dokgdkeh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Gbpedjnb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Effkpc32.dll" Cfkmkf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Fechomko.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Iqbbpm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pgnnnnod.dll" Jbaojpgb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bionkjfo.dll" Mahnhhod.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Nhpbfpka.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Emdajb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cmpmfmao.dll" Aolblopj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ambfbo32.dll" Fbjena32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ipgkjlmg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kqkplq32.dll" Pcpnhl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Pcbkml32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oejbgd32.dll" Nlnbgddc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iafkni32.dll" Aoofle32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
8297f97433396dd9c8612248af2eaafe2e5ce7dbe3bd7f14878926a14bfe7597.exeLeadnm32.exeMbedga32.exeMlnipg32.exeMlpeff32.exeMffjcopi.exeMblkhq32.exeMleoafmn.exeNlglfe32.exeNhnlkfpp.exeNgomin32.exeNojanpej.exeNlnbgddc.exeNchjdo32.exeNookip32.exeOidofh32.exeOekpkigo.exeOgklelna.exeOcamjm32.exeOpemca32.exeOjnblg32.exeOllnhb32.exedescription pid process target process PID 2380 wrote to memory of 5008 2380 8297f97433396dd9c8612248af2eaafe2e5ce7dbe3bd7f14878926a14bfe7597.exe Leadnm32.exe PID 2380 wrote to memory of 5008 2380 8297f97433396dd9c8612248af2eaafe2e5ce7dbe3bd7f14878926a14bfe7597.exe Leadnm32.exe PID 2380 wrote to memory of 5008 2380 8297f97433396dd9c8612248af2eaafe2e5ce7dbe3bd7f14878926a14bfe7597.exe Leadnm32.exe PID 5008 wrote to memory of 4560 5008 Leadnm32.exe Mbedga32.exe PID 5008 wrote to memory of 4560 5008 Leadnm32.exe Mbedga32.exe PID 5008 wrote to memory of 4560 5008 Leadnm32.exe Mbedga32.exe PID 4560 wrote to memory of 4080 4560 Mbedga32.exe Mlnipg32.exe PID 4560 wrote to memory of 4080 4560 Mbedga32.exe Mlnipg32.exe PID 4560 wrote to memory of 4080 4560 Mbedga32.exe Mlnipg32.exe PID 4080 wrote to memory of 4792 4080 Mlnipg32.exe Mlpeff32.exe PID 4080 wrote to memory of 4792 4080 Mlnipg32.exe Mlpeff32.exe PID 4080 wrote to memory of 4792 4080 Mlnipg32.exe Mlpeff32.exe PID 4792 wrote to memory of 4616 4792 Mlpeff32.exe Mffjcopi.exe PID 4792 wrote to memory of 4616 4792 Mlpeff32.exe Mffjcopi.exe PID 4792 wrote to memory of 4616 4792 Mlpeff32.exe Mffjcopi.exe PID 4616 wrote to memory of 4572 4616 Mffjcopi.exe Mblkhq32.exe PID 4616 wrote to memory of 4572 4616 Mffjcopi.exe Mblkhq32.exe PID 4616 wrote to memory of 4572 4616 Mffjcopi.exe Mblkhq32.exe PID 4572 wrote to memory of 3620 4572 Mblkhq32.exe Mleoafmn.exe PID 4572 wrote to memory of 3620 4572 Mblkhq32.exe Mleoafmn.exe PID 4572 wrote to memory of 3620 4572 Mblkhq32.exe Mleoafmn.exe PID 3620 wrote to memory of 2076 3620 Mleoafmn.exe Nlglfe32.exe PID 3620 wrote to memory of 2076 3620 Mleoafmn.exe Nlglfe32.exe PID 3620 wrote to memory of 2076 3620 Mleoafmn.exe Nlglfe32.exe PID 2076 wrote to memory of 5080 2076 Nlglfe32.exe Nhnlkfpp.exe PID 2076 wrote to memory of 5080 2076 Nlglfe32.exe Nhnlkfpp.exe PID 2076 wrote to memory of 5080 2076 Nlglfe32.exe Nhnlkfpp.exe PID 5080 wrote to memory of 4160 5080 Nhnlkfpp.exe Ngomin32.exe PID 5080 wrote to memory of 4160 5080 Nhnlkfpp.exe Ngomin32.exe PID 5080 wrote to memory of 4160 5080 Nhnlkfpp.exe Ngomin32.exe PID 4160 wrote to memory of 2728 4160 Ngomin32.exe Nojanpej.exe PID 4160 wrote to memory of 2728 4160 Ngomin32.exe Nojanpej.exe PID 4160 wrote to memory of 2728 4160 Ngomin32.exe Nojanpej.exe PID 2728 wrote to memory of 3320 2728 Nojanpej.exe Nlnbgddc.exe PID 2728 wrote to memory of 3320 2728 Nojanpej.exe Nlnbgddc.exe PID 2728 wrote to memory of 3320 2728 Nojanpej.exe Nlnbgddc.exe PID 3320 wrote to memory of 3296 3320 Nlnbgddc.exe Nchjdo32.exe PID 3320 wrote to memory of 3296 3320 Nlnbgddc.exe Nchjdo32.exe PID 3320 wrote to memory of 3296 3320 Nlnbgddc.exe Nchjdo32.exe PID 3296 wrote to memory of 2752 3296 Nchjdo32.exe Nookip32.exe PID 3296 wrote to memory of 2752 3296 Nchjdo32.exe Nookip32.exe PID 3296 wrote to memory of 2752 3296 Nchjdo32.exe Nookip32.exe PID 2752 wrote to memory of 4592 2752 Nookip32.exe Oidofh32.exe PID 2752 wrote to memory of 4592 2752 Nookip32.exe Oidofh32.exe PID 2752 wrote to memory of 4592 2752 Nookip32.exe Oidofh32.exe PID 4592 wrote to memory of 1044 4592 Oidofh32.exe Oekpkigo.exe PID 4592 wrote to memory of 1044 4592 Oidofh32.exe Oekpkigo.exe PID 4592 wrote to memory of 1044 4592 Oidofh32.exe Oekpkigo.exe PID 1044 wrote to memory of 520 1044 Oekpkigo.exe Ogklelna.exe PID 1044 wrote to memory of 520 1044 Oekpkigo.exe Ogklelna.exe PID 1044 wrote to memory of 520 1044 Oekpkigo.exe Ogklelna.exe PID 520 wrote to memory of 3680 520 Ogklelna.exe Ocamjm32.exe PID 520 wrote to memory of 3680 520 Ogklelna.exe Ocamjm32.exe PID 520 wrote to memory of 3680 520 Ogklelna.exe Ocamjm32.exe PID 3680 wrote to memory of 1372 3680 Ocamjm32.exe Opemca32.exe PID 3680 wrote to memory of 1372 3680 Ocamjm32.exe Opemca32.exe PID 3680 wrote to memory of 1372 3680 Ocamjm32.exe Opemca32.exe PID 1372 wrote to memory of 2900 1372 Opemca32.exe Ojnblg32.exe PID 1372 wrote to memory of 2900 1372 Opemca32.exe Ojnblg32.exe PID 1372 wrote to memory of 2900 1372 Opemca32.exe Ojnblg32.exe PID 2900 wrote to memory of 3024 2900 Ojnblg32.exe Ollnhb32.exe PID 2900 wrote to memory of 3024 2900 Ojnblg32.exe Ollnhb32.exe PID 2900 wrote to memory of 3024 2900 Ojnblg32.exe Ollnhb32.exe PID 3024 wrote to memory of 4884 3024 Ollnhb32.exe Pjpobg32.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\8297f97433396dd9c8612248af2eaafe2e5ce7dbe3bd7f14878926a14bfe7597.exe"C:\Users\Admin\AppData\Local\Temp\8297f97433396dd9c8612248af2eaafe2e5ce7dbe3bd7f14878926a14bfe7597.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2380 -
C:\Windows\SysWOW64\Leadnm32.exeC:\Windows\system32\Leadnm32.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5008 -
C:\Windows\SysWOW64\Mbedga32.exeC:\Windows\system32\Mbedga32.exe3⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4560 -
C:\Windows\SysWOW64\Mlnipg32.exeC:\Windows\system32\Mlnipg32.exe4⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4080 -
C:\Windows\SysWOW64\Mlpeff32.exeC:\Windows\system32\Mlpeff32.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4792 -
C:\Windows\SysWOW64\Mffjcopi.exeC:\Windows\system32\Mffjcopi.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4616 -
C:\Windows\SysWOW64\Mblkhq32.exeC:\Windows\system32\Mblkhq32.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4572 -
C:\Windows\SysWOW64\Mleoafmn.exeC:\Windows\system32\Mleoafmn.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3620 -
C:\Windows\SysWOW64\Nlglfe32.exeC:\Windows\system32\Nlglfe32.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2076 -
C:\Windows\SysWOW64\Nhnlkfpp.exeC:\Windows\system32\Nhnlkfpp.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5080 -
C:\Windows\SysWOW64\Ngomin32.exeC:\Windows\system32\Ngomin32.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4160 -
C:\Windows\SysWOW64\Nojanpej.exeC:\Windows\system32\Nojanpej.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2728 -
C:\Windows\SysWOW64\Nlnbgddc.exeC:\Windows\system32\Nlnbgddc.exe13⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3320 -
C:\Windows\SysWOW64\Nchjdo32.exeC:\Windows\system32\Nchjdo32.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3296 -
C:\Windows\SysWOW64\Nookip32.exeC:\Windows\system32\Nookip32.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2752 -
C:\Windows\SysWOW64\Oidofh32.exeC:\Windows\system32\Oidofh32.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4592 -
C:\Windows\SysWOW64\Oekpkigo.exeC:\Windows\system32\Oekpkigo.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1044 -
C:\Windows\SysWOW64\Ogklelna.exeC:\Windows\system32\Ogklelna.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:520 -
C:\Windows\SysWOW64\Ocamjm32.exeC:\Windows\system32\Ocamjm32.exe19⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3680 -
C:\Windows\SysWOW64\Opemca32.exeC:\Windows\system32\Opemca32.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1372 -
C:\Windows\SysWOW64\Ojnblg32.exeC:\Windows\system32\Ojnblg32.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2900 -
C:\Windows\SysWOW64\Ollnhb32.exeC:\Windows\system32\Ollnhb32.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3024 -
C:\Windows\SysWOW64\Pjpobg32.exeC:\Windows\system32\Pjpobg32.exe23⤵
- Executes dropped EXE
PID:4884 -
C:\Windows\SysWOW64\Phelcc32.exeC:\Windows\system32\Phelcc32.exe24⤵
- Executes dropped EXE
PID:1540 -
C:\Windows\SysWOW64\Pgflqkdd.exeC:\Windows\system32\Pgflqkdd.exe25⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:884 -
C:\Windows\SysWOW64\Poaqemao.exeC:\Windows\system32\Poaqemao.exe26⤵
- Executes dropped EXE
PID:4996 -
C:\Windows\SysWOW64\Pcmlfl32.exeC:\Windows\system32\Pcmlfl32.exe27⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3952 -
C:\Windows\SysWOW64\Pfnegggi.exeC:\Windows\system32\Pfnegggi.exe28⤵
- Executes dropped EXE
PID:3940 -
C:\Windows\SysWOW64\Pqcjepfo.exeC:\Windows\system32\Pqcjepfo.exe29⤵
- Executes dropped EXE
PID:4360 -
C:\Windows\SysWOW64\Qhonib32.exeC:\Windows\system32\Qhonib32.exe30⤵
- Executes dropped EXE
PID:616 -
C:\Windows\SysWOW64\Qcdbfk32.exeC:\Windows\system32\Qcdbfk32.exe31⤵
- Executes dropped EXE
PID:3304 -
C:\Windows\SysWOW64\Qhakoa32.exeC:\Windows\system32\Qhakoa32.exe32⤵
- Executes dropped EXE
PID:3892 -
C:\Windows\SysWOW64\Agbkmijg.exeC:\Windows\system32\Agbkmijg.exe33⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4516 -
C:\Windows\SysWOW64\Aqkpeopg.exeC:\Windows\system32\Aqkpeopg.exe34⤵
- Executes dropped EXE
PID:3744 -
C:\Windows\SysWOW64\Agdhbi32.exeC:\Windows\system32\Agdhbi32.exe35⤵
- Executes dropped EXE
PID:4044 -
C:\Windows\SysWOW64\Ajcdnd32.exeC:\Windows\system32\Ajcdnd32.exe36⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4032 -
C:\Windows\SysWOW64\Amaqjp32.exeC:\Windows\system32\Amaqjp32.exe37⤵
- Executes dropped EXE
PID:4556 -
C:\Windows\SysWOW64\Ackigjmh.exeC:\Windows\system32\Ackigjmh.exe38⤵
- Executes dropped EXE
PID:2688 -
C:\Windows\SysWOW64\Ajeadd32.exeC:\Windows\system32\Ajeadd32.exe39⤵
- Executes dropped EXE
PID:704 -
C:\Windows\SysWOW64\Aobilkcl.exeC:\Windows\system32\Aobilkcl.exe40⤵
- Executes dropped EXE
PID:3752 -
C:\Windows\SysWOW64\Agiamhdo.exeC:\Windows\system32\Agiamhdo.exe41⤵
- Executes dropped EXE
PID:2340 -
C:\Windows\SysWOW64\Ajhniccb.exeC:\Windows\system32\Ajhniccb.exe42⤵
- Executes dropped EXE
- Modifies registry class
PID:2224 -
C:\Windows\SysWOW64\Aqaffn32.exeC:\Windows\system32\Aqaffn32.exe43⤵
- Executes dropped EXE
PID:3020 -
C:\Windows\SysWOW64\Acpbbi32.exeC:\Windows\system32\Acpbbi32.exe44⤵
- Executes dropped EXE
PID:2580 -
C:\Windows\SysWOW64\Ajjjocap.exeC:\Windows\system32\Ajjjocap.exe45⤵
- Executes dropped EXE
PID:4852 -
C:\Windows\SysWOW64\Bqdblmhl.exeC:\Windows\system32\Bqdblmhl.exe46⤵
- Executes dropped EXE
PID:732 -
C:\Windows\SysWOW64\Bogcgj32.exeC:\Windows\system32\Bogcgj32.exe47⤵
- Executes dropped EXE
- Modifies registry class
PID:948 -
C:\Windows\SysWOW64\Bfqkddfd.exeC:\Windows\system32\Bfqkddfd.exe48⤵
- Executes dropped EXE
PID:2780 -
C:\Windows\SysWOW64\Bmkcqn32.exeC:\Windows\system32\Bmkcqn32.exe49⤵
- Executes dropped EXE
PID:4432 -
C:\Windows\SysWOW64\Bjodjb32.exeC:\Windows\system32\Bjodjb32.exe50⤵
- Executes dropped EXE
PID:4272 -
C:\Windows\SysWOW64\Bqilgmdg.exeC:\Windows\system32\Bqilgmdg.exe51⤵
- Executes dropped EXE
PID:4776 -
C:\Windows\SysWOW64\Bcghch32.exeC:\Windows\system32\Bcghch32.exe52⤵
- Executes dropped EXE
PID:4568 -
C:\Windows\SysWOW64\Bfedoc32.exeC:\Windows\system32\Bfedoc32.exe53⤵
- Executes dropped EXE
PID:2120 -
C:\Windows\SysWOW64\Bmomlnjk.exeC:\Windows\system32\Bmomlnjk.exe54⤵
- Executes dropped EXE
PID:3004 -
C:\Windows\SysWOW64\Bpnihiio.exeC:\Windows\system32\Bpnihiio.exe55⤵
- Executes dropped EXE
PID:4752 -
C:\Windows\SysWOW64\Bjcmebie.exeC:\Windows\system32\Bjcmebie.exe56⤵
- Executes dropped EXE
PID:4520 -
C:\Windows\SysWOW64\Bqmeal32.exeC:\Windows\system32\Bqmeal32.exe57⤵
- Executes dropped EXE
PID:4324 -
C:\Windows\SysWOW64\Bclang32.exeC:\Windows\system32\Bclang32.exe58⤵
- Executes dropped EXE
PID:508 -
C:\Windows\SysWOW64\Bfjnjcni.exeC:\Windows\system32\Bfjnjcni.exe59⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:4220 -
C:\Windows\SysWOW64\Cmdfgm32.exeC:\Windows\system32\Cmdfgm32.exe60⤵
- Executes dropped EXE
PID:4356 -
C:\Windows\SysWOW64\Cpbbch32.exeC:\Windows\system32\Cpbbch32.exe61⤵
- Executes dropped EXE
PID:4984 -
C:\Windows\SysWOW64\Cflkpblf.exeC:\Windows\system32\Cflkpblf.exe62⤵
- Executes dropped EXE
PID:3900 -
C:\Windows\SysWOW64\Cikglnkj.exeC:\Windows\system32\Cikglnkj.exe63⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2104 -
C:\Windows\SysWOW64\Cpeohh32.exeC:\Windows\system32\Cpeohh32.exe64⤵
- Executes dropped EXE
PID:4660 -
C:\Windows\SysWOW64\Ccqkigkp.exeC:\Windows\system32\Ccqkigkp.exe65⤵
- Executes dropped EXE
PID:1836 -
C:\Windows\SysWOW64\Cjjcfabm.exeC:\Windows\system32\Cjjcfabm.exe66⤵PID:4964
-
C:\Windows\SysWOW64\Cmipblaq.exeC:\Windows\system32\Cmipblaq.exe67⤵PID:1112
-
C:\Windows\SysWOW64\Ccchof32.exeC:\Windows\system32\Ccchof32.exe68⤵PID:1952
-
C:\Windows\SysWOW64\Cmklglpn.exeC:\Windows\system32\Cmklglpn.exe69⤵PID:3140
-
C:\Windows\SysWOW64\Caghhk32.exeC:\Windows\system32\Caghhk32.exe70⤵PID:4476
-
C:\Windows\SysWOW64\Cgqqdeod.exeC:\Windows\system32\Cgqqdeod.exe71⤵PID:4180
-
C:\Windows\SysWOW64\Cibmlmeb.exeC:\Windows\system32\Cibmlmeb.exe72⤵
- Drops file in System32 directory
PID:4628 -
C:\Windows\SysWOW64\Caienjfd.exeC:\Windows\system32\Caienjfd.exe73⤵PID:2916
-
C:\Windows\SysWOW64\Cgcmjd32.exeC:\Windows\system32\Cgcmjd32.exe74⤵PID:220
-
C:\Windows\SysWOW64\Cidjbmcp.exeC:\Windows\system32\Cidjbmcp.exe75⤵PID:2524
-
C:\Windows\SysWOW64\Dcjnoece.exeC:\Windows\system32\Dcjnoece.exe76⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3996 -
C:\Windows\SysWOW64\Dannij32.exeC:\Windows\system32\Dannij32.exe77⤵PID:4468
-
C:\Windows\SysWOW64\Diicml32.exeC:\Windows\system32\Diicml32.exe78⤵
- Drops file in System32 directory
PID:2268 -
C:\Windows\SysWOW64\Dpckjfgg.exeC:\Windows\system32\Dpckjfgg.exe79⤵
- Drops file in System32 directory
PID:1984 -
C:\Windows\SysWOW64\Dmglcj32.exeC:\Windows\system32\Dmglcj32.exe80⤵PID:4756
-
C:\Windows\SysWOW64\Ddadpdmn.exeC:\Windows\system32\Ddadpdmn.exe81⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4720 -
C:\Windows\SysWOW64\Dmihij32.exeC:\Windows\system32\Dmihij32.exe82⤵PID:2652
-
C:\Windows\SysWOW64\Epjajeqo.exeC:\Windows\system32\Epjajeqo.exe83⤵PID:964
-
C:\Windows\SysWOW64\Eplnpeol.exeC:\Windows\system32\Eplnpeol.exe84⤵PID:3780
-
C:\Windows\SysWOW64\Empoiimf.exeC:\Windows\system32\Empoiimf.exe85⤵PID:4056
-
C:\Windows\SysWOW64\Ehfcfb32.exeC:\Windows\system32\Ehfcfb32.exe86⤵PID:4176
-
C:\Windows\SysWOW64\Embkoi32.exeC:\Windows\system32\Embkoi32.exe87⤵
- Modifies registry class
PID:2352 -
C:\Windows\SysWOW64\Ejflhm32.exeC:\Windows\system32\Ejflhm32.exe88⤵PID:1480
-
C:\Windows\SysWOW64\Filiii32.exeC:\Windows\system32\Filiii32.exe89⤵PID:4472
-
C:\Windows\SysWOW64\Facqkg32.exeC:\Windows\system32\Facqkg32.exe90⤵
- Drops file in System32 directory
PID:2636 -
C:\Windows\SysWOW64\Fpeafcfa.exeC:\Windows\system32\Fpeafcfa.exe91⤵
- Drops file in System32 directory
PID:2812 -
C:\Windows\SysWOW64\Fhmigagd.exeC:\Windows\system32\Fhmigagd.exe92⤵PID:4248
-
C:\Windows\SysWOW64\Ffpicn32.exeC:\Windows\system32\Ffpicn32.exe93⤵PID:3664
-
C:\Windows\SysWOW64\Fipbdikp.exeC:\Windows\system32\Fipbdikp.exe94⤵
- Modifies registry class
PID:1736 -
C:\Windows\SysWOW64\Fdffbake.exeC:\Windows\system32\Fdffbake.exe95⤵
- System Location Discovery: System Language Discovery
PID:3256 -
C:\Windows\SysWOW64\Fpmggb32.exeC:\Windows\system32\Fpmggb32.exe96⤵PID:1420
-
C:\Windows\SysWOW64\Fmqgpgoc.exeC:\Windows\system32\Fmqgpgoc.exe97⤵PID:5136
-
C:\Windows\SysWOW64\Fdkpma32.exeC:\Windows\system32\Fdkpma32.exe98⤵
- Modifies registry class
PID:5180 -
C:\Windows\SysWOW64\Ggilil32.exeC:\Windows\system32\Ggilil32.exe99⤵PID:5224
-
C:\Windows\SysWOW64\Gigheh32.exeC:\Windows\system32\Gigheh32.exe100⤵PID:5268
-
C:\Windows\SysWOW64\Gdmmbq32.exeC:\Windows\system32\Gdmmbq32.exe101⤵PID:5312
-
C:\Windows\SysWOW64\Ghkeio32.exeC:\Windows\system32\Ghkeio32.exe102⤵PID:5352
-
C:\Windows\SysWOW64\Gnhnaf32.exeC:\Windows\system32\Gnhnaf32.exe103⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5396 -
C:\Windows\SysWOW64\Gdafnpqh.exeC:\Windows\system32\Gdafnpqh.exe104⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:5440 -
C:\Windows\SysWOW64\Ginnfgop.exeC:\Windows\system32\Ginnfgop.exe105⤵PID:5484
-
C:\Windows\SysWOW64\Gaefgd32.exeC:\Windows\system32\Gaefgd32.exe106⤵PID:5528
-
C:\Windows\SysWOW64\Ggbook32.exeC:\Windows\system32\Ggbook32.exe107⤵
- System Location Discovery: System Language Discovery
PID:5568 -
C:\Windows\SysWOW64\Giqkkf32.exeC:\Windows\system32\Giqkkf32.exe108⤵PID:5624
-
C:\Windows\SysWOW64\Gahcmd32.exeC:\Windows\system32\Gahcmd32.exe109⤵PID:5672
-
C:\Windows\SysWOW64\Hgelek32.exeC:\Windows\system32\Hgelek32.exe110⤵PID:5716
-
C:\Windows\SysWOW64\Hnodaecc.exeC:\Windows\system32\Hnodaecc.exe111⤵PID:5760
-
C:\Windows\SysWOW64\Hpmpnp32.exeC:\Windows\system32\Hpmpnp32.exe112⤵
- System Location Discovery: System Language Discovery
PID:5804 -
C:\Windows\SysWOW64\Hhdhon32.exeC:\Windows\system32\Hhdhon32.exe113⤵PID:5852
-
C:\Windows\SysWOW64\Hkbdki32.exeC:\Windows\system32\Hkbdki32.exe114⤵PID:5896
-
C:\Windows\SysWOW64\Hdkidohn.exeC:\Windows\system32\Hdkidohn.exe115⤵PID:5940
-
C:\Windows\SysWOW64\Hkeaqi32.exeC:\Windows\system32\Hkeaqi32.exe116⤵
- System Location Discovery: System Language Discovery
PID:5984 -
C:\Windows\SysWOW64\Haoimcgg.exeC:\Windows\system32\Haoimcgg.exe117⤵PID:6028
-
C:\Windows\SysWOW64\Hhiajmod.exeC:\Windows\system32\Hhiajmod.exe118⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6072 -
C:\Windows\SysWOW64\Hnfjbdmk.exeC:\Windows\system32\Hnfjbdmk.exe119⤵PID:6116
-
C:\Windows\SysWOW64\Hpdfnolo.exeC:\Windows\system32\Hpdfnolo.exe120⤵
- System Location Discovery: System Language Discovery
PID:5144 -
C:\Windows\SysWOW64\Hgnoki32.exeC:\Windows\system32\Hgnoki32.exe121⤵PID:5208
-
C:\Windows\SysWOW64\Hnhghcki.exeC:\Windows\system32\Hnhghcki.exe122⤵PID:5280
-
C:\Windows\SysWOW64\Iklgah32.exeC:\Windows\system32\Iklgah32.exe123⤵PID:5344
-
C:\Windows\SysWOW64\Iqipio32.exeC:\Windows\system32\Iqipio32.exe124⤵PID:5432
-
C:\Windows\SysWOW64\Iddljmpc.exeC:\Windows\system32\Iddljmpc.exe125⤵PID:5504
-
C:\Windows\SysWOW64\Ijadbdoj.exeC:\Windows\system32\Ijadbdoj.exe126⤵PID:5576
-
C:\Windows\SysWOW64\Idghpmnp.exeC:\Windows\system32\Idghpmnp.exe127⤵PID:5656
-
C:\Windows\SysWOW64\Igedlh32.exeC:\Windows\system32\Igedlh32.exe128⤵PID:5724
-
C:\Windows\SysWOW64\Ijcahd32.exeC:\Windows\system32\Ijcahd32.exe129⤵PID:5792
-
C:\Windows\SysWOW64\Iakiia32.exeC:\Windows\system32\Iakiia32.exe130⤵PID:5864
-
C:\Windows\SysWOW64\Iqmidndd.exeC:\Windows\system32\Iqmidndd.exe131⤵
- Modifies registry class
PID:5932 -
C:\Windows\SysWOW64\Ihdafkdg.exeC:\Windows\system32\Ihdafkdg.exe132⤵PID:6004
-
C:\Windows\SysWOW64\Ikcmbfcj.exeC:\Windows\system32\Ikcmbfcj.exe133⤵PID:6064
-
C:\Windows\SysWOW64\Inainbcn.exeC:\Windows\system32\Inainbcn.exe134⤵PID:6136
-
C:\Windows\SysWOW64\Iqpfjnba.exeC:\Windows\system32\Iqpfjnba.exe135⤵
- System Location Discovery: System Language Discovery
PID:5220 -
C:\Windows\SysWOW64\Ihgnkkbd.exeC:\Windows\system32\Ihgnkkbd.exe136⤵PID:5296
-
C:\Windows\SysWOW64\Ikejgf32.exeC:\Windows\system32\Ikejgf32.exe137⤵PID:5360
-
C:\Windows\SysWOW64\Indfca32.exeC:\Windows\system32\Indfca32.exe138⤵PID:5520
-
C:\Windows\SysWOW64\Iqbbpm32.exeC:\Windows\system32\Iqbbpm32.exe139⤵
- Modifies registry class
PID:5632 -
C:\Windows\SysWOW64\Jglklggl.exeC:\Windows\system32\Jglklggl.exe140⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5732 -
C:\Windows\SysWOW64\Jjjghcfp.exeC:\Windows\system32\Jjjghcfp.exe141⤵PID:5840
-
C:\Windows\SysWOW64\Jbaojpgb.exeC:\Windows\system32\Jbaojpgb.exe142⤵
- Modifies registry class
PID:5948 -
C:\Windows\SysWOW64\Jdpkflfe.exeC:\Windows\system32\Jdpkflfe.exe143⤵PID:6056
-
C:\Windows\SysWOW64\Jgogbgei.exeC:\Windows\system32\Jgogbgei.exe144⤵
- Drops file in System32 directory
- Modifies registry class
PID:5132 -
C:\Windows\SysWOW64\Jjmcnbdm.exeC:\Windows\system32\Jjmcnbdm.exe145⤵PID:5340
-
C:\Windows\SysWOW64\Jqglkmlj.exeC:\Windows\system32\Jqglkmlj.exe146⤵PID:5476
-
C:\Windows\SysWOW64\Jhndljll.exeC:\Windows\system32\Jhndljll.exe147⤵PID:5636
-
C:\Windows\SysWOW64\Jklphekp.exeC:\Windows\system32\Jklphekp.exe148⤵PID:5800
-
C:\Windows\SysWOW64\Jbfheo32.exeC:\Windows\system32\Jbfheo32.exe149⤵PID:5980
-
C:\Windows\SysWOW64\Jhpqaiji.exeC:\Windows\system32\Jhpqaiji.exe150⤵PID:5128
-
C:\Windows\SysWOW64\Jgcamf32.exeC:\Windows\system32\Jgcamf32.exe151⤵PID:5452
-
C:\Windows\SysWOW64\Jjamia32.exeC:\Windows\system32\Jjamia32.exe152⤵PID:5616
-
C:\Windows\SysWOW64\Jdgafjpn.exeC:\Windows\system32\Jdgafjpn.exe153⤵PID:5884
-
C:\Windows\SysWOW64\Jibmgi32.exeC:\Windows\system32\Jibmgi32.exe154⤵PID:5188
-
C:\Windows\SysWOW64\Jkaicd32.exeC:\Windows\system32\Jkaicd32.exe155⤵PID:5584
-
C:\Windows\SysWOW64\Jbkbpoog.exeC:\Windows\system32\Jbkbpoog.exe156⤵PID:6048
-
C:\Windows\SysWOW64\Kiejmi32.exeC:\Windows\system32\Kiejmi32.exe157⤵PID:2788
-
C:\Windows\SysWOW64\Kbmoen32.exeC:\Windows\system32\Kbmoen32.exe158⤵PID:2760
-
C:\Windows\SysWOW64\Kiggbhda.exeC:\Windows\system32\Kiggbhda.exe159⤵PID:5700
-
C:\Windows\SysWOW64\Kqbkfkal.exeC:\Windows\system32\Kqbkfkal.exe160⤵PID:2988
-
C:\Windows\SysWOW64\Kaehljpj.exeC:\Windows\system32\Kaehljpj.exe161⤵PID:3148
-
C:\Windows\SysWOW64\Kgopidgf.exeC:\Windows\system32\Kgopidgf.exe162⤵PID:5448
-
C:\Windows\SysWOW64\Kniieo32.exeC:\Windows\system32\Kniieo32.exe163⤵PID:1624
-
C:\Windows\SysWOW64\Kjpijpdg.exeC:\Windows\system32\Kjpijpdg.exe164⤵PID:1568
-
C:\Windows\SysWOW64\Knkekn32.exeC:\Windows\system32\Knkekn32.exe165⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5492 -
C:\Windows\SysWOW64\Lnnbqnjn.exeC:\Windows\system32\Lnnbqnjn.exe166⤵
- Modifies registry class
PID:6156 -
C:\Windows\SysWOW64\Lalnmiia.exeC:\Windows\system32\Lalnmiia.exe167⤵PID:6200
-
C:\Windows\SysWOW64\Lnpofnhk.exeC:\Windows\system32\Lnpofnhk.exe168⤵PID:6244
-
C:\Windows\SysWOW64\Ljgpkonp.exeC:\Windows\system32\Ljgpkonp.exe169⤵PID:6296
-
C:\Windows\SysWOW64\Lgkpdcmi.exeC:\Windows\system32\Lgkpdcmi.exe170⤵PID:6344
-
C:\Windows\SysWOW64\Lbpdblmo.exeC:\Windows\system32\Lbpdblmo.exe171⤵PID:6388
-
C:\Windows\SysWOW64\Lhmmjbkf.exeC:\Windows\system32\Lhmmjbkf.exe172⤵PID:6432
-
C:\Windows\SysWOW64\Llhikacp.exeC:\Windows\system32\Llhikacp.exe173⤵PID:6476
-
C:\Windows\SysWOW64\Mngegmbc.exeC:\Windows\system32\Mngegmbc.exe174⤵PID:6524
-
C:\Windows\SysWOW64\Maeachag.exeC:\Windows\system32\Maeachag.exe175⤵PID:6568
-
C:\Windows\SysWOW64\Milidebi.exeC:\Windows\system32\Milidebi.exe176⤵PID:6620
-
C:\Windows\SysWOW64\Mjneln32.exeC:\Windows\system32\Mjneln32.exe177⤵PID:6664
-
C:\Windows\SysWOW64\Mbenmk32.exeC:\Windows\system32\Mbenmk32.exe178⤵PID:6708
-
C:\Windows\SysWOW64\Mahnhhod.exeC:\Windows\system32\Mahnhhod.exe179⤵
- Modifies registry class
PID:6752 -
C:\Windows\SysWOW64\Miofjepg.exeC:\Windows\system32\Miofjepg.exe180⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6804 -
C:\Windows\SysWOW64\Mhafeb32.exeC:\Windows\system32\Mhafeb32.exe181⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:6836 -
C:\Windows\SysWOW64\Mnlnbl32.exeC:\Windows\system32\Mnlnbl32.exe182⤵PID:6880
-
C:\Windows\SysWOW64\Miaboe32.exeC:\Windows\system32\Miaboe32.exe183⤵PID:6940
-
C:\Windows\SysWOW64\Mhdckaeo.exeC:\Windows\system32\Mhdckaeo.exe184⤵
- Modifies registry class
PID:6972 -
C:\Windows\SysWOW64\Mjbogmdb.exeC:\Windows\system32\Mjbogmdb.exe185⤵PID:7032
-
C:\Windows\SysWOW64\Mbighjdd.exeC:\Windows\system32\Mbighjdd.exe186⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:7084 -
C:\Windows\SysWOW64\Mehcdfch.exeC:\Windows\system32\Mehcdfch.exe187⤵PID:7128
-
C:\Windows\SysWOW64\Mjellmbp.exeC:\Windows\system32\Mjellmbp.exe188⤵PID:5000
-
C:\Windows\SysWOW64\Mblcnj32.exeC:\Windows\system32\Mblcnj32.exe189⤵
- Modifies registry class
PID:6212 -
C:\Windows\SysWOW64\Mifljdjo.exeC:\Windows\system32\Mifljdjo.exe190⤵
- System Location Discovery: System Language Discovery
PID:6292 -
C:\Windows\SysWOW64\Nobdbkhf.exeC:\Windows\system32\Nobdbkhf.exe191⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6376 -
C:\Windows\SysWOW64\Nhkikq32.exeC:\Windows\system32\Nhkikq32.exe192⤵PID:6444
-
C:\Windows\SysWOW64\Nliaao32.exeC:\Windows\system32\Nliaao32.exe193⤵
- System Location Discovery: System Language Discovery
PID:6520 -
C:\Windows\SysWOW64\Nhpbfpka.exeC:\Windows\system32\Nhpbfpka.exe194⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:6608 -
C:\Windows\SysWOW64\Nknobkje.exeC:\Windows\system32\Nknobkje.exe195⤵PID:6684
-
C:\Windows\SysWOW64\Nbefdijg.exeC:\Windows\system32\Nbefdijg.exe196⤵PID:6764
-
C:\Windows\SysWOW64\Nhbolp32.exeC:\Windows\system32\Nhbolp32.exe197⤵PID:6824
-
C:\Windows\SysWOW64\Nlphbnoe.exeC:\Windows\system32\Nlphbnoe.exe198⤵PID:6892
-
C:\Windows\SysWOW64\Oampjeml.exeC:\Windows\system32\Oampjeml.exe199⤵PID:6956
-
C:\Windows\SysWOW64\Oehlkc32.exeC:\Windows\system32\Oehlkc32.exe200⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:7028 -
C:\Windows\SysWOW64\Okedcjcm.exeC:\Windows\system32\Okedcjcm.exe201⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:7120 -
C:\Windows\SysWOW64\Oaompd32.exeC:\Windows\system32\Oaompd32.exe202⤵PID:6168
-
C:\Windows\SysWOW64\Oekiqccc.exeC:\Windows\system32\Oekiqccc.exe203⤵PID:6284
-
C:\Windows\SysWOW64\Ohiemobf.exeC:\Windows\system32\Ohiemobf.exe204⤵PID:6396
-
C:\Windows\SysWOW64\Okgaijaj.exeC:\Windows\system32\Okgaijaj.exe205⤵PID:6460
-
C:\Windows\SysWOW64\Oboijgbl.exeC:\Windows\system32\Oboijgbl.exe206⤵PID:6628
-
C:\Windows\SysWOW64\Oihagaji.exeC:\Windows\system32\Oihagaji.exe207⤵PID:6716
-
C:\Windows\SysWOW64\Obafpg32.exeC:\Windows\system32\Obafpg32.exe208⤵PID:6828
-
C:\Windows\SysWOW64\Oiknlagg.exeC:\Windows\system32\Oiknlagg.exe209⤵PID:6948
-
C:\Windows\SysWOW64\Oklkdi32.exeC:\Windows\system32\Oklkdi32.exe210⤵PID:7048
-
C:\Windows\SysWOW64\Ohpkmn32.exeC:\Windows\system32\Ohpkmn32.exe211⤵
- System Location Discovery: System Language Discovery
PID:6152 -
C:\Windows\SysWOW64\Pedlgbkh.exeC:\Windows\system32\Pedlgbkh.exe212⤵
- System Location Discovery: System Language Discovery
PID:6352 -
C:\Windows\SysWOW64\Pkadoiip.exeC:\Windows\system32\Pkadoiip.exe213⤵PID:6484
-
C:\Windows\SysWOW64\Pibdmp32.exeC:\Windows\system32\Pibdmp32.exe214⤵PID:6700
-
C:\Windows\SysWOW64\Plpqil32.exeC:\Windows\system32\Plpqil32.exe215⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:6848 -
C:\Windows\SysWOW64\Pamiaboj.exeC:\Windows\system32\Pamiaboj.exe216⤵PID:7020
-
C:\Windows\SysWOW64\Peieba32.exeC:\Windows\system32\Peieba32.exe217⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:7152 -
C:\Windows\SysWOW64\Plbmokop.exeC:\Windows\system32\Plbmokop.exe218⤵PID:6452
-
C:\Windows\SysWOW64\Poajkgnc.exeC:\Windows\system32\Poajkgnc.exe219⤵PID:6340
-
C:\Windows\SysWOW64\Pifnhpmi.exeC:\Windows\system32\Pifnhpmi.exe220⤵PID:6084
-
C:\Windows\SysWOW64\Pocfpf32.exeC:\Windows\system32\Pocfpf32.exe221⤵PID:6192
-
C:\Windows\SysWOW64\Pcobaedj.exeC:\Windows\system32\Pcobaedj.exe222⤵PID:6640
-
C:\Windows\SysWOW64\Pemomqcn.exeC:\Windows\system32\Pemomqcn.exe223⤵PID:6988
-
C:\Windows\SysWOW64\Qkjgegae.exeC:\Windows\system32\Qkjgegae.exe224⤵PID:6508
-
C:\Windows\SysWOW64\Qcaofebg.exeC:\Windows\system32\Qcaofebg.exe225⤵
- Drops file in System32 directory
PID:7136 -
C:\Windows\SysWOW64\Qljcoj32.exeC:\Windows\system32\Qljcoj32.exe226⤵PID:320
-
C:\Windows\SysWOW64\Qebhhp32.exeC:\Windows\system32\Qebhhp32.exe227⤵
- Drops file in System32 directory
PID:6472 -
C:\Windows\SysWOW64\Akoqpg32.exeC:\Windows\system32\Akoqpg32.exe228⤵PID:7196
-
C:\Windows\SysWOW64\Acfhad32.exeC:\Windows\system32\Acfhad32.exe229⤵PID:7240
-
C:\Windows\SysWOW64\Aomifecf.exeC:\Windows\system32\Aomifecf.exe230⤵PID:7284
-
C:\Windows\SysWOW64\Aakebqbj.exeC:\Windows\system32\Aakebqbj.exe231⤵PID:7332
-
C:\Windows\SysWOW64\Aoofle32.exeC:\Windows\system32\Aoofle32.exe232⤵
- Modifies registry class
PID:7372 -
C:\Windows\SysWOW64\Aanbhp32.exeC:\Windows\system32\Aanbhp32.exe233⤵PID:7416
-
C:\Windows\SysWOW64\Ahgjejhd.exeC:\Windows\system32\Ahgjejhd.exe234⤵PID:7468
-
C:\Windows\SysWOW64\Aoabad32.exeC:\Windows\system32\Aoabad32.exe235⤵
- Modifies registry class
PID:7512 -
C:\Windows\SysWOW64\Abponp32.exeC:\Windows\system32\Abponp32.exe236⤵PID:7556
-
C:\Windows\SysWOW64\Ahjgjj32.exeC:\Windows\system32\Ahjgjj32.exe237⤵
- Drops file in System32 directory
- Modifies registry class
PID:7600 -
C:\Windows\SysWOW64\Abbkcpma.exeC:\Windows\system32\Abbkcpma.exe238⤵
- Drops file in System32 directory
PID:7660 -
C:\Windows\SysWOW64\Bjicdmmd.exeC:\Windows\system32\Bjicdmmd.exe239⤵PID:7712
-
C:\Windows\SysWOW64\Bcahmb32.exeC:\Windows\system32\Bcahmb32.exe240⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:7776 -
C:\Windows\SysWOW64\Bkmmaeap.exeC:\Windows\system32\Bkmmaeap.exe241⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:7820 -
C:\Windows\SysWOW64\Bhamkipi.exeC:\Windows\system32\Bhamkipi.exe242⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:7864