Analysis
-
max time kernel
93s -
max time network
95s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
10-11-2024 01:41
Static task
static1
Behavioral task
behavioral1
Sample
1528fa1fca6c2db0984a913b9fea07ff034775038c9c2267862d94d9e404e6ffN.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
1528fa1fca6c2db0984a913b9fea07ff034775038c9c2267862d94d9e404e6ffN.exe
Resource
win10v2004-20241007-en
General
-
Target
1528fa1fca6c2db0984a913b9fea07ff034775038c9c2267862d94d9e404e6ffN.exe
-
Size
100KB
-
MD5
d4f8e25b60088eff3ef72ddea78cab20
-
SHA1
d6e3bc4df6334410855a6264e781ad1d61dedd99
-
SHA256
1528fa1fca6c2db0984a913b9fea07ff034775038c9c2267862d94d9e404e6ff
-
SHA512
ab68a775493b071ee86249239a0311ec253311dea50def683886e6c47428b5bcb91a566f60a88d7ec91d4ecba27311f47d355eeb751459cef2905b708e7140bc
-
SSDEEP
3072:v6IkG9sxKkvWr2h95bTcZz5oqJ7gb3a3+X13XRzT:v5kG9mK2OJE7aOl3BzT
Malware Config
Extracted
berbew
http://f/wcmd.htm
http://f/ppslog.php
http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
Processes:
Lbngllob.exeKkgiimng.exeKgdpni32.exeCgklmacf.exeNhlpfgbb.exeEmbkoi32.exeOfhknodl.exeDpkmal32.exeAompak32.exeFpeafcfa.exeAhcajk32.exeFdglmkeg.exeHipmfjee.exeAdjjeieh.exeAahbbkaq.exeOaplqh32.exeInqbclob.exeEkjded32.exePidlqb32.exeKlfjijgq.exeNeclenfo.exeChiblk32.exeEhpadhll.exeMjnnbk32.exeMhdjehhj.exeMgaokl32.exeMeepdp32.exeJeocna32.exeAflaie32.exeNfnamjhk.exeAmcmpodi.exeLajagj32.exeAcmobchj.exeAonoao32.exePbhgoh32.exeGgnedlao.exeHdkidohn.exeFbjena32.exeHifcgion.exeEjagaj32.exeAmfjeobf.exeNacmdf32.exeHbihjifh.exeFajgkfio.exeKgmcce32.exeEbejfk32.exeDkhnjk32.exeJqhafffk.exeDbbffdlq.exeBojomm32.exeKpqggh32.exePibdmp32.exePdenmbkk.exeOcgkan32.exeFklcgk32.exeOgmijllo.exeAcnemi32.exeBkmmaeap.exeKnchpiom.exeBhkfkmmg.exeEiekog32.exeQmgelf32.exeAfcmfe32.exeNjinmf32.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lbngllob.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kkgiimng.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kgdpni32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cgklmacf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nhlpfgbb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Embkoi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ofhknodl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dpkmal32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aompak32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fpeafcfa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ahcajk32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fdglmkeg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hipmfjee.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Adjjeieh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Aahbbkaq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Oaplqh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Inqbclob.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ekjded32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pidlqb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Klfjijgq.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Neclenfo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Chiblk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ehpadhll.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mjnnbk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mhdjehhj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mgaokl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Meepdp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jeocna32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Aflaie32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nfnamjhk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Amcmpodi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lajagj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Acmobchj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Aonoao32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pbhgoh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ggnedlao.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hdkidohn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fbjena32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hifcgion.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ejagaj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Amfjeobf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nacmdf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hbihjifh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fajgkfio.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kgmcce32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ebejfk32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dkhnjk32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jqhafffk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dbbffdlq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bojomm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kpqggh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pibdmp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pdenmbkk.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ocgkan32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fklcgk32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ogmijllo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Acnemi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bkmmaeap.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Knchpiom.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bhkfkmmg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Eiekog32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qmgelf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Afcmfe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Njinmf32.exe -
Berbew family
-
Executes dropped EXE 64 IoCs
Processes:
Jejefqaf.exeKppici32.exeKelalp32.exeKlfjijgq.exeKflnfcgg.exeKijjbofj.exeKpdboimg.exeKimghn32.exeKnippe32.exeKechmoil.exeKhbdikip.exeKfcdfbqo.exeLhdqnj32.exeLfealaol.exeLidmhmnp.exeLhfmdj32.exeLfhnaa32.exeLldfjh32.exeLfjjga32.exeLlgcph32.exeLbqklb32.exeLikcilhh.exeLpekef32.exeLbchba32.exeMimpolee.exeMpghkf32.exeMhbmphjm.exeMlnipg32.exeMbhamajc.exeMhdjehhj.exeMoobbb32.exeMehjol32.exeMlbbkfoq.exeMblkhq32.exeMifcejnj.exeMhicpg32.exeMockmala.exeNemcjk32.exeNhlpfgbb.exeNoehba32.exeNgmpcn32.exeNhnlkfpp.exeNohehq32.exeNgomin32.exeNhpiafnm.exeNojanpej.exeNgaionfl.exeNpjnhc32.exeNgdfdmdi.exeNheble32.exeNplkmckj.exeOeicejia.exeOhgoaehe.exeOoagno32.exeOigllh32.exeOhjlgefb.exeOcopdn32.exeOiihahme.exeOpcqnb32.exeOgmijllo.exeOepifi32.exeOohnonij.exeOjnblg32.exeOhqbhdpj.exepid process 4144 Jejefqaf.exe 2772 Kppici32.exe 1428 Kelalp32.exe 2256 Klfjijgq.exe 4344 Kflnfcgg.exe 4936 Kijjbofj.exe 860 Kpdboimg.exe 232 Kimghn32.exe 2428 Knippe32.exe 4980 Kechmoil.exe 2400 Khbdikip.exe 1068 Kfcdfbqo.exe 3912 Lhdqnj32.exe 3872 Lfealaol.exe 1484 Lidmhmnp.exe 1700 Lhfmdj32.exe 4676 Lfhnaa32.exe 1332 Lldfjh32.exe 3740 Lfjjga32.exe 2472 Llgcph32.exe 5064 Lbqklb32.exe 380 Likcilhh.exe 1188 Lpekef32.exe 1780 Lbchba32.exe 4272 Mimpolee.exe 1256 Mpghkf32.exe 3568 Mhbmphjm.exe 4348 Mlnipg32.exe 4052 Mbhamajc.exe 1020 Mhdjehhj.exe 960 Moobbb32.exe 4552 Mehjol32.exe 4580 Mlbbkfoq.exe 4796 Mblkhq32.exe 1944 Mifcejnj.exe 2832 Mhicpg32.exe 1952 Mockmala.exe 4260 Nemcjk32.exe 2268 Nhlpfgbb.exe 1456 Noehba32.exe 3864 Ngmpcn32.exe 216 Nhnlkfpp.exe 4320 Nohehq32.exe 2856 Ngomin32.exe 4776 Nhpiafnm.exe 3460 Nojanpej.exe 4792 Ngaionfl.exe 3036 Npjnhc32.exe 2684 Ngdfdmdi.exe 4516 Nheble32.exe 2348 Nplkmckj.exe 1824 Oeicejia.exe 3492 Ohgoaehe.exe 744 Ooagno32.exe 1876 Oigllh32.exe 1120 Ohjlgefb.exe 2784 Ocopdn32.exe 3504 Oiihahme.exe 4456 Opcqnb32.exe 5016 Ogmijllo.exe 644 Oepifi32.exe 4836 Oohnonij.exe 4236 Ojnblg32.exe 4932 Ohqbhdpj.exe -
Drops file in System32 directory 64 IoCs
Processes:
Ahqddk32.exeAlpbecod.exeIlnbicff.exeLikhem32.exeLindkm32.exeKlfjijgq.exeEpjajeqo.exeMjellmbp.exeOeheqm32.exeGimqajgh.exeNgmpcn32.exeJkjcbe32.exeHifcgion.exePhajna32.exeAhdpjn32.exeBkibgh32.exeLpjjmg32.exeKechmoil.exePcjiff32.exeEnbjad32.exeAdjjeieh.exeHlnjbedi.exeOmpfej32.exeBkmeha32.exeIkcmbfcj.exeOhpkmn32.exeNccokk32.exePiocecgj.exeDpjfgf32.exeAlelqb32.exeCfnjpfcl.exeJohnamkm.exeMqhfoebo.exeFklcgk32.exePgkelj32.exeOkkdic32.exePldcjeia.exeOanfen32.exeEehicoel.exeIbaeen32.exeAmfjeobf.exeFiliii32.exePibdmp32.exePhbhcmjl.exeFnipbc32.exeLjeafb32.exePnkbkk32.exePhelcc32.exeMilidebi.exeGingkqkd.exeJjoiil32.exePalbgl32.exeEofgpikj.exeOpeiadfg.exeKgopidgf.exeFjjnifbl.exeGfkbde32.exeIbjqaf32.exeLakfeodm.exePfojdh32.exedescription ioc process File opened for modification C:\Windows\SysWOW64\Acfhad32.exe Ahqddk32.exe File opened for modification C:\Windows\SysWOW64\Aonoao32.exe Alpbecod.exe File created C:\Windows\SysWOW64\Iomoenej.exe Ilnbicff.exe File created C:\Windows\SysWOW64\Mhbacd32.dll Likhem32.exe File opened for modification C:\Windows\SysWOW64\Lojmcdgl.exe Lindkm32.exe File opened for modification C:\Windows\SysWOW64\Kflnfcgg.exe Klfjijgq.exe File opened for modification C:\Windows\SysWOW64\Efdjgo32.exe Epjajeqo.exe File opened for modification C:\Windows\SysWOW64\Maodigil.exe Mjellmbp.exe File opened for modification C:\Windows\SysWOW64\Ojdnid32.exe Oeheqm32.exe File created C:\Windows\SysWOW64\Klkfenfk.dll Gimqajgh.exe File opened for modification C:\Windows\SysWOW64\Nhnlkfpp.exe Ngmpcn32.exe File created C:\Windows\SysWOW64\Jlacji32.dll Epjajeqo.exe File created C:\Windows\SysWOW64\Jqglkmlj.exe Jkjcbe32.exe File opened for modification C:\Windows\SysWOW64\Hoclopne.exe Hifcgion.exe File created C:\Windows\SysWOW64\Pnkbkk32.exe Phajna32.exe File created C:\Windows\SysWOW64\Amqhbe32.exe Ahdpjn32.exe File created C:\Windows\SysWOW64\Bacjdbch.exe Bkibgh32.exe File created C:\Windows\SysWOW64\Hnekbm32.dll Lpjjmg32.exe File created C:\Windows\SysWOW64\Dmjhenbq.dll Kechmoil.exe File opened for modification C:\Windows\SysWOW64\Pamiaboj.exe Pcjiff32.exe File created C:\Windows\SysWOW64\Felbnn32.exe Enbjad32.exe File created C:\Windows\SysWOW64\Qgdcdg32.dll Adjjeieh.exe File created C:\Windows\SysWOW64\Lobpkihi.dll Hlnjbedi.exe File created C:\Windows\SysWOW64\Oakbehfe.exe Ompfej32.exe File created C:\Windows\SysWOW64\Iponmakp.dll Bkmeha32.exe File created C:\Windows\SysWOW64\Kbglnn32.dll Ikcmbfcj.exe File opened for modification C:\Windows\SysWOW64\Pkogiikb.exe Ohpkmn32.exe File created C:\Windows\SysWOW64\Oodlnfco.dll Nccokk32.exe File created C:\Windows\SysWOW64\Oajgdm32.dll Piocecgj.exe File created C:\Windows\SysWOW64\Abocgb32.dll Dpjfgf32.exe File opened for modification C:\Windows\SysWOW64\Baadiiif.exe Alelqb32.exe File created C:\Windows\SysWOW64\Heeeiopa.dll Cfnjpfcl.exe File created C:\Windows\SysWOW64\Jcdjbk32.exe Johnamkm.exe File created C:\Windows\SysWOW64\Mokfja32.exe Mqhfoebo.exe File created C:\Windows\SysWOW64\Fbfkceca.exe Fklcgk32.exe File created C:\Windows\SysWOW64\Elcenjob.dll Pgkelj32.exe File opened for modification C:\Windows\SysWOW64\Paelfmaf.exe Okkdic32.exe File created C:\Windows\SysWOW64\Pocpfphe.exe Pldcjeia.exe File created C:\Windows\SysWOW64\Odmbaj32.exe Oanfen32.exe File created C:\Windows\SysWOW64\Pjpbba32.dll Eehicoel.exe File created C:\Windows\SysWOW64\Egbcih32.dll Ibaeen32.exe File created C:\Windows\SysWOW64\Bgolif32.dll Amfjeobf.exe File opened for modification C:\Windows\SysWOW64\Facqkg32.exe Filiii32.exe File created C:\Windows\SysWOW64\Poomegpf.exe Pibdmp32.exe File created C:\Windows\SysWOW64\Kckefh32.dll Phbhcmjl.exe File created C:\Windows\SysWOW64\Fmlbhekk.dll Fnipbc32.exe File created C:\Windows\SysWOW64\Dolqpa32.dll Ljeafb32.exe File opened for modification C:\Windows\SysWOW64\Paiogf32.exe Pnkbkk32.exe File opened for modification C:\Windows\SysWOW64\Poodpmca.exe Phelcc32.exe File opened for modification C:\Windows\SysWOW64\Mhoipb32.exe Milidebi.exe File created C:\Windows\SysWOW64\Fndchiip.dll Mjellmbp.exe File opened for modification C:\Windows\SysWOW64\Hgdejd32.exe Gingkqkd.exe File opened for modification C:\Windows\SysWOW64\Jqhafffk.exe Jjoiil32.exe File created C:\Windows\SysWOW64\Hhbdbmfg.dll Palbgl32.exe File opened for modification C:\Windows\SysWOW64\Eecphp32.exe Eofgpikj.exe File opened for modification C:\Windows\SysWOW64\Ocaebc32.exe Opeiadfg.exe File opened for modification C:\Windows\SysWOW64\Kkjlic32.exe Kgopidgf.exe File opened for modification C:\Windows\SysWOW64\Fllkqn32.exe Fjjnifbl.exe File created C:\Windows\SysWOW64\Gbabigfj.exe Gfkbde32.exe File opened for modification C:\Windows\SysWOW64\Bacjdbch.exe Bkibgh32.exe File created C:\Windows\SysWOW64\Ekjali32.dll Ibjqaf32.exe File opened for modification C:\Windows\SysWOW64\Pmkofa32.exe Piocecgj.exe File opened for modification C:\Windows\SysWOW64\Loofnccf.exe Lakfeodm.exe File opened for modification C:\Windows\SysWOW64\Pmhbqbae.exe Pfojdh32.exe -
Program crash 1 IoCs
Processes:
WerFault.exepid pid_target process target process 10104 9568 WerFault.exe Gddgpqbe.exe -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
Ngmpcn32.exeBhpfqcln.exeAagdnn32.exePofjpl32.exeCkmehb32.exeJppnpjel.exeFnhbmgmk.exeMoobbb32.exeCnkkjh32.exeLejgch32.exeNjghbl32.exeKelalp32.exeDbcmakpl.exeAlelqb32.exeKgnbdh32.exeOpnbae32.exeCpacqg32.exeDjegekil.exePejkmk32.exeGejopl32.exeLgdidgjg.exeKlekfinp.exeEhjlaaig.exeOblhcj32.exeLbchba32.exeFphnlcdo.exeJgkdbacp.exeKdmqmc32.exeEkmhejao.exeIgfclkdj.exeGbpedjnb.exeBmkcqn32.exeHjjnae32.exeEofgpikj.exeQjhbfd32.exeNpjnhc32.exeNfohgqlg.exeBhldpj32.exeJcoaglhk.exeMjlalkmd.exeBdlfjh32.exeGihgfk32.exeCamddhoi.exeEiloco32.exeAhdpjn32.exeKgflcifg.exeOjnfihmo.exeKfcdfbqo.exeBlqllqqa.exeEbfign32.exeGgpbjkpl.exePiijno32.exeFmmmfj32.exeGnblnlhl.exeBfolacnc.exeLikcilhh.exePedbahod.exeFpeafcfa.exeGigaka32.exeMcelpggq.exeNmaciefp.exeDajbaika.exeNhnlkfpp.exeHjchaf32.exedescription ioc process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ngmpcn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bhpfqcln.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aagdnn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pofjpl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ckmehb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jppnpjel.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fnhbmgmk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Moobbb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cnkkjh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lejgch32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Njghbl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kelalp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dbcmakpl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Alelqb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kgnbdh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Opnbae32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cpacqg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Djegekil.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pejkmk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gejopl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lgdidgjg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Klekfinp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ehjlaaig.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oblhcj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lbchba32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fphnlcdo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jgkdbacp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kdmqmc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ekmhejao.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Igfclkdj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gbpedjnb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bmkcqn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hjjnae32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eofgpikj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qjhbfd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Npjnhc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nfohgqlg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bhldpj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jcoaglhk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mjlalkmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bdlfjh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gihgfk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Camddhoi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eiloco32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ahdpjn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kgflcifg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ojnfihmo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kfcdfbqo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Blqllqqa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ebfign32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ggpbjkpl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Piijno32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fmmmfj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gnblnlhl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bfolacnc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Likcilhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pedbahod.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fpeafcfa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gigaka32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mcelpggq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nmaciefp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dajbaika.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nhnlkfpp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hjchaf32.exe -
Modifies registry class 64 IoCs
Processes:
Cfadkb32.exeFineoi32.exeBojomm32.exeHehkajig.exeFmkgkapm.exeOjigdcll.exeQhmqdemc.exeBafndi32.exeGbchdp32.exeBjcmebie.exeOihagaji.exeMcifkf32.exeMhckcgpj.exeBckkca32.exeNelfeo32.exeAlpbecod.exeQjfmkk32.exeCbkfbcpb.exeGgnedlao.exeKkjlic32.exeKkconn32.exeBkgeainn.exeCdaile32.exeQlmgopjq.exeNeccpd32.exeOblmdhdo.exeAahbbkaq.exeBdbnjdfg.exePhajna32.exeEkjded32.exeEipinkib.exeAogbfi32.exeEiekog32.exeFnalmh32.exeQqhcpo32.exeBklfgo32.exeCdnmfclj.exeImpliekg.exeMqfpckhm.exeBgdemb32.exeOoagno32.exeNoeahkfc.exeAnclbkbp.exeQaqegecm.exeDpkmal32.exeEnmjlojd.exeMcfbkpab.exeNmhijd32.exeOohgdhfn.exeDnmaea32.exeKfcdfbqo.exeNgmpcn32.exeDjmibn32.exeMaodigil.exeNojjcj32.exePdhbmh32.exeAogiap32.exeHifcgion.exeMgphpe32.exeKolabf32.exeLhfmdj32.exeFhofmq32.exeJpenfp32.exeBhpofl32.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hgnilk32.dll" Cfadkb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Llelopkl.dll" Fineoi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bojomm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hehkajig.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Fmkgkapm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ojigdcll.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Qhmqdemc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bafndi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Gbchdp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qeocld32.dll" Bjcmebie.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Oihagaji.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Obqhpfck.dll" Mcifkf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nqobhgmh.dll" Mhckcgpj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pnbmqiee.dll" Bckkca32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Nelfeo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Alpbecod.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Qjfmkk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Cbkfbcpb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ggnedlao.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jkganhnq.dll" Kkjlic32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kkconn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bkgeainn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Cdaile32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Qlmgopjq.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Neccpd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Oblmdhdo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oddfcg32.dll" Aahbbkaq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bdbnjdfg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ilgonc32.dll" Phajna32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfhmgagf.dll" Ekjded32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Eipinkib.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Aogbfi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Eiekog32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Fnalmh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Qqhcpo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bklfgo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Cdnmfclj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bcghdkpf.dll" Impliekg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mqfpckhm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bgdemb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ooagno32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Noeahkfc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hqdkac32.dll" Anclbkbp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Qaqegecm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Dpkmal32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Akcjcnpe.dll" Enmjlojd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mcfbkpab.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hpfohk32.dll" Nmhijd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Oohgdhfn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Dnmaea32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kfcdfbqo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hmlgah32.dll" Ngmpcn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Djmibn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Faaigehd.dll" Maodigil.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Nojjcj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pdhbmh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Aogiap32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fogmlp32.dll" Hifcgion.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mgphpe32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kolabf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pbpebh32.dll" Lhfmdj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fhofmq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jpenfp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bhpofl32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
1528fa1fca6c2db0984a913b9fea07ff034775038c9c2267862d94d9e404e6ffN.exeJejefqaf.exeKppici32.exeKelalp32.exeKlfjijgq.exeKflnfcgg.exeKijjbofj.exeKpdboimg.exeKimghn32.exeKnippe32.exeKechmoil.exeKhbdikip.exeKfcdfbqo.exeLhdqnj32.exeLfealaol.exeLidmhmnp.exeLhfmdj32.exeLfhnaa32.exeLldfjh32.exeLfjjga32.exeLlgcph32.exeLbqklb32.exedescription pid process target process PID 116 wrote to memory of 4144 116 1528fa1fca6c2db0984a913b9fea07ff034775038c9c2267862d94d9e404e6ffN.exe Jejefqaf.exe PID 116 wrote to memory of 4144 116 1528fa1fca6c2db0984a913b9fea07ff034775038c9c2267862d94d9e404e6ffN.exe Jejefqaf.exe PID 116 wrote to memory of 4144 116 1528fa1fca6c2db0984a913b9fea07ff034775038c9c2267862d94d9e404e6ffN.exe Jejefqaf.exe PID 4144 wrote to memory of 2772 4144 Jejefqaf.exe Kppici32.exe PID 4144 wrote to memory of 2772 4144 Jejefqaf.exe Kppici32.exe PID 4144 wrote to memory of 2772 4144 Jejefqaf.exe Kppici32.exe PID 2772 wrote to memory of 1428 2772 Kppici32.exe Kelalp32.exe PID 2772 wrote to memory of 1428 2772 Kppici32.exe Kelalp32.exe PID 2772 wrote to memory of 1428 2772 Kppici32.exe Kelalp32.exe PID 1428 wrote to memory of 2256 1428 Kelalp32.exe Klfjijgq.exe PID 1428 wrote to memory of 2256 1428 Kelalp32.exe Klfjijgq.exe PID 1428 wrote to memory of 2256 1428 Kelalp32.exe Klfjijgq.exe PID 2256 wrote to memory of 4344 2256 Klfjijgq.exe Kflnfcgg.exe PID 2256 wrote to memory of 4344 2256 Klfjijgq.exe Kflnfcgg.exe PID 2256 wrote to memory of 4344 2256 Klfjijgq.exe Kflnfcgg.exe PID 4344 wrote to memory of 4936 4344 Kflnfcgg.exe Kijjbofj.exe PID 4344 wrote to memory of 4936 4344 Kflnfcgg.exe Kijjbofj.exe PID 4344 wrote to memory of 4936 4344 Kflnfcgg.exe Kijjbofj.exe PID 4936 wrote to memory of 860 4936 Kijjbofj.exe Kpdboimg.exe PID 4936 wrote to memory of 860 4936 Kijjbofj.exe Kpdboimg.exe PID 4936 wrote to memory of 860 4936 Kijjbofj.exe Kpdboimg.exe PID 860 wrote to memory of 232 860 Kpdboimg.exe Kimghn32.exe PID 860 wrote to memory of 232 860 Kpdboimg.exe Kimghn32.exe PID 860 wrote to memory of 232 860 Kpdboimg.exe Kimghn32.exe PID 232 wrote to memory of 2428 232 Kimghn32.exe Knippe32.exe PID 232 wrote to memory of 2428 232 Kimghn32.exe Knippe32.exe PID 232 wrote to memory of 2428 232 Kimghn32.exe Knippe32.exe PID 2428 wrote to memory of 4980 2428 Knippe32.exe Kechmoil.exe PID 2428 wrote to memory of 4980 2428 Knippe32.exe Kechmoil.exe PID 2428 wrote to memory of 4980 2428 Knippe32.exe Kechmoil.exe PID 4980 wrote to memory of 2400 4980 Kechmoil.exe Khbdikip.exe PID 4980 wrote to memory of 2400 4980 Kechmoil.exe Khbdikip.exe PID 4980 wrote to memory of 2400 4980 Kechmoil.exe Khbdikip.exe PID 2400 wrote to memory of 1068 2400 Khbdikip.exe Kfcdfbqo.exe PID 2400 wrote to memory of 1068 2400 Khbdikip.exe Kfcdfbqo.exe PID 2400 wrote to memory of 1068 2400 Khbdikip.exe Kfcdfbqo.exe PID 1068 wrote to memory of 3912 1068 Kfcdfbqo.exe Lhdqnj32.exe PID 1068 wrote to memory of 3912 1068 Kfcdfbqo.exe Lhdqnj32.exe PID 1068 wrote to memory of 3912 1068 Kfcdfbqo.exe Lhdqnj32.exe PID 3912 wrote to memory of 3872 3912 Lhdqnj32.exe Lfealaol.exe PID 3912 wrote to memory of 3872 3912 Lhdqnj32.exe Lfealaol.exe PID 3912 wrote to memory of 3872 3912 Lhdqnj32.exe Lfealaol.exe PID 3872 wrote to memory of 1484 3872 Lfealaol.exe Lidmhmnp.exe PID 3872 wrote to memory of 1484 3872 Lfealaol.exe Lidmhmnp.exe PID 3872 wrote to memory of 1484 3872 Lfealaol.exe Lidmhmnp.exe PID 1484 wrote to memory of 1700 1484 Lidmhmnp.exe Lhfmdj32.exe PID 1484 wrote to memory of 1700 1484 Lidmhmnp.exe Lhfmdj32.exe PID 1484 wrote to memory of 1700 1484 Lidmhmnp.exe Lhfmdj32.exe PID 1700 wrote to memory of 4676 1700 Lhfmdj32.exe Lfhnaa32.exe PID 1700 wrote to memory of 4676 1700 Lhfmdj32.exe Lfhnaa32.exe PID 1700 wrote to memory of 4676 1700 Lhfmdj32.exe Lfhnaa32.exe PID 4676 wrote to memory of 1332 4676 Lfhnaa32.exe Lldfjh32.exe PID 4676 wrote to memory of 1332 4676 Lfhnaa32.exe Lldfjh32.exe PID 4676 wrote to memory of 1332 4676 Lfhnaa32.exe Lldfjh32.exe PID 1332 wrote to memory of 3740 1332 Lldfjh32.exe Lfjjga32.exe PID 1332 wrote to memory of 3740 1332 Lldfjh32.exe Lfjjga32.exe PID 1332 wrote to memory of 3740 1332 Lldfjh32.exe Lfjjga32.exe PID 3740 wrote to memory of 2472 3740 Lfjjga32.exe Llgcph32.exe PID 3740 wrote to memory of 2472 3740 Lfjjga32.exe Llgcph32.exe PID 3740 wrote to memory of 2472 3740 Lfjjga32.exe Llgcph32.exe PID 2472 wrote to memory of 5064 2472 Llgcph32.exe Lbqklb32.exe PID 2472 wrote to memory of 5064 2472 Llgcph32.exe Lbqklb32.exe PID 2472 wrote to memory of 5064 2472 Llgcph32.exe Lbqklb32.exe PID 5064 wrote to memory of 380 5064 Lbqklb32.exe Likcilhh.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\1528fa1fca6c2db0984a913b9fea07ff034775038c9c2267862d94d9e404e6ffN.exe"C:\Users\Admin\AppData\Local\Temp\1528fa1fca6c2db0984a913b9fea07ff034775038c9c2267862d94d9e404e6ffN.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:116 -
C:\Windows\SysWOW64\Jejefqaf.exeC:\Windows\system32\Jejefqaf.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4144 -
C:\Windows\SysWOW64\Kppici32.exeC:\Windows\system32\Kppici32.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2772 -
C:\Windows\SysWOW64\Kelalp32.exeC:\Windows\system32\Kelalp32.exe4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1428 -
C:\Windows\SysWOW64\Klfjijgq.exeC:\Windows\system32\Klfjijgq.exe5⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2256 -
C:\Windows\SysWOW64\Kflnfcgg.exeC:\Windows\system32\Kflnfcgg.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4344 -
C:\Windows\SysWOW64\Kijjbofj.exeC:\Windows\system32\Kijjbofj.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4936 -
C:\Windows\SysWOW64\Kpdboimg.exeC:\Windows\system32\Kpdboimg.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:860 -
C:\Windows\SysWOW64\Kimghn32.exeC:\Windows\system32\Kimghn32.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:232 -
C:\Windows\SysWOW64\Knippe32.exeC:\Windows\system32\Knippe32.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2428 -
C:\Windows\SysWOW64\Kechmoil.exeC:\Windows\system32\Kechmoil.exe11⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4980 -
C:\Windows\SysWOW64\Khbdikip.exeC:\Windows\system32\Khbdikip.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2400 -
C:\Windows\SysWOW64\Kfcdfbqo.exeC:\Windows\system32\Kfcdfbqo.exe13⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1068 -
C:\Windows\SysWOW64\Lhdqnj32.exeC:\Windows\system32\Lhdqnj32.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3912 -
C:\Windows\SysWOW64\Lfealaol.exeC:\Windows\system32\Lfealaol.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3872 -
C:\Windows\SysWOW64\Lidmhmnp.exeC:\Windows\system32\Lidmhmnp.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1484 -
C:\Windows\SysWOW64\Lhfmdj32.exeC:\Windows\system32\Lhfmdj32.exe17⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1700 -
C:\Windows\SysWOW64\Lfhnaa32.exeC:\Windows\system32\Lfhnaa32.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4676 -
C:\Windows\SysWOW64\Lldfjh32.exeC:\Windows\system32\Lldfjh32.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1332 -
C:\Windows\SysWOW64\Lfjjga32.exeC:\Windows\system32\Lfjjga32.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3740 -
C:\Windows\SysWOW64\Llgcph32.exeC:\Windows\system32\Llgcph32.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2472 -
C:\Windows\SysWOW64\Lbqklb32.exeC:\Windows\system32\Lbqklb32.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5064 -
C:\Windows\SysWOW64\Likcilhh.exeC:\Windows\system32\Likcilhh.exe23⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:380 -
C:\Windows\SysWOW64\Lpekef32.exeC:\Windows\system32\Lpekef32.exe24⤵
- Executes dropped EXE
PID:1188 -
C:\Windows\SysWOW64\Lbchba32.exeC:\Windows\system32\Lbchba32.exe25⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1780 -
C:\Windows\SysWOW64\Mimpolee.exeC:\Windows\system32\Mimpolee.exe26⤵
- Executes dropped EXE
PID:4272 -
C:\Windows\SysWOW64\Mpghkf32.exeC:\Windows\system32\Mpghkf32.exe27⤵
- Executes dropped EXE
PID:1256 -
C:\Windows\SysWOW64\Mhbmphjm.exeC:\Windows\system32\Mhbmphjm.exe28⤵
- Executes dropped EXE
PID:3568 -
C:\Windows\SysWOW64\Mlnipg32.exeC:\Windows\system32\Mlnipg32.exe29⤵
- Executes dropped EXE
PID:4348 -
C:\Windows\SysWOW64\Mbhamajc.exeC:\Windows\system32\Mbhamajc.exe30⤵
- Executes dropped EXE
PID:4052 -
C:\Windows\SysWOW64\Mhdjehhj.exeC:\Windows\system32\Mhdjehhj.exe31⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1020 -
C:\Windows\SysWOW64\Moobbb32.exeC:\Windows\system32\Moobbb32.exe32⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:960 -
C:\Windows\SysWOW64\Mehjol32.exeC:\Windows\system32\Mehjol32.exe33⤵
- Executes dropped EXE
PID:4552 -
C:\Windows\SysWOW64\Mlbbkfoq.exeC:\Windows\system32\Mlbbkfoq.exe34⤵
- Executes dropped EXE
PID:4580 -
C:\Windows\SysWOW64\Mblkhq32.exeC:\Windows\system32\Mblkhq32.exe35⤵
- Executes dropped EXE
PID:4796 -
C:\Windows\SysWOW64\Mifcejnj.exeC:\Windows\system32\Mifcejnj.exe36⤵
- Executes dropped EXE
PID:1944 -
C:\Windows\SysWOW64\Mhicpg32.exeC:\Windows\system32\Mhicpg32.exe37⤵
- Executes dropped EXE
PID:2832 -
C:\Windows\SysWOW64\Mockmala.exeC:\Windows\system32\Mockmala.exe38⤵
- Executes dropped EXE
PID:1952 -
C:\Windows\SysWOW64\Nemcjk32.exeC:\Windows\system32\Nemcjk32.exe39⤵
- Executes dropped EXE
PID:4260 -
C:\Windows\SysWOW64\Nhlpfgbb.exeC:\Windows\system32\Nhlpfgbb.exe40⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2268 -
C:\Windows\SysWOW64\Noehba32.exeC:\Windows\system32\Noehba32.exe41⤵
- Executes dropped EXE
PID:1456 -
C:\Windows\SysWOW64\Ngmpcn32.exeC:\Windows\system32\Ngmpcn32.exe42⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:3864 -
C:\Windows\SysWOW64\Nhnlkfpp.exeC:\Windows\system32\Nhnlkfpp.exe43⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:216 -
C:\Windows\SysWOW64\Nohehq32.exeC:\Windows\system32\Nohehq32.exe44⤵
- Executes dropped EXE
PID:4320 -
C:\Windows\SysWOW64\Ngomin32.exeC:\Windows\system32\Ngomin32.exe45⤵
- Executes dropped EXE
PID:2856 -
C:\Windows\SysWOW64\Nhpiafnm.exeC:\Windows\system32\Nhpiafnm.exe46⤵
- Executes dropped EXE
PID:4776 -
C:\Windows\SysWOW64\Nojanpej.exeC:\Windows\system32\Nojanpej.exe47⤵
- Executes dropped EXE
PID:3460 -
C:\Windows\SysWOW64\Ngaionfl.exeC:\Windows\system32\Ngaionfl.exe48⤵
- Executes dropped EXE
PID:4792 -
C:\Windows\SysWOW64\Npjnhc32.exeC:\Windows\system32\Npjnhc32.exe49⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3036 -
C:\Windows\SysWOW64\Ngdfdmdi.exeC:\Windows\system32\Ngdfdmdi.exe50⤵
- Executes dropped EXE
PID:2684 -
C:\Windows\SysWOW64\Nheble32.exeC:\Windows\system32\Nheble32.exe51⤵
- Executes dropped EXE
PID:4516 -
C:\Windows\SysWOW64\Nplkmckj.exeC:\Windows\system32\Nplkmckj.exe52⤵
- Executes dropped EXE
PID:2348 -
C:\Windows\SysWOW64\Oeicejia.exeC:\Windows\system32\Oeicejia.exe53⤵
- Executes dropped EXE
PID:1824 -
C:\Windows\SysWOW64\Ohgoaehe.exeC:\Windows\system32\Ohgoaehe.exe54⤵
- Executes dropped EXE
PID:3492 -
C:\Windows\SysWOW64\Ooagno32.exeC:\Windows\system32\Ooagno32.exe55⤵
- Executes dropped EXE
- Modifies registry class
PID:744 -
C:\Windows\SysWOW64\Oigllh32.exeC:\Windows\system32\Oigllh32.exe56⤵
- Executes dropped EXE
PID:1876 -
C:\Windows\SysWOW64\Ohjlgefb.exeC:\Windows\system32\Ohjlgefb.exe57⤵
- Executes dropped EXE
PID:1120 -
C:\Windows\SysWOW64\Ocopdn32.exeC:\Windows\system32\Ocopdn32.exe58⤵
- Executes dropped EXE
PID:2784 -
C:\Windows\SysWOW64\Oiihahme.exeC:\Windows\system32\Oiihahme.exe59⤵
- Executes dropped EXE
PID:3504 -
C:\Windows\SysWOW64\Opcqnb32.exeC:\Windows\system32\Opcqnb32.exe60⤵
- Executes dropped EXE
PID:4456 -
C:\Windows\SysWOW64\Ogmijllo.exeC:\Windows\system32\Ogmijllo.exe61⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:5016 -
C:\Windows\SysWOW64\Oepifi32.exeC:\Windows\system32\Oepifi32.exe62⤵
- Executes dropped EXE
PID:644 -
C:\Windows\SysWOW64\Oohnonij.exeC:\Windows\system32\Oohnonij.exe63⤵
- Executes dropped EXE
PID:4836 -
C:\Windows\SysWOW64\Ojnblg32.exeC:\Windows\system32\Ojnblg32.exe64⤵
- Executes dropped EXE
PID:4236 -
C:\Windows\SysWOW64\Ohqbhdpj.exeC:\Windows\system32\Ohqbhdpj.exe65⤵
- Executes dropped EXE
PID:4932 -
C:\Windows\SysWOW64\Ocffempp.exeC:\Windows\system32\Ocffempp.exe66⤵PID:624
-
C:\Windows\SysWOW64\Pedbahod.exeC:\Windows\system32\Pedbahod.exe67⤵
- System Location Discovery: System Language Discovery
PID:3600 -
C:\Windows\SysWOW64\Ppjgoaoj.exeC:\Windows\system32\Ppjgoaoj.exe68⤵PID:5068
-
C:\Windows\SysWOW64\Pcicklnn.exeC:\Windows\system32\Pcicklnn.exe69⤵PID:3676
-
C:\Windows\SysWOW64\Phelcc32.exeC:\Windows\system32\Phelcc32.exe70⤵
- Drops file in System32 directory
PID:4536 -
C:\Windows\SysWOW64\Poodpmca.exeC:\Windows\system32\Poodpmca.exe71⤵PID:4480
-
C:\Windows\SysWOW64\Pckppl32.exeC:\Windows\system32\Pckppl32.exe72⤵PID:836
-
C:\Windows\SysWOW64\Phhhhc32.exeC:\Windows\system32\Phhhhc32.exe73⤵PID:2892
-
C:\Windows\SysWOW64\Ppopjp32.exeC:\Windows\system32\Ppopjp32.exe74⤵PID:3736
-
C:\Windows\SysWOW64\Pgihfj32.exeC:\Windows\system32\Pgihfj32.exe75⤵PID:4420
-
C:\Windows\SysWOW64\Pjgebf32.exeC:\Windows\system32\Pjgebf32.exe76⤵PID:3988
-
C:\Windows\SysWOW64\Ppamophb.exeC:\Windows\system32\Ppamophb.exe77⤵PID:3472
-
C:\Windows\SysWOW64\Pgkelj32.exeC:\Windows\system32\Pgkelj32.exe78⤵
- Drops file in System32 directory
PID:2156 -
C:\Windows\SysWOW64\Pofjpl32.exeC:\Windows\system32\Pofjpl32.exe79⤵
- System Location Discovery: System Language Discovery
PID:4540 -
C:\Windows\SysWOW64\Qfpbmfdf.exeC:\Windows\system32\Qfpbmfdf.exe80⤵PID:4508
-
C:\Windows\SysWOW64\Qhonib32.exeC:\Windows\system32\Qhonib32.exe81⤵PID:4416
-
C:\Windows\SysWOW64\Qgpogili.exeC:\Windows\system32\Qgpogili.exe82⤵PID:4696
-
C:\Windows\SysWOW64\Qlmgopjq.exeC:\Windows\system32\Qlmgopjq.exe83⤵
- Modifies registry class
PID:3244 -
C:\Windows\SysWOW64\Qqhcpo32.exeC:\Windows\system32\Qqhcpo32.exe84⤵
- Modifies registry class
PID:4692 -
C:\Windows\SysWOW64\Agbkmijg.exeC:\Windows\system32\Agbkmijg.exe85⤵PID:3324
-
C:\Windows\SysWOW64\Aompak32.exeC:\Windows\system32\Aompak32.exe86⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4392 -
C:\Windows\SysWOW64\Acilajpk.exeC:\Windows\system32\Acilajpk.exe87⤵PID:1580
-
C:\Windows\SysWOW64\Aopmfk32.exeC:\Windows\system32\Aopmfk32.exe88⤵PID:4028
-
C:\Windows\SysWOW64\Ackigjmh.exeC:\Windows\system32\Ackigjmh.exe89⤵PID:1928
-
C:\Windows\SysWOW64\Aihaoqlp.exeC:\Windows\system32\Aihaoqlp.exe90⤵PID:1572
-
C:\Windows\SysWOW64\Amcmpodi.exeC:\Windows\system32\Amcmpodi.exe91⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2936 -
C:\Windows\SysWOW64\Aobilkcl.exeC:\Windows\system32\Aobilkcl.exe92⤵PID:4664
-
C:\Windows\SysWOW64\Acnemi32.exeC:\Windows\system32\Acnemi32.exe93⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4944 -
C:\Windows\SysWOW64\Aflaie32.exeC:\Windows\system32\Aflaie32.exe94⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5144 -
C:\Windows\SysWOW64\Ajhniccb.exeC:\Windows\system32\Ajhniccb.exe95⤵PID:5192
-
C:\Windows\SysWOW64\Amfjeobf.exeC:\Windows\system32\Amfjeobf.exe96⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:5236 -
C:\Windows\SysWOW64\Aqaffn32.exeC:\Windows\system32\Aqaffn32.exe97⤵PID:5284
-
C:\Windows\SysWOW64\Aodfajaj.exeC:\Windows\system32\Aodfajaj.exe98⤵PID:5328
-
C:\Windows\SysWOW64\Acpbbi32.exeC:\Windows\system32\Acpbbi32.exe99⤵PID:5376
-
C:\Windows\SysWOW64\Afnnnd32.exeC:\Windows\system32\Afnnnd32.exe100⤵PID:5420
-
C:\Windows\SysWOW64\Ajjjocap.exeC:\Windows\system32\Ajjjocap.exe101⤵PID:5468
-
C:\Windows\SysWOW64\Aimkjp32.exeC:\Windows\system32\Aimkjp32.exe102⤵PID:5524
-
C:\Windows\SysWOW64\Bgnkhg32.exeC:\Windows\system32\Bgnkhg32.exe103⤵PID:5568
-
C:\Windows\SysWOW64\Bjlgdc32.exeC:\Windows\system32\Bjlgdc32.exe104⤵PID:5612
-
C:\Windows\SysWOW64\Bmkcqn32.exeC:\Windows\system32\Bmkcqn32.exe105⤵
- System Location Discovery: System Language Discovery
PID:5652 -
C:\Windows\SysWOW64\Boipmj32.exeC:\Windows\system32\Boipmj32.exe106⤵PID:5696
-
C:\Windows\SysWOW64\Bjodjb32.exeC:\Windows\system32\Bjodjb32.exe107⤵PID:5736
-
C:\Windows\SysWOW64\Biadeoce.exeC:\Windows\system32\Biadeoce.exe108⤵PID:5780
-
C:\Windows\SysWOW64\Bgbdcgld.exeC:\Windows\system32\Bgbdcgld.exe109⤵PID:5824
-
C:\Windows\SysWOW64\Bjaqpbkh.exeC:\Windows\system32\Bjaqpbkh.exe110⤵PID:5868
-
C:\Windows\SysWOW64\Bpnihiio.exeC:\Windows\system32\Bpnihiio.exe111⤵PID:5904
-
C:\Windows\SysWOW64\Bjcmebie.exeC:\Windows\system32\Bjcmebie.exe112⤵
- Modifies registry class
PID:5956 -
C:\Windows\SysWOW64\Bclang32.exeC:\Windows\system32\Bclang32.exe113⤵PID:6000
-
C:\Windows\SysWOW64\Ccnncgmc.exeC:\Windows\system32\Ccnncgmc.exe114⤵PID:6044
-
C:\Windows\SysWOW64\Cikglnkj.exeC:\Windows\system32\Cikglnkj.exe115⤵PID:6088
-
C:\Windows\SysWOW64\Cjjcfabm.exeC:\Windows\system32\Cjjcfabm.exe116⤵PID:6136
-
C:\Windows\SysWOW64\Cmipblaq.exeC:\Windows\system32\Cmipblaq.exe117⤵PID:5184
-
C:\Windows\SysWOW64\Cfadkb32.exeC:\Windows\system32\Cfadkb32.exe118⤵
- Modifies registry class
PID:5256 -
C:\Windows\SysWOW64\Caghhk32.exeC:\Windows\system32\Caghhk32.exe119⤵PID:5336
-
C:\Windows\SysWOW64\Cjomap32.exeC:\Windows\system32\Cjomap32.exe120⤵PID:5408
-
C:\Windows\SysWOW64\Cibmlmeb.exeC:\Windows\system32\Cibmlmeb.exe121⤵PID:5488
-
C:\Windows\SysWOW64\Cpleig32.exeC:\Windows\system32\Cpleig32.exe122⤵PID:5560
-
C:\Windows\SysWOW64\Cffmfadl.exeC:\Windows\system32\Cffmfadl.exe123⤵PID:5600
-
C:\Windows\SysWOW64\Cidjbmcp.exeC:\Windows\system32\Cidjbmcp.exe124⤵PID:5680
-
C:\Windows\SysWOW64\Dakacjdb.exeC:\Windows\system32\Dakacjdb.exe125⤵PID:5756
-
C:\Windows\SysWOW64\Dcjnoece.exeC:\Windows\system32\Dcjnoece.exe126⤵PID:5832
-
C:\Windows\SysWOW64\Dannij32.exeC:\Windows\system32\Dannij32.exe127⤵PID:5888
-
C:\Windows\SysWOW64\Dfjgaq32.exeC:\Windows\system32\Dfjgaq32.exe128⤵PID:5964
-
C:\Windows\SysWOW64\Dapkni32.exeC:\Windows\system32\Dapkni32.exe129⤵PID:6032
-
C:\Windows\SysWOW64\Dpckjfgg.exeC:\Windows\system32\Dpckjfgg.exe130⤵PID:6104
-
C:\Windows\SysWOW64\Dpehof32.exeC:\Windows\system32\Dpehof32.exe131⤵PID:5168
-
C:\Windows\SysWOW64\Dmihij32.exeC:\Windows\system32\Dmihij32.exe132⤵PID:5292
-
C:\Windows\SysWOW64\Dpgeee32.exeC:\Windows\system32\Dpgeee32.exe133⤵PID:5384
-
C:\Windows\SysWOW64\Djmibn32.exeC:\Windows\system32\Djmibn32.exe134⤵
- Modifies registry class
PID:5540 -
C:\Windows\SysWOW64\Eipinkib.exeC:\Windows\system32\Eipinkib.exe135⤵
- Modifies registry class
PID:5648 -
C:\Windows\SysWOW64\Epjajeqo.exeC:\Windows\system32\Epjajeqo.exe136⤵
- Drops file in System32 directory
PID:5744 -
C:\Windows\SysWOW64\Efdjgo32.exeC:\Windows\system32\Efdjgo32.exe137⤵PID:3920
-
C:\Windows\SysWOW64\Emnbdioi.exeC:\Windows\system32\Emnbdioi.exe138⤵PID:5952
-
C:\Windows\SysWOW64\Eaindh32.exeC:\Windows\system32\Eaindh32.exe139⤵PID:6064
-
C:\Windows\SysWOW64\Ehcfaboo.exeC:\Windows\system32\Ehcfaboo.exe140⤵PID:5136
-
C:\Windows\SysWOW64\Eidbij32.exeC:\Windows\system32\Eidbij32.exe141⤵PID:5396
-
C:\Windows\SysWOW64\Ealkjh32.exeC:\Windows\system32\Ealkjh32.exe142⤵PID:5564
-
C:\Windows\SysWOW64\Efhcbodf.exeC:\Windows\system32\Efhcbodf.exe143⤵PID:5688
-
C:\Windows\SysWOW64\Embkoi32.exeC:\Windows\system32\Embkoi32.exe144⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5852 -
C:\Windows\SysWOW64\Epagkd32.exeC:\Windows\system32\Epagkd32.exe145⤵PID:6012
-
C:\Windows\SysWOW64\Ehhpla32.exeC:\Windows\system32\Ehhpla32.exe146⤵PID:5220
-
C:\Windows\SysWOW64\Eiildjag.exeC:\Windows\system32\Eiildjag.exe147⤵PID:5520
-
C:\Windows\SysWOW64\Eaqdegaj.exeC:\Windows\system32\Eaqdegaj.exe148⤵PID:5848
-
C:\Windows\SysWOW64\Ehjlaaig.exeC:\Windows\system32\Ehjlaaig.exe149⤵
- System Location Discovery: System Language Discovery
PID:6056 -
C:\Windows\SysWOW64\Filiii32.exeC:\Windows\system32\Filiii32.exe150⤵
- Drops file in System32 directory
PID:5432 -
C:\Windows\SysWOW64\Facqkg32.exeC:\Windows\system32\Facqkg32.exe151⤵PID:5944
-
C:\Windows\SysWOW64\Fpeafcfa.exeC:\Windows\system32\Fpeafcfa.exe152⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:4600 -
C:\Windows\SysWOW64\Ffpicn32.exeC:\Windows\system32\Ffpicn32.exe153⤵PID:5596
-
C:\Windows\SysWOW64\Fineoi32.exeC:\Windows\system32\Fineoi32.exe154⤵
- Modifies registry class
PID:5272 -
C:\Windows\SysWOW64\Fmjaphek.exeC:\Windows\system32\Fmjaphek.exe155⤵PID:1264
-
C:\Windows\SysWOW64\Fphnlcdo.exeC:\Windows\system32\Fphnlcdo.exe156⤵
- System Location Discovery: System Language Discovery
PID:1040 -
C:\Windows\SysWOW64\Fhofmq32.exeC:\Windows\system32\Fhofmq32.exe157⤵
- Modifies registry class
PID:6160 -
C:\Windows\SysWOW64\Fgbfhmll.exeC:\Windows\system32\Fgbfhmll.exe158⤵PID:6228
-
C:\Windows\SysWOW64\Fipbdikp.exeC:\Windows\system32\Fipbdikp.exe159⤵PID:6272
-
C:\Windows\SysWOW64\Fdffbake.exeC:\Windows\system32\Fdffbake.exe160⤵PID:6520
-
C:\Windows\SysWOW64\Fgdbnmji.exeC:\Windows\system32\Fgdbnmji.exe161⤵PID:6564
-
C:\Windows\SysWOW64\Fkpool32.exeC:\Windows\system32\Fkpool32.exe162⤵PID:6608
-
C:\Windows\SysWOW64\Fajgkfio.exeC:\Windows\system32\Fajgkfio.exe163⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6652 -
C:\Windows\SysWOW64\Fpmggb32.exeC:\Windows\system32\Fpmggb32.exe164⤵PID:6700
-
C:\Windows\SysWOW64\Fhdohp32.exeC:\Windows\system32\Fhdohp32.exe165⤵PID:6740
-
C:\Windows\SysWOW64\Fggocmhf.exeC:\Windows\system32\Fggocmhf.exe166⤵PID:6796
-
C:\Windows\SysWOW64\Fielph32.exeC:\Windows\system32\Fielph32.exe167⤵PID:6852
-
C:\Windows\SysWOW64\Fdkpma32.exeC:\Windows\system32\Fdkpma32.exe168⤵PID:6904
-
C:\Windows\SysWOW64\Ggilil32.exeC:\Windows\system32\Ggilil32.exe169⤵PID:6948
-
C:\Windows\SysWOW64\Gkdhjknm.exeC:\Windows\system32\Gkdhjknm.exe170⤵PID:6992
-
C:\Windows\SysWOW64\Gigheh32.exeC:\Windows\system32\Gigheh32.exe171⤵PID:7036
-
C:\Windows\SysWOW64\Gpaqbbld.exeC:\Windows\system32\Gpaqbbld.exe172⤵PID:7080
-
C:\Windows\SysWOW64\Gmeakf32.exeC:\Windows\system32\Gmeakf32.exe173⤵PID:7124
-
C:\Windows\SysWOW64\Ggnedlao.exeC:\Windows\system32\Ggnedlao.exe174⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:6148 -
C:\Windows\SysWOW64\Ggpbjkpl.exeC:\Windows\system32\Ggpbjkpl.exe175⤵
- System Location Discovery: System Language Discovery
PID:6236 -
C:\Windows\SysWOW64\Ghpocngo.exeC:\Windows\system32\Ghpocngo.exe176⤵PID:6300
-
C:\Windows\SysWOW64\Hjchaf32.exeC:\Windows\system32\Hjchaf32.exe177⤵
- System Location Discovery: System Language Discovery
PID:6424 -
C:\Windows\SysWOW64\Hpmpnp32.exeC:\Windows\system32\Hpmpnp32.exe178⤵PID:6384
-
C:\Windows\SysWOW64\Hjedffig.exeC:\Windows\system32\Hjedffig.exe179⤵PID:6468
-
C:\Windows\SysWOW64\Hdkidohn.exeC:\Windows\system32\Hdkidohn.exe180⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6476 -
C:\Windows\SysWOW64\Hkeaqi32.exeC:\Windows\system32\Hkeaqi32.exe181⤵PID:6560
-
C:\Windows\SysWOW64\Hjjnae32.exeC:\Windows\system32\Hjjnae32.exe182⤵
- System Location Discovery: System Language Discovery
PID:6624 -
C:\Windows\SysWOW64\Hhknpmma.exeC:\Windows\system32\Hhknpmma.exe183⤵PID:6660
-
C:\Windows\SysWOW64\Hacbhb32.exeC:\Windows\system32\Hacbhb32.exe184⤵PID:6692
-
C:\Windows\SysWOW64\Ijogmdqm.exeC:\Windows\system32\Ijogmdqm.exe185⤵PID:6780
-
C:\Windows\SysWOW64\Igchfiof.exeC:\Windows\system32\Igchfiof.exe186⤵PID:6868
-
C:\Windows\SysWOW64\Ihbdplfi.exeC:\Windows\system32\Ihbdplfi.exe187⤵PID:6956
-
C:\Windows\SysWOW64\Ijcahd32.exeC:\Windows\system32\Ijcahd32.exe188⤵PID:7020
-
C:\Windows\SysWOW64\Iakiia32.exeC:\Windows\system32\Iakiia32.exe189⤵PID:6848
-
C:\Windows\SysWOW64\Iqmidndd.exeC:\Windows\system32\Iqmidndd.exe190⤵PID:7096
-
C:\Windows\SysWOW64\Ikcmbfcj.exeC:\Windows\system32\Ikcmbfcj.exe191⤵
- Drops file in System32 directory
PID:7160 -
C:\Windows\SysWOW64\Iqpfjnba.exeC:\Windows\system32\Iqpfjnba.exe192⤵PID:6248
-
C:\Windows\SysWOW64\Ijhjcchb.exeC:\Windows\system32\Ijhjcchb.exe193⤵PID:6416
-
C:\Windows\SysWOW64\Jdnoplhh.exeC:\Windows\system32\Jdnoplhh.exe194⤵PID:6364
-
C:\Windows\SysWOW64\Jkhgmf32.exeC:\Windows\system32\Jkhgmf32.exe195⤵PID:6312
-
C:\Windows\SysWOW64\Jqdoem32.exeC:\Windows\system32\Jqdoem32.exe196⤵PID:6600
-
C:\Windows\SysWOW64\Jgogbgei.exeC:\Windows\system32\Jgogbgei.exe197⤵PID:6280
-
C:\Windows\SysWOW64\Jkjcbe32.exeC:\Windows\system32\Jkjcbe32.exe198⤵
- Drops file in System32 directory
PID:6748 -
C:\Windows\SysWOW64\Jqglkmlj.exeC:\Windows\system32\Jqglkmlj.exe199⤵PID:6892
-
C:\Windows\SysWOW64\Jhndljll.exeC:\Windows\system32\Jhndljll.exe200⤵PID:7000
-
C:\Windows\SysWOW64\Jbfheo32.exeC:\Windows\system32\Jbfheo32.exe201⤵PID:6884
-
C:\Windows\SysWOW64\Jbkbpoog.exeC:\Windows\system32\Jbkbpoog.exe202⤵PID:5748
-
C:\Windows\SysWOW64\Kqnbkl32.exeC:\Windows\system32\Kqnbkl32.exe203⤵PID:6368
-
C:\Windows\SysWOW64\Kdinljnk.exeC:\Windows\system32\Kdinljnk.exe204⤵PID:6448
-
C:\Windows\SysWOW64\Kkcfid32.exeC:\Windows\system32\Kkcfid32.exe205⤵PID:6596
-
C:\Windows\SysWOW64\Kelkaj32.exeC:\Windows\system32\Kelkaj32.exe206⤵PID:6724
-
C:\Windows\SysWOW64\Kgjgne32.exeC:\Windows\system32\Kgjgne32.exe207⤵PID:6988
-
C:\Windows\SysWOW64\Kjhcjq32.exeC:\Windows\system32\Kjhcjq32.exe208⤵PID:7136
-
C:\Windows\SysWOW64\Kbpkkn32.exeC:\Windows\system32\Kbpkkn32.exe209⤵PID:6460
-
C:\Windows\SysWOW64\Kenggi32.exeC:\Windows\system32\Kenggi32.exe210⤵PID:1520
-
C:\Windows\SysWOW64\Kgmcce32.exeC:\Windows\system32\Kgmcce32.exe211⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6392 -
C:\Windows\SysWOW64\Kjkpoq32.exeC:\Windows\system32\Kjkpoq32.exe212⤵PID:6296
-
C:\Windows\SysWOW64\Kaehljpj.exeC:\Windows\system32\Kaehljpj.exe213⤵PID:7172
-
C:\Windows\SysWOW64\Keqdmihc.exeC:\Windows\system32\Keqdmihc.exe214⤵PID:7208
-
C:\Windows\SysWOW64\Kgopidgf.exeC:\Windows\system32\Kgopidgf.exe215⤵
- Drops file in System32 directory
PID:7260 -
C:\Windows\SysWOW64\Kkjlic32.exeC:\Windows\system32\Kkjlic32.exe216⤵
- Modifies registry class
PID:7320 -
C:\Windows\SysWOW64\Kniieo32.exeC:\Windows\system32\Kniieo32.exe217⤵PID:7376
-
C:\Windows\SysWOW64\Kageaj32.exeC:\Windows\system32\Kageaj32.exe218⤵PID:7436
-
C:\Windows\SysWOW64\Kkmioc32.exeC:\Windows\system32\Kkmioc32.exe219⤵PID:7488
-
C:\Windows\SysWOW64\Knkekn32.exeC:\Windows\system32\Knkekn32.exe220⤵PID:7532
-
C:\Windows\SysWOW64\Lajagj32.exeC:\Windows\system32\Lajagj32.exe221⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:7580 -
C:\Windows\SysWOW64\Liqihglg.exeC:\Windows\system32\Liqihglg.exe222⤵PID:7624
-
C:\Windows\SysWOW64\Ljbfpo32.exeC:\Windows\system32\Ljbfpo32.exe223⤵PID:7668
-
C:\Windows\SysWOW64\Lnnbqnjn.exeC:\Windows\system32\Lnnbqnjn.exe224⤵PID:7712
-
C:\Windows\SysWOW64\Lbinam32.exeC:\Windows\system32\Lbinam32.exe225⤵PID:7752
-
C:\Windows\SysWOW64\Legjmh32.exeC:\Windows\system32\Legjmh32.exe226⤵PID:7808
-
C:\Windows\SysWOW64\Lgffic32.exeC:\Windows\system32\Lgffic32.exe227⤵PID:7864
-
C:\Windows\SysWOW64\Lnpofnhk.exeC:\Windows\system32\Lnpofnhk.exe228⤵PID:7916
-
C:\Windows\SysWOW64\Lejgch32.exeC:\Windows\system32\Lejgch32.exe229⤵
- System Location Discovery: System Language Discovery
PID:7964 -
C:\Windows\SysWOW64\Lldopb32.exeC:\Windows\system32\Lldopb32.exe230⤵PID:8008
-
C:\Windows\SysWOW64\Ljgpkonp.exeC:\Windows\system32\Ljgpkonp.exe231⤵PID:8052
-
C:\Windows\SysWOW64\Lbngllob.exeC:\Windows\system32\Lbngllob.exe232⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:8100 -
C:\Windows\SysWOW64\Llflea32.exeC:\Windows\system32\Llflea32.exe233⤵PID:8144
-
C:\Windows\SysWOW64\Lndham32.exeC:\Windows\system32\Lndham32.exe234⤵PID:8188
-
C:\Windows\SysWOW64\Lijlof32.exeC:\Windows\system32\Lijlof32.exe235⤵PID:7184
-
C:\Windows\SysWOW64\Mngegmbc.exeC:\Windows\system32\Mngegmbc.exe236⤵PID:7284
-
C:\Windows\SysWOW64\Maeachag.exeC:\Windows\system32\Maeachag.exe237⤵PID:7336
-
C:\Windows\SysWOW64\Milidebi.exeC:\Windows\system32\Milidebi.exe238⤵
- Drops file in System32 directory
PID:7448 -
C:\Windows\SysWOW64\Mhoipb32.exeC:\Windows\system32\Mhoipb32.exe239⤵PID:7524
-
C:\Windows\SysWOW64\Mahnhhod.exeC:\Windows\system32\Mahnhhod.exe240⤵PID:7600
-
C:\Windows\SysWOW64\Mecjif32.exeC:\Windows\system32\Mecjif32.exe241⤵PID:7368
-
C:\Windows\SysWOW64\Mnlnbl32.exeC:\Windows\system32\Mnlnbl32.exe242⤵PID:7676