Analysis
-
max time kernel
148s -
max time network
153s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
10-11-2024 01:22
Static task
static1
Behavioral task
behavioral1
Sample
a66fb22183754dac0e3b55491ea6ae0111ac283c1dc13267c81135c06dc2b960.exe
Resource
win7-20241010-en
Behavioral task
behavioral2
Sample
a66fb22183754dac0e3b55491ea6ae0111ac283c1dc13267c81135c06dc2b960.exe
Resource
win10v2004-20241007-en
General
-
Target
a66fb22183754dac0e3b55491ea6ae0111ac283c1dc13267c81135c06dc2b960.exe
-
Size
92KB
-
MD5
982afc04e0fc23409e1a941275455b35
-
SHA1
9dcb8a48b20b4fb8b9f2623e5491a5d5d0a06773
-
SHA256
a66fb22183754dac0e3b55491ea6ae0111ac283c1dc13267c81135c06dc2b960
-
SHA512
cc7a57f8b46d6a9d410f93171249f2f6553c8de9d76403b96b79ed9e87d006da885abef3c87b83a4faaf1b90ae34bc08da476fbe01cc61487eae89c38c78c3bc
-
SSDEEP
1536:EeOpv5LV6nisuYwejikD0H7Yd91qq+luJfgR0IOCnKQrUoR24HsUs:Ejl5INwu0H7W1yg5w0I86THsR
Malware Config
Extracted
berbew
http://f/wcmd.htm
http://f/ppslog.php
http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
Processes:
Jokkgl32.exeEigonjcj.exeHpomcp32.exeEblpgjha.exePlmmif32.exeAojefobm.exeBlielbfi.exeQdaniq32.exeOebflhaf.exePlagcbdn.exeJdedak32.exeHmbphg32.exeHbhboolf.exeEjbbmnnb.exePcmeke32.exeIjcjmmil.exeGlgcbf32.exeNgaionfl.exeOohgdhfn.exeIgfclkdj.exeFlngfn32.exeAlkijdci.exeIfmqfm32.exeIbcaknbi.exeCadlbk32.exeDpehof32.exeLbkkgl32.exeCkkiccep.exeBkgeainn.exeBkibgh32.exeNookip32.exeHgmgqc32.exeKpmdfonj.exeMqkiok32.exeHpdfnolo.exeKghjhemo.exeBdbnjdfg.exeFijkdmhn.exeEhfcfb32.exeDmadco32.exeNfohgqlg.exeCkmehb32.exeFjadje32.exeKcndbp32.exeQhjmdp32.exePfgogh32.exeOaompd32.exeDfglfdkb.exePlcdiabk.exeKgmcce32.exeAoofle32.exeBffcpg32.exePqcjepfo.exeOmdppiif.exeBknlbhhe.exeNmbjcljl.exeCmipblaq.exeKjepjkhf.exeLmmolepp.exeJekqmhia.exeFhdohp32.exeKqbdldnq.exeEjlbhh32.exeCippgm32.exedescription ioc process Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jokkgl32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eigonjcj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hpomcp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eblpgjha.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Plmmif32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aojefobm.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Blielbfi.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qdaniq32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oebflhaf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Plagcbdn.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jdedak32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hmbphg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hbhboolf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ejbbmnnb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pcmeke32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ijcjmmil.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Glgcbf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ngaionfl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Oohgdhfn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Igfclkdj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Flngfn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Alkijdci.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ifmqfm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ibcaknbi.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cadlbk32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dpehof32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lbkkgl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ckkiccep.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bkgeainn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bkibgh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nookip32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hgmgqc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kpmdfonj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mqkiok32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hpdfnolo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kghjhemo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bdbnjdfg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fijkdmhn.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ehfcfb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dmadco32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nfohgqlg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ckmehb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fjadje32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kcndbp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Qhjmdp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pfgogh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oaompd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dfglfdkb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Plcdiabk.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kgmcce32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Aoofle32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bffcpg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pqcjepfo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Omdppiif.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bknlbhhe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nmbjcljl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cmipblaq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kjepjkhf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lmmolepp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jekqmhia.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fhdohp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kqbdldnq.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ejlbhh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cippgm32.exe -
Berbew family
-
Executes dropped EXE 64 IoCs
Processes:
Mplafeil.exeMbjnbqhp.exeMehjol32.exeMpnnle32.exeMfhfhong.exeMifcejnj.exeMpqkad32.exeMbognp32.exeNemcjk32.exeNlglfe32.exeNoehba32.exeNeppokal.exeNlihle32.exeNohehq32.exeNebmekoi.exeNpgabc32.exeNgaionfl.exeNipekiep.exeNlnbgddc.exeNchjdo32.exeNibbqicm.exeNheble32.exeNookip32.exeOeicejia.exeOhgoaehe.exeOpogbbig.exeOekpkigo.exeOigllh32.exeOcopdn32.exeOenlqi32.exeOlgemcli.exeOofaiokl.exeOepifi32.exeOhnebd32.exeOpemca32.exeOcdjpmac.exeOebflhaf.exeOhqbhdpj.exeOphjiaql.exeOcffempp.exePedbahod.exePhcomcng.exePpjgoaoj.exePcicklnn.exePfgogh32.exePjbkgfej.exePlagcbdn.exePoodpmca.exePfillg32.exePhhhhc32.exePlcdiabk.exePcmlfl32.exePflibgil.exePjgebf32.exePleaoa32.exePcpikkge.exePfnegggi.exePqcjepfo.exeQcbfakec.exeQfpbmfdf.exeQljjjqlc.exeQoifflkg.exeQlmgopjq.exeQqhcpo32.exepid process 4856 Mplafeil.exe 4820 Mbjnbqhp.exe 5064 Mehjol32.exe 4072 Mpnnle32.exe 2412 Mfhfhong.exe 4588 Mifcejnj.exe 4016 Mpqkad32.exe 2196 Mbognp32.exe 2720 Nemcjk32.exe 4848 Nlglfe32.exe 4428 Noehba32.exe 1688 Neppokal.exe 2612 Nlihle32.exe 1836 Nohehq32.exe 4656 Nebmekoi.exe 3900 Npgabc32.exe 2460 Ngaionfl.exe 3116 Nipekiep.exe 4940 Nlnbgddc.exe 656 Nchjdo32.exe 1032 Nibbqicm.exe 1768 Nheble32.exe 4604 Nookip32.exe 1040 Oeicejia.exe 1712 Ohgoaehe.exe 1676 Opogbbig.exe 2360 Oekpkigo.exe 4560 Oigllh32.exe 3176 Ocopdn32.exe 3108 Oenlqi32.exe 1144 Olgemcli.exe 4344 Oofaiokl.exe 2236 Oepifi32.exe 2728 Ohnebd32.exe 3164 Opemca32.exe 2640 Ocdjpmac.exe 3404 Oebflhaf.exe 1272 Ohqbhdpj.exe 4324 Ophjiaql.exe 32 Ocffempp.exe 2468 Pedbahod.exe 3548 Phcomcng.exe 2588 Ppjgoaoj.exe 5096 Pcicklnn.exe 1408 Pfgogh32.exe 3988 Pjbkgfej.exe 3868 Plagcbdn.exe 3916 Poodpmca.exe 4000 Pfillg32.exe 4076 Phhhhc32.exe 2480 Plcdiabk.exe 3084 Pcmlfl32.exe 2420 Pflibgil.exe 556 Pjgebf32.exe 3040 Pleaoa32.exe 4784 Pcpikkge.exe 3964 Pfnegggi.exe 4380 Pqcjepfo.exe 4400 Qcbfakec.exe 4956 Qfpbmfdf.exe 4532 Qljjjqlc.exe 2928 Qoifflkg.exe 3664 Qlmgopjq.exe 936 Qqhcpo32.exe -
Drops file in System32 directory 64 IoCs
Processes:
Nlnkmnah.exeHgelek32.exeHgghjjid.exeHcpojd32.exeDooaoj32.exeMfhbga32.exePhcgcqab.exePcmlfl32.exeEidlnd32.exeBhldpj32.exeChfegk32.exePhcomcng.exeKnflpoqf.exeIbobdqid.exeMilidebi.exePidabppl.exeIkkpgafg.exeLmdemd32.exeCnfaohbj.exeAjhniccb.exeIgjngh32.exeHplbickp.exeNpgmpf32.exeEmbddb32.exeJpaleglc.exeNapjdpcn.exeBkgeainn.exeNookip32.exeQofcff32.exeEiildjag.exeAlkijdci.exeKdigadjo.exeClchbqoo.exeMoipoh32.exeOenlqi32.exeAjcdnd32.exeEblpgjha.exeOjdnid32.exePdfehh32.exeMcelpggq.exeAmfjeobf.exeIqbbpm32.exeIjqmhnko.exeJkgpbp32.exePdkoch32.exeJoahqn32.exeBjaqpbkh.exeIdahjg32.exeHlbcnd32.exeJlgepanl.exeMpnnle32.exeEigonjcj.exeCnkkjh32.exeIipfmggc.exeAoioli32.exeKmieae32.exePoimpapp.exeGmdjapgb.exeCkjbhmad.exeIfmqfm32.exeOjhpimhp.exeAgdhbi32.exeFgbfhmll.exedescription ioc process File created C:\Windows\SysWOW64\Hpopgneq.dll Nlnkmnah.exe File opened for modification C:\Windows\SysWOW64\Hjchaf32.exe Hgelek32.exe File opened for modification C:\Windows\SysWOW64\Hpomcp32.exe Hgghjjid.exe File created C:\Windows\SysWOW64\Occgpjdk.dll Hcpojd32.exe File opened for modification C:\Windows\SysWOW64\Dfiildio.exe Dooaoj32.exe File created C:\Windows\SysWOW64\Mjcngpjh.exe Mfhbga32.exe File created C:\Windows\SysWOW64\Ppcbba32.dll Phcgcqab.exe File opened for modification C:\Windows\SysWOW64\Pflibgil.exe Pcmlfl32.exe File created C:\Windows\SysWOW64\Elbhjp32.exe Eidlnd32.exe File opened for modification C:\Windows\SysWOW64\Bkkple32.exe Bhldpj32.exe File opened for modification C:\Windows\SysWOW64\Ckebcg32.exe Chfegk32.exe File created C:\Windows\SysWOW64\Cijnin32.dll Phcomcng.exe File opened for modification C:\Windows\SysWOW64\Kbbhqn32.exe Knflpoqf.exe File created C:\Windows\SysWOW64\Iqbbpm32.exe Ibobdqid.exe File opened for modification C:\Windows\SysWOW64\Mhoipb32.exe Milidebi.exe File opened for modification C:\Windows\SysWOW64\Pkenjh32.exe Pidabppl.exe File created C:\Windows\SysWOW64\Injmcmej.exe Ikkpgafg.exe File created C:\Windows\SysWOW64\Mfhpakim.dll Lmdemd32.exe File created C:\Windows\SysWOW64\Cfnjpfcl.exe Cnfaohbj.exe File created C:\Windows\SysWOW64\Eoefilfc.dll Ajhniccb.exe File created C:\Windows\SysWOW64\Lbkank32.dll Igjngh32.exe File created C:\Windows\SysWOW64\Ndmdae32.dll Hplbickp.exe File created C:\Windows\SysWOW64\Ngndaccj.exe Npgmpf32.exe File created C:\Windows\SysWOW64\Bgmakofh.dll Embddb32.exe File opened for modification C:\Windows\SysWOW64\Jcphab32.exe Jpaleglc.exe File created C:\Windows\SysWOW64\Gdencf32.dll Napjdpcn.exe File opened for modification C:\Windows\SysWOW64\Bmeandma.exe Bkgeainn.exe File created C:\Windows\SysWOW64\Oeicejia.exe Nookip32.exe File created C:\Windows\SysWOW64\Fdlgcl32.dll Qofcff32.exe File created C:\Windows\SysWOW64\Edopabqn.exe Eiildjag.exe File created C:\Windows\SysWOW64\Aojefobm.exe Alkijdci.exe File opened for modification C:\Windows\SysWOW64\Kggcnoic.exe Kdigadjo.exe File created C:\Windows\SysWOW64\Ekfcklij.dll Clchbqoo.exe File created C:\Windows\SysWOW64\Gpkpbaea.dll Moipoh32.exe File created C:\Windows\SysWOW64\Olgemcli.exe Oenlqi32.exe File opened for modification C:\Windows\SysWOW64\Aqmlknnd.exe Ajcdnd32.exe File opened for modification C:\Windows\SysWOW64\Ejchhgid.exe Eblpgjha.exe File created C:\Windows\SysWOW64\Omcjep32.exe Ojdnid32.exe File created C:\Windows\SysWOW64\Plmmif32.exe Pdfehh32.exe File opened for modification C:\Windows\SysWOW64\Mfchlbfd.exe Mcelpggq.exe File opened for modification C:\Windows\SysWOW64\Aqaffn32.exe Amfjeobf.exe File opened for modification C:\Windows\SysWOW64\Jdnoplhh.exe Iqbbpm32.exe File created C:\Windows\SysWOW64\Inlihl32.exe Ijqmhnko.exe File opened for modification C:\Windows\SysWOW64\Jnelok32.exe Jkgpbp32.exe File created C:\Windows\SysWOW64\Plbfdekd.exe Pdkoch32.exe File opened for modification C:\Windows\SysWOW64\Jekqmhia.exe Joahqn32.exe File opened for modification C:\Windows\SysWOW64\Bgeaifia.exe Bjaqpbkh.exe File created C:\Windows\SysWOW64\Gapjhc32.dll Idahjg32.exe File created C:\Windows\SysWOW64\Jiejjepo.dll Hlbcnd32.exe File opened for modification C:\Windows\SysWOW64\Jofalmmp.exe Jlgepanl.exe File opened for modification C:\Windows\SysWOW64\Mfhfhong.exe Mpnnle32.exe File opened for modification C:\Windows\SysWOW64\Eangpgcl.exe Eigonjcj.exe File created C:\Windows\SysWOW64\Cbfgkffn.exe Cnkkjh32.exe File created C:\Windows\SysWOW64\Didmdo32.dll Iipfmggc.exe File created C:\Windows\SysWOW64\Pmpockdl.dll Aoioli32.exe File created C:\Windows\SysWOW64\Kdpmbc32.exe Kmieae32.exe File created C:\Windows\SysWOW64\Ojmcpd32.dll Poimpapp.exe File created C:\Windows\SysWOW64\Hjchaf32.exe Hgelek32.exe File created C:\Windows\SysWOW64\Glgjlm32.exe Gmdjapgb.exe File opened for modification C:\Windows\SysWOW64\Cbdjeg32.exe Ckjbhmad.exe File created C:\Windows\SysWOW64\Imgicgca.exe Ifmqfm32.exe File opened for modification C:\Windows\SysWOW64\Omgmeigd.exe Ojhpimhp.exe File created C:\Windows\SysWOW64\Ajcdnd32.exe Agdhbi32.exe File created C:\Windows\SysWOW64\Fmlneg32.exe Fgbfhmll.exe -
Program crash 1 IoCs
Processes:
WerFault.exepid pid_target process target process 2248 420 WerFault.exe Dkqaoe32.exe -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
Ocdjpmac.exeHgelek32.exeDikihe32.exePagbaglh.exeAjhniccb.exeCpeohh32.exeGmafajfi.exeJllokajf.exePfillg32.exeHjlkge32.exeGpnmbl32.exeMmkkmc32.exeNjmhhefi.exeNebmekoi.exeInjcmc32.exeBbnkonbd.exeGkmdecbg.exeIphioh32.exePmcclm32.exeHbhboolf.exeDaediilg.exeHlglidlo.exeMjcngpjh.exeBdbnjdfg.exePhajna32.exeAcnemi32.exeKgmcce32.exeMaodigil.exeOidhlb32.exeGlcaambb.exeCibmlmeb.exeAmodep32.exeBfpdin32.exeDifpmfna.exeNmbjcljl.exeNgaionfl.exeOifeab32.exeJlobkg32.exeLlodgnja.exeLqndhcdc.exeHibjli32.exeAagkhd32.exeBqmeal32.exeEfffmo32.exeHpomcp32.exeOhnohn32.exeQofcff32.exeCmklglpn.exeMmbanbmg.exeNchjdo32.exeDiffglam.exeEigonjcj.exePidabppl.exeBfngdn32.exeFmjaphek.exeJbiejoaj.exeFjhacf32.exeFbcfhibj.exeOigllh32.exeIgjngh32.exeIkkpgafg.exeBiadeoce.exePonfka32.exeBjaqpbkh.exedescription ioc process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ocdjpmac.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hgelek32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dikihe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pagbaglh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ajhniccb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cpeohh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gmafajfi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jllokajf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pfillg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hjlkge32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gpnmbl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mmkkmc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Njmhhefi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nebmekoi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Injcmc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bbnkonbd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gkmdecbg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iphioh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pmcclm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hbhboolf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Daediilg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hlglidlo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mjcngpjh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bdbnjdfg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Phajna32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Acnemi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kgmcce32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Maodigil.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oidhlb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Glcaambb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cibmlmeb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Amodep32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bfpdin32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Difpmfna.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nmbjcljl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ngaionfl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oifeab32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jlobkg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Llodgnja.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lqndhcdc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hibjli32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aagkhd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bqmeal32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Efffmo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hpomcp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ohnohn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qofcff32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cmklglpn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mmbanbmg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nchjdo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Diffglam.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eigonjcj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pidabppl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bfngdn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fmjaphek.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jbiejoaj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fjhacf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fbcfhibj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oigllh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Igjngh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ikkpgafg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Biadeoce.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ponfka32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bjaqpbkh.exe -
Modifies registry class 64 IoCs
Processes:
Kjjiej32.exeFpdcag32.exeMfchlbfd.exeNoehba32.exeGpcmga32.exeMngegmbc.exeNeccpd32.exeAomifecf.exeGljgbllj.exeIkkpgafg.exeBiadeoce.exeCimcan32.exeCmcolgbj.exeAeaanjkl.exeJcoaglhk.exeAjqgidij.exeOaompd32.exeDlghoa32.exeKcbfcigf.exeNcqlkemc.exeOmgmeigd.exePjpfjl32.exeNjpdnedf.exeJedccfqg.exeMjpbam32.exeBknlbhhe.exePhigif32.exeCdlqqcnl.exeBggnof32.exeOodcdb32.exeInqbclob.exeMjdebfnd.exeNhmofj32.exeCnfkdb32.exeEiildjag.exeIngpmmgm.exeCkclhn32.exePcepkfld.exeFibhpbea.exeEnnqfenp.exeFiodpl32.exeGeohklaa.exeJbkbpoog.exeOldamm32.exeNmbjcljl.exeFlkdfh32.exeNmdgikhi.exeBmeandma.exeOlbdhn32.exeEbommi32.exeMeefofek.exeDlkbjqgm.exeOfkgcobj.exeNookip32.exeKqpoakco.exeInjcmc32.exeNjghbl32.exeDfgcakon.exeKnooej32.exeAihaoqlp.exeFacqkg32.exeCoadnlnb.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bfllfd32.dll" Kjjiej32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nfmifiap.dll" Fpdcag32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdbeojmh.dll" Mfchlbfd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Noehba32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bqcmhb32.dll" Gpcmga32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mngegmbc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Neccpd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Aomifecf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ofgjophm.dll" Gljgbllj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ikkpgafg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Biadeoce.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Cimcan32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lhhmmcaa.dll" Cmcolgbj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Aeaanjkl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jcoaglhk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ajqgidij.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Oaompd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Dlghoa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhafck32.dll" Kcbfcigf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ncqlkemc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Omgmeigd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pjpfjl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Njpdnedf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ignlbcmf.dll" Jedccfqg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Omfajq32.dll" Mjpbam32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bknlbhhe.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Phigif32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cdlqqcnl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dbmjgpgc.dll" Bggnof32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfniqp32.dll" Oodcdb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Empmffib.dll" Inqbclob.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mjdebfnd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Nhmofj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Cnfkdb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oihoif32.dll" Eiildjag.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cgdojhec.dll" Ingpmmgm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Oaompd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ckclhn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lalbjhdj.dll" Pcepkfld.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fibhpbea.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ennqfenp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Fiodpl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Adfokn32.dll" Geohklaa.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mfchlbfd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jbkbpoog.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Oldamm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Nmbjcljl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Flkdfh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Nmdgikhi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bmeandma.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Olbdhn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ebommi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Meefofek.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Dlkbjqgm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ofkgcobj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Nookip32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kqpoakco.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Injcmc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Anbpqqmm.dll" Njghbl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kebncn32.dll" Dfgcakon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Knooej32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aocfbi32.dll" Aihaoqlp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Facqkg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Coadnlnb.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
a66fb22183754dac0e3b55491ea6ae0111ac283c1dc13267c81135c06dc2b960.exeMplafeil.exeMbjnbqhp.exeMehjol32.exeMpnnle32.exeMfhfhong.exeMifcejnj.exeMpqkad32.exeMbognp32.exeNemcjk32.exeNlglfe32.exeNoehba32.exeNeppokal.exeNlihle32.exeNohehq32.exeNebmekoi.exeNpgabc32.exeNgaionfl.exeNipekiep.exeNlnbgddc.exeNchjdo32.exeNibbqicm.exedescription pid process target process PID 4496 wrote to memory of 4856 4496 a66fb22183754dac0e3b55491ea6ae0111ac283c1dc13267c81135c06dc2b960.exe Mplafeil.exe PID 4496 wrote to memory of 4856 4496 a66fb22183754dac0e3b55491ea6ae0111ac283c1dc13267c81135c06dc2b960.exe Mplafeil.exe PID 4496 wrote to memory of 4856 4496 a66fb22183754dac0e3b55491ea6ae0111ac283c1dc13267c81135c06dc2b960.exe Mplafeil.exe PID 4856 wrote to memory of 4820 4856 Mplafeil.exe Mbjnbqhp.exe PID 4856 wrote to memory of 4820 4856 Mplafeil.exe Mbjnbqhp.exe PID 4856 wrote to memory of 4820 4856 Mplafeil.exe Mbjnbqhp.exe PID 4820 wrote to memory of 5064 4820 Mbjnbqhp.exe Mehjol32.exe PID 4820 wrote to memory of 5064 4820 Mbjnbqhp.exe Mehjol32.exe PID 4820 wrote to memory of 5064 4820 Mbjnbqhp.exe Mehjol32.exe PID 5064 wrote to memory of 4072 5064 Mehjol32.exe Mpnnle32.exe PID 5064 wrote to memory of 4072 5064 Mehjol32.exe Mpnnle32.exe PID 5064 wrote to memory of 4072 5064 Mehjol32.exe Mpnnle32.exe PID 4072 wrote to memory of 2412 4072 Mpnnle32.exe Mfhfhong.exe PID 4072 wrote to memory of 2412 4072 Mpnnle32.exe Mfhfhong.exe PID 4072 wrote to memory of 2412 4072 Mpnnle32.exe Mfhfhong.exe PID 2412 wrote to memory of 4588 2412 Mfhfhong.exe Mifcejnj.exe PID 2412 wrote to memory of 4588 2412 Mfhfhong.exe Mifcejnj.exe PID 2412 wrote to memory of 4588 2412 Mfhfhong.exe Mifcejnj.exe PID 4588 wrote to memory of 4016 4588 Mifcejnj.exe Mpqkad32.exe PID 4588 wrote to memory of 4016 4588 Mifcejnj.exe Mpqkad32.exe PID 4588 wrote to memory of 4016 4588 Mifcejnj.exe Mpqkad32.exe PID 4016 wrote to memory of 2196 4016 Mpqkad32.exe Mbognp32.exe PID 4016 wrote to memory of 2196 4016 Mpqkad32.exe Mbognp32.exe PID 4016 wrote to memory of 2196 4016 Mpqkad32.exe Mbognp32.exe PID 2196 wrote to memory of 2720 2196 Mbognp32.exe Nemcjk32.exe PID 2196 wrote to memory of 2720 2196 Mbognp32.exe Nemcjk32.exe PID 2196 wrote to memory of 2720 2196 Mbognp32.exe Nemcjk32.exe PID 2720 wrote to memory of 4848 2720 Nemcjk32.exe Nlglfe32.exe PID 2720 wrote to memory of 4848 2720 Nemcjk32.exe Nlglfe32.exe PID 2720 wrote to memory of 4848 2720 Nemcjk32.exe Nlglfe32.exe PID 4848 wrote to memory of 4428 4848 Nlglfe32.exe Noehba32.exe PID 4848 wrote to memory of 4428 4848 Nlglfe32.exe Noehba32.exe PID 4848 wrote to memory of 4428 4848 Nlglfe32.exe Noehba32.exe PID 4428 wrote to memory of 1688 4428 Noehba32.exe Neppokal.exe PID 4428 wrote to memory of 1688 4428 Noehba32.exe Neppokal.exe PID 4428 wrote to memory of 1688 4428 Noehba32.exe Neppokal.exe PID 1688 wrote to memory of 2612 1688 Neppokal.exe Nlihle32.exe PID 1688 wrote to memory of 2612 1688 Neppokal.exe Nlihle32.exe PID 1688 wrote to memory of 2612 1688 Neppokal.exe Nlihle32.exe PID 2612 wrote to memory of 1836 2612 Nlihle32.exe Nohehq32.exe PID 2612 wrote to memory of 1836 2612 Nlihle32.exe Nohehq32.exe PID 2612 wrote to memory of 1836 2612 Nlihle32.exe Nohehq32.exe PID 1836 wrote to memory of 4656 1836 Nohehq32.exe Nebmekoi.exe PID 1836 wrote to memory of 4656 1836 Nohehq32.exe Nebmekoi.exe PID 1836 wrote to memory of 4656 1836 Nohehq32.exe Nebmekoi.exe PID 4656 wrote to memory of 3900 4656 Nebmekoi.exe Npgabc32.exe PID 4656 wrote to memory of 3900 4656 Nebmekoi.exe Npgabc32.exe PID 4656 wrote to memory of 3900 4656 Nebmekoi.exe Npgabc32.exe PID 3900 wrote to memory of 2460 3900 Npgabc32.exe Ngaionfl.exe PID 3900 wrote to memory of 2460 3900 Npgabc32.exe Ngaionfl.exe PID 3900 wrote to memory of 2460 3900 Npgabc32.exe Ngaionfl.exe PID 2460 wrote to memory of 3116 2460 Ngaionfl.exe Nipekiep.exe PID 2460 wrote to memory of 3116 2460 Ngaionfl.exe Nipekiep.exe PID 2460 wrote to memory of 3116 2460 Ngaionfl.exe Nipekiep.exe PID 3116 wrote to memory of 4940 3116 Nipekiep.exe Nlnbgddc.exe PID 3116 wrote to memory of 4940 3116 Nipekiep.exe Nlnbgddc.exe PID 3116 wrote to memory of 4940 3116 Nipekiep.exe Nlnbgddc.exe PID 4940 wrote to memory of 656 4940 Nlnbgddc.exe Nchjdo32.exe PID 4940 wrote to memory of 656 4940 Nlnbgddc.exe Nchjdo32.exe PID 4940 wrote to memory of 656 4940 Nlnbgddc.exe Nchjdo32.exe PID 656 wrote to memory of 1032 656 Nchjdo32.exe Nibbqicm.exe PID 656 wrote to memory of 1032 656 Nchjdo32.exe Nibbqicm.exe PID 656 wrote to memory of 1032 656 Nchjdo32.exe Nibbqicm.exe PID 1032 wrote to memory of 1768 1032 Nibbqicm.exe Nheble32.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\a66fb22183754dac0e3b55491ea6ae0111ac283c1dc13267c81135c06dc2b960.exe"C:\Users\Admin\AppData\Local\Temp\a66fb22183754dac0e3b55491ea6ae0111ac283c1dc13267c81135c06dc2b960.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4496 -
C:\Windows\SysWOW64\Mplafeil.exeC:\Windows\system32\Mplafeil.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4856 -
C:\Windows\SysWOW64\Mbjnbqhp.exeC:\Windows\system32\Mbjnbqhp.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4820 -
C:\Windows\SysWOW64\Mehjol32.exeC:\Windows\system32\Mehjol32.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5064 -
C:\Windows\SysWOW64\Mpnnle32.exeC:\Windows\system32\Mpnnle32.exe5⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4072 -
C:\Windows\SysWOW64\Mfhfhong.exeC:\Windows\system32\Mfhfhong.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2412 -
C:\Windows\SysWOW64\Mifcejnj.exeC:\Windows\system32\Mifcejnj.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4588 -
C:\Windows\SysWOW64\Mpqkad32.exeC:\Windows\system32\Mpqkad32.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4016 -
C:\Windows\SysWOW64\Mbognp32.exeC:\Windows\system32\Mbognp32.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2196 -
C:\Windows\SysWOW64\Nemcjk32.exeC:\Windows\system32\Nemcjk32.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2720 -
C:\Windows\SysWOW64\Nlglfe32.exeC:\Windows\system32\Nlglfe32.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4848 -
C:\Windows\SysWOW64\Noehba32.exeC:\Windows\system32\Noehba32.exe12⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4428 -
C:\Windows\SysWOW64\Neppokal.exeC:\Windows\system32\Neppokal.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1688 -
C:\Windows\SysWOW64\Nlihle32.exeC:\Windows\system32\Nlihle32.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2612 -
C:\Windows\SysWOW64\Nohehq32.exeC:\Windows\system32\Nohehq32.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1836 -
C:\Windows\SysWOW64\Nebmekoi.exeC:\Windows\system32\Nebmekoi.exe16⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4656 -
C:\Windows\SysWOW64\Npgabc32.exeC:\Windows\system32\Npgabc32.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3900 -
C:\Windows\SysWOW64\Ngaionfl.exeC:\Windows\system32\Ngaionfl.exe18⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2460 -
C:\Windows\SysWOW64\Nipekiep.exeC:\Windows\system32\Nipekiep.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3116 -
C:\Windows\SysWOW64\Nlnbgddc.exeC:\Windows\system32\Nlnbgddc.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4940 -
C:\Windows\SysWOW64\Nchjdo32.exeC:\Windows\system32\Nchjdo32.exe21⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:656 -
C:\Windows\SysWOW64\Nibbqicm.exeC:\Windows\system32\Nibbqicm.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1032 -
C:\Windows\SysWOW64\Nheble32.exeC:\Windows\system32\Nheble32.exe23⤵
- Executes dropped EXE
PID:1768 -
C:\Windows\SysWOW64\Nookip32.exeC:\Windows\system32\Nookip32.exe24⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:4604 -
C:\Windows\SysWOW64\Oeicejia.exeC:\Windows\system32\Oeicejia.exe25⤵
- Executes dropped EXE
PID:1040 -
C:\Windows\SysWOW64\Ohgoaehe.exeC:\Windows\system32\Ohgoaehe.exe26⤵
- Executes dropped EXE
PID:1712 -
C:\Windows\SysWOW64\Opogbbig.exeC:\Windows\system32\Opogbbig.exe27⤵
- Executes dropped EXE
PID:1676 -
C:\Windows\SysWOW64\Oekpkigo.exeC:\Windows\system32\Oekpkigo.exe28⤵
- Executes dropped EXE
PID:2360 -
C:\Windows\SysWOW64\Oigllh32.exeC:\Windows\system32\Oigllh32.exe29⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4560 -
C:\Windows\SysWOW64\Ocopdn32.exeC:\Windows\system32\Ocopdn32.exe30⤵
- Executes dropped EXE
PID:3176 -
C:\Windows\SysWOW64\Oenlqi32.exeC:\Windows\system32\Oenlqi32.exe31⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3108 -
C:\Windows\SysWOW64\Olgemcli.exeC:\Windows\system32\Olgemcli.exe32⤵
- Executes dropped EXE
PID:1144 -
C:\Windows\SysWOW64\Oofaiokl.exeC:\Windows\system32\Oofaiokl.exe33⤵
- Executes dropped EXE
PID:4344 -
C:\Windows\SysWOW64\Oepifi32.exeC:\Windows\system32\Oepifi32.exe34⤵
- Executes dropped EXE
PID:2236 -
C:\Windows\SysWOW64\Ohnebd32.exeC:\Windows\system32\Ohnebd32.exe35⤵
- Executes dropped EXE
PID:2728 -
C:\Windows\SysWOW64\Opemca32.exeC:\Windows\system32\Opemca32.exe36⤵
- Executes dropped EXE
PID:3164 -
C:\Windows\SysWOW64\Ocdjpmac.exeC:\Windows\system32\Ocdjpmac.exe37⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2640 -
C:\Windows\SysWOW64\Oebflhaf.exeC:\Windows\system32\Oebflhaf.exe38⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3404 -
C:\Windows\SysWOW64\Ohqbhdpj.exeC:\Windows\system32\Ohqbhdpj.exe39⤵
- Executes dropped EXE
PID:1272 -
C:\Windows\SysWOW64\Ophjiaql.exeC:\Windows\system32\Ophjiaql.exe40⤵
- Executes dropped EXE
PID:4324 -
C:\Windows\SysWOW64\Ocffempp.exeC:\Windows\system32\Ocffempp.exe41⤵
- Executes dropped EXE
PID:32 -
C:\Windows\SysWOW64\Pedbahod.exeC:\Windows\system32\Pedbahod.exe42⤵
- Executes dropped EXE
PID:2468 -
C:\Windows\SysWOW64\Phcomcng.exeC:\Windows\system32\Phcomcng.exe43⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3548 -
C:\Windows\SysWOW64\Ppjgoaoj.exeC:\Windows\system32\Ppjgoaoj.exe44⤵
- Executes dropped EXE
PID:2588 -
C:\Windows\SysWOW64\Pcicklnn.exeC:\Windows\system32\Pcicklnn.exe45⤵
- Executes dropped EXE
PID:5096 -
C:\Windows\SysWOW64\Pfgogh32.exeC:\Windows\system32\Pfgogh32.exe46⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1408 -
C:\Windows\SysWOW64\Pjbkgfej.exeC:\Windows\system32\Pjbkgfej.exe47⤵
- Executes dropped EXE
PID:3988 -
C:\Windows\SysWOW64\Plagcbdn.exeC:\Windows\system32\Plagcbdn.exe48⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3868 -
C:\Windows\SysWOW64\Poodpmca.exeC:\Windows\system32\Poodpmca.exe49⤵
- Executes dropped EXE
PID:3916 -
C:\Windows\SysWOW64\Pfillg32.exeC:\Windows\system32\Pfillg32.exe50⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4000 -
C:\Windows\SysWOW64\Phhhhc32.exeC:\Windows\system32\Phhhhc32.exe51⤵
- Executes dropped EXE
PID:4076 -
C:\Windows\SysWOW64\Plcdiabk.exeC:\Windows\system32\Plcdiabk.exe52⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2480 -
C:\Windows\SysWOW64\Pcmlfl32.exeC:\Windows\system32\Pcmlfl32.exe53⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3084 -
C:\Windows\SysWOW64\Pflibgil.exeC:\Windows\system32\Pflibgil.exe54⤵
- Executes dropped EXE
PID:2420 -
C:\Windows\SysWOW64\Pjgebf32.exeC:\Windows\system32\Pjgebf32.exe55⤵
- Executes dropped EXE
PID:556 -
C:\Windows\SysWOW64\Pleaoa32.exeC:\Windows\system32\Pleaoa32.exe56⤵
- Executes dropped EXE
PID:3040 -
C:\Windows\SysWOW64\Pcpikkge.exeC:\Windows\system32\Pcpikkge.exe57⤵
- Executes dropped EXE
PID:4784 -
C:\Windows\SysWOW64\Pfnegggi.exeC:\Windows\system32\Pfnegggi.exe58⤵
- Executes dropped EXE
PID:3964 -
C:\Windows\SysWOW64\Pqcjepfo.exeC:\Windows\system32\Pqcjepfo.exe59⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4380 -
C:\Windows\SysWOW64\Qcbfakec.exeC:\Windows\system32\Qcbfakec.exe60⤵
- Executes dropped EXE
PID:4400 -
C:\Windows\SysWOW64\Qfpbmfdf.exeC:\Windows\system32\Qfpbmfdf.exe61⤵
- Executes dropped EXE
PID:4956 -
C:\Windows\SysWOW64\Qljjjqlc.exeC:\Windows\system32\Qljjjqlc.exe62⤵
- Executes dropped EXE
PID:4532 -
C:\Windows\SysWOW64\Qoifflkg.exeC:\Windows\system32\Qoifflkg.exe63⤵
- Executes dropped EXE
PID:2928 -
C:\Windows\SysWOW64\Qlmgopjq.exeC:\Windows\system32\Qlmgopjq.exe64⤵
- Executes dropped EXE
PID:3664 -
C:\Windows\SysWOW64\Qqhcpo32.exeC:\Windows\system32\Qqhcpo32.exe65⤵
- Executes dropped EXE
PID:936 -
C:\Windows\SysWOW64\Acgolj32.exeC:\Windows\system32\Acgolj32.exe66⤵PID:4952
-
C:\Windows\SysWOW64\Ajqgidij.exeC:\Windows\system32\Ajqgidij.exe67⤵
- Modifies registry class
PID:2132 -
C:\Windows\SysWOW64\Amodep32.exeC:\Windows\system32\Amodep32.exe68⤵
- System Location Discovery: System Language Discovery
PID:5112 -
C:\Windows\SysWOW64\Agdhbi32.exeC:\Windows\system32\Agdhbi32.exe69⤵
- Drops file in System32 directory
PID:2144 -
C:\Windows\SysWOW64\Ajcdnd32.exeC:\Windows\system32\Ajcdnd32.exe70⤵
- Drops file in System32 directory
PID:4980 -
C:\Windows\SysWOW64\Aqmlknnd.exeC:\Windows\system32\Aqmlknnd.exe71⤵PID:3472
-
C:\Windows\SysWOW64\Ackigjmh.exeC:\Windows\system32\Ackigjmh.exe72⤵PID:3796
-
C:\Windows\SysWOW64\Afjeceml.exeC:\Windows\system32\Afjeceml.exe73⤵PID:2692
-
C:\Windows\SysWOW64\Aihaoqlp.exeC:\Windows\system32\Aihaoqlp.exe74⤵
- Modifies registry class
PID:628 -
C:\Windows\SysWOW64\Aobilkcl.exeC:\Windows\system32\Aobilkcl.exe75⤵PID:1068
-
C:\Windows\SysWOW64\Acnemi32.exeC:\Windows\system32\Acnemi32.exe76⤵
- System Location Discovery: System Language Discovery
PID:1936 -
C:\Windows\SysWOW64\Ajhniccb.exeC:\Windows\system32\Ajhniccb.exe77⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2636 -
C:\Windows\SysWOW64\Amfjeobf.exeC:\Windows\system32\Amfjeobf.exe78⤵
- Drops file in System32 directory
PID:4792 -
C:\Windows\SysWOW64\Aqaffn32.exeC:\Windows\system32\Aqaffn32.exe79⤵PID:2736
-
C:\Windows\SysWOW64\Acpbbi32.exeC:\Windows\system32\Acpbbi32.exe80⤵PID:4948
-
C:\Windows\SysWOW64\Afnnnd32.exeC:\Windows\system32\Afnnnd32.exe81⤵PID:4648
-
C:\Windows\SysWOW64\Bqdblmhl.exeC:\Windows\system32\Bqdblmhl.exe82⤵PID:2272
-
C:\Windows\SysWOW64\Bgnkhg32.exeC:\Windows\system32\Bgnkhg32.exe83⤵PID:3656
-
C:\Windows\SysWOW64\Boipmj32.exeC:\Windows\system32\Boipmj32.exe84⤵PID:1556
-
C:\Windows\SysWOW64\Biadeoce.exeC:\Windows\system32\Biadeoce.exe85⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2760 -
C:\Windows\SysWOW64\Bqilgmdg.exeC:\Windows\system32\Bqilgmdg.exe86⤵PID:3036
-
C:\Windows\SysWOW64\Bjaqpbkh.exeC:\Windows\system32\Bjaqpbkh.exe87⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:4736 -
C:\Windows\SysWOW64\Bgeaifia.exeC:\Windows\system32\Bgeaifia.exe88⤵PID:3532
-
C:\Windows\SysWOW64\Bjcmebie.exeC:\Windows\system32\Bjcmebie.exe89⤵PID:1088
-
C:\Windows\SysWOW64\Bqmeal32.exeC:\Windows\system32\Bqmeal32.exe90⤵
- System Location Discovery: System Language Discovery
PID:1100 -
C:\Windows\SysWOW64\Bggnof32.exeC:\Windows\system32\Bggnof32.exe91⤵
- Modifies registry class
PID:4272 -
C:\Windows\SysWOW64\Bjfjka32.exeC:\Windows\system32\Bjfjka32.exe92⤵PID:3936
-
C:\Windows\SysWOW64\Cmdfgm32.exeC:\Windows\system32\Cmdfgm32.exe93⤵PID:4124
-
C:\Windows\SysWOW64\Cflkpblf.exeC:\Windows\system32\Cflkpblf.exe94⤵PID:2148
-
C:\Windows\SysWOW64\Cikglnkj.exeC:\Windows\system32\Cikglnkj.exe95⤵PID:4764
-
C:\Windows\SysWOW64\Cpeohh32.exeC:\Windows\system32\Cpeohh32.exe96⤵
- System Location Discovery: System Language Discovery
PID:5144 -
C:\Windows\SysWOW64\Cglgjeci.exeC:\Windows\system32\Cglgjeci.exe97⤵PID:5228
-
C:\Windows\SysWOW64\Cimcan32.exeC:\Windows\system32\Cimcan32.exe98⤵
- Modifies registry class
PID:5296 -
C:\Windows\SysWOW64\Cmipblaq.exeC:\Windows\system32\Cmipblaq.exe99⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5344 -
C:\Windows\SysWOW64\Cadlbk32.exeC:\Windows\system32\Cadlbk32.exe100⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5396 -
C:\Windows\SysWOW64\Cpglnhad.exeC:\Windows\system32\Cpglnhad.exe101⤵PID:5440
-
C:\Windows\SysWOW64\Cgndoeag.exeC:\Windows\system32\Cgndoeag.exe102⤵PID:5492
-
C:\Windows\SysWOW64\Cjmpkqqj.exeC:\Windows\system32\Cjmpkqqj.exe103⤵PID:5536
-
C:\Windows\SysWOW64\Cippgm32.exeC:\Windows\system32\Cippgm32.exe104⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5584 -
C:\Windows\SysWOW64\Cmklglpn.exeC:\Windows\system32\Cmklglpn.exe105⤵
- System Location Discovery: System Language Discovery
PID:5640 -
C:\Windows\SysWOW64\Cceddf32.exeC:\Windows\system32\Cceddf32.exe106⤵PID:5680
-
C:\Windows\SysWOW64\Cibmlmeb.exeC:\Windows\system32\Cibmlmeb.exe107⤵
- System Location Discovery: System Language Discovery
PID:5720 -
C:\Windows\SysWOW64\Ccgajfeh.exeC:\Windows\system32\Ccgajfeh.exe108⤵PID:5764
-
C:\Windows\SysWOW64\Cffmfadl.exeC:\Windows\system32\Cffmfadl.exe109⤵PID:5804
-
C:\Windows\SysWOW64\Dakacjdb.exeC:\Windows\system32\Dakacjdb.exe110⤵PID:5848
-
C:\Windows\SysWOW64\Dpnbog32.exeC:\Windows\system32\Dpnbog32.exe111⤵PID:5892
-
C:\Windows\SysWOW64\Diffglam.exeC:\Windows\system32\Diffglam.exe112⤵
- System Location Discovery: System Language Discovery
PID:5936 -
C:\Windows\SysWOW64\Dmbbhkjf.exeC:\Windows\system32\Dmbbhkjf.exe113⤵PID:5980
-
C:\Windows\SysWOW64\Dclkee32.exeC:\Windows\system32\Dclkee32.exe114⤵PID:6024
-
C:\Windows\SysWOW64\Diicml32.exeC:\Windows\system32\Diicml32.exe115⤵PID:6068
-
C:\Windows\SysWOW64\Dpckjfgg.exeC:\Windows\system32\Dpckjfgg.exe116⤵PID:6112
-
C:\Windows\SysWOW64\Dfmcfp32.exeC:\Windows\system32\Dfmcfp32.exe117⤵PID:5128
-
C:\Windows\SysWOW64\Dpehof32.exeC:\Windows\system32\Dpehof32.exe118⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5236 -
C:\Windows\SysWOW64\Dfoplpla.exeC:\Windows\system32\Dfoplpla.exe119⤵PID:5332
-
C:\Windows\SysWOW64\Daediilg.exeC:\Windows\system32\Daediilg.exe120⤵
- System Location Discovery: System Language Discovery
PID:5412 -
C:\Windows\SysWOW64\Eagaoh32.exeC:\Windows\system32\Eagaoh32.exe121⤵PID:5476
-
C:\Windows\SysWOW64\Edemkd32.exeC:\Windows\system32\Edemkd32.exe122⤵PID:5548
-
C:\Windows\SysWOW64\Eaindh32.exeC:\Windows\system32\Eaindh32.exe123⤵PID:5648
-
C:\Windows\SysWOW64\Efffmo32.exeC:\Windows\system32\Efffmo32.exe124⤵
- System Location Discovery: System Language Discovery
PID:5712 -
C:\Windows\SysWOW64\Ejbbmnnb.exeC:\Windows\system32\Ejbbmnnb.exe125⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5788 -
C:\Windows\SysWOW64\Empoiimf.exeC:\Windows\system32\Empoiimf.exe126⤵PID:5856
-
C:\Windows\SysWOW64\Ealkjh32.exeC:\Windows\system32\Ealkjh32.exe127⤵PID:5904
-
C:\Windows\SysWOW64\Ehfcfb32.exeC:\Windows\system32\Ehfcfb32.exe128⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5988 -
C:\Windows\SysWOW64\Eigonjcj.exeC:\Windows\system32\Eigonjcj.exe129⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:6056 -
C:\Windows\SysWOW64\Eangpgcl.exeC:\Windows\system32\Eangpgcl.exe130⤵PID:6124
-
C:\Windows\SysWOW64\Ehhpla32.exeC:\Windows\system32\Ehhpla32.exe131⤵PID:5216
-
C:\Windows\SysWOW64\Eiildjag.exeC:\Windows\system32\Eiildjag.exe132⤵
- Drops file in System32 directory
- Modifies registry class
PID:5360 -
C:\Windows\SysWOW64\Edopabqn.exeC:\Windows\system32\Edopabqn.exe133⤵PID:5468
-
C:\Windows\SysWOW64\Filiii32.exeC:\Windows\system32\Filiii32.exe134⤵PID:5572
-
C:\Windows\SysWOW64\Facqkg32.exeC:\Windows\system32\Facqkg32.exe135⤵
- Modifies registry class
PID:5692 -
C:\Windows\SysWOW64\Ffpicn32.exeC:\Windows\system32\Ffpicn32.exe136⤵PID:5836
-
C:\Windows\SysWOW64\Fmjaphek.exeC:\Windows\system32\Fmjaphek.exe137⤵
- System Location Discovery: System Language Discovery
PID:5932 -
C:\Windows\SysWOW64\Fgbfhmll.exeC:\Windows\system32\Fgbfhmll.exe138⤵
- Drops file in System32 directory
PID:6040 -
C:\Windows\SysWOW64\Fmlneg32.exeC:\Windows\system32\Fmlneg32.exe139⤵PID:5204
-
C:\Windows\SysWOW64\Fhabbp32.exeC:\Windows\system32\Fhabbp32.exe140⤵PID:5380
-
C:\Windows\SysWOW64\Fibojhim.exeC:\Windows\system32\Fibojhim.exe141⤵PID:5520
-
C:\Windows\SysWOW64\Fhdohp32.exeC:\Windows\system32\Fhdohp32.exe142⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5772 -
C:\Windows\SysWOW64\Fmqgpgoc.exeC:\Windows\system32\Fmqgpgoc.exe143⤵PID:3584
-
C:\Windows\SysWOW64\Gaopfe32.exeC:\Windows\system32\Gaopfe32.exe144⤵PID:5976
-
C:\Windows\SysWOW64\Ghhhcomg.exeC:\Windows\system32\Ghhhcomg.exe145⤵PID:6076
-
C:\Windows\SysWOW64\Gpcmga32.exeC:\Windows\system32\Gpcmga32.exe146⤵
- Modifies registry class
PID:5304 -
C:\Windows\SysWOW64\Ghkeio32.exeC:\Windows\system32\Ghkeio32.exe147⤵PID:5716
-
C:\Windows\SysWOW64\Gilapgqb.exeC:\Windows\system32\Gilapgqb.exe148⤵PID:2080
-
C:\Windows\SysWOW64\Gddbcp32.exeC:\Windows\system32\Gddbcp32.exe149⤵PID:6052
-
C:\Windows\SysWOW64\Giqkkf32.exeC:\Windows\system32\Giqkkf32.exe150⤵PID:5308
-
C:\Windows\SysWOW64\Gpkchqdj.exeC:\Windows\system32\Gpkchqdj.exe151⤵PID:5832
-
C:\Windows\SysWOW64\Hgelek32.exeC:\Windows\system32\Hgelek32.exe152⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:5132 -
C:\Windows\SysWOW64\Hjchaf32.exeC:\Windows\system32\Hjchaf32.exe153⤵PID:5968
-
C:\Windows\SysWOW64\Hajpbckl.exeC:\Windows\system32\Hajpbckl.exe154⤵PID:6012
-
C:\Windows\SysWOW64\Hgghjjid.exeC:\Windows\system32\Hgghjjid.exe155⤵
- Drops file in System32 directory
PID:6160 -
C:\Windows\SysWOW64\Hpomcp32.exeC:\Windows\system32\Hpomcp32.exe156⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:6204 -
C:\Windows\SysWOW64\Hjhalefe.exeC:\Windows\system32\Hjhalefe.exe157⤵PID:6252
-
C:\Windows\SysWOW64\Haoimcgg.exeC:\Windows\system32\Haoimcgg.exe158⤵PID:6296
-
C:\Windows\SysWOW64\Hglaej32.exeC:\Windows\system32\Hglaej32.exe159⤵PID:6336
-
C:\Windows\SysWOW64\Hpdfnolo.exeC:\Windows\system32\Hpdfnolo.exe160⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6380 -
C:\Windows\SysWOW64\Hhknpmma.exeC:\Windows\system32\Hhknpmma.exe161⤵PID:6424
-
C:\Windows\SysWOW64\Hjlkge32.exeC:\Windows\system32\Hjlkge32.exe162⤵
- System Location Discovery: System Language Discovery
PID:6468 -
C:\Windows\SysWOW64\Hpfcdojl.exeC:\Windows\system32\Hpfcdojl.exe163⤵PID:6512
-
C:\Windows\SysWOW64\Ihnkel32.exeC:\Windows\system32\Ihnkel32.exe164⤵PID:6560
-
C:\Windows\SysWOW64\Ijogmdqm.exeC:\Windows\system32\Ijogmdqm.exe165⤵PID:6604
-
C:\Windows\SysWOW64\Injcmc32.exeC:\Windows\system32\Injcmc32.exe166⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:6640 -
C:\Windows\SysWOW64\Iddljmpc.exeC:\Windows\system32\Iddljmpc.exe167⤵PID:6692
-
C:\Windows\SysWOW64\Ihphkl32.exeC:\Windows\system32\Ihphkl32.exe168⤵PID:6736
-
C:\Windows\SysWOW64\Ijadbdoj.exeC:\Windows\system32\Ijadbdoj.exe169⤵PID:6780
-
C:\Windows\SysWOW64\Iqklon32.exeC:\Windows\system32\Iqklon32.exe170⤵PID:6824
-
C:\Windows\SysWOW64\Idghpmnp.exeC:\Windows\system32\Idghpmnp.exe171⤵PID:6868
-
C:\Windows\SysWOW64\Ikqqlgem.exeC:\Windows\system32\Ikqqlgem.exe172⤵PID:6912
-
C:\Windows\SysWOW64\Inomhbeq.exeC:\Windows\system32\Inomhbeq.exe173⤵PID:6948
-
C:\Windows\SysWOW64\Idieem32.exeC:\Windows\system32\Idieem32.exe174⤵PID:7000
-
C:\Windows\SysWOW64\Ihdafkdg.exeC:\Windows\system32\Ihdafkdg.exe175⤵PID:7036
-
C:\Windows\SysWOW64\Iggaah32.exeC:\Windows\system32\Iggaah32.exe176⤵PID:7088
-
C:\Windows\SysWOW64\Inainbcn.exeC:\Windows\system32\Inainbcn.exe177⤵PID:7132
-
C:\Windows\SysWOW64\Idkbkl32.exeC:\Windows\system32\Idkbkl32.exe178⤵PID:6152
-
C:\Windows\SysWOW64\Igjngh32.exeC:\Windows\system32\Igjngh32.exe179⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:6212 -
C:\Windows\SysWOW64\Ibobdqid.exeC:\Windows\system32\Ibobdqid.exe180⤵
- Drops file in System32 directory
PID:6292 -
C:\Windows\SysWOW64\Iqbbpm32.exeC:\Windows\system32\Iqbbpm32.exe181⤵
- Drops file in System32 directory
PID:6348 -
C:\Windows\SysWOW64\Jdnoplhh.exeC:\Windows\system32\Jdnoplhh.exe182⤵PID:6432
-
C:\Windows\SysWOW64\Jjjghcfp.exeC:\Windows\system32\Jjjghcfp.exe183⤵PID:6500
-
C:\Windows\SysWOW64\Jbaojpgb.exeC:\Windows\system32\Jbaojpgb.exe184⤵PID:6556
-
C:\Windows\SysWOW64\Jhlgfj32.exeC:\Windows\system32\Jhlgfj32.exe185⤵PID:6652
-
C:\Windows\SysWOW64\Jgogbgei.exeC:\Windows\system32\Jgogbgei.exe186⤵PID:6712
-
C:\Windows\SysWOW64\Jnhpoamf.exeC:\Windows\system32\Jnhpoamf.exe187⤵PID:6776
-
C:\Windows\SysWOW64\Jbdlop32.exeC:\Windows\system32\Jbdlop32.exe188⤵PID:6860
-
C:\Windows\SysWOW64\Jhndljll.exeC:\Windows\system32\Jhndljll.exe189⤵PID:6920
-
C:\Windows\SysWOW64\Jklphekp.exeC:\Windows\system32\Jklphekp.exe190⤵PID:6972
-
C:\Windows\SysWOW64\Jbfheo32.exeC:\Windows\system32\Jbfheo32.exe191⤵PID:7056
-
C:\Windows\SysWOW64\Jdedak32.exeC:\Windows\system32\Jdedak32.exe192⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:7116 -
C:\Windows\SysWOW64\Jhpqaiji.exeC:\Windows\system32\Jhpqaiji.exe193⤵PID:6188
-
C:\Windows\SysWOW64\Jjamia32.exeC:\Windows\system32\Jjamia32.exe194⤵PID:6288
-
C:\Windows\SysWOW64\Jbiejoaj.exeC:\Windows\system32\Jbiejoaj.exe195⤵
- System Location Discovery: System Language Discovery
PID:6408 -
C:\Windows\SysWOW64\Jgenbfoa.exeC:\Windows\system32\Jgenbfoa.exe196⤵PID:6508
-
C:\Windows\SysWOW64\Jkaicd32.exeC:\Windows\system32\Jkaicd32.exe197⤵PID:6596
-
C:\Windows\SysWOW64\Jbkbpoog.exeC:\Windows\system32\Jbkbpoog.exe198⤵
- Modifies registry class
PID:6732 -
C:\Windows\SysWOW64\Kiejmi32.exeC:\Windows\system32\Kiejmi32.exe199⤵PID:6836
-
C:\Windows\SysWOW64\Kghjhemo.exeC:\Windows\system32\Kghjhemo.exe200⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6956 -
C:\Windows\SysWOW64\Kjffdalb.exeC:\Windows\system32\Kjffdalb.exe201⤵PID:7032
-
C:\Windows\SysWOW64\Kqpoakco.exeC:\Windows\system32\Kqpoakco.exe202⤵
- Modifies registry class
PID:100 -
C:\Windows\SysWOW64\Kiggbhda.exeC:\Windows\system32\Kiggbhda.exe203⤵PID:6364
-
C:\Windows\SysWOW64\Kgjgne32.exeC:\Windows\system32\Kgjgne32.exe204⤵PID:6488
-
C:\Windows\SysWOW64\Kbpkkn32.exeC:\Windows\system32\Kbpkkn32.exe205⤵PID:6664
-
C:\Windows\SysWOW64\Kqbkfkal.exeC:\Windows\system32\Kqbkfkal.exe206⤵PID:6800
-
C:\Windows\SysWOW64\Kgmcce32.exeC:\Windows\system32\Kgmcce32.exe207⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:6968 -
C:\Windows\SysWOW64\Knflpoqf.exeC:\Windows\system32\Knflpoqf.exe208⤵
- Drops file in System32 directory
PID:7140 -
C:\Windows\SysWOW64\Kbbhqn32.exeC:\Windows\system32\Kbbhqn32.exe209⤵PID:6416
-
C:\Windows\SysWOW64\Kilpmh32.exeC:\Windows\system32\Kilpmh32.exe210⤵PID:6636
-
C:\Windows\SysWOW64\Kkjlic32.exeC:\Windows\system32\Kkjlic32.exe211⤵PID:6936
-
C:\Windows\SysWOW64\Kbddfmgl.exeC:\Windows\system32\Kbddfmgl.exe212⤵PID:6280
-
C:\Windows\SysWOW64\Kecabifp.exeC:\Windows\system32\Kecabifp.exe213⤵PID:6552
-
C:\Windows\SysWOW64\Kgamnded.exeC:\Windows\system32\Kgamnded.exe214⤵PID:7144
-
C:\Windows\SysWOW64\Knkekn32.exeC:\Windows\system32\Knkekn32.exe215⤵PID:6616
-
C:\Windows\SysWOW64\Lbgalmej.exeC:\Windows\system32\Lbgalmej.exe216⤵PID:6240
-
C:\Windows\SysWOW64\Liqihglg.exeC:\Windows\system32\Liqihglg.exe217⤵PID:6772
-
C:\Windows\SysWOW64\Lkofdbkj.exeC:\Windows\system32\Lkofdbkj.exe218⤵PID:7180
-
C:\Windows\SysWOW64\Lbinam32.exeC:\Windows\system32\Lbinam32.exe219⤵PID:7232
-
C:\Windows\SysWOW64\Legjmh32.exeC:\Windows\system32\Legjmh32.exe220⤵PID:7276
-
C:\Windows\SysWOW64\Lgffic32.exeC:\Windows\system32\Lgffic32.exe221⤵PID:7312
-
C:\Windows\SysWOW64\Ljdceo32.exeC:\Windows\system32\Ljdceo32.exe222⤵PID:7364
-
C:\Windows\SysWOW64\Lnpofnhk.exeC:\Windows\system32\Lnpofnhk.exe223⤵PID:7400
-
C:\Windows\SysWOW64\Lbkkgl32.exeC:\Windows\system32\Lbkkgl32.exe224⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:7452 -
C:\Windows\SysWOW64\Lghcocol.exeC:\Windows\system32\Lghcocol.exe225⤵PID:7496
-
C:\Windows\SysWOW64\Lldopb32.exeC:\Windows\system32\Lldopb32.exe226⤵PID:7544
-
C:\Windows\SysWOW64\Lbngllob.exeC:\Windows\system32\Lbngllob.exe227⤵PID:7584
-
C:\Windows\SysWOW64\Lihpif32.exeC:\Windows\system32\Lihpif32.exe228⤵PID:7632
-
C:\Windows\SysWOW64\Llflea32.exeC:\Windows\system32\Llflea32.exe229⤵PID:7676
-
C:\Windows\SysWOW64\Lbpdblmo.exeC:\Windows\system32\Lbpdblmo.exe230⤵PID:7720
-
C:\Windows\SysWOW64\Lijlof32.exeC:\Windows\system32\Lijlof32.exe231⤵PID:7764
-
C:\Windows\SysWOW64\Llhikacp.exeC:\Windows\system32\Llhikacp.exe232⤵PID:7808
-
C:\Windows\SysWOW64\Mngegmbc.exeC:\Windows\system32\Mngegmbc.exe233⤵
- Modifies registry class
PID:7860 -
C:\Windows\SysWOW64\Maeachag.exeC:\Windows\system32\Maeachag.exe234⤵PID:7916
-
C:\Windows\SysWOW64\Milidebi.exeC:\Windows\system32\Milidebi.exe235⤵
- Drops file in System32 directory
PID:7996 -
C:\Windows\SysWOW64\Mhoipb32.exeC:\Windows\system32\Mhoipb32.exe236⤵PID:8048
-
C:\Windows\SysWOW64\Mjneln32.exeC:\Windows\system32\Mjneln32.exe237⤵PID:8116
-
C:\Windows\SysWOW64\Mbenmk32.exeC:\Windows\system32\Mbenmk32.exe238⤵PID:8180
-
C:\Windows\SysWOW64\Miofjepg.exeC:\Windows\system32\Miofjepg.exe239⤵PID:7220
-
C:\Windows\SysWOW64\Mlmbfqoj.exeC:\Windows\system32\Mlmbfqoj.exe240⤵PID:7284
-
C:\Windows\SysWOW64\Mjpbam32.exeC:\Windows\system32\Mjpbam32.exe241⤵
- Modifies registry class
PID:7336 -
C:\Windows\SysWOW64\Meefofek.exeC:\Windows\system32\Meefofek.exe242⤵
- Modifies registry class
PID:7428