Analysis
-
max time kernel
95s -
max time network
96s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
10-11-2024 01:27
Static task
static1
Behavioral task
behavioral1
Sample
b84100cd4b91eb50e7dda9787329f74ff9e27f1aa71d424658260b7f61db254fN.exe
Resource
win7-20241010-en
Behavioral task
behavioral2
Sample
b84100cd4b91eb50e7dda9787329f74ff9e27f1aa71d424658260b7f61db254fN.exe
Resource
win10v2004-20241007-en
General
-
Target
b84100cd4b91eb50e7dda9787329f74ff9e27f1aa71d424658260b7f61db254fN.exe
-
Size
74KB
-
MD5
07394d2a9b4b4224ec66bad5b092e310
-
SHA1
00d9412b579ccbf779c72a68373fa9aff1d9bfcc
-
SHA256
b84100cd4b91eb50e7dda9787329f74ff9e27f1aa71d424658260b7f61db254f
-
SHA512
d4dbe7ea2561955f86a3d64f5b64f3ec1e76180054f2485444bc447adb1cbf0654bee476329b71c7931d2a5cb52568a54a9d1b3aef1688756cc71158ca6d630e
-
SSDEEP
1536:QfALph4NquQ7eos4EfgpmpEOSVSL0jyp9Xl4S+pg2yu8yzr4MAbgpRoLyVb:Qf+GNHos4EfgpmedBEhp2yPyP4MtV
Malware Config
Extracted
berbew
http://f/wcmd.htm
http://f/ppslog.php
http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
Processes:
Heegad32.exeHehdfdek.exeJojdlfeo.exePcjiff32.exeJpdhkf32.exeFmhdkknd.exeJoahqn32.exeAkkffkhk.exeKeifdpif.exeKeimof32.exeCaojpaij.exeIdahjg32.exeNmlddqem.exePoliea32.exeCbbnpg32.exeFbelcblk.exeNoppeaed.exeLeenhhdn.exeMnnkgl32.exeBbnkonbd.exeEmphocjj.exeMgobel32.exeFihnomjp.exeOihmedma.exeFpbflg32.exeQpeahb32.exeBgnffj32.exeKenggi32.exeKecabifp.exeKnooej32.exeOogpjbbb.exePmlmkn32.exeFinnef32.exeObjkmkjj.exeLicfngjd.exeMhafeb32.exeKclgmq32.exeOnnmdcjm.exeMjodla32.exeMjmoag32.exeGblbca32.exeDojqjdbl.exeLllagh32.exeLcfidb32.exeNhdlao32.exeDjqblj32.exeLknojl32.exeChlflabp.exePjdpelnc.exeEoideh32.exeIbegfglj.exeAanbhp32.exeCjjlkk32.exeIgigla32.exeOdalmibl.exeDnmhpg32.exeOcnabm32.exeAleckinj.exeDblgpl32.exeMkhapk32.exeDddllkbf.exeOophlo32.exeLnpofnhk.exeMniallpq.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Heegad32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hehdfdek.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jojdlfeo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pcjiff32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jpdhkf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fmhdkknd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Joahqn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Akkffkhk.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Keifdpif.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Keimof32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Caojpaij.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Idahjg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nmlddqem.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Poliea32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cbbnpg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fbelcblk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Noppeaed.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Leenhhdn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mnnkgl32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bbnkonbd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Emphocjj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mgobel32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fihnomjp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oihmedma.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fpbflg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Qpeahb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bgnffj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kenggi32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kecabifp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Knooej32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Oogpjbbb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pmlmkn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Finnef32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Objkmkjj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Licfngjd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mhafeb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kclgmq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Onnmdcjm.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mjodla32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mjmoag32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gblbca32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dojqjdbl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lllagh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lcfidb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nhdlao32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Djqblj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lknojl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Chlflabp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pjdpelnc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Eoideh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ibegfglj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aanbhp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cjjlkk32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Igigla32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Odalmibl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dnmhpg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ocnabm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aleckinj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dblgpl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mkhapk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dddllkbf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Oophlo32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lnpofnhk.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mniallpq.exe -
Berbew family
-
Executes dropped EXE 64 IoCs
Processes:
Jjamia32.exeJqlefl32.exeJgenbfoa.exeJnpfop32.exeKdinljnk.exeKkcfid32.exeKnbbep32.exeKelkaj32.exeKgjgne32.exeKjhcjq32.exeKbpkkn32.exeKenggi32.exeKkhpdcab.exeKaehljpj.exeKgopidgf.exeKjmmepfj.exeKbddfmgl.exeKecabifp.exeKkmioc32.exeKnkekn32.exeLeenhhdn.exeLkofdbkj.exeLbinam32.exeLicfngjd.exeLgffic32.exeLnpofnhk.exeLejgch32.exeLldopb32.exeLbngllob.exeLaqhhi32.exeLgkpdcmi.exeLndham32.exeLbpdblmo.exeLeopnglc.exeLijlof32.exeLjkifn32.exeMbbagk32.exeMeamcg32.exeMilidebi.exeMlkepaam.exeMniallpq.exeMahnhhod.exeMecjif32.exeMhafeb32.exeMjpbam32.exeMbgjbkfg.exeMiaboe32.exeMhdckaeo.exeMnnkgl32.exeMalgcg32.exeMhfppabl.exeMlbkap32.exeMnphmkji.exeMaodigil.exeMifljdjo.exeMldhfpib.exeNobdbkhf.exeNemmoe32.exeNhkikq32.exeNoeahkfc.exeNacmdf32.exeNliaao32.exeNognnj32.exeNafjjf32.exepid process 3464 Jjamia32.exe 4196 Jqlefl32.exe 4824 Jgenbfoa.exe 2388 Jnpfop32.exe 4448 Kdinljnk.exe 3444 Kkcfid32.exe 3016 Knbbep32.exe 2132 Kelkaj32.exe 752 Kgjgne32.exe 4432 Kjhcjq32.exe 1792 Kbpkkn32.exe 4412 Kenggi32.exe 4612 Kkhpdcab.exe 3488 Kaehljpj.exe 1364 Kgopidgf.exe 1532 Kjmmepfj.exe 2180 Kbddfmgl.exe 5044 Kecabifp.exe 724 Kkmioc32.exe 1848 Knkekn32.exe 3128 Leenhhdn.exe 3416 Lkofdbkj.exe 3096 Lbinam32.exe 1468 Licfngjd.exe 1112 Lgffic32.exe 4368 Lnpofnhk.exe 3768 Lejgch32.exe 4908 Lldopb32.exe 3564 Lbngllob.exe 3588 Laqhhi32.exe 888 Lgkpdcmi.exe 4216 Lndham32.exe 4880 Lbpdblmo.exe 4348 Leopnglc.exe 4040 Lijlof32.exe 3892 Ljkifn32.exe 1432 Mbbagk32.exe 2156 Meamcg32.exe 3776 Milidebi.exe 2808 Mlkepaam.exe 808 Mniallpq.exe 4652 Mahnhhod.exe 456 Mecjif32.exe 2716 Mhafeb32.exe 3296 Mjpbam32.exe 2688 Mbgjbkfg.exe 1932 Miaboe32.exe 1708 Mhdckaeo.exe 3744 Mnnkgl32.exe 5028 Malgcg32.exe 1608 Mhfppabl.exe 2184 Mlbkap32.exe 3392 Mnphmkji.exe 2324 Maodigil.exe 1644 Mifljdjo.exe 5088 Mldhfpib.exe 4240 Nobdbkhf.exe 4320 Nemmoe32.exe 1216 Nhkikq32.exe 3452 Noeahkfc.exe 4764 Nacmdf32.exe 972 Nliaao32.exe 2432 Nognnj32.exe 3604 Nafjjf32.exe -
Drops file in System32 directory 64 IoCs
Processes:
Mbbagk32.exeNhdlao32.exeLjfhqh32.exeJpcapp32.exeKocgbend.exeOmalpc32.exeQepkbpak.exeGkmdecbg.exeGeaepk32.exeIplkpa32.exeMcoljagj.exeNbebbk32.exeNafjjf32.exeIkbfgppo.exeNcqlkemc.exeQikgco32.exeBljlfh32.exePefabkej.exeEofgpikj.exeCbeapmll.exeDjelgied.exeAhfmpnql.exeBhamkipi.exeFpjcgm32.exeKhlklj32.exeGbchdp32.exePdjgha32.exeFeenjgfq.exeNbbeml32.exeMahnhhod.exeAbbkcpma.exeDkdliame.exeOogpjbbb.exeIlcldb32.exeEghkjdoa.exeIinqbn32.exePlmmif32.exeMcelpggq.exeDolmodpi.exeJllhpkfk.exeKenggi32.exeQdbdcg32.exeLepleocn.exeOhiemobf.exeCjnffjkl.exeMjdebfnd.exeGpaihooo.exePchlpfjb.exeIlnbicff.exeQacameaj.exeFnfmbmbi.exeIpbaol32.exeIiopca32.exeLbinam32.exeHiiggoaf.exeCnfaohbj.exeFnbcgn32.exeLpjjmg32.exeCmhigf32.exePlkpcfal.exeOmpfej32.exeFohfbpgi.exedescription ioc process File created C:\Windows\SysWOW64\Meamcg32.exe Mbbagk32.exe File opened for modification C:\Windows\SysWOW64\Oondnini.exe Nhdlao32.exe File opened for modification C:\Windows\SysWOW64\Lmdemd32.exe Ljfhqh32.exe File created C:\Windows\SysWOW64\Jcanll32.exe Jpcapp32.exe File created C:\Windows\SysWOW64\Kabcopmg.exe Kocgbend.exe File created C:\Windows\SysWOW64\Lodabb32.dll Omalpc32.exe File opened for modification C:\Windows\SysWOW64\Qikgco32.exe Qepkbpak.exe File created C:\Windows\SysWOW64\Hhhjoabm.dll Gkmdecbg.exe File opened for modification C:\Windows\SysWOW64\Gpgind32.exe Geaepk32.exe File opened for modification C:\Windows\SysWOW64\Igfclkdj.exe Iplkpa32.exe File created C:\Windows\SysWOW64\Caecnh32.dll Mcoljagj.exe File created C:\Windows\SysWOW64\Fpgkbmbm.dll Nbebbk32.exe File created C:\Windows\SysWOW64\Nimbkc32.exe Nafjjf32.exe File opened for modification C:\Windows\SysWOW64\Ijegcm32.exe Ikbfgppo.exe File opened for modification C:\Windows\SysWOW64\Njjdho32.exe Ncqlkemc.exe File opened for modification C:\Windows\SysWOW64\Qljcoj32.exe Qikgco32.exe File created C:\Windows\SysWOW64\Capqggce.dll Bljlfh32.exe File opened for modification C:\Windows\SysWOW64\Phdnngdn.exe Pefabkej.exe File created C:\Windows\SysWOW64\Efpomccg.exe Eofgpikj.exe File created C:\Windows\SysWOW64\Qdbpmock.dll Cbeapmll.exe File created C:\Windows\SysWOW64\Ipckmjqi.dll Djelgied.exe File created C:\Windows\SysWOW64\Gdlfcb32.dll Ahfmpnql.exe File created C:\Windows\SysWOW64\Bokehc32.exe Bhamkipi.exe File opened for modification C:\Windows\SysWOW64\Fibhpbea.exe Fpjcgm32.exe File created C:\Windows\SysWOW64\Hghklqmm.dll Khlklj32.exe File created C:\Windows\SysWOW64\Geaepk32.exe Gbchdp32.exe File created C:\Windows\SysWOW64\Pjdpelnc.exe Pdjgha32.exe File created C:\Windows\SysWOW64\Ojehbail.dll Feenjgfq.exe File created C:\Windows\SysWOW64\Njjmni32.exe Nbbeml32.exe File created C:\Windows\SysWOW64\Mecjif32.exe Mahnhhod.exe File created C:\Windows\SysWOW64\Kemilf32.dll Abbkcpma.exe File created C:\Windows\SysWOW64\Mfplpfib.dll Dkdliame.exe File created C:\Windows\SysWOW64\Pddhbipj.exe Oogpjbbb.exe File created C:\Windows\SysWOW64\Joahqn32.exe Ilcldb32.exe File created C:\Windows\SysWOW64\Ghehjh32.dll Eghkjdoa.exe File created C:\Windows\SysWOW64\Ddooacnk.dll Iinqbn32.exe File created C:\Windows\SysWOW64\Ddalgo32.dll Plmmif32.exe File opened for modification C:\Windows\SysWOW64\Mjodla32.exe Mcelpggq.exe File created C:\Windows\SysWOW64\Llobhg32.dll Dolmodpi.exe File created C:\Windows\SysWOW64\Jojdlfeo.exe Jllhpkfk.exe File created C:\Windows\SysWOW64\Kpccmhdg.exe Khlklj32.exe File created C:\Windows\SysWOW64\Pnpban32.dll Kenggi32.exe File created C:\Windows\SysWOW64\Qlimed32.exe Qdbdcg32.exe File created C:\Windows\SysWOW64\Foniaq32.dll Lepleocn.exe File opened for modification C:\Windows\SysWOW64\Okgaijaj.exe Ohiemobf.exe File created C:\Windows\SysWOW64\Gahffo32.dll Qepkbpak.exe File opened for modification C:\Windows\SysWOW64\Ccgjopal.exe Cjnffjkl.exe File opened for modification C:\Windows\SysWOW64\Meiioonj.exe Mjdebfnd.exe File created C:\Windows\SysWOW64\Gacepg32.exe Gpaihooo.exe File created C:\Windows\SysWOW64\Qhkjegqi.dll Pchlpfjb.exe File created C:\Windows\SysWOW64\Iomoenej.exe Ilnbicff.exe File created C:\Windows\SysWOW64\Qpeahb32.exe Qacameaj.exe File created C:\Windows\SysWOW64\Paoinm32.dll Fnfmbmbi.exe File opened for modification C:\Windows\SysWOW64\Ieojgc32.exe Ipbaol32.exe File created C:\Windows\SysWOW64\Ilnlom32.exe Iiopca32.exe File created C:\Windows\SysWOW64\Licfngjd.exe Lbinam32.exe File opened for modification C:\Windows\SysWOW64\Hmechmip.exe Hiiggoaf.exe File created C:\Windows\SysWOW64\Lkhpjc32.dll Cnfaohbj.exe File opened for modification C:\Windows\SysWOW64\Fqppci32.exe Fnbcgn32.exe File created C:\Windows\SysWOW64\Lchfib32.exe Lpjjmg32.exe File created C:\Windows\SysWOW64\Olaqbelh.dll Cmhigf32.exe File opened for modification C:\Windows\SysWOW64\Pmlmkn32.exe Plkpcfal.exe File created C:\Windows\SysWOW64\Lpghll32.dll Ompfej32.exe File opened for modification C:\Windows\SysWOW64\Feenjgfq.exe Fohfbpgi.exe -
Program crash 1 IoCs
Processes:
WerFault.exepid pid_target process target process 4644 5636 WerFault.exe Pififb32.exe -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
Domdjj32.exeJokkgl32.exeOaplqh32.exePcegclgp.exeb84100cd4b91eb50e7dda9787329f74ff9e27f1aa71d424658260b7f61db254fN.exeMgobel32.exeMjdebfnd.exeEfjbcakl.exeMokmdh32.exeMcgiefen.exePjkmomfn.exeNmaciefp.exeKbpkkn32.exeOeoblb32.exeIknmla32.exeJcphab32.exeOlfghg32.exePfojdh32.exeBbiado32.exeFpjcgm32.exeFmmmfj32.exeKjeiodek.exeKgnbdh32.exeFdnhih32.exeMgaokl32.exeBoeebnhp.exeNncccnol.exeOpqofe32.exeChkobkod.exeDoojec32.exeOokoaokf.exeOblhcj32.exeQhkdof32.exeQklmpalf.exeOophlo32.exeDmcain32.exeDkhnjk32.exeIefphb32.exeKeifdpif.exeMlofcf32.exeKecabifp.exeCbeapmll.exeBedgjgkg.exeCbbnpg32.exeEfpomccg.exeEqdpgk32.exeFeqeog32.exeLicfngjd.exeJcikgacl.exeDjcoai32.exeFbcfhibj.exeKgipcogp.exeNmnqjp32.exeJpaekqhh.exePffgom32.exeLijlof32.exeBmofagfp.exeKhiofk32.exeNgjkfd32.exeAaldccip.exePififb32.exePlmmif32.exeAkglloai.exeIloidijb.exedescription ioc process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Domdjj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jokkgl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oaplqh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pcegclgp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language b84100cd4b91eb50e7dda9787329f74ff9e27f1aa71d424658260b7f61db254fN.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mgobel32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mjdebfnd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Efjbcakl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mokmdh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mcgiefen.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pjkmomfn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nmaciefp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kbpkkn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oeoblb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iknmla32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jcphab32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Olfghg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pfojdh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bbiado32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fpjcgm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fmmmfj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kjeiodek.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kgnbdh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fdnhih32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mgaokl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Boeebnhp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nncccnol.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Opqofe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Chkobkod.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Doojec32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ookoaokf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oblhcj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qhkdof32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qklmpalf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oophlo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dmcain32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dkhnjk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iefphb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Keifdpif.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mlofcf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kecabifp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cbeapmll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bedgjgkg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cbbnpg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Efpomccg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eqdpgk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Feqeog32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Licfngjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jcikgacl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Djcoai32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fbcfhibj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kgipcogp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nmnqjp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jpaekqhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pffgom32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lijlof32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bmofagfp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Khiofk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ngjkfd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aaldccip.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pififb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Plmmif32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Akglloai.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iloidijb.exe -
Modifies registry class 64 IoCs
Processes:
Khbiello.exeOboijgbl.exeBnoknihb.exeDomdjj32.exeFfnknafg.exeCggimh32.exeJoqafgni.exeJocnlg32.exeHlegnjbm.exeHlbcnd32.exeIlnlom32.exeMnfnlf32.exePopbpqjh.exeLqhdbm32.exeAmlogfel.exeLcfidb32.exeNjljch32.exePjoppf32.exeBkkple32.exeBohibc32.exeEppqqn32.exePonfka32.exeIllfdc32.exeHlblcn32.exePcbkml32.exeQhkdof32.exeBnkbcj32.exeMgloefco.exeMhanngbl.exeOidhlb32.exeQklmpalf.exeCleegp32.exeJlolpq32.exeCcgjopal.exeHloqml32.exeOlfghg32.exeGaqhjggp.exeMcoljagj.exePdhkcb32.exeIefphb32.exeJhkbdmbg.exeLlqjbhdc.exeHbldphde.exeAbbkcpma.exeDjhimica.exeIkbfgppo.exeDbnmke32.exeGegkpf32.exeHnlodjpa.exeIondqhpl.exeMkadfj32.exeChlflabp.exePhonha32.exeMlhqcgnk.exeFfaong32.exeIdhnkf32.exeHbnaeh32.exeKgopidgf.exeDkdliame.exeNhahaiec.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ehfomc32.dll" Khbiello.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Oboijgbl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bnoknihb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Domdjj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ffnknafg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hikemehi.dll" Cggimh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Joqafgni.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jocnlg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hlegnjbm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hlbcnd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ilnlom32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mnfnlf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Popbpqjh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Minqeaad.dll" Lqhdbm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Amlogfel.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Lcfidb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ocgjojai.dll" Njljch32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pjoppf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bkkple32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bohibc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Eppqqn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ponfka32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dafmjm32.dll" Illfdc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpbdco32.dll" Hlblcn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pcbkml32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ockkandf.dll" Qhkdof32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bnkbcj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mgloefco.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgccelpk.dll" Mhanngbl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Oidhlb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekpped32.dll" Qklmpalf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eadhip32.dll" Cleegp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jlolpq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ccgjopal.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hloqml32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfniqp32.dll" Olfghg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Gaqhjggp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mcoljagj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bnkbcj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Cleegp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjehnm32.dll" Pdhkcb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hcmhel32.dll" Iefphb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jhkbdmbg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Llqjbhdc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eojpkdah.dll" Hbldphde.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Abbkcpma.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Djhimica.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ikbfgppo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mdpmoppk.dll" Ponfka32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ddpapmqq.dll" Dbnmke32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Gegkpf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hnlodjpa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aanfno32.dll" Iondqhpl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cpdfhgmd.dll" Mkadfj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Chlflabp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Phonha32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mlhqcgnk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ffaong32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Idhnkf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hbnaeh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kgopidgf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Dkdliame.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ocdglf32.dll" Nhahaiec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Neiqnh32.dll" Bnkbcj32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
b84100cd4b91eb50e7dda9787329f74ff9e27f1aa71d424658260b7f61db254fN.exeJjamia32.exeJqlefl32.exeJgenbfoa.exeJnpfop32.exeKdinljnk.exeKkcfid32.exeKnbbep32.exeKelkaj32.exeKgjgne32.exeKjhcjq32.exeKbpkkn32.exeKenggi32.exeKkhpdcab.exeKaehljpj.exeKgopidgf.exeKjmmepfj.exeKbddfmgl.exeKecabifp.exeKkmioc32.exeKnkekn32.exeLeenhhdn.exedescription pid process target process PID 2080 wrote to memory of 3464 2080 b84100cd4b91eb50e7dda9787329f74ff9e27f1aa71d424658260b7f61db254fN.exe Jjamia32.exe PID 2080 wrote to memory of 3464 2080 b84100cd4b91eb50e7dda9787329f74ff9e27f1aa71d424658260b7f61db254fN.exe Jjamia32.exe PID 2080 wrote to memory of 3464 2080 b84100cd4b91eb50e7dda9787329f74ff9e27f1aa71d424658260b7f61db254fN.exe Jjamia32.exe PID 3464 wrote to memory of 4196 3464 Jjamia32.exe Jqlefl32.exe PID 3464 wrote to memory of 4196 3464 Jjamia32.exe Jqlefl32.exe PID 3464 wrote to memory of 4196 3464 Jjamia32.exe Jqlefl32.exe PID 4196 wrote to memory of 4824 4196 Jqlefl32.exe Jgenbfoa.exe PID 4196 wrote to memory of 4824 4196 Jqlefl32.exe Jgenbfoa.exe PID 4196 wrote to memory of 4824 4196 Jqlefl32.exe Jgenbfoa.exe PID 4824 wrote to memory of 2388 4824 Jgenbfoa.exe Jnpfop32.exe PID 4824 wrote to memory of 2388 4824 Jgenbfoa.exe Jnpfop32.exe PID 4824 wrote to memory of 2388 4824 Jgenbfoa.exe Jnpfop32.exe PID 2388 wrote to memory of 4448 2388 Jnpfop32.exe Kdinljnk.exe PID 2388 wrote to memory of 4448 2388 Jnpfop32.exe Kdinljnk.exe PID 2388 wrote to memory of 4448 2388 Jnpfop32.exe Kdinljnk.exe PID 4448 wrote to memory of 3444 4448 Kdinljnk.exe Kkcfid32.exe PID 4448 wrote to memory of 3444 4448 Kdinljnk.exe Kkcfid32.exe PID 4448 wrote to memory of 3444 4448 Kdinljnk.exe Kkcfid32.exe PID 3444 wrote to memory of 3016 3444 Kkcfid32.exe Knbbep32.exe PID 3444 wrote to memory of 3016 3444 Kkcfid32.exe Knbbep32.exe PID 3444 wrote to memory of 3016 3444 Kkcfid32.exe Knbbep32.exe PID 3016 wrote to memory of 2132 3016 Knbbep32.exe Kelkaj32.exe PID 3016 wrote to memory of 2132 3016 Knbbep32.exe Kelkaj32.exe PID 3016 wrote to memory of 2132 3016 Knbbep32.exe Kelkaj32.exe PID 2132 wrote to memory of 752 2132 Kelkaj32.exe Kgjgne32.exe PID 2132 wrote to memory of 752 2132 Kelkaj32.exe Kgjgne32.exe PID 2132 wrote to memory of 752 2132 Kelkaj32.exe Kgjgne32.exe PID 752 wrote to memory of 4432 752 Kgjgne32.exe Kjhcjq32.exe PID 752 wrote to memory of 4432 752 Kgjgne32.exe Kjhcjq32.exe PID 752 wrote to memory of 4432 752 Kgjgne32.exe Kjhcjq32.exe PID 4432 wrote to memory of 1792 4432 Kjhcjq32.exe Kbpkkn32.exe PID 4432 wrote to memory of 1792 4432 Kjhcjq32.exe Kbpkkn32.exe PID 4432 wrote to memory of 1792 4432 Kjhcjq32.exe Kbpkkn32.exe PID 1792 wrote to memory of 4412 1792 Kbpkkn32.exe Kenggi32.exe PID 1792 wrote to memory of 4412 1792 Kbpkkn32.exe Kenggi32.exe PID 1792 wrote to memory of 4412 1792 Kbpkkn32.exe Kenggi32.exe PID 4412 wrote to memory of 4612 4412 Kenggi32.exe Kkhpdcab.exe PID 4412 wrote to memory of 4612 4412 Kenggi32.exe Kkhpdcab.exe PID 4412 wrote to memory of 4612 4412 Kenggi32.exe Kkhpdcab.exe PID 4612 wrote to memory of 3488 4612 Kkhpdcab.exe Kaehljpj.exe PID 4612 wrote to memory of 3488 4612 Kkhpdcab.exe Kaehljpj.exe PID 4612 wrote to memory of 3488 4612 Kkhpdcab.exe Kaehljpj.exe PID 3488 wrote to memory of 1364 3488 Kaehljpj.exe Kgopidgf.exe PID 3488 wrote to memory of 1364 3488 Kaehljpj.exe Kgopidgf.exe PID 3488 wrote to memory of 1364 3488 Kaehljpj.exe Kgopidgf.exe PID 1364 wrote to memory of 1532 1364 Kgopidgf.exe Kjmmepfj.exe PID 1364 wrote to memory of 1532 1364 Kgopidgf.exe Kjmmepfj.exe PID 1364 wrote to memory of 1532 1364 Kgopidgf.exe Kjmmepfj.exe PID 1532 wrote to memory of 2180 1532 Kjmmepfj.exe Kbddfmgl.exe PID 1532 wrote to memory of 2180 1532 Kjmmepfj.exe Kbddfmgl.exe PID 1532 wrote to memory of 2180 1532 Kjmmepfj.exe Kbddfmgl.exe PID 2180 wrote to memory of 5044 2180 Kbddfmgl.exe Kecabifp.exe PID 2180 wrote to memory of 5044 2180 Kbddfmgl.exe Kecabifp.exe PID 2180 wrote to memory of 5044 2180 Kbddfmgl.exe Kecabifp.exe PID 5044 wrote to memory of 724 5044 Kecabifp.exe Kkmioc32.exe PID 5044 wrote to memory of 724 5044 Kecabifp.exe Kkmioc32.exe PID 5044 wrote to memory of 724 5044 Kecabifp.exe Kkmioc32.exe PID 724 wrote to memory of 1848 724 Kkmioc32.exe Knkekn32.exe PID 724 wrote to memory of 1848 724 Kkmioc32.exe Knkekn32.exe PID 724 wrote to memory of 1848 724 Kkmioc32.exe Knkekn32.exe PID 1848 wrote to memory of 3128 1848 Knkekn32.exe Leenhhdn.exe PID 1848 wrote to memory of 3128 1848 Knkekn32.exe Leenhhdn.exe PID 1848 wrote to memory of 3128 1848 Knkekn32.exe Leenhhdn.exe PID 3128 wrote to memory of 3416 3128 Leenhhdn.exe Lkofdbkj.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\b84100cd4b91eb50e7dda9787329f74ff9e27f1aa71d424658260b7f61db254fN.exe"C:\Users\Admin\AppData\Local\Temp\b84100cd4b91eb50e7dda9787329f74ff9e27f1aa71d424658260b7f61db254fN.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2080 -
C:\Windows\SysWOW64\Jjamia32.exeC:\Windows\system32\Jjamia32.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3464 -
C:\Windows\SysWOW64\Jqlefl32.exeC:\Windows\system32\Jqlefl32.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4196 -
C:\Windows\SysWOW64\Jgenbfoa.exeC:\Windows\system32\Jgenbfoa.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4824 -
C:\Windows\SysWOW64\Jnpfop32.exeC:\Windows\system32\Jnpfop32.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2388 -
C:\Windows\SysWOW64\Kdinljnk.exeC:\Windows\system32\Kdinljnk.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4448 -
C:\Windows\SysWOW64\Kkcfid32.exeC:\Windows\system32\Kkcfid32.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3444 -
C:\Windows\SysWOW64\Knbbep32.exeC:\Windows\system32\Knbbep32.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3016 -
C:\Windows\SysWOW64\Kelkaj32.exeC:\Windows\system32\Kelkaj32.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2132 -
C:\Windows\SysWOW64\Kgjgne32.exeC:\Windows\system32\Kgjgne32.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:752 -
C:\Windows\SysWOW64\Kjhcjq32.exeC:\Windows\system32\Kjhcjq32.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4432 -
C:\Windows\SysWOW64\Kbpkkn32.exeC:\Windows\system32\Kbpkkn32.exe12⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1792 -
C:\Windows\SysWOW64\Kenggi32.exeC:\Windows\system32\Kenggi32.exe13⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4412 -
C:\Windows\SysWOW64\Kkhpdcab.exeC:\Windows\system32\Kkhpdcab.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4612 -
C:\Windows\SysWOW64\Kaehljpj.exeC:\Windows\system32\Kaehljpj.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3488 -
C:\Windows\SysWOW64\Kgopidgf.exeC:\Windows\system32\Kgopidgf.exe16⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1364 -
C:\Windows\SysWOW64\Kjmmepfj.exeC:\Windows\system32\Kjmmepfj.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1532 -
C:\Windows\SysWOW64\Kbddfmgl.exeC:\Windows\system32\Kbddfmgl.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2180 -
C:\Windows\SysWOW64\Kecabifp.exeC:\Windows\system32\Kecabifp.exe19⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:5044 -
C:\Windows\SysWOW64\Kkmioc32.exeC:\Windows\system32\Kkmioc32.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:724 -
C:\Windows\SysWOW64\Knkekn32.exeC:\Windows\system32\Knkekn32.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1848 -
C:\Windows\SysWOW64\Leenhhdn.exeC:\Windows\system32\Leenhhdn.exe22⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3128 -
C:\Windows\SysWOW64\Lkofdbkj.exeC:\Windows\system32\Lkofdbkj.exe23⤵
- Executes dropped EXE
PID:3416 -
C:\Windows\SysWOW64\Lbinam32.exeC:\Windows\system32\Lbinam32.exe24⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3096 -
C:\Windows\SysWOW64\Licfngjd.exeC:\Windows\system32\Licfngjd.exe25⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1468 -
C:\Windows\SysWOW64\Lgffic32.exeC:\Windows\system32\Lgffic32.exe26⤵
- Executes dropped EXE
PID:1112 -
C:\Windows\SysWOW64\Lnpofnhk.exeC:\Windows\system32\Lnpofnhk.exe27⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4368 -
C:\Windows\SysWOW64\Lejgch32.exeC:\Windows\system32\Lejgch32.exe28⤵
- Executes dropped EXE
PID:3768 -
C:\Windows\SysWOW64\Lldopb32.exeC:\Windows\system32\Lldopb32.exe29⤵
- Executes dropped EXE
PID:4908 -
C:\Windows\SysWOW64\Lbngllob.exeC:\Windows\system32\Lbngllob.exe30⤵
- Executes dropped EXE
PID:3564 -
C:\Windows\SysWOW64\Laqhhi32.exeC:\Windows\system32\Laqhhi32.exe31⤵
- Executes dropped EXE
PID:3588 -
C:\Windows\SysWOW64\Lgkpdcmi.exeC:\Windows\system32\Lgkpdcmi.exe32⤵
- Executes dropped EXE
PID:888 -
C:\Windows\SysWOW64\Lndham32.exeC:\Windows\system32\Lndham32.exe33⤵
- Executes dropped EXE
PID:4216 -
C:\Windows\SysWOW64\Lbpdblmo.exeC:\Windows\system32\Lbpdblmo.exe34⤵
- Executes dropped EXE
PID:4880 -
C:\Windows\SysWOW64\Leopnglc.exeC:\Windows\system32\Leopnglc.exe35⤵
- Executes dropped EXE
PID:4348 -
C:\Windows\SysWOW64\Lijlof32.exeC:\Windows\system32\Lijlof32.exe36⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4040 -
C:\Windows\SysWOW64\Ljkifn32.exeC:\Windows\system32\Ljkifn32.exe37⤵
- Executes dropped EXE
PID:3892 -
C:\Windows\SysWOW64\Mbbagk32.exeC:\Windows\system32\Mbbagk32.exe38⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1432 -
C:\Windows\SysWOW64\Meamcg32.exeC:\Windows\system32\Meamcg32.exe39⤵
- Executes dropped EXE
PID:2156 -
C:\Windows\SysWOW64\Milidebi.exeC:\Windows\system32\Milidebi.exe40⤵
- Executes dropped EXE
PID:3776 -
C:\Windows\SysWOW64\Mlkepaam.exeC:\Windows\system32\Mlkepaam.exe41⤵
- Executes dropped EXE
PID:2808 -
C:\Windows\SysWOW64\Mniallpq.exeC:\Windows\system32\Mniallpq.exe42⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:808 -
C:\Windows\SysWOW64\Mahnhhod.exeC:\Windows\system32\Mahnhhod.exe43⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4652 -
C:\Windows\SysWOW64\Mecjif32.exeC:\Windows\system32\Mecjif32.exe44⤵
- Executes dropped EXE
PID:456 -
C:\Windows\SysWOW64\Mhafeb32.exeC:\Windows\system32\Mhafeb32.exe45⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2716 -
C:\Windows\SysWOW64\Mjpbam32.exeC:\Windows\system32\Mjpbam32.exe46⤵
- Executes dropped EXE
PID:3296 -
C:\Windows\SysWOW64\Mbgjbkfg.exeC:\Windows\system32\Mbgjbkfg.exe47⤵
- Executes dropped EXE
PID:2688 -
C:\Windows\SysWOW64\Miaboe32.exeC:\Windows\system32\Miaboe32.exe48⤵
- Executes dropped EXE
PID:1932 -
C:\Windows\SysWOW64\Mhdckaeo.exeC:\Windows\system32\Mhdckaeo.exe49⤵
- Executes dropped EXE
PID:1708 -
C:\Windows\SysWOW64\Mnnkgl32.exeC:\Windows\system32\Mnnkgl32.exe50⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3744 -
C:\Windows\SysWOW64\Malgcg32.exeC:\Windows\system32\Malgcg32.exe51⤵
- Executes dropped EXE
PID:5028 -
C:\Windows\SysWOW64\Mhfppabl.exeC:\Windows\system32\Mhfppabl.exe52⤵
- Executes dropped EXE
PID:1608 -
C:\Windows\SysWOW64\Mlbkap32.exeC:\Windows\system32\Mlbkap32.exe53⤵
- Executes dropped EXE
PID:2184 -
C:\Windows\SysWOW64\Mnphmkji.exeC:\Windows\system32\Mnphmkji.exe54⤵
- Executes dropped EXE
PID:3392 -
C:\Windows\SysWOW64\Maodigil.exeC:\Windows\system32\Maodigil.exe55⤵
- Executes dropped EXE
PID:2324 -
C:\Windows\SysWOW64\Mifljdjo.exeC:\Windows\system32\Mifljdjo.exe56⤵
- Executes dropped EXE
PID:1644 -
C:\Windows\SysWOW64\Mldhfpib.exeC:\Windows\system32\Mldhfpib.exe57⤵
- Executes dropped EXE
PID:5088 -
C:\Windows\SysWOW64\Nobdbkhf.exeC:\Windows\system32\Nobdbkhf.exe58⤵
- Executes dropped EXE
PID:4240 -
C:\Windows\SysWOW64\Nemmoe32.exeC:\Windows\system32\Nemmoe32.exe59⤵
- Executes dropped EXE
PID:4320 -
C:\Windows\SysWOW64\Nhkikq32.exeC:\Windows\system32\Nhkikq32.exe60⤵
- Executes dropped EXE
PID:1216 -
C:\Windows\SysWOW64\Noeahkfc.exeC:\Windows\system32\Noeahkfc.exe61⤵
- Executes dropped EXE
PID:3452 -
C:\Windows\SysWOW64\Nacmdf32.exeC:\Windows\system32\Nacmdf32.exe62⤵
- Executes dropped EXE
PID:4764 -
C:\Windows\SysWOW64\Nliaao32.exeC:\Windows\system32\Nliaao32.exe63⤵
- Executes dropped EXE
PID:972 -
C:\Windows\SysWOW64\Nognnj32.exeC:\Windows\system32\Nognnj32.exe64⤵
- Executes dropped EXE
PID:2432 -
C:\Windows\SysWOW64\Nafjjf32.exeC:\Windows\system32\Nafjjf32.exe65⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3604 -
C:\Windows\SysWOW64\Nimbkc32.exeC:\Windows\system32\Nimbkc32.exe66⤵PID:4364
-
C:\Windows\SysWOW64\Nojjcj32.exeC:\Windows\system32\Nojjcj32.exe67⤵PID:2076
-
C:\Windows\SysWOW64\Neccpd32.exeC:\Windows\system32\Neccpd32.exe68⤵PID:4168
-
C:\Windows\SysWOW64\Nlnkmnah.exeC:\Windows\system32\Nlnkmnah.exe69⤵PID:2484
-
C:\Windows\SysWOW64\Nolgijpk.exeC:\Windows\system32\Nolgijpk.exe70⤵PID:4032
-
C:\Windows\SysWOW64\Niakfbpa.exeC:\Windows\system32\Niakfbpa.exe71⤵PID:2560
-
C:\Windows\SysWOW64\Nhdlao32.exeC:\Windows\system32\Nhdlao32.exe72⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:4232 -
C:\Windows\SysWOW64\Oondnini.exeC:\Windows\system32\Oondnini.exe73⤵PID:4236
-
C:\Windows\SysWOW64\Oampjeml.exeC:\Windows\system32\Oampjeml.exe74⤵PID:2200
-
C:\Windows\SysWOW64\Oidhlb32.exeC:\Windows\system32\Oidhlb32.exe75⤵
- Modifies registry class
PID:1612 -
C:\Windows\SysWOW64\Okedcjcm.exeC:\Windows\system32\Okedcjcm.exe76⤵PID:4644
-
C:\Windows\SysWOW64\Ooqqdi32.exeC:\Windows\system32\Ooqqdi32.exe77⤵PID:3476
-
C:\Windows\SysWOW64\Oaompd32.exeC:\Windows\system32\Oaompd32.exe78⤵PID:4952
-
C:\Windows\SysWOW64\Ohiemobf.exeC:\Windows\system32\Ohiemobf.exe79⤵
- Drops file in System32 directory
PID:4192 -
C:\Windows\SysWOW64\Okgaijaj.exeC:\Windows\system32\Okgaijaj.exe80⤵PID:5036
-
C:\Windows\SysWOW64\Oboijgbl.exeC:\Windows\system32\Oboijgbl.exe81⤵
- Modifies registry class
PID:736 -
C:\Windows\SysWOW64\Oemefcap.exeC:\Windows\system32\Oemefcap.exe82⤵PID:4436
-
C:\Windows\SysWOW64\Olgncmim.exeC:\Windows\system32\Olgncmim.exe83⤵PID:3668
-
C:\Windows\SysWOW64\Obafpg32.exeC:\Windows\system32\Obafpg32.exe84⤵PID:1500
-
C:\Windows\SysWOW64\Oeoblb32.exeC:\Windows\system32\Oeoblb32.exe85⤵
- System Location Discovery: System Language Discovery
PID:1480 -
C:\Windows\SysWOW64\Olijhmgj.exeC:\Windows\system32\Olijhmgj.exe86⤵PID:4724
-
C:\Windows\SysWOW64\Obcceg32.exeC:\Windows\system32\Obcceg32.exe87⤵PID:4528
-
C:\Windows\SysWOW64\Oeaoab32.exeC:\Windows\system32\Oeaoab32.exe88⤵PID:4328
-
C:\Windows\SysWOW64\Pllgnl32.exeC:\Windows\system32\Pllgnl32.exe89⤵PID:4064
-
C:\Windows\SysWOW64\Pojcjh32.exeC:\Windows\system32\Pojcjh32.exe90⤵PID:4488
-
C:\Windows\SysWOW64\Pahpfc32.exeC:\Windows\system32\Pahpfc32.exe91⤵PID:1908
-
C:\Windows\SysWOW64\Pedlgbkh.exeC:\Windows\system32\Pedlgbkh.exe92⤵PID:3000
-
C:\Windows\SysWOW64\Phbhcmjl.exeC:\Windows\system32\Phbhcmjl.exe93⤵PID:1356
-
C:\Windows\SysWOW64\Pkadoiip.exeC:\Windows\system32\Pkadoiip.exe94⤵PID:1276
-
C:\Windows\SysWOW64\Pchlpfjb.exeC:\Windows\system32\Pchlpfjb.exe95⤵
- Drops file in System32 directory
PID:2144 -
C:\Windows\SysWOW64\Pefhlaie.exeC:\Windows\system32\Pefhlaie.exe96⤵PID:2152
-
C:\Windows\SysWOW64\Phedhmhi.exeC:\Windows\system32\Phedhmhi.exe97⤵PID:5156
-
C:\Windows\SysWOW64\Pkcadhgm.exeC:\Windows\system32\Pkcadhgm.exe98⤵PID:5216
-
C:\Windows\SysWOW64\Pcjiff32.exeC:\Windows\system32\Pcjiff32.exe99⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5272 -
C:\Windows\SysWOW64\Pamiaboj.exeC:\Windows\system32\Pamiaboj.exe100⤵PID:5324
-
C:\Windows\SysWOW64\Pidabppl.exeC:\Windows\system32\Pidabppl.exe101⤵PID:5372
-
C:\Windows\SysWOW64\Plbmokop.exeC:\Windows\system32\Plbmokop.exe102⤵PID:5420
-
C:\Windows\SysWOW64\Poajkgnc.exeC:\Windows\system32\Poajkgnc.exe103⤵PID:5464
-
C:\Windows\SysWOW64\Papfgbmg.exeC:\Windows\system32\Papfgbmg.exe104⤵PID:5516
-
C:\Windows\SysWOW64\Pkhjph32.exeC:\Windows\system32\Pkhjph32.exe105⤵PID:5572
-
C:\Windows\SysWOW64\Pcobaedj.exeC:\Windows\system32\Pcobaedj.exe106⤵PID:5616
-
C:\Windows\SysWOW64\Pemomqcn.exeC:\Windows\system32\Pemomqcn.exe107⤵PID:5656
-
C:\Windows\SysWOW64\Piijno32.exeC:\Windows\system32\Piijno32.exe108⤵PID:5700
-
C:\Windows\SysWOW64\Qlggjk32.exeC:\Windows\system32\Qlggjk32.exe109⤵PID:5744
-
C:\Windows\SysWOW64\Qofcff32.exeC:\Windows\system32\Qofcff32.exe110⤵PID:5788
-
C:\Windows\SysWOW64\Qcaofebg.exeC:\Windows\system32\Qcaofebg.exe111⤵PID:5832
-
C:\Windows\SysWOW64\Qepkbpak.exeC:\Windows\system32\Qepkbpak.exe112⤵
- Drops file in System32 directory
PID:5876 -
C:\Windows\SysWOW64\Qikgco32.exeC:\Windows\system32\Qikgco32.exe113⤵
- Drops file in System32 directory
PID:5920 -
C:\Windows\SysWOW64\Qljcoj32.exeC:\Windows\system32\Qljcoj32.exe114⤵PID:5964
-
C:\Windows\SysWOW64\Qohpkf32.exeC:\Windows\system32\Qohpkf32.exe115⤵PID:6008
-
C:\Windows\SysWOW64\Qcclld32.exeC:\Windows\system32\Qcclld32.exe116⤵PID:6048
-
C:\Windows\SysWOW64\Qebhhp32.exeC:\Windows\system32\Qebhhp32.exe117⤵PID:6092
-
C:\Windows\SysWOW64\Allpejfe.exeC:\Windows\system32\Allpejfe.exe118⤵PID:6136
-
C:\Windows\SysWOW64\Acfhad32.exeC:\Windows\system32\Acfhad32.exe119⤵PID:5196
-
C:\Windows\SysWOW64\Aaiimadl.exeC:\Windows\system32\Aaiimadl.exe120⤵PID:5296
-
C:\Windows\SysWOW64\Ahcajk32.exeC:\Windows\system32\Ahcajk32.exe121⤵PID:5384
-
C:\Windows\SysWOW64\Aakebqbj.exeC:\Windows\system32\Aakebqbj.exe122⤵PID:5452
-
C:\Windows\SysWOW64\Ahenokjf.exeC:\Windows\system32\Ahenokjf.exe123⤵PID:5528
-
C:\Windows\SysWOW64\Aoofle32.exeC:\Windows\system32\Aoofle32.exe124⤵PID:5596
-
C:\Windows\SysWOW64\Aanbhp32.exeC:\Windows\system32\Aanbhp32.exe125⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5676 -
C:\Windows\SysWOW64\Ahgjejhd.exeC:\Windows\system32\Ahgjejhd.exe126⤵PID:5752
-
C:\Windows\SysWOW64\Alcfei32.exeC:\Windows\system32\Alcfei32.exe127⤵PID:5820
-
C:\Windows\SysWOW64\Acmobchj.exeC:\Windows\system32\Acmobchj.exe128⤵PID:5888
-
C:\Windows\SysWOW64\Aleckinj.exeC:\Windows\system32\Aleckinj.exe129⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5952 -
C:\Windows\SysWOW64\Abbkcpma.exeC:\Windows\system32\Abbkcpma.exe130⤵
- Drops file in System32 directory
- Modifies registry class
PID:6044 -
C:\Windows\SysWOW64\Bjicdmmd.exeC:\Windows\system32\Bjicdmmd.exe131⤵PID:6104
-
C:\Windows\SysWOW64\Bkkple32.exeC:\Windows\system32\Bkkple32.exe132⤵
- Modifies registry class
PID:5200 -
C:\Windows\SysWOW64\Bbdhiojo.exeC:\Windows\system32\Bbdhiojo.exe133⤵PID:5304
-
C:\Windows\SysWOW64\Bljlfh32.exeC:\Windows\system32\Bljlfh32.exe134⤵
- Drops file in System32 directory
PID:5432 -
C:\Windows\SysWOW64\Bohibc32.exeC:\Windows\system32\Bohibc32.exe135⤵
- Modifies registry class
PID:5588 -
C:\Windows\SysWOW64\Bbgeno32.exeC:\Windows\system32\Bbgeno32.exe136⤵PID:5688
-
C:\Windows\SysWOW64\Bjnmpl32.exeC:\Windows\system32\Bjnmpl32.exe137⤵PID:5800
-
C:\Windows\SysWOW64\Bhamkipi.exeC:\Windows\system32\Bhamkipi.exe138⤵
- Drops file in System32 directory
PID:5912 -
C:\Windows\SysWOW64\Bokehc32.exeC:\Windows\system32\Bokehc32.exe139⤵PID:5996
-
C:\Windows\SysWOW64\Bbiado32.exeC:\Windows\system32\Bbiado32.exe140⤵
- System Location Discovery: System Language Discovery
PID:5192 -
C:\Windows\SysWOW64\Bmofagfp.exeC:\Windows\system32\Bmofagfp.exe141⤵
- System Location Discovery: System Language Discovery
PID:5368 -
C:\Windows\SysWOW64\Bcinna32.exeC:\Windows\system32\Bcinna32.exe142⤵PID:5560
-
C:\Windows\SysWOW64\Bblnindg.exeC:\Windows\system32\Bblnindg.exe143⤵PID:5740
-
C:\Windows\SysWOW64\Bmabggdm.exeC:\Windows\system32\Bmabggdm.exe144⤵PID:5904
-
C:\Windows\SysWOW64\Bkdcbd32.exeC:\Windows\system32\Bkdcbd32.exe145⤵PID:6036
-
C:\Windows\SysWOW64\Bbnkonbd.exeC:\Windows\system32\Bbnkonbd.exe146⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5332 -
C:\Windows\SysWOW64\Cihclh32.exeC:\Windows\system32\Cihclh32.exe147⤵PID:5648
-
C:\Windows\SysWOW64\Cobkhb32.exeC:\Windows\system32\Cobkhb32.exe148⤵PID:5960
-
C:\Windows\SysWOW64\Cfldelik.exeC:\Windows\system32\Cfldelik.exe149⤵PID:5300
-
C:\Windows\SysWOW64\Cijpahho.exeC:\Windows\system32\Cijpahho.exe150⤵PID:5644
-
C:\Windows\SysWOW64\Cmflbf32.exeC:\Windows\system32\Cmflbf32.exe151⤵PID:5264
-
C:\Windows\SysWOW64\Codhnb32.exeC:\Windows\system32\Codhnb32.exe152⤵PID:6056
-
C:\Windows\SysWOW64\Cjjlkk32.exeC:\Windows\system32\Cjjlkk32.exe153⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6128 -
C:\Windows\SysWOW64\Cmhigf32.exeC:\Windows\system32\Cmhigf32.exe154⤵
- Drops file in System32 directory
PID:6152 -
C:\Windows\SysWOW64\Cofecami.exeC:\Windows\system32\Cofecami.exe155⤵PID:6196
-
C:\Windows\SysWOW64\Cbeapmll.exeC:\Windows\system32\Cbeapmll.exe156⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:6240 -
C:\Windows\SysWOW64\Cjliajmo.exeC:\Windows\system32\Cjliajmo.exe157⤵PID:6284
-
C:\Windows\SysWOW64\Ckmehb32.exeC:\Windows\system32\Ckmehb32.exe158⤵PID:6328
-
C:\Windows\SysWOW64\Cbgnemjj.exeC:\Windows\system32\Cbgnemjj.exe159⤵PID:6376
-
C:\Windows\SysWOW64\Cjnffjkl.exeC:\Windows\system32\Cjnffjkl.exe160⤵
- Drops file in System32 directory
PID:6420 -
C:\Windows\SysWOW64\Ccgjopal.exeC:\Windows\system32\Ccgjopal.exe161⤵
- Modifies registry class
PID:6464 -
C:\Windows\SysWOW64\Djqblj32.exeC:\Windows\system32\Djqblj32.exe162⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6508 -
C:\Windows\SysWOW64\Dkbocbog.exeC:\Windows\system32\Dkbocbog.exe163⤵PID:6552
-
C:\Windows\SysWOW64\Dblgpl32.exeC:\Windows\system32\Dblgpl32.exe164⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6596 -
C:\Windows\SysWOW64\Djcoai32.exeC:\Windows\system32\Djcoai32.exe165⤵
- System Location Discovery: System Language Discovery
PID:6640 -
C:\Windows\SysWOW64\Dkdliame.exeC:\Windows\system32\Dkdliame.exe166⤵
- Drops file in System32 directory
- Modifies registry class
PID:6684 -
C:\Windows\SysWOW64\Dckdjomg.exeC:\Windows\system32\Dckdjomg.exe167⤵PID:6728
-
C:\Windows\SysWOW64\Djelgied.exeC:\Windows\system32\Djelgied.exe168⤵
- Drops file in System32 directory
PID:6772 -
C:\Windows\SysWOW64\Dmdhcddh.exeC:\Windows\system32\Dmdhcddh.exe169⤵PID:6816
-
C:\Windows\SysWOW64\Dbqqkkbo.exeC:\Windows\system32\Dbqqkkbo.exe170⤵PID:6860
-
C:\Windows\SysWOW64\Djhimica.exeC:\Windows\system32\Djhimica.exe171⤵
- Modifies registry class
PID:6900 -
C:\Windows\SysWOW64\Dpdaepai.exeC:\Windows\system32\Dpdaepai.exe172⤵PID:6956
-
C:\Windows\SysWOW64\Dbcmakpl.exeC:\Windows\system32\Dbcmakpl.exe173⤵PID:7016
-
C:\Windows\SysWOW64\Dimenegi.exeC:\Windows\system32\Dimenegi.exe174⤵PID:7064
-
C:\Windows\SysWOW64\Ecbjkngo.exeC:\Windows\system32\Ecbjkngo.exe175⤵PID:7108
-
C:\Windows\SysWOW64\Ejlbhh32.exeC:\Windows\system32\Ejlbhh32.exe176⤵PID:7152
-
C:\Windows\SysWOW64\Efccmidp.exeC:\Windows\system32\Efccmidp.exe177⤵PID:5624
-
C:\Windows\SysWOW64\Eiaoid32.exeC:\Windows\system32\Eiaoid32.exe178⤵PID:6236
-
C:\Windows\SysWOW64\Eplgeokq.exeC:\Windows\system32\Eplgeokq.exe179⤵PID:6316
-
C:\Windows\SysWOW64\Efepbi32.exeC:\Windows\system32\Efepbi32.exe180⤵PID:6388
-
C:\Windows\SysWOW64\Emphocjj.exeC:\Windows\system32\Emphocjj.exe181⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6456 -
C:\Windows\SysWOW64\Ejchhgid.exeC:\Windows\system32\Ejchhgid.exe182⤵PID:6520
-
C:\Windows\SysWOW64\Eppqqn32.exeC:\Windows\system32\Eppqqn32.exe183⤵
- Modifies registry class
PID:6604 -
C:\Windows\SysWOW64\Ebommi32.exeC:\Windows\system32\Ebommi32.exe184⤵PID:6676
-
C:\Windows\SysWOW64\Eiieicml.exeC:\Windows\system32\Eiieicml.exe185⤵PID:6740
-
C:\Windows\SysWOW64\Fpbmfn32.exeC:\Windows\system32\Fpbmfn32.exe186⤵PID:2608
-
C:\Windows\SysWOW64\Fjhacf32.exeC:\Windows\system32\Fjhacf32.exe187⤵PID:1088
-
C:\Windows\SysWOW64\Fbcfhibj.exeC:\Windows\system32\Fbcfhibj.exe188⤵
- System Location Discovery: System Language Discovery
PID:6876 -
C:\Windows\SysWOW64\Fjjnifbl.exeC:\Windows\system32\Fjjnifbl.exe189⤵PID:6968
-
C:\Windows\SysWOW64\Fmikeaap.exeC:\Windows\system32\Fmikeaap.exe190⤵PID:7052
-
C:\Windows\SysWOW64\Fdccbl32.exeC:\Windows\system32\Fdccbl32.exe191⤵PID:7116
-
C:\Windows\SysWOW64\Ffaong32.exeC:\Windows\system32\Ffaong32.exe192⤵
- Modifies registry class
PID:6160 -
C:\Windows\SysWOW64\Fjmkoeqi.exeC:\Windows\system32\Fjmkoeqi.exe193⤵PID:6272
-
C:\Windows\SysWOW64\Fpjcgm32.exeC:\Windows\system32\Fpjcgm32.exe194⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:6360 -
C:\Windows\SysWOW64\Fibhpbea.exeC:\Windows\system32\Fibhpbea.exe195⤵PID:6476
-
C:\Windows\SysWOW64\Flqdlnde.exeC:\Windows\system32\Flqdlnde.exe196⤵PID:6592
-
C:\Windows\SysWOW64\Fjadje32.exeC:\Windows\system32\Fjadje32.exe197⤵PID:6712
-
C:\Windows\SysWOW64\Fmpqfq32.exeC:\Windows\system32\Fmpqfq32.exe198⤵PID:3264
-
C:\Windows\SysWOW64\Gdjibj32.exeC:\Windows\system32\Gdjibj32.exe199⤵PID:6848
-
C:\Windows\SysWOW64\Gmbmkpie.exeC:\Windows\system32\Gmbmkpie.exe200⤵PID:6976
-
C:\Windows\SysWOW64\Gpqjglii.exeC:\Windows\system32\Gpqjglii.exe201⤵PID:7100
-
C:\Windows\SysWOW64\Gjfnedho.exeC:\Windows\system32\Gjfnedho.exe202⤵PID:6184
-
C:\Windows\SysWOW64\Giinpa32.exeC:\Windows\system32\Giinpa32.exe203⤵PID:6296
-
C:\Windows\SysWOW64\Glgjlm32.exeC:\Windows\system32\Glgjlm32.exe204⤵PID:6560
-
C:\Windows\SysWOW64\Gbabigfj.exeC:\Windows\system32\Gbabigfj.exe205⤵PID:6736
-
C:\Windows\SysWOW64\Gikkfqmf.exeC:\Windows\system32\Gikkfqmf.exe206⤵PID:6800
-
C:\Windows\SysWOW64\Gljgbllj.exeC:\Windows\system32\Gljgbllj.exe207⤵PID:7032
-
C:\Windows\SysWOW64\Gbdoof32.exeC:\Windows\system32\Gbdoof32.exe208⤵PID:7136
-
C:\Windows\SysWOW64\Gmiclo32.exeC:\Windows\system32\Gmiclo32.exe209⤵PID:6412
-
C:\Windows\SysWOW64\Gphphj32.exeC:\Windows\system32\Gphphj32.exe210⤵PID:6780
-
C:\Windows\SysWOW64\Gkmdecbg.exeC:\Windows\system32\Gkmdecbg.exe211⤵
- Drops file in System32 directory
PID:6948 -
C:\Windows\SysWOW64\Hloqml32.exeC:\Windows\system32\Hloqml32.exe212⤵
- Modifies registry class
PID:6584 -
C:\Windows\SysWOW64\Hdehni32.exeC:\Windows\system32\Hdehni32.exe213⤵PID:6724
-
C:\Windows\SysWOW64\Hkpqkcpd.exeC:\Windows\system32\Hkpqkcpd.exe214⤵PID:7024
-
C:\Windows\SysWOW64\Hlambk32.exeC:\Windows\system32\Hlambk32.exe215⤵PID:6524
-
C:\Windows\SysWOW64\Hckeoeno.exeC:\Windows\system32\Hckeoeno.exe216⤵PID:6808
-
C:\Windows\SysWOW64\Hkbmqb32.exeC:\Windows\system32\Hkbmqb32.exe217⤵PID:7140
-
C:\Windows\SysWOW64\Hpofii32.exeC:\Windows\system32\Hpofii32.exe218⤵PID:6460
-
C:\Windows\SysWOW64\Hkdjfb32.exeC:\Windows\system32\Hkdjfb32.exe219⤵PID:7200
-
C:\Windows\SysWOW64\Hlegnjbm.exeC:\Windows\system32\Hlegnjbm.exe220⤵
- Modifies registry class
PID:7244 -
C:\Windows\SysWOW64\Hcpojd32.exeC:\Windows\system32\Hcpojd32.exe221⤵PID:7288
-
C:\Windows\SysWOW64\Hiiggoaf.exeC:\Windows\system32\Hiiggoaf.exe222⤵
- Drops file in System32 directory
PID:7332 -
C:\Windows\SysWOW64\Hmechmip.exeC:\Windows\system32\Hmechmip.exe223⤵PID:7376
-
C:\Windows\SysWOW64\Hcblpdgg.exeC:\Windows\system32\Hcblpdgg.exe224⤵PID:7420
-
C:\Windows\SysWOW64\Ingpmmgm.exeC:\Windows\system32\Ingpmmgm.exe225⤵PID:7464
-
C:\Windows\SysWOW64\Idahjg32.exeC:\Windows\system32\Idahjg32.exe226⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:7508 -
C:\Windows\SysWOW64\Iinqbn32.exeC:\Windows\system32\Iinqbn32.exe227⤵
- Drops file in System32 directory
PID:7552 -
C:\Windows\SysWOW64\Ilmmni32.exeC:\Windows\system32\Ilmmni32.exe228⤵PID:7596
-
C:\Windows\SysWOW64\Iknmla32.exeC:\Windows\system32\Iknmla32.exe229⤵
- System Location Discovery: System Language Discovery
PID:7640 -
C:\Windows\SysWOW64\Iloidijb.exeC:\Windows\system32\Iloidijb.exe230⤵
- System Location Discovery: System Language Discovery
PID:7684 -
C:\Windows\SysWOW64\Iciaqc32.exeC:\Windows\system32\Iciaqc32.exe231⤵PID:7728
-
C:\Windows\SysWOW64\Ikpjbq32.exeC:\Windows\system32\Ikpjbq32.exe232⤵PID:7772
-
C:\Windows\SysWOW64\Innfnl32.exeC:\Windows\system32\Innfnl32.exe233⤵PID:7816
-
C:\Windows\SysWOW64\Idhnkf32.exeC:\Windows\system32\Idhnkf32.exe234⤵
- Modifies registry class
PID:7860 -
C:\Windows\SysWOW64\Ikbfgppo.exeC:\Windows\system32\Ikbfgppo.exe235⤵
- Drops file in System32 directory
- Modifies registry class
PID:7924 -
C:\Windows\SysWOW64\Ijegcm32.exeC:\Windows\system32\Ijegcm32.exe236⤵PID:7988
-
C:\Windows\SysWOW64\Ilccoh32.exeC:\Windows\system32\Ilccoh32.exe237⤵PID:8052
-
C:\Windows\SysWOW64\Idkkpf32.exeC:\Windows\system32\Idkkpf32.exe238⤵PID:8100
-
C:\Windows\SysWOW64\Igigla32.exeC:\Windows\system32\Igigla32.exe239⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:8176 -
C:\Windows\SysWOW64\Jjgchm32.exeC:\Windows\system32\Jjgchm32.exe240⤵PID:7228
-
C:\Windows\SysWOW64\Jncoikmp.exeC:\Windows\system32\Jncoikmp.exe241⤵PID:7312
-
C:\Windows\SysWOW64\Jpaleglc.exeC:\Windows\system32\Jpaleglc.exe242⤵PID:7384