Analysis
-
max time kernel
92s -
max time network
138s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
10-11-2024 01:27
Static task
static1
Behavioral task
behavioral1
Sample
a8754c4dc2ac433e749f5251f171780a5cbcf3ecc7a5e698210d90bf8e1f9434.exe
Resource
win7-20241010-en
Behavioral task
behavioral2
Sample
a8754c4dc2ac433e749f5251f171780a5cbcf3ecc7a5e698210d90bf8e1f9434.exe
Resource
win10v2004-20241007-en
General
-
Target
a8754c4dc2ac433e749f5251f171780a5cbcf3ecc7a5e698210d90bf8e1f9434.exe
-
Size
92KB
-
MD5
b0f194d837108df394fb9f9552c3adce
-
SHA1
b2e5c8c2e185b0f8c39a08fe9b061a0e7f81b322
-
SHA256
a8754c4dc2ac433e749f5251f171780a5cbcf3ecc7a5e698210d90bf8e1f9434
-
SHA512
3e4512c383100d26717123de30f1178aa140821ad50dba822cbc829d80c382464bbf092231de8d5165c13d4486e7799b6df14a0cd056882e762268d5ea1e72de
-
SSDEEP
1536:pJDwvBNjndB3tpL4mOp9XT3layJycc5MOQOUJMXJJkLzxX144OynKQrUoR24HsUs:YBRdBl09XTrw1UqZJkLB144U6THsR
Malware Config
Extracted
berbew
http://f/wcmd.htm
http://f/ppslog.php
http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
Processes:
Mhbmphjm.exeBfqkddfd.exeBhldpj32.exeLgibpf32.exeCibain32.exePlhnda32.exeKncaec32.exeAphnnafb.exeGiljfddl.exePjkmomfn.exeBgdemb32.exeDfjgaq32.exePkcadhgm.exeHienlpel.exeKjgeedch.exeAjdbac32.exeNhmeapmd.exeMcpcdg32.exeDhomfc32.exeMkadfj32.exeOjajin32.exeFbhpch32.exeLgccinoe.exeHpfbcn32.exeKolabf32.exeMeamcg32.exeOjigdcll.exeAfcmfe32.exeAibibp32.exeIkbfgppo.exeJnlbojee.exePocpfphe.exeQpcecb32.exeFqgedh32.exeNookip32.exeEbejfk32.exeGgahedjn.exeBlqllqqa.exeOlgemcli.exeOcffempp.exeCfqmpl32.exeNmnqjp32.exeKapfiqoj.exeKpqggh32.exeAbbkcpma.exeNijqcf32.exeCpacqg32.exeMbedga32.exeMmbanbmg.exeEangpgcl.exeLpfgmnfp.exeEghkjdoa.exeGegkpf32.exeAjjjocap.exeDiicml32.exeNbefdijg.exeDqpfmlce.exeNhhdnf32.exeCbbnpg32.exeAogbfi32.exePmblagmf.exePcgdhkem.exeImgicgca.exeMcifkf32.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mhbmphjm.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bfqkddfd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bhldpj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lgibpf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cibain32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Plhnda32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kncaec32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aphnnafb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Giljfddl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pjkmomfn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bgdemb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dfjgaq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pkcadhgm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hienlpel.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kjgeedch.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ajdbac32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nhmeapmd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mcpcdg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dhomfc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mkadfj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ojajin32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fbhpch32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lgccinoe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hpfbcn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kolabf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Meamcg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ojigdcll.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Afcmfe32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aibibp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ikbfgppo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jnlbojee.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pocpfphe.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qpcecb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fqgedh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nookip32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ebejfk32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ggahedjn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Blqllqqa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Olgemcli.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ocffempp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cfqmpl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nmnqjp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kapfiqoj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kpqggh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Abbkcpma.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nijqcf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cpacqg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mbedga32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mmbanbmg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eangpgcl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lpfgmnfp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eghkjdoa.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gegkpf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ajjjocap.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Diicml32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nbefdijg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dqpfmlce.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nhhdnf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cbbnpg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aogbfi32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pmblagmf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pcgdhkem.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Imgicgca.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mcifkf32.exe -
Berbew family
-
Executes dropped EXE 64 IoCs
Processes:
Llpmoiof.exeLfealaol.exeLlbidimc.exeLnqeqd32.exeLifjnm32.exeLldfjh32.exeLfjjga32.exeLhkgoiqe.exeLoeolc32.exeLikcilhh.exeLlipehgk.exeLbchba32.exeMlklkgei.exeMbedga32.exeMhbmphjm.exeMbhamajc.exeMefmimif.exeMlpeff32.exeMbjnbqhp.exeMhgfkg32.exeMoaogand.exeMfhfhong.exeMleoafmn.exeMbognp32.exeMfjcnold.exeNlglfe32.exeNbadcpbh.exeNhnlkfpp.exeNohehq32.exeNebmekoi.exeNpgabc32.exeNgaionfl.exeNhbfff32.exeNomncpcg.exeNeffpj32.exeNibbqicm.exeNlqomd32.exeNookip32.exeOidofh32.exeOlckbd32.exeOcmconhk.exeOekpkigo.exeOlehhc32.exeOocddono.exeOgklelna.exeOiihahme.exeOlgemcli.exeOcamjm32.exeOileggkb.exeOpemca32.exeOcdjpmac.exeOebflhaf.exeOllnhb32.exeOcffempp.exePjpobg32.exePloknb32.exePcicklnn.exePhelcc32.exePlagcbdn.exePckppl32.exePjehmfch.exePpopjp32.exePcmlfl32.exePhjenbhp.exepid process 4020 Llpmoiof.exe 1328 Lfealaol.exe 2344 Llbidimc.exe 5020 Lnqeqd32.exe 2588 Lifjnm32.exe 2644 Lldfjh32.exe 4468 Lfjjga32.exe 4640 Lhkgoiqe.exe 1380 Loeolc32.exe 3032 Likcilhh.exe 2308 Llipehgk.exe 2224 Lbchba32.exe 4584 Mlklkgei.exe 1388 Mbedga32.exe 4024 Mhbmphjm.exe 1700 Mbhamajc.exe 1692 Mefmimif.exe 3784 Mlpeff32.exe 4920 Mbjnbqhp.exe 1356 Mhgfkg32.exe 1372 Moaogand.exe 2900 Mfhfhong.exe 3024 Mleoafmn.exe 4632 Mbognp32.exe 1540 Mfjcnold.exe 5052 Nlglfe32.exe 2836 Nbadcpbh.exe 964 Nhnlkfpp.exe 2832 Nohehq32.exe 2016 Nebmekoi.exe 2996 Npgabc32.exe 3624 Ngaionfl.exe 2904 Nhbfff32.exe 2476 Nomncpcg.exe 1192 Neffpj32.exe 1080 Nibbqicm.exe 3788 Nlqomd32.exe 2388 Nookip32.exe 2104 Oidofh32.exe 2688 Olckbd32.exe 3668 Ocmconhk.exe 1464 Oekpkigo.exe 4964 Olehhc32.exe 1188 Oocddono.exe 1984 Ogklelna.exe 4876 Oiihahme.exe 836 Olgemcli.exe 3560 Ocamjm32.exe 5032 Oileggkb.exe 3468 Opemca32.exe 4856 Ocdjpmac.exe 4776 Oebflhaf.exe 4568 Ollnhb32.exe 3144 Ocffempp.exe 2028 Pjpobg32.exe 3660 Ploknb32.exe 3644 Pcicklnn.exe 3940 Phelcc32.exe 3396 Plagcbdn.exe 4156 Pckppl32.exe 4916 Pjehmfch.exe 2788 Ppopjp32.exe 4056 Pcmlfl32.exe 1560 Phjenbhp.exe -
Drops file in System32 directory 64 IoCs
Processes:
Ikbfgppo.exePalbgl32.exePopbpqjh.exeCponen32.exeHbihjifh.exeJllhpkfk.exeJjmcnbdm.exeNknobkje.exeLqojclne.exeCohkokgj.exeJbojlfdp.exeMjpjgj32.exeEangpgcl.exeNeoieenp.exeAlnfpcag.exeDpqodfij.exeAfockelf.exeCigkdmel.exeInmpcc32.exeInjmcmej.exeLikhem32.exeDfhjkabi.exeKcpahpmd.exeDigehphc.exeAlkijdci.exeAcpbbi32.exeNefped32.exeOhfami32.exeCpogkhnl.exeHibafp32.exeNccokk32.exeLchfib32.exeOophlo32.exeDckdjomg.exeEfccmidp.exeGgahedjn.exeMmnhcb32.exeFganqbgg.exeOcgkan32.exePckppl32.exeMlmbfqoj.exeCbphdn32.exePcgdhkem.exeCcppmc32.exeAhmjjoig.exeGihpkd32.exeNbadcpbh.exePhlacbfm.exeDfiildio.exeLaiipofp.exeAdepji32.exeEmphocjj.exeLfeljd32.exeEbkbbmqj.exeJnlbojee.exeAddaif32.exeKofkbk32.exePccahbmn.exeOekpkigo.exedescription ioc process File opened for modification C:\Windows\SysWOW64\Ipoopgnf.exe Ikbfgppo.exe File opened for modification C:\Windows\SysWOW64\Phfjcf32.exe Palbgl32.exe File created C:\Windows\SysWOW64\Paoollik.exe Popbpqjh.exe File opened for modification C:\Windows\SysWOW64\Chfegk32.exe Cponen32.exe File created C:\Windows\SysWOW64\Hhfpbpdo.exe Hbihjifh.exe File created C:\Windows\SysWOW64\Jojdlfeo.exe Jllhpkfk.exe File created C:\Windows\SysWOW64\Hkhiofap.dll Jjmcnbdm.exe File created C:\Windows\SysWOW64\Bcodim32.dll Nknobkje.exe File created C:\Windows\SysWOW64\Lgibpf32.exe Lqojclne.exe File created C:\Windows\SysWOW64\Bgfeip32.dll Cohkokgj.exe File created C:\Windows\SysWOW64\Iokifhcf.dll Jbojlfdp.exe File created C:\Windows\SysWOW64\Mqjbddpl.exe Mjpjgj32.exe File opened for modification C:\Windows\SysWOW64\Edmclccp.exe Eangpgcl.exe File opened for modification C:\Windows\SysWOW64\Nhmeapmd.exe Neoieenp.exe File created C:\Windows\SysWOW64\Hlmkgk32.dll Alnfpcag.exe File opened for modification C:\Windows\SysWOW64\Dclkee32.exe Dpqodfij.exe File created C:\Windows\SysWOW64\Defgao32.dll Afockelf.exe File created C:\Windows\SysWOW64\Cpacqg32.exe Cigkdmel.exe File opened for modification C:\Windows\SysWOW64\Idghpmnp.exe Inmpcc32.exe File opened for modification C:\Windows\SysWOW64\Icfekc32.exe Injmcmej.exe File opened for modification C:\Windows\SysWOW64\Lpepbgbd.exe Likhem32.exe File created C:\Windows\SysWOW64\Djdflp32.exe Dfhjkabi.exe File created C:\Windows\SysWOW64\Kdpmbc32.exe Kcpahpmd.exe File created C:\Windows\SysWOW64\Dndnpf32.exe Digehphc.exe File created C:\Windows\SysWOW64\Amoljp32.dll Alkijdci.exe File created C:\Windows\SysWOW64\Ajjjocap.exe Acpbbi32.exe File created C:\Windows\SysWOW64\Nhdlao32.exe Nefped32.exe File created C:\Windows\SysWOW64\Ojdnid32.exe Ohfami32.exe File created C:\Windows\SysWOW64\Fbcolk32.dll Cpogkhnl.exe File created C:\Windows\SysWOW64\Nmpgal32.dll Hibafp32.exe File created C:\Windows\SysWOW64\Njmhhefi.exe Nccokk32.exe File created C:\Windows\SysWOW64\Hnflfgji.dll Cponen32.exe File opened for modification C:\Windows\SysWOW64\Ljbnfleo.exe Lchfib32.exe File created C:\Windows\SysWOW64\Hpoejj32.dll Oophlo32.exe File opened for modification C:\Windows\SysWOW64\Nhdlao32.exe Nefped32.exe File created C:\Windows\SysWOW64\Dfjpfj32.exe Dckdjomg.exe File opened for modification C:\Windows\SysWOW64\Emphocjj.exe Efccmidp.exe File opened for modification C:\Windows\SysWOW64\Amikgpcc.exe Afockelf.exe File created C:\Windows\SysWOW64\Hnfdcegm.dll Ggahedjn.exe File created C:\Windows\SysWOW64\Paedlhhc.dll Mmnhcb32.exe File opened for modification C:\Windows\SysWOW64\Ojdnid32.exe Ohfami32.exe File created C:\Windows\SysWOW64\Fnkfmm32.exe Fganqbgg.exe File created C:\Windows\SysWOW64\Dkjfaikb.dll Ocgkan32.exe File opened for modification C:\Windows\SysWOW64\Pjehmfch.exe Pckppl32.exe File created C:\Windows\SysWOW64\Hcaihm32.dll Mlmbfqoj.exe File created C:\Windows\SysWOW64\Ambahc32.dll Cbphdn32.exe File opened for modification C:\Windows\SysWOW64\Pidlqb32.exe Pcgdhkem.exe File created C:\Windows\SysWOW64\Fiplni32.dll Ccppmc32.exe File opened for modification C:\Windows\SysWOW64\Akkffkhk.exe Ahmjjoig.exe File created C:\Windows\SysWOW64\Opnaqk32.dll Gihpkd32.exe File created C:\Windows\SysWOW64\Nhnlkfpp.exe Nbadcpbh.exe File opened for modification C:\Windows\SysWOW64\Plhnda32.exe Phlacbfm.exe File created C:\Windows\SysWOW64\Nklinjmj.dll Dfiildio.exe File opened for modification C:\Windows\SysWOW64\Llnnmhfe.exe Laiipofp.exe File opened for modification C:\Windows\SysWOW64\Afcmfe32.exe Adepji32.exe File created C:\Windows\SysWOW64\Eciplm32.exe Emphocjj.exe File created C:\Windows\SysWOW64\Lgdidgjg.exe Lfeljd32.exe File opened for modification C:\Windows\SysWOW64\Eqncnj32.exe Ebkbbmqj.exe File created C:\Windows\SysWOW64\Ejljgqdp.dll Jnlbojee.exe File created C:\Windows\SysWOW64\Hkajlm32.dll Addaif32.exe File created C:\Windows\SysWOW64\Cdecgbfa.exe Cohkokgj.exe File created C:\Windows\SysWOW64\Ekamnhne.dll Kofkbk32.exe File created C:\Windows\SysWOW64\Gbfnjgdn.dll Pccahbmn.exe File created C:\Windows\SysWOW64\Olehhc32.exe Oekpkigo.exe -
Program crash 1 IoCs
Processes:
WerFault.exepid pid_target process target process 7364 9136 WerFault.exe Diqnjl32.exe -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
Nolgijpk.exeMkadfj32.exeHejqldci.exeNjghbl32.exeNlphbnoe.exeGnepna32.exeNnafno32.exeCjhfpa32.exeEkodjiol.exeKoodbl32.exeHfaajnfb.exeNpiiffqe.exeIlibdmgp.exeDmadco32.exeEiahnnph.exeFlmqlg32.exeNemmoe32.exeQfjjpf32.exeInjmcmej.exeKpoalo32.exeGgkqgaol.exeBfqkddfd.exeLikhem32.exeLcmodajm.exeJleijb32.exeOabhfg32.exeCgndoeag.exeDhlpqc32.exeJjjghcfp.exeNjljch32.exeIkbfgppo.exeGbpedjnb.exeKadpdp32.exeAoalgn32.exeIlphdlqh.exePkogiikb.exeAlnmjjdb.exeNcofplba.exeAkcjkfij.exeMnfnlf32.exeIeidhh32.exeEnkmfolf.exeLeenhhdn.exeLjilqnlm.exeNhbolp32.exeIbegfglj.exeNohehq32.exeNbnpcj32.exeBohbhmfm.exeMcoljagj.exeGkiaej32.exeFpggamqc.exeNjmhhefi.exePcbkml32.exeHlegnjbm.exeNmnqjp32.exeLnqeqd32.exeBcfahbpo.exeDfjpfj32.exeDnmaea32.exeEciplm32.exeJgkmgk32.exeOmnjojpo.exeEdmclccp.exedescription ioc process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nolgijpk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mkadfj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hejqldci.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Njghbl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nlphbnoe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gnepna32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nnafno32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cjhfpa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ekodjiol.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Koodbl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hfaajnfb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Npiiffqe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ilibdmgp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dmadco32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eiahnnph.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Flmqlg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nemmoe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qfjjpf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Injmcmej.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kpoalo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ggkqgaol.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bfqkddfd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Likhem32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lcmodajm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jleijb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oabhfg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cgndoeag.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dhlpqc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jjjghcfp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Njljch32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ikbfgppo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gbpedjnb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kadpdp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aoalgn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ilphdlqh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pkogiikb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Alnmjjdb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ncofplba.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Akcjkfij.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mnfnlf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ieidhh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Enkmfolf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Leenhhdn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ljilqnlm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nhbolp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ibegfglj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nohehq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nbnpcj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bohbhmfm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mcoljagj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gkiaej32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fpggamqc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Njmhhefi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pcbkml32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hlegnjbm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nmnqjp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lnqeqd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bcfahbpo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dfjpfj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dnmaea32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eciplm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jgkmgk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Omnjojpo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Edmclccp.exe -
Modifies registry class 64 IoCs
Processes:
Njkkbehl.exeDnonkq32.exeGegkpf32.exeObjpoh32.exeOcdjpmac.exeBggnof32.exeDmbbhkjf.exeDcogje32.exeHaafcb32.exeJgbjbp32.exeBemqih32.exeMleoafmn.exePpdbgncl.exeEnkmfolf.exeBaegibae.exeKabcopmg.exeBhnikc32.exeJiglnf32.exePnmopk32.exeAjdbac32.exeCigkdmel.exeDcigeooj.exeKpqggh32.exeCibain32.exeDojqjdbl.exeHkjjlhle.exeOkgaijaj.exeNmlddqem.exeOocddono.exeBmomlnjk.exeHgfapd32.exeOobfob32.exeEkaapi32.exeKplmliko.exeMfjcnold.exeQadoba32.exeHbnaeh32.exeNefped32.exeGlengm32.exeJnlbojee.exeNjmhhefi.exeGehbjm32.exeNcpeaoih.exeDkkaiphj.exeMefmimif.exeGflhoo32.exeKncaec32.exeJllhpkfk.exeOcnabm32.exeDooaoj32.exeHpmpnp32.exeJjopcb32.exeNacmdf32.exeAanbhp32.exeNccokk32.exeNcchae32.exeMhgfkg32.exePhcgcqab.exeBebjdgmj.exeFlmqlg32.exeQacameaj.exeAgimkk32.exeIbegfglj.exedescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Njkkbehl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebjjgd32.dll" Dnonkq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gedhfp32.dll" Gegkpf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Objpoh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ocdjpmac.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bggnof32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dikhjofo.dll" Dmbbhkjf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dcogje32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Moqkim32.dll" Haafcb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ajfmkfhq.dll" Jgbjbp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bemqih32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pialao32.dll" Mleoafmn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ppdbgncl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oondonie.dll" Enkmfolf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ehojko32.dll" Baegibae.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kabcopmg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bhnikc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Accimdgp.dll" Jiglnf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pnmopk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Apmpkall.dll" Ajdbac32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghfqhkbn.dll" Cigkdmel.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ikfghc32.dll" Dcigeooj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kpqggh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ejnnldhi.dll" Cibain32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jilpfgkh.dll" Dojqjdbl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hkjjlhle.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Okgaijaj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Miongake.dll" Nmlddqem.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gphqhffa.dll" Oocddono.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Edogedqq.dll" Bmomlnjk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gefchq32.dll" Hgfapd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Oobfob32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ekaapi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kplmliko.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mfjcnold.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Qadoba32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hbnaeh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnhmla32.dll" Nefped32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Glengm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jnlbojee.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Njmhhefi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jongga32.dll" Gehbjm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ncpeaoih.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dkkaiphj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mefmimif.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Gflhoo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kncaec32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jllhpkfk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ocnabm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dooaoj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hpmpnp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ejlacgdj.dll" Jjopcb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oipckj32.dll" Nacmdf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Aanbhp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oodlnfco.dll" Nccokk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ncchae32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ncchae32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cllhoapg.dll" Mhgfkg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogakfe32.dll" Phcgcqab.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bebjdgmj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Flmqlg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Qacameaj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Agimkk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ibegfglj.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
a8754c4dc2ac433e749f5251f171780a5cbcf3ecc7a5e698210d90bf8e1f9434.exeLlpmoiof.exeLfealaol.exeLlbidimc.exeLnqeqd32.exeLifjnm32.exeLldfjh32.exeLfjjga32.exeLhkgoiqe.exeLoeolc32.exeLikcilhh.exeLlipehgk.exeLbchba32.exeMlklkgei.exeMbedga32.exeMhbmphjm.exeMbhamajc.exeMefmimif.exeMlpeff32.exeMbjnbqhp.exeMhgfkg32.exeMoaogand.exedescription pid process target process PID 2800 wrote to memory of 4020 2800 a8754c4dc2ac433e749f5251f171780a5cbcf3ecc7a5e698210d90bf8e1f9434.exe Llpmoiof.exe PID 2800 wrote to memory of 4020 2800 a8754c4dc2ac433e749f5251f171780a5cbcf3ecc7a5e698210d90bf8e1f9434.exe Llpmoiof.exe PID 2800 wrote to memory of 4020 2800 a8754c4dc2ac433e749f5251f171780a5cbcf3ecc7a5e698210d90bf8e1f9434.exe Llpmoiof.exe PID 4020 wrote to memory of 1328 4020 Llpmoiof.exe Lfealaol.exe PID 4020 wrote to memory of 1328 4020 Llpmoiof.exe Lfealaol.exe PID 4020 wrote to memory of 1328 4020 Llpmoiof.exe Lfealaol.exe PID 1328 wrote to memory of 2344 1328 Lfealaol.exe Llbidimc.exe PID 1328 wrote to memory of 2344 1328 Lfealaol.exe Llbidimc.exe PID 1328 wrote to memory of 2344 1328 Lfealaol.exe Llbidimc.exe PID 2344 wrote to memory of 5020 2344 Llbidimc.exe Lnqeqd32.exe PID 2344 wrote to memory of 5020 2344 Llbidimc.exe Lnqeqd32.exe PID 2344 wrote to memory of 5020 2344 Llbidimc.exe Lnqeqd32.exe PID 5020 wrote to memory of 2588 5020 Lnqeqd32.exe Lifjnm32.exe PID 5020 wrote to memory of 2588 5020 Lnqeqd32.exe Lifjnm32.exe PID 5020 wrote to memory of 2588 5020 Lnqeqd32.exe Lifjnm32.exe PID 2588 wrote to memory of 2644 2588 Lifjnm32.exe Lldfjh32.exe PID 2588 wrote to memory of 2644 2588 Lifjnm32.exe Lldfjh32.exe PID 2588 wrote to memory of 2644 2588 Lifjnm32.exe Lldfjh32.exe PID 2644 wrote to memory of 4468 2644 Lldfjh32.exe Lfjjga32.exe PID 2644 wrote to memory of 4468 2644 Lldfjh32.exe Lfjjga32.exe PID 2644 wrote to memory of 4468 2644 Lldfjh32.exe Lfjjga32.exe PID 4468 wrote to memory of 4640 4468 Lfjjga32.exe Lhkgoiqe.exe PID 4468 wrote to memory of 4640 4468 Lfjjga32.exe Lhkgoiqe.exe PID 4468 wrote to memory of 4640 4468 Lfjjga32.exe Lhkgoiqe.exe PID 4640 wrote to memory of 1380 4640 Lhkgoiqe.exe Loeolc32.exe PID 4640 wrote to memory of 1380 4640 Lhkgoiqe.exe Loeolc32.exe PID 4640 wrote to memory of 1380 4640 Lhkgoiqe.exe Loeolc32.exe PID 1380 wrote to memory of 3032 1380 Loeolc32.exe Likcilhh.exe PID 1380 wrote to memory of 3032 1380 Loeolc32.exe Likcilhh.exe PID 1380 wrote to memory of 3032 1380 Loeolc32.exe Likcilhh.exe PID 3032 wrote to memory of 2308 3032 Likcilhh.exe Llipehgk.exe PID 3032 wrote to memory of 2308 3032 Likcilhh.exe Llipehgk.exe PID 3032 wrote to memory of 2308 3032 Likcilhh.exe Llipehgk.exe PID 2308 wrote to memory of 2224 2308 Llipehgk.exe Lbchba32.exe PID 2308 wrote to memory of 2224 2308 Llipehgk.exe Lbchba32.exe PID 2308 wrote to memory of 2224 2308 Llipehgk.exe Lbchba32.exe PID 2224 wrote to memory of 4584 2224 Lbchba32.exe Mlklkgei.exe PID 2224 wrote to memory of 4584 2224 Lbchba32.exe Mlklkgei.exe PID 2224 wrote to memory of 4584 2224 Lbchba32.exe Mlklkgei.exe PID 4584 wrote to memory of 1388 4584 Mlklkgei.exe Mbedga32.exe PID 4584 wrote to memory of 1388 4584 Mlklkgei.exe Mbedga32.exe PID 4584 wrote to memory of 1388 4584 Mlklkgei.exe Mbedga32.exe PID 1388 wrote to memory of 4024 1388 Mbedga32.exe Mhbmphjm.exe PID 1388 wrote to memory of 4024 1388 Mbedga32.exe Mhbmphjm.exe PID 1388 wrote to memory of 4024 1388 Mbedga32.exe Mhbmphjm.exe PID 4024 wrote to memory of 1700 4024 Mhbmphjm.exe Mbhamajc.exe PID 4024 wrote to memory of 1700 4024 Mhbmphjm.exe Mbhamajc.exe PID 4024 wrote to memory of 1700 4024 Mhbmphjm.exe Mbhamajc.exe PID 1700 wrote to memory of 1692 1700 Mbhamajc.exe Mefmimif.exe PID 1700 wrote to memory of 1692 1700 Mbhamajc.exe Mefmimif.exe PID 1700 wrote to memory of 1692 1700 Mbhamajc.exe Mefmimif.exe PID 1692 wrote to memory of 3784 1692 Mefmimif.exe Mlpeff32.exe PID 1692 wrote to memory of 3784 1692 Mefmimif.exe Mlpeff32.exe PID 1692 wrote to memory of 3784 1692 Mefmimif.exe Mlpeff32.exe PID 3784 wrote to memory of 4920 3784 Mlpeff32.exe Mbjnbqhp.exe PID 3784 wrote to memory of 4920 3784 Mlpeff32.exe Mbjnbqhp.exe PID 3784 wrote to memory of 4920 3784 Mlpeff32.exe Mbjnbqhp.exe PID 4920 wrote to memory of 1356 4920 Mbjnbqhp.exe Mhgfkg32.exe PID 4920 wrote to memory of 1356 4920 Mbjnbqhp.exe Mhgfkg32.exe PID 4920 wrote to memory of 1356 4920 Mbjnbqhp.exe Mhgfkg32.exe PID 1356 wrote to memory of 1372 1356 Mhgfkg32.exe Moaogand.exe PID 1356 wrote to memory of 1372 1356 Mhgfkg32.exe Moaogand.exe PID 1356 wrote to memory of 1372 1356 Mhgfkg32.exe Moaogand.exe PID 1372 wrote to memory of 2900 1372 Moaogand.exe Mfhfhong.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\a8754c4dc2ac433e749f5251f171780a5cbcf3ecc7a5e698210d90bf8e1f9434.exe"C:\Users\Admin\AppData\Local\Temp\a8754c4dc2ac433e749f5251f171780a5cbcf3ecc7a5e698210d90bf8e1f9434.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2800 -
C:\Windows\SysWOW64\Llpmoiof.exeC:\Windows\system32\Llpmoiof.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4020 -
C:\Windows\SysWOW64\Lfealaol.exeC:\Windows\system32\Lfealaol.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1328 -
C:\Windows\SysWOW64\Llbidimc.exeC:\Windows\system32\Llbidimc.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2344 -
C:\Windows\SysWOW64\Lnqeqd32.exeC:\Windows\system32\Lnqeqd32.exe5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:5020 -
C:\Windows\SysWOW64\Lifjnm32.exeC:\Windows\system32\Lifjnm32.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2588 -
C:\Windows\SysWOW64\Lldfjh32.exeC:\Windows\system32\Lldfjh32.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2644 -
C:\Windows\SysWOW64\Lfjjga32.exeC:\Windows\system32\Lfjjga32.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4468 -
C:\Windows\SysWOW64\Lhkgoiqe.exeC:\Windows\system32\Lhkgoiqe.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4640 -
C:\Windows\SysWOW64\Loeolc32.exeC:\Windows\system32\Loeolc32.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1380 -
C:\Windows\SysWOW64\Likcilhh.exeC:\Windows\system32\Likcilhh.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3032 -
C:\Windows\SysWOW64\Llipehgk.exeC:\Windows\system32\Llipehgk.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2308 -
C:\Windows\SysWOW64\Lbchba32.exeC:\Windows\system32\Lbchba32.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2224 -
C:\Windows\SysWOW64\Mlklkgei.exeC:\Windows\system32\Mlklkgei.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4584 -
C:\Windows\SysWOW64\Mbedga32.exeC:\Windows\system32\Mbedga32.exe15⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1388 -
C:\Windows\SysWOW64\Mhbmphjm.exeC:\Windows\system32\Mhbmphjm.exe16⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4024 -
C:\Windows\SysWOW64\Mbhamajc.exeC:\Windows\system32\Mbhamajc.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1700 -
C:\Windows\SysWOW64\Mefmimif.exeC:\Windows\system32\Mefmimif.exe18⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1692 -
C:\Windows\SysWOW64\Mlpeff32.exeC:\Windows\system32\Mlpeff32.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3784 -
C:\Windows\SysWOW64\Mbjnbqhp.exeC:\Windows\system32\Mbjnbqhp.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4920 -
C:\Windows\SysWOW64\Mhgfkg32.exeC:\Windows\system32\Mhgfkg32.exe21⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1356 -
C:\Windows\SysWOW64\Moaogand.exeC:\Windows\system32\Moaogand.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1372 -
C:\Windows\SysWOW64\Mfhfhong.exeC:\Windows\system32\Mfhfhong.exe23⤵
- Executes dropped EXE
PID:2900 -
C:\Windows\SysWOW64\Mleoafmn.exeC:\Windows\system32\Mleoafmn.exe24⤵
- Executes dropped EXE
- Modifies registry class
PID:3024 -
C:\Windows\SysWOW64\Mbognp32.exeC:\Windows\system32\Mbognp32.exe25⤵
- Executes dropped EXE
PID:4632 -
C:\Windows\SysWOW64\Mfjcnold.exeC:\Windows\system32\Mfjcnold.exe26⤵
- Executes dropped EXE
- Modifies registry class
PID:1540 -
C:\Windows\SysWOW64\Nlglfe32.exeC:\Windows\system32\Nlglfe32.exe27⤵
- Executes dropped EXE
PID:5052 -
C:\Windows\SysWOW64\Nbadcpbh.exeC:\Windows\system32\Nbadcpbh.exe28⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2836 -
C:\Windows\SysWOW64\Nhnlkfpp.exeC:\Windows\system32\Nhnlkfpp.exe29⤵
- Executes dropped EXE
PID:964 -
C:\Windows\SysWOW64\Nohehq32.exeC:\Windows\system32\Nohehq32.exe30⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2832 -
C:\Windows\SysWOW64\Nebmekoi.exeC:\Windows\system32\Nebmekoi.exe31⤵
- Executes dropped EXE
PID:2016 -
C:\Windows\SysWOW64\Npgabc32.exeC:\Windows\system32\Npgabc32.exe32⤵
- Executes dropped EXE
PID:2996 -
C:\Windows\SysWOW64\Ngaionfl.exeC:\Windows\system32\Ngaionfl.exe33⤵
- Executes dropped EXE
PID:3624 -
C:\Windows\SysWOW64\Nhbfff32.exeC:\Windows\system32\Nhbfff32.exe34⤵
- Executes dropped EXE
PID:2904 -
C:\Windows\SysWOW64\Nomncpcg.exeC:\Windows\system32\Nomncpcg.exe35⤵
- Executes dropped EXE
PID:2476 -
C:\Windows\SysWOW64\Neffpj32.exeC:\Windows\system32\Neffpj32.exe36⤵
- Executes dropped EXE
PID:1192 -
C:\Windows\SysWOW64\Nibbqicm.exeC:\Windows\system32\Nibbqicm.exe37⤵
- Executes dropped EXE
PID:1080 -
C:\Windows\SysWOW64\Nlqomd32.exeC:\Windows\system32\Nlqomd32.exe38⤵
- Executes dropped EXE
PID:3788 -
C:\Windows\SysWOW64\Nookip32.exeC:\Windows\system32\Nookip32.exe39⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2388 -
C:\Windows\SysWOW64\Oidofh32.exeC:\Windows\system32\Oidofh32.exe40⤵
- Executes dropped EXE
PID:2104 -
C:\Windows\SysWOW64\Olckbd32.exeC:\Windows\system32\Olckbd32.exe41⤵
- Executes dropped EXE
PID:2688 -
C:\Windows\SysWOW64\Ocmconhk.exeC:\Windows\system32\Ocmconhk.exe42⤵
- Executes dropped EXE
PID:3668 -
C:\Windows\SysWOW64\Oekpkigo.exeC:\Windows\system32\Oekpkigo.exe43⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1464 -
C:\Windows\SysWOW64\Olehhc32.exeC:\Windows\system32\Olehhc32.exe44⤵
- Executes dropped EXE
PID:4964 -
C:\Windows\SysWOW64\Oocddono.exeC:\Windows\system32\Oocddono.exe45⤵
- Executes dropped EXE
- Modifies registry class
PID:1188 -
C:\Windows\SysWOW64\Ogklelna.exeC:\Windows\system32\Ogklelna.exe46⤵
- Executes dropped EXE
PID:1984 -
C:\Windows\SysWOW64\Oiihahme.exeC:\Windows\system32\Oiihahme.exe47⤵
- Executes dropped EXE
PID:4876 -
C:\Windows\SysWOW64\Olgemcli.exeC:\Windows\system32\Olgemcli.exe48⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:836 -
C:\Windows\SysWOW64\Ocamjm32.exeC:\Windows\system32\Ocamjm32.exe49⤵
- Executes dropped EXE
PID:3560 -
C:\Windows\SysWOW64\Oileggkb.exeC:\Windows\system32\Oileggkb.exe50⤵
- Executes dropped EXE
PID:5032 -
C:\Windows\SysWOW64\Opemca32.exeC:\Windows\system32\Opemca32.exe51⤵
- Executes dropped EXE
PID:3468 -
C:\Windows\SysWOW64\Ocdjpmac.exeC:\Windows\system32\Ocdjpmac.exe52⤵
- Executes dropped EXE
- Modifies registry class
PID:4856 -
C:\Windows\SysWOW64\Oebflhaf.exeC:\Windows\system32\Oebflhaf.exe53⤵
- Executes dropped EXE
PID:4776 -
C:\Windows\SysWOW64\Ollnhb32.exeC:\Windows\system32\Ollnhb32.exe54⤵
- Executes dropped EXE
PID:4568 -
C:\Windows\SysWOW64\Ocffempp.exeC:\Windows\system32\Ocffempp.exe55⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3144 -
C:\Windows\SysWOW64\Pjpobg32.exeC:\Windows\system32\Pjpobg32.exe56⤵
- Executes dropped EXE
PID:2028 -
C:\Windows\SysWOW64\Ploknb32.exeC:\Windows\system32\Ploknb32.exe57⤵
- Executes dropped EXE
PID:3660 -
C:\Windows\SysWOW64\Pcicklnn.exeC:\Windows\system32\Pcicklnn.exe58⤵
- Executes dropped EXE
PID:3644 -
C:\Windows\SysWOW64\Phelcc32.exeC:\Windows\system32\Phelcc32.exe59⤵
- Executes dropped EXE
PID:3940 -
C:\Windows\SysWOW64\Plagcbdn.exeC:\Windows\system32\Plagcbdn.exe60⤵
- Executes dropped EXE
PID:3396 -
C:\Windows\SysWOW64\Pckppl32.exeC:\Windows\system32\Pckppl32.exe61⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4156 -
C:\Windows\SysWOW64\Pjehmfch.exeC:\Windows\system32\Pjehmfch.exe62⤵
- Executes dropped EXE
PID:4916 -
C:\Windows\SysWOW64\Ppopjp32.exeC:\Windows\system32\Ppopjp32.exe63⤵
- Executes dropped EXE
PID:2788 -
C:\Windows\SysWOW64\Pcmlfl32.exeC:\Windows\system32\Pcmlfl32.exe64⤵
- Executes dropped EXE
PID:4056 -
C:\Windows\SysWOW64\Phjenbhp.exeC:\Windows\system32\Phjenbhp.exe65⤵
- Executes dropped EXE
PID:1560 -
C:\Windows\SysWOW64\Pcpikkge.exeC:\Windows\system32\Pcpikkge.exe66⤵PID:3216
-
C:\Windows\SysWOW64\Pfnegggi.exeC:\Windows\system32\Pfnegggi.exe67⤵PID:2980
-
C:\Windows\SysWOW64\Phlacbfm.exeC:\Windows\system32\Phlacbfm.exe68⤵
- Drops file in System32 directory
PID:3984 -
C:\Windows\SysWOW64\Plhnda32.exeC:\Windows\system32\Plhnda32.exe69⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2156 -
C:\Windows\SysWOW64\Qcbfakec.exeC:\Windows\system32\Qcbfakec.exe70⤵PID:4956
-
C:\Windows\SysWOW64\Qjlnnemp.exeC:\Windows\system32\Qjlnnemp.exe71⤵PID:1392
-
C:\Windows\SysWOW64\Qljjjqlc.exeC:\Windows\system32\Qljjjqlc.exe72⤵PID:2420
-
C:\Windows\SysWOW64\Qcdbfk32.exeC:\Windows\system32\Qcdbfk32.exe73⤵PID:2592
-
C:\Windows\SysWOW64\Qjnkcekm.exeC:\Windows\system32\Qjnkcekm.exe74⤵PID:2296
-
C:\Windows\SysWOW64\Qqhcpo32.exeC:\Windows\system32\Qqhcpo32.exe75⤵PID:4860
-
C:\Windows\SysWOW64\Agbkmijg.exeC:\Windows\system32\Agbkmijg.exe76⤵PID:3292
-
C:\Windows\SysWOW64\Ahchda32.exeC:\Windows\system32\Ahchda32.exe77⤵PID:3988
-
C:\Windows\SysWOW64\Aompak32.exeC:\Windows\system32\Aompak32.exe78⤵PID:4324
-
C:\Windows\SysWOW64\Agdhbi32.exeC:\Windows\system32\Agdhbi32.exe79⤵PID:3564
-
C:\Windows\SysWOW64\Amaqjp32.exeC:\Windows\system32\Amaqjp32.exe80⤵PID:1196
-
C:\Windows\SysWOW64\Aggegh32.exeC:\Windows\system32\Aggegh32.exe81⤵PID:3948
-
C:\Windows\SysWOW64\Aobilkcl.exeC:\Windows\system32\Aobilkcl.exe82⤵PID:704
-
C:\Windows\SysWOW64\Aijnep32.exeC:\Windows\system32\Aijnep32.exe83⤵PID:4328
-
C:\Windows\SysWOW64\Aodfajaj.exeC:\Windows\system32\Aodfajaj.exe84⤵PID:2340
-
C:\Windows\SysWOW64\Acpbbi32.exeC:\Windows\system32\Acpbbi32.exe85⤵
- Drops file in System32 directory
PID:1052 -
C:\Windows\SysWOW64\Ajjjocap.exeC:\Windows\system32\Ajjjocap.exe86⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3304 -
C:\Windows\SysWOW64\Bcbohigp.exeC:\Windows\system32\Bcbohigp.exe87⤵PID:2916
-
C:\Windows\SysWOW64\Bfqkddfd.exeC:\Windows\system32\Bfqkddfd.exe88⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:3892 -
C:\Windows\SysWOW64\Bcelmhen.exeC:\Windows\system32\Bcelmhen.exe89⤵PID:3532
-
C:\Windows\SysWOW64\Bjodjb32.exeC:\Windows\system32\Bjodjb32.exe90⤵PID:1952
-
C:\Windows\SysWOW64\Bmmpfn32.exeC:\Windows\system32\Bmmpfn32.exe91⤵PID:3040
-
C:\Windows\SysWOW64\Bcghch32.exeC:\Windows\system32\Bcghch32.exe92⤵PID:2984
-
C:\Windows\SysWOW64\Bjaqpbkh.exeC:\Windows\system32\Bjaqpbkh.exe93⤵PID:4564
-
C:\Windows\SysWOW64\Bmomlnjk.exeC:\Windows\system32\Bmomlnjk.exe94⤵
- Modifies registry class
PID:1572 -
C:\Windows\SysWOW64\Bqkill32.exeC:\Windows\system32\Bqkill32.exe95⤵PID:384
-
C:\Windows\SysWOW64\Bgeaifia.exeC:\Windows\system32\Bgeaifia.exe96⤵PID:3580
-
C:\Windows\SysWOW64\Bifmqo32.exeC:\Windows\system32\Bifmqo32.exe97⤵PID:4248
-
C:\Windows\SysWOW64\Bqmeal32.exeC:\Windows\system32\Bqmeal32.exe98⤵PID:2268
-
C:\Windows\SysWOW64\Bggnof32.exeC:\Windows\system32\Bggnof32.exe99⤵
- Modifies registry class
PID:2228 -
C:\Windows\SysWOW64\Cgjjdf32.exeC:\Windows\system32\Cgjjdf32.exe100⤵PID:5024
-
C:\Windows\SysWOW64\Cjhfpa32.exeC:\Windows\system32\Cjhfpa32.exe101⤵
- System Location Discovery: System Language Discovery
PID:1916 -
C:\Windows\SysWOW64\Cpeohh32.exeC:\Windows\system32\Cpeohh32.exe102⤵PID:3568
-
C:\Windows\SysWOW64\Cjjcfabm.exeC:\Windows\system32\Cjjcfabm.exe103⤵PID:5156
-
C:\Windows\SysWOW64\Cgndoeag.exeC:\Windows\system32\Cgndoeag.exe104⤵
- System Location Discovery: System Language Discovery
PID:5200 -
C:\Windows\SysWOW64\Cippgm32.exeC:\Windows\system32\Cippgm32.exe105⤵PID:5244
-
C:\Windows\SysWOW64\Cpihcgoa.exeC:\Windows\system32\Cpihcgoa.exe106⤵PID:5300
-
C:\Windows\SysWOW64\Cgqqdeod.exeC:\Windows\system32\Cgqqdeod.exe107⤵PID:5348
-
C:\Windows\SysWOW64\Cjomap32.exeC:\Windows\system32\Cjomap32.exe108⤵PID:5388
-
C:\Windows\SysWOW64\Cibmlmeb.exeC:\Windows\system32\Cibmlmeb.exe109⤵PID:5444
-
C:\Windows\SysWOW64\Ccgajfeh.exeC:\Windows\system32\Ccgajfeh.exe110⤵PID:5500
-
C:\Windows\SysWOW64\Cgcmjd32.exeC:\Windows\system32\Cgcmjd32.exe111⤵PID:5552
-
C:\Windows\SysWOW64\Cjaifp32.exeC:\Windows\system32\Cjaifp32.exe112⤵PID:5628
-
C:\Windows\SysWOW64\Dmpfbk32.exeC:\Windows\system32\Dmpfbk32.exe113⤵PID:5676
-
C:\Windows\SysWOW64\Dpnbog32.exeC:\Windows\system32\Dpnbog32.exe114⤵PID:5720
-
C:\Windows\SysWOW64\Dfhjkabi.exeC:\Windows\system32\Dfhjkabi.exe115⤵
- Drops file in System32 directory
PID:5808 -
C:\Windows\SysWOW64\Djdflp32.exeC:\Windows\system32\Djdflp32.exe116⤵PID:5868
-
C:\Windows\SysWOW64\Dmbbhkjf.exeC:\Windows\system32\Dmbbhkjf.exe117⤵
- Modifies registry class
PID:5908 -
C:\Windows\SysWOW64\Dpqodfij.exeC:\Windows\system32\Dpqodfij.exe118⤵
- Drops file in System32 directory
PID:5964 -
C:\Windows\SysWOW64\Dclkee32.exeC:\Windows\system32\Dclkee32.exe119⤵PID:6004
-
C:\Windows\SysWOW64\Dfjgaq32.exeC:\Windows\system32\Dfjgaq32.exe120⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6060 -
C:\Windows\SysWOW64\Diicml32.exeC:\Windows\system32\Diicml32.exe121⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6104 -
C:\Windows\SysWOW64\Dapkni32.exeC:\Windows\system32\Dapkni32.exe122⤵PID:5132
-
C:\Windows\SysWOW64\Dpckjfgg.exeC:\Windows\system32\Dpckjfgg.exe123⤵PID:5208
-
C:\Windows\SysWOW64\Dcogje32.exeC:\Windows\system32\Dcogje32.exe124⤵
- Modifies registry class
PID:5296 -
C:\Windows\SysWOW64\Dikpbl32.exeC:\Windows\system32\Dikpbl32.exe125⤵PID:5380
-
C:\Windows\SysWOW64\Dpehof32.exeC:\Windows\system32\Dpehof32.exe126⤵PID:5464
-
C:\Windows\SysWOW64\Dhlpqc32.exeC:\Windows\system32\Dhlpqc32.exe127⤵
- System Location Discovery: System Language Discovery
PID:5544 -
C:\Windows\SysWOW64\Dinmhkke.exeC:\Windows\system32\Dinmhkke.exe128⤵PID:5664
-
C:\Windows\SysWOW64\Dhomfc32.exeC:\Windows\system32\Dhomfc32.exe129⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5740 -
C:\Windows\SysWOW64\Emlenj32.exeC:\Windows\system32\Emlenj32.exe130⤵PID:5860
-
C:\Windows\SysWOW64\Eagaoh32.exeC:\Windows\system32\Eagaoh32.exe131⤵PID:5948
-
C:\Windows\SysWOW64\Edemkd32.exeC:\Windows\system32\Edemkd32.exe132⤵PID:6020
-
C:\Windows\SysWOW64\Eaindh32.exeC:\Windows\system32\Eaindh32.exe133⤵PID:6080
-
C:\Windows\SysWOW64\Eplnpeol.exeC:\Windows\system32\Eplnpeol.exe134⤵PID:5148
-
C:\Windows\SysWOW64\Efffmo32.exeC:\Windows\system32\Efffmo32.exe135⤵PID:5252
-
C:\Windows\SysWOW64\Ealkjh32.exeC:\Windows\system32\Ealkjh32.exe136⤵PID:5408
-
C:\Windows\SysWOW64\Eigonjcj.exeC:\Windows\system32\Eigonjcj.exe137⤵PID:5548
-
C:\Windows\SysWOW64\Eangpgcl.exeC:\Windows\system32\Eangpgcl.exe138⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:5704 -
C:\Windows\SysWOW64\Edmclccp.exeC:\Windows\system32\Edmclccp.exe139⤵
- System Location Discovery: System Language Discovery
PID:5876 -
C:\Windows\SysWOW64\Efkphnbd.exeC:\Windows\system32\Efkphnbd.exe140⤵PID:5952
-
C:\Windows\SysWOW64\Fmgejhgn.exeC:\Windows\system32\Fmgejhgn.exe141⤵PID:6136
-
C:\Windows\SysWOW64\Ffpicn32.exeC:\Windows\system32\Ffpicn32.exe142⤵PID:5260
-
C:\Windows\SysWOW64\Faenpf32.exeC:\Windows\system32\Faenpf32.exe143⤵PID:5488
-
C:\Windows\SysWOW64\Fgbfhmll.exeC:\Windows\system32\Fgbfhmll.exe144⤵PID:5712
-
C:\Windows\SysWOW64\Fdffbake.exeC:\Windows\system32\Fdffbake.exe145⤵PID:5984
-
C:\Windows\SysWOW64\Fmnkkg32.exeC:\Windows\system32\Fmnkkg32.exe146⤵PID:4272
-
C:\Windows\SysWOW64\Fajgkfio.exeC:\Windows\system32\Fajgkfio.exe147⤵PID:4844
-
C:\Windows\SysWOW64\Fielph32.exeC:\Windows\system32\Fielph32.exe148⤵PID:5428
-
C:\Windows\SysWOW64\Gigheh32.exeC:\Windows\system32\Gigheh32.exe149⤵PID:5660
-
C:\Windows\SysWOW64\Ghhhcomg.exeC:\Windows\system32\Ghhhcomg.exe150⤵PID:5936
-
C:\Windows\SysWOW64\Gpcmga32.exeC:\Windows\system32\Gpcmga32.exe151⤵PID:5336
-
C:\Windows\SysWOW64\Gkiaej32.exeC:\Windows\system32\Gkiaej32.exe152⤵
- System Location Discovery: System Language Discovery
PID:2624 -
C:\Windows\SysWOW64\Gilapgqb.exeC:\Windows\system32\Gilapgqb.exe153⤵PID:6084
-
C:\Windows\SysWOW64\Gaefgd32.exeC:\Windows\system32\Gaefgd32.exe154⤵PID:5524
-
C:\Windows\SysWOW64\Ghpocngo.exeC:\Windows\system32\Ghpocngo.exe155⤵PID:4908
-
C:\Windows\SysWOW64\Gdfoio32.exeC:\Windows\system32\Gdfoio32.exe156⤵PID:5960
-
C:\Windows\SysWOW64\Hkpheidp.exeC:\Windows\system32\Hkpheidp.exe157⤵PID:5992
-
C:\Windows\SysWOW64\Hpmpnp32.exeC:\Windows\system32\Hpmpnp32.exe158⤵
- Modifies registry class
PID:6160 -
C:\Windows\SysWOW64\Hhfedm32.exeC:\Windows\system32\Hhfedm32.exe159⤵PID:6204
-
C:\Windows\SysWOW64\Hglaej32.exeC:\Windows\system32\Hglaej32.exe160⤵PID:6248
-
C:\Windows\SysWOW64\Haafcb32.exeC:\Windows\system32\Haafcb32.exe161⤵
- Modifies registry class
PID:6292 -
C:\Windows\SysWOW64\Hgnoki32.exeC:\Windows\system32\Hgnoki32.exe162⤵PID:6332
-
C:\Windows\SysWOW64\Hkjjlhle.exeC:\Windows\system32\Hkjjlhle.exe163⤵
- Modifies registry class
PID:6396 -
C:\Windows\SysWOW64\Hnhghcki.exeC:\Windows\system32\Hnhghcki.exe164⤵PID:6456
-
C:\Windows\SysWOW64\Hpfcdojl.exeC:\Windows\system32\Hpfcdojl.exe165⤵PID:6500
-
C:\Windows\SysWOW64\Idbodn32.exeC:\Windows\system32\Idbodn32.exe166⤵PID:6556
-
C:\Windows\SysWOW64\Iklgah32.exeC:\Windows\system32\Iklgah32.exe167⤵PID:6612
-
C:\Windows\SysWOW64\Injcmc32.exeC:\Windows\system32\Injcmc32.exe168⤵PID:6664
-
C:\Windows\SysWOW64\Iddljmpc.exeC:\Windows\system32\Iddljmpc.exe169⤵PID:6708
-
C:\Windows\SysWOW64\Igchfiof.exeC:\Windows\system32\Igchfiof.exe170⤵PID:6752
-
C:\Windows\SysWOW64\Inmpcc32.exeC:\Windows\system32\Inmpcc32.exe171⤵
- Drops file in System32 directory
PID:6800 -
C:\Windows\SysWOW64\Idghpmnp.exeC:\Windows\system32\Idghpmnp.exe172⤵PID:6848
-
C:\Windows\SysWOW64\Ikqqlgem.exeC:\Windows\system32\Ikqqlgem.exe173⤵PID:6892
-
C:\Windows\SysWOW64\Idieem32.exeC:\Windows\system32\Idieem32.exe174⤵PID:6936
-
C:\Windows\SysWOW64\Ihgnkkbd.exeC:\Windows\system32\Ihgnkkbd.exe175⤵PID:6980
-
C:\Windows\SysWOW64\Ibobdqid.exeC:\Windows\system32\Ibobdqid.exe176⤵PID:7024
-
C:\Windows\SysWOW64\Jjjghcfp.exeC:\Windows\system32\Jjjghcfp.exe177⤵
- System Location Discovery: System Language Discovery
PID:7068 -
C:\Windows\SysWOW64\Jqdoem32.exeC:\Windows\system32\Jqdoem32.exe178⤵PID:7112
-
C:\Windows\SysWOW64\Jjmcnbdm.exeC:\Windows\system32\Jjmcnbdm.exe179⤵
- Drops file in System32 directory
PID:7156 -
C:\Windows\SysWOW64\Jjopcb32.exeC:\Windows\system32\Jjopcb32.exe180⤵
- Modifies registry class
PID:6192 -
C:\Windows\SysWOW64\Jdedak32.exeC:\Windows\system32\Jdedak32.exe181⤵PID:6256
-
C:\Windows\SysWOW64\Jgcamf32.exeC:\Windows\system32\Jgcamf32.exe182⤵PID:6324
-
C:\Windows\SysWOW64\Jnmijq32.exeC:\Windows\system32\Jnmijq32.exe183⤵PID:6412
-
C:\Windows\SysWOW64\Jnpfop32.exeC:\Windows\system32\Jnpfop32.exe184⤵PID:6492
-
C:\Windows\SysWOW64\Jbkbpoog.exeC:\Windows\system32\Jbkbpoog.exe185⤵PID:6580
-
C:\Windows\SysWOW64\Kghjhemo.exeC:\Windows\system32\Kghjhemo.exe186⤵PID:6652
-
C:\Windows\SysWOW64\Kjffdalb.exeC:\Windows\system32\Kjffdalb.exe187⤵PID:6740
-
C:\Windows\SysWOW64\Kqpoakco.exeC:\Windows\system32\Kqpoakco.exe188⤵PID:6808
-
C:\Windows\SysWOW64\Kjhcjq32.exeC:\Windows\system32\Kjhcjq32.exe189⤵PID:6644
-
C:\Windows\SysWOW64\Kgmcce32.exeC:\Windows\system32\Kgmcce32.exe190⤵PID:6888
-
C:\Windows\SysWOW64\Keqdmihc.exeC:\Windows\system32\Keqdmihc.exe191⤵PID:6964
-
C:\Windows\SysWOW64\Kjmmepfj.exeC:\Windows\system32\Kjmmepfj.exe192⤵PID:7036
-
C:\Windows\SysWOW64\Kageaj32.exeC:\Windows\system32\Kageaj32.exe193⤵PID:7096
-
C:\Windows\SysWOW64\Kkmioc32.exeC:\Windows\system32\Kkmioc32.exe194⤵PID:6156
-
C:\Windows\SysWOW64\Leenhhdn.exeC:\Windows\system32\Leenhhdn.exe195⤵
- System Location Discovery: System Language Discovery
PID:6236 -
C:\Windows\SysWOW64\Ljbfpo32.exeC:\Windows\system32\Ljbfpo32.exe196⤵PID:6352
-
C:\Windows\SysWOW64\Legjmh32.exeC:\Windows\system32\Legjmh32.exe197⤵PID:6476
-
C:\Windows\SysWOW64\Ljdceo32.exeC:\Windows\system32\Ljdceo32.exe198⤵PID:6624
-
C:\Windows\SysWOW64\Lbkkgl32.exeC:\Windows\system32\Lbkkgl32.exe199⤵PID:6720
-
C:\Windows\SysWOW64\Lankbigo.exeC:\Windows\system32\Lankbigo.exe200⤵PID:6844
-
C:\Windows\SysWOW64\Lnbklm32.exeC:\Windows\system32\Lnbklm32.exe201⤵PID:6916
-
C:\Windows\SysWOW64\Lelchgne.exeC:\Windows\system32\Lelchgne.exe202⤵PID:7016
-
C:\Windows\SysWOW64\Lgkpdcmi.exeC:\Windows\system32\Lgkpdcmi.exe203⤵PID:7120
-
C:\Windows\SysWOW64\Ljilqnlm.exeC:\Windows\system32\Ljilqnlm.exe204⤵
- System Location Discovery: System Language Discovery
PID:6212 -
C:\Windows\SysWOW64\Lndham32.exeC:\Windows\system32\Lndham32.exe205⤵PID:6404
-
C:\Windows\SysWOW64\Ljkifn32.exeC:\Windows\system32\Ljkifn32.exe206⤵PID:6596
-
C:\Windows\SysWOW64\Meamcg32.exeC:\Windows\system32\Meamcg32.exe207⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6788 -
C:\Windows\SysWOW64\Mecjif32.exeC:\Windows\system32\Mecjif32.exe208⤵PID:6920
-
C:\Windows\SysWOW64\Mlmbfqoj.exeC:\Windows\system32\Mlmbfqoj.exe209⤵
- Drops file in System32 directory
PID:7164 -
C:\Windows\SysWOW64\Majjng32.exeC:\Windows\system32\Majjng32.exe210⤵PID:6320
-
C:\Windows\SysWOW64\Mhdckaeo.exeC:\Windows\system32\Mhdckaeo.exe211⤵PID:6672
-
C:\Windows\SysWOW64\Mlpokp32.exeC:\Windows\system32\Mlpokp32.exe212⤵PID:6876
-
C:\Windows\SysWOW64\Mjellmbp.exeC:\Windows\system32\Mjellmbp.exe213⤵PID:7100
-
C:\Windows\SysWOW64\Mnphmkji.exeC:\Windows\system32\Mnphmkji.exe214⤵PID:6592
-
C:\Windows\SysWOW64\Maodigil.exeC:\Windows\system32\Maodigil.exe215⤵PID:7008
-
C:\Windows\SysWOW64\Mejpje32.exeC:\Windows\system32\Mejpje32.exe216⤵PID:6772
-
C:\Windows\SysWOW64\Mifljdjo.exeC:\Windows\system32\Mifljdjo.exe217⤵PID:7172
-
C:\Windows\SysWOW64\Mldhfpib.exeC:\Windows\system32\Mldhfpib.exe218⤵PID:7224
-
C:\Windows\SysWOW64\Njghbl32.exeC:\Windows\system32\Njghbl32.exe219⤵
- System Location Discovery: System Language Discovery
PID:7268 -
C:\Windows\SysWOW64\Nbnpcj32.exeC:\Windows\system32\Nbnpcj32.exe220⤵
- System Location Discovery: System Language Discovery
PID:7340 -
C:\Windows\SysWOW64\Nemmoe32.exeC:\Windows\system32\Nemmoe32.exe221⤵
- System Location Discovery: System Language Discovery
PID:7400 -
C:\Windows\SysWOW64\Nihipdhl.exeC:\Windows\system32\Nihipdhl.exe222⤵PID:7448
-
C:\Windows\SysWOW64\Nlfelogp.exeC:\Windows\system32\Nlfelogp.exe223⤵PID:7524
-
C:\Windows\SysWOW64\Noeahkfc.exeC:\Windows\system32\Noeahkfc.exe224⤵PID:7576
-
C:\Windows\SysWOW64\Nacmdf32.exeC:\Windows\system32\Nacmdf32.exe225⤵
- Modifies registry class
PID:7628 -
C:\Windows\SysWOW64\Neoieenp.exeC:\Windows\system32\Neoieenp.exe226⤵
- Drops file in System32 directory
PID:7676 -
C:\Windows\SysWOW64\Nhmeapmd.exeC:\Windows\system32\Nhmeapmd.exe227⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:7716 -
C:\Windows\SysWOW64\Nklbmllg.exeC:\Windows\system32\Nklbmllg.exe228⤵PID:7756
-
C:\Windows\SysWOW64\Nbcjnilj.exeC:\Windows\system32\Nbcjnilj.exe229⤵PID:7820
-
C:\Windows\SysWOW64\Nafjjf32.exeC:\Windows\system32\Nafjjf32.exe230⤵PID:7864
-
C:\Windows\SysWOW64\Nimbkc32.exeC:\Windows\system32\Nimbkc32.exe231⤵PID:7916
-
C:\Windows\SysWOW64\Nknobkje.exeC:\Windows\system32\Nknobkje.exe232⤵
- Drops file in System32 directory
PID:7976 -
C:\Windows\SysWOW64\Nbefdijg.exeC:\Windows\system32\Nbefdijg.exe233⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:8024 -
C:\Windows\SysWOW64\Nhbolp32.exeC:\Windows\system32\Nhbolp32.exe234⤵
- System Location Discovery: System Language Discovery
PID:8068 -
C:\Windows\SysWOW64\Nlnkmnah.exeC:\Windows\system32\Nlnkmnah.exe235⤵PID:8112
-
C:\Windows\SysWOW64\Nolgijpk.exeC:\Windows\system32\Nolgijpk.exe236⤵
- System Location Discovery: System Language Discovery
PID:8156 -
C:\Windows\SysWOW64\Najceeoo.exeC:\Windows\system32\Najceeoo.exe237⤵PID:6200
-
C:\Windows\SysWOW64\Nefped32.exeC:\Windows\system32\Nefped32.exe238⤵
- Drops file in System32 directory
- Modifies registry class
PID:7208 -
C:\Windows\SysWOW64\Nhdlao32.exeC:\Windows\system32\Nhdlao32.exe239⤵PID:7316
-
C:\Windows\SysWOW64\Nlphbnoe.exeC:\Windows\system32\Nlphbnoe.exe240⤵
- System Location Discovery: System Language Discovery
PID:7428 -
C:\Windows\SysWOW64\Objpoh32.exeC:\Windows\system32\Objpoh32.exe241⤵
- Modifies registry class
PID:7520 -
C:\Windows\SysWOW64\Oampjeml.exeC:\Windows\system32\Oampjeml.exe242⤵PID:7624