Analysis
-
max time kernel
148s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
24-12-2024 22:25
Behavioral task
behavioral1
Sample
581be70e45a40bc9e69ed04aeb98cdfa9f75c791ceb522f6d4e73b1cffc6df50.exe
Resource
win7-20240903-en
windows7-x64
10 signatures
150 seconds
Behavioral task
behavioral2
Sample
581be70e45a40bc9e69ed04aeb98cdfa9f75c791ceb522f6d4e73b1cffc6df50.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
9 signatures
150 seconds
General
-
Target
581be70e45a40bc9e69ed04aeb98cdfa9f75c791ceb522f6d4e73b1cffc6df50.exe
-
Size
320KB
-
MD5
fe15935ca93791249cd1644e61791b1b
-
SHA1
77df88854dc5dff98dc6f4b5d76dbc065d049211
-
SHA256
581be70e45a40bc9e69ed04aeb98cdfa9f75c791ceb522f6d4e73b1cffc6df50
-
SHA512
fad19898c26f997119220305d0d6766730f016f0b61b61d0217f85ce396e0106265e7d496310027706411e47e15d20ba710a067cd9486aa20c1d2a8cf8237578
-
SSDEEP
6144:+PG6kqGPJu6cZLAYCtE07kli0KoCYtw2B0Ddu9szWfx09UBIUbPLwH/lLOUaR/N4:+NkfJPXYJ07kE0KoFtw2gu9RxrBIUbP+
Score
10/10
Malware Config
Extracted
Family
berbew
C2
http://viruslist.com/wcmd.txt
http://viruslist.com/ppslog.php
http://viruslist.com/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Oafcqcea.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fbfcmhpg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mogcihaj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Opclldhj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ckeimm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dnmhpg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gmojkj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Phonha32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Lihpif32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Nmigoagp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Pagbaglh.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cklhcfle.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mebcop32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hlbcnd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ljbfpo32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fmndpq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Gbmingjo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hbhijepa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ikkpgafg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Idhnkf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ncchae32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Bkphhgfc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Qfkqjmdg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Adcjop32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hacbhb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Leenhhdn.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Laqhhi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Anobgl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Boeebnhp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jghpbk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Adhdjpjf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Hfhgkmpj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Iepaaico.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Kniieo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Bbdhiojo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dpphjp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Kqmkae32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Omgcpokp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Gfodeohd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Qpcecb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jgbjbp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bheplb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gehbjm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Lcgpni32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Nqbpojnp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dcigeooj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eiaoid32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Fideeaco.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Kckqbj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Paeelgnj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Cggimh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Kngkqbgl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mmkdcm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iqklon32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ccbadp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ckpbnb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jdfjld32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Nelfeo32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hoeieolb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Bnoddcef.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Akglloai.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Nglhld32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lfjfecno.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Mjlhgaqp.exe -
Berbew family
-
Executes dropped EXE 64 IoCs
pid Process 3980 Gacjadad.exe 3124 Gdafnpqh.exe 2480 Ghmbno32.exe 3476 Ggbook32.exe 384 Gknkpjfb.exe 452 Gnlgleef.exe 4792 Hnodaecc.exe 4648 Hgghjjid.exe 4716 Hpomcp32.exe 4088 Hgiepjga.exe 4456 Hncmmd32.exe 2500 Hglaej32.exe 3520 Hdpbon32.exe 5028 Hacbhb32.exe 4836 Iklgah32.exe 2808 Iddljmpc.exe 2628 Igchfiof.exe 1464 Iqklon32.exe 2452 Iakiia32.exe 3216 Iggaah32.exe 3956 Ibmeoq32.exe 1708 Igjngh32.exe 4608 Ibobdqid.exe 748 Jdnoplhh.exe 1508 Jbaojpgb.exe 1512 Jdpkflfe.exe 2040 Jnhpoamf.exe 1712 Jgadgf32.exe 3992 Jbfheo32.exe 3968 Jkomneim.exe 4604 Jgenbfoa.exe 316 Jbkbpoog.exe 4656 Kjffdalb.exe 4324 Kqpoakco.exe 3468 Kjhcjq32.exe 2256 Kgmcce32.exe 3440 Kaehljpj.exe 4940 Kgopidgf.exe 4736 Kniieo32.exe 2920 Kageaj32.exe 744 Kkmioc32.exe 2604 Leenhhdn.exe 3380 Lgcjdd32.exe 2556 Ljbfpo32.exe 4412 Lalnmiia.exe 3312 Lgffic32.exe 3492 Lnpofnhk.exe 2088 Lankbigo.exe 2016 Lldopb32.exe 4464 Lnbklm32.exe 3680 Laqhhi32.exe 3604 Lihpif32.exe 4420 Ljilqnlm.exe 392 Lbpdblmo.exe 4144 Leopnglc.exe 3776 Ljkifn32.exe 4620 Mhoipb32.exe 1376 Mjneln32.exe 1268 Mahnhhod.exe 4368 Mhafeb32.exe 4212 Mnlnbl32.exe 1012 Meefofek.exe 4700 Mlpokp32.exe 1672 Mbighjdd.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Ekaapi32.exe Emoadlfo.exe File opened for modification C:\Windows\SysWOW64\Djqblj32.exe Dbjkkl32.exe File created C:\Windows\SysWOW64\Jklinohd.exe Jcdala32.exe File created C:\Windows\SysWOW64\Kkeldnpi.exe Kjepjkhf.exe File created C:\Windows\SysWOW64\Plmmif32.exe Pdfehh32.exe File created C:\Windows\SysWOW64\Ajihlijd.dll Mkhapk32.exe File created C:\Windows\SysWOW64\Jenmcggo.exe Jocefm32.exe File created C:\Windows\SysWOW64\Ghmbno32.exe Gdafnpqh.exe File created C:\Windows\SysWOW64\Cfqmpl32.exe Ccbadp32.exe File opened for modification C:\Windows\SysWOW64\Lcggio32.exe Lddgmbpb.exe File created C:\Windows\SysWOW64\Kqmfklog.dll Ahpmjejp.exe File opened for modification C:\Windows\SysWOW64\Akepfpcl.exe Ahgcjddh.exe File created C:\Windows\SysWOW64\Ennioe32.dll Hlegnjbm.exe File created C:\Windows\SysWOW64\Ahpmjejp.exe Amjillkj.exe File created C:\Windows\SysWOW64\Cdecba32.dll Dheibpje.exe File created C:\Windows\SysWOW64\Jhnhbn32.dll Efafgifc.exe File opened for modification C:\Windows\SysWOW64\Plpjoe32.exe Pefabkej.exe File created C:\Windows\SysWOW64\Mfchlbfd.exe Mcelpggq.exe File opened for modification C:\Windows\SysWOW64\Boihcf32.exe Bgbpaipl.exe File created C:\Windows\SysWOW64\Klhhpnaf.dll Gpqjglii.exe File created C:\Windows\SysWOW64\Ckhecmcf.exe Cdnmfclj.exe File opened for modification C:\Windows\SysWOW64\Ckhecmcf.exe Cdnmfclj.exe File created C:\Windows\SysWOW64\Dmennnni.exe Ddnfmqng.exe File created C:\Windows\SysWOW64\Ddnnfbmk.dll Iqklon32.exe File created C:\Windows\SysWOW64\Cacckp32.exe Ckjknfnh.exe File opened for modification C:\Windows\SysWOW64\Poomegpf.exe Pkcadhgm.exe File opened for modification C:\Windows\SysWOW64\Mkhapk32.exe Lndagg32.exe File opened for modification C:\Windows\SysWOW64\Ohmhmh32.exe Omgcpokp.exe File opened for modification C:\Windows\SysWOW64\Amjillkj.exe Aogiap32.exe File created C:\Windows\SysWOW64\Digehphc.exe Dbnmke32.exe File opened for modification C:\Windows\SysWOW64\Adcjop32.exe Amjbbfgo.exe File opened for modification C:\Windows\SysWOW64\Hoobdp32.exe Hplbickp.exe File created C:\Windows\SysWOW64\Malgcg32.exe Mbighjdd.exe File created C:\Windows\SysWOW64\Nbnpcj32.exe Mldhfpib.exe File opened for modification C:\Windows\SysWOW64\Efepbi32.exe Ecgcfm32.exe File opened for modification C:\Windows\SysWOW64\Nadleilm.exe Nnfpinmi.exe File created C:\Windows\SysWOW64\Abklmb32.dll Ckmonl32.exe File created C:\Windows\SysWOW64\Phcgcqab.exe Paiogf32.exe File opened for modification C:\Windows\SysWOW64\Hncmmd32.exe Hgiepjga.exe File opened for modification C:\Windows\SysWOW64\Plndcl32.exe Pedlgbkh.exe File created C:\Windows\SysWOW64\Cmcolgbj.exe Cjecpkcg.exe File opened for modification C:\Windows\SysWOW64\Hbhijepa.exe Hloqml32.exe File opened for modification C:\Windows\SysWOW64\Hmnmgnoh.exe Hibafp32.exe File opened for modification C:\Windows\SysWOW64\Aehgnied.exe Akccap32.exe File created C:\Windows\SysWOW64\Pmblagmf.exe Pjdpelnc.exe File created C:\Windows\SysWOW64\Kcmgob32.dll Eiokinbk.exe File created C:\Windows\SysWOW64\Dmkalh32.dll Feoodn32.exe File opened for modification C:\Windows\SysWOW64\Ahenokjf.exe Afgacokc.exe File created C:\Windows\SysWOW64\Dgeofeib.dll Omqmop32.exe File created C:\Windows\SysWOW64\Eignjamf.dll Adcjop32.exe File opened for modification C:\Windows\SysWOW64\Bgbpaipl.exe Bphgeo32.exe File opened for modification C:\Windows\SysWOW64\Leenhhdn.exe Kkmioc32.exe File created C:\Windows\SysWOW64\Fmikeaap.exe Fjjnifbl.exe File created C:\Windows\SysWOW64\Hhhdjbno.dll Bebjdgmj.exe File created C:\Windows\SysWOW64\Fimhjl32.exe Fpdcag32.exe File opened for modification C:\Windows\SysWOW64\Ljeafb32.exe Lfjfecno.exe File created C:\Windows\SysWOW64\Dbjkkl32.exe Ckpbnb32.exe File created C:\Windows\SysWOW64\Fmndpq32.exe Fjohde32.exe File opened for modification C:\Windows\SysWOW64\Jnlbojee.exe Jgbjbp32.exe File opened for modification C:\Windows\SysWOW64\Mkmkkjko.exe Mebcop32.exe File opened for modification C:\Windows\SysWOW64\Nnfpinmi.exe Nglhld32.exe File created C:\Windows\SysWOW64\Jhpicj32.dll Nfcabp32.exe File created C:\Windows\SysWOW64\Piomhofd.dll Iklgah32.exe File created C:\Windows\SysWOW64\Jgenbfoa.exe Jkomneim.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 14548 14344 WerFault.exe 779 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jgadgf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lgqfdnah.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bnhenj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bedgjgkg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mmhgmmbf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bgnffj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Igchfiof.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ibmeoq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gacjadad.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hoaojp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pcepkfld.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cmmbbejp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hmlpaoaj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jnlbojee.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ebgpad32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gihgfk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lnpofnhk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Najceeoo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cnaaib32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gikdkj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pfoann32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oodcdb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nfcabp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ojajin32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bacjdbch.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Akcjkfij.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Acmobchj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Apaadpng.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cklhcfle.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pmlmkn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bnfihkqm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mkhapk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Akepfpcl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bebjdgmj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oplfkeob.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Amjbbfgo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hgghjjid.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lgepom32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jdmgfedl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jdodkebj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mnmdme32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cbpajgmf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cfnjpfcl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dfdpad32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kgmcce32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iggjga32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hffken32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gipdap32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Omqmop32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lcimdh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dhbebj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nlfelogp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nlnkmnah.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cjecpkcg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dbpjaeoc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lfbped32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ljbfpo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Alnmjjdb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kpcjgnhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aokkahlo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bhblllfo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Efccmidp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gfhndpol.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bhnikc32.exe -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Popbpqjh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bnnkgo32.dll" Kpoalo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpghll32.dll" Oakbehfe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbdjiqhc.dll" Efhlhh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ncofplba.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Plmmif32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Cbfgkffn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Lgcjdd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Polppg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Hiiggoaf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Difpmfna.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ifmqfm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ecjfni32.dll" Hacbhb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Pcepkfld.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Qljcoj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ejlgio32.dll" Lnohlgep.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Adndoe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qfoaecol.dll" Ckebcg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibifekgh.dll" Hpomcp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Kqpoakco.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iophkojl.dll" Kqmkae32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Najceeoo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Qlimed32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Hbohpn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ncchae32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ejbdho32.dll" Nahgoe32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Dkbocbog.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Idfaefkd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hhhdjbno.dll" Bebjdgmj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ggpdhj32.dll" Gfodeohd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Chfegk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Djqblj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Dpphjp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Fpdcag32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Gnlgleef.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnqjcbao.dll" Lihpif32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fagnlg32.dll" Nklbmllg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Gmojkj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Gpelhd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Gbabigfj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ackhdo32.dll" Gfokoelp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ldcadhpd.dll" Jdodkebj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Gfhndpol.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Gbnoiqdq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Akcoajfm.dll" Hplbickp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mlkpophj.dll" Hpchib32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Jllokajf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Fmkgkapm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ikdcmpnl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Plbfdekd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Jncoikmp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Njfkmphe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qeidhb32.dll" Ibobdqid.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Mldhfpib.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Cfqmpl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fdflahpe.dll" Bokehc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Cbpajgmf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Iepaaico.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bmgagk32.dll" Mqafhl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Qfkqjmdg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Plpjfnfg.dll" Ghmbno32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ljbfpo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ahenokjf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Bmjkic32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4820 wrote to memory of 3980 4820 581be70e45a40bc9e69ed04aeb98cdfa9f75c791ceb522f6d4e73b1cffc6df50.exe 84 PID 4820 wrote to memory of 3980 4820 581be70e45a40bc9e69ed04aeb98cdfa9f75c791ceb522f6d4e73b1cffc6df50.exe 84 PID 4820 wrote to memory of 3980 4820 581be70e45a40bc9e69ed04aeb98cdfa9f75c791ceb522f6d4e73b1cffc6df50.exe 84 PID 3980 wrote to memory of 3124 3980 Gacjadad.exe 85 PID 3980 wrote to memory of 3124 3980 Gacjadad.exe 85 PID 3980 wrote to memory of 3124 3980 Gacjadad.exe 85 PID 3124 wrote to memory of 2480 3124 Gdafnpqh.exe 86 PID 3124 wrote to memory of 2480 3124 Gdafnpqh.exe 86 PID 3124 wrote to memory of 2480 3124 Gdafnpqh.exe 86 PID 2480 wrote to memory of 3476 2480 Ghmbno32.exe 87 PID 2480 wrote to memory of 3476 2480 Ghmbno32.exe 87 PID 2480 wrote to memory of 3476 2480 Ghmbno32.exe 87 PID 3476 wrote to memory of 384 3476 Ggbook32.exe 88 PID 3476 wrote to memory of 384 3476 Ggbook32.exe 88 PID 3476 wrote to memory of 384 3476 Ggbook32.exe 88 PID 384 wrote to memory of 452 384 Gknkpjfb.exe 89 PID 384 wrote to memory of 452 384 Gknkpjfb.exe 89 PID 384 wrote to memory of 452 384 Gknkpjfb.exe 89 PID 452 wrote to memory of 4792 452 Gnlgleef.exe 90 PID 452 wrote to memory of 4792 452 Gnlgleef.exe 90 PID 452 wrote to memory of 4792 452 Gnlgleef.exe 90 PID 4792 wrote to memory of 4648 4792 Hnodaecc.exe 91 PID 4792 wrote to memory of 4648 4792 Hnodaecc.exe 91 PID 4792 wrote to memory of 4648 4792 Hnodaecc.exe 91 PID 4648 wrote to memory of 4716 4648 Hgghjjid.exe 92 PID 4648 wrote to memory of 4716 4648 Hgghjjid.exe 92 PID 4648 wrote to memory of 4716 4648 Hgghjjid.exe 92 PID 4716 wrote to memory of 4088 4716 Hpomcp32.exe 93 PID 4716 wrote to memory of 4088 4716 Hpomcp32.exe 93 PID 4716 wrote to memory of 4088 4716 Hpomcp32.exe 93 PID 4088 wrote to memory of 4456 4088 Hgiepjga.exe 94 PID 4088 wrote to memory of 4456 4088 Hgiepjga.exe 94 PID 4088 wrote to memory of 4456 4088 Hgiepjga.exe 94 PID 4456 wrote to memory of 2500 4456 Hncmmd32.exe 95 PID 4456 wrote to memory of 2500 4456 Hncmmd32.exe 95 PID 4456 wrote to memory of 2500 4456 Hncmmd32.exe 95 PID 2500 wrote to memory of 3520 2500 Hglaej32.exe 96 PID 2500 wrote to memory of 3520 2500 Hglaej32.exe 96 PID 2500 wrote to memory of 3520 2500 Hglaej32.exe 96 PID 3520 wrote to memory of 5028 3520 Hdpbon32.exe 97 PID 3520 wrote to memory of 5028 3520 Hdpbon32.exe 97 PID 3520 wrote to memory of 5028 3520 Hdpbon32.exe 97 PID 5028 wrote to memory of 4836 5028 Hacbhb32.exe 98 PID 5028 wrote to memory of 4836 5028 Hacbhb32.exe 98 PID 5028 wrote to memory of 4836 5028 Hacbhb32.exe 98 PID 4836 wrote to memory of 2808 4836 Iklgah32.exe 99 PID 4836 wrote to memory of 2808 4836 Iklgah32.exe 99 PID 4836 wrote to memory of 2808 4836 Iklgah32.exe 99 PID 2808 wrote to memory of 2628 2808 Iddljmpc.exe 100 PID 2808 wrote to memory of 2628 2808 Iddljmpc.exe 100 PID 2808 wrote to memory of 2628 2808 Iddljmpc.exe 100 PID 2628 wrote to memory of 1464 2628 Igchfiof.exe 101 PID 2628 wrote to memory of 1464 2628 Igchfiof.exe 101 PID 2628 wrote to memory of 1464 2628 Igchfiof.exe 101 PID 1464 wrote to memory of 2452 1464 Iqklon32.exe 102 PID 1464 wrote to memory of 2452 1464 Iqklon32.exe 102 PID 1464 wrote to memory of 2452 1464 Iqklon32.exe 102 PID 2452 wrote to memory of 3216 2452 Iakiia32.exe 103 PID 2452 wrote to memory of 3216 2452 Iakiia32.exe 103 PID 2452 wrote to memory of 3216 2452 Iakiia32.exe 103 PID 3216 wrote to memory of 3956 3216 Iggaah32.exe 104 PID 3216 wrote to memory of 3956 3216 Iggaah32.exe 104 PID 3216 wrote to memory of 3956 3216 Iggaah32.exe 104 PID 3956 wrote to memory of 1708 3956 Ibmeoq32.exe 105
Processes
-
C:\Users\Admin\AppData\Local\Temp\581be70e45a40bc9e69ed04aeb98cdfa9f75c791ceb522f6d4e73b1cffc6df50.exe"C:\Users\Admin\AppData\Local\Temp\581be70e45a40bc9e69ed04aeb98cdfa9f75c791ceb522f6d4e73b1cffc6df50.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4820 -
C:\Windows\SysWOW64\Gacjadad.exeC:\Windows\system32\Gacjadad.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3980 -
C:\Windows\SysWOW64\Gdafnpqh.exeC:\Windows\system32\Gdafnpqh.exe3⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3124 -
C:\Windows\SysWOW64\Ghmbno32.exeC:\Windows\system32\Ghmbno32.exe4⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2480 -
C:\Windows\SysWOW64\Ggbook32.exeC:\Windows\system32\Ggbook32.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3476 -
C:\Windows\SysWOW64\Gknkpjfb.exeC:\Windows\system32\Gknkpjfb.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:384 -
C:\Windows\SysWOW64\Gnlgleef.exeC:\Windows\system32\Gnlgleef.exe7⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:452 -
C:\Windows\SysWOW64\Hnodaecc.exeC:\Windows\system32\Hnodaecc.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4792 -
C:\Windows\SysWOW64\Hgghjjid.exeC:\Windows\system32\Hgghjjid.exe9⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4648 -
C:\Windows\SysWOW64\Hpomcp32.exeC:\Windows\system32\Hpomcp32.exe10⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4716 -
C:\Windows\SysWOW64\Hgiepjga.exeC:\Windows\system32\Hgiepjga.exe11⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4088 -
C:\Windows\SysWOW64\Hncmmd32.exeC:\Windows\system32\Hncmmd32.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4456 -
C:\Windows\SysWOW64\Hglaej32.exeC:\Windows\system32\Hglaej32.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2500 -
C:\Windows\SysWOW64\Hdpbon32.exeC:\Windows\system32\Hdpbon32.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3520 -
C:\Windows\SysWOW64\Hacbhb32.exeC:\Windows\system32\Hacbhb32.exe15⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:5028 -
C:\Windows\SysWOW64\Iklgah32.exeC:\Windows\system32\Iklgah32.exe16⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4836 -
C:\Windows\SysWOW64\Iddljmpc.exeC:\Windows\system32\Iddljmpc.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2808 -
C:\Windows\SysWOW64\Igchfiof.exeC:\Windows\system32\Igchfiof.exe18⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2628 -
C:\Windows\SysWOW64\Iqklon32.exeC:\Windows\system32\Iqklon32.exe19⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1464 -
C:\Windows\SysWOW64\Iakiia32.exeC:\Windows\system32\Iakiia32.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2452 -
C:\Windows\SysWOW64\Iggaah32.exeC:\Windows\system32\Iggaah32.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3216 -
C:\Windows\SysWOW64\Ibmeoq32.exeC:\Windows\system32\Ibmeoq32.exe22⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3956 -
C:\Windows\SysWOW64\Igjngh32.exeC:\Windows\system32\Igjngh32.exe23⤵
- Executes dropped EXE
PID:1708 -
C:\Windows\SysWOW64\Ibobdqid.exeC:\Windows\system32\Ibobdqid.exe24⤵
- Executes dropped EXE
- Modifies registry class
PID:4608 -
C:\Windows\SysWOW64\Jdnoplhh.exeC:\Windows\system32\Jdnoplhh.exe25⤵
- Executes dropped EXE
PID:748 -
C:\Windows\SysWOW64\Jbaojpgb.exeC:\Windows\system32\Jbaojpgb.exe26⤵
- Executes dropped EXE
PID:1508 -
C:\Windows\SysWOW64\Jdpkflfe.exeC:\Windows\system32\Jdpkflfe.exe27⤵
- Executes dropped EXE
PID:1512 -
C:\Windows\SysWOW64\Jnhpoamf.exeC:\Windows\system32\Jnhpoamf.exe28⤵
- Executes dropped EXE
PID:2040 -
C:\Windows\SysWOW64\Jgadgf32.exeC:\Windows\system32\Jgadgf32.exe29⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1712 -
C:\Windows\SysWOW64\Jbfheo32.exeC:\Windows\system32\Jbfheo32.exe30⤵
- Executes dropped EXE
PID:3992 -
C:\Windows\SysWOW64\Jkomneim.exeC:\Windows\system32\Jkomneim.exe31⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3968 -
C:\Windows\SysWOW64\Jgenbfoa.exeC:\Windows\system32\Jgenbfoa.exe32⤵
- Executes dropped EXE
PID:4604 -
C:\Windows\SysWOW64\Jbkbpoog.exeC:\Windows\system32\Jbkbpoog.exe33⤵
- Executes dropped EXE
PID:316 -
C:\Windows\SysWOW64\Kjffdalb.exeC:\Windows\system32\Kjffdalb.exe34⤵
- Executes dropped EXE
PID:4656 -
C:\Windows\SysWOW64\Kqpoakco.exeC:\Windows\system32\Kqpoakco.exe35⤵
- Executes dropped EXE
- Modifies registry class
PID:4324 -
C:\Windows\SysWOW64\Kjhcjq32.exeC:\Windows\system32\Kjhcjq32.exe36⤵
- Executes dropped EXE
PID:3468 -
C:\Windows\SysWOW64\Kgmcce32.exeC:\Windows\system32\Kgmcce32.exe37⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2256 -
C:\Windows\SysWOW64\Kaehljpj.exeC:\Windows\system32\Kaehljpj.exe38⤵
- Executes dropped EXE
PID:3440 -
C:\Windows\SysWOW64\Kgopidgf.exeC:\Windows\system32\Kgopidgf.exe39⤵
- Executes dropped EXE
PID:4940 -
C:\Windows\SysWOW64\Kniieo32.exeC:\Windows\system32\Kniieo32.exe40⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4736 -
C:\Windows\SysWOW64\Kageaj32.exeC:\Windows\system32\Kageaj32.exe41⤵
- Executes dropped EXE
PID:2920 -
C:\Windows\SysWOW64\Kkmioc32.exeC:\Windows\system32\Kkmioc32.exe42⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:744 -
C:\Windows\SysWOW64\Leenhhdn.exeC:\Windows\system32\Leenhhdn.exe43⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2604 -
C:\Windows\SysWOW64\Lgcjdd32.exeC:\Windows\system32\Lgcjdd32.exe44⤵
- Executes dropped EXE
- Modifies registry class
PID:3380 -
C:\Windows\SysWOW64\Ljbfpo32.exeC:\Windows\system32\Ljbfpo32.exe45⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2556 -
C:\Windows\SysWOW64\Lalnmiia.exeC:\Windows\system32\Lalnmiia.exe46⤵
- Executes dropped EXE
PID:4412 -
C:\Windows\SysWOW64\Lgffic32.exeC:\Windows\system32\Lgffic32.exe47⤵
- Executes dropped EXE
PID:3312 -
C:\Windows\SysWOW64\Lnpofnhk.exeC:\Windows\system32\Lnpofnhk.exe48⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3492 -
C:\Windows\SysWOW64\Lankbigo.exeC:\Windows\system32\Lankbigo.exe49⤵
- Executes dropped EXE
PID:2088 -
C:\Windows\SysWOW64\Lldopb32.exeC:\Windows\system32\Lldopb32.exe50⤵
- Executes dropped EXE
PID:2016 -
C:\Windows\SysWOW64\Lnbklm32.exeC:\Windows\system32\Lnbklm32.exe51⤵
- Executes dropped EXE
PID:4464 -
C:\Windows\SysWOW64\Laqhhi32.exeC:\Windows\system32\Laqhhi32.exe52⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3680 -
C:\Windows\SysWOW64\Lihpif32.exeC:\Windows\system32\Lihpif32.exe53⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:3604 -
C:\Windows\SysWOW64\Ljilqnlm.exeC:\Windows\system32\Ljilqnlm.exe54⤵
- Executes dropped EXE
PID:4420 -
C:\Windows\SysWOW64\Lbpdblmo.exeC:\Windows\system32\Lbpdblmo.exe55⤵
- Executes dropped EXE
PID:392 -
C:\Windows\SysWOW64\Leopnglc.exeC:\Windows\system32\Leopnglc.exe56⤵
- Executes dropped EXE
PID:4144 -
C:\Windows\SysWOW64\Ljkifn32.exeC:\Windows\system32\Ljkifn32.exe57⤵
- Executes dropped EXE
PID:3776 -
C:\Windows\SysWOW64\Mhoipb32.exeC:\Windows\system32\Mhoipb32.exe58⤵
- Executes dropped EXE
PID:4620 -
C:\Windows\SysWOW64\Mjneln32.exeC:\Windows\system32\Mjneln32.exe59⤵
- Executes dropped EXE
PID:1376 -
C:\Windows\SysWOW64\Mahnhhod.exeC:\Windows\system32\Mahnhhod.exe60⤵
- Executes dropped EXE
PID:1268 -
C:\Windows\SysWOW64\Mhafeb32.exeC:\Windows\system32\Mhafeb32.exe61⤵
- Executes dropped EXE
PID:4368 -
C:\Windows\SysWOW64\Mnlnbl32.exeC:\Windows\system32\Mnlnbl32.exe62⤵
- Executes dropped EXE
PID:4212 -
C:\Windows\SysWOW64\Meefofek.exeC:\Windows\system32\Meefofek.exe63⤵
- Executes dropped EXE
PID:1012 -
C:\Windows\SysWOW64\Mlpokp32.exeC:\Windows\system32\Mlpokp32.exe64⤵
- Executes dropped EXE
PID:4700 -
C:\Windows\SysWOW64\Mbighjdd.exeC:\Windows\system32\Mbighjdd.exe65⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1672 -
C:\Windows\SysWOW64\Malgcg32.exeC:\Windows\system32\Malgcg32.exe66⤵PID:2172
-
C:\Windows\SysWOW64\Mhfppabl.exeC:\Windows\system32\Mhfppabl.exe67⤵PID:4056
-
C:\Windows\SysWOW64\Mjellmbp.exeC:\Windows\system32\Mjellmbp.exe68⤵PID:3016
-
C:\Windows\SysWOW64\Maodigil.exeC:\Windows\system32\Maodigil.exe69⤵PID:2332
-
C:\Windows\SysWOW64\Mldhfpib.exeC:\Windows\system32\Mldhfpib.exe70⤵
- Drops file in System32 directory
- Modifies registry class
PID:3636 -
C:\Windows\SysWOW64\Nbnpcj32.exeC:\Windows\system32\Nbnpcj32.exe71⤵PID:1196
-
C:\Windows\SysWOW64\Nihipdhl.exeC:\Windows\system32\Nihipdhl.exe72⤵PID:2848
-
C:\Windows\SysWOW64\Nlfelogp.exeC:\Windows\system32\Nlfelogp.exe73⤵
- System Location Discovery: System Language Discovery
PID:3060 -
C:\Windows\SysWOW64\Nacmdf32.exeC:\Windows\system32\Nacmdf32.exe74⤵PID:4348
-
C:\Windows\SysWOW64\Nliaao32.exeC:\Windows\system32\Nliaao32.exe75⤵PID:4112
-
C:\Windows\SysWOW64\Nklbmllg.exeC:\Windows\system32\Nklbmllg.exe76⤵
- Modifies registry class
PID:1592 -
C:\Windows\SysWOW64\Nafjjf32.exeC:\Windows\system32\Nafjjf32.exe77⤵PID:2244
-
C:\Windows\SysWOW64\Nlkngo32.exeC:\Windows\system32\Nlkngo32.exe78⤵PID:1812
-
C:\Windows\SysWOW64\Nojjcj32.exeC:\Windows\system32\Nojjcj32.exe79⤵PID:4544
-
C:\Windows\SysWOW64\Nahgoe32.exeC:\Windows\system32\Nahgoe32.exe80⤵
- Modifies registry class
PID:4304 -
C:\Windows\SysWOW64\Nlnkmnah.exeC:\Windows\system32\Nlnkmnah.exe81⤵
- System Location Discovery: System Language Discovery
PID:2032 -
C:\Windows\SysWOW64\Najceeoo.exeC:\Windows\system32\Najceeoo.exe82⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:4448 -
C:\Windows\SysWOW64\Nefped32.exeC:\Windows\system32\Nefped32.exe83⤵PID:4480
-
C:\Windows\SysWOW64\Oondnini.exeC:\Windows\system32\Oondnini.exe84⤵PID:1468
-
C:\Windows\SysWOW64\Oampjeml.exeC:\Windows\system32\Oampjeml.exe85⤵PID:832
-
C:\Windows\SysWOW64\Okedcjcm.exeC:\Windows\system32\Okedcjcm.exe86⤵PID:404
-
C:\Windows\SysWOW64\Oifeab32.exeC:\Windows\system32\Oifeab32.exe87⤵PID:4344
-
C:\Windows\SysWOW64\Okgaijaj.exeC:\Windows\system32\Okgaijaj.exe88⤵PID:2320
-
C:\Windows\SysWOW64\Oaajed32.exeC:\Windows\system32\Oaajed32.exe89⤵PID:1608
-
C:\Windows\SysWOW64\Ohkbbn32.exeC:\Windows\system32\Ohkbbn32.exe90⤵PID:1852
-
C:\Windows\SysWOW64\Obafpg32.exeC:\Windows\system32\Obafpg32.exe91⤵PID:2248
-
C:\Windows\SysWOW64\Oeoblb32.exeC:\Windows\system32\Oeoblb32.exe92⤵PID:3596
-
C:\Windows\SysWOW64\Ohnohn32.exeC:\Windows\system32\Ohnohn32.exe93⤵PID:1636
-
C:\Windows\SysWOW64\Oklkdi32.exeC:\Windows\system32\Oklkdi32.exe94⤵PID:2152
-
C:\Windows\SysWOW64\Oafcqcea.exeC:\Windows\system32\Oafcqcea.exe95⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:228 -
C:\Windows\SysWOW64\Oeaoab32.exeC:\Windows\system32\Oeaoab32.exe96⤵PID:852
-
C:\Windows\SysWOW64\Pllgnl32.exeC:\Windows\system32\Pllgnl32.exe97⤵PID:1248
-
C:\Windows\SysWOW64\Pcepkfld.exeC:\Windows\system32\Pcepkfld.exe98⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:4808 -
C:\Windows\SysWOW64\Pedlgbkh.exeC:\Windows\system32\Pedlgbkh.exe99⤵
- Drops file in System32 directory
PID:3540 -
C:\Windows\SysWOW64\Plndcl32.exeC:\Windows\system32\Plndcl32.exe100⤵PID:3548
-
C:\Windows\SysWOW64\Polppg32.exeC:\Windows\system32\Polppg32.exe101⤵
- Modifies registry class
PID:1528 -
C:\Windows\SysWOW64\Pakllc32.exeC:\Windows\system32\Pakllc32.exe102⤵PID:5052
-
C:\Windows\SysWOW64\Pibdmp32.exeC:\Windows\system32\Pibdmp32.exe103⤵PID:1572
-
C:\Windows\SysWOW64\Pkcadhgm.exeC:\Windows\system32\Pkcadhgm.exe104⤵
- Drops file in System32 directory
PID:3652 -
C:\Windows\SysWOW64\Poomegpf.exeC:\Windows\system32\Poomegpf.exe105⤵PID:4352
-
C:\Windows\SysWOW64\Pamiaboj.exeC:\Windows\system32\Pamiaboj.exe106⤵PID:1516
-
C:\Windows\SysWOW64\Plbmokop.exeC:\Windows\system32\Plbmokop.exe107⤵PID:2760
-
C:\Windows\SysWOW64\Pkenjh32.exeC:\Windows\system32\Pkenjh32.exe108⤵PID:5136
-
C:\Windows\SysWOW64\Papfgbmg.exeC:\Windows\system32\Papfgbmg.exe109⤵PID:5180
-
C:\Windows\SysWOW64\Pifnhpmi.exeC:\Windows\system32\Pifnhpmi.exe110⤵PID:5224
-
C:\Windows\SysWOW64\Plejdkmm.exeC:\Windows\system32\Plejdkmm.exe111⤵PID:5268
-
C:\Windows\SysWOW64\Pabblb32.exeC:\Windows\system32\Pabblb32.exe112⤵PID:5312
-
C:\Windows\SysWOW64\Qhlkilba.exeC:\Windows\system32\Qhlkilba.exe113⤵PID:5360
-
C:\Windows\SysWOW64\Qofcff32.exeC:\Windows\system32\Qofcff32.exe114⤵PID:5404
-
C:\Windows\SysWOW64\Qadoba32.exeC:\Windows\system32\Qadoba32.exe115⤵PID:5448
-
C:\Windows\SysWOW64\Qhngolpo.exeC:\Windows\system32\Qhngolpo.exe116⤵PID:5492
-
C:\Windows\SysWOW64\Qljcoj32.exeC:\Windows\system32\Qljcoj32.exe117⤵
- Modifies registry class
PID:5536 -
C:\Windows\SysWOW64\Qohpkf32.exeC:\Windows\system32\Qohpkf32.exe118⤵PID:5580
-
C:\Windows\SysWOW64\Qebhhp32.exeC:\Windows\system32\Qebhhp32.exe119⤵PID:5624
-
C:\Windows\SysWOW64\Allpejfe.exeC:\Windows\system32\Allpejfe.exe120⤵PID:5668
-
C:\Windows\SysWOW64\Acfhad32.exeC:\Windows\system32\Acfhad32.exe121⤵PID:5712
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-