Analysis
-
max time kernel
93s -
max time network
94s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
11-01-2025 06:43
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
6ac204d97da28173a7899ebb9e4ee1ab3ec61457a6304e19ae52b2b3e2150c64N.exe
Resource
win7-20241023-en
windows7-x64
10 signatures
120 seconds
Behavioral task
behavioral2
Sample
6ac204d97da28173a7899ebb9e4ee1ab3ec61457a6304e19ae52b2b3e2150c64N.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
9 signatures
120 seconds
General
-
Target
6ac204d97da28173a7899ebb9e4ee1ab3ec61457a6304e19ae52b2b3e2150c64N.exe
-
Size
64KB
-
MD5
79303517ce18fe67448b5cdd0b0f58c0
-
SHA1
fb00bb914821abd18525d83c10100f26b620bb32
-
SHA256
6ac204d97da28173a7899ebb9e4ee1ab3ec61457a6304e19ae52b2b3e2150c64
-
SHA512
02bff26d21fe1903a40caf099e6f0ce9fb1f251cc766aaa45a722772fa5dc9717595701de6e515c3bbcad4b3a4d416f9417762a8873bb4e800bd9c4e83b85794
-
SSDEEP
768:+ta+Nl54s+oNvR3EnUlFlCwE6zV+ul9w9vhNuPs/1H5+h6XJ1IwEGp9ThfzyYsHv:Sa+2oN5cF6zH9QvK6FXUwXfzwv
Score
10/10
Malware Config
Extracted
Family
berbew
C2
http://tat-neftbank.ru/kkq.php
http://tat-neftbank.ru/wcmd.htm
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Modgdicm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mcgiefen.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hhknpmma.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Efjimhnh.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Inlihl32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ojbacd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eiloco32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ocgbld32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dfamapjo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kdigadjo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lenicahg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dheibpje.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mnjqmpgg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lnmkfh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Imgicgca.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ojajin32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Emnbdioi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iqpfjnba.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bfgjjm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hginecde.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iloidijb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eciplm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iphioh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ejchhgid.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Olanmgig.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Klahfp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bmhocd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jhpqaiji.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Meepdp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ogekbb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bdagpnbk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pehngkcg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eiokinbk.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Paiogf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fhdohp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gdoihpbk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hdhedh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ipflihfq.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Icdheded.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bkgeainn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bhnikc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eoideh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Glipgf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Apjkcadp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fpbflg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ibcaknbi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gpaqbbld.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Okchnk32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pkogiikb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Boflmdkk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gdjibj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mbighjdd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ljobpiql.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mepfiq32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Njiegl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Efccmidp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mmkkmc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hoobdp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nncccnol.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nclbpf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ombcji32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eiildjag.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fpjjac32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gljgbllj.exe -
Berbew family
-
Executes dropped EXE 64 IoCs
pid Process 216 Bifmqo32.exe 2372 Cpeohh32.exe 5060 Cjjcfabm.exe 456 Cpglnhad.exe 3516 Cfadkb32.exe 2768 Caghhk32.exe 4528 Cceddf32.exe 756 Cjomap32.exe 4788 Caienjfd.exe 552 Cgcmjd32.exe 232 Cidjbmcp.exe 2472 Dcjnoece.exe 2116 Diffglam.exe 3896 Dannij32.exe 2296 Dclkee32.exe 3612 Dfjgaq32.exe 5108 Diicml32.exe 3588 Dcogje32.exe 4072 Dfmcfp32.exe 4276 Dmglcj32.exe 3388 Ddadpdmn.exe 3264 Dfoplpla.exe 5044 Daediilg.exe 3448 Ddcqedkk.exe 4392 Dfamapjo.exe 3116 Emlenj32.exe 4848 Ehailbaa.exe 844 Emnbdioi.exe 4112 Ehcfaboo.exe 4732 Empoiimf.exe 2256 Efhcbodf.exe 4852 Eigonjcj.exe 1628 Epagkd32.exe 228 Eiildjag.exe 316 Eaqdegaj.exe 4396 Fkihnmhj.exe 3272 Fpeafcfa.exe 1980 Ffpicn32.exe 4024 Fphnlcdo.exe 1676 Fmlneg32.exe 2644 Fpjjac32.exe 1088 Fgdbnmji.exe 1800 Fajgkfio.exe 4784 Fhdohp32.exe 4048 Falcae32.exe 2936 Fhflnpoi.exe 1044 Gmcdffmq.exe 5000 Gpaqbbld.exe 1100 Gkgeoklj.exe 1096 Gpcmga32.exe 1624 Gdoihpbk.exe 1736 Gilapgqb.exe 4480 Gacjadad.exe 4836 Gdafnpqh.exe 1708 Ghmbno32.exe 1020 Ginnfgop.exe 916 Gphgbafl.exe 116 Gknkpjfb.exe 4756 Gahcmd32.exe 1640 Hgelek32.exe 3284 Hjchaf32.exe 2488 Hhdhon32.exe 1784 Hammhcij.exe 2764 Hgiepjga.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Knaalh32.dll Mifljdjo.exe File created C:\Windows\SysWOW64\Ohiemobf.exe Oaompd32.exe File created C:\Windows\SysWOW64\Ldipha32.exe Lmbhgd32.exe File opened for modification C:\Windows\SysWOW64\Ibcaknbi.exe Ipeeobbe.exe File opened for modification C:\Windows\SysWOW64\Hlnjbedi.exe Hipmfjee.exe File created C:\Windows\SysWOW64\Pjdhbppo.dll Jmeede32.exe File created C:\Windows\SysWOW64\Cffpglpg.dll Ljdceo32.exe File created C:\Windows\SysWOW64\Aljejh32.dll Knfeeimj.exe File opened for modification C:\Windows\SysWOW64\Bhnikc32.exe Boeebnhp.exe File created C:\Windows\SysWOW64\Ckmonl32.exe Cljobphg.exe File created C:\Windows\SysWOW64\Mfcjqc32.dll Kegpifod.exe File created C:\Windows\SysWOW64\Agnjelkm.dll Jnpfop32.exe File created C:\Windows\SysWOW64\Nihipdhl.exe Nobdbkhf.exe File created C:\Windows\SysWOW64\Lbekag32.dll Bbdhiojo.exe File created C:\Windows\SysWOW64\Copdgb32.dll Pdhbmh32.exe File created C:\Windows\SysWOW64\Bfjkjgbh.dll Ebjcajjd.exe File opened for modification C:\Windows\SysWOW64\Imgicgca.exe Iepaaico.exe File opened for modification C:\Windows\SysWOW64\Oampjeml.exe Okchnk32.exe File created C:\Windows\SysWOW64\Glipgf32.exe Geohklaa.exe File created C:\Windows\SysWOW64\Palbkhoj.dll Oklkdi32.exe File created C:\Windows\SysWOW64\Pnnlinml.dll Iciaqc32.exe File opened for modification C:\Windows\SysWOW64\Cnfaohbj.exe Ckhecmcf.exe File created C:\Windows\SysWOW64\Khliclno.dll Plbfdekd.exe File created C:\Windows\SysWOW64\Kpanan32.exe Kncaec32.exe File opened for modification C:\Windows\SysWOW64\Kjffdalb.exe Jnpfop32.exe File created C:\Windows\SysWOW64\Hejkiial.dll Phbhcmjl.exe File opened for modification C:\Windows\SysWOW64\Ciafbg32.exe Cfcjfk32.exe File created C:\Windows\SysWOW64\Ackhdo32.dll Gfokoelp.exe File opened for modification C:\Windows\SysWOW64\Bkaobnio.exe Bhbcfbjk.exe File created C:\Windows\SysWOW64\Bkncfepb.dll Modgdicm.exe File opened for modification C:\Windows\SysWOW64\Emnbdioi.exe Ehailbaa.exe File created C:\Windows\SysWOW64\Jnpfop32.exe Jibmgi32.exe File created C:\Windows\SysWOW64\Ljeffhcd.dll Hiiggoaf.exe File opened for modification C:\Windows\SysWOW64\Pdmdnadc.exe Panhbfep.exe File created C:\Windows\SysWOW64\Cmiogmig.dll Fipkjb32.exe File created C:\Windows\SysWOW64\Cndepccb.dll Pkbjjbda.exe File created C:\Windows\SysWOW64\Flfkkhid.exe Fihnomjp.exe File created C:\Windows\SysWOW64\Igfclkdj.exe Iplkpa32.exe File opened for modification C:\Windows\SysWOW64\Bnlhncgi.exe Bddcenpi.exe File created C:\Windows\SysWOW64\Elmlokdl.dll Fibhpbea.exe File created C:\Windows\SysWOW64\Ofkhpmpa.dll Nncccnol.exe File created C:\Windows\SysWOW64\Pdnjmc32.dll Lqikmc32.exe File created C:\Windows\SysWOW64\Dcgmfg32.dll Lqpamb32.exe File opened for modification C:\Windows\SysWOW64\Phaahggp.exe Pecellgl.exe File created C:\Windows\SysWOW64\Adndoe32.exe Anclbkbp.exe File opened for modification C:\Windows\SysWOW64\Bopocbcq.exe Bmabggdm.exe File created C:\Windows\SysWOW64\Ahgcjddh.exe Adkgje32.exe File created C:\Windows\SysWOW64\Klcekpdo.exe Kjeiodek.exe File opened for modification C:\Windows\SysWOW64\Ddgibkpc.exe Dpkmal32.exe File opened for modification C:\Windows\SysWOW64\Mjpbam32.exe Miofjepg.exe File created C:\Windows\SysWOW64\Cfcjfk32.exe Ckmehb32.exe File created C:\Windows\SysWOW64\Ojigdcll.exe Ohkkhhmh.exe File opened for modification C:\Windows\SysWOW64\Adkgje32.exe Aamknj32.exe File created C:\Windows\SysWOW64\Ofcmimpk.dll Emdajb32.exe File created C:\Windows\SysWOW64\Kjmqinmi.dll Miofjepg.exe File opened for modification C:\Windows\SysWOW64\Kkeldnpi.exe Kdkdgchl.exe File created C:\Windows\SysWOW64\Aaoaic32.exe Akdilipp.exe File created C:\Windows\SysWOW64\Bajqda32.exe Bhblllfo.exe File created C:\Windows\SysWOW64\Gdoihpbk.exe Gpcmga32.exe File created C:\Windows\SysWOW64\Coadnlnb.exe Clchbqoo.exe File opened for modification C:\Windows\SysWOW64\Ibfnqmpf.exe Ipgbdbqb.exe File opened for modification C:\Windows\SysWOW64\Ojbacd32.exe Ohcegi32.exe File created C:\Windows\SysWOW64\Aonoao32.exe Aefjii32.exe File created C:\Windows\SysWOW64\Chfhllkp.dll Hlnjbedi.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 2372 3000 WerFault.exe 755 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ljfhqh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kdigadjo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fihnomjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ipjoja32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jllokajf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lfgipd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cidjbmcp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dcogje32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Efccmidp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Plbfdekd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Chglab32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hipmfjee.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hehkajig.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gacjadad.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ebejfk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fdglmkeg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iebngial.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Impliekg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kkhpdcab.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lklbdm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Megljppl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pmpolgoi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dkqaoe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Alcfei32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cfpffeaj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Glipgf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cdimqm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cgifbhid.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cdnmfclj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nobdbkhf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cmmbbejp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Camddhoi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bmabggdm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Coqncejg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Emmdom32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Inlihl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ngjbaj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Omgcpokp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Phbhcmjl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aajhndkb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Idhnkf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lqpamb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Odoogi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cbpajgmf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ckmonl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ljbfpo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pkogiikb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fbcfhibj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pknqoc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hdhedh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gmojkj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fphnlcdo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bjlpjm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Glengm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lgbloglj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pdhbmh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dmadco32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hoobdp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lelchgne.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oklkdi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Djcoai32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kdkdgchl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fligqhga.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cjomap32.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Obncjbkf.dll" Gphgbafl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Knaalh32.dll" Mifljdjo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kahobhgo.dll" Obcceg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cmmbbejp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kkhpdcab.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cnnbme32.dll" Gihgfk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bhblllfo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Djfjpgfm.dll" Eiildjag.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kpdahg32.dll" Hhdhon32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Alcfei32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Clchbqoo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Clgbmp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ipgbdbqb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jcoaglhk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Llhikacp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lepein32.dll" Niakfbpa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dflmlj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ikkpgafg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Olicnfco.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aonoao32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Poomegpf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fgdbnmji.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ncabfkqo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhghaf32.dll" Ohkkhhmh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hgncclck.dll" Ckjknfnh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjkmhmpl.dll" Dfjgaq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gmdjapgb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bpfkpp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eekgliip.dll" Cacckp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eejlephc.dll" Dmglcj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aleckinj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jkakadbk.dll" Cmmbbejp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdimkqnb.dll" Jiglnf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qaqegecm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kkjlic32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Oklkdi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hmcldf32.dll" Dpgnjo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hahqkaaa.dll" Bhnikc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ineedcfb.dll" Coadnlnb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mcelpggq.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ilnbicff.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fkihnmhj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mlkonq32.dll" Fmlneg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Efccmidp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gingkqkd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Clgbmp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eoideh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oaabap32.dll" Ipeeobbe.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jcmdaljn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mmkdcm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Leenhhdn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gmdjapgb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdlhkf32.dll" Cnfaohbj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dkhnjk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lgbloglj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Falcae32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ipjoja32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmlmhc32.dll" Caojpaij.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fphnlcdo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lgflfoob.dll" Gahcmd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gdcliikj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ahgcjddh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dngjff32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iophfi32.dll" Gmimai32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3644 wrote to memory of 216 3644 6ac204d97da28173a7899ebb9e4ee1ab3ec61457a6304e19ae52b2b3e2150c64N.exe 85 PID 3644 wrote to memory of 216 3644 6ac204d97da28173a7899ebb9e4ee1ab3ec61457a6304e19ae52b2b3e2150c64N.exe 85 PID 3644 wrote to memory of 216 3644 6ac204d97da28173a7899ebb9e4ee1ab3ec61457a6304e19ae52b2b3e2150c64N.exe 85 PID 216 wrote to memory of 2372 216 Bifmqo32.exe 86 PID 216 wrote to memory of 2372 216 Bifmqo32.exe 86 PID 216 wrote to memory of 2372 216 Bifmqo32.exe 86 PID 2372 wrote to memory of 5060 2372 Cpeohh32.exe 87 PID 2372 wrote to memory of 5060 2372 Cpeohh32.exe 87 PID 2372 wrote to memory of 5060 2372 Cpeohh32.exe 87 PID 5060 wrote to memory of 456 5060 Cjjcfabm.exe 88 PID 5060 wrote to memory of 456 5060 Cjjcfabm.exe 88 PID 5060 wrote to memory of 456 5060 Cjjcfabm.exe 88 PID 456 wrote to memory of 3516 456 Cpglnhad.exe 89 PID 456 wrote to memory of 3516 456 Cpglnhad.exe 89 PID 456 wrote to memory of 3516 456 Cpglnhad.exe 89 PID 3516 wrote to memory of 2768 3516 Cfadkb32.exe 90 PID 3516 wrote to memory of 2768 3516 Cfadkb32.exe 90 PID 3516 wrote to memory of 2768 3516 Cfadkb32.exe 90 PID 2768 wrote to memory of 4528 2768 Caghhk32.exe 91 PID 2768 wrote to memory of 4528 2768 Caghhk32.exe 91 PID 2768 wrote to memory of 4528 2768 Caghhk32.exe 91 PID 4528 wrote to memory of 756 4528 Cceddf32.exe 92 PID 4528 wrote to memory of 756 4528 Cceddf32.exe 92 PID 4528 wrote to memory of 756 4528 Cceddf32.exe 92 PID 756 wrote to memory of 4788 756 Cjomap32.exe 93 PID 756 wrote to memory of 4788 756 Cjomap32.exe 93 PID 756 wrote to memory of 4788 756 Cjomap32.exe 93 PID 4788 wrote to memory of 552 4788 Caienjfd.exe 94 PID 4788 wrote to memory of 552 4788 Caienjfd.exe 94 PID 4788 wrote to memory of 552 4788 Caienjfd.exe 94 PID 552 wrote to memory of 232 552 Cgcmjd32.exe 95 PID 552 wrote to memory of 232 552 Cgcmjd32.exe 95 PID 552 wrote to memory of 232 552 Cgcmjd32.exe 95 PID 232 wrote to memory of 2472 232 Cidjbmcp.exe 96 PID 232 wrote to memory of 2472 232 Cidjbmcp.exe 96 PID 232 wrote to memory of 2472 232 Cidjbmcp.exe 96 PID 2472 wrote to memory of 2116 2472 Dcjnoece.exe 97 PID 2472 wrote to memory of 2116 2472 Dcjnoece.exe 97 PID 2472 wrote to memory of 2116 2472 Dcjnoece.exe 97 PID 2116 wrote to memory of 3896 2116 Diffglam.exe 98 PID 2116 wrote to memory of 3896 2116 Diffglam.exe 98 PID 2116 wrote to memory of 3896 2116 Diffglam.exe 98 PID 3896 wrote to memory of 2296 3896 Dannij32.exe 99 PID 3896 wrote to memory of 2296 3896 Dannij32.exe 99 PID 3896 wrote to memory of 2296 3896 Dannij32.exe 99 PID 2296 wrote to memory of 3612 2296 Dclkee32.exe 100 PID 2296 wrote to memory of 3612 2296 Dclkee32.exe 100 PID 2296 wrote to memory of 3612 2296 Dclkee32.exe 100 PID 3612 wrote to memory of 5108 3612 Dfjgaq32.exe 101 PID 3612 wrote to memory of 5108 3612 Dfjgaq32.exe 101 PID 3612 wrote to memory of 5108 3612 Dfjgaq32.exe 101 PID 5108 wrote to memory of 3588 5108 Diicml32.exe 102 PID 5108 wrote to memory of 3588 5108 Diicml32.exe 102 PID 5108 wrote to memory of 3588 5108 Diicml32.exe 102 PID 3588 wrote to memory of 4072 3588 Dcogje32.exe 103 PID 3588 wrote to memory of 4072 3588 Dcogje32.exe 103 PID 3588 wrote to memory of 4072 3588 Dcogje32.exe 103 PID 4072 wrote to memory of 4276 4072 Dfmcfp32.exe 104 PID 4072 wrote to memory of 4276 4072 Dfmcfp32.exe 104 PID 4072 wrote to memory of 4276 4072 Dfmcfp32.exe 104 PID 4276 wrote to memory of 3388 4276 Dmglcj32.exe 105 PID 4276 wrote to memory of 3388 4276 Dmglcj32.exe 105 PID 4276 wrote to memory of 3388 4276 Dmglcj32.exe 105 PID 3388 wrote to memory of 3264 3388 Ddadpdmn.exe 106
Processes
-
C:\Users\Admin\AppData\Local\Temp\6ac204d97da28173a7899ebb9e4ee1ab3ec61457a6304e19ae52b2b3e2150c64N.exe"C:\Users\Admin\AppData\Local\Temp\6ac204d97da28173a7899ebb9e4ee1ab3ec61457a6304e19ae52b2b3e2150c64N.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:3644 -
C:\Windows\SysWOW64\Bifmqo32.exeC:\Windows\system32\Bifmqo32.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:216 -
C:\Windows\SysWOW64\Cpeohh32.exeC:\Windows\system32\Cpeohh32.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2372 -
C:\Windows\SysWOW64\Cjjcfabm.exeC:\Windows\system32\Cjjcfabm.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5060 -
C:\Windows\SysWOW64\Cpglnhad.exeC:\Windows\system32\Cpglnhad.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:456 -
C:\Windows\SysWOW64\Cfadkb32.exeC:\Windows\system32\Cfadkb32.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3516 -
C:\Windows\SysWOW64\Caghhk32.exeC:\Windows\system32\Caghhk32.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2768 -
C:\Windows\SysWOW64\Cceddf32.exeC:\Windows\system32\Cceddf32.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4528 -
C:\Windows\SysWOW64\Cjomap32.exeC:\Windows\system32\Cjomap32.exe9⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:756 -
C:\Windows\SysWOW64\Caienjfd.exeC:\Windows\system32\Caienjfd.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4788 -
C:\Windows\SysWOW64\Cgcmjd32.exeC:\Windows\system32\Cgcmjd32.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:552 -
C:\Windows\SysWOW64\Cidjbmcp.exeC:\Windows\system32\Cidjbmcp.exe12⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:232 -
C:\Windows\SysWOW64\Dcjnoece.exeC:\Windows\system32\Dcjnoece.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2472 -
C:\Windows\SysWOW64\Diffglam.exeC:\Windows\system32\Diffglam.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2116 -
C:\Windows\SysWOW64\Dannij32.exeC:\Windows\system32\Dannij32.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3896 -
C:\Windows\SysWOW64\Dclkee32.exeC:\Windows\system32\Dclkee32.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2296 -
C:\Windows\SysWOW64\Dfjgaq32.exeC:\Windows\system32\Dfjgaq32.exe17⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3612 -
C:\Windows\SysWOW64\Diicml32.exeC:\Windows\system32\Diicml32.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5108 -
C:\Windows\SysWOW64\Dcogje32.exeC:\Windows\system32\Dcogje32.exe19⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3588 -
C:\Windows\SysWOW64\Dfmcfp32.exeC:\Windows\system32\Dfmcfp32.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4072 -
C:\Windows\SysWOW64\Dmglcj32.exeC:\Windows\system32\Dmglcj32.exe21⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4276 -
C:\Windows\SysWOW64\Ddadpdmn.exeC:\Windows\system32\Ddadpdmn.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3388 -
C:\Windows\SysWOW64\Dfoplpla.exeC:\Windows\system32\Dfoplpla.exe23⤵
- Executes dropped EXE
PID:3264 -
C:\Windows\SysWOW64\Daediilg.exeC:\Windows\system32\Daediilg.exe24⤵
- Executes dropped EXE
PID:5044 -
C:\Windows\SysWOW64\Ddcqedkk.exeC:\Windows\system32\Ddcqedkk.exe25⤵
- Executes dropped EXE
PID:3448 -
C:\Windows\SysWOW64\Dfamapjo.exeC:\Windows\system32\Dfamapjo.exe26⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4392 -
C:\Windows\SysWOW64\Emlenj32.exeC:\Windows\system32\Emlenj32.exe27⤵
- Executes dropped EXE
PID:3116 -
C:\Windows\SysWOW64\Ehailbaa.exeC:\Windows\system32\Ehailbaa.exe28⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4848 -
C:\Windows\SysWOW64\Emnbdioi.exeC:\Windows\system32\Emnbdioi.exe29⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:844 -
C:\Windows\SysWOW64\Ehcfaboo.exeC:\Windows\system32\Ehcfaboo.exe30⤵
- Executes dropped EXE
PID:4112 -
C:\Windows\SysWOW64\Empoiimf.exeC:\Windows\system32\Empoiimf.exe31⤵
- Executes dropped EXE
PID:4732 -
C:\Windows\SysWOW64\Efhcbodf.exeC:\Windows\system32\Efhcbodf.exe32⤵
- Executes dropped EXE
PID:2256 -
C:\Windows\SysWOW64\Eigonjcj.exeC:\Windows\system32\Eigonjcj.exe33⤵
- Executes dropped EXE
PID:4852 -
C:\Windows\SysWOW64\Epagkd32.exeC:\Windows\system32\Epagkd32.exe34⤵
- Executes dropped EXE
PID:1628 -
C:\Windows\SysWOW64\Eiildjag.exeC:\Windows\system32\Eiildjag.exe35⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:228 -
C:\Windows\SysWOW64\Eaqdegaj.exeC:\Windows\system32\Eaqdegaj.exe36⤵
- Executes dropped EXE
PID:316 -
C:\Windows\SysWOW64\Fkihnmhj.exeC:\Windows\system32\Fkihnmhj.exe37⤵
- Executes dropped EXE
- Modifies registry class
PID:4396 -
C:\Windows\SysWOW64\Fpeafcfa.exeC:\Windows\system32\Fpeafcfa.exe38⤵
- Executes dropped EXE
PID:3272 -
C:\Windows\SysWOW64\Ffpicn32.exeC:\Windows\system32\Ffpicn32.exe39⤵
- Executes dropped EXE
PID:1980 -
C:\Windows\SysWOW64\Fphnlcdo.exeC:\Windows\system32\Fphnlcdo.exe40⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:4024 -
C:\Windows\SysWOW64\Fmlneg32.exeC:\Windows\system32\Fmlneg32.exe41⤵
- Executes dropped EXE
- Modifies registry class
PID:1676 -
C:\Windows\SysWOW64\Fpjjac32.exeC:\Windows\system32\Fpjjac32.exe42⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2644 -
C:\Windows\SysWOW64\Fgdbnmji.exeC:\Windows\system32\Fgdbnmji.exe43⤵
- Executes dropped EXE
- Modifies registry class
PID:1088 -
C:\Windows\SysWOW64\Fajgkfio.exeC:\Windows\system32\Fajgkfio.exe44⤵
- Executes dropped EXE
PID:1800 -
C:\Windows\SysWOW64\Fhdohp32.exeC:\Windows\system32\Fhdohp32.exe45⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4784 -
C:\Windows\SysWOW64\Falcae32.exeC:\Windows\system32\Falcae32.exe46⤵
- Executes dropped EXE
- Modifies registry class
PID:4048 -
C:\Windows\SysWOW64\Fhflnpoi.exeC:\Windows\system32\Fhflnpoi.exe47⤵
- Executes dropped EXE
PID:2936 -
C:\Windows\SysWOW64\Gmcdffmq.exeC:\Windows\system32\Gmcdffmq.exe48⤵
- Executes dropped EXE
PID:1044 -
C:\Windows\SysWOW64\Gpaqbbld.exeC:\Windows\system32\Gpaqbbld.exe49⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:5000 -
C:\Windows\SysWOW64\Gkgeoklj.exeC:\Windows\system32\Gkgeoklj.exe50⤵
- Executes dropped EXE
PID:1100 -
C:\Windows\SysWOW64\Gpcmga32.exeC:\Windows\system32\Gpcmga32.exe51⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1096 -
C:\Windows\SysWOW64\Gdoihpbk.exeC:\Windows\system32\Gdoihpbk.exe52⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1624 -
C:\Windows\SysWOW64\Gilapgqb.exeC:\Windows\system32\Gilapgqb.exe53⤵
- Executes dropped EXE
PID:1736 -
C:\Windows\SysWOW64\Gacjadad.exeC:\Windows\system32\Gacjadad.exe54⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4480 -
C:\Windows\SysWOW64\Gdafnpqh.exeC:\Windows\system32\Gdafnpqh.exe55⤵
- Executes dropped EXE
PID:4836 -
C:\Windows\SysWOW64\Ghmbno32.exeC:\Windows\system32\Ghmbno32.exe56⤵
- Executes dropped EXE
PID:1708 -
C:\Windows\SysWOW64\Ginnfgop.exeC:\Windows\system32\Ginnfgop.exe57⤵
- Executes dropped EXE
PID:1020 -
C:\Windows\SysWOW64\Gphgbafl.exeC:\Windows\system32\Gphgbafl.exe58⤵
- Executes dropped EXE
- Modifies registry class
PID:916 -
C:\Windows\SysWOW64\Gknkpjfb.exeC:\Windows\system32\Gknkpjfb.exe59⤵
- Executes dropped EXE
PID:116 -
C:\Windows\SysWOW64\Gahcmd32.exeC:\Windows\system32\Gahcmd32.exe60⤵
- Executes dropped EXE
- Modifies registry class
PID:4756 -
C:\Windows\SysWOW64\Hgelek32.exeC:\Windows\system32\Hgelek32.exe61⤵
- Executes dropped EXE
PID:1640 -
C:\Windows\SysWOW64\Hjchaf32.exeC:\Windows\system32\Hjchaf32.exe62⤵
- Executes dropped EXE
PID:3284 -
C:\Windows\SysWOW64\Hhdhon32.exeC:\Windows\system32\Hhdhon32.exe63⤵
- Executes dropped EXE
- Modifies registry class
PID:2488 -
C:\Windows\SysWOW64\Hammhcij.exeC:\Windows\system32\Hammhcij.exe64⤵
- Executes dropped EXE
PID:1784 -
C:\Windows\SysWOW64\Hgiepjga.exeC:\Windows\system32\Hgiepjga.exe65⤵
- Executes dropped EXE
PID:2764 -
C:\Windows\SysWOW64\Hncmmd32.exeC:\Windows\system32\Hncmmd32.exe66⤵PID:4900
-
C:\Windows\SysWOW64\Hdmein32.exeC:\Windows\system32\Hdmein32.exe67⤵PID:3948
-
C:\Windows\SysWOW64\Hnfjbdmk.exeC:\Windows\system32\Hnfjbdmk.exe68⤵PID:5032
-
C:\Windows\SysWOW64\Hhknpmma.exeC:\Windows\system32\Hhknpmma.exe69⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2360 -
C:\Windows\SysWOW64\Hnhghcki.exeC:\Windows\system32\Hnhghcki.exe70⤵PID:1724
-
C:\Windows\SysWOW64\Igqkqiai.exeC:\Windows\system32\Igqkqiai.exe71⤵PID:508
-
C:\Windows\SysWOW64\Iafonaao.exeC:\Windows\system32\Iafonaao.exe72⤵PID:4028
-
C:\Windows\SysWOW64\Ihphkl32.exeC:\Windows\system32\Ihphkl32.exe73⤵PID:348
-
C:\Windows\SysWOW64\Inmpcc32.exeC:\Windows\system32\Inmpcc32.exe74⤵PID:2652
-
C:\Windows\SysWOW64\Ikqqlgem.exeC:\Windows\system32\Ikqqlgem.exe75⤵PID:2108
-
C:\Windows\SysWOW64\Iqmidndd.exeC:\Windows\system32\Iqmidndd.exe76⤵PID:4820
-
C:\Windows\SysWOW64\Ihdafkdg.exeC:\Windows\system32\Ihdafkdg.exe77⤵PID:1128
-
C:\Windows\SysWOW64\Iqpfjnba.exeC:\Windows\system32\Iqpfjnba.exe78⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3444 -
C:\Windows\SysWOW64\Iqbbpm32.exeC:\Windows\system32\Iqbbpm32.exe79⤵PID:4008
-
C:\Windows\SysWOW64\Jglklggl.exeC:\Windows\system32\Jglklggl.exe80⤵PID:3992
-
C:\Windows\SysWOW64\Jqdoem32.exeC:\Windows\system32\Jqdoem32.exe81⤵PID:3952
-
C:\Windows\SysWOW64\Jbdlop32.exeC:\Windows\system32\Jbdlop32.exe82⤵PID:2460
-
C:\Windows\SysWOW64\Jhndljll.exeC:\Windows\system32\Jhndljll.exe83⤵PID:4172
-
C:\Windows\SysWOW64\Jjopcb32.exeC:\Windows\system32\Jjopcb32.exe84⤵PID:3688
-
C:\Windows\SysWOW64\Jhpqaiji.exeC:\Windows\system32\Jhpqaiji.exe85⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4916 -
C:\Windows\SysWOW64\Jibmgi32.exeC:\Windows\system32\Jibmgi32.exe86⤵
- Drops file in System32 directory
PID:4412 -
C:\Windows\SysWOW64\Jnpfop32.exeC:\Windows\system32\Jnpfop32.exe87⤵
- Drops file in System32 directory
PID:3256 -
C:\Windows\SysWOW64\Kjffdalb.exeC:\Windows\system32\Kjffdalb.exe88⤵PID:4908
-
C:\Windows\SysWOW64\Kiggbhda.exeC:\Windows\system32\Kiggbhda.exe89⤵PID:396
-
C:\Windows\SysWOW64\Kqbkfkal.exeC:\Windows\system32\Kqbkfkal.exe90⤵PID:1120
-
C:\Windows\SysWOW64\Kkhpdcab.exeC:\Windows\system32\Kkhpdcab.exe91⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:4332 -
C:\Windows\SysWOW64\Kkjlic32.exeC:\Windows\system32\Kkjlic32.exe92⤵
- Modifies registry class
PID:4912 -
C:\Windows\SysWOW64\Kecabifp.exeC:\Windows\system32\Kecabifp.exe93⤵PID:3648
-
C:\Windows\SysWOW64\Kgamnded.exeC:\Windows\system32\Kgamnded.exe94⤵PID:5004
-
C:\Windows\SysWOW64\Leenhhdn.exeC:\Windows\system32\Leenhhdn.exe95⤵
- Modifies registry class
PID:4428 -
C:\Windows\SysWOW64\Ljbfpo32.exeC:\Windows\system32\Ljbfpo32.exe96⤵
- System Location Discovery: System Language Discovery
PID:3988 -
C:\Windows\SysWOW64\Lbinam32.exeC:\Windows\system32\Lbinam32.exe97⤵PID:2036
-
C:\Windows\SysWOW64\Licfngjd.exeC:\Windows\system32\Licfngjd.exe98⤵PID:4324
-
C:\Windows\SysWOW64\Ljdceo32.exeC:\Windows\system32\Ljdceo32.exe99⤵
- Drops file in System32 directory
PID:816 -
C:\Windows\SysWOW64\Lbkkgl32.exeC:\Windows\system32\Lbkkgl32.exe100⤵PID:2668
-
C:\Windows\SysWOW64\Lghcocol.exeC:\Windows\system32\Lghcocol.exe101⤵PID:1704
-
C:\Windows\SysWOW64\Lbngllob.exeC:\Windows\system32\Lbngllob.exe102⤵PID:920
-
C:\Windows\SysWOW64\Lelchgne.exeC:\Windows\system32\Lelchgne.exe103⤵
- System Location Discovery: System Language Discovery
PID:5080 -
C:\Windows\SysWOW64\Ljilqnlm.exeC:\Windows\system32\Ljilqnlm.exe104⤵PID:1940
-
C:\Windows\SysWOW64\Lacdmh32.exeC:\Windows\system32\Lacdmh32.exe105⤵PID:960
-
C:\Windows\SysWOW64\Lijlof32.exeC:\Windows\system32\Lijlof32.exe106⤵PID:4452
-
C:\Windows\SysWOW64\Llhikacp.exeC:\Windows\system32\Llhikacp.exe107⤵
- Modifies registry class
PID:3780 -
C:\Windows\SysWOW64\Maeachag.exeC:\Windows\system32\Maeachag.exe108⤵PID:1516
-
C:\Windows\SysWOW64\Mlkepaam.exeC:\Windows\system32\Mlkepaam.exe109⤵PID:5128
-
C:\Windows\SysWOW64\Mniallpq.exeC:\Windows\system32\Mniallpq.exe110⤵PID:5172
-
C:\Windows\SysWOW64\Miofjepg.exeC:\Windows\system32\Miofjepg.exe111⤵
- Drops file in System32 directory
PID:5216 -
C:\Windows\SysWOW64\Mjpbam32.exeC:\Windows\system32\Mjpbam32.exe112⤵PID:5260
-
C:\Windows\SysWOW64\Mbgjbkfg.exeC:\Windows\system32\Mbgjbkfg.exe113⤵PID:5304
-
C:\Windows\SysWOW64\Miaboe32.exeC:\Windows\system32\Miaboe32.exe114⤵PID:5348
-
C:\Windows\SysWOW64\Mjbogmdb.exeC:\Windows\system32\Mjbogmdb.exe115⤵PID:5392
-
C:\Windows\SysWOW64\Mbighjdd.exeC:\Windows\system32\Mbighjdd.exe116⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5436 -
C:\Windows\SysWOW64\Micoed32.exeC:\Windows\system32\Micoed32.exe117⤵PID:5480
-
C:\Windows\SysWOW64\Mjellmbp.exeC:\Windows\system32\Mjellmbp.exe118⤵PID:5524
-
C:\Windows\SysWOW64\Maodigil.exeC:\Windows\system32\Maodigil.exe119⤵PID:5568
-
C:\Windows\SysWOW64\Mifljdjo.exeC:\Windows\system32\Mifljdjo.exe120⤵
- Drops file in System32 directory
- Modifies registry class
PID:5612 -
C:\Windows\SysWOW64\Mhilfa32.exeC:\Windows\system32\Mhilfa32.exe121⤵PID:5656
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-