Analysis
-
max time kernel
118s -
max time network
20s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
19/09/2024, 04:18
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
8cfc6d9e42dcf167551fa3481d147b9f74079736d0c84da0e953c5e0c268955cN.exe
Resource
win7-20240903-en
windows7-x64
8 signatures
120 seconds
Behavioral task
behavioral2
Sample
8cfc6d9e42dcf167551fa3481d147b9f74079736d0c84da0e953c5e0c268955cN.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
8 signatures
120 seconds
General
-
Target
8cfc6d9e42dcf167551fa3481d147b9f74079736d0c84da0e953c5e0c268955cN.exe
-
Size
128KB
-
MD5
fb1eb62bd35fdc3b71023d40c22c3530
-
SHA1
2974f90410592ad16523071c33952c1e515423a2
-
SHA256
8cfc6d9e42dcf167551fa3481d147b9f74079736d0c84da0e953c5e0c268955c
-
SHA512
6a3120cf18ee62e34d28860aed77fb117113f70a580e00414dd77ec4a1d4f41d317ad006d798703ef90b1f333f7899b48ec3fc832ae165baf557835d17a537c8
-
SSDEEP
3072:jNppTypQJk1RugI7XeJ4WkWs6FEYtdZCwGtLItkiXOBSLhoMrdGB8rVl:jNppy53I7O2DX4EYtCwGtMtkiXOoloMB
Score
10/10
Malware Config
Extracted
Family
berbew
C2
http://viruslist.com/wcmd.txt
http://viruslist.com/ppslog.php
http://viruslist.com/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kknfme32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lpejnj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Hgjfnl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Imbakfcc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Llkijb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bakgmgpe.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kgghidfm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Gceghn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Alpmep32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nqfigjgi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gbeakllj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hhfcnb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nbnajcig.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kmldajml.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Hdnggq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Mdjppnkk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Cgicko32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Nbdpfc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Lifoia32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fkgemh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Iohiafag.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Anpekggc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Dmkipb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Monjpp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jmdcecpp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jkdbibmf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Nqfigjgi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Qohfcmhf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Condfo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Hcjpcmjg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Qlmnfh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Moedbl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ilkhabeg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ecklgdag.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ohdmhhod.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Kkkgnmqb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Bkkiab32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Kaigmoiq.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Odpghiqc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Doibhekc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Fgbpmh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qmijij32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ahilhikb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ffokan32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hlliof32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kfflal32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Fhljgn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Hoflpbmo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pdpoeo32.exe -
Executes dropped EXE 64 IoCs
pid Process 2356 Pfmgmm32.exe 2248 Pjkpckob.exe 2732 Qloiqcbn.exe 2264 Qhejed32.exe 1688 Aelgdhei.exe 2640 Andlmnki.exe 1720 Ajkmbo32.exe 2420 Adenqd32.exe 2432 Beignlig.exe 2560 Bigpdjpm.exe 2872 Bkkiab32.exe 1744 Bkmegaaf.exe 612 Ckoblapc.exe 1740 Calgoken.exe 1392 Ccoplcii.exe 1456 Cofaad32.exe 3020 Dhaboi32.exe 772 Dbighojl.exe 1476 Dfgpnm32.exe 1328 Dnbdbomn.exe 2204 Dbpmin32.exe 2024 Egmeadbk.exe 2300 Enijcn32.exe 1312 Echpaecj.exe 1924 Ecklgdag.exe 2372 Emcqpjhh.exe 2788 Fngjmb32.exe 2708 Fhonegbd.exe 2720 Fdhlphff.exe 2696 Fnnpma32.exe 2744 Fjdqbbkp.exe 2464 Gbpegdik.exe 1940 Gmejdm32.exe 1400 Gfpkbbmo.exe 2896 Hejaon32.exe 2284 Hdonpjbi.exe 2904 Hincna32.exe 2924 Hcghffen.exe 1980 Ihfmdm32.exe 2144 Ianambhc.exe 2168 Ilcfjkgj.exe 2180 Ilfbpk32.exe 3040 Ifngiqlg.exe 1908 Injlmcib.exe 1768 Jqjdon32.exe 1284 Jmaedolh.exe 2012 Jcknqicd.exe 2504 Jmcbio32.exe 2456 Jgiffg32.exe 1652 Jodkkj32.exe 2368 Jjjohbgl.exe 2828 Jmhkdnfp.exe 1844 Kfqpmc32.exe 2936 Knldaf32.exe 2632 Kefmnp32.exe 2196 Kpkali32.exe 2888 Kkbbqjgb.exe 2460 Kaojiqej.exe 2908 Lneghd32.exe 1060 Ljlhme32.exe 2984 Lafpipoa.exe 2656 Lmmaoq32.exe 2400 Lbijgg32.exe 2240 Lpmjplag.exe -
Loads dropped DLL 64 IoCs
pid Process 904 8cfc6d9e42dcf167551fa3481d147b9f74079736d0c84da0e953c5e0c268955cN.exe 904 8cfc6d9e42dcf167551fa3481d147b9f74079736d0c84da0e953c5e0c268955cN.exe 2356 Pfmgmm32.exe 2356 Pfmgmm32.exe 2248 Pjkpckob.exe 2248 Pjkpckob.exe 2732 Qloiqcbn.exe 2732 Qloiqcbn.exe 2264 Qhejed32.exe 2264 Qhejed32.exe 1688 Aelgdhei.exe 1688 Aelgdhei.exe 2640 Andlmnki.exe 2640 Andlmnki.exe 1720 Ajkmbo32.exe 1720 Ajkmbo32.exe 2420 Adenqd32.exe 2420 Adenqd32.exe 2432 Beignlig.exe 2432 Beignlig.exe 2560 Bigpdjpm.exe 2560 Bigpdjpm.exe 2872 Bkkiab32.exe 2872 Bkkiab32.exe 1744 Bkmegaaf.exe 1744 Bkmegaaf.exe 612 Ckoblapc.exe 612 Ckoblapc.exe 1740 Calgoken.exe 1740 Calgoken.exe 1392 Ccoplcii.exe 1392 Ccoplcii.exe 1456 Cofaad32.exe 1456 Cofaad32.exe 3020 Dhaboi32.exe 3020 Dhaboi32.exe 772 Dbighojl.exe 772 Dbighojl.exe 1476 Dfgpnm32.exe 1476 Dfgpnm32.exe 1328 Dnbdbomn.exe 1328 Dnbdbomn.exe 2204 Dbpmin32.exe 2204 Dbpmin32.exe 2024 Egmeadbk.exe 2024 Egmeadbk.exe 2300 Enijcn32.exe 2300 Enijcn32.exe 1312 Echpaecj.exe 1312 Echpaecj.exe 1924 Ecklgdag.exe 1924 Ecklgdag.exe 2372 Emcqpjhh.exe 2372 Emcqpjhh.exe 2788 Fngjmb32.exe 2788 Fngjmb32.exe 2708 Fhonegbd.exe 2708 Fhonegbd.exe 2720 Fdhlphff.exe 2720 Fdhlphff.exe 2696 Fnnpma32.exe 2696 Fnnpma32.exe 2744 Fjdqbbkp.exe 2744 Fjdqbbkp.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Pcfifk32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Hempmfcb.exe Hldldq32.exe File opened for modification C:\Windows\SysWOW64\Ijipbchn.exe Ijgcmc32.exe File created C:\Windows\SysWOW64\Jnedqnni.dll Process not Found File opened for modification C:\Windows\SysWOW64\Fphegici.exe Process not Found File created C:\Windows\SysWOW64\Ccdnep32.exe Process not Found File created C:\Windows\SysWOW64\Knabngen.exe Kdinea32.exe File opened for modification C:\Windows\SysWOW64\Nnokohkj.exe Negffbdi.exe File opened for modification C:\Windows\SysWOW64\Didiclbc.exe Dfdpbaeb.exe File opened for modification C:\Windows\SysWOW64\Lpmgioed.exe Lokkag32.exe File created C:\Windows\SysWOW64\Bkfqbgni.exe Bbnlia32.exe File opened for modification C:\Windows\SysWOW64\Pbmoke32.exe Piejbpgk.exe File opened for modification C:\Windows\SysWOW64\Hfbicg32.exe Process not Found File created C:\Windows\SysWOW64\Lgibjo32.dll Fhbcaa32.exe File opened for modification C:\Windows\SysWOW64\Emojih32.exe Eiabbicf.exe File created C:\Windows\SysWOW64\Gjllml32.dll Process not Found File created C:\Windows\SysWOW64\Hqpepigh.dll Process not Found File created C:\Windows\SysWOW64\Jjjohbgl.exe Jodkkj32.exe File opened for modification C:\Windows\SysWOW64\Eaaajo32.exe Dhimaill.exe File created C:\Windows\SysWOW64\Mieiip32.exe Process not Found File created C:\Windows\SysWOW64\Fkbhkplc.exe Process not Found File created C:\Windows\SysWOW64\Klkjbf32.exe Kogjib32.exe File created C:\Windows\SysWOW64\Gcqika32.exe Gemham32.exe File created C:\Windows\SysWOW64\Pbhepfbq.exe Plnmcl32.exe File opened for modification C:\Windows\SysWOW64\Lellfe32.exe Process not Found File created C:\Windows\SysWOW64\Kcmbco32.exe Kjdmjiae.exe File created C:\Windows\SysWOW64\Ffhoam32.exe Emojih32.exe File created C:\Windows\SysWOW64\Hlbade32.dll Icmnib32.exe File created C:\Windows\SysWOW64\Dkabjkek.dll Process not Found File created C:\Windows\SysWOW64\Gokcej32.dll Opokbdhc.exe File opened for modification C:\Windows\SysWOW64\Eioemj32.exe Edbmec32.exe File created C:\Windows\SysWOW64\Mildlmma.exe Mdplcfoi.exe File created C:\Windows\SysWOW64\Kfoiejdf.exe Process not Found File opened for modification C:\Windows\SysWOW64\Aclfigao.exe Ajcbpbkn.exe File opened for modification C:\Windows\SysWOW64\Cgbochop.exe Caffkapi.exe File created C:\Windows\SysWOW64\Mdgdid32.dll Process not Found File opened for modification C:\Windows\SysWOW64\Cloqaiil.exe Process not Found File opened for modification C:\Windows\SysWOW64\Fjgcdc32.exe Process not Found File created C:\Windows\SysWOW64\Anapcg32.dll Ojojmfed.exe File opened for modification C:\Windows\SysWOW64\Dlbanfbo.exe Dgehfodh.exe File opened for modification C:\Windows\SysWOW64\Mmijmn32.exe Mbdepe32.exe File created C:\Windows\SysWOW64\Iakidg32.dll Ihiogb32.exe File opened for modification C:\Windows\SysWOW64\Dolondiq.exe Deckeo32.exe File opened for modification C:\Windows\SysWOW64\Lcgnmlkk.exe Llkijb32.exe File opened for modification C:\Windows\SysWOW64\Olfnpnfl.exe Obnigi32.exe File created C:\Windows\SysWOW64\Afikmi32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Anpekggc.exe Qokhjjbk.exe File opened for modification C:\Windows\SysWOW64\Bmcnmapk.exe Bpomdmqa.exe File created C:\Windows\SysWOW64\Dcohih32.exe Dmbpaa32.exe File created C:\Windows\SysWOW64\Lcnojqdi.dll Kgahcn32.exe File created C:\Windows\SysWOW64\Gongkn32.dll Jfoeqmfg.exe File created C:\Windows\SysWOW64\Kkiclecl.dll Process not Found File created C:\Windows\SysWOW64\Kbjbck32.dll Process not Found File created C:\Windows\SysWOW64\Eodafp32.exe Process not Found File created C:\Windows\SysWOW64\Gqbaqccn.exe Gfippego.exe File created C:\Windows\SysWOW64\Lkgpmj32.exe Lpbkpa32.exe File created C:\Windows\SysWOW64\Balmjmeh.exe Process not Found File opened for modification C:\Windows\SysWOW64\Hldkfm32.exe Process not Found File created C:\Windows\SysWOW64\Ccgdeo32.dll Process not Found File created C:\Windows\SysWOW64\Legnoo32.dll Hempmfcb.exe File opened for modification C:\Windows\SysWOW64\Aqfiqjgb.exe Agmehd32.exe File opened for modification C:\Windows\SysWOW64\Obllai32.exe Omodibcg.exe File created C:\Windows\SysWOW64\Kopclo32.dll Emfhbi32.exe File created C:\Windows\SysWOW64\Dckbme32.dll Fcacfd32.exe -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lkmbliip.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dmfkcf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ajkokgia.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ipefba32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Efkfbp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Obllai32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eldkkali.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aepqac32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Enomam32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Onkoadhm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hlopbe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jaejfj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eghcckld.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Madbll32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aiioanpf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Haldgbkc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hkaicl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mmjqhd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bpfnbkfk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lgaoqdmk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gkijpnbl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gmejdm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aklgabbh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ibghfj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ebofpc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gcpdip32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cckjeq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kkjeedio.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cbfidfem.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Egpfheoa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hgfqen32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pfhghgie.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Alnoepam.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fgmmnj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aaaohfjo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hkkcdq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bkooed32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ngikaijm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Djokgk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Henipenb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ojfjke32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ihiogb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Macpcccp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dlmqip32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jfpagd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nobpjbcn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hhobbqkc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Agmehd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Phbhpo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dehfig32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Limogpna.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mildlmma.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Lmmaoq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Epimjd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mlokem32.dll" Pdhdcnng.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Hchcmnlj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Jifmgman.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Kebggncm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iaknnhph.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oaidloac.dll" Kaojiqej.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmbaklha.dll" Cahbem32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Neohbe32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Fphqehda.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Blplkp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Lmmcgilj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Kjdmjiae.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Hlopbe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpfkhooh.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Fnjkdcii.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Klcofleb.dll" Gkkkgkla.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Lkgpmj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbmjekje.dll" Hfnhcami.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Alldjd32.dll" Cklnog32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dfgekbni.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Dolondiq.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Efkfbp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Adkaib32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Bpomdmqa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bidljiol.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ngikaijm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Mgqigohb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Hkhfoa32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Lneghd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Hhfcnb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pihfin32.dll" Hbgjoo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Odknmi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mnadjb32.dll" Ckklfoah.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Anobknbi.dll" Djeoan32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ponene32.dll" Llhgce32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Giifkd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Cjnege32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jngfml32.dll" Cbijkh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fhfllb32.dll" Gmgfli32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ecpbhlqh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fkfndfdl.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfklfa32.dll" Ianambhc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Kefmnp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fdomqo32.dll" Gpknjp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Hkkcdq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Cdbfanao.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dclhap32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ildhcd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Jicgoohq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dplilono.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mhfcoglc.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 904 wrote to memory of 2356 904 8cfc6d9e42dcf167551fa3481d147b9f74079736d0c84da0e953c5e0c268955cN.exe 29 PID 904 wrote to memory of 2356 904 8cfc6d9e42dcf167551fa3481d147b9f74079736d0c84da0e953c5e0c268955cN.exe 29 PID 904 wrote to memory of 2356 904 8cfc6d9e42dcf167551fa3481d147b9f74079736d0c84da0e953c5e0c268955cN.exe 29 PID 904 wrote to memory of 2356 904 8cfc6d9e42dcf167551fa3481d147b9f74079736d0c84da0e953c5e0c268955cN.exe 29 PID 2356 wrote to memory of 2248 2356 Pfmgmm32.exe 30 PID 2356 wrote to memory of 2248 2356 Pfmgmm32.exe 30 PID 2356 wrote to memory of 2248 2356 Pfmgmm32.exe 30 PID 2356 wrote to memory of 2248 2356 Pfmgmm32.exe 30 PID 2248 wrote to memory of 2732 2248 Pjkpckob.exe 31 PID 2248 wrote to memory of 2732 2248 Pjkpckob.exe 31 PID 2248 wrote to memory of 2732 2248 Pjkpckob.exe 31 PID 2248 wrote to memory of 2732 2248 Pjkpckob.exe 31 PID 2732 wrote to memory of 2264 2732 Qloiqcbn.exe 32 PID 2732 wrote to memory of 2264 2732 Qloiqcbn.exe 32 PID 2732 wrote to memory of 2264 2732 Qloiqcbn.exe 32 PID 2732 wrote to memory of 2264 2732 Qloiqcbn.exe 32 PID 2264 wrote to memory of 1688 2264 Qhejed32.exe 33 PID 2264 wrote to memory of 1688 2264 Qhejed32.exe 33 PID 2264 wrote to memory of 1688 2264 Qhejed32.exe 33 PID 2264 wrote to memory of 1688 2264 Qhejed32.exe 33 PID 1688 wrote to memory of 2640 1688 Aelgdhei.exe 34 PID 1688 wrote to memory of 2640 1688 Aelgdhei.exe 34 PID 1688 wrote to memory of 2640 1688 Aelgdhei.exe 34 PID 1688 wrote to memory of 2640 1688 Aelgdhei.exe 34 PID 2640 wrote to memory of 1720 2640 Andlmnki.exe 35 PID 2640 wrote to memory of 1720 2640 Andlmnki.exe 35 PID 2640 wrote to memory of 1720 2640 Andlmnki.exe 35 PID 2640 wrote to memory of 1720 2640 Andlmnki.exe 35 PID 1720 wrote to memory of 2420 1720 Ajkmbo32.exe 36 PID 1720 wrote to memory of 2420 1720 Ajkmbo32.exe 36 PID 1720 wrote to memory of 2420 1720 Ajkmbo32.exe 36 PID 1720 wrote to memory of 2420 1720 Ajkmbo32.exe 36 PID 2420 wrote to memory of 2432 2420 Adenqd32.exe 37 PID 2420 wrote to memory of 2432 2420 Adenqd32.exe 37 PID 2420 wrote to memory of 2432 2420 Adenqd32.exe 37 PID 2420 wrote to memory of 2432 2420 Adenqd32.exe 37 PID 2432 wrote to memory of 2560 2432 Beignlig.exe 38 PID 2432 wrote to memory of 2560 2432 Beignlig.exe 38 PID 2432 wrote to memory of 2560 2432 Beignlig.exe 38 PID 2432 wrote to memory of 2560 2432 Beignlig.exe 38 PID 2560 wrote to memory of 2872 2560 Bigpdjpm.exe 39 PID 2560 wrote to memory of 2872 2560 Bigpdjpm.exe 39 PID 2560 wrote to memory of 2872 2560 Bigpdjpm.exe 39 PID 2560 wrote to memory of 2872 2560 Bigpdjpm.exe 39 PID 2872 wrote to memory of 1744 2872 Bkkiab32.exe 40 PID 2872 wrote to memory of 1744 2872 Bkkiab32.exe 40 PID 2872 wrote to memory of 1744 2872 Bkkiab32.exe 40 PID 2872 wrote to memory of 1744 2872 Bkkiab32.exe 40 PID 1744 wrote to memory of 612 1744 Bkmegaaf.exe 41 PID 1744 wrote to memory of 612 1744 Bkmegaaf.exe 41 PID 1744 wrote to memory of 612 1744 Bkmegaaf.exe 41 PID 1744 wrote to memory of 612 1744 Bkmegaaf.exe 41 PID 612 wrote to memory of 1740 612 Ckoblapc.exe 42 PID 612 wrote to memory of 1740 612 Ckoblapc.exe 42 PID 612 wrote to memory of 1740 612 Ckoblapc.exe 42 PID 612 wrote to memory of 1740 612 Ckoblapc.exe 42 PID 1740 wrote to memory of 1392 1740 Calgoken.exe 43 PID 1740 wrote to memory of 1392 1740 Calgoken.exe 43 PID 1740 wrote to memory of 1392 1740 Calgoken.exe 43 PID 1740 wrote to memory of 1392 1740 Calgoken.exe 43 PID 1392 wrote to memory of 1456 1392 Ccoplcii.exe 44 PID 1392 wrote to memory of 1456 1392 Ccoplcii.exe 44 PID 1392 wrote to memory of 1456 1392 Ccoplcii.exe 44 PID 1392 wrote to memory of 1456 1392 Ccoplcii.exe 44
Processes
-
C:\Users\Admin\AppData\Local\Temp\8cfc6d9e42dcf167551fa3481d147b9f74079736d0c84da0e953c5e0c268955cN.exe"C:\Users\Admin\AppData\Local\Temp\8cfc6d9e42dcf167551fa3481d147b9f74079736d0c84da0e953c5e0c268955cN.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:904 -
C:\Windows\SysWOW64\Pfmgmm32.exeC:\Windows\system32\Pfmgmm32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2356 -
C:\Windows\SysWOW64\Pjkpckob.exeC:\Windows\system32\Pjkpckob.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2248 -
C:\Windows\SysWOW64\Qloiqcbn.exeC:\Windows\system32\Qloiqcbn.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2732 -
C:\Windows\SysWOW64\Qhejed32.exeC:\Windows\system32\Qhejed32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2264 -
C:\Windows\SysWOW64\Aelgdhei.exeC:\Windows\system32\Aelgdhei.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1688 -
C:\Windows\SysWOW64\Andlmnki.exeC:\Windows\system32\Andlmnki.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2640 -
C:\Windows\SysWOW64\Ajkmbo32.exeC:\Windows\system32\Ajkmbo32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1720 -
C:\Windows\SysWOW64\Adenqd32.exeC:\Windows\system32\Adenqd32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2420 -
C:\Windows\SysWOW64\Beignlig.exeC:\Windows\system32\Beignlig.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2432 -
C:\Windows\SysWOW64\Bigpdjpm.exeC:\Windows\system32\Bigpdjpm.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2560 -
C:\Windows\SysWOW64\Bkkiab32.exeC:\Windows\system32\Bkkiab32.exe12⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2872 -
C:\Windows\SysWOW64\Bkmegaaf.exeC:\Windows\system32\Bkmegaaf.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1744 -
C:\Windows\SysWOW64\Ckoblapc.exeC:\Windows\system32\Ckoblapc.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:612 -
C:\Windows\SysWOW64\Calgoken.exeC:\Windows\system32\Calgoken.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1740 -
C:\Windows\SysWOW64\Ccoplcii.exeC:\Windows\system32\Ccoplcii.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1392 -
C:\Windows\SysWOW64\Cofaad32.exeC:\Windows\system32\Cofaad32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1456 -
C:\Windows\SysWOW64\Dhaboi32.exeC:\Windows\system32\Dhaboi32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3020 -
C:\Windows\SysWOW64\Dbighojl.exeC:\Windows\system32\Dbighojl.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:772 -
C:\Windows\SysWOW64\Dfgpnm32.exeC:\Windows\system32\Dfgpnm32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1476 -
C:\Windows\SysWOW64\Dnbdbomn.exeC:\Windows\system32\Dnbdbomn.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1328 -
C:\Windows\SysWOW64\Dbpmin32.exeC:\Windows\system32\Dbpmin32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2204 -
C:\Windows\SysWOW64\Egmeadbk.exeC:\Windows\system32\Egmeadbk.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2024 -
C:\Windows\SysWOW64\Enijcn32.exeC:\Windows\system32\Enijcn32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2300 -
C:\Windows\SysWOW64\Echpaecj.exeC:\Windows\system32\Echpaecj.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1312 -
C:\Windows\SysWOW64\Ecklgdag.exeC:\Windows\system32\Ecklgdag.exe26⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1924 -
C:\Windows\SysWOW64\Emcqpjhh.exeC:\Windows\system32\Emcqpjhh.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2372 -
C:\Windows\SysWOW64\Fngjmb32.exeC:\Windows\system32\Fngjmb32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2788 -
C:\Windows\SysWOW64\Fhonegbd.exeC:\Windows\system32\Fhonegbd.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2708 -
C:\Windows\SysWOW64\Fdhlphff.exeC:\Windows\system32\Fdhlphff.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2720 -
C:\Windows\SysWOW64\Fnnpma32.exeC:\Windows\system32\Fnnpma32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2696 -
C:\Windows\SysWOW64\Fjdqbbkp.exeC:\Windows\system32\Fjdqbbkp.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2744 -
C:\Windows\SysWOW64\Gbpegdik.exeC:\Windows\system32\Gbpegdik.exe33⤵
- Executes dropped EXE
PID:2464 -
C:\Windows\SysWOW64\Gmejdm32.exeC:\Windows\system32\Gmejdm32.exe34⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1940 -
C:\Windows\SysWOW64\Gfpkbbmo.exeC:\Windows\system32\Gfpkbbmo.exe35⤵
- Executes dropped EXE
PID:1400 -
C:\Windows\SysWOW64\Hejaon32.exeC:\Windows\system32\Hejaon32.exe36⤵
- Executes dropped EXE
PID:2896 -
C:\Windows\SysWOW64\Hdonpjbi.exeC:\Windows\system32\Hdonpjbi.exe37⤵
- Executes dropped EXE
PID:2284 -
C:\Windows\SysWOW64\Hincna32.exeC:\Windows\system32\Hincna32.exe38⤵
- Executes dropped EXE
PID:2904 -
C:\Windows\SysWOW64\Hcghffen.exeC:\Windows\system32\Hcghffen.exe39⤵
- Executes dropped EXE
PID:2924 -
C:\Windows\SysWOW64\Ihfmdm32.exeC:\Windows\system32\Ihfmdm32.exe40⤵
- Executes dropped EXE
PID:1980 -
C:\Windows\SysWOW64\Ianambhc.exeC:\Windows\system32\Ianambhc.exe41⤵
- Executes dropped EXE
- Modifies registry class
PID:2144 -
C:\Windows\SysWOW64\Ilcfjkgj.exeC:\Windows\system32\Ilcfjkgj.exe42⤵
- Executes dropped EXE
PID:2168 -
C:\Windows\SysWOW64\Ilfbpk32.exeC:\Windows\system32\Ilfbpk32.exe43⤵
- Executes dropped EXE
PID:2180 -
C:\Windows\SysWOW64\Ifngiqlg.exeC:\Windows\system32\Ifngiqlg.exe44⤵
- Executes dropped EXE
PID:3040 -
C:\Windows\SysWOW64\Injlmcib.exeC:\Windows\system32\Injlmcib.exe45⤵
- Executes dropped EXE
PID:1908 -
C:\Windows\SysWOW64\Jqjdon32.exeC:\Windows\system32\Jqjdon32.exe46⤵
- Executes dropped EXE
PID:1768 -
C:\Windows\SysWOW64\Jmaedolh.exeC:\Windows\system32\Jmaedolh.exe47⤵
- Executes dropped EXE
PID:1284 -
C:\Windows\SysWOW64\Jcknqicd.exeC:\Windows\system32\Jcknqicd.exe48⤵
- Executes dropped EXE
PID:2012 -
C:\Windows\SysWOW64\Jmcbio32.exeC:\Windows\system32\Jmcbio32.exe49⤵
- Executes dropped EXE
PID:2504 -
C:\Windows\SysWOW64\Jgiffg32.exeC:\Windows\system32\Jgiffg32.exe50⤵
- Executes dropped EXE
PID:2456 -
C:\Windows\SysWOW64\Jodkkj32.exeC:\Windows\system32\Jodkkj32.exe51⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1652 -
C:\Windows\SysWOW64\Jjjohbgl.exeC:\Windows\system32\Jjjohbgl.exe52⤵
- Executes dropped EXE
PID:2368 -
C:\Windows\SysWOW64\Jmhkdnfp.exeC:\Windows\system32\Jmhkdnfp.exe53⤵
- Executes dropped EXE
PID:2828 -
C:\Windows\SysWOW64\Kfqpmc32.exeC:\Windows\system32\Kfqpmc32.exe54⤵
- Executes dropped EXE
PID:1844 -
C:\Windows\SysWOW64\Knldaf32.exeC:\Windows\system32\Knldaf32.exe55⤵
- Executes dropped EXE
PID:2936 -
C:\Windows\SysWOW64\Kefmnp32.exeC:\Windows\system32\Kefmnp32.exe56⤵
- Executes dropped EXE
- Modifies registry class
PID:2632 -
C:\Windows\SysWOW64\Kpkali32.exeC:\Windows\system32\Kpkali32.exe57⤵
- Executes dropped EXE
PID:2196 -
C:\Windows\SysWOW64\Kkbbqjgb.exeC:\Windows\system32\Kkbbqjgb.exe58⤵
- Executes dropped EXE
PID:2888 -
C:\Windows\SysWOW64\Kaojiqej.exeC:\Windows\system32\Kaojiqej.exe59⤵
- Executes dropped EXE
- Modifies registry class
PID:2460 -
C:\Windows\SysWOW64\Lneghd32.exeC:\Windows\system32\Lneghd32.exe60⤵
- Executes dropped EXE
- Modifies registry class
PID:2908 -
C:\Windows\SysWOW64\Ljlhme32.exeC:\Windows\system32\Ljlhme32.exe61⤵
- Executes dropped EXE
PID:1060 -
C:\Windows\SysWOW64\Lafpipoa.exeC:\Windows\system32\Lafpipoa.exe62⤵
- Executes dropped EXE
PID:2984 -
C:\Windows\SysWOW64\Lmmaoq32.exeC:\Windows\system32\Lmmaoq32.exe63⤵
- Executes dropped EXE
- Modifies registry class
PID:2656 -
C:\Windows\SysWOW64\Lbijgg32.exeC:\Windows\system32\Lbijgg32.exe64⤵
- Executes dropped EXE
PID:2400 -
C:\Windows\SysWOW64\Lpmjplag.exeC:\Windows\system32\Lpmjplag.exe65⤵
- Executes dropped EXE
PID:2240 -
C:\Windows\SysWOW64\Lifoia32.exeC:\Windows\system32\Lifoia32.exe66⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2868 -
C:\Windows\SysWOW64\Laacmc32.exeC:\Windows\system32\Laacmc32.exe67⤵PID:2860
-
C:\Windows\SysWOW64\Mlfgkleh.exeC:\Windows\system32\Mlfgkleh.exe68⤵PID:1992
-
C:\Windows\SysWOW64\Macpcccp.exeC:\Windows\system32\Macpcccp.exe69⤵
- System Location Discovery: System Language Discovery
PID:1616 -
C:\Windows\SysWOW64\Mlidplcf.exeC:\Windows\system32\Mlidplcf.exe70⤵PID:628
-
C:\Windows\SysWOW64\Mmjqhd32.exeC:\Windows\system32\Mmjqhd32.exe71⤵
- System Location Discovery: System Language Discovery
PID:2160 -
C:\Windows\SysWOW64\Mahinb32.exeC:\Windows\system32\Mahinb32.exe72⤵PID:2780
-
C:\Windows\SysWOW64\Mkqnghfk.exeC:\Windows\system32\Mkqnghfk.exe73⤵PID:2804
-
C:\Windows\SysWOW64\Mpmfoodb.exeC:\Windows\system32\Mpmfoodb.exe74⤵PID:2880
-
C:\Windows\SysWOW64\Miekhd32.exeC:\Windows\system32\Miekhd32.exe75⤵PID:1656
-
C:\Windows\SysWOW64\Ngikaijm.exeC:\Windows\system32\Ngikaijm.exe76⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2544 -
C:\Windows\SysWOW64\Nmccnc32.exeC:\Windows\system32\Nmccnc32.exe77⤵PID:2244
-
C:\Windows\SysWOW64\Neohbe32.exeC:\Windows\system32\Neohbe32.exe78⤵
- Modifies registry class
PID:980 -
C:\Windows\SysWOW64\Ncbilimn.exeC:\Windows\system32\Ncbilimn.exe79⤵PID:2668
-
C:\Windows\SysWOW64\Nhpadpke.exeC:\Windows\system32\Nhpadpke.exe80⤵PID:960
-
C:\Windows\SysWOW64\Nceeaikk.exeC:\Windows\system32\Nceeaikk.exe81⤵PID:2340
-
C:\Windows\SysWOW64\Nhbnjpic.exeC:\Windows\system32\Nhbnjpic.exe82⤵PID:2996
-
C:\Windows\SysWOW64\Najbbepc.exeC:\Windows\system32\Najbbepc.exe83⤵PID:696
-
C:\Windows\SysWOW64\Oggkklnk.exeC:\Windows\system32\Oggkklnk.exe84⤵PID:1948
-
C:\Windows\SysWOW64\Opoocb32.exeC:\Windows\system32\Opoocb32.exe85⤵PID:1568
-
C:\Windows\SysWOW64\Okecak32.exeC:\Windows\system32\Okecak32.exe86⤵PID:1804
-
C:\Windows\SysWOW64\Odmhjp32.exeC:\Windows\system32\Odmhjp32.exe87⤵PID:2528
-
C:\Windows\SysWOW64\Okgpfjbo.exeC:\Windows\system32\Okgpfjbo.exe88⤵PID:2380
-
C:\Windows\SysWOW64\Odpeop32.exeC:\Windows\system32\Odpeop32.exe89⤵PID:2776
-
C:\Windows\SysWOW64\Ofaaghom.exeC:\Windows\system32\Ofaaghom.exe90⤵PID:2976
-
C:\Windows\SysWOW64\Ooiepnen.exeC:\Windows\system32\Ooiepnen.exe91⤵PID:2580
-
C:\Windows\SysWOW64\Ogpnakfp.exeC:\Windows\system32\Ogpnakfp.exe92⤵PID:1920
-
C:\Windows\SysWOW64\Ojojmfed.exeC:\Windows\system32\Ojojmfed.exe93⤵
- Drops file in System32 directory
PID:2416 -
C:\Windows\SysWOW64\Oqibjq32.exeC:\Windows\system32\Oqibjq32.exe94⤵PID:2344
-
C:\Windows\SysWOW64\Pjafbfca.exeC:\Windows\system32\Pjafbfca.exe95⤵PID:2328
-
C:\Windows\SysWOW64\Pkbcjn32.exeC:\Windows\system32\Pkbcjn32.exe96⤵PID:1820
-
C:\Windows\SysWOW64\Pfhghgie.exeC:\Windows\system32\Pfhghgie.exe97⤵
- System Location Discovery: System Language Discovery
PID:2136 -
C:\Windows\SysWOW64\Pbohmh32.exeC:\Windows\system32\Pbohmh32.exe98⤵PID:1288
-
C:\Windows\SysWOW64\Pkglenej.exeC:\Windows\system32\Pkglenej.exe99⤵PID:2020
-
C:\Windows\SysWOW64\Qedjib32.exeC:\Windows\system32\Qedjib32.exe100⤵PID:972
-
C:\Windows\SysWOW64\Qgeckn32.exeC:\Windows\system32\Qgeckn32.exe101⤵PID:2288
-
C:\Windows\SysWOW64\Abodlk32.exeC:\Windows\system32\Abodlk32.exe102⤵PID:2424
-
C:\Windows\SysWOW64\Algida32.exeC:\Windows\system32\Algida32.exe103⤵PID:2216
-
C:\Windows\SysWOW64\Abaaakob.exeC:\Windows\system32\Abaaakob.exe104⤵PID:2268
-
C:\Windows\SysWOW64\Aikine32.exeC:\Windows\system32\Aikine32.exe105⤵PID:812
-
C:\Windows\SysWOW64\Angafl32.exeC:\Windows\system32\Angafl32.exe106⤵PID:3068
-
C:\Windows\SysWOW64\Aimfcedl.exeC:\Windows\system32\Aimfcedl.exe107⤵PID:2920
-
C:\Windows\SysWOW64\Aedghf32.exeC:\Windows\system32\Aedghf32.exe108⤵PID:616
-
C:\Windows\SysWOW64\Alnoepam.exeC:\Windows\system32\Alnoepam.exe109⤵
- System Location Discovery: System Language Discovery
PID:1964 -
C:\Windows\SysWOW64\Bakgmgpe.exeC:\Windows\system32\Bakgmgpe.exe110⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2352 -
C:\Windows\SysWOW64\Blplkp32.exeC:\Windows\system32\Blplkp32.exe111⤵
- Modifies registry class
PID:1828 -
C:\Windows\SysWOW64\Bhglpqeo.exeC:\Windows\system32\Bhglpqeo.exe112⤵PID:316
-
C:\Windows\SysWOW64\Bdnmda32.exeC:\Windows\system32\Bdnmda32.exe113⤵PID:1544
-
C:\Windows\SysWOW64\Bkheal32.exeC:\Windows\system32\Bkheal32.exe114⤵PID:1972
-
C:\Windows\SysWOW64\Bdpjjaiq.exeC:\Windows\system32\Bdpjjaiq.exe115⤵PID:2096
-
C:\Windows\SysWOW64\Bimbbhgh.exeC:\Windows\system32\Bimbbhgh.exe116⤵PID:2792
-
C:\Windows\SysWOW64\Bpgjob32.exeC:\Windows\system32\Bpgjob32.exe117⤵PID:3048
-
C:\Windows\SysWOW64\Beccgi32.exeC:\Windows\system32\Beccgi32.exe118⤵PID:2140
-
C:\Windows\SysWOW64\Cbhcankf.exeC:\Windows\system32\Cbhcankf.exe119⤵PID:944
-
C:\Windows\SysWOW64\Cialng32.exeC:\Windows\system32\Cialng32.exe120⤵PID:1532
-
C:\Windows\SysWOW64\Condfo32.exeC:\Windows\system32\Condfo32.exe121⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3012
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-