Analysis
-
max time kernel
117s -
max time network
118s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system -
submitted
12-10-2024 09:42
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
db69193deed0d7ce76b1d84b9e14a416a01e3c1170f5564538031ef21114c5efN.exe
Resource
win7-20241010-en
windows7-x64
9 signatures
120 seconds
Behavioral task
behavioral2
Sample
db69193deed0d7ce76b1d84b9e14a416a01e3c1170f5564538031ef21114c5efN.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
8 signatures
120 seconds
General
-
Target
db69193deed0d7ce76b1d84b9e14a416a01e3c1170f5564538031ef21114c5efN.exe
-
Size
366KB
-
MD5
e853c4f385c30e030b3c91497ee17770
-
SHA1
9deee6fae0c3d0f136e8537213ae6cdfac8eb324
-
SHA256
db69193deed0d7ce76b1d84b9e14a416a01e3c1170f5564538031ef21114c5ef
-
SHA512
84b0e266aa0fb44d4158725ea3348ae2e84a8a496dbf98a9f24c9a55e1b44ba7f1435f418890c98722001f890cb368d5f159521043f813d30d79349c57df6fcf
-
SSDEEP
6144:q9XakS8ZfByLhNpBLnLcdpui6yYPaIGckjh/xaSfBJKFbhD7sYQpui6yYPaIGckV:6XakS89wNPPcdpV6yYPMLnfBJKFbhDwH
Score
10/10
Malware Config
Extracted
Family
berbew
C2
http://viruslist.com/wcmd.txt
http://viruslist.com/ppslog.php
http://viruslist.com/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Djgfgkbo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dkjpdcfj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hkjnenbp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Fmaqgaae.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Lqgjkbop.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Epfhde32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kppldhla.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Adgein32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Enmnahnm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mehbpjjk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Manljd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Imjmhkpj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ofaolcmh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Obhpad32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Gaplfinb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Kopnma32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hdqhambg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jmlfmn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Malmllfb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kimlqfeq.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kecmfg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Enhcnd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Onoqfehp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Chggdoee.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Coldmfkf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Dammoahg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Babbng32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Blqmid32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Fejfmk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pkfghh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oemhjlha.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Hadfah32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pbgefa32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ekbhnkhf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kopnma32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Lgdfgbhf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gcakbjpl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nhmbdl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hclhjpjc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Blobmm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hbpbck32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Idbgbahq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Gapoob32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dflmpebj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iaaoqf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Kjhopjqi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Hkpnjd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Idmlniea.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lodnjboi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nakikpin.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bpmkbl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gdihmo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bjngbihn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ficehj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gdnibdmf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nchipb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Pbpoebgc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Akjfhdka.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Afhpca32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Loclai32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kiofnm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Nhmbdl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pnfpjc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Aejglo32.exe -
Executes dropped EXE 64 IoCs
pid Process 1952 Kdnkdmec.exe 2780 Kocpbfei.exe 2916 Kenhopmf.exe 2816 Kkojbf32.exe 2716 Lmpcca32.exe 1436 Loclai32.exe 2572 Lhlqjone.exe 2096 Mhqjen32.exe 1996 Mnmbme32.exe 1132 Mjdcbf32.exe 1236 Mqbejp32.exe 776 Mgmmfjip.exe 2232 Nohaklfk.exe 1588 Nghpjn32.exe 2456 Nbmdhfog.exe 2432 Ofafgipc.exe 288 Omlncc32.exe 1856 Ojblbgdg.exe 1972 Olchjp32.exe 2024 Obmpgjbb.exe 1252 Pbomli32.exe 2188 Pbajbi32.exe 764 Pilbocej.exe 2252 Pjmnfk32.exe 2760 Pllkpn32.exe 2784 Pmnghfhi.exe 3004 Pnmdbi32.exe 2812 Qanmcdlm.exe 2820 Qiiahgjh.exe 2772 Afmbak32.exe 1812 Amgjnepn.exe 2636 Abdbflnf.exe 992 Aedlhg32.exe 2752 Ahchdb32.exe 1484 Aompambg.exe 1908 Bdobdc32.exe 2436 Bkhjamcf.exe 1964 Babbng32.exe 2344 Bjngbihn.exe 2512 Bphooc32.exe 1676 Bomlppdb.exe 804 Bfgdmjlp.exe 1748 Blqmid32.exe 2304 Booiep32.exe 2184 Bfiabjjm.exe 1300 Chgnneiq.exe 2356 Coafko32.exe 1836 Cfknhi32.exe 1716 Chjjde32.exe 1612 Clefdcog.exe 2796 Cngcll32.exe 1848 Cdqkifmb.exe 2652 Ckkcep32.exe 2672 Cnipak32.exe 3008 Cqglng32.exe 2080 Ckmpkpbl.exe 2376 Cbghhj32.exe 2992 Cgdqpq32.exe 596 Cjbmll32.exe 1324 Cmqihg32.exe 1492 Ddhaie32.exe 832 Dgfmep32.exe 2964 Dmcfngde.exe 1672 Doabjbci.exe -
Loads dropped DLL 64 IoCs
pid Process 2124 db69193deed0d7ce76b1d84b9e14a416a01e3c1170f5564538031ef21114c5efN.exe 2124 db69193deed0d7ce76b1d84b9e14a416a01e3c1170f5564538031ef21114c5efN.exe 1952 Kdnkdmec.exe 1952 Kdnkdmec.exe 2780 Kocpbfei.exe 2780 Kocpbfei.exe 2916 Kenhopmf.exe 2916 Kenhopmf.exe 2816 Kkojbf32.exe 2816 Kkojbf32.exe 2716 Lmpcca32.exe 2716 Lmpcca32.exe 1436 Loclai32.exe 1436 Loclai32.exe 2572 Lhlqjone.exe 2572 Lhlqjone.exe 2096 Mhqjen32.exe 2096 Mhqjen32.exe 1996 Mnmbme32.exe 1996 Mnmbme32.exe 1132 Mjdcbf32.exe 1132 Mjdcbf32.exe 1236 Mqbejp32.exe 1236 Mqbejp32.exe 776 Mgmmfjip.exe 776 Mgmmfjip.exe 2232 Nohaklfk.exe 2232 Nohaklfk.exe 1588 Nghpjn32.exe 1588 Nghpjn32.exe 2456 Nbmdhfog.exe 2456 Nbmdhfog.exe 2432 Ofafgipc.exe 2432 Ofafgipc.exe 288 Omlncc32.exe 288 Omlncc32.exe 1856 Ojblbgdg.exe 1856 Ojblbgdg.exe 1972 Olchjp32.exe 1972 Olchjp32.exe 2024 Obmpgjbb.exe 2024 Obmpgjbb.exe 1252 Pbomli32.exe 1252 Pbomli32.exe 2188 Pbajbi32.exe 2188 Pbajbi32.exe 764 Pilbocej.exe 764 Pilbocej.exe 2252 Pjmnfk32.exe 2252 Pjmnfk32.exe 2760 Pllkpn32.exe 2760 Pllkpn32.exe 2784 Pmnghfhi.exe 2784 Pmnghfhi.exe 3004 Pnmdbi32.exe 3004 Pnmdbi32.exe 2812 Qanmcdlm.exe 2812 Qanmcdlm.exe 2820 Qiiahgjh.exe 2820 Qiiahgjh.exe 2772 Afmbak32.exe 2772 Afmbak32.exe 1812 Amgjnepn.exe 1812 Amgjnepn.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Nqpmimbe.exe Nggipg32.exe File created C:\Windows\SysWOW64\Doclpb32.dll Fpemhb32.exe File opened for modification C:\Windows\SysWOW64\Cniajdkg.exe Chmibmlo.exe File created C:\Windows\SysWOW64\Gojkgjkh.dll Bfmjoqoe.exe File created C:\Windows\SysWOW64\Oaeghhnb.dll Enhcnd32.exe File opened for modification C:\Windows\SysWOW64\Omjbihpn.exe Ogpjmn32.exe File created C:\Windows\SysWOW64\Dgfmep32.exe Ddhaie32.exe File created C:\Windows\SysWOW64\Hlmnogkl.exe Hecebm32.exe File opened for modification C:\Windows\SysWOW64\Ealahi32.exe Epkepakn.exe File created C:\Windows\SysWOW64\Cblaaajo.dll Kjkbpp32.exe File created C:\Windows\SysWOW64\Booqgija.dll Djafaf32.exe File created C:\Windows\SysWOW64\Laidgi32.exe Lhapocoi.exe File opened for modification C:\Windows\SysWOW64\Pjmjdnop.exe Pgnnhbpm.exe File created C:\Windows\SysWOW64\Eqnmne32.dll Elndpnnn.exe File created C:\Windows\SysWOW64\Feiepkmi.dll Fdfmpc32.exe File created C:\Windows\SysWOW64\Hkmaed32.exe Hhoeii32.exe File opened for modification C:\Windows\SysWOW64\Djmiejji.exe Dgnminke.exe File created C:\Windows\SysWOW64\Fhhofe32.dll Dpmgao32.exe File created C:\Windows\SysWOW64\Bcaafadj.dll Qmpplh32.exe File opened for modification C:\Windows\SysWOW64\Fipdqmje.exe Fqilppic.exe File opened for modification C:\Windows\SysWOW64\Fopnpaba.exe Fmnahilc.exe File created C:\Windows\SysWOW64\Hecebm32.exe Hkmaed32.exe File opened for modification C:\Windows\SysWOW64\Dgkiih32.exe Dleelp32.exe File created C:\Windows\SysWOW64\Iaaoqf32.exe Ikgfdlcb.exe File opened for modification C:\Windows\SysWOW64\Ahchdb32.exe Aedlhg32.exe File created C:\Windows\SysWOW64\Jqlidcln.dll Clfhml32.exe File opened for modification C:\Windows\SysWOW64\Lolofd32.exe Kiofnm32.exe File created C:\Windows\SysWOW64\Hknpkfec.dll Hhdqma32.exe File opened for modification C:\Windows\SysWOW64\Pqplqile.exe Oggghc32.exe File created C:\Windows\SysWOW64\Jmkimple.dll Hlecmkel.exe File created C:\Windows\SysWOW64\Ddhaie32.exe Cmqihg32.exe File created C:\Windows\SysWOW64\Jcdadhjb.exe Jeaahk32.exe File created C:\Windows\SysWOW64\Chmglegi.dll Mblcin32.exe File opened for modification C:\Windows\SysWOW64\Nddeae32.exe Nafiej32.exe File opened for modification C:\Windows\SysWOW64\Fnkpcd32.exe Fkldgi32.exe File created C:\Windows\SysWOW64\Ckmpkpbl.exe Cqglng32.exe File created C:\Windows\SysWOW64\Pgcnnh32.exe Peeabm32.exe File opened for modification C:\Windows\SysWOW64\Nmacej32.exe Ncloha32.exe File created C:\Windows\SysWOW64\Fdnmmaaf.dll Cdlmlidp.exe File opened for modification C:\Windows\SysWOW64\Hclhjpjc.exe Hnppaill.exe File created C:\Windows\SysWOW64\Jcfddmhe.dll Pnfpjc32.exe File created C:\Windows\SysWOW64\Lilfgq32.exe Lgnjke32.exe File created C:\Windows\SysWOW64\Pmfjmake.exe Pflbpg32.exe File created C:\Windows\SysWOW64\Emgdmc32.exe Efmlqigc.exe File opened for modification C:\Windows\SysWOW64\Hgoadp32.exe Habili32.exe File created C:\Windows\SysWOW64\Lpckce32.exe Llhocfnb.exe File opened for modification C:\Windows\SysWOW64\Dhleaq32.exe Dgkiih32.exe File created C:\Windows\SysWOW64\Ecmjid32.exe Eannmi32.exe File opened for modification C:\Windows\SysWOW64\Icdeee32.exe Imjmhkpj.exe File created C:\Windows\SysWOW64\Fqilppic.exe Fbfldc32.exe File created C:\Windows\SysWOW64\Egmbnkie.exe Ecbfmm32.exe File created C:\Windows\SysWOW64\Iabhdefo.exe Ipaklm32.exe File created C:\Windows\SysWOW64\Kocpbfei.exe Kdnkdmec.exe File created C:\Windows\SysWOW64\Jhfhec32.dll Jcikog32.exe File created C:\Windows\SysWOW64\Gpacogjm.exe Gigkbm32.exe File created C:\Windows\SysWOW64\Boegjgoa.dll Gmkjgfmf.exe File opened for modification C:\Windows\SysWOW64\Nakikpin.exe Nchipb32.exe File opened for modification C:\Windows\SysWOW64\Ahfgbkpl.exe Aegkfpah.exe File created C:\Windows\SysWOW64\Gcchgini.exe Gmipko32.exe File opened for modification C:\Windows\SysWOW64\Nilndfgl.exe Nbbegl32.exe File created C:\Windows\SysWOW64\Bjngbihn.exe Babbng32.exe File created C:\Windows\SysWOW64\Fejfmk32.exe Fopnpaba.exe File created C:\Windows\SysWOW64\Ikmfgnde.dll Nhakecld.exe File created C:\Windows\SysWOW64\Geqoad32.dll Lbhmok32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 6548 2564 WerFault.exe 860 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fipbhd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kkaolm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kngaig32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cngcll32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ecadddjh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fjnignob.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Flhhed32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pfnoegaf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kcajceke.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Apfici32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aphehidc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Booiep32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ckmpkpbl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Goiafp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cnhhge32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jjkfqlpf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bimbql32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ehgaknbp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jghcbjll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nanhihno.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Npechhgd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gdflgo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Honiikpa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mjdcbf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Facdgl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ncgcdi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ahpddmia.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fllaopcg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mcjlap32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Caokmd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fmbjjp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mmmnkglp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ncjbba32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ocqhcqgk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Einlmkhp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Igmepdbc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jgkdigfa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Peeabm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dljngoea.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fbfldc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ljbipolj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hbekojlp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kmhhae32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Afmbak32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mejmmqpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Onoqfehp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Blniinac.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ccqhdmbc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Agqfme32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ogddhmdl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fmnahilc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mhhiiloh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fqpbpo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iofhmi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nilndfgl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lgnjke32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Epqgopbi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Edeclabl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iaaoqf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hhlcal32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Djafaf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nikkkn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mehbpjjk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oipcnieb.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmidlkkk.dll" Fblljhbo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Hbpbck32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ijilkf32.dll" Clinfk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Neghdg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Omjefg32.dll" Fdapcg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Icoepohq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Fipdqmje.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Pnmdbi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Dgnminke.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ghekhd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Hpdbmooo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Fgeabi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Copjlmfa.dll" Oodjjign.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Djafaf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mpfbjp32.dll" Feobac32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qamqddlf.dll" Dpgckm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gkbokl32.dll" Egebjmdn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Malmllfb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Clneaj32.dll" Bjoohdbd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ighmnbma.dll" Npffaq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Blqmid32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Comjjjlc.dll" Ahfgbkpl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ecoihm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Dqaode32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Mnhnfckm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Chhpgn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Kjhopjqi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Qmpplh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Bdgcaj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Hecebm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Adgein32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Gplcia32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Amjiln32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Gajlac32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Nddeae32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Dkeahf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nlobbi32.dll" Hnpgloog.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Egebjmdn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Anpooe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hgfcop32.dll" Dljngoea.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Kimlqfeq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Lmcdkbao.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmooam32.dll" Mnncii32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Nilndfgl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Idohdhbo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ngbpoo32.dll" Epnkip32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Kkefoc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Cdcjgnbc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Dpmgao32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Chgimh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Bfiabjjm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eglhaeef.dll" Occlcg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Hhogaamj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Kihbfg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Lggbmbfc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Meffjjln.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bamdfpok.dll" Pllkpn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Opgikjgo.dll" Dleelp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Iokfjf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Mcggef32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Npkdnnfk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Mcofid32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Heedqe32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Knoaeimg.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2124 wrote to memory of 1952 2124 db69193deed0d7ce76b1d84b9e14a416a01e3c1170f5564538031ef21114c5efN.exe 30 PID 2124 wrote to memory of 1952 2124 db69193deed0d7ce76b1d84b9e14a416a01e3c1170f5564538031ef21114c5efN.exe 30 PID 2124 wrote to memory of 1952 2124 db69193deed0d7ce76b1d84b9e14a416a01e3c1170f5564538031ef21114c5efN.exe 30 PID 2124 wrote to memory of 1952 2124 db69193deed0d7ce76b1d84b9e14a416a01e3c1170f5564538031ef21114c5efN.exe 30 PID 1952 wrote to memory of 2780 1952 Kdnkdmec.exe 31 PID 1952 wrote to memory of 2780 1952 Kdnkdmec.exe 31 PID 1952 wrote to memory of 2780 1952 Kdnkdmec.exe 31 PID 1952 wrote to memory of 2780 1952 Kdnkdmec.exe 31 PID 2780 wrote to memory of 2916 2780 Kocpbfei.exe 32 PID 2780 wrote to memory of 2916 2780 Kocpbfei.exe 32 PID 2780 wrote to memory of 2916 2780 Kocpbfei.exe 32 PID 2780 wrote to memory of 2916 2780 Kocpbfei.exe 32 PID 2916 wrote to memory of 2816 2916 Kenhopmf.exe 33 PID 2916 wrote to memory of 2816 2916 Kenhopmf.exe 33 PID 2916 wrote to memory of 2816 2916 Kenhopmf.exe 33 PID 2916 wrote to memory of 2816 2916 Kenhopmf.exe 33 PID 2816 wrote to memory of 2716 2816 Kkojbf32.exe 34 PID 2816 wrote to memory of 2716 2816 Kkojbf32.exe 34 PID 2816 wrote to memory of 2716 2816 Kkojbf32.exe 34 PID 2816 wrote to memory of 2716 2816 Kkojbf32.exe 34 PID 2716 wrote to memory of 1436 2716 Lmpcca32.exe 35 PID 2716 wrote to memory of 1436 2716 Lmpcca32.exe 35 PID 2716 wrote to memory of 1436 2716 Lmpcca32.exe 35 PID 2716 wrote to memory of 1436 2716 Lmpcca32.exe 35 PID 1436 wrote to memory of 2572 1436 Loclai32.exe 36 PID 1436 wrote to memory of 2572 1436 Loclai32.exe 36 PID 1436 wrote to memory of 2572 1436 Loclai32.exe 36 PID 1436 wrote to memory of 2572 1436 Loclai32.exe 36 PID 2572 wrote to memory of 2096 2572 Lhlqjone.exe 37 PID 2572 wrote to memory of 2096 2572 Lhlqjone.exe 37 PID 2572 wrote to memory of 2096 2572 Lhlqjone.exe 37 PID 2572 wrote to memory of 2096 2572 Lhlqjone.exe 37 PID 2096 wrote to memory of 1996 2096 Mhqjen32.exe 38 PID 2096 wrote to memory of 1996 2096 Mhqjen32.exe 38 PID 2096 wrote to memory of 1996 2096 Mhqjen32.exe 38 PID 2096 wrote to memory of 1996 2096 Mhqjen32.exe 38 PID 1996 wrote to memory of 1132 1996 Mnmbme32.exe 39 PID 1996 wrote to memory of 1132 1996 Mnmbme32.exe 39 PID 1996 wrote to memory of 1132 1996 Mnmbme32.exe 39 PID 1996 wrote to memory of 1132 1996 Mnmbme32.exe 39 PID 1132 wrote to memory of 1236 1132 Mjdcbf32.exe 40 PID 1132 wrote to memory of 1236 1132 Mjdcbf32.exe 40 PID 1132 wrote to memory of 1236 1132 Mjdcbf32.exe 40 PID 1132 wrote to memory of 1236 1132 Mjdcbf32.exe 40 PID 1236 wrote to memory of 776 1236 Mqbejp32.exe 41 PID 1236 wrote to memory of 776 1236 Mqbejp32.exe 41 PID 1236 wrote to memory of 776 1236 Mqbejp32.exe 41 PID 1236 wrote to memory of 776 1236 Mqbejp32.exe 41 PID 776 wrote to memory of 2232 776 Mgmmfjip.exe 42 PID 776 wrote to memory of 2232 776 Mgmmfjip.exe 42 PID 776 wrote to memory of 2232 776 Mgmmfjip.exe 42 PID 776 wrote to memory of 2232 776 Mgmmfjip.exe 42 PID 2232 wrote to memory of 1588 2232 Nohaklfk.exe 43 PID 2232 wrote to memory of 1588 2232 Nohaklfk.exe 43 PID 2232 wrote to memory of 1588 2232 Nohaklfk.exe 43 PID 2232 wrote to memory of 1588 2232 Nohaklfk.exe 43 PID 1588 wrote to memory of 2456 1588 Nghpjn32.exe 44 PID 1588 wrote to memory of 2456 1588 Nghpjn32.exe 44 PID 1588 wrote to memory of 2456 1588 Nghpjn32.exe 44 PID 1588 wrote to memory of 2456 1588 Nghpjn32.exe 44 PID 2456 wrote to memory of 2432 2456 Nbmdhfog.exe 45 PID 2456 wrote to memory of 2432 2456 Nbmdhfog.exe 45 PID 2456 wrote to memory of 2432 2456 Nbmdhfog.exe 45 PID 2456 wrote to memory of 2432 2456 Nbmdhfog.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\db69193deed0d7ce76b1d84b9e14a416a01e3c1170f5564538031ef21114c5efN.exe"C:\Users\Admin\AppData\Local\Temp\db69193deed0d7ce76b1d84b9e14a416a01e3c1170f5564538031ef21114c5efN.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2124 -
C:\Windows\SysWOW64\Kdnkdmec.exeC:\Windows\system32\Kdnkdmec.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1952 -
C:\Windows\SysWOW64\Kocpbfei.exeC:\Windows\system32\Kocpbfei.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2780 -
C:\Windows\SysWOW64\Kenhopmf.exeC:\Windows\system32\Kenhopmf.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2916 -
C:\Windows\SysWOW64\Kkojbf32.exeC:\Windows\system32\Kkojbf32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2816 -
C:\Windows\SysWOW64\Lmpcca32.exeC:\Windows\system32\Lmpcca32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2716 -
C:\Windows\SysWOW64\Loclai32.exeC:\Windows\system32\Loclai32.exe7⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1436 -
C:\Windows\SysWOW64\Lhlqjone.exeC:\Windows\system32\Lhlqjone.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2572 -
C:\Windows\SysWOW64\Mhqjen32.exeC:\Windows\system32\Mhqjen32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2096 -
C:\Windows\SysWOW64\Mnmbme32.exeC:\Windows\system32\Mnmbme32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1996 -
C:\Windows\SysWOW64\Mjdcbf32.exeC:\Windows\system32\Mjdcbf32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1132 -
C:\Windows\SysWOW64\Mqbejp32.exeC:\Windows\system32\Mqbejp32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1236 -
C:\Windows\SysWOW64\Mgmmfjip.exeC:\Windows\system32\Mgmmfjip.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:776 -
C:\Windows\SysWOW64\Nohaklfk.exeC:\Windows\system32\Nohaklfk.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2232 -
C:\Windows\SysWOW64\Nghpjn32.exeC:\Windows\system32\Nghpjn32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1588 -
C:\Windows\SysWOW64\Nbmdhfog.exeC:\Windows\system32\Nbmdhfog.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2456 -
C:\Windows\SysWOW64\Ofafgipc.exeC:\Windows\system32\Ofafgipc.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2432 -
C:\Windows\SysWOW64\Omlncc32.exeC:\Windows\system32\Omlncc32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:288 -
C:\Windows\SysWOW64\Ojblbgdg.exeC:\Windows\system32\Ojblbgdg.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1856 -
C:\Windows\SysWOW64\Olchjp32.exeC:\Windows\system32\Olchjp32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1972 -
C:\Windows\SysWOW64\Obmpgjbb.exeC:\Windows\system32\Obmpgjbb.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2024 -
C:\Windows\SysWOW64\Pbomli32.exeC:\Windows\system32\Pbomli32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1252 -
C:\Windows\SysWOW64\Pbajbi32.exeC:\Windows\system32\Pbajbi32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2188 -
C:\Windows\SysWOW64\Pilbocej.exeC:\Windows\system32\Pilbocej.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:764 -
C:\Windows\SysWOW64\Pjmnfk32.exeC:\Windows\system32\Pjmnfk32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2252 -
C:\Windows\SysWOW64\Pllkpn32.exeC:\Windows\system32\Pllkpn32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2760 -
C:\Windows\SysWOW64\Pmnghfhi.exeC:\Windows\system32\Pmnghfhi.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2784 -
C:\Windows\SysWOW64\Pnmdbi32.exeC:\Windows\system32\Pnmdbi32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:3004 -
C:\Windows\SysWOW64\Qanmcdlm.exeC:\Windows\system32\Qanmcdlm.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2812 -
C:\Windows\SysWOW64\Qiiahgjh.exeC:\Windows\system32\Qiiahgjh.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2820 -
C:\Windows\SysWOW64\Afmbak32.exeC:\Windows\system32\Afmbak32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2772 -
C:\Windows\SysWOW64\Amgjnepn.exeC:\Windows\system32\Amgjnepn.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1812 -
C:\Windows\SysWOW64\Abdbflnf.exeC:\Windows\system32\Abdbflnf.exe33⤵
- Executes dropped EXE
PID:2636 -
C:\Windows\SysWOW64\Aedlhg32.exeC:\Windows\system32\Aedlhg32.exe34⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:992 -
C:\Windows\SysWOW64\Ahchdb32.exeC:\Windows\system32\Ahchdb32.exe35⤵
- Executes dropped EXE
PID:2752 -
C:\Windows\SysWOW64\Aompambg.exeC:\Windows\system32\Aompambg.exe36⤵
- Executes dropped EXE
PID:1484 -
C:\Windows\SysWOW64\Bdobdc32.exeC:\Windows\system32\Bdobdc32.exe37⤵
- Executes dropped EXE
PID:1908 -
C:\Windows\SysWOW64\Bkhjamcf.exeC:\Windows\system32\Bkhjamcf.exe38⤵
- Executes dropped EXE
PID:2436 -
C:\Windows\SysWOW64\Babbng32.exeC:\Windows\system32\Babbng32.exe39⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:1964 -
C:\Windows\SysWOW64\Bjngbihn.exeC:\Windows\system32\Bjngbihn.exe40⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2344 -
C:\Windows\SysWOW64\Bphooc32.exeC:\Windows\system32\Bphooc32.exe41⤵
- Executes dropped EXE
PID:2512 -
C:\Windows\SysWOW64\Bomlppdb.exeC:\Windows\system32\Bomlppdb.exe42⤵
- Executes dropped EXE
PID:1676 -
C:\Windows\SysWOW64\Bfgdmjlp.exeC:\Windows\system32\Bfgdmjlp.exe43⤵
- Executes dropped EXE
PID:804 -
C:\Windows\SysWOW64\Blqmid32.exeC:\Windows\system32\Blqmid32.exe44⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:1748 -
C:\Windows\SysWOW64\Booiep32.exeC:\Windows\system32\Booiep32.exe45⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2304 -
C:\Windows\SysWOW64\Bfiabjjm.exeC:\Windows\system32\Bfiabjjm.exe46⤵
- Executes dropped EXE
- Modifies registry class
PID:2184 -
C:\Windows\SysWOW64\Chgnneiq.exeC:\Windows\system32\Chgnneiq.exe47⤵
- Executes dropped EXE
PID:1300 -
C:\Windows\SysWOW64\Coafko32.exeC:\Windows\system32\Coafko32.exe48⤵
- Executes dropped EXE
PID:2356 -
C:\Windows\SysWOW64\Cfknhi32.exeC:\Windows\system32\Cfknhi32.exe49⤵
- Executes dropped EXE
PID:1836 -
C:\Windows\SysWOW64\Chjjde32.exeC:\Windows\system32\Chjjde32.exe50⤵
- Executes dropped EXE
PID:1716 -
C:\Windows\SysWOW64\Clefdcog.exeC:\Windows\system32\Clefdcog.exe51⤵
- Executes dropped EXE
PID:1612 -
C:\Windows\SysWOW64\Cngcll32.exeC:\Windows\system32\Cngcll32.exe52⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2796 -
C:\Windows\SysWOW64\Cdqkifmb.exeC:\Windows\system32\Cdqkifmb.exe53⤵
- Executes dropped EXE
PID:1848 -
C:\Windows\SysWOW64\Ckkcep32.exeC:\Windows\system32\Ckkcep32.exe54⤵
- Executes dropped EXE
PID:2652 -
C:\Windows\SysWOW64\Cnipak32.exeC:\Windows\system32\Cnipak32.exe55⤵
- Executes dropped EXE
PID:2672 -
C:\Windows\SysWOW64\Cqglng32.exeC:\Windows\system32\Cqglng32.exe56⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3008 -
C:\Windows\SysWOW64\Ckmpkpbl.exeC:\Windows\system32\Ckmpkpbl.exe57⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2080 -
C:\Windows\SysWOW64\Cbghhj32.exeC:\Windows\system32\Cbghhj32.exe58⤵
- Executes dropped EXE
PID:2376 -
C:\Windows\SysWOW64\Cgdqpq32.exeC:\Windows\system32\Cgdqpq32.exe59⤵
- Executes dropped EXE
PID:2992 -
C:\Windows\SysWOW64\Cjbmll32.exeC:\Windows\system32\Cjbmll32.exe60⤵
- Executes dropped EXE
PID:596 -
C:\Windows\SysWOW64\Cmqihg32.exeC:\Windows\system32\Cmqihg32.exe61⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1324 -
C:\Windows\SysWOW64\Ddhaie32.exeC:\Windows\system32\Ddhaie32.exe62⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1492 -
C:\Windows\SysWOW64\Dgfmep32.exeC:\Windows\system32\Dgfmep32.exe63⤵
- Executes dropped EXE
PID:832 -
C:\Windows\SysWOW64\Dmcfngde.exeC:\Windows\system32\Dmcfngde.exe64⤵
- Executes dropped EXE
PID:2964 -
C:\Windows\SysWOW64\Doabjbci.exeC:\Windows\system32\Doabjbci.exe65⤵
- Executes dropped EXE
PID:1672 -
C:\Windows\SysWOW64\Djgfgkbo.exeC:\Windows\system32\Djgfgkbo.exe66⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:544 -
C:\Windows\SysWOW64\Dijfch32.exeC:\Windows\system32\Dijfch32.exe67⤵PID:1760
-
C:\Windows\SysWOW64\Dqaode32.exeC:\Windows\system32\Dqaode32.exe68⤵
- Modifies registry class
PID:996 -
C:\Windows\SysWOW64\Dcokpa32.exeC:\Windows\system32\Dcokpa32.exe69⤵PID:1708
-
C:\Windows\SysWOW64\Dilchhgg.exeC:\Windows\system32\Dilchhgg.exe70⤵PID:2940
-
C:\Windows\SysWOW64\Dkjpdcfj.exeC:\Windows\system32\Dkjpdcfj.exe71⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2028 -
C:\Windows\SysWOW64\Dcageqgm.exeC:\Windows\system32\Dcageqgm.exe72⤵PID:1648
-
C:\Windows\SysWOW64\Decdmi32.exeC:\Windows\system32\Decdmi32.exe73⤵PID:548
-
C:\Windows\SysWOW64\Dphhka32.exeC:\Windows\system32\Dphhka32.exe74⤵PID:2640
-
C:\Windows\SysWOW64\Dbgdgm32.exeC:\Windows\system32\Dbgdgm32.exe75⤵PID:1800
-
C:\Windows\SysWOW64\Deeqch32.exeC:\Windows\system32\Deeqch32.exe76⤵PID:2448
-
C:\Windows\SysWOW64\Epkepakn.exeC:\Windows\system32\Epkepakn.exe77⤵
- Drops file in System32 directory
PID:2588 -
C:\Windows\SysWOW64\Ealahi32.exeC:\Windows\system32\Ealahi32.exe78⤵PID:2224
-
C:\Windows\SysWOW64\Egfjdchi.exeC:\Windows\system32\Egfjdchi.exe79⤵PID:2388
-
C:\Windows\SysWOW64\Ebknblho.exeC:\Windows\system32\Ebknblho.exe80⤵PID:2156
-
C:\Windows\SysWOW64\Eannmi32.exeC:\Windows\system32\Eannmi32.exe81⤵
- Drops file in System32 directory
PID:1260 -
C:\Windows\SysWOW64\Ecmjid32.exeC:\Windows\system32\Ecmjid32.exe82⤵PID:496
-
C:\Windows\SysWOW64\Ehhfjcff.exeC:\Windows\system32\Ehhfjcff.exe83⤵PID:1968
-
C:\Windows\SysWOW64\Ejfbfo32.exeC:\Windows\system32\Ejfbfo32.exe84⤵PID:1504
-
C:\Windows\SysWOW64\Eaqkcimg.exeC:\Windows\system32\Eaqkcimg.exe85⤵PID:880
-
C:\Windows\SysWOW64\Efmckpko.exeC:\Windows\system32\Efmckpko.exe86⤵PID:2808
-
C:\Windows\SysWOW64\Endklmlq.exeC:\Windows\system32\Endklmlq.exe87⤵PID:2768
-
C:\Windows\SysWOW64\Epfhde32.exeC:\Windows\system32\Epfhde32.exe88⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2920 -
C:\Windows\SysWOW64\Ecadddjh.exeC:\Windows\system32\Ecadddjh.exe89⤵
- System Location Discovery: System Language Discovery
PID:2668 -
C:\Windows\SysWOW64\Einlmkhp.exeC:\Windows\system32\Einlmkhp.exe90⤵
- System Location Discovery: System Language Discovery
PID:1788 -
C:\Windows\SysWOW64\Eaednh32.exeC:\Windows\system32\Eaednh32.exe91⤵PID:2380
-
C:\Windows\SysWOW64\Ffbmfo32.exeC:\Windows\system32\Ffbmfo32.exe92⤵PID:2056
-
C:\Windows\SysWOW64\Fjnignob.exeC:\Windows\system32\Fjnignob.exe93⤵
- System Location Discovery: System Language Discovery
PID:2352 -
C:\Windows\SysWOW64\Floeof32.exeC:\Windows\system32\Floeof32.exe94⤵PID:2384
-
C:\Windows\SysWOW64\Fdfmpc32.exeC:\Windows\system32\Fdfmpc32.exe95⤵
- Drops file in System32 directory
PID:2012 -
C:\Windows\SysWOW64\Ficehj32.exeC:\Windows\system32\Ficehj32.exe96⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1304 -
C:\Windows\SysWOW64\Fmnahilc.exeC:\Windows\system32\Fmnahilc.exe97⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:840 -
C:\Windows\SysWOW64\Fopnpaba.exeC:\Windows\system32\Fopnpaba.exe98⤵
- Drops file in System32 directory
PID:1916 -
C:\Windows\SysWOW64\Fejfmk32.exeC:\Windows\system32\Fejfmk32.exe99⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:876 -
C:\Windows\SysWOW64\Fpokjd32.exeC:\Windows\system32\Fpokjd32.exe100⤵PID:2236
-
C:\Windows\SysWOW64\Fbngfo32.exeC:\Windows\system32\Fbngfo32.exe101⤵PID:2504
-
C:\Windows\SysWOW64\Figocipe.exeC:\Windows\system32\Figocipe.exe102⤵PID:2440
-
C:\Windows\SysWOW64\Fkilka32.exeC:\Windows\system32\Fkilka32.exe103⤵PID:2968
-
C:\Windows\SysWOW64\Facdgl32.exeC:\Windows\system32\Facdgl32.exe104⤵
- System Location Discovery: System Language Discovery
PID:320 -
C:\Windows\SysWOW64\Fdapcg32.exeC:\Windows\system32\Fdapcg32.exe105⤵
- Modifies registry class
PID:672 -
C:\Windows\SysWOW64\Flhhed32.exeC:\Windows\system32\Flhhed32.exe106⤵
- System Location Discovery: System Language Discovery
PID:1512 -
C:\Windows\SysWOW64\Fogdap32.exeC:\Windows\system32\Fogdap32.exe107⤵PID:1684
-
C:\Windows\SysWOW64\Geqlnjcf.exeC:\Windows\system32\Geqlnjcf.exe108⤵PID:2604
-
C:\Windows\SysWOW64\Goiafp32.exeC:\Windows\system32\Goiafp32.exe109⤵
- System Location Discovery: System Language Discovery
PID:2552 -
C:\Windows\SysWOW64\Gmlablaa.exeC:\Windows\system32\Gmlablaa.exe110⤵PID:2528
-
C:\Windows\SysWOW64\Gagmbkik.exeC:\Windows\system32\Gagmbkik.exe111⤵PID:2708
-
C:\Windows\SysWOW64\Gkpakq32.exeC:\Windows\system32\Gkpakq32.exe112⤵PID:2928
-
C:\Windows\SysWOW64\Gpmjcg32.exeC:\Windows\system32\Gpmjcg32.exe113⤵PID:1956
-
C:\Windows\SysWOW64\Gckfpc32.exeC:\Windows\system32\Gckfpc32.exe114⤵PID:1336
-
C:\Windows\SysWOW64\Gkbnap32.exeC:\Windows\system32\Gkbnap32.exe115⤵PID:1644
-
C:\Windows\SysWOW64\Gpogiglp.exeC:\Windows\system32\Gpogiglp.exe116⤵PID:1988
-
C:\Windows\SysWOW64\Gcmcebkc.exeC:\Windows\system32\Gcmcebkc.exe117⤵PID:2736
-
C:\Windows\SysWOW64\Gigkbm32.exeC:\Windows\system32\Gigkbm32.exe118⤵
- Drops file in System32 directory
PID:952 -
C:\Windows\SysWOW64\Gpacogjm.exeC:\Windows\system32\Gpacogjm.exe119⤵PID:1052
-
C:\Windows\SysWOW64\Ggklka32.exeC:\Windows\system32\Ggklka32.exe120⤵PID:2628
-
C:\Windows\SysWOW64\Hhmhcigh.exeC:\Windows\system32\Hhmhcigh.exe121⤵PID:756
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-