Analysis
max time kernel: 91s
max time network: 140s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 12/11/2024, 12:02
Static task: static1
Behavioral task: behavioral1
Sample: 32a1625fae8314ec81a14bb71c0cb2a2c5b89e299ace8b1e0a53940a6e21f175.exe
Resource: win7-20241010-en
Behavioral task: behavioral2
Sample: 32a1625fae8314ec81a14bb71c0cb2a2c5b89e299ace8b1e0a53940a6e21f175.exe
Resource: win10v2004-20241007-en
General
Target: 32a1625fae8314ec81a14bb71c0cb2a2c5b89e299ace8b1e0a53940a6e21f175.exe
Size: 570KB
MD5: 27d7f7a70c9602b98f803d2cad925690
SHA1: 67ad3c56cd00208e6b0f27eee55957f03ef0cb7e
SHA256: 32a1625fae8314ec81a14bb71c0cb2a2c5b89e299ace8b1e0a53940a6e21f175
SHA512: ac2b2253d6da18e9df6bb68bb0dc2f7899cc7af6950c5d114e10588dd07420a884015da97853c171cfba81e502779c3aa168e1e86941e86c6d85687d8693770a
SSDEEP: 12288:XA0KwPh2kkkkK4kXkkkkkkkkl888888888888888888nusMH0QiRLsRf:zKwPh2kkkkK4kXkkkkkkkkhLg
Malware Config
Extracted: berbew
http://viruslist.com/wcmd.txt
http://viruslist.com/ppslog.php
http://viruslist.com/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d
Signatures
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
Berbew family
Executes dropped EXE 64 IoCs
Drops file in System32 directory 64 IoCs
Program crash 1 IoCs
pid: 12808, pid_target: 12312, Process: WerFault.exe, procid_target: 673
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs
Adversaries may check for Internet connectivity on compromised systems.
pid: 5832, Process: Jbkpingk.exe
Modifies registry class 64 IoCs
Suspicious use of WriteProcessMemory 64 IoCs
Processes
[1] C:\Users\Admin\AppData\Local\Temp\32a1625fae8314ec81a14bb71c0cb2a2c5b89e299ace8b1e0a53940a6e21f175.exe (command line: "C:\Users\Admin\AppData\Local\Temp\32a1625fae8314ec81a14bb71c0cb2a2c5b89e299ace8b1e0a53940a6e21f175.exe"), PID 2220
- Suspicious use of WriteProcessMemory
[2] C:\Windows\SysWOW64\Chgdocap.exe (command line: C:\Windows\system32\Chgdocap.exe), PID 4028
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
[3] C:\Windows\SysWOW64\Doamlm32.exe (command line: C:\Windows\system32\Doamlm32.exe), PID 3236
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
[4] C:\Windows\SysWOW64\Dmgjmjnd.exe (command line: C:\Windows\system32\Dmgjmjnd.exe), PID 3548
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
[5] C:\Windows\SysWOW64\Dhlnjb32.exe (command line: C:\Windows\system32\Dhlnjb32.exe), PID 3056
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
[6] C:\Windows\SysWOW64\Dhokpb32.exe (command line: C:\Windows\system32\Dhokpb32.exe), PID 1968
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
[7] C:\Windows\SysWOW64\Dohcllbd.exe (command line: C:\Windows\system32\Dohcllbd.exe), PID 2212
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
[8] C:\Windows\SysWOW64\Dailng32.exe (command line: C:\Windows\system32\Dailng32.exe), PID 3756
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
[9] C:\Windows\SysWOW64\Eomlgk32.exe (command line: C:\Windows\system32\Eomlgk32.exe), PID 4500
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
[10] C:\Windows\SysWOW64\Eegddefl.exe (command line: C:\Windows\system32\Eegddefl.exe), PID 3560
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
[11] C:\Windows\SysWOW64\Eheqpa32.exe (command line: C:\Windows\system32\Eheqpa32.exe), PID 3636
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
[12] C:\Windows\SysWOW64\Ekdmll32.exe (command line: C:\Windows\system32\Ekdmll32.exe), PID 4896
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
[13] C:\Windows\SysWOW64\Embihh32.exe (command line: C:\Windows\system32\Embihh32.exe), PID 2204
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
[14] C:\Windows\SysWOW64\Eejaje32.exe (command line: C:\Windows\system32\Eejaje32.exe), PID 4188
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
[15] C:\Windows\SysWOW64\Edlaebkd.exe (command line: C:\Windows\system32\Edlaebkd.exe), PID 2228
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
[16] C:\Windows\SysWOW64\Egknanjg.exe (command line: C:\Windows\system32\Egknanjg.exe), PID 2604
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
[17] C:\Windows\SysWOW64\Ekfjbl32.exe (command line: C:\Windows\system32\Ekfjbl32.exe), PID 4956
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
[18] C:\Windows\SysWOW64\Eobfbkjj.exe (command line: C:\Windows\system32\Eobfbkjj.exe), PID 4668
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
[19] C:\Windows\SysWOW64\Eapbofjm.exe (command line: C:\Windows\system32\Eapbofjm.exe), PID 740
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
[20] C:\Windows\SysWOW64\Eelnoe32.exe (command line: C:\Windows\system32\Eelnoe32.exe), PID 4536
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
[21] C:\Windows\SysWOW64\Ehjjkp32.exe (command line: C:\Windows\system32\Ehjjkp32.exe), PID 4832
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
[22] C:\Windows\SysWOW64\Egmjgm32.exe (command line: C:\Windows\system32\Egmjgm32.exe), PID 2940
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
[23] C:\Windows\SysWOW64\Eodbhj32.exe (command line: C:\Windows\system32\Eodbhj32.exe), PID 4476
- Executes dropped EXE
[24] C:\Windows\SysWOW64\Emgbcgoa.exe (command line: C:\Windows\system32\Emgbcgoa.exe), PID 1148
- Executes dropped EXE
[25] C:\Windows\SysWOW64\Eabodf32.exe (command line: C:\Windows\system32\Eabodf32.exe), PID 3800
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
[26] C:\Windows\SysWOW64\Edakpa32.exe (command line: C:\Windows\system32\Edakpa32.exe), PID 2912
- Executes dropped EXE
[27] C:\Windows\SysWOW64\Egpglm32.exe (command line: C:\Windows\system32\Egpglm32.exe), PID 4552
- Executes dropped EXE
[28] C:\Windows\SysWOW64\Eogonj32.exe (command line: C:\Windows\system32\Eogonj32.exe), PID 2188
- Executes dropped EXE
[29] C:\Windows\SysWOW64\Emioigmo.exe (command line: C:\Windows\system32\Emioigmo.exe), PID 4984
- Executes dropped EXE
[30] C:\Windows\SysWOW64\Eeqgjdna.exe (command line: C:\Windows\system32\Eeqgjdna.exe), PID 2952
- Executes dropped EXE
[31] C:\Windows\SysWOW64\Fhocfpme.exe (command line: C:\Windows\system32\Fhocfpme.exe), PID 3276
- Executes dropped EXE
[32] C:\Windows\SysWOW64\Fkmpbk32.exe (command line: C:\Windows\system32\Fkmpbk32.exe), PID 4212
- Executes dropped EXE
[33] C:\Windows\SysWOW64\Foilcjdb.exe (command line: C:\Windows\system32\Foilcjdb.exe), PID 1128
- Executes dropped EXE
[34] C:\Windows\SysWOW64\Faghoece.exe (command line: C:\Windows\system32\Faghoece.exe), PID 4464
- Executes dropped EXE
[35] C:\Windows\SysWOW64\Fdfdkqbi.exe (command line: C:\Windows\system32\Fdfdkqbi.exe), PID 1552
- Executes dropped EXE
[36] C:\Windows\SysWOW64\Fgdqglbm.exe (command line: C:\Windows\system32\Fgdqglbm.exe), PID 5072
- Executes dropped EXE
- System Location Discovery: System Language Discovery
[37] C:\Windows\SysWOW64\Fkpmhk32.exe (command line: C:\Windows\system32\Fkpmhk32.exe), PID 2168
- Executes dropped EXE
- Drops file in System32 directory
[38] C:\Windows\SysWOW64\Fnnidf32.exe (command line: C:\Windows\system32\Fnnidf32.exe), PID 3156
- Executes dropped EXE
[39] C:\Windows\SysWOW64\Feeqec32.exe (command line: C:\Windows\system32\Feeqec32.exe), PID 392
- Executes dropped EXE
[40] C:\Windows\SysWOW64\Fhcmao32.exe (command line: C:\Windows\system32\Fhcmao32.exe), PID 1508
- Executes dropped EXE
[41] C:\Windows\SysWOW64\Fkbinj32.exe (command line: C:\Windows\system32\Fkbinj32.exe), PID 1816
- Executes dropped EXE
[42] C:\Windows\SysWOW64\Fnqejfgg.exe (command line: C:\Windows\system32\Fnqejfgg.exe), PID 1348
- Executes dropped EXE
[43] C:\Windows\SysWOW64\Fehmkchi.exe (command line: C:\Windows\system32\Fehmkchi.exe), PID 1100
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
[44] C:\Windows\SysWOW64\Fhfjgogm.exe (command line: C:\Windows\system32\Fhfjgogm.exe), PID 1680
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
[45] C:\Windows\SysWOW64\Fkdfcjfq.exe (command line: C:\Windows\system32\Fkdfcjfq.exe), PID 4624
- Executes dropped EXE
[46] C:\Windows\SysWOW64\Fncboeed.exe (command line: C:\Windows\system32\Fncboeed.exe), PID 436
- Executes dropped EXE
- Drops file in System32 directory
[47] C:\Windows\SysWOW64\Fejjqcff.exe (command line: C:\Windows\system32\Fejjqcff.exe), PID 404
- Executes dropped EXE
[48] C:\Windows\SysWOW64\Fhhfmnej.exe (command line: C:\Windows\system32\Fhhfmnej.exe), PID 2724
- Executes dropped EXE
[49] C:\Windows\SysWOW64\Fkgbijdn.exe (command line: C:\Windows\system32\Fkgbijdn.exe), PID 2932
- Executes dropped EXE
[50] C:\Windows\SysWOW64\Fneoeeca.exe (command line: C:\Windows\system32\Fneoeeca.exe), PID 1288
- Executes dropped EXE
- System Location Discovery: System Language Discovery
[51] C:\Windows\SysWOW64\Gdogaojo.exe (command line: C:\Windows\system32\Gdogaojo.exe), PID 3532
- Executes dropped EXE
[52] C:\Windows\SysWOW64\Ggncnkjb.exe (command line: C:\Windows\system32\Ggncnkjb.exe), PID 4376
- Executes dropped EXE
[53] C:\Windows\SysWOW64\Gacgkcih.exe (command line: C:\Windows\system32\Gacgkcih.exe), PID 1236
- Executes dropped EXE
[54] C:\Windows\SysWOW64\Ghmphn32.exe (command line: C:\Windows\system32\Ghmphn32.exe), PID 4560
- Executes dropped EXE
[55] C:\Windows\SysWOW64\Gkkldi32.exe (command line: C:\Windows\system32\Gkkldi32.exe), PID 1420
- Executes dropped EXE
[56] C:\Windows\SysWOW64\Gnjhpd32.exe (command line: C:\Windows\system32\Gnjhpd32.exe), PID 4884
- Executes dropped EXE
[57] C:\Windows\SysWOW64\Geapabpo.exe (command line: C:\Windows\system32\Geapabpo.exe), PID 3964
- Executes dropped EXE
[58] C:\Windows\SysWOW64\Ghommmob.exe (command line: C:\Windows\system32\Ghommmob.exe), PID 1120
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
[59] C:\Windows\SysWOW64\Gkniiinf.exe (command line: C:\Windows\system32\Gkniiinf.exe), PID 2576
- Executes dropped EXE
[60] C:\Windows\SysWOW64\Gnleedmj.exe (command line: C:\Windows\system32\Gnleedmj.exe), PID 4248
- Executes dropped EXE
[61] C:\Windows\SysWOW64\Gecmganl.exe (command line: C:\Windows\system32\Gecmganl.exe), PID 916
- Executes dropped EXE
[62] C:\Windows\SysWOW64\Ggdinj32.exe (command line: C:\Windows\system32\Ggdinj32.exe), PID 1576
- Executes dropped EXE
[63] C:\Windows\SysWOW64\Golapg32.exe (command line: C:\Windows\system32\Golapg32.exe), PID 648
- Executes dropped EXE
[64] C:\Windows\SysWOW64\Gajnlb32.exe (command line: C:\Windows\system32\Gajnlb32.exe), PID 316
- Executes dropped EXE
[65] C:\Windows\SysWOW64\Gdhjhnbd.exe (command line: C:\Windows\system32\Gdhjhnbd.exe), PID 4664
- Executes dropped EXE
[66] C:\Windows\SysWOW64\Gggfdiag.exe (command line: C:\Windows\system32\Gggfdiag.exe), PID 2404
[67] C:\Windows\SysWOW64\Gonnegbj.exe (command line: C:\Windows\system32\Gonnegbj.exe), PID 552
[68] C:\Windows\SysWOW64\Galjabam.exe (command line: C:\Windows\system32\Galjabam.exe), PID 548
[69] C:\Windows\SysWOW64\Hhfbnl32.exe (command line: C:\Windows\system32\Hhfbnl32.exe), PID 2768
- Adds autorun key to be loaded by Explorer.exe on startup
[70] C:\Windows\SysWOW64\Hkeojh32.exe (command line: C:\Windows\system32\Hkeojh32.exe), PID 1144
[71] C:\Windows\SysWOW64\Hnckfc32.exe (command line: C:\Windows\system32\Hnckfc32.exe), PID 5136
[72] C:\Windows\SysWOW64\Hfjcgq32.exe (command line: C:\Windows\system32\Hfjcgq32.exe), PID 5176
- System Location Discovery: System Language Discovery
[73] C:\Windows\SysWOW64\Hhioclgg.exe (command line: C:\Windows\system32\Hhioclgg.exe), PID 5216
[74] C:\Windows\SysWOW64\Hkglpgfk.exe (command line: C:\Windows\system32\Hkglpgfk.exe), PID 5256
[75] C:\Windows\SysWOW64\Hbadla32.exe (command line: C:\Windows\system32\Hbadla32.exe), PID 5296
- Modifies registry class
[76] C:\Windows\SysWOW64\Hdpphm32.exe (command line: C:\Windows\system32\Hdpphm32.exe), PID 5336
[77] C:\Windows\SysWOW64\Hgnldh32.exe (command line: C:\Windows\system32\Hgnldh32.exe), PID 5376
- Drops file in System32 directory
[78] C:\Windows\SysWOW64\Hnhdabcl.exe (command line: C:\Windows\system32\Hnhdabcl.exe), PID 5416
[79] C:\Windows\SysWOW64\Hfombpco.exe (command line: C:\Windows\system32\Hfombpco.exe), PID 5456
[80] C:\Windows\SysWOW64\Hhmiokbb.exe (command line: C:\Windows\system32\Hhmiokbb.exe), PID 5496
- System Location Discovery: System Language Discovery
[81] C:\Windows\SysWOW64\Hklekg32.exe (command line: C:\Windows\system32\Hklekg32.exe), PID 5536
[82] C:\Windows\SysWOW64\Hnjagb32.exe (command line: C:\Windows\system32\Hnjagb32.exe), PID 5580
[83] C:\Windows\SysWOW64\Hddiclhf.exe (command line: C:\Windows\system32\Hddiclhf.exe), PID 5624
- Modifies registry class
[84] C:\Windows\SysWOW64\Hgbfphgj.exe (command line: C:\Windows\system32\Hgbfphgj.exe), PID 5668
- Drops file in System32 directory
[85] C:\Windows\SysWOW64\Hnmnlb32.exe (command line: C:\Windows\system32\Hnmnlb32.exe), PID 5708
- Modifies registry class
[86] C:\Windows\SysWOW64\Ihbbjk32.exe (command line: C:\Windows\system32\Ihbbjk32.exe), PID 5756
[87] C:\Windows\SysWOW64\Ioljfe32.exe (command line: C:\Windows\system32\Ioljfe32.exe), PID 5800
- Modifies registry class
[88] C:\Windows\SysWOW64\Ibjgbp32.exe (command line: C:\Windows\system32\Ibjgbp32.exe), PID 5840
- Drops file in System32 directory
[89] C:\Windows\SysWOW64\Iggokg32.exe (command line: C:\Windows\system32\Iggokg32.exe), PID 5888
[90] C:\Windows\SysWOW64\Inaggaka.exe (command line: C:\Windows\system32\Inaggaka.exe), PID 5932
[91] C:\Windows\SysWOW64\Ifhoiokd.exe (command line: C:\Windows\system32\Ifhoiokd.exe), PID 5984
[92] C:\Windows\SysWOW64\Iiglejjg.exe (command line: C:\Windows\system32\Iiglejjg.exe), PID 6020
- Drops file in System32 directory
[93] C:\Windows\SysWOW64\Ikehaejk.exe (command line: C:\Windows\system32\Ikehaejk.exe), PID 6060
[94] C:\Windows\SysWOW64\Incdma32.exe (command line: C:\Windows\system32\Incdma32.exe), PID 6104
[95] C:\Windows\SysWOW64\Idnljkpl.exe (command line: C:\Windows\system32\Idnljkpl.exe), PID 1696
[96] C:\Windows\SysWOW64\Iglhffop.exe (command line: C:\Windows\system32\Iglhffop.exe), PID 756
- System Location Discovery: System Language Discovery
[97] C:\Windows\SysWOW64\Iocqgdpb.exe (command line: C:\Windows\system32\Iocqgdpb.exe), PID 1664
[98] C:\Windows\SysWOW64\Ibamcooe.exe (command line: C:\Windows\system32\Ibamcooe.exe), PID 4416
[99] C:\Windows\SysWOW64\Iepiokni.exe (command line: C:\Windows\system32\Iepiokni.exe), PID 224
- Modifies registry class
[100] C:\Windows\SysWOW64\Ignekfmm.exe (command line: C:\Windows\system32\Ignekfmm.exe), PID 2928
[101] C:\Windows\SysWOW64\Inhnhp32.exe (command line: C:\Windows\system32\Inhnhp32.exe), PID 2720
[102] C:\Windows\SysWOW64\Jinaeidp.exe (command line: C:\Windows\system32\Jinaeidp.exe), PID 3528
- System Location Discovery: System Language Discovery
[103] C:\Windows\SysWOW64\Jklnadcc.exe (command line: C:\Windows\system32\Jklnadcc.exe), PID 5040
[104] C:\Windows\SysWOW64\Jnkjnpbg.exe (command line: C:\Windows\system32\Jnkjnpbg.exe), PID 5204
[105] C:\Windows\SysWOW64\Jfbbomci.exe (command line: C:\Windows\system32\Jfbbomci.exe), PID 5264
[106] C:\Windows\SysWOW64\Jedbjj32.exe (command line: C:\Windows\system32\Jedbjj32.exe), PID 5324
- Adds autorun key to be loaded by Explorer.exe on startup
[107] C:\Windows\SysWOW64\Jgcofe32.exe (command line: C:\Windows\system32\Jgcofe32.exe), PID 5384
[108] C:\Windows\SysWOW64\Jojghc32.exe (command line: C:\Windows\system32\Jojghc32.exe), PID 5452
- Adds autorun key to be loaded by Explorer.exe on startup
[109] C:\Windows\SysWOW64\Jnmgcpqd.exe (command line: C:\Windows\system32\Jnmgcpqd.exe), PID 5532
[110] C:\Windows\SysWOW64\Jfdodm32.exe (command line: C:\Windows\system32\Jfdodm32.exe), PID 3708
- Drops file in System32 directory
[111] C:\Windows\SysWOW64\Jibkqh32.exe (command line: C:\Windows\system32\Jibkqh32.exe), PID 3680
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
[112] C:\Windows\SysWOW64\Jkagmd32.exe (command line: C:\Windows\system32\Jkagmd32.exe), PID 5696
- Drops file in System32 directory
[113] C:\Windows\SysWOW64\Jpmcmbhg.exe (command line: C:\Windows\system32\Jpmcmbhg.exe), PID 5764
- System Location Discovery: System Language Discovery
[114] C:\Windows\SysWOW64\Jbkpingk.exe (command line: C:\Windows\system32\Jbkpingk.exe), PID 5832
- System Network Configuration Discovery: Internet Connection Discovery
[115] C:\Windows\SysWOW64\Jiehfh32.exe (command line: C:\Windows\system32\Jiehfh32.exe), PID 5928
- Modifies registry class
[116] C:\Windows\SysWOW64\Jkcdbc32.exe (command line: C:\Windows\system32\Jkcdbc32.exe), PID 5972
[117] C:\Windows\SysWOW64\Jbmloneh.exe (command line: C:\Windows\system32\Jbmloneh.exe), PID 6028
[118] C:\Windows\SysWOW64\Jleahcki.exe (command line: C:\Windows\system32\Jleahcki.exe), PID 6048
[119] C:\Windows\SysWOW64\Kndmdojl.exe (command line: C:\Windows\system32\Kndmdojl.exe), PID 1408
[120] C:\Windows\SysWOW64\Kfkeelko.exe (command line: C:\Windows\system32\Kfkeelko.exe), PID 1160
[121] C:\Windows\SysWOW64\Kglamd32.exe (command line: C:\Windows\system32\Kglamd32.exe), PID 544
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
[122] C:\Windows\SysWOW64\Kpcina32.exe (command line: C:\Windows\system32\Kpcina32.exe), PID 4644