Analysis
-
max time kernel
103s -
max time network
19s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system -
submitted
23/11/2024, 03:16
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
c2d130d63435112ec0922da2aff4ee7c25e91a7a869ea3be35cdd49ce4005cf2.exe
Resource
win7-20241010-en
windows7-x64
10 signatures
150 seconds
Behavioral task
behavioral2
Sample
c2d130d63435112ec0922da2aff4ee7c25e91a7a869ea3be35cdd49ce4005cf2.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
9 signatures
150 seconds
General
-
Target
c2d130d63435112ec0922da2aff4ee7c25e91a7a869ea3be35cdd49ce4005cf2.exe
-
Size
112KB
-
MD5
82e1208cb40e02aa76e7138ad8524d63
-
SHA1
c1283954cd6013e22a84a953c1d13dc1d2de7ced
-
SHA256
c2d130d63435112ec0922da2aff4ee7c25e91a7a869ea3be35cdd49ce4005cf2
-
SHA512
2d4c4dfe3ce5bc9b9526666c8f5fa0a2e55a38811e30c279016e4d1782a6e28e60c7c994c9a22eb671adf13c8ba0c70c8ad3b0df09ffe5e9440a7d975c1a19fc
-
SSDEEP
3072:ESgl40NKmsW8g/W28ODrLXfzoeqarm9mTE:Enl40NKmsdgRJXfxqySSE
Score
10/10
Malware Config
Extracted
Family
berbew
C2
http://f/wcmd.htm
http://f/ppslog.php
http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kjhopjqi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jndhddaf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Npffaq32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pelnniga.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pcjbfbmm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ngoleb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lenioenj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hjhlnahk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cmgpcg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mnlkdk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Manjaldo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bmegodpi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ojgokflc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Qifnjm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oebdndlp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Laqadknn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Klonqpbi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Geinjapb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Adbmjbif.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Djmknb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Imgija32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kdincdcl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Doapanne.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gjkfglom.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Incgfl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cbihpbpl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lielphqc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qqoaefke.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Qpjchicb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pfgeoo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Imkeneja.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ajibckpc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hdailaib.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qpmiahlp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ilmlfcel.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dnmhogjo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bnjipn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Afkccffq.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oenmkngi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fofhdidp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Abgeiaaf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hjkneb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mcjlap32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Blpibghg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Obfiijia.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Agcekn32.exe -
Berbew family
-
Executes dropped EXE 64 IoCs
pid Process 2904 Egcfdn32.exe 2828 Epnkip32.exe 2848 Emdhhdqb.exe 2676 Elieipej.exe 2500 Einebddd.exe 2192 Fipbhd32.exe 1980 Flqkjo32.exe 2844 Fhglop32.exe 2980 Fmddgg32.exe 3040 Fjhdpk32.exe 2288 Gjjafkpe.exe 428 Gbhcpmkm.exe 2564 Gampaipe.exe 2504 Gekhgh32.exe 2388 Habili32.exe 1808 Hdbbnd32.exe 628 Hgckoofa.exe 1648 Hlbpme32.exe 1560 Hekefkig.exe 1116 Ilgjhena.exe 2036 Ifpnaj32.exe 1924 Ihpgce32.exe 2100 Igeddb32.exe 2864 Jnbifl32.exe 3052 Jjijkmbi.exe 1604 Jcckibfg.exe 2892 Jkopndcb.exe 2688 Kmnlhg32.exe 2880 Kiemmh32.exe 1208 Kbmafngi.exe 636 Kenjgi32.exe 1932 Kmiolk32.exe 1676 Lfdpjp32.exe 2544 Ljbipolj.exe 2988 Lekjal32.exe 2860 Mdgmbhgh.exe 2440 Manjaldo.exe 236 Mcacochk.exe 2404 Ngoleb32.exe 1708 Nhqhmj32.exe 2236 Ncfmjc32.exe 1228 Nnbjpqoa.exe 776 Ngjoif32.exe 1528 Noagjc32.exe 772 Opccallb.exe 2580 Ohjkcile.exe 568 Ojkhjabc.exe 1752 Oqepgk32.exe 752 Ogohdeam.exe 2808 Onipqp32.exe 2928 Ocfiif32.exe 2884 Onkmfofg.exe 2832 Ofgbkacb.exe 2652 Omqjgl32.exe 2216 Ojdjqp32.exe 2316 Pmcgmkil.exe 1844 Pbpoebgc.exe 1900 Pkhdnh32.exe 2528 Pfnhkq32.exe 2408 Pgodcich.exe 2384 Pioamlkk.exe 2620 Pnkiebib.exe 1484 Pgcnnh32.exe 2224 Pmqffonj.exe -
Loads dropped DLL 64 IoCs
pid Process 2772 c2d130d63435112ec0922da2aff4ee7c25e91a7a869ea3be35cdd49ce4005cf2.exe 2772 c2d130d63435112ec0922da2aff4ee7c25e91a7a869ea3be35cdd49ce4005cf2.exe 2904 Egcfdn32.exe 2904 Egcfdn32.exe 2828 Epnkip32.exe 2828 Epnkip32.exe 2848 Emdhhdqb.exe 2848 Emdhhdqb.exe 2676 Elieipej.exe 2676 Elieipej.exe 2500 Einebddd.exe 2500 Einebddd.exe 2192 Fipbhd32.exe 2192 Fipbhd32.exe 1980 Flqkjo32.exe 1980 Flqkjo32.exe 2844 Fhglop32.exe 2844 Fhglop32.exe 2980 Fmddgg32.exe 2980 Fmddgg32.exe 3040 Fjhdpk32.exe 3040 Fjhdpk32.exe 2288 Gjjafkpe.exe 2288 Gjjafkpe.exe 428 Gbhcpmkm.exe 428 Gbhcpmkm.exe 2564 Gampaipe.exe 2564 Gampaipe.exe 2504 Gekhgh32.exe 2504 Gekhgh32.exe 2388 Habili32.exe 2388 Habili32.exe 1808 Hdbbnd32.exe 1808 Hdbbnd32.exe 628 Hgckoofa.exe 628 Hgckoofa.exe 1648 Hlbpme32.exe 1648 Hlbpme32.exe 1560 Hekefkig.exe 1560 Hekefkig.exe 1116 Ilgjhena.exe 1116 Ilgjhena.exe 2036 Ifpnaj32.exe 2036 Ifpnaj32.exe 1924 Ihpgce32.exe 1924 Ihpgce32.exe 2100 Igeddb32.exe 2100 Igeddb32.exe 2864 Jnbifl32.exe 2864 Jnbifl32.exe 3052 Jjijkmbi.exe 3052 Jjijkmbi.exe 1604 Jcckibfg.exe 1604 Jcckibfg.exe 2892 Jkopndcb.exe 2892 Jkopndcb.exe 2688 Kmnlhg32.exe 2688 Kmnlhg32.exe 2880 Kiemmh32.exe 2880 Kiemmh32.exe 1208 Kbmafngi.exe 1208 Kbmafngi.exe 636 Kenjgi32.exe 636 Kenjgi32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Fbfilc32.dll Pembpkfi.exe File created C:\Windows\SysWOW64\Nlpcafgp.dll Lkcqfifp.exe File opened for modification C:\Windows\SysWOW64\Lcmopepp.exe Lhhjcmpj.exe File opened for modification C:\Windows\SysWOW64\Ggfgoo32.exe Process not Found File created C:\Windows\SysWOW64\Ankhmncb.exe Abeghmmn.exe File created C:\Windows\SysWOW64\Nleckcno.dll Hkljljko.exe File created C:\Windows\SysWOW64\Jjbpppeb.dll Process not Found File opened for modification C:\Windows\SysWOW64\Fgjkmijh.exe Fpcblkje.exe File created C:\Windows\SysWOW64\Hbfein32.dll Mkpieggc.exe File created C:\Windows\SysWOW64\Kapbmo32.exe Kgknpfdi.exe File created C:\Windows\SysWOW64\Imdjlida.exe Ikbndqnc.exe File created C:\Windows\SysWOW64\Dchpnd32.exe Cgaoic32.exe File opened for modification C:\Windows\SysWOW64\Mnijnjbh.exe Milaecdp.exe File opened for modification C:\Windows\SysWOW64\Qekdpkgj.exe Qkbpgeai.exe File opened for modification C:\Windows\SysWOW64\Gfogneop.exe Gcakbjpl.exe File opened for modification C:\Windows\SysWOW64\Doapanne.exe Didgig32.exe File opened for modification C:\Windows\SysWOW64\Pojgnf32.exe Pmijgn32.exe File created C:\Windows\SysWOW64\Jcjffc32.exe Process not Found File created C:\Windows\SysWOW64\Gbhnkdde.dll Process not Found File opened for modification C:\Windows\SysWOW64\Ljbipolj.exe Lfdpjp32.exe File opened for modification C:\Windows\SysWOW64\Dcpmijqc.exe Dleelp32.exe File created C:\Windows\SysWOW64\Cpcpjbah.exe Cjfgalcq.exe File created C:\Windows\SysWOW64\Cdkklgcn.dll Kdincdcl.exe File opened for modification C:\Windows\SysWOW64\Nlfaag32.exe Nflidmic.exe File opened for modification C:\Windows\SysWOW64\Pafpjljk.exe Pngcnpkg.exe File created C:\Windows\SysWOW64\Foaekdkd.dll Process not Found File opened for modification C:\Windows\SysWOW64\Mpcmojia.exe Process not Found File created C:\Windows\SysWOW64\Ajkhhfhl.dll Jhniebne.exe File created C:\Windows\SysWOW64\Kgnemhfd.dll Oppbjn32.exe File created C:\Windows\SysWOW64\Aapikqel.exe Alcqcjgd.exe File created C:\Windows\SysWOW64\Eedmheda.dll Qpmiahlp.exe File opened for modification C:\Windows\SysWOW64\Mcccglnn.exe Mlikkbga.exe File created C:\Windows\SysWOW64\Jfnfjblc.dll Process not Found File created C:\Windows\SysWOW64\Qnqmeo32.dll Process not Found File created C:\Windows\SysWOW64\Bnmnbiph.dll Process not Found File opened for modification C:\Windows\SysWOW64\Cnlnpd32.exe Cdcjgnbc.exe File created C:\Windows\SysWOW64\Ddnhidmm.exe Doapanne.exe File opened for modification C:\Windows\SysWOW64\Hmdnme32.exe Hggeeo32.exe File created C:\Windows\SysWOW64\Hbpccf32.dll Hcqcoo32.exe File created C:\Windows\SysWOW64\Eighpgge.dll Ncjcnfcn.exe File created C:\Windows\SysWOW64\Gcfmolmc.dll Bhjngnod.exe File created C:\Windows\SysWOW64\Gblaal32.dll Plneoace.exe File created C:\Windows\SysWOW64\Gmabknal.dll Fialggcl.exe File created C:\Windows\SysWOW64\Ebkilnbk.dll Deiipp32.exe File created C:\Windows\SysWOW64\Hnikmnho.exe Hccfoehi.exe File created C:\Windows\SysWOW64\Odbhfj32.dll Process not Found File created C:\Windows\SysWOW64\Lpiacp32.exe Knjdimdh.exe File opened for modification C:\Windows\SysWOW64\Bclqme32.exe Ajcldpkd.exe File created C:\Windows\SysWOW64\Doapanne.exe Didgig32.exe File created C:\Windows\SysWOW64\Fhccoe32.exe Fhqfie32.exe File created C:\Windows\SysWOW64\Gfogkalg.dll Process not Found File created C:\Windows\SysWOW64\Ndoelpid.exe Mlhmkbhb.exe File created C:\Windows\SysWOW64\Nphkpc32.dll Pihbbgjj.exe File created C:\Windows\SysWOW64\Ondnfndp.dll Lcmopepp.exe File opened for modification C:\Windows\SysWOW64\Dmgokcja.exe Dlfbck32.exe File created C:\Windows\SysWOW64\Docjpa32.exe Process not Found File created C:\Windows\SysWOW64\Ciifgpjl.dll Process not Found File opened for modification C:\Windows\SysWOW64\Aicfgn32.exe Anmbje32.exe File created C:\Windows\SysWOW64\Agffkn32.dll Eelfedpa.exe File created C:\Windows\SysWOW64\Qigefa32.dll Bnjipn32.exe File created C:\Windows\SysWOW64\Cmfjgc32.dll Clclhmin.exe File created C:\Windows\SysWOW64\Opebpdad.exe Ohjmlaci.exe File created C:\Windows\SysWOW64\Ibncdgoo.dll Jbgbjh32.exe File created C:\Windows\SysWOW64\Npffaq32.exe Nilndfgl.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 4684 2852 Process not Found 1338 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nhjofbdk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language c2d130d63435112ec0922da2aff4ee7c25e91a7a869ea3be35cdd49ce4005cf2.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hgckoofa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Meffjjln.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fclmem32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gmegkd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pngcnpkg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mlndfa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ofgbkacb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hfnkji32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ipabfcdm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mgdpnqfn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qolmip32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gbkaneao.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jhchjgoh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mnilfc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kbjbibli.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bdknfiea.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kjhopjqi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pembpkfi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lojhmjag.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kopnma32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fnmmidhm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jjneoeeh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mcjlap32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fblljhbo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pogaeg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dglbmg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gnmihgkh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jjgonf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oljanhmc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eaegaaah.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jbijcgbc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bkjdpp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Degqka32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gkaghf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cmdaeo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Omjeba32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dpdbdo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jgbmco32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pqjhjf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qlcgmpkp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gpfggeai.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gafcahil.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Djffihmp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Limhpihl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bbhfgj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lgehpk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hgmfjdbe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hnimeg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Blpibghg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dpcnbn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bmldji32.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ighchh32.dll" Bpdkajic.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jkommh32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Klfbmd32.dll" Degqka32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mibeofaf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fdjgbloo.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Giiinjlg.dll" Lamkllea.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hedllgjk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bplofekp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Laackgka.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Memlki32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Egchmfnd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mgbcha32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Nnbjpqoa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dkhpfo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Oedclm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Qbiamm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dipnnmfk.dll" Hbjgbbpn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Alknnodh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cmdfje32.dll" Ghbhhnhk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ogohdeam.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Klimcf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Alncgn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nalgneml.dll" Cgaoic32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Befpkmph.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bkonkpqk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Icgpcjpo.dll" Lafekm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Aapikqel.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elioal32.dll" Nidhfgpl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jgbmco32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dfddnb32.dll" Kdlpkb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekbglc32.dll" Lhklha32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oabdgo32.dll" Jpfehq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bboqgikn.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mfcfdk32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pdigkk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node c2d130d63435112ec0922da2aff4ee7c25e91a7a869ea3be35cdd49ce4005cf2.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jennjblp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fapapi32.dll" Oomlfpdi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Elkbipdi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Iniidj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pnpfckmc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Blllchcf.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jlaeab32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Gfiaojkq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cfmhfm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kmnlhg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kkhdml32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ppogok32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ndehjnpo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hengep32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdinjj32.dll" Ajibckpc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bcdpacgl.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2772 wrote to memory of 2904 2772 c2d130d63435112ec0922da2aff4ee7c25e91a7a869ea3be35cdd49ce4005cf2.exe 30 PID 2772 wrote to memory of 2904 2772 c2d130d63435112ec0922da2aff4ee7c25e91a7a869ea3be35cdd49ce4005cf2.exe 30 PID 2772 wrote to memory of 2904 2772 c2d130d63435112ec0922da2aff4ee7c25e91a7a869ea3be35cdd49ce4005cf2.exe 30 PID 2772 wrote to memory of 2904 2772 c2d130d63435112ec0922da2aff4ee7c25e91a7a869ea3be35cdd49ce4005cf2.exe 30 PID 2904 wrote to memory of 2828 2904 Egcfdn32.exe 31 PID 2904 wrote to memory of 2828 2904 Egcfdn32.exe 31 PID 2904 wrote to memory of 2828 2904 Egcfdn32.exe 31 PID 2904 wrote to memory of 2828 2904 Egcfdn32.exe 31 PID 2828 wrote to memory of 2848 2828 Epnkip32.exe 32 PID 2828 wrote to memory of 2848 2828 Epnkip32.exe 32 PID 2828 wrote to memory of 2848 2828 Epnkip32.exe 32 PID 2828 wrote to memory of 2848 2828 Epnkip32.exe 32 PID 2848 wrote to memory of 2676 2848 Emdhhdqb.exe 33 PID 2848 wrote to memory of 2676 2848 Emdhhdqb.exe 33 PID 2848 wrote to memory of 2676 2848 Emdhhdqb.exe 33 PID 2848 wrote to memory of 2676 2848 Emdhhdqb.exe 33 PID 2676 wrote to memory of 2500 2676 Elieipej.exe 34 PID 2676 wrote to memory of 2500 2676 Elieipej.exe 34 PID 2676 wrote to memory of 2500 2676 Elieipej.exe 34 PID 2676 wrote to memory of 2500 2676 Elieipej.exe 34 PID 2500 wrote to memory of 2192 2500 Einebddd.exe 35 PID 2500 wrote to memory of 2192 2500 Einebddd.exe 35 PID 2500 wrote to memory of 2192 2500 Einebddd.exe 35 PID 2500 wrote to memory of 2192 2500 Einebddd.exe 35 PID 2192 wrote to memory of 1980 2192 Fipbhd32.exe 36 PID 2192 wrote to memory of 1980 2192 Fipbhd32.exe 36 PID 2192 wrote to memory of 1980 2192 Fipbhd32.exe 36 PID 2192 wrote to memory of 1980 2192 Fipbhd32.exe 36 PID 1980 wrote to memory of 2844 1980 Flqkjo32.exe 37 PID 1980 wrote to memory of 2844 1980 Flqkjo32.exe 37 PID 1980 wrote to memory of 2844 1980 Flqkjo32.exe 37 PID 1980 wrote to memory of 2844 1980 Flqkjo32.exe 37 PID 2844 wrote to memory of 2980 2844 Fhglop32.exe 38 PID 2844 wrote to memory of 2980 2844 Fhglop32.exe 38 PID 2844 wrote to memory of 2980 2844 Fhglop32.exe 38 PID 2844 wrote to memory of 2980 2844 Fhglop32.exe 38 PID 2980 wrote to memory of 3040 2980 Fmddgg32.exe 39 PID 2980 wrote to memory of 3040 2980 Fmddgg32.exe 39 PID 2980 wrote to memory of 3040 2980 Fmddgg32.exe 39 PID 2980 wrote to memory of 3040 2980 Fmddgg32.exe 39 PID 3040 wrote to memory of 2288 3040 Fjhdpk32.exe 40 PID 3040 wrote to memory of 2288 3040 Fjhdpk32.exe 40 PID 3040 wrote to memory of 2288 3040 Fjhdpk32.exe 40 PID 3040 wrote to memory of 2288 3040 Fjhdpk32.exe 40 PID 2288 wrote to memory of 428 2288 Gjjafkpe.exe 41 PID 2288 wrote to memory of 428 2288 Gjjafkpe.exe 41 PID 2288 wrote to memory of 428 2288 Gjjafkpe.exe 41 PID 2288 wrote to memory of 428 2288 Gjjafkpe.exe 41 PID 428 wrote to memory of 2564 428 Gbhcpmkm.exe 42 PID 428 wrote to memory of 2564 428 Gbhcpmkm.exe 42 PID 428 wrote to memory of 2564 428 Gbhcpmkm.exe 42 PID 428 wrote to memory of 2564 428 Gbhcpmkm.exe 42 PID 2564 wrote to memory of 2504 2564 Gampaipe.exe 43 PID 2564 wrote to memory of 2504 2564 Gampaipe.exe 43 PID 2564 wrote to memory of 2504 2564 Gampaipe.exe 43 PID 2564 wrote to memory of 2504 2564 Gampaipe.exe 43 PID 2504 wrote to memory of 2388 2504 Gekhgh32.exe 44 PID 2504 wrote to memory of 2388 2504 Gekhgh32.exe 44 PID 2504 wrote to memory of 2388 2504 Gekhgh32.exe 44 PID 2504 wrote to memory of 2388 2504 Gekhgh32.exe 44 PID 2388 wrote to memory of 1808 2388 Habili32.exe 45 PID 2388 wrote to memory of 1808 2388 Habili32.exe 45 PID 2388 wrote to memory of 1808 2388 Habili32.exe 45 PID 2388 wrote to memory of 1808 2388 Habili32.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\c2d130d63435112ec0922da2aff4ee7c25e91a7a869ea3be35cdd49ce4005cf2.exe"C:\Users\Admin\AppData\Local\Temp\c2d130d63435112ec0922da2aff4ee7c25e91a7a869ea3be35cdd49ce4005cf2.exe"1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2772 -
C:\Windows\SysWOW64\Egcfdn32.exeC:\Windows\system32\Egcfdn32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2904 -
C:\Windows\SysWOW64\Epnkip32.exeC:\Windows\system32\Epnkip32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2828 -
C:\Windows\SysWOW64\Emdhhdqb.exeC:\Windows\system32\Emdhhdqb.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2848 -
C:\Windows\SysWOW64\Elieipej.exeC:\Windows\system32\Elieipej.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2676 -
C:\Windows\SysWOW64\Einebddd.exeC:\Windows\system32\Einebddd.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2500 -
C:\Windows\SysWOW64\Fipbhd32.exeC:\Windows\system32\Fipbhd32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2192 -
C:\Windows\SysWOW64\Flqkjo32.exeC:\Windows\system32\Flqkjo32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1980 -
C:\Windows\SysWOW64\Fhglop32.exeC:\Windows\system32\Fhglop32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2844 -
C:\Windows\SysWOW64\Fmddgg32.exeC:\Windows\system32\Fmddgg32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2980 -
C:\Windows\SysWOW64\Fjhdpk32.exeC:\Windows\system32\Fjhdpk32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3040 -
C:\Windows\SysWOW64\Gjjafkpe.exeC:\Windows\system32\Gjjafkpe.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2288 -
C:\Windows\SysWOW64\Gbhcpmkm.exeC:\Windows\system32\Gbhcpmkm.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:428 -
C:\Windows\SysWOW64\Gampaipe.exeC:\Windows\system32\Gampaipe.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2564 -
C:\Windows\SysWOW64\Gekhgh32.exeC:\Windows\system32\Gekhgh32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2504 -
C:\Windows\SysWOW64\Habili32.exeC:\Windows\system32\Habili32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2388 -
C:\Windows\SysWOW64\Hdbbnd32.exeC:\Windows\system32\Hdbbnd32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1808 -
C:\Windows\SysWOW64\Hgckoofa.exeC:\Windows\system32\Hgckoofa.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:628 -
C:\Windows\SysWOW64\Hlbpme32.exeC:\Windows\system32\Hlbpme32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1648 -
C:\Windows\SysWOW64\Hekefkig.exeC:\Windows\system32\Hekefkig.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1560 -
C:\Windows\SysWOW64\Ilgjhena.exeC:\Windows\system32\Ilgjhena.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1116 -
C:\Windows\SysWOW64\Ifpnaj32.exeC:\Windows\system32\Ifpnaj32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2036 -
C:\Windows\SysWOW64\Ihpgce32.exeC:\Windows\system32\Ihpgce32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1924 -
C:\Windows\SysWOW64\Igeddb32.exeC:\Windows\system32\Igeddb32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2100 -
C:\Windows\SysWOW64\Jnbifl32.exeC:\Windows\system32\Jnbifl32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2864 -
C:\Windows\SysWOW64\Jjijkmbi.exeC:\Windows\system32\Jjijkmbi.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3052 -
C:\Windows\SysWOW64\Jcckibfg.exeC:\Windows\system32\Jcckibfg.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1604 -
C:\Windows\SysWOW64\Jkopndcb.exeC:\Windows\system32\Jkopndcb.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2892 -
C:\Windows\SysWOW64\Kmnlhg32.exeC:\Windows\system32\Kmnlhg32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2688 -
C:\Windows\SysWOW64\Kiemmh32.exeC:\Windows\system32\Kiemmh32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2880 -
C:\Windows\SysWOW64\Kbmafngi.exeC:\Windows\system32\Kbmafngi.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1208 -
C:\Windows\SysWOW64\Kenjgi32.exeC:\Windows\system32\Kenjgi32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:636 -
C:\Windows\SysWOW64\Kmiolk32.exeC:\Windows\system32\Kmiolk32.exe33⤵
- Executes dropped EXE
PID:1932 -
C:\Windows\SysWOW64\Lfdpjp32.exeC:\Windows\system32\Lfdpjp32.exe34⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1676 -
C:\Windows\SysWOW64\Ljbipolj.exeC:\Windows\system32\Ljbipolj.exe35⤵
- Executes dropped EXE
PID:2544 -
C:\Windows\SysWOW64\Lekjal32.exeC:\Windows\system32\Lekjal32.exe36⤵
- Executes dropped EXE
PID:2988 -
C:\Windows\SysWOW64\Mdgmbhgh.exeC:\Windows\system32\Mdgmbhgh.exe37⤵
- Executes dropped EXE
PID:2860 -
C:\Windows\SysWOW64\Manjaldo.exeC:\Windows\system32\Manjaldo.exe38⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2440 -
C:\Windows\SysWOW64\Mcacochk.exeC:\Windows\system32\Mcacochk.exe39⤵
- Executes dropped EXE
PID:236 -
C:\Windows\SysWOW64\Ngoleb32.exeC:\Windows\system32\Ngoleb32.exe40⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2404 -
C:\Windows\SysWOW64\Nhqhmj32.exeC:\Windows\system32\Nhqhmj32.exe41⤵
- Executes dropped EXE
PID:1708 -
C:\Windows\SysWOW64\Ncfmjc32.exeC:\Windows\system32\Ncfmjc32.exe42⤵
- Executes dropped EXE
PID:2236 -
C:\Windows\SysWOW64\Nnbjpqoa.exeC:\Windows\system32\Nnbjpqoa.exe43⤵
- Executes dropped EXE
- Modifies registry class
PID:1228 -
C:\Windows\SysWOW64\Ngjoif32.exeC:\Windows\system32\Ngjoif32.exe44⤵
- Executes dropped EXE
PID:776 -
C:\Windows\SysWOW64\Noagjc32.exeC:\Windows\system32\Noagjc32.exe45⤵
- Executes dropped EXE
PID:1528 -
C:\Windows\SysWOW64\Opccallb.exeC:\Windows\system32\Opccallb.exe46⤵
- Executes dropped EXE
PID:772 -
C:\Windows\SysWOW64\Ohjkcile.exeC:\Windows\system32\Ohjkcile.exe47⤵
- Executes dropped EXE
PID:2580 -
C:\Windows\SysWOW64\Ojkhjabc.exeC:\Windows\system32\Ojkhjabc.exe48⤵
- Executes dropped EXE
PID:568 -
C:\Windows\SysWOW64\Oqepgk32.exeC:\Windows\system32\Oqepgk32.exe49⤵
- Executes dropped EXE
PID:1752 -
C:\Windows\SysWOW64\Ogohdeam.exeC:\Windows\system32\Ogohdeam.exe50⤵
- Executes dropped EXE
- Modifies registry class
PID:752 -
C:\Windows\SysWOW64\Onipqp32.exeC:\Windows\system32\Onipqp32.exe51⤵
- Executes dropped EXE
PID:2808 -
C:\Windows\SysWOW64\Ocfiif32.exeC:\Windows\system32\Ocfiif32.exe52⤵
- Executes dropped EXE
PID:2928 -
C:\Windows\SysWOW64\Onkmfofg.exeC:\Windows\system32\Onkmfofg.exe53⤵
- Executes dropped EXE
PID:2884 -
C:\Windows\SysWOW64\Ofgbkacb.exeC:\Windows\system32\Ofgbkacb.exe54⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2832 -
C:\Windows\SysWOW64\Omqjgl32.exeC:\Windows\system32\Omqjgl32.exe55⤵
- Executes dropped EXE
PID:2652 -
C:\Windows\SysWOW64\Ojdjqp32.exeC:\Windows\system32\Ojdjqp32.exe56⤵
- Executes dropped EXE
PID:2216 -
C:\Windows\SysWOW64\Pmcgmkil.exeC:\Windows\system32\Pmcgmkil.exe57⤵
- Executes dropped EXE
PID:2316 -
C:\Windows\SysWOW64\Pbpoebgc.exeC:\Windows\system32\Pbpoebgc.exe58⤵
- Executes dropped EXE
PID:1844 -
C:\Windows\SysWOW64\Pkhdnh32.exeC:\Windows\system32\Pkhdnh32.exe59⤵
- Executes dropped EXE
PID:1900 -
C:\Windows\SysWOW64\Pfnhkq32.exeC:\Windows\system32\Pfnhkq32.exe60⤵
- Executes dropped EXE
PID:2528 -
C:\Windows\SysWOW64\Pgodcich.exeC:\Windows\system32\Pgodcich.exe61⤵
- Executes dropped EXE
PID:2408 -
C:\Windows\SysWOW64\Pioamlkk.exeC:\Windows\system32\Pioamlkk.exe62⤵
- Executes dropped EXE
PID:2384 -
C:\Windows\SysWOW64\Pnkiebib.exeC:\Windows\system32\Pnkiebib.exe63⤵
- Executes dropped EXE
PID:2620 -
C:\Windows\SysWOW64\Pgcnnh32.exeC:\Windows\system32\Pgcnnh32.exe64⤵
- Executes dropped EXE
PID:1484 -
C:\Windows\SysWOW64\Pmqffonj.exeC:\Windows\system32\Pmqffonj.exe65⤵
- Executes dropped EXE
PID:2224 -
C:\Windows\SysWOW64\Qfikod32.exeC:\Windows\system32\Qfikod32.exe66⤵PID:2336
-
C:\Windows\SysWOW64\Qanolm32.exeC:\Windows\system32\Qanolm32.exe67⤵PID:996
-
C:\Windows\SysWOW64\Qijdqp32.exeC:\Windows\system32\Qijdqp32.exe68⤵PID:1452
-
C:\Windows\SysWOW64\Acohnhab.exeC:\Windows\system32\Acohnhab.exe69⤵PID:1748
-
C:\Windows\SysWOW64\Ailqfooi.exeC:\Windows\system32\Ailqfooi.exe70⤵PID:1536
-
C:\Windows\SysWOW64\Apfici32.exeC:\Windows\system32\Apfici32.exe71⤵PID:2496
-
C:\Windows\SysWOW64\Afpapcnc.exeC:\Windows\system32\Afpapcnc.exe72⤵PID:2708
-
C:\Windows\SysWOW64\Ankedf32.exeC:\Windows\system32\Ankedf32.exe73⤵PID:2872
-
C:\Windows\SysWOW64\Anmbje32.exeC:\Windows\system32\Anmbje32.exe74⤵
- Drops file in System32 directory
PID:1928 -
C:\Windows\SysWOW64\Aicfgn32.exeC:\Windows\system32\Aicfgn32.exe75⤵PID:2616
-
C:\Windows\SysWOW64\Abkkpd32.exeC:\Windows\system32\Abkkpd32.exe76⤵PID:2172
-
C:\Windows\SysWOW64\Ahhchk32.exeC:\Windows\system32\Ahhchk32.exe77⤵PID:3004
-
C:\Windows\SysWOW64\Beldao32.exeC:\Windows\system32\Beldao32.exe78⤵PID:2312
-
C:\Windows\SysWOW64\Bfmqigba.exeC:\Windows\system32\Bfmqigba.exe79⤵PID:1664
-
C:\Windows\SysWOW64\Bacefpbg.exeC:\Windows\system32\Bacefpbg.exe80⤵PID:2164
-
C:\Windows\SysWOW64\Binikb32.exeC:\Windows\system32\Binikb32.exe81⤵PID:2516
-
C:\Windows\SysWOW64\Bphaglgo.exeC:\Windows\system32\Bphaglgo.exe82⤵PID:1248
-
C:\Windows\SysWOW64\Bfbjdf32.exeC:\Windows\system32\Bfbjdf32.exe83⤵PID:1252
-
C:\Windows\SysWOW64\Bpjnmlel.exeC:\Windows\system32\Bpjnmlel.exe84⤵PID:860
-
C:\Windows\SysWOW64\Beggec32.exeC:\Windows\system32\Beggec32.exe85⤵PID:1952
-
C:\Windows\SysWOW64\Cbkgog32.exeC:\Windows\system32\Cbkgog32.exe86⤵PID:1888
-
C:\Windows\SysWOW64\Clclhmin.exeC:\Windows\system32\Clclhmin.exe87⤵
- Drops file in System32 directory
PID:848 -
C:\Windows\SysWOW64\Capdpcge.exeC:\Windows\system32\Capdpcge.exe88⤵PID:1592
-
C:\Windows\SysWOW64\Clfhml32.exeC:\Windows\system32\Clfhml32.exe89⤵PID:2796
-
C:\Windows\SysWOW64\Cdamao32.exeC:\Windows\system32\Cdamao32.exe90⤵PID:2724
-
C:\Windows\SysWOW64\Cofaog32.exeC:\Windows\system32\Cofaog32.exe91⤵PID:1912
-
C:\Windows\SysWOW64\Cdcjgnbc.exeC:\Windows\system32\Cdcjgnbc.exe92⤵
- Drops file in System32 directory
PID:2184 -
C:\Windows\SysWOW64\Cnlnpd32.exeC:\Windows\system32\Cnlnpd32.exe93⤵PID:1488
-
C:\Windows\SysWOW64\Cgdciiod.exeC:\Windows\system32\Cgdciiod.exe94⤵PID:2992
-
C:\Windows\SysWOW64\Dpmgao32.exeC:\Windows\system32\Dpmgao32.exe95⤵PID:2380
-
C:\Windows\SysWOW64\Dkblohek.exeC:\Windows\system32\Dkblohek.exe96⤵PID:1420
-
C:\Windows\SysWOW64\Dlchfp32.exeC:\Windows\system32\Dlchfp32.exe97⤵PID:1072
-
C:\Windows\SysWOW64\Djghpd32.exeC:\Windows\system32\Djghpd32.exe98⤵PID:1552
-
C:\Windows\SysWOW64\Dleelp32.exeC:\Windows\system32\Dleelp32.exe99⤵
- Drops file in System32 directory
PID:1744 -
C:\Windows\SysWOW64\Dcpmijqc.exeC:\Windows\system32\Dcpmijqc.exe100⤵PID:2092
-
C:\Windows\SysWOW64\Dpcnbn32.exeC:\Windows\system32\Dpcnbn32.exe101⤵
- System Location Discovery: System Language Discovery
PID:1096 -
C:\Windows\SysWOW64\Dljngoea.exeC:\Windows\system32\Dljngoea.exe102⤵PID:1896
-
C:\Windows\SysWOW64\Dcdfdi32.exeC:\Windows\system32\Dcdfdi32.exe103⤵PID:768
-
C:\Windows\SysWOW64\Ehaolpke.exeC:\Windows\system32\Ehaolpke.exe104⤵PID:2412
-
C:\Windows\SysWOW64\Eokgij32.exeC:\Windows\system32\Eokgij32.exe105⤵PID:2176
-
C:\Windows\SysWOW64\Edhpaa32.exeC:\Windows\system32\Edhpaa32.exe106⤵PID:2700
-
C:\Windows\SysWOW64\Eblpke32.exeC:\Windows\system32\Eblpke32.exe107⤵PID:1948
-
C:\Windows\SysWOW64\Ekddck32.exeC:\Windows\system32\Ekddck32.exe108⤵PID:2228
-
C:\Windows\SysWOW64\Ebnmpemq.exeC:\Windows\system32\Ebnmpemq.exe109⤵PID:2492
-
C:\Windows\SysWOW64\Edmilpld.exeC:\Windows\system32\Edmilpld.exe110⤵PID:984
-
C:\Windows\SysWOW64\Ekfaij32.exeC:\Windows\system32\Ekfaij32.exe111⤵PID:1724
-
C:\Windows\SysWOW64\Fblljhbo.exeC:\Windows\system32\Fblljhbo.exe112⤵
- System Location Discovery: System Language Discovery
PID:108 -
C:\Windows\SysWOW64\Felekcop.exeC:\Windows\system32\Felekcop.exe113⤵PID:3064
-
C:\Windows\SysWOW64\Ghbhhnhk.exeC:\Windows\system32\Ghbhhnhk.exe114⤵
- Modifies registry class
PID:2136 -
C:\Windows\SysWOW64\Gmoppefc.exeC:\Windows\system32\Gmoppefc.exe115⤵PID:2784
-
C:\Windows\SysWOW64\Gdihmo32.exeC:\Windows\system32\Gdihmo32.exe116⤵PID:612
-
C:\Windows\SysWOW64\Gjbqjiem.exeC:\Windows\system32\Gjbqjiem.exe117⤵PID:2728
-
C:\Windows\SysWOW64\Gamifcmi.exeC:\Windows\system32\Gamifcmi.exe118⤵PID:2956
-
C:\Windows\SysWOW64\Gfiaojkq.exeC:\Windows\system32\Gfiaojkq.exe119⤵
- Modifies registry class
PID:2468 -
C:\Windows\SysWOW64\Gdmbhnjj.exeC:\Windows\system32\Gdmbhnjj.exe120⤵PID:1984
-
C:\Windows\SysWOW64\Heonpf32.exeC:\Windows\system32\Heonpf32.exe121⤵PID:1088
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-